hCaptcha
Privacy-focused CAPTCHA alternative to reCAPTCHA. Machine learning-based bot detection that pays website owners for serving challenges.
Websites Using hCaptcha
What Is hCaptcha?
hCaptcha is a privacy-focused CAPTCHA and bot-detection service that website owners embed to stop automated abuse on forms, logins, signups, and checkout flows. Built by Intuition Machines, it rose to prominence as the leading alternative to Google's reCAPTCHA, and its visibility grew enormously when Cloudflare switched its own default Managed Challenge to hCaptcha for several years before later building its own in-house challenge system. Because Cloudflare protects a very large share of the public web, hCaptcha challenges became one of the most commonly encountered "select all the images" or checkbox prompts on the internet during that period.
The short, answer-first version: if a site shows you a checkbox or an image-classification puzzle to prove you are human, and the assets load from hcaptcha.com, the site is using hCaptcha. It does the same job as reCAPTCHA but markets itself on privacy, regulatory friendliness, and a model where site owners can earn revenue from the challenge labor.
A note on accuracy and sourcing: hCaptcha's adoption claims (for example, that it serves a very large number of sites and historically powered Cloudflare's challenge page) come from Intuition Machines' own marketing and from Cloudflare's public blog posts announcing the partnership and, later, the move to a proprietary system. Exact market-share percentages vary by source and change over time, so this profile describes hCaptcha's role qualitatively rather than asserting a precise number. Always confirm current behavior against the official documentation at the hcaptcha.com developer site.
How hCaptcha Works
hCaptcha sits between a visitor and a protected action. When a user reaches a form, the hCaptcha widget loads in the browser and begins evaluating signals about the session. The flow generally looks like this:
- Widget load. The page includes a JavaScript API file from hCaptcha and renders a widget tied to a public site key.
- Risk assessment. hCaptcha analyzes behavioral and environmental signals (interaction patterns, browser characteristics, reputation data) to estimate whether the visitor is human.
- Challenge (only if needed). Low-risk visitors may pass with a single checkbox click or no interaction at all. Higher-risk sessions are served a visual challenge, such as classifying images.
- Token issuance. On success, hCaptcha returns a one-time response token to the page.
- Server-side verification. The site's backend sends that token, along with a private secret key, to hCaptcha's verification endpoint. hCaptcha replies with a pass/fail result. Crucially, the security decision happens on the server, not in the browser, so a bot cannot simply fake a success in client-side code.
This two-key design (public site key in the page, secret key on the server) mirrors the standard CAPTCHA verification pattern. The important consequence for anyone fingerprinting technology is that the public site key and the API script are visible in the page source, while the secret key never appears client-side.
Under the hood, the "human or bot" judgment is not a single yes/no test. hCaptcha blends passive signals (how the browser is configured, how the cursor and keyboard behave, the reputation of the network the request comes from) with an active challenge that is only escalated when the passive signals are inconclusive. This is why two visitors hitting the same form can have completely different experiences: one breezes through with a single click, while another, perhaps on a VPN or a heavily automated browser, is asked to classify several rounds of images. For site owners, the practical lever is the difficulty setting, which trades user friction against how aggressively suspicious sessions are challenged.
It also helps to understand what hCaptcha deliberately does not do. It is not a web application firewall, it does not inspect or block malicious payloads, and it does not protect an endpoint that an attacker can reach directly via API without ever loading the widget. It guards the specific action it is attached to (a form submission, a login, a signup) by requiring a valid, server-verified token. That scoping matters when you reason about a site's overall defenses: hCaptcha is one layer, usually paired with rate limiting, server-side validation, and sometimes a CDN-level challenge.
How to Tell if a Website Uses hCaptcha
hCaptcha leaves several reliable, observable footprints. You can confirm it with nothing more than a browser, and server-side tools make the detection more robust.
