Web Scraping
Aadithyan
AadithyanJul 14, 2026

Learn how hCaptcha solvers work, compare APIs, extensions, libraries, and ML models, and understand their costs, reliability, risks, and alternatives.

What Is an hCaptcha Solver? Types, Costs and Alternatives

An hCaptcha solver is a tool or service that automatically completes an hCaptcha challenge and returns a valid token, so an automated script can keep running instead of getting stuck. Solvers show up in four forms: hosted APIs and services, browser extensions, open-source code libraries, and custom machine learning (ML) models.

Solving is one option. But for most scraping and automation work, preventing the challenge from ever appearing is more reliable and cheaper. This guide covers both, so you can decide which fits your pipeline.

What Is hCaptcha and Why Do Sites Use It?

hCaptcha is a challenge that tells humans and bots apart before letting a request through. A bot is an automated program that visits web pages without a person driving it, and hCaptcha is designed to stop the unwanted ones.

Sites use it because automated traffic is now the majority of the web. Bots made up 51% of all web traffic in 2024, the first time they surpassed humans in a decade, with malicious bots alone accounting for 37%, according to the Imperva 2025 Bad Bot Report.

hCaptcha is popular as a privacy-focused alternative to Google's reCAPTCHA. It positions itself as collecting minimal user data, which site owners like for GDPR and CCPA compliance.

How hCaptcha Works (Sitekey to Token)

The flow is simpler than it looks. When a page loads, it shows an hCaptcha widget tied to a sitekey, a public ID that identifies the site to hCaptcha.

The user (or a solver) completes the challenge, usually by selecting matching images. hCaptcha then inserts a single-use token into a hidden form field called h-captcha-response. A token is a short proof-of-pass string that works only once.

When the form is submitted, the site's server sends that token to hCaptcha's API to verify it is real. Client-side interactions are about the same as a traditional CAPTCHA at 3-10 seconds depending on the difficulty mode, according to hCaptcha's own documentation. hCaptcha ships several difficulty levels, so the challenge a bot sees can get harder over time.

Types of hCaptcha Solvers

Solvers fall into four categories. Each trades cost, speed, and reliability differently, so it helps to see them side by side before picking one.

Solver APIs and Services

A solver API takes a sitekey and the target URL, works the challenge on its own infrastructure, and returns a token you drop into the form. Most run AI-first and fall back to human workers when the model fails.

Pricing gives you a benchmark. For reCAPTCHA v2, CAPTCHA-solving services like 2captcha price solving around $1-$2.99 per 1,000 requests, with an AI-first, human-fallback model. hCaptcha isn't listed by name on these services, so treat that figure as a reference point, and expect latency in seconds, not milliseconds, per challenge.

Browser Extensions and Open-Source Libraries

Chrome and Firefox extensions and PyPI or GitHub libraries solve challenges locally, right in the browser or script. They are convenient and often free.

They are also brittle. Extensions break when hCaptcha updates, libraries fall behind, and many solvers have been hit with cease-and-desist takedowns for violating hCaptcha's terms. Treat them as short-lived, not production-grade.

Building Your Own ML Solver

The do-it-yourself route means collecting thousands of challenge screenshots, fine-tuning an image-recognition model, and scripting the click flow. It is the most flexible option and the most work.

Accuracy is hard to hold, and hCaptcha changes its challenges specifically to break automated solvers. You are signing up for permanent maintenance, so this only makes sense at large scale with a dedicated team.

How Much Do hCaptcha Solvers Cost (and How Well Do They Work)?

Solving is never free, and the costs are easy to underestimate. By Olostep's analysis of automatic CAPTCHA solving, it typically costs $1-$3 per 1,000 solves and takes 10-60 seconds per challenge. Accuracy splits by method: human solvers hit roughly 90-95%, while AI-only solvers land around 60-80%.

At scale those numbers compound. A pipeline hitting 100,000 challenges a month pays real money and eats real time, and every failed solve is a retry that costs again. That is why the honest comparison includes a third column: avoiding the challenge entirely, which you can read more about in bypassing CAPTCHA in scraping.

ApproachUpfront costPer-solve costSpeedMaintenance
Build your own ML solverHigh (data + training)Low once builtFast if tunedConstant
Buy a solver APINone$1-$3 per 1,00010-60s per solveLow
Avoid triggering itNoneNone (no solve needed)FastestHandled by API

The More Reliable Approach: Avoid Triggering hCaptcha

Prevention beats solving because sites decide whether to show a challenge before you ever see one. They compute a trust score from signals like your TLS fingerprint, browser fingerprint, IP reputation, and request headers, and a low score triggers the CAPTCHA.

Look trustworthy and the challenge often never appears. Here is how to raise that score.

