hCaptcha 求解器, 返回即得令牌。

无需浏览器的 hCaptcha 求解 API。Takion 通过一个 POST 返回有效的 h-captcha-response 令牌(含企业版),让你的表单顺利提交、请求顺利通过。

最后更新 · 覆盖能力已针对一个实时的 hCaptcha 目标测试。

被 hCaptcha 拦住了?

hCaptcha 会给站点一个 h-captcha-response 令牌,由其后端校验。Takion 会为标准组件、隐形变体和企业版返回有效令牌,无需浏览器,也无需标注图像网格。随表单一并提交,它就能通过。

试用需要审核

为防止欺诈和滥用,试用不会自动开放。请先联系我们并说明你的使用场景。

hCaptcha 的工作原理

hCaptcha 是一种注重隐私的图像验证码,部署方式与大多数验证码相同:组件会给你的表单一个 h-captcha-response 令牌,由后端进行校验。它的企业版增加了风险评分和被动信号,其图像挑战还会轮换类别,以抵御自动化标注。

Takion 会为标准组件、隐形变体和企业版返回有效的 h-captcha-response。一个 POST 返回令牌;你随表单一并提交即可。无需浏览器,也无需自己去标注图像网格。

  • Takion 覆盖的挑战
  • hCaptcha 图像挑战
  • hCaptcha 企业版
  • 隐形 hCaptcha
  • 无障碍/被动模式

一次调用返回什么

一次调用即可为标准、隐形或企业版组件返回有效的 h-captcha-response,可直接提交。

h-captcha-response

随表单一并提交的令牌

Enterprise passcode

用于 hCaptcha 企业版部署的令牌

阅读 hCaptcha 文档同一个密钥,通吃每一堵墙。同一种 JSON 结构,适配每一个厂商。

How the hCaptcha solve works, end to end

No browser, no image grid to click. Five moves from challenge to token.

  1. 1

    The widget serves a challenge

    hCaptcha hands your page a sitekey and, when it fires, pulls a challenge from its backend: an image grid, an area-select, or the invisible pass. You grab the sitekey and the page context.

  2. 2

    You POST it to Takion

    Send the sitekey, the page URL, your session proxy, and, for Enterprise, the rqdata blob. One call, no widget to render.

  3. 3

    We pull and solve it server-side

    Takion requests the challenge, classifies the image grid or locates the drop-out point on a geometric variant, and computes the hsw proof-of-work the widget would have run in WASM.

  4. 4

    We submit the answers

    The answers plus the hsw token go back to hCaptcha's check endpoint, which mints the pass token on a correct solve.

  5. 5

    You get the token back

    The response carries a valid h-captcha-response. Drop it into the form field the site verifies against and submit.

The hCaptcha challenge, decoded

Five pieces, one token. Takion handles all of them:

Image grid
the 3x3 classification task where you pick every tile that matches the prompt, with categories that rotate to break automated labeling
Area select
the geometric variants like the missing-arch donut, where the answer is a coordinate, not a class
hsw proof-of-work
the hashcash-style token the widget computes in WASM before its answers are accepted; skip it and the solve is rejected
h-captcha-response
the pass token hCaptcha mints on a correct solve; you submit it with the form and the backend verifies it via /siteverify
rqdata (Enterprise)
the encrypted risk blob Enterprise passes into the widget; the token has to be minted against it or it fails verification

Why a trained solver beats a headless browser here

The browser way to beat hCaptcha is a headless Chrome loading the widget, a vision model clicking tiles, and a mouse path faked well enough to pass the passive signals. It renders every challenge, waits on every image, and still burns the hsw proof-of-work on the main thread. It is slow and it is expensive.

Takion never renders the widget. We pull the challenge over HTTP, run a trained classification model against the image grid, and solve the geometric variants with straight computer vision: preprocess the image, find the shape, locate the gap, return the coordinate. The hsw proof-of-work is computed directly, not run in a browser tab. You send JSON, you get a token.

hCaptcha rotates its image categories to starve generic labelers, so a solver that worked last week goes stale. Our models are retrained against the live challenge set, which makes a new category a training update on our side, not a broken solve on yours.

What breaks an hCaptcha solve

A token is only good if it verifies. hCaptcha and the site backend reject a solve for these:

  • Wrong sitekey. The token is minted for one sitekey. Solve against the exact sitekey the target page renders, not a stale one.
  • Missing or stale rqdata. Enterprise ties the token to the rqdata blob it handed the widget. Pass the current rqdata or the token fails /siteverify even though the challenge solved.
  • Domain mismatch. hCaptcha binds the token to the host it was issued for. Solve for the page URL you actually submit from.
  • Expired token. An h-captcha-response has a short lifetime. Submit it soon after you get it, do not queue it for minutes.
  • IP or proxy drift. Enterprise risk scoring reads the connection. Solve under the proxy you submit from so the passive signals line up.

The one rule that keeps tokens verifying

Solve against the exact sitekey and page URL you submit from, pass the current rqdata for Enterprise, and use the token fast. hCaptcha verification is a match check. Feed it a token minted for the right context and it passes.

hCaptcha 求解器常见问题

支持。Takion 会为标准图像挑战、隐形变体以及 hCaptcha 企业版部署返回有效的 h-captcha-response。
全程没有人工参与,也没有逐张图片的延迟。Takion 一次调用即以程序化方式返回令牌,因此它能内嵌在自动化流程中,而不必在打码平台上排队等待。
把返回的 h-captcha-response 放进站点用于校验的表单字段或 POST 请求体中。文档中给出了各部署方式下的确切放置位置。

所有其他防护墙

今天就上线你的 hCaptcha 求解方案。

免费试用,之后一个密钥通吃每一堵墙。一小时内完成首次调用。