Frequently Asked Questions

How long is a typical visitor's hCaptcha session?#

Client-side interactions are about the same as a traditional captcha: 3-10 seconds depending on the difficulty mode.

When are multiple captchas required?#

This depends on computed confidence in the visitor's humanity, the site difficulty setting, and other security factors. When a user fails a captcha, a new one will also be presented to the user.

What browsers are supported?#

The hCaptcha service works on every major desktop and mobile browser, as well as desktop and mobile apps. The last two major versions of each browser are officially supported. The following is a non-exclusive list of browsers fully supported by hCaptcha:

  • Mozilla Firefox
  • Google Chrome
  • Microsoft Edge
  • Microsoft Internet Explorer
  • Apple Safari
  • Apple Safari and Safari Webview on iOS
  • Google Chrome on iOS
  • Android native browser and Google Chrome on Android
  • Electron apps on Windows, Mac, and mobile devices

Older versions of Internet Explorer than 11 are also supported. Internet Explorer 8, 9, and 10 are currently supported, but are not eligible for hCaptcha earnings. These browser versions together constituted less than 0.20% of all human traffic on the internet in 2019.

End of life for IE8 and IE9 Tier 1 support (proactive testing) occurred on January 1, 2020. End of life for IE10 Tier 1 support occurred on August 1, 2020. Extensions are available for enterprise users. Please contact us if you require extended support.

Only modern browsers are supported for the hCaptcha administration dashboard, the interface used to configure hCaptcha for your site and see statistics. The last two major versions of each browser are officially supported:

  • Google Chrome
  • Mozilla Firefox

Recent versions of Microsoft Edge and Apple Safari are expected to work, but Firefox and Chrome are the recommended browsers.

How does hCaptcha compare with reCAPTCHA?#

hCaptcha also stops bots and spam, but gives you more control over the difficulty level you need for your site and does a better job of protecting your users' privacy.

hCaptcha has 100% of the features of reCAPTCHA V2 and is API-compatible with reCAPTCHA V2. Please see our implementation docs for more information.

hCaptcha Enterprise has all of the features of reCAPTCHA V2 + V3, and goes much further with sophisticated custom threat models, detailed bot scores, and more, including unique privacy technology that makes compliance with privacy rules like GDPR, LGPD, CCPA, and more straightforward without sacrificing security. Details are at hCaptcha.com/enterprise.

hCaptcha also pays publishers (free accounts) for the work your users are doing. Using reCAPTCHA donates that work to Google.

What controls the type of questions shown? OCR, images, etc?#

Behind the scenes of hCaptcha.com, a real-time system operates to match requesters of tasks and those doing the work. The type of task shown will generally be the one that is currently the closest match given the site-level interests specified.

What are the difficulty levels for the challenges, and how are they selected?#

Different task types have different intrinsic difficulties associated with them. For example, picking the images that match a single simple criteria generally takes most people about the same amount of time. We use this in combination with the site difficulty level you select to decide what to show a user.

Currently, we have 4 difficulty levels available in Publisher accounts ("Always Challenge" mode): Easy, Medium, Difficult, and Auto.

Enterprise accounts have additional levels, including "Passive" and "99.9% Passive" No-CAPTCHA modes.

Setting a different difficulty level influences the kinds of challenges your users will see, and how much your site will earn. Setting the value to Auto means the user will always be presented with a challenge, with varying degrees of difficulty.

How does hCaptcha serve users with visual or other impairments?#

hCaptcha provides a full accessibility solution that is usable by anyone able to browse the web. We believe hCaptcha as a service complies with WCAG and Section 508 requirements for publishers who need to meet these standards, but recommend publishers do their own evalation of their particular implementation.

There are several different accommodation methods provided. Our universal accessibility approach avoids the limitations of audio challenges to serve users with auditory processing issues. We offer both an email-verification system and text-based challenges, available in over 100 languages. Every aspect of accessibility support is fully configurable by Enterprise customers, who also have the option of relying on a separate Passive (non-interactive) mode and consuming risk scores.

