Mobile App SDKs
Native mobile SDKs and integration guides are available for all popular mobile app platforms.
If you do not see your required platform or framework below, please contact us: in general it is straightforward to add support for new frameworks.
Android SDK
The Android SDK is a fully featured drop-in replacement for Google's SafetyNet reCAPTCHA API: switching should take only a few minutes. It additionally includes support for all of the advanced hCaptcha Enterprise features like first-party hosting, custom challenges, and more.
An example app, complete implementation guide, and full source are available on the public GitHub repo.
The SDK is also published for convenient integration via the JitPack Maven repo.
iOS SDK
The iOS SDK provides a simple API to embed hCaptcha into your app.
An example app, complete implementation guide, and full source are available on the public GitHub repo.
The SDK is also published for convenient integration via Carthage and CocoaPods.
Flutter
An implementation guide with source is available here.
React Native
An example app, implementation guide, and full source are available on the public GitHub repo.
See also the separate hCaptcha React library.
Less Common Scenarios
Managing your own Webviews or Embedded Environments
If you are managing your own webview, you can ship an hCaptcha HTML file that embeds the standard api.js just as you would in a web environment, i.e. with an implementation pattern identical to the one described here.
The only thing to keep in mind is that you will need to provide a host flag to api.js, as it cannot detect a hostname inside the webview. For example: api.js?host=my.com. This is used purely for analytics breakdowns on your sitekey, and is treated as untrusted data; it has no security implications.
This is the equivalent of the SDK argument host provided in our native SDKs. (Examples: iOS, Android)
Note that we would always recommend using our native SDKs when your environment permits this. Integrating our native SDKs is simpler and more efficient than managing your own webview, and enables better performance in many cases.
Migrating Self-Managed Webviews from Other Security Providers
If you are already managing your own webview, then your existing flow will almost always look like this:
1. Your app embeds an HTML file that embeds the provider's JS script tag. (hCaptcha equivalent: <script src="https://js.hcaptcha.com/1/api.js?host=mobile.my.com" async defer></script>)
2. Your app triggers a JS execute call via the webview's postMessage bridge, causing a challenge to appear and/or a token to be returned, depending on whether you are using active or passive mode. (hCaptcha equivalent: hcaptcha.execute() JS call)
3. Your app sends the token to your backend server along with other data, e.g. login info. (Usually no changes required here.)
4. Your backend calls the provider to verify the token. (hCaptcha equivalent: siteverify server-side call)
To switch to hCaptcha, you generally only need to: swap out the JS tag in your HTML file (step 1), change the execute call (step 2), and call the hCaptcha API to verify the token (step 4).
This is typically a very quick process, so if you have any questions please reach out to Support and we will be happy to help.
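The page-side half of the migration steps above (loading api.js with the host flag, then running the execute call on a message from the app), shown as an added example that is not hCaptcha's own code. The bridge object, the JSON message shapes, the onHcaptchaLoad callback name and the container id are hypothetical; the sitekey is a placeholder.

```javascript
// Added example: page-side glue for a self-managed webview.
// Hypothetical names: `bridge`, the {type: ...} message shapes, `containerId`.

const API_BASE = "https://js.hcaptcha.com/1/api.js";

// Step 1: build the api.js URL. `host` is only an analytics label, so it is
// URL-encoded here and never used for any trust decision.
function buildApiUrl(host, onloadName) {
  const q = new URLSearchParams({ host, render: "explicit", onload: onloadName });
  return `${API_BASE}?${q.toString()}`;
}

// Step 2: wire the widget to the native bridge. `hcaptcha` is the global that
// api.js defines; `bridge.postMessage` stands in for the webview's bridge.
function attachCaptcha(hcaptcha, bridge, sitekey, containerId) {
  const send = (msg) => bridge.postMessage(JSON.stringify(msg));
  const widgetId = hcaptcha.render(containerId, {
    sitekey,
    size: "invisible",
    // The token goes to the app, which forwards it to the backend (step 3);
    // only the backend's siteverify call (step 4) decides whether it is valid.
    callback: (token) => send({ type: "token", token }),
    "expired-callback": () => send({ type: "expired" }),
    "error-callback": (err) => send({ type: "error", error: String(err) }),
  });

  // The returned handler is what the native side invokes to start a check.
  return function onNativeMessage(raw) {
    let msg;
    try {
      msg = JSON.parse(raw);
    } catch {
      return false; // ignore anything that is not JSON
    }
    if (!msg || msg.type !== "execute") return false; // ignore unknown commands
    hcaptcha.execute(widgetId);
    return true;
  };
}
```

In the HTML file, create the script tag from buildApiUrl(...) and call attachCaptcha(window.hcaptcha, bridge, sitekey, containerId) from the onload callback.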