CAPTCHA 2.0 protects your web and mobile applications from bots by verifying user interactions on the client side and validating results on your server.
Integration workflow
Integrate CAPTCHA 2.0 in four steps:
-
Activate the service -- Subscribe to CAPTCHA 2.0 and obtain your identity prefix.
-
Create a verification scene -- Define how and where the CAPTCHA appears.
-
Integrate client and server -- Add the CAPTCHA to your front end and validate results on your back end.
-
Publish your application -- Deploy to production.
Prerequisites
Ensure you have:
-
An Alibaba Cloud account with a valid payment method
-
A client application (web, mobile app, or WeChat Mini Program) that needs CAPTCHA
-
A server that can call the
VerifyIntelligentCaptchaAPI
Step 1: Activate the CAPTCHA service
-
Log in to the CAPTCHA 2.0 console and click Buy Now.
-
Select a subscription or pay-as-you-go plan and complete the purchase.
-
Go to the Overview page. On the Basic Information card, copy the Identity Prefix for client-side integration.

Step 2: Create a verification scenario
-
In the left navigation pane, click .
-
Configure the following parameters:
-
Scenario Name -- Enter a descriptive name for the verification scenario.
-
Integration Method -- Select the method for your platform. See the table below.
-
Verification Type -- Select a verification type.
-
-
Complete the configuration and obtain the Scenario ID.
For more details, see Scenario management.
Integration method by platform
|
Platform |
Integration Method setting |
|
Web or H5 page |
Web/H5 |
|
Android or iOS app |
Webview+H5 (Supports apps and mini-programs) |
|
WeChat Mini Program |
Webview+H5 (Supports apps and mini-programs) or WeChat Mini Program Native Plugin |
Verification types
|
Verification type |
Description |
|
Slider Verification |
The user drags a slider to complete a challenge. |
|
Jigsaw Verification |
The user moves a puzzle piece into the correct position. |
|
Click-to-pass Verification |
The user clicks a button to pass verification. |
|
Image Restore Verification |
The user restores an image to its original state. |
|
No-CAPTCHA Verification |
Low-risk users pass without interaction. High-risk users receive a secondary challenge. |
Step 3: Integrate CAPTCHA
Integration has two parts: the client renders the CAPTCHA and collects user responses, and the server validates results with Alibaba Cloud.
Web and H5 integration
Set Integration Method to Web/H5 when you create the verification scenario.
-
Client side: Add CAPTCHA initialization code to each page that requires verification, as described in Web and H5 client V3 architecture integration.
-
Server side: Install the Alibaba Cloud SDK. Call the
VerifyIntelligentCaptchaAPI with theCaptchaVerifyParamfrom the client. For details, see Server-side integration.
App integration (Android and iOS)
Set Integration Method to Webview+H5 (Supports apps and mini-programs) when you create the verification scenario.
-
Client side (Web/H5): Add CAPTCHA initialization code to web pages loaded in your app. Web and H5 client V3 architecture integration.
-
Server side: Install the Alibaba Cloud SDK and call the
VerifyIntelligentCaptchaAPI. See Server-side integration. -
App side:
-
Android: Use a WebView to load pages with the CAPTCHA. Android V3 architecture integration.
-
iOS: Use a WKWebView to load pages with the CAPTCHA. iOS V3 architecture integration.
-
WeChat Mini Program integration
Set Integration Method to Webview+H5 (Supports apps and mini-programs) or WeChat Mini Program Native Plugin when you create the verification scenario.
Add CAPTCHA initialization code to each Mini Program page that requires verification. See Mini Program integration.
Verify the integration
Run these tests to confirm the CAPTCHA works correctly.
Test client-side initialization
-
Open the page where CAPTCHA is integrated.
-
Open the browser developer tools and go to the Network tab.
-
Confirm that the following items are present:
-
An initialization request.
-
The Preview of the initialization request contains CAPTCHA information with
successset totrue. -
CAPTCHA resources are loaded.
-

Test client-side verification
-
Trigger a verification request by interacting with the CAPTCHA.
-
In the browser developer tools, go to the Network tab.
-
Confirm that VerifyResult is
true.

Test server-side verification
After client-side verification succeeds, the client sends CaptchaVerifyParam to your business server. Your server calls the VerifyIntelligentCaptcha API.
Check the API response. A successful verification returns VerifyResult as true:
{
"RequestId": "C******-B***-4***-A***-5*******1",
"Message": "success",
"HttpStatusCode": 200,
"Code": "Success",
"Success": true,
"Result": {
"VerifyCode": "T001",
"VerifyResult": true
}
}
Test end-to-end behavior
Confirm that the CAPTCHA works as expected in your application:
-
Slider, Jigsaw, Click-to-pass, and Image Restore: The Verification Passed message appears after the user completes the challenge.
-
No-CAPTCHA: A successful business action confirms verification. For example, in a login scenario, the Logon Successful message appears after the user logs in.
Step 4: Publish your application
After all tests pass, deploy to production.
View statistical data
Once live, monitor verification metrics on the View statistical data page in the console.
How verification works (V3 architecture)
Slider, Jigsaw, Click-to-pass, and Image Restore
-
The client initializes CAPTCHA and requests JavaScript (JS) resources (images, questions) from the CAPTCHA server.
-
The CAPTCHA server returns the JS resources. The client loads and renders the CAPTCHA.
-
The user solves the challenge (slider, puzzle, or image restoration). The JS sends a verification request to the CAPTCHA server, which checks the answer and whether the request is from a bot.
-
On success, the CAPTCHA triggers the success callback and returns CaptchaVerifyParam. On failure, it refreshes for another attempt.
-
The client sends the business parameters and CaptchaVerifyParam to the business server.
-
The business server calls the VerifyIntelligentCaptcha API to validate CaptchaVerifyParam.
-
The CAPTCHA server verifies the parameters, checks for malicious activity, and returns the result.
-
The business server processes business logic and returns the verification and business results to the client.
No-CAPTCHA verification
-
The client initializes CAPTCHA and requests JS resources from the CAPTCHA server.
-
The CAPTCHA server returns the JS resources.
-
The user clicks the trigger button. The Alibaba Cloud server evaluates whether the user is safe.
-
The server returns the evaluation result:
-
Safe user: The initial verification passes. The success callback returns CaptchaVerifyParam for server-side validation.
-
Risky user: A secondary challenge is triggered:
-
The client loads JS resources and renders the CAPTCHA. After the user solves the challenge, the JS sends a verification request. The CAPTCHA server checks the answer.
-
On success, the success callback returns CaptchaVerifyParam. On failure, the CAPTCHA refreshes automatically.
-
-
-
The client sends the business parameters and CaptchaVerifyParam to the business server.
-
The business server calls the VerifyIntelligentCaptcha API to validate CaptchaVerifyParam.
-
The CAPTCHA server verifies the parameters, checks for malicious activity, and returns the result.
-
The business server processes the business logic and returns the result to the client.