What do Estimated and Available mean for HMT earnings?#

Estimated HMT is a real-time estimate based on the total number of captchas solved and other factors. Available HMT is the final computed balance available for withdrawal after a job has completed.

More details:

When requests are launched onto the HUMAN network they contain many tasks. These tasks are broken up into chunks. When a user submits a hCaptcha they are answering anywhere from 3-9 tasks. Based on a variety of factors an immediate preliminary estimate of correctness is made across all of those tasks, and they either pass or fail.

Behind the scenes it is a little more complex: answers from many users are periodically compared, and are combined along with known-good answers in a model to determine the likely right answer after the fact. Once this has been determined the final payout can be calculated based on the answer history per user and site. A bot that simply guesses randomly should earn nothing, while a person who is right 100% of the time should have their answers receive full compensation.

This means that the final payout can take a few days to a week or more to be computed and applied, based on the size of the request running and other factors.

What does Traffic Quality mean?#

During each Final Reconciliation period, the answers from users on your site are compared to answers to the same or similar questions by users across the entire network of hCaptcha sites.

Using a variety of statistical techniques, a highly reliable score can be computed to figure out how often your users' answers agree with the right answer.

Additional information is then added to the calculation to determine the final humanity score for every user interacting with your site, which may differ from the real-time humanity score.

ValueDescription
NormalThis means your users are (on average) answering correctly at a rate similar to the expected rate for mostly human traffic.
ModerateThis means your users are (on average) answering less correctly than most sites. This indicates some bot activity or malicious human activity.
LowThis means your users are (on average) answering at a rate that indicates very high bot traffic or malicious human activity.

As a site's accuracy falls further down the distribution of expected humanity (i.e. your site's visitors are less accurate than the average site's visitors on the same questions, or are known bots) an increasingly large penalty is applied to earnings due to the reduced value of the answers supplied. This eventually reaches 100% as answers start to look close to random chance or are mostly supplied by bots.

How accurate are Dashboard Estimated earnings?#

Estimates start off based on global averages, and may not take your individual traffic statistics into account for up to one quarterly cycle or more, depending on your traffic volume and other factors. At this time your site's accuracy estimate will be updated based on the previous cycle. In other words, estimates displayed can go up or down, sometimes substantially, as they become more accurate. This happens when enough data is collected to start taking into account your site's observed traffic patterns, rather than using global averages that may not apply to your site.

This means that if your site has more accurate human visitors than average, you may earn more than the dashboard estimate after Final Reconciliation occurs.

However, as a site's accuracy falls further down the distribution of expected humanity (i.e. your site's visitors are less accurate than the average site's visitors on the same questions) an increasingly large penalty is applied to earnings due to the reduced value of the answers supplied, eventually reaching 100% as answers start to look close to random chance. This applies whether they are generated by humans or bots.

What if I'm directly paying users for solving hCaptchas?#

For most sites this is not an issue, but if your website creates a direct financial incentive for solving hCaptchas (i.e. by paying out a portion of the expected revenue) then you are very likely to see final earnings that are lower, and potentially far lower, than the estimated values displayed, until a full reconciliation occurs and your per-sitekey earnings estimates are updated. Examples of site categories like this include, but are not limited to: offerwalls, faucets, PTC, etc.

This is due to the fact that users will attempt to profit by running bots against your site that may not be subtracted from the initial real-time estimates, and your user behavior will often differ from a normal hCaptcha user, typically being less accurate. Initial estimates are based on global average behavior rather than your particular site. While they are typically quite accurate for most sites, in these categories they may be inaccurate until a full reconciliation occurs. You should recognize the risk inherent in this scenario, and decide whether it makes sense for your particular website.

If you still decide to accept this risk, we strongly recommend you not commit to paying out more than 10% of any estimated earnings prior to final reconciliation, as the system is likely to initially over-estimate payouts for these sites due to their higher proportion of malicious and bot traffic.

