Frequently Asked Questions
How do I integrate hCaptcha into my online service?
Hundreds of pre-built open source integrations are available, as well as native integrations in many online platforms.
If you are switching from reCAPTCHA, please see the reCAPTCHA to hCaptcha switching guide. We offer a drop-in replacement, so this often takes only a few minutes.
How long is a typical visitor's hCaptcha session?
In general, client-side interactions are about the same as a traditional captcha: 3-10 seconds depending on the difficulty mode.
When are multiple captchas required?
This depends on computed confidence in the visitor's humanity, the site difficulty setting, and other security factors. When a user fails a captcha, a new one will also be presented to the user.
What browsers are supported?
The hCaptcha service works on every major desktop and mobile browser, as well as desktop and mobile apps. The last two major versions of each browser are officially supported. The following is a non-exclusive list of browsers fully supported by hCaptcha:
- Mozilla Firefox
- Google Chrome
- Microsoft Edge
- Microsoft Internet Explorer
- Apple Safari
- Apple Safari and Safari Webview on iOS
- Google Chrome on iOS
- Android native browser and Google Chrome on Android
- Electron apps on Windows, Mac, and mobile devices
Versions of Internet Explorer older than 11 are also supported. Internet Explorer 8, 9, and 10 are currently supported, but are not eligible for hCaptcha earnings. These browser versions together constituted less than 0.20% of all human traffic on the internet in 2019.
End of life for IE8 and IE9 Tier 1 support (proactive testing) occurred on January 1, 2020. End of life for IE10 Tier 1 support occurred on August 1, 2020. Extensions are available for enterprise users. Please contact us if you require extended support.
Only modern browsers are supported for the hCaptcha administration dashboard, the interface used to configure hCaptcha for your site and see statistics. The last two major versions of each browser are officially supported:
- Google Chrome
- Mozilla Firefox
Recent versions of Microsoft Edge and Apple Safari are expected to work, but Firefox and Chrome are the recommended browsers.
How does hCaptcha compare with reCAPTCHA?
hCaptcha also stops bots and spam, but gives you more control over the difficulty level you need for your site and does a better job of protecting your users' privacy.
hCaptcha has 100% of the features of reCAPTCHA V2 and is API-compatible with reCAPTCHA V2. Please see our implementation docs for more information.
hCaptcha Enterprise has all of the features of reCAPTCHA V2 + V3, and goes much further with sophisticated custom threat models, detailed bot scores, and more, including unique privacy technology that makes compliance with privacy rules like GDPR, LGPD, CCPA, and more straightforward without sacrificing security. Details are at hCaptcha.com/enterprise.
What are the difficulty levels for the challenges, and how are they selected?
Different task types have different intrinsic difficulties associated with them. For example, picking the images that match a single simple criterion generally takes most people about the same amount of time. We use this in combination with the site difficulty level you select to decide what to show a user.
Currently, we have 4 difficulty levels available in Publisher accounts ("Always Challenge" mode): Easy, Medium, Difficult, and Auto.
Pro accounts also have access to our "99.9% Passive" No-CAPTCHA mode.
Enterprise accounts have additional levels, including "Passive" and "99.9% Passive" No-CAPTCHA modes.
Setting a different difficulty level influences the kinds of challenges your users will see. Setting the value to Auto means the user will always be presented with a challenge, with varying degrees of difficulty.
How does hCaptcha serve users with visual or other impairments?
hCaptcha provides a full accessibility solution that is usable by anyone able to browse the web. We believe hCaptcha as a service complies with WCAG and Section 508 requirements for publishers who need to meet these standards, but recommend publishers do their own evaluation of their particular implementation.
There are several different accommodation methods provided. Our universal accessibility approach avoids the limitations of audio challenges to serve users with auditory processing issues. We offer both an email-verification system and optional text-based challenges, available in over 100 languages. Every aspect of accessibility support is fully configurable by Enterprise customers, who also have the option of relying on a separate Passive (non-interactive) mode and consuming risk scores.
What does Traffic Quality mean?
Note: this question refers to a feature that is currently undergoing changes.
During each Final Reconciliation period, the answers from users on your site are compared to answers to the same or similar questions by users across the entire network of hCaptcha sites.
Using a variety of statistical techniques, a highly reliable score can be computed to figure out how often your users' answers agree with the right answer.
Additional information is then added to the calculation to determine the final humanity score for every user interacting with your site, which may differ from the real-time humanity score.
| Value | Description |
|---|---|
| Normal | This means your users are (on average) answering correctly at a rate similar to the expected rate for mostly human traffic. |
| Moderate | This means your users are (on average) answering less correctly than most sites. This indicates some bot activity or malicious human activity. |
| Low | This means your users are (on average) answering at a rate that indicates very high bot traffic or malicious human activity. |
As a site's accuracy falls further down the distribution of expected humanity (i.e. your site's visitors are less accurate than the average site's visitors on the same questions, or are known bots) an increasingly large penalty is applied to earnings due to the reduced value of the answers supplied. This eventually reaches 100% as answers start to look close to random chance or are mostly supplied by bots.
What Personally Identifiable Information is hCaptcha collecting?
hCaptcha collects information like mouse movements, scroll position, keypress events, touch events, and gyroscope / accelerometer information as applicable.
This data is used to determine human confidence, as well as aggregate overall captcha completion.
Unlike competitors, we are not in the business of selling individually targeted ads. We work to protect your personal data and limit collection rather than selling it to others. Please see our Privacy Policy for more details.
Is there a way for me to send even less information to hCaptcha?
We care about privacy, and have been working on other solutions to this problem. Please see our Privacy Pass support if you would like to try out a cryptographically secure alternative to maintaining user privacy with hCaptcha. We are currently working within the IETF Privacy Pass working group to help this approach become a web standard, and expect it will be adopted by others in the future.
hCaptcha Enterprise customers also have additional options to pre-blind all user data and create additional security guarantees that make HIPAA, PCI, and similar compliance very simple, as no personal data can ever reach hCaptcha at all.
How do you secure the hCaptcha service?
hCaptcha follows secure development lifecycle practices, runs an internal red team and Security Operations Center with dedicated staff, receives regular external penetration tests, and maintains a bug bounty program to encourage responsible disclosure by outside researchers.
hCaptcha has also been externally audited to verify compliance with industry-standard security controls, including ISO 27001 certification and the SOC 2 Type II Security trust principle. A full SOC 2 Type II report is available to hCaptcha Enterprise customers upon request.
How can I switch from reCAPTCHA to hCaptcha?
It is very simple to switch to hCaptcha. Please see this guide on switching from reCAPTCHA to hCaptcha for more information. Most people only need to change three lines of code.
Do I need to display anything on the page when using hCaptcha in Invisible mode?
To ensure you are in compliance with privacy laws coming into effect around the world, we recommend including the following:
This site is protected by <a href="https://www.hCaptcha.com">hCaptcha</a> and its
<a href="https://www.hcaptcha.com/privacy">Privacy Policy</a> and
<a href="https://www.hcaptcha.com/terms">Terms of Service</a> apply.
We also recommend integrating a notice into your Privacy Policy similar to the one directly below this answer.
Note to sites with EU users:
Navigating global privacy laws can be confusing, as the requirements differ depending on your jurisdiction and the jurisdiction of your users, so you should do your own analysis as to what is required based on your specific facts.
For example: for users in the EU, this language is likely not required, as hCaptcha acts as a processor, and thus your site's terms and privacy policy apply, not ours. However, you should update your Privacy Policy to include a description of what data hCaptcha processes and under what basis, as in the sample text below.
An alternate variant if you prefer to keep the same language globally would then be:
This site is protected by <a href="https://www.hCaptcha.com">hCaptcha</a> and its
<a href="https://www.hcaptcha.com/privacy">Privacy Policy</a> and
<a href="https://www.hcaptcha.com/terms">Terms of Service</a> apply except as noted in our Privacy Policy.
(Linking to your own Privacy Policy in the final two words above.)
Should I update my Privacy Policy when enabling hCaptcha?
Many parts of the world require disclosure of data processors. For reference, we have prepared the following text which hCaptcha customers are free to review in connection with their own transparency (privacy policy) obligations:
hCaptcha
We use the hCaptcha security service (hereinafter "hCaptcha") on our website. This service is provided by Intuition Machines, Inc., a Delaware US Corporation ("IMI"). hCaptcha is used to check whether user actions on our online service (such as submitting a login or contact form) meet our security requirements. To do this, hCaptcha analyzes the behavior of the website or mobile app visitor based on various characteristics. This analysis starts automatically as soon as the website or mobile app visitor enters a part of the website or app with hCaptcha enabled. For the analysis, hCaptcha evaluates various information (e.g. IP address, how long the visitor has been on the website or app, or mouse movements made by the user). The data collected during the analysis will be forwarded to IMI. hCaptcha analysis in the "invisible mode" may take place completely in the background. Website or app visitors are not advised that such an analysis is taking place if the user is not shown a challenge. Data processing is based on Art. 6(1)(b) of the GDPR: the processing of personal data is necessary for the performance of a contract to which the website visitor is party (for example, the website terms) or in order to take steps at the request of the website visitor prior to entering into a contract. Our online service (including our website, mobile apps, and any other apps or other forms of access offered by us) needs to ensure that it is interacting with a human, not a bot, and that activities performed by the user are not related to fraud or abuse. In addition, processing may also be based on Art. 6(1)(f) of the GDPR: our online service has a legitimate interest in protecting the service from abusive automated crawling, spam, and other forms of abuse that can harm our service or other users of our service. 
IMI acts as a "data processor" acting on behalf of its customers as defined under the GDPR, and a "service provider" for the purposes of the California Consumer Privacy Act (CCPA). For more information about hCaptcha’s privacy policy and terms of use, please visit the following links: https://www.hcaptcha.com/privacy and https://www.hcaptcha.com/terms
Note that this is not legal advice, and you should consult with qualified counsel in the jurisdictions in which you operate if you have further questions about your specific use case.
How do I delete my hCaptcha account?
Just send an email to us at [email protected] with "Delete my account" in the subject line and we'll remove it quickly.
Help! I have another question not answered here, or need to update my geographic location.
No problem! Just send us an email at [email protected] and we'll be glad to help.
Legacy Feature Questions
The questions below relate to features that are being deprecated or changed.
How accurate are Dashboard Estimated earnings?
Note: this question refers to a feature that is currently undergoing changes.
Estimates start off based on global averages, and may not take your individual traffic statistics into account for up to one quarterly cycle or more, depending on your traffic volume and other factors. At this time your site's accuracy estimate will be updated based on the previous cycle. In other words, estimates displayed can go up or down, sometimes substantially, as they become more accurate. This happens when enough data is collected to start taking into account your site's observed traffic patterns, rather than using global averages that may not apply to your site.
This means that if your site has more accurate human visitors than average, you may earn more than the dashboard estimate after Final Reconciliation occurs.
However, as a site's accuracy falls further down the distribution of expected humanity (i.e. your site's visitors are less accurate than the average site's visitors on the same questions) an increasingly large penalty is applied to earnings due to the reduced value of the answers supplied, eventually reaching 100% as answers start to look close to random chance. This applies whether they are generated by humans or bots.
What if I'm directly paying users for solving hCaptchas?
Note: this question refers to a feature that is currently undergoing changes.
For most sites this is not an issue, but if your website creates a direct financial incentive for solving hCaptchas (i.e. by paying out a portion of the expected revenue) then you are very likely to see final earnings that are lower, and potentially far lower, than the estimated values displayed, until a full reconciliation occurs and your per-sitekey earnings estimates are updated. Examples of site categories like this include, but are not limited to: offerwalls, faucets, PTC, etc.
This is due to the fact that users will attempt to profit by running bots against your site that may not be subtracted from the initial real-time estimates, and your user behavior will often differ from a normal hCaptcha user, typically being less accurate. Initial estimates are based on global average behavior rather than your particular site. While they are typically quite accurate for most sites, in these categories they may be inaccurate until a full reconciliation occurs. You should recognize the risk inherent in this scenario, and decide whether it makes sense for your particular website.
If you still decide to accept this risk, we strongly recommend you not commit to paying out more than 10% of any estimated earnings prior to final reconciliation, as the system is likely to initially over-estimate payouts for these sites due to their higher proportion of malicious and bot traffic.
You should also ensure you are using the "credit" flag returned by siteverify, as documented here. If it returns false, your user should not be compensated. If their activity is automated or malicious, allowing them to send many bad answers will affect your Traffic Quality score and thus earnings. One possible strategy is to employ a simple backoff scheme: if one of your users gets 10 failed replies or credit-false responses in a row, block them from completing additional challenges for e.g. 10 minutes.
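The backoff scheme described above could be implemented server-side as follows. This is an added example, not hCaptcha's own code: the `CaptchaBackoff` class and its method names are hypothetical, the input is the already-parsed siteverify JSON, and treating a missing `credit` field as not creditable is an assumption made here.

```python
import time
from dataclasses import dataclass

MAX_CONSECUTIVE_BAD = 10   # "10 failed replies or credit-false responses in a row"
BLOCK_SECONDS = 10 * 60    # "block them ... for e.g. 10 minutes"


@dataclass
class UserState:
    bad_streak: int = 0
    blocked_until: float = 0.0


class CaptchaBackoff:
    """Per-user backoff on consecutive bad siteverify results (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the logic can be tested offline
        self._users = {}         # in-memory only; use a shared store in production

    def is_blocked(self, user_id):
        state = self._users.get(user_id)
        return state is not None and self._clock() < state.blocked_until

    def record(self, user_id, verify_result):
        """Record one parsed siteverify response.

        Returns True only if the user should be compensated for this answer.
        """
        if self.is_blocked(user_id):
            return False         # no compensation while the block is active
        state = self._users.setdefault(user_id, UserState())
        # Assumption: fail closed. Anything other than an explicit
        # success=true AND credit=true counts as a bad reply.
        creditable = (verify_result.get("success") is True
                      and verify_result.get("credit") is True)
        if creditable:
            state.bad_streak = 0  # the streak must be consecutive
            return True
        state.bad_streak += 1
        if state.bad_streak >= MAX_CONSECUTIVE_BAD:
            state.blocked_until = self._clock() + BLOCK_SECONDS
            state.bad_streak = 0
        return False


if __name__ == "__main__":
    # Constructed sample responses, not captured from the real service.
    backoff = CaptchaBackoff()
    for _ in range(MAX_CONSECUTIVE_BAD):
        backoff.record("user-42", {"success": True, "credit": False})
    print("blocked:", backoff.is_blocked("user-42"))
```

Call `is_blocked()` before rendering a new challenge for the user, and `record()` after each siteverify call, paying out only when it returns `True`.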
What is one HMT worth?
Note: this question refers to a feature that is currently undergoing changes.
hCaptcha HMT points are solely a marker related to answers submitted. You should not assume that HMT points earned have any intrinsic value.
Eligible HMT point accruals via hCaptcha that reach a minimum threshold may be converted quarterly to USD on a trailing 60 day basis, at a rate set periodically by hCaptcha and currently 1:1 with the USD, with payment received via PayPal Payouts. This applies to users located in the US or any of the other countries supported by PayPal Payouts, subject to compliance with all applicable laws including relevant sanctions.
hCaptcha reserves the right to change this at any time, including retroactively within the current earnings period, and no guarantees are made as to the accuracy of estimates on your Dashboard. In particular, estimates may go up or down based on changes in your traffic quality, or other factors that may not be reflected in real-time. For more details, please see How hCaptcha Calculates Rewards.
How much should I expect to earn from hCaptcha?
Note: this question refers to a feature that is currently undergoing changes.
Site earnings vary based on several factors, including the number of answers submitted and the correctness of those answers.
Many people are not aware of how much bot traffic is already on their site. It is not safe to assume that pageviews to a login page are equivalent to real human beings, for example.
Is "NUMBER OF CAPTCHAS PASSED" the same as number of answers earning compensation?
No: for example, this number counts automatically approved users who have not been prompted to answer a question at all, based on their likelihood of being a bot and your site difficulty setting.
What if I just run a bot against my own hCaptcha, or pay people to click randomly? Will I still get paid?
Note: this question refers to a feature that is currently undergoing changes.
No, you will not get paid. Any answers originated via bots or unusually inaccurate humans are generally identified either in real-time or during the reconciliation cycle and eliminated from the accounting.
This may not be immediately reflected on your Dashboard Estimated Earnings for security reasons. Your account may also be terminated if we determine that it has been opened primarily to try different bot strategies against our service.
Can I publicly post or share detailed earning statistics from my dashboard, or crawl my account details every second to capture changes over time?
Note: this question refers to a feature that is currently undergoing changes.
Posting or sharing general historical details like "I earned X HMT last month" is fine.
Sharing detailed current earnings information (for example, output of your Dashboard statistics endpoints) or attempting to reverse engineer security-relevant service details via analysis of this information is prohibited by our terms of service, and may lead to account termination and forfeiture of any HMT points in your account.
When do I get paid, and in what form am I getting paid?
Note: this question refers to a feature that is currently undergoing changes.
Please see the current Payment Schedule for details on payout dates and the periods they cover.
Reconciliation and validation happen periodically, so it may take some time to see your "HMTs earned" count move up for a new account.
Sophisticated anti-fraud measures are employed to detect and mitigate unearned allocation of HMTs.
You should not assume that an HMT point has intrinsic value, and the utility of a single HMT also varies over time based on a variety of factors.
HMT or HMT point accruals via hCaptcha that reach a minimum threshold may also be converted quarterly to USD, at a rate set periodically by hCaptcha, with payment received via PayPal Payouts. This applies to users located in the US or any of the other countries supported by PayPal Payouts, subject to compliance with all applicable laws including relevant sanctions.
What do Estimated and Available mean for HMT earnings?
Note: this question refers to a feature that is currently undergoing changes.
Estimated HMT is a real-time estimate based on the total number of captchas solved and other factors. Available HMT is the final computed balance available for withdrawal.