Skip to content

hCaptcha Secret Key

Service Name: hCaptcha

Service Description: hCaptcha is a CAPTCHA service that helps websites protect against bots and automated abuse while providing revenue to website owners. It offers an alternative to reCAPTCHA with a focus on privacy and compensation for publishers.

Service Address: https://www.hcaptcha.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the account level through the hCaptcha dashboard.

Secret Access Scope: The secret key grants access to verify CAPTCHA responses and manage hCaptcha settings for your site. It allows verification of user responses and access to the hCaptcha API.

Secret Revokement URL: https://dashboard.hcaptcha.com/settings

Secret Example: 0x123AbCdEf456GhIjKlMnOpQrStUvWxYz0123456789

Suspicious Activity Investigation Instructions:

  • Review your hCaptcha dashboard for unusual verification patterns or spikes in usage.
  • Check for unexpected changes in pass/fail rates which might indicate abuse.
  • Monitor for verification requests from unexpected geographic locations.
  • Examine server logs for unusual patterns of hCaptcha verification API calls.
  • Look for increased bot traffic or bypass attempts that might indicate a compromised key.

Mitigation Instructions:

  • Log in to your hCaptcha dashboard at https://dashboard.hcaptcha.com/
  • Navigate to the Settings section.
  • Rotate your secret key by generating a new one.
  • Update the secret key in all your applications and services.
  • Implement proper secret management practices, such as using environment variables or a secrets manager.
  • Consider implementing additional security measures like IP restrictions if available.
  • Monitor your application after key rotation to ensure proper functionality.