You should also ensure you are using the "credit" flag returned by siteverify, as documented here. If it returns false, your user should not be compensated. If their activity is automated or malicious, allowing them to send many bad answers will affect your Traffic Quality score and thus earnings. One possible strategy is to employ a simple backoff scheme: if one of your users gets 10 failed replies or credit-false responses in a row, block them from completing additional challenges for e.g. 10 minutes.

What is one HMT worth?#

The native medium of exchange on hCaptcha is the HUMAN Token (HMT), which can be used to request tasks within systems running on the HUMAN Protocol.

You should not assume that a HMT has intrinsic value beyond its utility within the system, and utility of a single HMT also varies over time based on a variety of factors.

No intrinsic value is implied or guaranteed: a real-time bidding system sets the HMT prices required for launching a particular job type on the HUMAN network, and HMT are not expected to have utility outside of the network.

note

hCaptcha website owners currently earn points rather than HMT. HMT points accrued may be used via hCaptcha for labeling jobs on the hCaptcha site. HMT or HMT point accruals via hCaptcha that reach a minimum threshold may also be converted quarterly to USD on a trailing 60 day basis, at a rate set periodically by hCaptcha, with payment received via PayPal Payouts. This applies to users located in the US or any of the 156 countries supported by PayPal Payouts.

During the current testnet period, HMT points issued by hCaptcha may be used as a convenient marker for earnings, with 1 HMT equal to 1 USD prior to fill rate adjustment. However, hCaptcha reserves the right to change this at any time, including retroactively within the current earnings period, and no guarantees are made as to the accuracy of estimates on your Dashboard. In particular, estimates may go up or down based on changes in your traffic quality, or other factors that may not be reflected in real-time. For more details, please see How hCaptcha Calculates Rewards.

How much should I expect to earn from hCaptcha?#

Site earnings vary based on three key factors: the number of answers users supply, the correctness of those answers, and real-time demand for the work.

It is difficult to predict exactly what your earnings will be, as prices for a given job type vary based on the demand in the system as represented by bid prices.

Many people are also not aware of how much bot traffic is already on their site. It is not safe to assume that pageviews to a login page are equivalent to real human beings, for example.

Is "NUMBER OF CAPTCHAS PASSED" the same as number of answers earning compensation?#

No: for example, this number counts automatically approved users who have not been prompted to answer a question at all, based on their likelihood of being a bot and your site difficulty setting.

What if I just run a bot against my own hCaptcha, or pay people to click randomly? Will I still get paid?#

No, you will not get paid. Any answers originated via bots or unusually inaccurate humans are generally identified either in real-time or during the reconciliation cycle and eliminated from the accounting.

They have no value, so you are not getting paid for them. This may not be immediately reflected on your Dashboard Estimated Earnings for security reasons. Your account may also be terminated if we determine that it has been opened primarily to try different bot strategies against our service.

Can I publicly post or share detailed earning statistics from my dashboard, or crawl my account details every second to capture changes over time?#

Posting or sharing general historical details like "I earned X HMT last month" is fine.

Sharing detailed current earnings information (for example, output of your Dashboard statistics endpoints) or attempting to reverse engineer security-relevant service details via analysis of this information is prohibited by our terms of service, and may lead to account termination and forfeiture of any HMT in your account.

When do I get paid, and in what form am I getting paid?#

Please see the current Payment Schedule for details on payout dates and the periods they cover.

Reconciliation and validation happens periodically, so it may take some days or weeks to see your "HMTs earned" count move up for a new account.

Sophisticated anti-fraud measures are employed to detect and mitigate unearned allocation of HMTs, and some of them can only be run once some percentage of a job is completed.

The native medium of exchange on hCaptcha is the HUMAN Token (HMT), which can be used to request tasks within systems running on the HUMAN Protocol.

You should not assume that a HMT has intrinsic value beyond its utility within the system, and utility of a single HMT also varies over time based on a variety of factors.

note

hCaptcha website owners located within the United States and Canada earn points rather than HMT. For US and Canadian users, HMT points accrued may be used via hCaptcha for labeling jobs on the hCaptcha site. HMT or HMT point accruals via hCaptcha that reach a minimum threshold may also be converted quarterly to USD, at a rate set periodically by hCaptcha, with payment received via PayPal Payouts. This applies to users located in the US or any of the 156 countries supported by PayPal Payouts.

