captcha.cc
Documentation

API Reference

Core endpoints, request bodies, and the browser-to-server verification sequence.

create challenge

POST /v1/challenges

{
  "site_key": "pk_live_xxx",
  "hostname": "example.com",
  "mode": "image"
}

Normal responses include challenge_id, captcha_blob, image_url, and expiry metadata. If the site accepts shared clearance and the browser already has a valid captcha.cc clearance cookie, the response can instead include skip_challenge: true plus a fresh proof_token.

verify answer

POST /v1/verify

{
  "captcha_blob": "...",
  "answer": "abcde"
}

If the answer is correct and the challenge is not spent, the response includes a single-use proof_token.

server redemption

POST /v1/siteverify

{
  "secret_key": "sk_live_xxx",
  "proof_token": "..."
}

The proof token is authenticated offline, then checked once against the authoritative spent record. Replays fail. Successful responses include metadata such as solve_mode, so your backend can decide whether shared-clearance proofs are acceptable for the current action.

sequence

  1. Browser creates a challenge with the site key.
  2. Browser submits captcha_blob and answer to /v1/verify.
  3. Browser sends the returned proof token to your server.
  4. Server calls /v1/siteverify with the secret key.
  5. Your app accepts or rejects the action based on success.