
Solve CAPTCHAs. Or skip them entirely.

The 2026 best practice is to never see a CAPTCHA in the first place. When one does fire, server-side solves are free and instant; human-loop solves are a fallback that costs a credit. Here’s when each path runs, when not to automate at all, and how to monitor your CAPTCHA spend.

Last updated Mar 2026

1. Avoid > solve. Almost always.

CAPTCHA-solving is a fallback, not a strategy. The 2024–2026 generation of bot detection (Turnstile, reCAPTCHA v3, AWS WAF) rarely shows a challenge UI; instead, it scores every request continuously on JA4 + IP + behaviour + browser internals. A “CAPTCHA” only appears when the score crosses a threshold. The reliable, cheap, fast path is keeping the score below threshold so no challenge ever fires.

| | Avoid (prevention) | Solve (reaction) |
| --- | --- | --- |
| Speed | +0ms (request just succeeds) | +1–15s per challenge |
| Cost | No extra credits | 1–2 extra credits when human-loop |
| Success rate | ~98% on Turnstile, ~95% on DataDome | ~85% on image puzzles |
| Reliability | Stable across vendor updates | Drops when puzzle types change |
| When it wins | Always — when feasible | Long-running sessions; account-bound flows where the IP changed mid-session and you need to recover |

The default config we recommend

js=true + stealth=true + premium_proxy=true + matching proxy_country. On most protected sites this clears below challenge threshold. solve_captcha=true stays on as a safety net — it only costs anything if it actually fires.

2. The CAPTCHAs you’ll meet

Each major family, what triggers it, and how it gets resolved inside a scraping pipeline.

Cloudflare Turnstile · Invisible

Default mode is fully invisible. Triggered by JA4 mismatch, IP reputation, or behavioural anomalies. Solved server-side by a real Chromium with patched fingerprint.

No extra cost

reCAPTCHA v3 · Score-based

Continuous score 0.0–1.0. Most pages pass at ≥0.5; sensitive ones want ≥0.7. No challenge UI shown — purely score-driven.

No extra cost

reCAPTCHA v2 (image) · Image puzzle

Click-the-traffic-lights and similar grids. Triggered when v3 score is too low or as a fallback. Outsourced to a vetted human-loop service. Median solve ~12s.

1 extra credit

hCaptcha · Image puzzle

Same flow as reCAPTCHA v2 — image grid, human-loop solve.

1 extra credit

AWS WAF / Bot Control · JS challenge

JS-execution puzzle plus behavioural checks. Solved server-side by headless Chromium with patched anti-detection. Almost always invisible.

No extra cost

DataDome · Score+UI

Multi-signal scoring; falls back to a slider/puzzle UI on the borderline cases. Server-side handles the score path; UI path needs human-loop.

~1 extra credit when triggered

PerimeterX / HUMAN · Multi-signal

Stack of TLS, behavioural, account-history scores. Requires residential IPs plus a clean fingerprint to never trigger. UI fallback is rare but supported.

~2 extra credits when triggered

GeeTest / Slider · Behavioural

Drag-the-slider puzzle, common on Chinese-origin sites and some financial portals. Server-side path solves with motion modelling.

~1 extra credit

3. How CAPTCHAs get solved

Two solve paths. The router picks based on what the site actually serves.

Server-side (free, ~1–3s)

Turnstile, reCAPTCHA v3, AWS WAF, DataDome score-paths, and most GeeTest puzzles all run inside the browser. A real Chromium with patched anti-detection executes the challenge JS and returns the resolved page. No human in the loop, no extra cost, no extra latency budget worth caring about.

Human-loop (1–2 extra credits, ~8–15s)

reCAPTCHA v2 image puzzles, hCaptcha image puzzles, and DataDome’s slider fallback can’t be cleanly automated. When they actually appear, a vetted human-loop service solves them. Server-side is attempted first; humans only get involved if the page genuinely renders the challenge UI.

The cheapest CAPTCHA is the one that never fires

Most CAPTCHAs are avoidable. stealth=true + premium_proxy=true + matching proxy_country reduces challenge frequency dramatically. Don’t pay for solves you could have prevented with three flags.

4. Monitoring your CAPTCHA spend

Every response includes a captcha object so you can audit which sites cost human-loop credits and tune your config per-target. The four metrics below are what we ourselves watch in dashboards; the dashboard exposes them as time-series.

| Metric | What it tells you | If it’s off |
| --- | --- | --- |
| captcha_rate | Ratio of requests that triggered any challenge. < 5% is healthy; > 15% means the score is too high. | Switch to residential proxies; check device flag matches site |
| human_loop_rate | Ratio that escalated past server-side solving. Each one costs an extra credit. | Likely the same fix as captcha_rate; verify stealth=true |
| captcha_solve_p95 | 95th-percentile solve latency. Server-side ~3s; human-loop ~15s. Spikes mean a vendor changed their puzzle. | Open a ticket — we ship a patch within 24h |
| post_solve_success | Of requests that hit a challenge and were solved, how many returned a usable body. | < 90% means the challenge changed — check vendor-update log |

response · captcha breakdown
{
  "success": true,
  "credits_used": 6,
  "fetch_path": "premium",
  "captcha": {
    "encountered": true,
    "type": "cloudflare_turnstile",
    "method": "browser_solve",
    "extra_credits": 0,
    "solve_ms": 1840
  }
}
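
An added example, not part of the original page or the vendor's code: it computes the four metrics above per target host from logged responses and flags the two thresholds the table quotes. The hosts and sample values are constructed; rates are taken over all requests to a host, and the human-loop, solved and usable-body tests are assumptions marked in the comments.

```python
import math
from collections import defaultdict

# Constructed sample data: (target host, parsed API response). Hosts and values
# are made up; only fields shown in the response above are used.
CLEAN = {"success": True, "captcha": {"encountered": False}}

def hit(ok, extra, ms):
    cap = {"encountered": True, "extra_credits": extra, "solve_ms": ms}
    return {"success": ok, "captcha": cap}

SAMPLE = (
    [("shop.example", CLEAN)] * 19 + [("shop.example", hit(True, 0, 1840))]
    + [("tickets.example", CLEAN)] * 6
    + [("tickets.example", hit(ok, extra, ms)) for ok, extra, ms in
       [(True, 0, 2100), (True, 0, 2900), (True, 1, 11800), (False, 1, 14200)]]
)

def p95(values):
    """Nearest-rank 95th percentile; None when there are no samples."""
    if not values:
        return None
    ordered = sorted(values)
    return ordered[math.ceil(0.95 * len(ordered)) - 1]

def captcha_metrics(records):
    """Per-host values for the four metrics in the table above."""
    by_host = defaultdict(list)
    for host, resp in records:
        by_host[host].append(resp)
    report = {}
    for host, resps in by_host.items():
        hits = [r for r in resps if (r.get("captcha") or {}).get("encountered")]
        # Assumption: a challenge that billed extra credits went to the human loop.
        human = [r for r in hits if r["captcha"].get("extra_credits", 0) > 0]
        # Assumption: solve_ms present means the challenge was solved.
        solved = [r for r in hits if r["captcha"].get("solve_ms") is not None]
        # Assumption: top-level "success" stands in for "returned a usable body".
        usable = sum(bool(r.get("success")) for r in solved)
        post = usable / len(solved) if solved else None
        rate = len(hits) / len(resps)
        flags = ["captcha_rate"] if rate > 0.15 else []  # table: > 15% is too high
        if post is not None and post < 0.90:  # table: < 90% means the challenge changed
            flags.append("post_solve_success")
        report[host] = {"captcha_rate": rate,
                        "human_loop_rate": len(human) / len(resps),
                        "captcha_solve_p95": p95([r["captcha"]["solve_ms"] for r in solved]),
                        "post_solve_success": post, "flags": flags}
    return report
```
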

5. When NOT to automate CAPTCHAs

We refuse some kinds of CAPTCHA-solving. Not because the technical path is harder, but because the CAPTCHA is doing the job it was designed to do — gating consent, authentication, or rate-limited public goods. Automating past it crosses from data extraction into impersonation.

Login / signup pages

A CAPTCHA on a login form is the consent gate. Solving it is impersonating the account owner.

Account creation

Mass signup automation is the canonical abuse case CAPTCHAs were built for. Out of scope.

Paywalled content

A challenge before paid content is the merchant gating their own goods. Don’t.

Banking / KYC

Out of scope, full stop. Not a use case we support at any tier.

Voting / sweepstakes

Ratchets that depend on one-human-one-vote integrity. Solving the CAPTCHA breaks the protocol.

Unsolicited contact forms

A CAPTCHA on “contact us” is anti-spam. Don’t solve it to send mass messages.

6. CAPTCHA-related API parameters

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| solve_captcha | boolean | false | Auto-solve any CAPTCHA encountered. Server-side solves are free; human-loop solves charge only when triggered. |
| js | boolean | false | Required for JS-based challenges (Turnstile, AWS WAF, DataDome). Without it, score-based vendors will simply mark the request as bot. |
| stealth | boolean | false | Patches webdriver/canvas/WebGL leaks. Lowers risk score so most CAPTCHAs never trigger in the first place — the prevention dial. |
| premium_proxy | boolean | false | Residential IPs. Network-layer trust score; primary lever for keeping vendors below challenge thresholds. |
| proxy_country | string | auto | ISO country code. Set Accept-Language and timezone to match. |
| wait_for | string | | CSS selector. Wait until the post-challenge page is hydrated before returning HTML. |

7. Code examples

Avoid CAPTCHAs in the first place (recommended)

Python · prevention
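import requests

# Prevention config: JS rendering, stealth patches, and a residential proxy
# whose country is set explicitly.
response = requests.get(
    'https://api.example.com/scrape',
    params={
        'url': 'https://target-site.com',
        'js': 'true',
        'stealth': 'true',
        'premium_proxy': 'true',
        'proxy_country': 'US',
    },
    headers={'ApiKey': 'YOUR_API_KEY'},
    timeout=60,  # requests has no default timeout; a stalled fetch would hang forever
)
print(response.text)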

Auto-solve as a safety net

cURL · solve_captcha=true
curl -X GET 'https://api.example.com/scrape' \
  -H 'ApiKey: YOUR_API_KEY' \
  -G \
  --data-urlencode 'url=https://protected-site.com' \
  --data-urlencode 'js=true' \
  --data-urlencode 'stealth=true' \
  --data-urlencode 'premium_proxy=true' \
  --data-urlencode 'solve_captcha=true'

Hard-bounce on any CAPTCHA (compliance mode)

Node · no auto-solve
// Returns 403 with captcha.type set if any challenge appears
const res = await fetch('https://api.example.com/scrape?' + new URLSearchParams({
  url: 'https://target.com',
  js: 'true',
  stealth: 'true',
  solve_captcha: 'false',
}), { headers: { ApiKey: 'YOUR_API_KEY' } });

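if (res.status === 403) {
  // headers.get() returns null when X-Meta is absent, so guard before parsing
  const raw = res.headers.get('X-Meta');
  const meta = raw ? JSON.parse(raw) : null;
  console.log('blocked by', meta?.captcha?.type);
}

8. FAQ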

Do I need solve_captcha=true to bypass Cloudflare?

Often no. Turnstile is invisible, and with stealth=true + residential proxies it usually never triggers a visible challenge. Enable solve_captcha as a safety net — it costs nothing unless it actually solves.

How long does a solve take?

Server-side: 1–3s, mostly the page reload after the challenge resolves. Human-loop: 8–15s median, capped at 60s before we return a 503 you can retry.

Can I see which CAPTCHA was triggered?

Yes — response.captcha.type and response.captcha.method are in every successful response, plus solve_ms and extra_credits.

Why are my requests still hitting CAPTCHAs?

Almost always one of three things: (a) datacenter IPs on a site that does IP-reputation scoring, (b) stealth=false, or (c) proxy_country not matching the site’s primary audience. The fingerprinting guide walks through the diagnostic flow.

What about Cloudflare’s 2025 update?

Cloudflare now scores audio context, deeper plugin enumeration, and a wider canvas variance check. All are handled by stealth=true; we ship patches within ~24h of vendor changes.

Do you ever refuse a request?

Yes. CAPTCHAs on login pages, signup forms, paywalls, banking, KYC, and voting are out of scope. The API returns 422 with a clear refusal message rather than attempting the solve.
