
When captchas break: handling the unhappy path

· 5 min read
Guido Zuidhof
Co-founder / CTO @ Friendly Captcha

Developers add a captcha to their websites and apps to protect against abuse. Perhaps they include a captcha widget during signup to prevent spam accounts from being created.

Usually the integration with a captcha provider involves a widget you add to your website. This widget inserts a value that you verify on your server. The value that is inserted is usually called the captcha “response”. I think a better name for the captcha “response” would be “access token”, but let’s use that common naming.

Let’s explore an analogy for a captcha you add to your website.

Imagine you are the owner of a club, and you only want to admit people who can dance well. Across the street there’s a dance school and they are happy to work together with you. You set up the following scheme: potential visitors first visit the school, take a dance test, and then receive a piece of paper with a code that proves they passed the dance test.

The happy path

When a visitor shows up at your door, you take their piece of paper and call the dance school to verify that this code is valid. If the visitor fails the test, that’s still part of the happy path: you were able to verify their dancing skills.

That’s pretty much how captchas work on the web: visitors on your webpage pass a test and receive the response token. This token is sent to your server, where you verify that it’s valid by calling your captcha provider’s API. In a way the captcha provider vouches for the visitor having passed the test.

The unhappy path

Let’s think about what can go wrong at the door of our club. A visitor could turn up without a piece of paper: that’s easy; you can reject those visitors.

But what if something else goes wrong? Maybe your telephone stops working, or the dance school doesn’t pick up the phone. What do you do?

You have two options in that moment:

  1. You can fail open: you allow everybody into your club.
  2. You can fail closed: you send away everybody that shows up.

This is only an analogy. In the website bot protection version of this situation, it’s usually best to fail open. It’s better to potentially let some bots through than to reject all users. In either case the reason for the failure should be logged and alerted on.

How we design for failing open (or closed)

Most of our competitors fail to acknowledge the unhappy path. In their integration examples and SDKs verification success is presented in a binary way: success or reject. But there is a third case: the one in which you were unable to verify the captcha response.

Of course we aim for that to never happen by making our API as reliable as possible (see our status page), but let’s design for the worst case: our data centers each get hit by a meteor.

What does your server code do? Fail closed, fail open, or worse: crash? This should be a conscious decision.

In designing our SDKs and examples we make sure it’s straightforward to handle all possible cases. Here’s a simplified diagram of the captcha verification flow in our SDKs, including the signature of the VerifyCaptchaResponse returned by our API.

Flow diagram of a server-side Friendly Captcha SDK

And here’s an example that shows how you might implement that flow in PHP.

function handleSignupRequest() {
    global $captchaSDK;

    // Take the response token the widget inserted into the form, if there is one
    $captchaResponse = isset($_POST["frc-captcha-response"]) ? $_POST["frc-captcha-response"] : null;
    $result = $captchaSDK->verifyCaptchaResponse($captchaResponse);

    if (!$result->wasAbleToVerify()) {
        if ($result->isClientError()) {
            // ALERT: your website is NOT PROTECTED because of a configuration error.
            // Send an alert to yourself, check your API key (and sitekey).
            // print_r(..., true) returns the dump as a string instead of printing it.
            error_log("Failed to verify captcha response because of a configuration problem: " . print_r($result->getResponseError(), true));
        } else {
            // Something else went wrong, maybe there is a connection problem or the API is down.
            error_log("Failed to verify captcha response: " . print_r($result->getErrorCode(), true));
        }
    }

    if (!$result->shouldAccept()) {
        // The captcha was not OK, show an error message to the user
        echo "Anti-robot captcha check failed, please try again.";
        return;
    }

    // The captcha is accepted, handle the request
    createAccount(...)
}

You can copy-paste our examples into your code and adapt them to what makes sense for your use-case. While handling the unhappy path doubles the length of our examples, we recommend that anyone integrating with our API transparently handles all scenarios.
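The same three-way flow (verified and accepted, verified and rejected, unable to verify) in Python, as an added example that is not code from Friendly Captcha or its SDKs. The verification endpoint, request payload, response JSON shape and the HTTP status codes treated as configuration errors are all assumptions made for illustration; the real API may differ. Unlike the PHP example above, the fail-open/fail-closed choice is an explicit parameter so it shows up in code review rather than being hidden inside shouldAccept(). The transports at the bottom are constructed fakes standing in for the provider's API so the whole thing runs offline.

```python
import json
import logging
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

logger = logging.getLogger("captcha")

# Assumed transport shape: given the request payload, return (HTTP status, body text)
# or raise OSError on a network failure. A real SDK wraps an HTTP client here.
Transport = Callable[[Dict[str, str]], Tuple[int, str]]


@dataclass
class VerifyResult:
    """Three-way outcome: verified-and-accepted, verified-and-rejected, or unable to verify."""
    was_able_to_verify: bool
    success: bool = False          # meaningful only when was_able_to_verify is True
    client_error: bool = False     # our own misconfiguration (bad API key / sitekey)
    error_code: Optional[str] = None

    def should_accept(self, fail_open: bool) -> bool:
        if not self.was_able_to_verify:
            return fail_open       # the conscious policy decision the post asks for
        return self.success


def verify_captcha_response(token: Optional[str], transport: Transport,
                            api_key: str, sitekey: str) -> VerifyResult:
    # A missing token is still the happy path: we *can* decide, and the answer is "reject".
    if not token:
        return VerifyResult(was_able_to_verify=True, success=False, error_code="missing_response")
    try:
        status, body = transport({"response": token, "sitekey": sitekey, "api_key": api_key})
    except OSError as exc:
        return VerifyResult(was_able_to_verify=False, error_code=f"connection_error: {exc}")
    if status in (400, 401, 403):
        # The provider understood us but refused: almost always wrong credentials or sitekey.
        return VerifyResult(was_able_to_verify=False, client_error=True, error_code=f"http_{status}")
    if status >= 500:
        return VerifyResult(was_able_to_verify=False, error_code=f"http_{status}")
    try:
        data = json.loads(body)
    except ValueError:
        return VerifyResult(was_able_to_verify=False, error_code="malformed_response")
    return VerifyResult(was_able_to_verify=True, success=bool(data.get("success")))


def handle_signup(form: Dict[str, str], transport: Transport, fail_open: bool = True) -> str:
    """Returns what the request handler did; mirrors the PHP flow in the post."""
    result = verify_captcha_response(form.get("frc-captcha-response"), transport,
                                     api_key="API_KEY_PLACEHOLDER", sitekey="SITEKEY_PLACEHOLDER")
    if not result.was_able_to_verify:
        if result.client_error:
            # Page someone: the site is unprotected until the configuration is fixed.
            logger.critical("captcha verification misconfigured: %s", result.error_code)
        else:
            logger.error("captcha verification unavailable: %s", result.error_code)
    if not result.should_accept(fail_open):
        return "rejected"
    return "account_created"


# Constructed fake transports, one per scenario the post describes.
def transport_accept(payload): return 200, json.dumps({"success": True})
def transport_reject(payload): return 200, json.dumps({"success": False})
def transport_misconfigured(payload): return 401, json.dumps({"error": "invalid api key"})
def transport_down(payload): raise ConnectionError("dance school not answering the phone")


def demo() -> Dict[str, str]:
    form = {"frc-captcha-response": "constructed-token"}
    return {
        "accept": handle_signup(form, transport_accept),
        "reject": handle_signup(form, transport_reject),
        "no_token": handle_signup({}, transport_accept),
        "down_fail_open": handle_signup(form, transport_down, fail_open=True),
        "down_fail_closed": handle_signup(form, transport_down, fail_open=False),
        "misconfigured_fail_open": handle_signup(form, transport_misconfigured),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:24} -> {outcome}")
```

Note that the misconfigured case fails open just like an outage does: the signup goes through, but a critical-level log line is emitted. That is the case worth wiring to an alert, because it will not fix itself.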

First-party, tested SDKs

We aim to create SDKs for all popular programming languages to make a correct integration quick and easy. Our goal is not only to be the most privacy-friendly and accessible captcha, but also the one with the best developer experience.

To ensure that all our SDKs behave consistently and correctly in the face of failures, we developed an open-source shared testing framework that simulates error cases. We provide these same tools for outside contributors to create properly tested SDKs for languages/frameworks we don’t support (yet).

Outside of SDKs, we also provide plugins for popular CMS and E-commerce frameworks. These plugins are generally built upon our SDKs, so they inherit this same robustness.

Looking to integrate Friendly Captcha with your website or app? Check out our integrations page for an overview of SDKs and plugins.

Mobile SDK for Android and iOS

· 2 min read
Guido Zuidhof
Co-founder / CTO @ Friendly Captcha
Aaron Greenberg
Integrations Engineer @ Friendly Captcha

Friendly Captcha has been used to protect mobile apps since we started in 2020, but it required a custom integration each time.

We are happy to announce an official mobile SDK for Android and iOS. Using an SDK should reduce your integration time from days to under an hour.

Screenshot of the Android example app.

Accessibility is a core value at Friendly Captcha. That means supporting the widest possible set of devices we can, to avoid excluding anyone. These mobile SDKs have been built to work on devices and operating systems that are over 10 years old.

Platform | Supported Version
Android  | ≥ Android 4.1 (API level 16)
iOS      | ≥ iOS 10 officially supported
iOS      | ≥ iOS 8 on a best effort basis

Getting Started

Android

The open source Android SDK supports both the AndroidView and Jetpack Compose UI frameworks, and it can be used from Java or Kotlin.

You can install the SDK from Maven Central (installation instructions).

Full examples and a guide for integrating it into your app can be found here.

iOS

The open source iOS SDK supports both the UIKit and SwiftUI UI frameworks, and it can be used from Swift or Objective-C.

You can install the SDK from Cocoapods or Carthage (installation instructions).

Full examples and a guide for integrating it into your app can be found here.

Launching Friendly Captcha v2

· 5 min read
Guido Zuidhof
Co-founder / CTO @ Friendly Captcha

For the past two years the Friendly Captcha team has worked on the next generation of our solution to protect websites against bots and spam attacks. As of September 2024 we have achieved many of the goals we set out for the next version of our product.

In this article we'd like to highlight how Friendly Captcha v2 builds on and expands our vision and mission to make the internet safer, friendlier and more accessible.

What is Friendly Captcha v2?

Friendly Captcha works by collecting signals from a user session in order to generate a score that indicates the likelihood of the session being abusive. It then assigns a computationally intensive challenge that increases in difficulty as the score increases.

The result of this is that it makes it increasingly difficult and expensive for abusers to access a service, while regular users mostly don’t even notice we’re there at all. This last bit is why we're Friendly Captcha. 😊
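A toy model of the score-to-difficulty idea described above, added here as an illustration; it is not Friendly Captcha's code, and the SHA-256 proof-of-work, the mapping from score to leading zero bits and the HMAC tag are assumptions chosen to make the mechanism concrete, not a description of the real challenge. The defender-side detail it shows is that the server binds the difficulty it assigned into the challenge, so a client cannot hand back a solution to an easier challenge than its score warranted.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Assumption: a server-side secret used only to authenticate challenges we issued.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def difficulty_for_score(score: float) -> int:
    """Map a bot-likelihood score in [0, 1] to required leading zero bits.

    Assumed mapping: ~256 hashes for a likely human (8 bits), ~1M for a likely bot (20 bits).
    """
    score = min(max(score, 0.0), 1.0)
    return 8 + int(score * 12)


def _tag(nonce: str, difficulty: int, key: bytes) -> str:
    return hmac.new(key, f"{nonce}:{difficulty}".encode(), hashlib.sha256).hexdigest()


def issue_challenge(score: float, key: bytes = SERVER_KEY) -> Dict[str, object]:
    """Server side: derive difficulty from the score and sign (nonce, difficulty)."""
    nonce = secrets.token_hex(8)
    difficulty = difficulty_for_score(score)
    return {"nonce": nonce, "difficulty": difficulty, "tag": _tag(nonce, difficulty, key)}


def leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve(challenge: Dict[str, object]) -> int:
    """Client side: brute-force a counter until the hash has enough leading zero bits."""
    nonce, target = challenge["nonce"], int(challenge["difficulty"])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= target:
            return counter
        counter += 1


def verify_solution(challenge: Dict[str, object], solution: int, key: bytes = SERVER_KEY) -> bool:
    """Server side: refuse tampered challenges before doing any work on the solution."""
    nonce, difficulty = str(challenge["nonce"]), int(challenge["difficulty"])
    if not hmac.compare_digest(_tag(nonce, difficulty, key), str(challenge["tag"])):
        return False  # nonce or difficulty was not what we issued
    digest = hashlib.sha256(f"{nonce}:{solution}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty


if __name__ == "__main__":
    for score in (0.0, 0.5, 1.0):
        print(f"score {score:.1f} -> {difficulty_for_score(score)} leading zero bits")
    challenge = issue_challenge(0.1)
    answer = solve(challenge)
    print("solution accepted:", verify_solution(challenge, answer))
    print("downgraded difficulty accepted:", verify_solution(dict(challenge, difficulty=1), answer))
```

Scores near zero cost the visitor a few hundred hash computations, which finishes well before a form is filled in; only high-score sessions pay the expensive end of the curve, which is the asymmetry the paragraph describes.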

In v2 we apply what we learned over the past 4 years of protecting websites and apps. We collect more, and different, signals that help us distinguish between bots and genuine users. Aside from the improved protection, we made it easier to integrate into your website, improved the user experience, and gave the user interface an overhaul.

Towards a human-friendly, inclusive internet

Friendly is not just part of our company name, it’s part of our core philosophy for the software we design. Most other anti-bot solutions come at the expense of users, their privacy, or their experience.

In the best case the user doesn’t even notice that Friendly Captcha is there, while the website is protected from spam and other abuse. With Friendly Captcha v2 we can deliver that ideal situation in even more cases.

Some highlights:

  • Privacy friendly. In order to distinguish real users from bots, we can't get around collecting and processing some data from the web browser. Data is a burden and not an asset. We treat it accordingly, and do not collect or store what we don't need.

    We do not use HTTP cookies and do not store any data in the browser’s persistent storage, and none of the data we collect is shared with third parties or used for purposes other than protecting websites from abuse. We comply with regulations like the GDPR to safeguard the privacy of all our users, and the code that runs on your website is open source so you can verify what data is collected. You can read more about this in our privacy policy.

  • More powerful bot-or-not engine. With v2 we collect a more diverse set of data points we call signals. We look at a wide range of signals like HTTP request information, the browser environment to detect browser automation, as well as the interaction of the users with the page (e.g. mouse movements).

    The better we can tell apart bots from genuine users, the better the user experience, as well as the protection, will be.

  • Inclusive and friction-free. Just like v1, Friendly Captcha v2 does not rely on the user tasks like clicking on pictures of cars or solving puzzles. This means that nobody is excluded or annoyed. Our goal is to make CAPTCHA truly accessible. The widget, which is the visible element that is added to websites that are protected, has been redesigned with speed in mind — in v2, it’s more likely that the captcha challenge will be completed before the user even finishes filling out the form!

  • Easier to integrate than ever. There are official SDKs and plugins for popular programming languages and frameworks (such as PHP, Python, Node/Javascript, Go, Wordpress), with more on the way. Integration into your webpage is more straightforward with easier CSP (content security policy) requirements and automatic language detection. The same old browsers and operating systems are supported as before (including Internet Explorer 11).

  • Reliability. Reliability is incredibly important: our system should always be available. Thanks to infrastructure changes our services are more resilient to failure, whether issues happen internally or outside of our control.

    The best part is that these reliability improvements carry over to Friendly Captcha v1 as well, so they’re not exclusive to v2. 😊

Getting started with Friendly Captcha v2

Friendly Captcha v2 is now available to all newly created accounts. The Getting Started section of the documentation is a good place to start for new integrations. For existing integrations there is the Upgrading from v1 to v2 guide.

If you have an existing account, the dashboard will prompt you to sign the renewed DPA before you can use v2; more on that below.

Data Processing Agreement (DPA)

Friendly Captcha v2 collects a different and larger set of data. Many companies sign a data processing agreement with us, which is a document that describes the data we collect from end-users to protect your website and how we handle that data.

If you have previously signed a data processing agreement with us or signed up before May 1st 2024, you will need to review and sign the new data processing agreement to enable Friendly Captcha v2 for your account.

What is the future for Friendly Captcha v1?

Friendly Captcha v1 isn't going anywhere, and we will continue to support it for many years moving forward. At some point we will disable Friendly Captcha v1 for newly created applications; this will be announced well in advance in the dashboard, this blog, and the documentation.

For new projects or integrations we recommend you use Friendly Captcha v2.

Announcing the v2 Beta

· 2 min read
Guido Zuidhof
Co-founder / CTO @ Friendly Captcha

Summary

  • Select accounts can now participate in the beta of the Friendly Captcha widget version two.
  • Version two improves on protection and user experience.
  • You will have to change some code to switch to the new version.
  • Version one is not going away any time soon, upgrading is voluntary.

Introducing v2

Since launching Friendly Captcha in 2020 we've grown a lot. Friendly Captcha now protects the websites of thousands of organizations. Along the way we've continuously improved our offering.

Some improvements however are hard to fit into the existing system. In 2022 we decided to start building version 2 of our captcha product, incorporating all the learnings over the past years.

Screenshot of v2 captcha widget

Rollout

We are deliberately slow and careful in rolling out v2 to all Friendly Captcha subscribers.

V2 is not stable yet; there may be changes to the API. Inevitably there will also be edge cases and bugs that we want to weed out before recommending v2 for production use.

As of June 2023, we are slowly inviting users to try the beta version. We expect to open the beta to all users by the end of summer this year.

What happens to v1?

Version 1 is not going away. We commit to supporting and maintaining it for years to come.

We aim for all organizations to eventually upgrade to version 2, but we are also realistic in our expectations. We understand that switching takes time and effort, and for some organizations or projects the upgrade may never happen.

Further reading