hCaptcha is a privacy-focused CAPTCHA service created by Intuition Machines. After Cloudflare dropped reCAPTCHA in favor of hCaptcha in 2020, it became the second most common CAPTCHA system on the web. If your automation workflow encounters a challenge that asks you to select images of motorcycles, crosswalks, or storefronts — and the widget frame references hcaptcha.com — you are dealing with hCaptcha, not reCAPTCHA.
This explainer covers how hCaptcha works, how it differs from reCAPTCHA, and what developers should understand when their scraping or automation workflows encounter hCaptcha challenges.
How hCaptcha works
hCaptcha uses a challenge-response model similar to reCAPTCHA but with a different data pipeline. When a website integrates hCaptcha:
- Widget loads — The
hcaptcha.jsscript loads on the page and renders a checkbox widget or invisible challenge. - Risk assessment — hCaptcha evaluates client-side signals: browser fingerprint, mouse behavior, interaction patterns, and device characteristics.
- Challenge decision — Based on the risk score, hCaptcha either passes the user silently, shows a checkbox, or presents an image-selection challenge.
- Image challenge — If triggered, the user sees a grid of images with a prompt like "Select all images with a bus." The challenge format is very similar to reCAPTCHA v2 image grid.
- Token return — After successful completion, hCaptcha returns a response token that the website validates server-side against the hCaptcha verify API.
Key technical identifiers
| Signal | What to look for |
|---|---|
| Script source | https://hcaptcha.com/1/api.js or https://js.hcaptcha.com/1/api.js |
| Widget class | h-captcha (not g-recaptcha) |
| Data attribute | data-sitekey on the widget container |
| iframe source | https://newassets.hcaptcha.com/ or https://imgs.hcaptcha.com/ |
| Response field | h-captcha-response (not g-recaptcha-response) |
hCaptcha challenge types
hCaptcha presents several challenge formats:
- Image classification — Select all images matching a label (most common)
- Image selection with bounding — Click on specific objects within images
- Text-based challenges — Occasional text recognition tasks
- Accessibility audio — Audio challenge for screen reader users
- Enterprise challenges — Custom challenge types for high-security deployments
hCaptcha vs reCAPTCHA: side-by-side comparison
| Factor | hCaptcha | reCAPTCHA v2/v3 |
|---|---|---|
| Provider | Intuition Machines | |
| Privacy model | Privacy-focused; does not track users across sites for ad targeting | Uses Google's data network; privacy concerns have been raised |
| Revenue model | Website owners earn small payments for challenges served (optional) | Free; Google uses challenge data for ML training |
| Challenge type | Image grid selection (similar to reCAPTCHA v2) | Checkbox, image grid (v2), invisible scoring (v3) |
| Invisible mode | Yes — passive mode available | Yes — reCAPTCHA v3 and Invisible v2 |
| Enterprise tier | Yes — hCaptcha Enterprise with custom rules and dashboards | Yes — reCAPTCHA Enterprise with risk scoring API |
| Script source | hcaptcha.com domain |
google.com/recaptcha domain |
| Response field name | h-captcha-response |
g-recaptcha-response |
| Widget HTML class | h-captcha |
g-recaptcha |
| Verification endpoint | https://hcaptcha.com/siteverify |
https://www.google.com/recaptcha/api/siteverify |
| Market share | ~15% of CAPTCHA-protected sites (2024) | ~65% of CAPTCHA-protected sites |
| Accessibility | Audio challenges, aria labels | Audio challenges, aria labels |
How to identify hCaptcha on a target page
When your automation hits a CAPTCHA, check these indicators:
Method 1: Inspect the widget container
<!-- hCaptcha widget -->
<div class="h-captcha" data-sitekey="10000000-ffff-ffff-ffff-000000000001"></div>
<!-- reCAPTCHA widget (for comparison) -->
<div class="g-recaptcha" data-sitekey="6Le-wvkSAAAAAPBMRTvw0Q4Muexq9bi0DJwx_mJ-"></div>
Method 2: Check loaded scripts
# Python detection example
import requests
from bs4 import BeautifulSoup
response = requests.get("https://example.com/login")
soup = BeautifulSoup(response.text, "html.parser")
scripts = [s.get("src", "") for s in soup.find_all("script") if s.get("src")]
if any("hcaptcha.com" in src for src in scripts):
print("hCaptcha detected")
elif any("recaptcha" in src for src in scripts):
print("reCAPTCHA detected")
else:
print("No recognized CAPTCHA script found")
Method 3: Check iframe sources
// Node.js detection in Puppeteer
const frames = page.frames();
const captchaFrame = frames.find(f => {
const url = f.url();
return url.includes('hcaptcha.com') || url.includes('recaptcha');
});
if (captchaFrame) {
const type = captchaFrame.url().includes('hcaptcha')
? 'hCaptcha'
: 'reCAPTCHA';
console.log(`Detected: ${type}`);
}
How hCaptcha affects scraping and automation workflows
Detection is the first step
Before you can solve a CAPTCHA challenge in an automated workflow, you need to identify which CAPTCHA system the target site uses. hCaptcha and reCAPTCHA require different solving parameters:
| Parameter | hCaptcha | reCAPTCHA v2 |
|---|---|---|
| Sitekey source | data-sitekey on .h-captcha div |
data-sitekey on .g-recaptcha div |
| Response injection target | h-captcha-response textarea |
g-recaptcha-response textarea |
| Callback function | data-callback attribute or hcaptcha.execute() |
data-callback attribute or grecaptcha.execute() |
Challenge difficulty
hCaptcha challenges can vary in difficulty based on the website's configuration:
- Standard mode — Similar difficulty to reCAPTCHA v2 checkbox challenges
- Enterprise mode — Can include harder challenges, rate limiting, and behavioral analysis
- Passive mode — Works like reCAPTCHA v3 invisible scoring, no user interaction needed
Token lifecycle
- hCaptcha tokens expire after approximately 120 seconds (compared to ~120 seconds for reCAPTCHA v2)
- Tokens are single-use — they can only be validated once
- The token must be submitted on the same domain where it was generated
What CaptchaAI supports
CaptchaAI's API solves all major CAPTCHA types that developers encounter in production workflows. For the types CaptchaAI supports with the highest success rates, see the CaptchaAI supported types feature matrix.
The solving workflow pattern is the same regardless of CAPTCHA type:
- Extract the challenge parameters from the target page
- Submit them to the CaptchaAI API
- Poll for the solved result
- Inject the token back into the page flow
For step-by-step guides on supported types:
- How to Solve reCAPTCHA v2 Using API
- How to Solve Cloudflare Turnstile Using API
- How to Solve GeeTest v3 Captcha Using API
Frequently asked questions
Is hCaptcha harder to solve than reCAPTCHA?
Standard hCaptcha challenges are comparable in difficulty to reCAPTCHA v2 image challenges. hCaptcha Enterprise can be more difficult when configured with stricter rules, similar to how reCAPTCHA Enterprise adds risk scoring layers.
Can I tell from the URL whether a site uses hCaptcha?
Not from the page URL alone. You need to inspect the page source for hcaptcha.com script loads, .h-captcha widget containers, or h-captcha-response form fields. Network requests to hcaptcha.com domains are the strongest signal.
Why did Cloudflare switch from reCAPTCHA to hCaptcha?
Cloudflare cited privacy concerns — reCAPTCHA sends data to Google, which Cloudflare did not want for its customers. Cloudflare later created its own CAPTCHA replacement, Cloudflare Turnstile, and moved away from hCaptcha as well.
Does hCaptcha work without JavaScript?
No. hCaptcha requires JavaScript to render the widget, evaluate browser signals, and present challenges. Pages that block JavaScript will not show the hCaptcha widget, and the challenge cannot complete.
What is hCaptcha's market share compared to reCAPTCHA?
As of 2024, reCAPTCHA holds approximately 65% of the CAPTCHA market, hCaptcha holds approximately 15%, Cloudflare Turnstile holds approximately 10%, and the remaining 10% is distributed across other providers including GeeTest, Arkose Labs, and custom implementations.
Summary
hCaptcha is a privacy-focused alternative to reCAPTCHA used by a growing number of websites. For developers building scraping or automation workflows, the key differences are: different script sources (hcaptcha.com vs google.com/recaptcha), different response field names (h-captcha-response vs g-recaptcha-response), and different widget classes (.h-captcha vs .g-recaptcha). Correctly identifying which CAPTCHA system a target page uses is the first step toward solving it programmatically.
Explore the CaptchaAI solver API to handle CAPTCHA challenges across your automation stack.
Discussions (0)
Join the conversation
Sign in to share your opinion.
Sign InNo comments yet.