FunCaptcha, now officially called Arkose Labs MatchKey, is a CAPTCHA system that uses interactive 3D challenges instead of traditional image grids. If your automation workflow encounters a challenge asking you to rotate a 3D object, pick the image that matches a silhouette, or identify an animal from an unusual angle, you are most likely dealing with FunCaptcha. Arkose Labs serves major platforms including EA Games, Roblox, Microsoft Outlook, and LinkedIn.
This explainer covers how FunCaptcha works, its challenge types, its technical identifiers, and how it compares to traditional CAPTCHA systems.
How FunCaptcha works
FunCaptcha uses a multi-layered defense model that combines behavioral analysis with interactive visual challenges:
- Detection layer — The Arkose Labs script evaluates device telemetry, browser fingerprint, mouse movement patterns, and IP reputation before deciding whether to present a challenge.
- Challenge presentation — If the risk score exceeds the threshold, the user sees an interactive challenge inside an iframe hosted on
arkoselabs.comorfuncaptcha.com. - Challenge interaction — Unlike image-grid CAPTCHAs, FunCaptcha challenges require spatial reasoning: rotating objects to match a target, picking the correct image from transformed perspectives, or identifying objects from unusual angles.
- Token generation — After successful completion, FunCaptcha returns a session token that the website validates server-side.
- Adaptive difficulty — Failed attempts increase challenge complexity. Repeated failures may trigger longer challenge sequences or additional verification steps.
Technical identifiers
| Signal | What to look for |
|---|---|
| Script source | https://client-api.arkoselabs.com/ or https://api.funcaptcha.com/ |
| Public key | A UUID-format key (e.g., 476068BF-9B07-4D4E-B5F5-9A1CEDFBA4F4) |
| iframe source | https://client-api.arkoselabs.com/fc/ |
| API domain | arkoselabs.com or funcaptcha.com |
| HTML attribute | data-pkey for the public key |
FunCaptcha challenge types
FunCaptcha is distinct from reCAPTCHA and hCaptcha because it uses interactive 3D and spatial challenges:
3D rotation challenges
The most common type. Users must rotate a 3D-rendered object (animal, dice, hand gesture) to match a target orientation. The rendering changes per attempt to prevent simple pattern matching.
Image matching challenges
Users see a set of images and must select the one that matches a described criterion (e.g., "select the image that shows the arrow pointing right"). Images are often distorted or transformed.
Perspective challenges
Users must identify an object shown from an unusual angle or perspective. This tests spatial reasoning rather than object recognition.
Sequential challenges
Some deployments require multiple correct answers in sequence. An incorrect answer resets the sequence but does not immediately fail the challenge.
Audio challenges
An accessibility mode provides audio-based challenges, though these are less common than in reCAPTCHA.
FunCaptcha vs reCAPTCHA vs hCaptcha comparison
| Factor | FunCaptcha / Arkose Labs | reCAPTCHA v2 | hCaptcha |
|---|---|---|---|
| Challenge style | 3D rotation, spatial reasoning | Image grid selection | Image grid selection |
| Difficulty model | Adaptive — harder on repeated failure | Fixed difficulty per challenge | Configurable by site owner |
| Primary clients | Gaming (EA, Roblox), Microsoft, LinkedIn | Broad web adoption | Cloudflare customers, privacy-focused sites |
| Detection method | Device telemetry + behavioral + IP | Browser signals + interaction + cookies | Browser signals + behavioral |
| Script domain | arkoselabs.com / funcaptcha.com |
google.com/recaptcha |
hcaptcha.com |
| Response field | Custom token via callback | g-recaptcha-response |
h-captcha-response |
| Enterprise tier | Always enterprise-grade | reCAPTCHA Enterprise available | hCaptcha Enterprise available |
| Token lifetime | Varies by deployment (60-300 seconds) | ~120 seconds | ~120 seconds |
How to detect FunCaptcha on a target page
Method 1: Check page source for Arkose script
import requests
response = requests.get("https://example.com/login")
html = response.text
if "arkoselabs.com" in html or "funcaptcha.com" in html:
print("FunCaptcha detected")
# Extract public key
import re
pkey_match = re.search(r'data-pkey="([^"]+)"', html)
if pkey_match:
print(f"Public key: {pkey_match.group(1)}")
Method 2: Monitor network requests
// In Puppeteer
page.on('request', request => {
const url = request.url();
if (url.includes('arkoselabs.com') || url.includes('funcaptcha.com')) {
console.log(`FunCaptcha request detected: ${url}`);
}
});
Method 3: Check iframe sources
const frames = page.frames();
const arkoseFrame = frames.find(f =>
f.url().includes('arkoselabs.com/fc/') ||
f.url().includes('funcaptcha.com/fc/')
);
if (arkoseFrame) {
console.log('FunCaptcha iframe found');
}
What makes FunCaptcha challenging for automation
- 3D rendering — Challenges render differently each time, making template matching ineffective.
- Adaptive difficulty — The system increases difficulty based on solving patterns, IP reputation, and session history.
- Device telemetry — Arkose Labs collects extensive client-side data including hardware characteristics, browser plugins, and timing patterns.
- Sequential challenges — Some configurations require 3-6 correct answers in sequence, with a reset on any error.
- Token binding — Tokens are bound to specific sessions and device fingerprints, making transfer complex.
Impact on scraping and automation workflows
When your workflow encounters FunCaptcha, you need to:
- Identify the public key — Extract it from
data-pkeyattributes or API calls - Determine the service URL — Usually
https://client-api.arkoselabs.com/fc/gt2/public_key/{pkey} - Choose a solving approach — API-based solving services can handle FunCaptcha challenges
- Handle token injection — FunCaptcha tokens are typically submitted via JavaScript callbacks rather than hidden form fields
For CAPTCHA types that CaptchaAI supports with the highest solve rates, including reCAPTCHA, Cloudflare Turnstile, and GeeTest:
Frequently asked questions
Is FunCaptcha the same as Arkose Labs?
Yes. FunCaptcha was the original product name. Arkose Labs is the company, and the current product name is Arkose MatchKey. Most developers still refer to it as FunCaptcha because the API domains still use funcaptcha.com.
Which major sites use FunCaptcha?
EA Games, Roblox, Microsoft (Outlook, Xbox), LinkedIn, GitHub (for certain flows), and several banking and financial services platforms.
Is FunCaptcha harder to solve than reCAPTCHA?
FunCaptcha's 3D rotation challenges require spatial reasoning that image-grid CAPTCHAs do not. The adaptive difficulty system also makes repeated solving attempts progressively harder. For automated workflows, FunCaptcha is generally considered harder than standard reCAPTCHA v2 but comparable to reCAPTCHA Enterprise with strict configurations.
Does FunCaptcha work without JavaScript?
No. FunCaptcha requires JavaScript for rendering 3D challenges, collecting device telemetry, and returning tokens. The entire challenge is delivered via JavaScript within an iframe.
How long do FunCaptcha tokens last?
Token validity varies by deployment, typically between 60 and 300 seconds. The token is single-use and bound to the session where it was generated.
Summary
FunCaptcha (Arkose Labs) uses interactive 3D challenges instead of traditional image grids, making it structurally different from reCAPTCHA and hCaptcha. You can identify it by script loads from arkoselabs.com or funcaptcha.com, UUID-format public keys, and 3D/spatial challenge presentation. For developers building automation workflows, correctly identifying the CAPTCHA type is the first step. Explore the CaptchaAI API for solving the CAPTCHA types your workflows encounter most frequently.
Discussions (0)
Join the conversation
Sign in to share your opinion.
Sign InNo comments yet.