All Products
Search
Document Center

Captcha:Integration guide

Last Updated:May 27, 2026

CAPTCHA 2.0 protects your web and mobile applications from bots by verifying user interactions on the client side and validating results on your server.

Integration workflow

Integrate CAPTCHA 2.0 in four steps:

  1. Activate the service -- Subscribe to CAPTCHA 2.0 and obtain your identity prefix.

  2. Create a verification scene -- Define how and where the CAPTCHA appears.

  3. Integrate client and server -- Add the CAPTCHA to your front end and validate results on your back end.

  4. Publish your application -- Deploy to production.

image

Prerequisites

Ensure you have:

  • An Alibaba Cloud account with a valid payment method

  • A client application (web, mobile app, or WeChat Mini Program) that needs CAPTCHA

  • A server that can call the VerifyIntelligentCaptcha API

Step 1: Activate the CAPTCHA service

  1. Log in to the CAPTCHA 2.0 console and click Buy Now.

  2. Select a subscription or pay-as-you-go plan and complete the purchase.

  3. Go to the Overview page. On the Basic Information card, copy the Identity Prefix for client-side integration.

image.png

Step 2: Create a verification scenario

  1. In the left navigation pane, click Scenarios > Create Scenario.

  2. Configure the following parameters:

    • Scenario Name -- Enter a descriptive name for the verification scenario.

    • Integration Method -- Select the method for your platform. See the table below.

    • Verification Type -- Select a verification type.

  3. Complete the configuration and obtain the Scenario ID.

For more details, see Scenario management.

Integration method by platform

Platform

Integration Method setting

Web or H5 page

Web/H5

Android or iOS app

Webview+H5 (Supports apps and mini-programs)

WeChat Mini Program

Webview+H5 (Supports apps and mini-programs) or WeChat Mini Program Native Plugin

Verification types

Verification type

Description

Slider Verification

The user drags a slider to complete a challenge.

Jigsaw Verification

The user moves a puzzle piece into the correct position.

Click-to-pass Verification

The user clicks a button to pass verification.

Image Restore Verification

The user restores an image to its original state.

No-CAPTCHA Verification

Low-risk users pass without interaction. High-risk users receive a secondary challenge.

Step 3: Integrate CAPTCHA

Integration has two parts: the client renders the CAPTCHA and collects user responses, and the server validates results with Alibaba Cloud.

Web and H5 integration

Set Integration Method to Web/H5 when you create the verification scenario.

  1. Client side: Add CAPTCHA initialization code to each page that requires verification, as described in Web and H5 client V3 architecture integration.

  2. Server side: Install the Alibaba Cloud SDK. Call the VerifyIntelligentCaptcha API with the CaptchaVerifyParam from the client. For details, see Server-side integration.

App integration (Android and iOS)

Set Integration Method to Webview+H5 (Supports apps and mini-programs) when you create the verification scenario.

  1. Client side (Web/H5): Add CAPTCHA initialization code to web pages loaded in your app. Web and H5 client V3 architecture integration.

  2. Server side: Install the Alibaba Cloud SDK and call the VerifyIntelligentCaptcha API. See Server-side integration.

  3. App side:

WeChat Mini Program integration

Set Integration Method to Webview+H5 (Supports apps and mini-programs) or WeChat Mini Program Native Plugin when you create the verification scenario.

Add CAPTCHA initialization code to each Mini Program page that requires verification. See Mini Program integration.

Verify the integration

Run these tests to confirm the CAPTCHA works correctly.

Test client-side initialization

  1. Open the page where CAPTCHA is integrated.

  2. Open the browser developer tools and go to the Network tab.

  3. Confirm that the following items are present:

    • An initialization request.

    • The Preview of the initialization request contains CAPTCHA information with success set to true.

    • CAPTCHA resources are loaded.

image.png

Test client-side verification

  1. Trigger a verification request by interacting with the CAPTCHA.

  2. In the browser developer tools, go to the Network tab.

  3. Confirm that VerifyResult is true.

167d503fc87ab8383c045bf94889cb4c

Test server-side verification

After client-side verification succeeds, the client sends CaptchaVerifyParam to your business server. Your server calls the VerifyIntelligentCaptcha API.

Check the API response. A successful verification returns VerifyResult as true:

{
    "RequestId": "C******-B***-4***-A***-5*******1",
    "Message": "success",
    "HttpStatusCode": 200,
    "Code": "Success",
    "Success": true,
    "Result": {
        "VerifyCode": "T001",
        "VerifyResult": true
    }
}

Test end-to-end behavior

Confirm that the CAPTCHA works as expected in your application:

  • Slider, Jigsaw, Click-to-pass, and Image Restore: The Verification Passed message appears after the user completes the challenge.

  • No-CAPTCHA: A successful business action confirms verification. For example, in a login scenario, the Logon Successful message appears after the user logs in.

Step 4: Publish your application

After all tests pass, deploy to production.

View statistical data

Once live, monitor verification metrics on the View statistical data page in the console.

How verification works (V3 architecture)

Slider, Jigsaw, Click-to-pass, and Image Restore

image
  1. The client initializes CAPTCHA and requests JavaScript (JS) resources (images, questions) from the CAPTCHA server.

  2. The CAPTCHA server returns the JS resources. The client loads and renders the CAPTCHA.

  3. The user solves the challenge (slider, puzzle, or image restoration). The JS sends a verification request to the CAPTCHA server, which checks the answer and whether the request is from a bot.

  4. On success, the CAPTCHA triggers the success callback and returns CaptchaVerifyParam. On failure, it refreshes for another attempt.

  5. The client sends the business parameters and CaptchaVerifyParam to the business server.

  6. The business server calls the VerifyIntelligentCaptcha API to validate CaptchaVerifyParam.

  7. The CAPTCHA server verifies the parameters, checks for malicious activity, and returns the result.

  8. The business server processes business logic and returns the verification and business results to the client.

No-CAPTCHA verification

image
  1. The client initializes CAPTCHA and requests JS resources from the CAPTCHA server.

  2. The CAPTCHA server returns the JS resources.

  3. The user clicks the trigger button. The Alibaba Cloud server evaluates whether the user is safe.

  4. The server returns the evaluation result:

    • Safe user: The initial verification passes. The success callback returns CaptchaVerifyParam for server-side validation.

    • Risky user: A secondary challenge is triggered:

      1. The client loads JS resources and renders the CAPTCHA. After the user solves the challenge, the JS sends a verification request. The CAPTCHA server checks the answer.

      2. On success, the success callback returns CaptchaVerifyParam. On failure, the CAPTCHA refreshes automatically.

  5. The client sends the business parameters and CaptchaVerifyParam to the business server.

  6. The business server calls the VerifyIntelligentCaptcha API to validate CaptchaVerifyParam.

  7. The CAPTCHA server verifies the parameters, checks for malicious activity, and returns the result.

  8. The business server processes the business logic and returns the result to the client.