Skip to main content
Version: v2

/api/v2/captcha/siteverify

The siteverify endpoint is used to verify captcha responses. A captcha response is the value that is embedded in your form by the captcha widget when the challenge has been completed.

Request

Make a POST request to https://global.frcapi.com/api/v2/captcha/siteverify with the following parameters:

POST ParameterTypeDescription
responsestringThe response value that the user submitted in the frc-captcha-response field.
sitekeystringOptional: the sitekey that you want to make sure the puzzle was generated from.
tip

Remember to authenticate the request using the X-API-Key header.

You can pass these parameters in a JSON body, or as formdata.

Response

The response will tell you whether the captcha response is valid, meaning the captcha was solved succesfully.

The response body is a JSON object which has a success field that tells you whether the response was valid or not.

Example success=true verification

{
"success": true,
"data": {
"challenge": {
"timestamp": "2023-08-04T13:01:25Z", // Timestamp when the captcha challenge was completed.
"origin": "https://example.com" // Origin where the challenge happened. This can be empty if unknown.
}
}
}

Example success=false response

{
"success": false,
"error": {
"error_code": "bad_request", // Error code, see the table below for possible values
"detail": "..." // A human readable description of what went wrong.
},
}

Error codes

Possible values for error.error_code.

Error codeStatusDescription
auth_required401You forgot to set the X-API-Key header.
auth_invalid401The API key you provided was invalid.
sitekey_invalid400The sitekey in your request is invalid.
response_missing400You forgot to add the response parameter.
response_invalid200The response you provided was invalid (perhaps the user tried to work around the captcha).
response_timeout200The response has expired.
response_duplicate200The response has already been used.
bad_request400Something else is wrong with your request, e.g. your request body is empty.
Warning

Status code 200 does not mean the solution was valid. It means the verification was performed succesfully. Use the success field.

If you are seeing status code 400 or 401 your server code is probably not configured correctly.

tip

What to do when siteverify doesn't work

If you receive a response code other than 200 in production, you should probably accept the user's response despite not having been able to verify it.

Maybe your server is misconfigured or the Friendly Captcha servers are down. While we try to make sure that never happens, it is a good idea to assume one day disaster will strike.

It is better to temporarily accept bots or spam than to reject all requests. Do remember to send an alert to yourself!

Troubleshooting & Tips

method_not_allowed

If you are seeing an error that includes method_not_allowed, you are likely making a HTTP GET request. You can fix this by making a HTTP POST request instead.

How do I use automated testing with Friendly Captcha?

You can mock out the siteverify response. Instead of talking to our API, your code could always return {success: true}. This documentation page has more details and alternative techniques.