Frequently Asked Questions
How do I integrate hCaptcha into my online service?
Hundreds of pre-built open source integrations are available, as well as native integrations in many online platforms.
If you are switching from reCAPTCHA, please see the reCAPTCHA to hCaptcha switching guide. We offer a drop-in replacement, so this often takes only a few minutes.
How long is a typical visitor's hCaptcha session?
In general, client-side interactions are about the same as a traditional captcha: 3-10 seconds depending on the difficulty mode.
When are multiple captchas required?
This depends on computed confidence in the visitor's humanity, the site difficulty setting, and other security factors. When a user fails a captcha, a new one will also be presented to the user.
What browsers are supported?
The hCaptcha service works on every major desktop and mobile browser, as well as desktop and mobile apps. The last two major versions of each browser are officially supported. The following is a non-exclusive list of browsers fully supported by hCaptcha:
- Mozilla Firefox
- Google Chrome
- Microsoft Edge
- Microsoft Internet Explorer 10+
- Apple Safari
- Apple Safari and Safari Webview on iOS
- Google Chrome on iOS
- Android native browser and Google Chrome on Android
- Electron apps on Windows, Mac, and mobile devices
Internet Explorer 10 is currently supported on a best-effort basis. IE8 and IE9 are no longer supported. Best-effort and unsupported browser versions together constitute less than 0.10% of all human traffic on the internet in 2023.
End of life for IE8 and IE9 Tier 1 support (proactive testing) occurred on January 1, 2020. End of life for IE10 Tier 1 support occurred on August 1, 2020. Extensions are available for enterprise users. Please contact us if you require extended support.
The hCaptcha SDK relies on Content Security Policy Level 2 support, which was introduced about 10 years ago. The following browser version minimums thus apply:
- Google Chrome 40
- Mozilla Firefox 45
- Microsoft Edge 79
- Opera 27
Extended support for older browsers and rare embedded browser engines is available to hCaptcha Enterprise customers upon request. Please contact us for more information on this topic.
Please note: like 30% of the internet, hCaptcha uses Let's Encrypt as its primary TLS certificate issuer. This means that the OS root certificate store must trust ISRG Root X1, as is the case for every OS, browser, and library released in the last decade or so:
- Windows >= XP SP3
- macOS >= 10.12.1
- iOS >= 10
- iPhone 5 and above, with iOS 10+
- Android >= 7.1.1
- Mozilla Firefox >= 50.0
- Ubuntu >= Precise Pangolin / 12.04
- Debian >= jessie / 8
- Java 8 >= 8u141
- Java 7 >= 7u151
- NSS >= 3.26
Browsers generally trust the same root certificates as the operating system aside from Firefox, which has its own root store. Chrome also uses its own root store as of Chrome 105.
Support for deprecated legacy operating systems and browsers is available to hCaptcha Enterprise customers via our First-Party feature, enabling you to serve hCaptcha using your own certificates. Please contact hCaptcha Support for more information if you require this feature.
Only modern browsers are supported for the hCaptcha administration dashboard, the interface used to configure hCaptcha for your site and see statistics. The last two major versions of each browser are officially supported:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
Recent versions of Apple Safari are expected to work, but Firefox and Chrome are the recommended browsers.
How does hCaptcha compare with reCAPTCHA?
hCaptcha also stops bots and spam, but gives you more control over the difficulty level you need for your site and does a better job of protecting your users' privacy.
hCaptcha has 100% of the features of reCAPTCHA V2 and is API-compatible with reCAPTCHA V2. Please see our implementation docs for more information.
hCaptcha Enterprise has all of the features of reCAPTCHA V2 + V3, and goes much further with sophisticated custom threat models, detailed bot scores, and more, including unique privacy technology that makes compliance with privacy rules like GDPR, LGPD, CCPA, and more straightforward without sacrificing security. Details are at hCaptcha.com/enterprise.
Can I pin a specific SSL/TLS certificate or issuer on my backend when connecting to api.hcaptcha.com to verify tokens?
Issuers in use are always expressed via the hcaptcha.com CAA record. If you would like to guard against certificates from a rogue issuer, please rely on this mechanism rather than manually pinning a particular certificate or locking to a single issuer.
hCaptcha uses multiple certificates and issuers in parallel, and reserves the right to rotate between them or add more. hCaptcha infrastructure also uses short-lived certificates and rotates them frequently as part of our security best practices. This means that pinning a single certificate is not recommended.
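One way to act on this advice in a backend monitoring job is to compare the issuer of the certificate you observed against the published CAA set instead of a pinned value. This is an added example, not hCaptcha code: the CAA records are constructed samples, and the issuer-to-CAA mapping and function names are assumptions.

```python
import re

# Constructed sample CAA RRset in zone-file form (RFC 8659). These are NOT
# hCaptcha's real records; query the live set with your own resolver.
SAMPLE_CAA = [
    '0 issue "letsencrypt.org"',
    '0 issue "ca.example; account=12345"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]

# Assumption: a mapping you maintain from a certificate issuer's Organization
# (O=) field to the CAA identifier that CA documents for itself.
ISSUER_O_TO_CAA = {"Let's Encrypt": "letsencrypt.org", "Example CA": "ca.example"}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(line):
    """Split '<flags> <tag> "<value>"' into (flags, tag, value)."""
    m = re.fullmatch(r'\s*(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"\s*', line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def authorized_issuers(records, wildcard=False):
    """Set of CAA issuer domains, or None if the RRset expresses no restriction."""
    rrs = [parse_caa(r) for r in records]
    # Critical bit (128) on a tag we do not understand: fail closed.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrs):
        return set()
    wild = [v for _, tag, v in rrs if tag == "issuewild"]
    plain = [v for _, tag, v in rrs if tag == "issue"]
    relevant = wild if (wildcard and wild) else plain
    if not relevant:
        return None
    # Value is '<issuer-domain>[; name=value ...]'; an empty domain (";")
    # authorizes no issuer at all.
    domains = {v.split(";", 1)[0].strip().lower() for v in relevant}
    domains.discard("")
    return domains


def issuer_allowed(issuer_org, records, wildcard=False):
    """True if the observed issuer is consistent with the published CAA set."""
    allowed = authorized_issuers(records, wildcard)
    if allowed is None:
        return True
    return ISSUER_O_TO_CAA.get(issuer_org) in allowed
```

Because the check follows the CAA set rather than a fixed certificate, it keeps working when certificates rotate or a new issuer is added; treat a False result as an alert to investigate.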
What are the difficulty levels for the challenges, and how are they selected?
Different task types have different intrinsic difficulties associated with them. For example, picking the images that match a single simple criterion generally takes most people about the same amount of time. We use this in combination with the site difficulty level you select to decide what to show a user.
Currently, we have 4 difficulty levels available in Publisher accounts ("Always Challenge" mode): Easy, Medium, Difficult, and Auto.
Pro accounts also have access to our "99.9% Passive" No-CAPTCHA mode.
Enterprise accounts have additional levels, including "Passive" and "99.9% Passive" No-CAPTCHA modes.
Setting a different difficulty level influences the kinds of challenges your users will see. Setting the value to Auto means the user will always be presented with a challenge, with varying degrees of difficulty.
How does hCaptcha serve users with visual or other impairments?
hCaptcha provides a full accessibility solution that is usable by anyone able to browse the web. We believe hCaptcha as a service complies with WCAG and Section 508 requirements for publishers who need to meet these standards, but recommend publishers do their own evaluation of their particular implementation.
There are several different accommodation methods provided. Our universal accessibility approach avoids the limitations of audio challenges to serve users with auditory processing issues. We offer both an email-verification system and optional text-based challenges, available in over 100 languages. Every aspect of accessibility support is fully configurable by Enterprise customers, who also have the option of relying on a separate Passive (non-interactive) mode and consuming risk scores.
What Personally Identifiable Information is hCaptcha collecting?
Unlike competitors, we are not in the business of selling individually targeted ads. We work to protect your personal data and limit collection rather than selling it to others. Please see our Privacy Policy for more details.
Is there a way for me to send even less information to hCaptcha?
We care about privacy, and have been working on other solutions to this problem. Please see our Privacy Pass support if you would like to try out a cryptographically secure alternative for maintaining user privacy with hCaptcha. We are currently working within the IETF Privacy Pass working group to help this approach become a web standard, and expect it will be adopted by others in the future.
hCaptcha Enterprise customers also have additional options to pre-blind all user data and create additional security guarantees that make HIPAA, PCI, and similar compliance very simple, as no personal data can ever reach hCaptcha at all.
How do you secure the hCaptcha service?
hCaptcha follows secure development lifecycle practices, runs an internal red team and Security Operations Center with dedicated staff, receives regular external penetration tests, and maintains a bug bounty program to encourage responsible disclosure by outside researchers.
hCaptcha has also been externally audited to verify compliance with industry-standard security controls, including ISO 27001 certification and the SOC 2 Type II Security trust principle. A full SOC 2 Type II report is available to hCaptcha Enterprise customers upon request.
How can I switch from reCAPTCHA to hCaptcha?
It is very simple to switch to hCaptcha. Please see this guide on switching from reCAPTCHA to hCaptcha for more information. Most people only need to change three lines of code.
Do I need to display anything on the page when using hCaptcha in Invisible mode?
To ensure you are in compliance with privacy laws coming into effect around the world, we recommend including the following:
This site is protected by <a href="https://www.hCaptcha.com">hCaptcha</a> and its
<a href="https://www.hcaptcha.com/privacy">Privacy Policy</a> and
<a href="https://www.hcaptcha.com/terms">Terms of Service</a> apply.
We also recommend integrating a notice into your Privacy Policy similar to the one directly below this answer.
Note to sites with EU users:
Navigating global privacy laws can be confusing, as the requirements differ depending on your jurisdiction and the jurisdiction of your users, so you should do your own analysis as to what is required based on your specific facts.
For example: for users in the EU, this language is likely not required, as hCaptcha acts as a processor, and thus your site's terms and privacy policy apply, not ours. However, you should update your Privacy Policy to include a description of what data hCaptcha processes and under what basis, as in the sample text below.
An alternate variant if you prefer to keep the same language globally would then be:
This site is protected by <a href="https://www.hCaptcha.com">hCaptcha</a> and its
<a href="https://www.hcaptcha.com/privacy">Privacy Policy</a> and
<a href="https://www.hcaptcha.com/terms">Terms of Service</a> apply except as noted in our Privacy Policy.
(Linking to your own Privacy Policy in the final two words above.)
Should I update my Privacy Policy when enabling hCaptcha?
Many parts of the world require disclosure of data processors. For reference, we have prepared the following text which hCaptcha customers are free to review in connection with their own transparency (privacy policy) obligations:
hCaptcha
We use the hCaptcha security service (hereinafter "hCaptcha") on our website. This service is provided by Intuition Machines, Inc., a Delaware US Corporation ("IMI"). hCaptcha is used to check whether user actions on our online service (such as submitting a login or contact form) meet our security requirements. To do this, hCaptcha analyzes the behavior of the website or mobile app visitor based on various characteristics. This analysis starts automatically as soon as the website or mobile app visitor enters a part of the website or app with hCaptcha enabled. For the analysis, hCaptcha evaluates various information (e.g. IP address, how long the visitor has been on the website or app, or mouse movements made by the user). The data collected during the analysis will be forwarded to IMI. hCaptcha analysis in the "invisible mode" may take place completely in the background. Website or app visitors are not advised that such an analysis is taking place if the user is not shown a challenge. Data processing is based on Art. 6(1)(b) of the GDPR: the processing of personal data is necessary for the performance of a contract to which the website visitor is party (for example, the website terms) or in order to take steps at the request of the website visitor prior to entering into a contract. Our online service (including our website, mobile apps, and any other apps or other forms of access offered by us) needs to ensure that it is interacting with a human, not a bot, and that activities performed by the user are not related to fraud or abuse. In addition, processing may also be based on Art. 6(1)(f) of the GDPR: our online service has a legitimate interest in protecting the service from abusive automated crawling, spam, and other forms of abuse that can harm our service or other users of our service. 
IMI acts as a "data processor" acting on behalf of its customers as defined under the GDPR, and a "service provider" for the purposes of the California Consumer Privacy Act (CCPA). For more information about hCaptcha’s privacy policy and terms of use, please visit the following links: https://www.hcaptcha.com/privacy and https://www.hcaptcha.com/terms
Note that this is not legal advice, and you should consult with qualified counsel in the jurisdictions in which you operate if you have further questions about your specific use case.
Does hCaptcha support access by users in China?
hCaptcha provides several options for Pro and Enterprise customers to deliver a low latency experience across China and the rest of the world, including regional endpoints and our First-Party Hosting feature.
Please contact [email protected] for guidance if you are a Pro or Enterprise customer.
How do I delete my hCaptcha account?
If you are using the Publisher (free) tier or have an accessibility account, you can delete your account from the Dashboard: Account -> Settings -> Configuration -> Delete Account.
If you are a Pro user, you can cancel your yearly or monthly subscription at any time via Account -> Billing -> Manage Plan -> Edit -> Cancel Subscription. Subscription cancellation will take effect at the end of your current billing period. Once your Pro plan has been canceled and your account has been automatically downgraded, delete your account from the Dashboard: Account -> Settings -> Configuration -> Delete Account. If you need to delete your account while still in the current billing period, please contact us at [email protected].
If you are an Enterprise user, please contact us at [email protected] with your request, and we will assist you accordingly.
Help! I have another question not answered here, or need to update my geographic location.
No problem! Just send us an email at [email protected] and we'll be glad to help.