Glossary entry

CAPTCHA token

Every CAPTCHA solve returns a token (g-recaptcha-response, h-captcha-response, cf-turnstile-response). Here's what they actually contain and how backends verify them.

Definition

A CAPTCHA token is a short-lived cryptographic string issued by a CAPTCHA provider after a successful solve. The token proves the bearer completed the challenge; the site's backend posts the token to the provider's verify endpoint along with a secret key to confirm validity. Tokens are single-use, time-bounded (typically 2–5 minutes), and bound to the (sitekey, origin, optional action) tuple they were issued for.

How it works

Solving the CAPTCHA, whether by the user clicking the widget or by an out-of-band solver, produces an opaque token string. The page injects the token into a hidden form input (g-recaptcha-response, h-captcha-response, cf-turnstile-response) or surfaces it via a JS callback. On form submit, the site's server posts {response: token, secret: SECRET} to the provider's siteverify endpoint. The provider validates the token against its short-term store and returns {success: true|false, ...metadata} (hostname, action, score, error codes); the server accepts or rejects the request accordingly, which includes checking that the returned hostname and action match the form being submitted, not just that success is true.

Where you see it

Every form behind a CAPTCHA: login, signup, password reset, checkout, contact, comment. Anywhere a bot would be costly to admit.

Frequently asked questions

Can a token be reused for more than one request?

No. CAPTCHA verify endpoints invalidate the token on the first successful check (timeout-or-duplicate error code). Solve immediately before submitting each form.

How long does a token stay valid?

Provider-specific: reCAPTCHA v2/v3 tokens last 120 seconds, hCaptcha 120 seconds, Cloudflare Turnstile around 300 seconds, AWS WAF around 300 seconds. Always submit promptly.

Does the token contain personal data?

No PII. The token is an opaque identifier into the provider's session store. The verify response includes metadata (action, score, hostname) but no user data.
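The following is an added example, not code from this glossary or from any CAPTCHA provider. It models the lifecycle described under "How it works" and the single-use and expiry behaviour in the FAQ: a simulated provider store that issues opaque tokens and honours each one once within a TTL, returning the timeout-or-duplicate error code otherwise, plus the site-side acceptance check that also verifies the hostname and action bindings. The store, the sitekey-to-secret mapping, the 120-second TTL default and all sample values are constructed for the simulation; no network calls are made.

```python
"""Simulated CAPTCHA token lifecycle (added example, not provider code).

TokenStore plays the provider's short-term store: issue(), then a single-use,
time-bounded siteverify() bound to the (sitekey, hostname, action) tuple.
verify_on_backend() plays the site's server-side check of the siteverify reply.
"""

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

TOKEN_TTL_SECONDS = 120  # assumed default; matches the reCAPTCHA/hCaptcha lifetime quoted above


@dataclass
class IssuedToken:
    sitekey: str
    hostname: str
    action: Optional[str]
    issued_at: float
    consumed: bool = False


class TokenStore:
    """Simulated provider: opaque tokens, valid once, within the TTL."""

    def __init__(self, clock: Callable[[], float] = time.time, ttl: float = TOKEN_TTL_SECONDS):
        self._tokens: dict[str, IssuedToken] = {}
        self._clock = clock  # injectable so expiry can be demonstrated deterministically
        self._ttl = ttl

    def issue(self, sitekey: str, hostname: str, action: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)  # opaque handle; the token itself carries no data
        self._tokens[token] = IssuedToken(sitekey, hostname, action, self._clock())
        return token

    def siteverify(self, secret: str, response: str, sitekeys: dict[str, str]) -> dict:
        """Mimics POST /siteverify. `sitekeys` maps sitekey -> secret (constructed)."""
        entry = self._tokens.get(response)
        if entry is None:
            return {"success": False, "error-codes": ["invalid-input-response"]}
        expected_secret = sitekeys.get(entry.sitekey)
        if expected_secret is None or not hmac.compare_digest(secret, expected_secret):
            return {"success": False, "error-codes": ["invalid-input-secret"]}
        if entry.consumed or self._clock() - entry.issued_at > self._ttl:
            # One error code covers both "expired" and "already checked".
            return {"success": False, "error-codes": ["timeout-or-duplicate"]}
        entry.consumed = True  # the first successful check invalidates the token
        result = {"success": True, "hostname": entry.hostname, "challenge_ts": entry.issued_at}
        if entry.action is not None:
            result["action"] = entry.action
        return result


def verify_on_backend(provider_response: dict, expected_hostname: str,
                      expected_action: Optional[str] = None) -> tuple[bool, str]:
    """Site-side acceptance: success alone is not enough; the token must be
    bound to this site's origin and, when actions are used, to this form."""
    if not provider_response.get("success"):
        codes = ",".join(provider_response.get("error-codes", [])) or "unknown"
        return False, f"provider rejected token: {codes}"
    if provider_response.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    if expected_action is not None and provider_response.get("action") != expected_action:
        return False, "action mismatch"
    return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """Walks one token through accept, replay and expiry; returns the outcomes."""
    clock = [1_000.0]
    store = TokenStore(clock=lambda: clock[0])
    keys = {"site-A": "secret-A"}  # constructed sitekey/secret pair
    token = store.issue("site-A", "shop.example", action="login")
    first = verify_on_backend(store.siteverify("secret-A", token, keys), "shop.example", "login")
    replay = verify_on_backend(store.siteverify("secret-A", token, keys), "shop.example", "login")
    stale = store.issue("site-A", "shop.example", action="login")
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = verify_on_backend(store.siteverify("secret-A", stale, keys), "shop.example", "login")
    return [first, replay, expired]


if __name__ == "__main__":
    for ok, why in demo():
        print("accept" if ok else "reject", why)
```

The injected clock is what makes the expiry path testable without waiting; in a real deployment the hostname and action checks in verify_on_backend are the part most often skipped, and skipping them means a token solved on an attacker-controlled page for the same sitekey would pass.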
