hCaptcha
Human verification challenge powered by the hCaptcha service. Presents a visual or invisible challenge to verify the user is human before allowing a claim.
How it works
- The ClaimUI loads the hCaptcha widget using the public site key
- The user completes the challenge (visual puzzle or invisible, depending on configuration)
- The client includes the resulting token in the claim request as
captchaToken - The server verifies the token against
hcaptcha.com/siteverify - If verification passes, the claim proceeds; if it fails, the claim is denied
Configuration
| Env var | Default | Description |
|---|---|---|
FAUCET_HCAPTCHA_SITE_KEY | (unset = disabled) | Public site key from hCaptcha dashboard |
FAUCET_HCAPTCHA_SECRET | (unset) | Server-side secret for verification |
Setting FAUCET_HCAPTCHA_SITE_KEY enables the layer. Both the site key and secret are required.
Getting credentials
- Sign up at hCaptcha Dashboard
- Create a site and choose the challenge difficulty
- Copy the site key and secret key
Decision logic
- No token provided:
denywith reason "captcha token required" - Token verification fails or token reused:
deny - Token valid:
allowwith score 0
Trade-offs
- Free tier available for most use cases
- Privacy-focused alternative to reCAPTCHA
- Requires network call per verification (~100-200ms)
- Mutually exclusive with Turnstile — pick one, not both
SDK support
All frontend SDKs include built-in hCaptcha widget components. The captchaToken is passed automatically when using useFaucetClaim hooks.