How next-generation captchas work and why it matters for automation
Sid Wudraq · 2026-05-21 · via DEV Community

Modern captchas aren't the simple puzzle-clicking tests anymore. They're full-blown behavioral and environmental verification systems. They look at everything — your browser fingerprint, device parameters, how you move your mouse, how you interact with the page. That little box you tick or the traffic lights you click? Just the final layer of a much deeper process.

If you're building scrapers, automation scripts, or working with anti-detect browsers, you need to understand how these things actually work under the hood. In practice, captcha handling comes down to two things:

  • Scoring — who calculates your risk score and what model they use.
  • Signals — what data gets collected from your browser and how it's sent to the verification server.

Different captcha providers do this differently. In this article, we break down three of the most common and technically advanced ones: reCAPTCHA v3, Cloudflare Turnstile, and hCaptcha. We'll look at how each one is built, what signals they grab, and how they decide whether you're a human or a bot.

How captchas work

1. reCAPTCHA v3 (Google)

A classic example of an invisible scoring model. The browser silently collects behavioral data — how you move your mouse, scroll, interact with elements — and exchanges it with Google for a token.

That token is then sent to the website's backend. The server makes a separate request to Google's verification endpoint, passing the token along with the site's secret key. Google responds with a JSON payload containing a risk score between 0.0 (bot) and 1.0 (human), plus the action label the token was minted for. The backend should check that label against the action it expected; otherwise a token minted on a low-value page could be submitted to a sensitive endpoint.

If the score comes back low (typically below 0.5), it's up to the website owner to decide what happens next. Some sites block the request entirely. Others fall back to a visible reCAPTCHA v2 challenge — those familiar grids of traffic lights, bridges, or storefronts.

Integration example. On a page that includes a captcha, you load the script like this:

<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>

When the target action occurs (for example, when the "Login" button is clicked), the following method is called:

grecaptcha.execute('YOUR_SITE_KEY', {action: 'login'}).then(function(token) {
    // This token is sent to the website backend along with the form data,
    // typically in a hidden input named g-recaptcha-response
});

[Figure: how reCAPTCHA v3 works]

The token is valid for only 2 minutes and can be used for verification only once.

Important nuance for scrapers: the score isn't only about in-page behavior. Network-level signals feed into it too, most notably the TLS ClientHello fingerprint (JA3 hash) of the client that fetched the token. In the author's experience, since Google increased the weight of that signal, a request whose TLS handshake doesn't look like a current Chrome (122 or later) scores below 0.1 even with a perfectly valid token. Sites on the reCAPTCHA Enterprise tier get additional signals on top of that.

Backend verification example:

import requests

SECRET_KEY = 'YOUR_SECRET_KEY'

def verify_recaptcha(token, client_ip, expected_action='login'):
    # client_ip must be obtained from request.remote_addr or the proxy headers
    response = requests.post('https://www.google.com/recaptcha/api/siteverify', data={
        'secret': SECRET_KEY,
        'response': token,
        'remoteip': client_ip
    }, timeout=5).json()

    # A token can be valid yet minted for a different action than the one being protected
    if not response.get('success') or response.get('action') != expected_action:
        return False

    score = response.get('score', 0)
    if score < 0.5:
        # Fallback to v2 or blocking
        return False
    return True

2. Cloudflare Turnstile

A verification platform with no visual puzzles. Instead of showing you a CAPTCHA, it runs a dynamic set of background checks inside your browser. Most users never notice anything — no clicking, no image selection, no explicit actions at all.

[Figure: Cloudflare Turnstile widget]

Main check types:

  • Proof-of-work. The browser gets a hashing task to solve. Short CPU spike. Doesn't hurt real users but makes mass automated requests more expensive to run.
  • Environment integrity. Turnstile compares declared params (User-Agent, platform, etc.) against what the browser engine can actually do. Mismatch = higher risk score.
  • API availability. Checks for modern web standards: Canvas, WebAudio, WebRTC, etc. Bots running on stripped-down or outdated engines often fail here because they don't fully implement these APIs.
  • Implementation validation. Not just whether an API exists, but whether it behaves like a real browser. For example: does Canvas rendering match Chrome's reference profile, or does it have artifacts from virtualized or spoofed drivers?
  • Turnstile also checks the Battery API and the Permissions API. Node.js bots in headless mode often misbehave on navigator.getBattery() and give inconsistent answers from navigator.permissions.query(). A common (and crude) patch via puppeteer-extra:

await page.evaluateOnNewDocument(() => {
  const originalQuery = window.navigator.permissions.query;
  // Keep `this` bound to the permissions object; an unbound call throws "Illegal invocation"
  window.navigator.permissions.query = (parameters) =>
    originalQuery.call(window.navigator.permissions, parameters).then(() => ({ state: 'granted' }));
});

Forcing every query to 'granted' is itself a tell: a real Chrome reports 'prompt' for notifications while Notification.permission is 'default', so this patch trades one inconsistency for another.
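To show what "environment integrity" and "API availability" checks look like from the defender's side, here is an added example that is not part of the original article and not Turnstile's actual code. It runs a set of consistency checks over two constructed fingerprint dicts (a genuine desktop Chrome and a patched headless bot); the field names and the three-bucket escalation in risk_level() are this example's own assumptions about what a collector reports.

```python
# Constructed fingerprint samples (not captures of real browsers) in the shape a
# client-side collector might report back; the field names are this example's own.
REAL_CHROME = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "platform": "Win32",
    "ua_ch_platform": "Windows",           # Sec-CH-UA-Platform client hint
    "webdriver": False,
    "apis": {"canvas": True, "webaudio": True, "webrtc": True, "getBattery": True},
    "notification_permission": "default",  # Notification.permission
    "permissions_query": "prompt",         # navigator.permissions.query({name: 'notifications'})
    "plugins": 5,
    "languages": ["en-US", "en"],
}
HEADLESS_BOT = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) HeadlessChrome/124.0.0.0 Safari/537.36",
    "platform": "Linux x86_64",            # the container host leaks through
    "ua_ch_platform": "Linux",
    "webdriver": True,
    "apis": {"canvas": True, "webaudio": False, "webrtc": False, "getBattery": False},
    "notification_permission": "default",
    "permissions_query": "granted",        # the "always granted" patch from above
    "plugins": 0,
    "languages": [],
}

# OS declared in the UA string -> expected navigator.platform prefix; order matters
# because an Android UA also contains "Linux".
UA_OS_MARKERS = [("Windows NT", "Windows"), ("Macintosh", "macOS"),
                 ("Android", "Android"), ("Linux", "Linux")]
PLATFORM_PREFIX = {"Windows": "Win32", "macOS": "MacIntel", "Android": "Linux", "Linux": "Linux"}
# In a genuine Chrome these two views of the notification permission always agree
NOTIFICATION_PAIRS = {"default": "prompt", "granted": "granted", "denied": "denied"}


def integrity_flags(fp):
    """Return a list of environment inconsistencies found in one fingerprint dict."""
    flags = []
    ua = fp["user_agent"]

    # Direct automation markers
    if fp.get("webdriver"):
        flags.append("navigator.webdriver is true")
    if "HeadlessChrome" in ua:
        flags.append("HeadlessChrome token in User-Agent")

    # Declared parameters vs what the engine actually reports
    ua_os = next((name for marker, name in UA_OS_MARKERS if marker in ua), None)
    if ua_os and not fp["platform"].startswith(PLATFORM_PREFIX[ua_os]):
        flags.append(f"UA claims {ua_os} but navigator.platform is {fp['platform']}")
    if ua_os and fp.get("ua_ch_platform") not in (None, ua_os):
        flags.append(f"UA claims {ua_os} but Sec-CH-UA-Platform is {fp['ua_ch_platform']}")

    # API availability: a current Chrome implements all of these
    missing = sorted(api for api, present in fp["apis"].items() if not present)
    if missing:
        flags.append("missing APIs: " + ", ".join(missing))

    # Implementation validation: the two permission views must agree
    if NOTIFICATION_PAIRS.get(fp["notification_permission"]) != fp["permissions_query"]:
        flags.append("Notification.permission disagrees with permissions.query")

    # Headless tells: desktop Chrome ships plugins and at least one language
    if fp["plugins"] == 0 and ua_os != "Android":
        flags.append("navigator.plugins is empty")
    if not fp["languages"]:
        flags.append("navigator.languages is empty")
    return flags


def risk_level(fp):
    """Coarse escalation bucket (this example's own rule): 0 flags pass, 1-2 challenge, 3+ block."""
    n = len(integrity_flags(fp))
    return "pass" if n == 0 else ("challenge" if n <= 2 else "block")


if __name__ == "__main__":
    for name, fp in (("real chrome", REAL_CHROME), ("headless bot", HEADLESS_BOT)):
        print(name, risk_level(fp), integrity_flags(fp))
```

The point the sample makes: a stealth patch that fixes navigator.webdriver and the User-Agent but leaves navigator.platform and the client hints reporting the container's Linux host still lands in the challenge bucket, because the checks are about agreement between signals, not about any single value.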

After these checks, ML models are applied to evaluate the results and a short-lived one-time token is issued.

The script connection works similarly to reCAPTCHA. Example integration:

<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>

Widget element:

<div class="cf-turnstile" data-sitekey="yourSiteKey"></div>

Turnstile modes:

  1. Managed — a widget appears on the page, but in most cases it auto-verifies and turns green instantly. No user interaction required.
  2. Invisible — runs entirely in the background. No widget, no UI, no user involvement at all.

If Turnstile detects elevated risk or weird signals, it escalates. The user might see a checkbox to tick. In rare cases, it can fall back to a full visual challenge, but that's not the default behavior.

[Figure: Cloudflare Turnstile modes explained]

Once verification is complete, the widget drops the token into a hidden form field named cf-turnstile-response. The website's backend then takes that token and sends a POST request to Cloudflare at https://challenges.cloudflare.com/turnstile/v0/siteverify, passing two parameters: secret and response (the token). An optional remoteip with the visitor's IP address is accepted as well.

Like reCAPTCHA, the token is single-use, but it has a longer lifespan: 5 minutes. If the response contains "success": false, the error-codes field explains why. For instance, invalid-input-response means the token is invalid or expired, and timeout-or-duplicate means it was already validated once (or the 5 minutes ran out).

3. hCaptcha

A hybrid verification model that serves as a privacy-focused alternative to Google's solutions. In its basic setup, it presents the familiar "I am human" checkbox. When the system picks up suspicious signals, it escalates — showing more complex visual challenges that are typically harder than Google's.

[Figure: hCaptcha example]

Beyond the standard setup, hCaptcha also offers Invisible and Passive modes, where verification happens with little to no user interaction. Enterprise clients get access to a scoring mechanism similar to Google's — risk assessment without any interactive challenges.

Example integration:

<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
<div class="h-captcha" data-sitekey="YOUR_SITE_KEY"></div>

After the captcha is passed, a hidden field named h-captcha-response appears in the form. The website's server verifies it with a POST request to https://api.hcaptcha.com/siteverify with the parameters secret, response and, preferably, remoteip.

[Figure: hCaptcha explained]

Server response: In the free version everything is straightforward:

{
  "success": true,        // or false
  "challenge_ts": "...",  // ISO 8601 timestamp of the solve
  "hostname": "..."       // site the widget was served on; compare it with your own
}

In the Enterprise version, the JSON contains additional fields with a risk score and rejection reasons.
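The Turnstile and hCaptcha backend checks above have the same shape, so here is one added example (not code from the original article or from either provider) that verifies a token from either widget and applies the checks a backend should make beyond reading "success": hostname, the echoed action (Turnstile), and the age of challenge_ts. The HTTP call is injectable so the logic runs offline against constructed responses; the field names follow the providers' documented responses, but every value below is invented.

```python
import time
from datetime import datetime, timezone

# Verification endpoints for the two providers
SITEVERIFY = {
    "turnstile": "https://challenges.cloudflare.com/turnstile/v0/siteverify",
    "hcaptcha": "https://api.hcaptcha.com/siteverify",
}
# Hidden form field each widget writes its token into
TOKEN_FIELD = {"turnstile": "cf-turnstile-response", "hcaptcha": "h-captcha-response"}


def parse_challenge_ts(ts):
    """challenge_ts is ISO 8601 UTC, e.g. '2026-05-21T12:00:00.000Z'; return epoch seconds."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def verify_token(provider, form, secret, client_ip, expected_hostname,
                 expected_action=None, post=None, max_age=300, now=None):
    """Verify a Turnstile or hCaptcha token; returns {'ok': bool, 'reason': str | None}.

    `post(url, data)` must return the decoded JSON body. It is injectable so the
    decision logic can be exercised offline; the default uses `requests`.
    """
    token = form.get(TOKEN_FIELD[provider], "")
    if not token:
        return {"ok": False, "reason": "missing-token"}
    if post is None:
        import requests
        post = lambda url, data: requests.post(url, data=data, timeout=5).json()

    resp = post(SITEVERIFY[provider],
                {"secret": secret, "response": token, "remoteip": client_ip})

    # 1. The provider's verdict; error-codes says why a token was rejected
    if not resp.get("success"):
        return {"ok": False, "reason": ",".join(resp.get("error-codes") or ["unknown"])}
    # 2. The token must have been solved on our site, not harvested on another one
    if resp.get("hostname") != expected_hostname:
        return {"ok": False, "reason": "hostname-mismatch"}
    # 3. Turnstile echoes the widget's data-action; bind tokens to the endpoint
    if expected_action is not None and resp.get("action") != expected_action:
        return {"ok": False, "reason": "action-mismatch"}
    # 4. Defence in depth on top of the provider's own expiry: reject old solves
    ts = resp.get("challenge_ts")
    if ts:
        age = (now if now is not None else time.time()) - parse_challenge_ts(ts)
        if age > max_age:
            return {"ok": False, "reason": "stale-challenge"}
    return {"ok": True, "reason": None}


# Constructed siteverify responses for offline use (values invented)
FIXED_NOW = parse_challenge_ts("2026-05-21T12:00:30.000Z")
TURNSTILE_OK = {"success": True, "challenge_ts": "2026-05-21T12:00:00.000Z",
                "hostname": "example.com", "error-codes": [], "action": "login", "cdata": ""}
TURNSTILE_BAD = {"success": False, "error-codes": ["invalid-input-response"]}
HCAPTCHA_OK = {"success": True, "challenge_ts": "2026-05-21T12:00:00.000Z",
               "hostname": "example.com"}


def fake_post(response):
    """Stand-in for the HTTP call that returns a canned JSON body."""
    return lambda url, data: response


if __name__ == "__main__":
    form = {"cf-turnstile-response": "constructed-token"}
    print(verify_token("turnstile", form, "SECRET", "203.0.113.7", "example.com",
                       expected_action="login", post=fake_post(TURNSTILE_OK), now=FIXED_NOW))
```

The hostname check is the one most often skipped in practice: without it, a token solved on any site that uses the same widget key (or a phishing copy of your form) verifies fine, because the provider only attests that someone solved a challenge, not where it was submitted.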

Comparison table by criteria

[Figure: comparison table of reCAPTCHA v3, Cloudflare Turnstile and hCaptcha by criteria]

*If you're looking for an anti-detect browser for automation, you can test Octo Browser for free with the promo code DEVTO.*

Captcha bypass strategies

When you're dealing with large-scale scraping, multi-accounting, or heavy web automation, you've got three main options for handling captchas. Which one you pick depends on your traffic volume, how stable you need things to be, and how aggressive the target site's protection is.

Delegating: using an intermediary service

The most popular approach for scalable systems. You don't solve the captcha yourself — you send it to a third-party service that solves it and hands you back a token.

But getting the token is only half the battle. The website won't know the captcha has been solved until you actually apply it. This usually means injecting it via JavaScript.

  1. Locate the hidden field — typically named g-recaptcha-response — and insert the token there.
  2. The critical part: you also need to trigger the callback function that kicks off server-side verification. Skip this, and the "Submit" button might stay disabled.

[Figure: how to bypass captchas]

# Insert the token into the hidden field the widget normally fills
driver.execute_script(
    "document.querySelector('[name=\"g-recaptcha-response\"]').value = arguments[0];", token)
# Call the site's callback so its own submit logic runs. The name is site-specific:
# read it from the widget's data-callback attribute or the page's reCAPTCHA config
driver.execute_script("submitCallback(arguments[0]);", token)

Possible pitfalls:

  1. User-Agent matching. The User-Agent string used by the solving service must match the one you use when submitting the token. If the service solved the captcha with Chrome 139 but you submit the token with Chrome 140 headers, the token gets rejected. This is especially critical for Turnstile.

  2. Proxy matching. For reCAPTCHA v3 and hCaptcha Enterprise, you really want to send your proxy to the recognition service. The captcha should be solved from the same IP address you'll use to access the site. Otherwise, Google detects the mismatch.

  3. Dynamic parameters. Sometimes the SiteKey alone isn't enough. Take Google SERP or other heavily protected systems — they often require a data-s parameter that's dynamically generated on each page load. If you just send the SiteKey to the solving service without this parameter, you'll get a valid token, but the website won't accept it.

Browser emulation (Puppeteer/Selenium + Stealth)

This approach is necessary when the target site strictly checks the JS environment — Turnstile and hCaptcha Enterprise fall into this category. Standard Puppeteer or Selenium gets detected immediately because navigator.webdriver is set to true.

So you need additional tools: puppeteer-extra-plugin-stealth, undetected-chromedriver, or Octo Browser via its API.

The core idea behind the anti-detect browser approach is that the browser runs on a modified Chromium build that spoofs the critical fingerprints (Canvas, WebGL, WebRTC, Audio) in native C++ code, not through JS injections.

This is the key difference. Turnstile looks for traces of JS-level interference (the classic tell is a patched function whose toString() no longer reads "[native code]"), and a native-level spoof leaves none. The browser introduces unique hardware noise and parameters, passes the integrity checks, and you get the token automatically.

The downside: this method eats RAM and CPU. Not suitable for thousands of threads. But for 50–100 threads, it's optimal.

If you need 100+ threads, combine it with Docker and flags like --no-sandbox --disable-gpu. With Playwright, a stealth plugin, and residential proxies, expect around a 70% success rate bypassing Turnstile. Alternatively, use the Octo Browser API in headless mode.

HTTP-level requests (TLS fingerprinting)

This is an advanced approach for high-volume scraping in languages like Go, Python, or C#. No browser is involved. Instead, you reproduce the network fingerprint of a real browser.

The catch: standard HTTP libraries like Python Requests (on top of OpenSSL) do TLS handshakes differently than browsers: a different cipher order, a different set and order of extensions, no GREASE values, and therefore a different JA3 hash. Cloudflare spots these discrepancies and can block your request before the captcha script even loads.

But there are libraries that mimic the TLS fingerprint of an actual browser, for example curl_cffi (curl-impersonate) for Python and uTLS for Go. With those, you can pass Cloudflare's TLS-level checks without spinning up a browser at all; the Turnstile widget's own in-browser checks still need either a browser or a solving service.
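To make the discrepancy concrete, here is an added example (not from the original article or from any fingerprinting library) that computes a JA3 fingerprint from ClientHello field lists. The lists are constructed to illustrate the shapes involved and are not exact captures of Chrome or of OpenSSL; the format and the GREASE-stripping rule are those of the JA3 specification.

```python
import hashlib

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. Browsers insert a random one
# per connection, so JA3 drops them; otherwise the same browser would hash differently
# on every handshake.
GREASE = {((0x0a + 0x10 * i) << 8) | (0x0a + 0x10 * i) for i in range(16)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: version,ciphers,extensions,curves,formats (dash-separated, GREASE removed)."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint = MD5 of the JA3 string, as a 32-character hex digest."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode()).hexdigest()


# Constructed ClientHello field lists (illustrative, not exact captures).
# 771 is the TLS 1.2 legacy_version; cipher and extension values are IANA code points.
CHROME_LIKE = dict(
    version=771,
    ciphers=[0x2a2a, 4865, 4866, 4867, 49195, 49199, 49196, 49200,
             52393, 52392, 49171, 49172, 156, 157, 47, 53],
    extensions=[0x2a2a, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 17513, 0x3a3a, 21],
    curves=[0x2a2a, 29, 23, 24],
    point_formats=[0],
)
# Same browser, next connection: only the random GREASE values changed
CHROME_LIKE_NEXT = dict(
    CHROME_LIKE,
    ciphers=[0x7a7a] + CHROME_LIKE["ciphers"][1:],
    extensions=[0x7a7a] + CHROME_LIKE["extensions"][1:-2] + [0x9a9a, 21],
    curves=[0x7a7a] + CHROME_LIKE["curves"][1:],
)
# A plain OpenSSL-backed client (the Python Requests situation): no GREASE, the same
# algorithms offered in a different order, and a different extension set
LIBRARY_LIKE = dict(
    version=771,
    ciphers=[4866, 4867, 4865, 49196, 49200, 49195, 49199,
             52393, 52392, 157, 156, 49172, 49171, 53, 47],
    extensions=[0, 11, 10, 35, 22, 23, 13, 43, 45, 51],
    curves=[29, 23, 30, 25, 24],
    point_formats=[0, 1, 2],
)


def same_fingerprint(a, b):
    """True when two ClientHellos produce the same JA3 hash."""
    return ja3_hash(**a) == ja3_hash(**b)


if __name__ == "__main__":
    print("chrome      ", ja3_hash(**CHROME_LIKE), ja3_string(**CHROME_LIKE))
    print("chrome again", ja3_hash(**CHROME_LIKE_NEXT))
    print("library     ", ja3_hash(**LIBRARY_LIKE), ja3_string(**LIBRARY_LIKE))
```

Two things fall out of running it: the two Chrome-like hellos hash identically despite different GREASE values, which is why JA3 is stable enough to build reputation on, and the library-like hello hashes differently even though it supports the same cipher suites, because JA3 is an ordered string. That ordering is exactly what a browser-impersonating TLS stack reproduces and what a stock HTTP client cannot be configured to reproduce.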

Why your bot receives a low score or a ban

If you sent the captcha to a solving service, injected the token, and still can't get in — the issue is probably not the captcha itself. Check these instead:

  1. Dirty proxies. Datacenter IPs are flagged as high risk by Google and Cloudflare right out of the gate. The fix? Use mobile or residential proxies.

  2. Lack of profile preparation (reCAPTCHA v3 specific). You're hitting the site with a clean, empty profile — no history, no cookies. To reCAPTCHA v3, that screams "bot". You need properly prepared profiles with saved SID/HSID cookies from an authenticated Google session.

  3. Header inconsistency. The order of your request headers doesn't match what a real browser sends. Chrome, for example, has a specific order: Host -> Connection -> sec-ch-ua... If your library sends headers in a different sequence, anti-fraud systems will notice.

Conclusion

By 2026, automation isn't just about writing scripts — it's about building a solid architecture and staying in control at every level of interaction.

reCAPTCHA v3 isn't really beaten by solving challenges. It's all about reputation management: high-quality profiles, consistent interaction history, and a stable environment.

Cloudflare Turnstile is strict about environment integrity. Any mismatch in JS behavior, API responses, or TLS fingerprints will lower your trust score and trigger escalation.

hCaptcha leans more on visual tasks, which actually makes it easier to bypass with modern computer vision models compared to the other two.

Bottom line: beating captchas today means understanding how anti-bot systems think and managing your digital fingerprint at every single step.