Use Residential Proxies and Rotate IPs

Datacenter IPs are easy to flag because they come from known server ranges. A residential proxy routes your request through a real home internet connection, so it looks like an ordinary visitor.

Rotating IPs spreads requests across many addresses instead of hammering a site from one. Together they lower the IP-reputation signal that trips CAPTCHAs, which is why residential and rotating proxies are a first line of defense.

Look Like a Real Browser

A trust score also reads your browser fingerprint, the mix of headers, settings, and rendering behavior that identifies your client. A bare script with a default header set stands out immediately.

Send a realistic, current user-agent with matching headers, and run a full browser so JavaScript executes like it would for a person. See user agents for scraping for header realism, and antidetect browsers for configuring a believable browser environment.

Pace and Randomize Requests

Bots give themselves away with speed and rhythm. Requests fired milliseconds apart in perfect order look nothing like human browsing.

Add human-like delays, randomize the order you visit pages, and load the full page with its images and scripts. Avoid honeypot links, hidden traps that only automated clients follow, since hitting one is an instant red flag.

Let a Web Data API Handle It

Building and maintaining all of this yourself is a lot of infrastructure. A Web Data API does it for you: it manages JavaScript rendering, residential proxy rotation, and anti-bot handling on every request, so most CAPTCHAs never trigger in the first place.

That is the design behind Olostep's Scrape endpoint, which runs JS rendering with residential proxies and anti-bot handling and returns clean Markdown or structured JSON. If you would otherwise be wiring a solver into an automation framework, compare it against a manual setup like Selenium web scraping, where you own every anti-bot piece yourself.

Is Using an hCaptcha Solver Legal?

The honest answer is: it depends, and you should read the fine print. Bypassing a site's protections can violate its terms of service (ToS), which is a contract issue separate from any criminal law.

On the U.S. law question, scraping publicly available data likely does not violate the Computer Fraud and Abuse Act (CFAA), per the 9th Circuit's 2022 hiQ v. LinkedIn ruling. That ruling is narrow: it covers public data and the CFAA only, and ToS, copyright, and trespass claims can still apply. Review the target site's terms and talk to counsel before you build; for a fuller treatment, see is web scraping legal.

hCaptcha vs reCAPTCHA: What's the Difference?

Both stop bots the same way, and the solving flow is nearly identical. The main differences are privacy positioning and a few technical details.

FeaturehCaptchareCAPTCHA (v2)
VendorIntuition MachinesGoogle
Privacy claimMinimal data, GDPR/CCPA-friendlyTies into Google's ecosystem
Token fieldh-captcha-responseg-recaptcha-response
API compatibilityCompatible with reCAPTCHA v2Native
SitekeyPublic, per-sitePublic, per-site

hCaptcha markets itself as privacy-focused, collecting minimal user data. It is also API-compatible with reCAPTCHA v2, so migrating between the two is straightforward, but the token field name differs and the challenge details are its own.

Frequently Asked Questions

Is bypassing hCaptcha legal? It depends on the data and jurisdiction: scraping public data in the U.S. likely does not violate the CFAA, but terms of service, copyright, and trespass claims can still apply.

Can hCaptcha be solved automatically? Yes, through solver APIs, browser extensions, or custom ML models, though each trades off cost, speed, and reliability, and many extensions and libraries break or violate hCaptcha's terms.

How much does an hCaptcha solver cost? Automatic solving typically runs $1-$3 per 1,000 solves, and that cost compounds quickly at scale because every failed attempt is a paid retry.

What's the difference between solving and avoiding hCaptcha? Solving is reactive, completing a challenge after it appears, while avoiding is preventive, looking trustworthy enough that the challenge never triggers.

Does hCaptcha have a free tier for site owners? Yes, hCaptcha's pricing plans are free up to 10,000 requests per month, with paid tiers available above that limit.

Conclusion / Next Steps

hCaptcha solvers come in four forms: APIs, extensions, libraries, and custom ML models. All of them cost money, add 10-60 seconds of latency per challenge, and break when hCaptcha changes.

The durable path is to avoid triggering hCaptcha in the first place by looking like a real user, or to offload the whole problem to a Web Data API. If you would rather get clean Markdown and JSON without maintaining an anti-bot stack, try Olostep and let the infrastructure handle it for you.

About the Author

Aadithyan Nair

Founding Engineer, Olostep · Dubai, AE

Aadithyan is a Founding Engineer at Olostep, focusing on infrastructure and GTM. He's been hacking on computers since he was 10 and loves building things from scratch (including custom programming languages and servers for fun). Before Olostep, he co-founded an ed-tech startup, did some first-author ML research at NYU Abu Dhabi, and shipped AI tools at Zecento, RAEN AI.

On this page

Read more