Script domains and network requests
The clearest tell is the API script. An hCaptcha-protected page loads JavaScript from the hCaptcha domain, typically:
https://hcaptcha.com/1/api.js
https://js.hcaptcha.com/1/api.js
Open your browser's DevTools, go to the Network tab, reload the page, and filter for hcaptcha. You will see requests to hcaptcha.com (and frequently newassets.hcaptcha.com or imgs.hcaptcha.com for challenge assets). If the challenge actually renders, you will also see one or more iframes whose source is on hcaptcha.com or newassets.hcaptcha.com.
HTML markup and the data-sitekey attribute
Use View Source (or the DevTools Elements panel) and search the markup for an hCaptcha container. The widget is conventionally rendered into a div like this:
<div class="h-captcha" data-sitekey="10000000-ffff-ffff-ffff-000000000001"></div>
The combination of the h-captcha CSS class and a data-sitekey attribute is a strong, specific signal. The site key is meant to be public, so seeing it here is expected and harmless.
JavaScript globals in the console
Once the API script has loaded, hCaptcha exposes a global object. In the DevTools Console, type:
hcaptcha
If hCaptcha is present, this returns an object with methods such as render, execute, getResponse, and reset rather than undefined. This is a quick confirmation that goes beyond just spotting a script tag.
Cookies and form behavior
hCaptcha may set cookies (for example, an hc_accessibility cookie when a visitor uses the accessibility cookie feature) under the hcaptcha.com domain. More importantly, watch the form action and the network traffic on submit: the form will carry a hidden field named h-captcha-response (or g-recaptcha-response in some compatibility setups) containing the token, and the backend will round-trip that token for verification.
Tools that automate detection
- View Source / DevTools confirm script domains, the
h-captchadiv, and globals manually. - Network tab reveals the api.js request and challenge iframes.
- Wappalyzer and similar fingerprinting extensions recognize hCaptcha automatically and label the site.
- Server-side analysis is the most robust path because a challenge may only appear conditionally (for low-reputation visitors) and can be hidden behind a CDN's own challenge layer. StackOptic inspects a URL's scripts, request graph, and markup from the server side, which helps confirm hCaptcha even when a casual browser visit never triggers a visible puzzle. For the manual fundamentals, see how to tell if a website uses reCAPTCHA and how to protect your website from bots and scrapers.
Key Features
- Privacy-first positioning. hCaptcha emphasizes minimal personal-data collection and does not require accepting Google's advertising terms.
- Checkbox and invisible modes. Site owners can use a visible checkbox widget or an invisible mode that only challenges risky sessions.
- Configurable difficulty. Challenge passing difficulty can be tuned to balance security against user friction.
- Enterprise tier. hCaptcha Enterprise (sometimes branded around its bot-management and fraud features) adds richer risk scoring, analytics, and protection controls for larger operators.
- Accessibility support. An accessibility cookie program lets users who struggle with visual challenges obtain an alternative path.
- Drop-in reCAPTCHA compatibility. hCaptcha is designed so teams can migrate from reCAPTCHA with minimal code changes, including compatible response-field naming.
Pros and Cons
Pros
- Strong privacy and regulatory story (GDPR and CCPA friendly), which matters for EU-facing sites.
- Reduces dependence on Google's ecosystem and terms of service.
- Proven at very large scale through its historical Cloudflare deployment.
- Server-side verification keeps the security decision out of the browser.
- Easy migration path for sites already built around reCAPTCHA.
Cons
- Visual image challenges can frustrate legitimate users and hurt conversion, the same usability tax as any CAPTCHA.
- Determined attackers can use human-powered CAPTCHA-solving services to defeat challenges.
- Accessibility remains an inherent weakness of any visual puzzle, despite mitigations.