What Personally Identifiable Information is hCaptcha collecting?#

hCaptcha collects information like mouse movements, scroll position, keypress events, touch events, and gyroscope / accelerometer information as applicable.

This data is used to determine human confidence, as well as aggregate overall captcha completion.

Unlike competitors, we are not in the business of selling individually targeted ads. We work to protect your personal data and limit collection rather than selling it to others. Please see our Privacy Policy for more details.

Is there a way for me to send even less information to hCaptcha?#

We care about privacy, and have been working on other solutions to this problem. Please see our Privacy Pass support if you would like to try out a cryptographically secure alternative to maintaining user privacy with hCaptcha. We are currently working within the IETF Privacy Pass working group to help this approach become a web standard, and expect it will be adopted by others in the future.

hCaptcha Enterprise customers also have additional options to pre-blind all user data and create additional security guarantees that make HIPAA, PCI, and similar compliance very simple, as no personal data can ever reach hCaptcha at all.

How do you secure the hCaptcha service?#

hCaptcha follows secure development lifecycle practices, runs an internal red team and Security Operations Center with dedicated staff, receives regular external penetration tests, and maintains a bug bounty program to encourage responsible disclosure by outside researchers.

hCaptcha has also been externally audited to verify compliance with industry-standard security controls, including the SOC 2 Type II Security trust principle. A full SOC 2 Type II report is available to hCaptcha Enterprise customers upon request.

How can I switch from reCAPTCHA to hCaptcha?#

It is very simple to switch to hCaptcha. Please see this guide on switching from reCAPTCHA to hCaptcha for more information. Most people only need to change three lines of code.

Do I need to display anything on the page when using hCaptcha in Invisible mode?#

To ensure you are in compliance with privacy laws coming into effect around the world, please include the following:

This site is protected by <a href="https://www.hCaptcha.com">hCaptcha</a> and its
<a href="https://www.hcaptcha.com/privacy">Privacy Policy</a> and
<a href="https://www.hcaptcha.com/terms">Terms of Service</a> apply.

You may also prefer to integrate a notice into your Privacy Policy similar to the following:

hCaptcha

We use the hCaptcha anti-bot service (hereinafter "hCaptcha") on our website. This service is provided by Intuition Machines, Inc., a Delaware US Corporation ("IMI"). hCaptcha is used to check whether the data entered on our website (such as on a login page or contact form) has been entered by a human or by an automated program. To do this, hCaptcha analyzes the behavior of the website or mobile app visitor based on various characteristics. This analysis starts automatically as soon as the website or mobile app visitor enters a part of the website or app with hCaptcha enabled. For the analysis, hCaptcha evaluates various information (e.g. IP address, how long the visitor has been on the website or app, or mouse movements made by the user). The data collected during the analysis will be forwarded to IMI. hCaptcha analysis in the "invisible mode" may take place completely in the background. Website or app visitors are not advised that such an analysis is taking place if the user is not shown a challenge. Data processing is based on Art. 6(1)(f) of the GDPR (DSGVO): the website or mobile app operator has a legitimate interest in protecting its site from abusive automated crawling and spam. IMI acts as a "data processor" acting on behalf of its customers as defined under the GDPR, and a "service provider" for the purposes of the California Consumer Privacy Act (CCPA). For more information about hCaptcha and IMI's privacy policy and terms of use, please visit the following links: https://www.hcaptcha.com/privacy and https://www.hcaptcha.com/terms.

Note that this is not legal advice, and you should consult with qualified counsel in the jurisdictions in which you operate if you have further questions about your specific use case.

How do I delete my hCaptcha account?#

Just send an email to us at [email protected] with "Delete my account" in the subject line and we'll remove it quickly.

Help! I have another question not answered here, or need to update my geographic location.#

No problem! Just send us an email at [email protected] and we'll be glad to help.