hCaptcha is a privacy-preserving CAPTCHA service used by Cloudflare (on its portal), Discord, GitHub, and many other high-traffic sites. It presents image selection challenges similar to reCAPTCHA v2 but with different challenge structures and validation.
Solving hCaptcha returns an h-captcha-response token that is submitted with the form.
hCaptcha Solver Rankings
| Rank | Provider | Solve Speed | Success Rate | Notes |
|---|---|---|---|---|
| 1 | CaptchaAI | 7–11s | ~96–98% | Best overall for hCaptcha |
| 2 | NopeCHA | 5–8s | ~90–94% | Fastest on hCaptcha specifically |
| 3 | Anti-Captcha | 8–13s | ~93–96% | Reliable; good API |
| 4 | CapSolver | 8–12s | ~90–94% | Competitive |
| 5 | 2Captcha | 10–16s | ~74–80% | Broad coverage but lower success rate |
NopeCHA is particularly fast on hCaptcha within its supported type set. For operations focused primarily on hCaptcha volume, it merits evaluation alongside CaptchaAI.
How hCaptcha Solving Works
The solver returns an h-captcha-response token. You inject it into the response field before form submission.
Python Integration (CaptchaAI)
import requests
import time
API_KEY = "YOUR_API_KEY"
def solve_hcaptcha(page_url: str, site_key: str) -> str:
"""Solve hCaptcha and return h-captcha-response token."""
resp = requests.post("https://ocr.captchaai.com/in.php", data={
"key": API_KEY,
"method": "hcaptcha",
"sitekey": site_key,
"pageurl": page_url,
"json": 1,
})
data = resp.json()
if data["status"] != 1:
raise ValueError(f"Submission failed: {data}")
task_id = data["request"]
time.sleep(5)
for _ in range(24):
r = requests.get("https://ocr.captchaai.com/res.php", params={
"key": API_KEY,
"action": "get",
"id": task_id,
"json": 1,
}).json()
if r["status"] == 1:
return r["request"]
if "ERROR" in str(r.get("request", "")):
raise ValueError(f"Error: {r['request']}")
time.sleep(5)
raise TimeoutError("hCaptcha solve timed out")
Anti-Captcha JSON Format
import requests
import time
API_KEY = "YOUR_API_KEY"
def solve_hcaptcha_anticaptcha(page_url: str, site_key: str) -> str:
resp = requests.post("https://api.anti-captcha.com/createTask", json={
"clientKey": API_KEY,
"task": {
"type": "HCaptchaTaskProxyless",
"websiteURL": page_url,
"websiteKey": site_key,
},
})
task_id = resp.json()["taskId"]
time.sleep(5)
for _ in range(24):
r = requests.post("https://api.anti-captcha.com/getTaskResult", json={
"clientKey": API_KEY,
"taskId": task_id,
}).json()
if r["status"] == "ready":
return r["solution"]["gRecaptchaResponse"]
time.sleep(5)
raise TimeoutError("hCaptcha solve timed out")
Finding the hCaptcha Site Key
import re
import requests
def get_hcaptcha_sitekey(url: str) -> str:
page = requests.get(url, headers={"User-Agent": "Mozilla/5.0"})
# Pattern: data-sitekey attribute on h-captcha div
match = re.search(r'data-sitekey=["\']([0-9a-f-]{36})["\']', page.text)
if match:
return match.group(1)
raise ValueError("hCaptcha sitekey not found")
hCaptcha site keys are UUID format (e.g., a5f74b19-9e45-40e0-b45d-47ff91b7a6c5).
hCaptcha Enterprise
hCaptcha Enterprise is a higher-security variant with stricter behavioral analysis. Most major solvers support it — specify the enterprise task type when available. CaptchaAI and Anti-Captcha both support hCaptcha Enterprise.
Injecting the Token
# With Playwright
page.evaluate(
'document.querySelector("[name=h-captcha-response]").value = arguments[0]',
token
)
# With Selenium
driver.execute_script(
'document.querySelector("[name=h-captcha-response]").value = arguments[0];',
token
)
FAQ
Is hCaptcha harder to solve than reCAPTCHA v2? It is different, not necessarily harder. hCaptcha uses image selection challenges. AI providers have trained models on hCaptcha specifically and achieve similar success rates as on reCAPTCHA v2.
Does hCaptcha work with Discord bot automation? hCaptcha is used in Discord's login flow. Solving it programmatically for unauthorized automation may violate Discord's Terms of Service. Use solving services only within applicable terms.
My hCaptcha token is rejected — why? Common causes: expired token (use within 2 minutes), wrong site key, token injected into wrong field. Check the exact field name on the target page.
Compare hCaptcha solvers at captcharank.com/compare.
Production Readiness Notes
Use Best hCaptcha Solver as a decision and implementation aid, not just as a one-time reference. The practical test for best hcaptcha solver is whether the same approach behaves reliably when traffic is messy: rotating sessions, expired tokens, changing widget parameters, intermittent solver delays, and target pages that refresh without warning. For Automation developer / scraping engineer, the safest rollout is to start with a narrow fixture, record every submitted task, and compare the solver response with the browser state that finally submits the form. That makes failures explainable instead of mysterious, especially when a target alternates between visible challenges, invisible checks, and server-side verification.
Evaluation Criteria
A type-specific guide should map the widget parameters to the solver task fields, then verify that the returned token is accepted by the target page rather than merely returned by the API. For hCaptcha work, the most useful scorecard combines technical acceptance with operational cost. A low nominal price is not enough if retries double the real cost per accepted token, and a fast median solve time is not enough if p95 latency stalls the queue. Track these criteria before you standardize the workflow:
- The challenge subtype, sitekey, action, rqdata, blob, captchaId, or page URL used for each task.
- Median and p95 solve time, separated by provider and target domain.
- Accepted-token rate on the target page, not just successful API responses.
- Retry count, timeout count, zero-balance incidents, and invalid-parameter errors.
- The exact browser, proxy region, and user-agent that submitted the solved token.
Rollout Checklist
Before this guidance moves into a production job, build a small acceptance suite around the pages that matter most. Run it with a fixed browser profile, then repeat with the proxy and concurrency settings you expect in production. Keep the first release conservative: bounded polling, clear timeout handling, and a fallback path when the solver cannot return a usable answer. For hCaptcha, verify sitekey discovery, rqdata handling, challenge refresh behavior, proxy consistency, and token injection timing. That checklist keeps the article useful after the first copy-paste, because the integration is judged by end-to-end completion rather than by whether a code sample returned a string.
Monitoring Signals
Healthy CAPTCHA automation is observable. Log the task id, provider, challenge type, target host, queue time, solve time, final submit status, and normalized error code for every attempt. Review those logs in daily batches at first, then move to alerts once the baseline is stable. Sudden drops usually come from target-side changes: a new sitekey, a changed action name, a stricter hostname check, an added managed challenge, or a proxy pool that no longer matches the expected geography. When you can see those shifts quickly, provider switching becomes a controlled decision instead of a late-night rewrite.
Maintenance Cadence
Revisit the setup whenever the target UI changes, when the solver provider changes task names or pricing, or when benchmark data shows a sustained latency or solve-rate shift. Keep one known-good fixture for each CAPTCHA subtype and rerun it after dependency upgrades, browser updates, and proxy changes. If the article is used for vendor selection, repeat the same fixture across at least two providers before renewing a balance or migrating the whole pipeline. That habit keeps best hcaptcha solver work aligned with the real target behavior rather than with stale assumptions.
