Back to Blog

hCaptcha Technical Architecture

August 27, 2018

This is a multi-part series that details the business and technical architecture of hCaptcha, the drop-in replacement for reCAPTCHA.

2023 Update: This post was originally written in 2018, and the system has evolved as hCaptcha has scaled to serve hundreds of millions of people and more use cases. We have lightly revised it, but it is mainly of historical interest.

This post details how hCaptcha works on a technical level, in the interest of providing more transparency to our users and to communicate our thinking on how to build a secure and valuable service.

Note: hCaptcha is under active development and details may change in the future.

First, a quick recap

The hCaptcha service provides a useful service to website owners by protecting their sites from fraud and abuse, especially non-human actors and bots.

Everyone benefits from this:

  • Website owners secure their site by placing a captcha challenge to protect against unwanted bot/spam traffic. They receive protection by using hCaptcha.
  • Website visitors enjoy a site with less spam and fewer bots.

High Level Design

The basic interaction flow is as follows:

How this workflow is seen by visitors of websites using hCaptcha

For website owners, the process to get involved is incredibly simple and is built to be a drop-in replacement for existing captcha services out there. Simply sign up and add our JavaScript tags where you want to protect your site. It’s as easy as that.

Detecting Human Users

A common question that arises is: “how does hCaptcha know the answers to user-submitted, generic tasks if a human has never been involved?”

The answer is by combining many different techniques:

  • Using information from the client side environment to analyze data like browser data, mouse movements, and gyroscopic behavior.
  • Presenting tasks multiple times in various forms, and comparing results via statistical analysis of the results.
  • Using some of the latest machine learning techniques to enhance all of the above and verify the answers.

Subscribe to our newsletter

Stay up to date on the latest trends in cyber security. No spam, promise.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Back to blog