hCaptcha solver, token on return.

An hCaptcha solver API without a browser. Takion returns a valid h-captcha-response token, including Enterprise, in one POST, so your form submits and your requests get through.

Last updated · Coverage tested against a live hCaptcha target.

Getting blocked by hCaptcha?

hCaptcha hands the site an h-captcha-response token its backend verifies. Takion returns a valid token for the standard widget, the invisible variant, and Enterprise, with no browser and no image grid to label. Submit it with your form and it passes.

Trial access is gated

To prevent fraud and abuse, trial access is not automatic. Contact us first and tell us your use case.

How hCaptcha works

hCaptcha is a privacy-first image captcha, deployed the same way most are: the widget hands your form an h-captcha-response token that the backend verifies. Its Enterprise tier adds risk scoring and passive signals, and its image challenges rotate their categories to resist automated labeling.

Takion returns a valid h-captcha-response for the standard widget, the invisible variant, and Enterprise. One POST returns the token; you submit it with the form. No browser, no image grid to label yourself.

  • Challenges Takion covers
  • hCaptcha image challenge
  • hCaptcha Enterprise
  • Invisible hCaptcha
  • Accessibility / passive modes

What one call returns

One call returns a valid h-captcha-response for the standard, invisible, or Enterprise widget, ready to submit.

h-captcha-response

the token you submit with the form

Enterprise passcode

the token for hCaptcha Enterprise deployments

Read the hCaptcha docsSame key, every wall. Same JSON shape, every vendor.

How the hCaptcha solve works, end to end

No browser, no image grid to click. Five moves from challenge to token.

  1. 1

    The widget serves a challenge

    hCaptcha hands your page a sitekey and, when it fires, pulls a challenge from its backend: an image grid, an area-select, or the invisible pass. You grab the sitekey and the page context.

  2. 2

    You POST it to Takion

    Send the sitekey, the page URL, your session proxy, and, for Enterprise, the rqdata blob. One call, no widget to render.

  3. 3

    We pull and solve it server-side

    Takion requests the challenge, classifies the image grid or locates the drop-out point on a geometric variant, and computes the hsw proof-of-work the widget would have run in WASM.

  4. 4

    We submit the answers

    The answers plus the hsw token go back to hCaptcha's check endpoint, which mints the pass token on a correct solve.

  5. 5

    You get the token back

    The response carries a valid h-captcha-response. Drop it into the form field the site verifies against and submit.

The hCaptcha challenge, decoded

Five pieces, one token. Takion handles all of them:

Image grid
the 3x3 classification task where you pick every tile that matches the prompt, with categories that rotate to break automated labeling
Area select
the geometric variants like the missing-arch donut, where the answer is a coordinate, not a class
hsw proof-of-work
the hashcash-style token the widget computes in WASM before its answers are accepted; skip it and the solve is rejected
h-captcha-response
the pass token hCaptcha mints on a correct solve; you submit it with the form and the backend verifies it via /siteverify
rqdata (Enterprise)
the encrypted risk blob Enterprise passes into the widget; the token has to be minted against it or it fails verification

Why a trained solver beats a headless browser here

The browser way to beat hCaptcha is a headless Chrome loading the widget, a vision model clicking tiles, and a mouse path faked well enough to pass the passive signals. It renders every challenge, waits on every image, and still burns the hsw proof-of-work on the main thread. It is slow and it is expensive.

Takion never renders the widget. We pull the challenge over HTTP, run a trained classification model against the image grid, and solve the geometric variants with straight computer vision: preprocess the image, find the shape, locate the gap, return the coordinate. The hsw proof-of-work is computed directly, not run in a browser tab. You send JSON, you get a token.

hCaptcha rotates its image categories to starve generic labelers, so a solver that worked last week goes stale. Our models are retrained against the live challenge set, which makes a new category a training update on our side, not a broken solve on yours.

What breaks an hCaptcha solve

A token is only good if it verifies. hCaptcha and the site backend reject a solve for these:

  • Wrong sitekey. The token is minted for one sitekey. Solve against the exact sitekey the target page renders, not a stale one.
  • Missing or stale rqdata. Enterprise ties the token to the rqdata blob it handed the widget. Pass the current rqdata or the token fails /siteverify even though the challenge solved.
  • Domain mismatch. hCaptcha binds the token to the host it was issued for. Solve for the page URL you actually submit from.
  • Expired token. An h-captcha-response has a short lifetime. Submit it soon after you get it, do not queue it for minutes.
  • IP or proxy drift. Enterprise risk scoring reads the connection. Solve under the proxy you submit from so the passive signals line up.

The one rule that keeps tokens verifying

Solve against the exact sitekey and page URL you submit from, pass the current rqdata for Enterprise, and use the token fast. hCaptcha verification is a match check. Feed it a token minted for the right context and it passes.

hCaptcha solver FAQ

Yes. Takion returns a valid h-captcha-response for the standard image challenge, the invisible variant, and hCaptcha Enterprise deployments.
There is no human in the loop and no per-image latency. Takion returns the token programmatically in one call, so it fits inline in an automated flow instead of queuing against a solver farm.
Drop the returned h-captcha-response into the form field or POST body the site verifies against. The docs show the exact placement per deployment.
Both. The classic 3x3 image grid (pick every tile that matches the prompt) is solved with a trained classification model, and the geometric variants like the missing-arch donut are solved with computer vision that finds the shape and returns the drop-out coordinate. The invisible variant resolves to the same h-captcha-response token.
Yes. Before hCaptcha accepts your answers it wants an hsw token, a hashcash-style proof-of-work the widget normally computes in WASM. Takion computes it server-side and submits it with the answers, so the solve is accepted without a browser tab burning cycles on it.
Yes. Enterprise ties the token to an rqdata blob it passes into the widget. Send us the current rqdata with your request and Takion mints the h-captcha-response against it, so the token clears /siteverify instead of failing on a context mismatch.
Takion is built for accessing data you are authorized to access: your own accounts, public data, sites you have permission to automate. It is not for fraud or abuse, and our acceptable-use policy draws that line. What you do with a solved token is on you.

Every other wall

Start solving hCaptcha today.

Start free, no card. One key clears every wall, and your first solve lands within the hour.