hCaptcha, operated by Intuition Machines, is a privacy-focused CAPTCHA and bot-defense platform used as a drop-in replacement for Google reCAPTCHA. The free Publisher and Pro tiers offer a JavaScript widget and a server-side /siteverify endpoint that issue and verify single-use tokens. The Enterprise tier (hCaptcha Enterprise) adds advanced bot detection, account defense, MFA, machine-learning fraud signals, and management APIs. hCaptcha is broadly integrated into web frameworks and CMS platforms (React, Vue, Angular, Node/Express, WordPress, Magento) and ships first-party mobile SDKs for iOS and Android.
APIs.json: https://raw.githubusercontent.com/api-evangelist/hcaptcha/refs/heads/main/apis.yml
- Type: Index
- Position: Provider
- Access: Public
- CAPTCHA
- Bot Defense
- Privacy
- hCaptcha
- Intuition Machines
- Account Defense
- Enterprise Security
- Created: 2026-05-23
- Modified: 2026-05-23
The /siteverify endpoint validates an hCaptcha response token submitted by a browser. The server POSTs the token, secret key, and optional remote IP, and receives a JSON response indicating success, hostname, timestamp, score (Enterprise), and any error codes. This is the canonical server-side check that gates form submissions and API calls behind an hCaptcha challenge.
- Human URL: https://docs.hcaptcha.com/
- Base URL:
https://api.hcaptcha.com
- Siteverify
- Token Verification
- Server-Side
- Documentation
- API Reference
- Postman Collection — Postman Collection 2.1
- Open Collection — Open Collection 1.0
The hCaptcha JS widget renders the visible or invisible challenge on a page and produces a response token on success. Developers include a script tag pointing at js.hcaptcha.com/1/api.js and place a div with data-sitekey, optionally configuring theme, size, callback, and language. Frontend wrappers exist for React, Vue, and Angular.
- Human URL: https://docs.hcaptcha.com/configuration
- Base URL:
https://js.hcaptcha.com/1/api.js
- JavaScript
- Widget
- Frontend
- Challenge
- Documentation
- Script U R L
- S D K React
- S D K Vue
- S D K Angular
- Postman Collection — Postman Collection 2.1
- Open Collection — Open Collection 1.0
Invisible hCaptcha runs the challenge in the background and only surfaces a visible puzzle when risk requires it. It is configured via the same widget script and an additional data-size="invisible" attribute, enabling no-friction verification on most legitimate users.
- Human URL: https://docs.hcaptcha.com/invisible
- Base URL:
https://js.hcaptcha.com/1/api.js
- Invisible
- Frictionless
- Risk-Based
hCaptcha publishes native iOS and Android SDKs (with React Native and Flutter wrappers) so mobile apps can present the same risk-based challenges as the web widget and obtain response tokens that the server verifies via /siteverify.
- Human URL: https://docs.hcaptcha.com/mobile_app_sdks
- Base URL:
https://docs.hcaptcha.com/mobile_app_sdks
- Mobile
- iOS
- Android
- SDK
- Documentation
- S D Ki O S
- S D K Android
- Postman Collection — Postman Collection 2.1
- Open Collection — Open Collection 1.0
hCaptcha Enterprise extends the core challenge with advanced bot detection, account defense (ATO and fake-account protection), MFA and pull-based SMS, fraud signals, and management APIs for provisioning sitekeys, retrieving analytics, and tuning policies. Access is gated to Enterprise customers.
- Human URL: https://www.hcaptcha.com/enterprise
- Base URL:
https://api.hcaptcha.com
- Enterprise
- Account Defense
- Fraud
- Management API
- Product Page
- Documentation
- Postman Collection — Postman Collection 2.1
- Open Collection — Open Collection 1.0
FN: Kin Lane Email: kin@apievangelist.com