- Adds third-party JavaScript and external requests that affect page weight and privacy posture.
hCaptcha vs Alternatives
The CAPTCHA and bot-challenge landscape includes Google reCAPTCHA, Cloudflare Turnstile, and hCaptcha as the most commonly detected options. They differ mainly in privacy posture, whether they show puzzles, and how they monetize.
| Capability | hCaptcha | reCAPTCHA (v2/v3) | Cloudflare Turnstile |
|---|---|---|---|
| Primary positioning | Privacy-focused CAPTCHA | Google bot detection | CAPTCHA-free challenge |
| Visible image puzzles | Yes, when risk is high | v2 yes; v3 score-only | Generally no |
| Ecosystem ties | Independent vendor | Google account/terms | Cloudflare network |
| Typical script domain | hcaptcha.com | google.com/recaptcha | challenges.cloudflare.com |
| Revenue-share model | Yes (challenge labor) | No | No |
| Free tier | Yes | Yes | Yes (any site) |
If your main concern is avoiding Google, hCaptcha and Cloudflare Turnstile are the two leading choices; Turnstile leans harder into a no-puzzle experience, while hCaptcha keeps a traditional challenge available. If you simply want the most widely documented option and already use Google services, reCAPTCHA remains the default.
Use Cases
- Account signup and login protection. Blocking credential stuffing and fake-account creation.
- Comment and contact forms. Preventing spam submissions on blogs and marketing sites.
- Checkout and payment pages. Reducing carding and automated fraud attempts.
- Free-trial and coupon abuse. Stopping bots from mass-claiming promotional offers.
- Privacy-sensitive deployments. Organizations in regulated industries or the EU that want to minimize data sharing with Google.
- API and scraper deterrence. Slowing automated harvesting of pricing, listings, or content on pages that gate an action behind the widget.
Why hCaptcha Detection Matters for Site Analysis
Knowing that a site uses hCaptcha tells you more than "they have a CAPTCHA." It signals a deliberate choice to avoid Google's reCAPTCHA, which often correlates with a privacy-conscious posture or an EU-focused audience. For competitive research, recognizing hCaptcha on a competitor's signup or checkout flow hints at the friction their real users encounter and the bot pressure they are trying to manage. For technical due diligence, spotting hCaptcha alongside a CDN-level challenge tells you the operator is layering defenses rather than relying on a single control.
There is also a practical reason detection is harder than it looks: challenges are conditional. A first-time, low-risk visitor may never see a puzzle, so a single manual page load can miss hCaptcha entirely even though it is configured. The reliable signals are therefore the script and markup that are always present (the api.js request, the h-captcha div, the hcaptcha global) rather than the visible puzzle, which only appears for a subset of sessions. This is precisely the kind of always-present-versus-conditional distinction that server-side scanning handles better than eyeballing a page.
Frequently Asked Questions
Is hCaptcha better than reCAPTCHA?
It depends on your priorities. hCaptcha is stronger on privacy and independence from Google, while reCAPTCHA has broader documentation and tighter integration with the Google ecosystem. For raw bot-stopping effectiveness they are broadly comparable, and both can be defeated by human-powered solving services, so neither is a complete solution on its own.
Does hCaptcha collect personal data?
hCaptcha markets itself as privacy-focused and states that it minimizes personal-data collection and supports GDPR and CCPA compliance. As with any third-party widget, you should still review its current privacy documentation and reflect its use in your own privacy policy.
Can I use hCaptcha for free?
Yes. hCaptcha offers a free tier suitable for most websites, alongside paid Enterprise tiers for organizations that need advanced risk analytics and bot-management features. Confirm current limits on the official site.
Why do I keep getting hCaptcha challenges on so many sites?
For several years, Cloudflare used hCaptcha to power its default challenge page, so any site behind Cloudflare's challenge could surface an hCaptcha puzzle. Cloudflare has since moved to its own challenge technology, but the historical footprint is why hCaptcha became so familiar to web users.
Does seeing the site key in the page source mean the site is misconfigured?
No. The site key is intentionally public and belongs in the page so the widget can load. The sensitive value is the secret key, which is used only for server-side verification and should never appear in client-side code. Seeing a data-sitekey value is normal and expected.
Want to know exactly which CAPTCHA, bot-mitigation, and security tools a site relies on? Run the URL through StackOptic for a server-side breakdown.
Alternatives to hCaptcha
Compare hCaptcha
Analyze a Website
Check if any website uses hCaptcha and discover its full technology stack.
Analyze Now