hCaptcha Technical Architecture

2023 Update: This post was originally written in 2018, and the system has evolved as hCaptcha has scaled to serve hundreds of millions of people and more use cases. We have lightly revised it, but it is mainly of historical interest.

‍

This post details how hCaptcha works on a technical level, in the interest of providing more transparency to our users and to communicate our thinking on how to build a secure and valuable service.

Note: hCaptcha is under active development and details may change in the future.

First, a quick recap

The hCaptcha service provides a useful service to website owners by protecting their sites from fraud and abuse, especially non-human actors and bots.

Everyone benefits from this:

• Website owners secure their site by placing a captcha challenge to protect against unwanted bot/spam traffic. They receive protection by using hCaptcha.
• Website visitors enjoy a site with less spam and fewer bots.

High Level Design

‍

The basic interaction flow is as follows:

For website owners, the process to get involved is incredibly simple and is built to be a drop-in replacement for existing captcha services out there. Simply sign up and add our JavaScript tags where you want to protect your site. It’s as easy as that.

Detecting Human Users

A common question that arises is: “how does hCaptcha know the answers to user-submitted, generic tasks if a human has never been involved?”

The answer is by combining many different techniques:

• Using information from the client side environment to analyze data like browser data, mouse movements, and gyroscopic behavior.
• Presenting tasks multiple times in various forms, and comparing results via statistical analysis of the results.
• Using some of the latest machine learning techniques to enhance all of the above and verify the answers.

‍