CAPTCHA: hCaptcha

Solve the real hCaptcha widget and verify its response token server-side

What you will learn

Generalise frame-entry + response-token extraction beyond Google to a second vendor
Verify the h-captcha-response token server-side via the siteverify round-trip
Compare hCaptcha's widget mechanics with reCAPTCHA and Turnstile

hCaptcha — Real Vendor Widget

A genuine third-party hCaptcha widget rendered in its own iframe. Solve the checkbox, capture the response token, and let the server verify it via siteverify.

Unlike the self-hosted math/code/grid challenges, the answer here never lives in your DOM — hCaptcha hands back an opaque token that only the vendor can validate server-side. Your automation cannot forge it; it has to drive the real widget and then read the token it produces.

This is the second vendor in the set. The pattern generalizes across providers: switch into the widget iframe, trigger the challenge, then extract the response token from the host page — the exact same shape you used for reCAPTCHA. Only the iframe origin and the global name (window.hcaptcha vs window.grecaptcha) change.

Mode: practice — the published TEST sitekey always passes, so the flow is fully automatable end to end.

hCaptcha Widget

Click the checkbox, then the token is auto-verified by the server

Loading hCaptcha SDK…

Testing Tips

Automation hints

✓ The checkbox lives in an hCaptcha iframe — use a frame locator (Playwright frameLocator("iframe[src*=hcaptcha]")) before clicking #checkbox, never the top-level document
✓ After solving, the response lands in a hidden textarea[name="h-captcha-response"] and is mirrored here on #hcaptcha-token[data-token] — extract it instead of re-solving
✓ The TEST sitekey 10000000-ffff-… always passes: click the box, wait for the auto-POST, then assert #captcha-result[data-verdict=human]
✓ Prefer the API path — POST { vendor: "hcaptcha", token } to /api/captcha/vendor to skip the UI entirely (200 = pass, 403 = fail)
✓ Same recipe as reCAPTCHA — only the iframe origin and global (window.hcaptcha vs window.grecaptcha) differ; build one reusable "solve vendor captcha" helper

Related Challenges

hCaptcha — Real Vendor Widget

A genuine third-party hCaptcha widget rendered in its own iframe. Solve the checkbox, capture the response token, and let the server verify it via siteverify.

Mode: practice — the published TEST sitekey always passes, so the flow is fully automatable end to end.

Testing Tips

Automation hints

✓ The checkbox lives in an hCaptcha iframe — use a frame locator (Playwright frameLocator("iframe[src*=hcaptcha]")) before clicking #checkbox, never the top-level document
✓ After solving, the response lands in a hidden textarea[name="h-captcha-response"] and is mirrored here on #hcaptcha-token[data-token] — extract it instead of re-solving
✓ The TEST sitekey 10000000-ffff-… always passes: click the box, wait for the auto-POST, then assert #captcha-result[data-verdict=human]
✓ Prefer the API path — POST { vendor: "hcaptcha", token } to /api/captcha/vendor to skip the UI entirely (200 = pass, 403 = fail)
✓ Same recipe as reCAPTCHA — only the iframe origin and global (window.hcaptcha vs window.grecaptcha) differ; build one reusable "solve vendor captcha" helper

CAPTCHA: hCaptcha

What you will learn

hCaptcha — Real Vendor Widget

hCaptcha Widget

Testing Tips

Timer

Need Help?

Related Challenges

iFrames

Shadow DOM

Drag & Drop

CAPTCHA: hCaptcha

What you will learn

hCaptcha — Real Vendor Widget

hCaptcha Widget

Testing Tips

Timer

Need Help?

Related Challenges

iFrames

Shadow DOM

Drag & Drop