How is hCaptcha different from reCAPTCHA?

hCaptcha uses image-pick puzzles and Intuition Machines' fingerprinting instead of Google's. It pays site operators for completed solves (the labels train Intuition's vision models) and emphasises privacy — no Google account tracking, no third-party cookies by default.

Is hCaptcha solvable by AI?

Yes. AI vision models routinely match human accuracy on hCaptcha image-pick puzzles. The Enterprise rqdata flow adds a session-binding signature that makes naive replay harder, but a proper solver handles it.

Can I use the same token across multiple submissions?

No. hCaptcha tokens are single-use and expire 120 seconds after issue. Solve immediately before submitting the form.

Glossary entry

hCaptcha

hCaptcha is a privacy-first CAPTCHA service used as a drop-in replacement for reCAPTCHA. Visible widgets, invisible Enterprise mode, image-pick challenges.

Definition

hCaptcha is a CAPTCHA service operated by Intuition Machines that serves as a privacy-first drop-in replacement for Google reCAPTCHA. It validates that a visitor is human by asking them to complete an image-recognition challenge, then returns a token the site backend verifies via hCaptcha's siteverify endpoint. The Enterprise variant adds an "invisible" mode that scores requests without showing any visible challenge.

How it works

hCaptcha embeds a JavaScript widget on the page. The widget collects a fingerprint (canvas, WebGL, hardware, navigator entropy), opens an iframe to hcaptcha.com, and either renders a 3×3 image-pick puzzle or scores the session invisibly. On success the widget writes a response token into a hidden input — both h-captcha-response (current) and g-recaptcha-response (for reCAPTCHA-compatible backends). The site's server posts the token to hcaptcha.com/siteverify with its secret key; the response confirms validity.

Where you see it

Login and signup forms on privacy-conscious sites, Discord, Cloudflare (deprecated in favor of Turnstile), and most sites that migrated off reCAPTCHA over privacy or pricing concerns. Often paired with Cloudflare or a bot-management WAF.

Try the API See pricing

Frequently asked questions

: hCaptcha uses image-pick puzzles and Intuition Machines' fingerprinting instead of Google's. It pays site operators for completed solves (the labels train Intuition's vision models) and emphasises privacy — no Google account tracking, no third-party cookies by default.
: Yes. AI vision models routinely match human accuracy on hCaptcha image-pick puzzles. The Enterprise rqdata flow adds a session-binding signature that makes naive replay harder, but a proper solver handles it.
: No. hCaptcha tokens are single-use and expire 120 seconds after issue. Solve immediately before submitting the form.

hCaptcha

Definition

How it works

Where you see it

Frequently asked questions

Related terms & guides