Skip to main content
Version: v1

Verify the response

The verification is almost the same as Google's ReCAPTCHA, so it should be easy to switch between the two (either direction).

In the form data sent to the server, there will be an extra text field called frc-captcha-solution. We will send this string to the Friendly Captcha servers to verify that the CAPTCHA was completed successfully.

Creating a verification request

You will need an API key to prove it's you, you can create one on the API Keys page in the dashboard.

To verify the CAPTCHA solution, make a POST request to https://api.friendlycaptcha.com/api/v1/siteverify with the following parameters:

POST ParameterDescription
solutionThe solution value that the user submitted in the frc-captcha-solution field
secretAn API key that proves it's you, create one on the Friendly Captcha website
sitekeyOptional: the sitekey that you want to make sure the puzzle was generated from.

You can pass these parameters in a JSON body, or as formdata.

If your account is on the Advanced or Enterprise plan your server can also make a request to our EU endpoint.

The verification response

The response will tell you whether the CAPTCHA solution is valid and hasn't been used before. The response body is a JSON object:

{
"success": true|false,
"errors": [...] // optional
}

If success is false, errors will be a list containing at least one of the following error codes below. If you are seeing status code 400 or 401 your server code is probably not configured correctly.

Error codeStatusDescription
secret_missing400You forgot to add the secret (=API key) parameter.
secret_invalid401The API key you provided was invalid.
solution_missing400You forgot to add the solution parameter.
bad_request400Something else is wrong with your request, e.g. your request body is empty.
solution_invalid200The solution you provided was invalid (perhaps the user tried to tamper with the puzzle).
solution_timeout_or_duplicate200The puzzle that the solution was for has expired or has already been used.

⚠️ Status code 200 does not mean the solution was valid, it just means the verification was performed succesfully. Use the success field.

A solution can be invalid for a number of reasons, perhaps the user submitted before the CAPTCHA was completed or they tried to change the puzzle to make it easier. The first case can be prevented by disabling the submit button until the CAPTCHA has been completed succesfully.

Verification Best practices

If you receive a response code other than 200 in production, you should probably accept the user's form despite not having been able to verify the CAPTCHA solution.

Maybe your server is misconfigured or the Friendly Captcha servers are down. While we try to make sure that never happens, it is a good idea to assume one day disaster will strike.

An example: you are using Friendly Captcha for a sign up form and you can't verify the solution, it is better to trust the user and let them sign up anyway, because otherwise no signup will be possible at all. Do send an alert to yourself!

Checking your integration

To check your integration works as it should, you can follow this guide.