Capacity and performance
What is the default QPS limit, and what happens when it's exceeded?
CAPTCHA supports 1,000 queries per second (QPS) by default. Calls that exceed this limit fail immediately. To increase the limit, contact your account manager before traffic spikes occur.
How does CAPTCHA handle high-concurrency scenarios like flash sales?
The service supports up to 20,000 QPS. Dedicated clusters handle high-priority traffic with resource isolation to sustain peak concurrency. When traffic exceeds the agreed-upon QPS, an intelligent throttling and bypass mechanism ensures critical requests go through without loss.
For major sales events, contact your account manager in advance to purchase an additional resource plan.
Security
How does CAPTCHA protect against bot attacks?
CAPTCHA 2.0 uses JavaScript (JS) obfuscation combined with a dynamic verification mechanism. The dynamic layer prevents protocol-level replay attacks even if attackers reverse-engineer the JS code.
Machine learning models trained on user behavior analyze access frequency, device features, and behavioral anomalies to distinguish humans from bots — a method that overcomes the OCR-cracking weakness of traditional text-based CAPTCHAs.
For the highest level of protection, enable the Image Restoration verification type (powered by Artificial Intelligence Generated Content, or AIGC) directly in the console. Its complex challenge generation makes automated attacks significantly harder.
What types of attacks can CAPTCHA block — and what can't it stop?
CAPTCHA is a Turing test–based human verification mechanism. It effectively blocks automated threats such as bot registrations, ticket scalping, and web scraping.
It cannot reliably stop attacks that involve heavy investment in simulating human behavior or that use hired humans to solve challenges. Defending against those requires multi-dimensional security controls integrated into your business logic.
How do I strengthen CAPTCHA security when under attack?
Log on to the CAPTCHA console, select the relevant scene ID, and adjust the custom policy:
- Switch to Advanced Defense Mode. This applies stricter policies and blocks a wider range of abnormal features, which may introduce a small number of false positives. Switch back to Basic Mode once the attack subsides.
- Set access frequency thresholds. Analyze your traffic and attack patterns, then configure per-IP or per-device frequency limits to match your threat profile.
- Enable additional detection rules. Configure policies for specific attack vectors, such as hijacked CAPTCHA pages or emulator-based requests.
For stronger verification, switch to the Image Restoration type. Its challenge logic is more resistant to automated bypass than other verification types.
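One way to do the traffic analysis behind the frequency thresholds, as an added example that is not Alibaba Cloud code: it measures each IP's and each device's peak request count per 60-second window in normal traffic, derives a limit from that baseline, and applies it to an incident sample. The log records, their field layout, the percentile and the headroom factor are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed records: (epoch_seconds, client_ip, device_id). The layout is an
# assumption for this example, not a CAPTCHA log schema.
def normal_rows(n_clients=20):
    rows = []
    for i in range(n_clients):
        for k in range(1 + i % 4):            # 1 to 4 attempts per client
            rows.append((i * 30 + k * 10, f"198.51.100.{i}", f"dev-{i}"))
    return rows

def incident_rows():
    rows = normal_rows()
    for k in range(120):                      # one IP, four rotating device IDs
        rows.append((300 + k // 2, "203.0.113.7", f"emu-{k % 4}"))
    for k in range(40):                       # one device ID, forty source IPs
        rows.append((400 + k, f"192.0.2.{k + 1}", "emu-shared"))
    return rows

def peak_per_key(rows, key_index, window=60):
    """Highest request count each key reached in any `window`-second span."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for row in sorted(rows):
        ts, key = row[0], row[key_index]
        q = recent[key]
        q.append(ts)
        while q[0] <= ts - window:            # drop hits older than the window
            q.popleft()
        peak[key] = max(peak[key], len(q))
    return dict(peak)

def suggest_limit(baseline_peaks, percentile=95, headroom=2):
    """headroom x the given percentile of per-key peaks in normal traffic."""
    ordered = sorted(baseline_peaks.values())
    idx = min(len(ordered) - 1, len(ordered) * percentile // 100)
    return ordered[idx] * headroom

def over_limit(rows, key_index, limit, window=60):
    """Keys whose peak in the sample exceeds the limit."""
    peaks = peak_per_key(rows, key_index, window)
    return sorted(k for k, v in peaks.items() if v > limit)

if __name__ == "__main__":
    for name, col in (("per-IP", 1), ("per-device", 2)):
        limit = suggest_limit(peak_per_key(normal_rows(), col))
        print(name, "limit:", limit, "over:", over_limit(incident_rows(), col, limit))
```

In the constructed incident, the per-IP limit catches only the single noisy address, while the per-device limit also catches the device ID that spreads its requests across many IPs, which is why both dimensions are worth measuring.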
What is the difference between Basic Mode and Advanced Defense Mode?
| Mode | Best for | Trade-off |
|---|---|---|
| Basic Mode | Low-risk scenarios (e.g., internal employee logons) | Prioritizes accuracy; minimal false positives |
| Advanced Defense Mode | Active attack scenarios | Blocks a wider range of abnormal features; may produce some false positives |
Switch to Advanced Defense Mode when your business is under attack. Switch back to Basic Mode after the attack ends.
Verification types
Choosing a verification type
CAPTCHA offers five verification types:
| Type | How it works | Best for |
|---|---|---|
| One-click | User clicks once to verify | Low-friction, general use |
| Slider | User drags a slider to complete the challenge | Moderate security, familiar UX |
| Jigsaw | User fits a puzzle piece into place | Moderate security with visual engagement |
| Image Restoration | User restores an AIGC-generated image | Highest security; most resistant to automated attacks |
| No-CAPTCHA | Safe users pass silently; risky users see a fallback challenge | Low-risk flows where user experience is the priority |
Switch verification types on the scene management page in the console. Changes take effect within approximately 5 minutes.
For optimal compatibility, use a dedicated scene ID if you plan to enable No-CAPTCHA.
When should I use No-CAPTCHA?
No-CAPTCHA is best for low-risk flows where you want safe users to pass verification without any visible challenge. The initial risk assessment runs silently based on device environment data and user interactions on the page.
Do not use No-CAPTCHA for app integrations that embed the widget in a WebView or HTML5 page without other user interactions. The risk assessment relies on behavioral signals from the page — if the WebView contains only the CAPTCHA widget and nothing else, there are no behavioral signals to collect, and all verification attempts will be blocked.
What triggers a secondary challenge in No-CAPTCHA?
When the page loads, the initial risk assessment collects signals from device, environment, and keyboard or mouse behavior on the page.
When the risk score exceeds a threshold, a secondary challenge is presented using the fallback verification type you configured (One-click, Slider, Jigsaw, or Image Restoration). The specific thresholds and decision logic are not disclosed to prevent circumvention.
Scene IDs
What is a scene ID?
A scene ID is a system-generated identifier created when you set up a verification scene. It links the CAPTCHA type, security policy, and data statistics for that scene and is required for integrating CAPTCHA 2.0 into your application.
Can I reuse one scene ID across multiple scenarios?
Yes, but using a unique scene ID for each business scenario — such as logon, registration, and password change — gives you independent data statistics and lets you tailor the CAPTCHA type and security policy per use case.
Languages and customization
How many languages does CAPTCHA support?
CAPTCHA supports 17 languages by default. Set the language using the language parameter in initAliyunCaptcha.
If your required language is not available, pass a custom language code in the language parameter and provide your own translations for the widget's text prompts as key-value pairs in the myLang object. For details, see Custom text and multi-language settings.
Can I customize the text on the CAPTCHA widget?
Yes. Pass upLang: myLang and define your translations in the myLang object.
Can I use custom background images for Jigsaw verification?
Yes, custom background images are supported for Jigsaw verification. This is currently configured on the backend at no extra cost — contact your account manager to enable it. This feature will be added to the console as a paid option in a future release; an announcement will be made before that happens.
Image requirements:
| Requirement | Value |
|---|---|
| Verification type | Jigsaw only |
| Dimensions | 300 x 200 pixels |
| File size | 50 KB or less |
| Number of images | 15 minimum; more than 130 recommended |
More images result in stronger security.
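A pre-flight check for a Jigsaw background set against the requirements above, as an added example rather than an Alibaba Cloud tool. It assumes PNG or JPEG files (the page does not name accepted formats), reads 50 KB as 50 * 1024 bytes, and treats byte-identical duplicates as unusable because they do not enlarge the pool; `fake_png` is a hypothetical helper that builds constructed header-only test input.

```python
import hashlib
import struct

WIDTH, HEIGHT = 300, 200            # from the requirements table
MAX_BYTES = 50 * 1024               # assumption: "50 KB" read as 50 * 1024 bytes
MIN_IMAGES, RECOMMENDED = 15, 130   # minimum, and "more than 130 recommended"

def fake_png(w, h, pad=0):
    """Constructed test input: PNG signature + IHDR start, zero-padded."""
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I4sII", 13, b"IHDR", w, h) + bytes(pad)

def dimensions(data):
    """Return (width, height) read from a PNG or JPEG header, else None."""
    if len(data) >= 24 and data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        return struct.unpack(">II", data[16:24])
    if data[:2] == b"\xff\xd8":
        i = 2
        while i + 9 <= len(data) and data[i] == 0xFF:
            marker = data[i + 1]
            (seg_len,) = struct.unpack(">H", data[i + 2:i + 4])
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                h, w = struct.unpack(">HH", data[i + 5:i + 9])   # SOF: height, width
                return (w, h)
            i += 2 + seg_len
    return None

def check_pool(images):
    """images: {name: bytes}. Returns (per-file problems, pool summary)."""
    problems, seen = {}, {}
    for name, data in sorted(images.items()):
        issues = []
        dims = dimensions(data)
        if dims is None:
            issues.append("unrecognized format")
        elif dims != (WIDTH, HEIGHT):
            issues.append(f"{dims[0]}x{dims[1]}, expected {WIDTH}x{HEIGHT}")
        if len(data) > MAX_BYTES:
            issues.append(f"{len(data)} bytes exceeds {MAX_BYTES}")
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:
            issues.append(f"duplicate of {seen[digest]}")
        seen.setdefault(digest, name)
        if issues:
            problems[name] = issues
    usable = len(images) - len(problems)
    return problems, {"usable": usable, "meets_minimum": usable >= MIN_IMAGES,
                      "meets_recommended": usable > RECOMMENDED}
```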
Testing and configuration
Do I need to release a new app version to switch the verification type?
No. Switch the verification type on the scene management page in the console. The change takes effect within approximately 5 minutes.
Test compatibility with all verification types during integration so you can switch freely in the console to adapt to different attack scenarios.
What does Test mode do?
In Test mode, CAPTCHA checks only whether the integration path is working. It skips security checks and returns a preset result — configured to always pass or always fail — so you can test your frontend interactions and UI states (such as how a failed Slider challenge is displayed).
Switch the scene status back to Production when testing is done. The change takes effect within approximately 5 minutes.
Monitoring and alerts
How do I set up a low-balance alert for resource plans?
Resource plans are managed at the Alibaba Cloud account level. Go to Expenses and Costs > Account > Resource Plan to view usage and configure low-balance alerts.
How do I get notified when request volume spikes?
| Service | What it provides | Cost |
|---|---|---|
| CloudMonitor | Monitoring rules that detect sudden increases in request volume; alerts sent via phone, text message, or DingTalk | Free |
| Simple Log Service | Collects and stores request and security logs from CAPTCHA interactions, with query analysis, statistical charts, and alert services | Billed by Simple Log Service |
For setup details, see Alert notifications and Simple Log Service.
How long do console configuration changes take to apply?
Changes take effect within approximately 5 minutes.