Modern CAPTCHA services: reCAPTCHA, Turnstile, hCaptcha and SmartCaptcha — how they work and which to choose
Published on 2026-03-31
Modern CAPTCHA has long ceased to be just an “exercise in recognizing crooked letters.” Today it’s a full-fledged anti-bot mechanism that analyzes not only the explicit action of the user, but also the context of the request: browser behavior, frequency and nature of interactions, network signals, and in some cases — additional device-environment signals. Cloudflare Turnstile, for example, separately documents Ephemeral IDs — short-lived identifiers to strengthen anti-fraud analysis without classic cookies, and Google reCAPTCHA Enterprise is positioned not as a “widget with pictures” but as part of a protection system against scraping, credential stuffing, fake registrations and other abuse.
Below is an analysis of the main market players, the real integration scheme, and the details where half of integrations break.
Google reCAPTCHA (v2 / v3 / Enterprise)
Google reCAPTCHA remains one of the most well-known solutions on the market. The service has several integration modes: v2 with a checkbox, invisible reCAPTCHA, v3 with a score model, and an Enterprise branch tied to Google Cloud. It’s important to understand that today the boundary between a “simple captcha” and a full risk assessment at Google is rather blurred: even Google’s official guidance advises interpreting the score and building your server-side logic around it, rather than relying solely on the widget’s pass/fail.
reCAPTCHA v2 (“I’m not a robot”) The classic checkbox variant. If the check is not confident in the user, an additional challenge may be shown. Google also has invisible reCAPTCHA, which belongs to the v2 family and can be invoked without an explicit checkbox.
reCAPTCHA v3 Fully invisible mode. Instead of “solve the pictures” it returns a score that you interpret on your side. Google emphasizes that the v3 token should be requested at the moment of the user’s action, not on page load, because the token lives only 2 minutes.
reCAPTCHA Enterprise This is an anti-abuse / fraud detection class solution, not just a widget. In official materials Google positions Enterprise as a tool against scraping, credential stuffing, account takeover, fake accounts, and payment fraud. For sites the backend typically creates an assessment and then makes a decision based on the assessment — allow the request, require additional verification, or block it.
From a practical point of view reCAPTCHA has two persistent downsides. First — privacy: the service is tightly tied to Google’s infrastructure, and some teams categorically do not want to pull such a dependency into public forms. Second — availability across regions and networks: if Google services open slowly or unstably for your users, the captcha will degrade with them. Google officially states GDPR-compliance for the Cloud version of reCAPTCHA, so the issue here is less about “legal or illegal” and more about architectural choice and trust model.
Cloudflare Turnstile
Cloudflare Turnstile over the past years has become the most notable direct alternative standard. Its strong point is minimal friction for the user. Cloudflare explicitly writes that Turnstile can be embedded into any site without mandatory use of Cloudflare CDN, and the service in many cases works without showing a traditional CAPTCHA at all.
Turnstile has several operating modes:
- Non-interactive — the user doesn’t click anything at all.
- Managed — an interactive check may appear when suspicious.
- Invisible — fully hidden mode.
As of March 2026 Turnstile has a free plan and an Enterprise plan. The free option is officially suitable not only for tests and personal sites, but for most production applications; Enterprise is needed for high volumes, complex host management, advanced bot detection and compliance scenarios. So it’s more accurate to say not “the service is completely free forever without caveats”, but “there is a very generous free tier and a separate enterprise level.”
From a privacy perspective Cloudflare has a strong marketing thesis: Turnstile does not collect data for ad retargeting. Additionally the service has Ephemeral IDs — short-lived, account-tied identifiers that help catch abuse patterns without classic cross-site tracking. This doesn’t mean “no data is collected at all”, but it means the architecture is noticeably less toxic for privacy discussions than the classic Google approach.
Another advantage is accessibility. Cloudflare officially claims Turnstile meets WCAG 2.2 AAA requirements, which for public forms and B2C services is not a nice-to-have but a practical selection criterion.
hCaptcha
hCaptcha is another major alternative player that heavily emphasizes a privacy-first approach and enterprise anti-abuse. In the basic scenario it is very similar to the classic CAPTCHA integration: a widget on the front end, a token on the server, server-side validation. But at the enterprise level passive modes without explicit challenge, risk scores, custom threat models, extended analytics and additional APIs are available. So hCaptcha is not just “pictures instead of Google”, but a full platform for abuse protection.
hCaptcha does have a monetization model where site owners can receive payments for participating in the labeling and challenge traffic ecosystem. But this should not be presented as the main reason for choosing it. In practice hCaptcha is chosen more often not for potential income but as a replacement for Google, regional availability, and a more flexible privacy stance.
From an accessibility perspective hCaptcha emphasizes not only audio approaches but alternative accessibility options, including universal accessibility flows and text challenge scenarios. This is an important nuance: in 2026 simply having an “audio captcha” can no longer be considered sufficient evidence of good accessibility.
Yandex SmartCaptcha
Yandex SmartCaptcha is a strong candidate for the RU segment and generally for scenarios where data localization, good availability from Russia, and integration with Yandex Cloud infrastructure are critical. Yandex’s official documentation describes several modes: invisible captcha, intermediate checks like a checkbox or slider, and more complex tasks for suspicious requests. The service page separately lists task types, including text recognition, slider, silhouettes and kaleidoscope.
It’s important not to confuse two things. First: SmartCaptcha is indeed convenient for Russian projects because it lives in the Yandex Cloud ecosystem. Second: the phrasing “SmartCaptcha automatically makes your project compliant with Federal Law No. 152-FZ” is too coarse. More correct would be to say: Yandex Cloud in general claims compliance with the requirements of Federal Law No. 152-FZ and provides infrastructure for localization and processing of personal data in Russia, which makes SmartCaptcha a natural choice for such scenarios. But legal responsibility and a full compliance model still remain with the system owner.
From a UX perspective SmartCaptcha’s strong point is orientation toward minimal friction. Yandex explicitly writes that in many cases the user only needs to click “I’m not a robot”, and a complex task is shown only when bot suspicion is raised.
2. How integration actually works
Any modern CAPTCHA works via a two-step scheme. If you implemented only the frontend widget and did not perform server-side validation, you effectively have no protection. This is stated bluntly in Cloudflare Turnstile’s documentation: without calling siteverify the configuration is considered incomplete, and the client widget by itself does not provide protection. The same logic applies to Google reCAPTCHA, hCaptcha and Yandex SmartCaptcha.
Step 1: client side
On the frontend you include the service’s JS library and render the widget or invisible mechanism. After a successful check the service places a token into a hidden form field or returns it via a callback. For example:
- g-recaptcha-response for Google reCAPTCHA;
- cf-turnstile-response for Cloudflare Turnstile;
- h-captcha-response for hCaptcha;
- smart-token for Yandex SmartCaptcha.
Then this token needs to be sent to your backend along with the form payload: login, password, feedback message, order data, etc.
Step 2: server-side verification
This is the main step. Your backend must send the token to the CAPTCHA provider’s server and ensure that the token:
- exists;
- has not expired;
- has not been reused;
- corresponds to the expected action or site;
- passed validation.
Below are typical verification endpoints.
Google reCAPTCHA
curl -X POST https://www.google.com/recaptcha/api/siteverify \
-d "secret=<secret_key>" \
-d "response=<token>" \
-d "remoteip=<user_ip>"
reCAPTCHA returns JSON with the field success, and for v3 and Enterprise-like scenarios score and assessment context are also important. The token lives 2 minutes and can be verified only once.
Cloudflare Turnstile
curl -X POST https://challenges.cloudflare.com/turnstile/v0/siteverify \
-d "secret=<secret_key>" \
-d "response=<token>" \
-d "remoteip=<user_ip>"
Turnstile server-side verification is mandatory. The token expires after 5 minutes and is single-use.
hCaptcha
curl -X POST https://api.hcaptcha.com/siteverify \
-d "secret=<secret_key>" \
-d "response=<token>" \
-d "remoteip=<user_ip>"
hCaptcha tokens by default also live 120 seconds, and reuse returns a separate already-seen-response error.
Yandex SmartCaptcha
curl -X POST https://smartcaptcha.cloud.yandex.ru/validate \
-d "secret=<server_key>" \
-d "token=<token_from_form>" \
-d "ip=<user_ip>"
Yandex indicates that a SmartCaptcha token is valid for 5 minutes and can be used only once. The response will contain JSON with status, and you should proceed with form processing only when the status is ok.
3. What exactly to check on the backend
The most common integration mistake is that the developer checks that the token field is not empty and stops there. That is not protection. The correct sequence is:
- Accept the token from the frontend.
- Send it to the provider’s API.
- Check validation success.
- Ensure the token is not expired and not reused.
- For score-based solutions — interpret the score on your side.
- Only after that process the original request.
For reCAPTCHA v3 and enterprise scenarios it’s especially important not to turn the score into a magical number. The threshold depends on context. For a comment form you can allow more risky traffic, while for login, password recovery, registration or payment thresholds and reactive measures should be stricter. Google explicitly states that the score should be interpreted based on the specifics of your site and your traffic.
4. Important technical nuances people forget
The token cannot simply be “forwarded”
All major providers make tokens short-lived and single-use. For Google and hCaptcha a typical lifetime is 2 minutes. Turnstile and SmartCaptcha are 5 minutes. Re-validating the same token will either fail or return a reuse/expired error. This is done specifically to protect against replay attacks.
Timeouts on CAPTCHA API requests are mandatory
If an external CAPTCHA API is unavailable from your datacenter, a hanging backend easily becomes a DoS against itself. Therefore you should set a short timeout on outgoing requests to the CAPTCHA service. Yandex documentation even includes an example with CURLOPT_TIMEOUT, and in real practice 1–3 seconds is a quite workable range for public forms. What to do on error depends on the operation type:
- fail close — reject the request if the CAPTCHA API is unavailable;
- fail open — allow the request but with additional restrictions;
- soft fail — ask to resubmit the form, require an alternative check or a second factor.
For login, registration, password reset, checkout and API write operations it’s usually better to fail close or soft fail. For blog subscription or secondary forms sometimes fail open with rate limiting and logging is acceptable.
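As an added example (not code from the article or from any of the providers), here is a provider-agnostic Python helper that performs the server-side step described above, applies the backend checks from section 3, enforces a hard timeout and implements the fail-close / fail-open / soft-fail policies. The endpoint URLs and parameter names are the ones quoted above; the injectable `post` transport, the `expected_host` check and the SmartCaptcha `host` response field name are my assumptions.

```python
import json
import urllib.parse
import urllib.request

# Endpoints and parameter names from the article. SmartCaptcha names the
# token field "token", the IP field "ip", and reports "status": "ok"
# instead of "success": true.
PROVIDERS = {
    "recaptcha": ("https://www.google.com/recaptcha/api/siteverify", "response", "remoteip"),
    "turnstile": ("https://challenges.cloudflare.com/turnstile/v0/siteverify", "response", "remoteip"),
    "hcaptcha": ("https://api.hcaptcha.com/siteverify", "response", "remoteip"),
    "smartcaptcha": ("https://smartcaptcha.cloud.yandex.ru/validate", "token", "ip"),
}


def http_post(url, fields, timeout):
    """Real transport: form-encoded POST with a hard timeout on the socket."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def verify_captcha(provider, secret, token, remote_ip, *, min_score=None,
                   expected_host=None, fail_mode="close", timeout=2.0,
                   post=http_post):
    """Return (allowed, reason). fail_mode on provider outage/timeout:
    'close' rejects, 'open' allows (pair it with rate limiting and logging),
    'soft' rejects with a reason the UI can turn into "resubmit" or a
    second factor. `post` is injectable so the logic is testable offline."""
    if not token:
        return False, "missing-token"
    url, token_field, ip_field = PROVIDERS[provider]
    fields = {"secret": secret, token_field: token, ip_field: remote_ip}
    try:
        body = post(url, fields, timeout)
    except (OSError, ValueError):  # URLError/timeouts are OSError; bad JSON is ValueError
        if fail_mode == "open":
            return True, "provider-unavailable-fail-open"
        if fail_mode == "soft":
            return False, "provider-unavailable-retry"
        return False, "provider-unavailable"
    ok = body.get("status") == "ok" if provider == "smartcaptcha" else body.get("success") is True
    if not ok:
        # Expired or replayed tokens surface here (e.g. hCaptcha's
        # "already-seen-response"); single use is enforced by the provider.
        codes = body.get("error-codes") or [body.get("message") or "rejected"]
        return False, "rejected:" + ",".join(map(str, codes))
    # Site binding: reCAPTCHA/Turnstile/hCaptcha return "hostname";
    # SmartCaptcha is assumed to return "host".
    host = body.get("hostname") or body.get("host")
    if expected_host and host != expected_host:
        return False, f"host-mismatch:{host}"
    # reCAPTCHA v3 returns a score; the threshold is per action, not a magic constant.
    if min_score is not None:
        score = body.get("score")
        if score is None or score < min_score:
            return False, f"low-score:{score}"
    return True, "ok"
```

Call it once per request before touching the form payload, with a stricter `min_score` and `fail_mode="close"` for login, registration, password reset and checkout than for secondary forms.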
CAPTCHA is not a full anti-bot system
Any CAPTCHA is only one layer of protection. Google, Cloudflare, hCaptcha and Yandex work best combined with other measures:
- rate limiting;
- IP / ASN reputation;
- device / session anomalies;
- behavioral signals;
- limits on registration, login and form submission speed;
- WAF and anti-fraud rules;
- separate rules for anonymous networks, proxies and datacenter IPs.
If you have a serious bot problem, one CAPTCHA will not solve it. Live anti-captcha services, device farms and proxied browsers have long been able to pass basic checks. CAPTCHA should act as an additional barrier and as a signal source for your server-side logic.
Accessibility is already part of security
A bad CAPTCHA not only cuts conversion but also breaks accessibility. Cloudflare claims WCAG 2.2 AAA for Turnstile. hCaptcha separately develops universal accessibility flows and text challenge scenarios. Yandex SmartCaptcha highlights accessibility as a standalone product aspect. Against this background “old” visual captchas with strange symbols already look like technical debt.
CSP can break the integration
If you have a strict Content-Security-Policy the widget may not load at all. For Turnstile Cloudflare officially recommends either nonce-based CSP or explicitly adding the domain to script-src and frame-src. Yandex SmartCaptcha’s JS is loaded from smartcaptcha.cloud.yandex.ru, and this must also be considered in your script loading policy.
For example, a typical Turnstile setup would look like this:
Content-Security-Policy:
script-src 'self' https://challenges.cloudflare.com;
frame-src https://challenges.cloudflare.com;
And for SmartCaptcha you need to allow loading the script and related resources from the Yandex Cloud domains used by the widget.
Test keys and staging environment
Another common mistake is using production keys in automated tests. Google has official test keys for v2, and Cloudflare Turnstile separately documents dummy sitekeys and secret keys for testing. For v3 Google recommends creating a separate key for the test environment because scores without real traffic will be unrepresentative.
5. Practical recommendations for choosing
When to pick Cloudflare Turnstile
Turnstile is a very strong default choice for most modern web projects. It’s easy to integrate, does not require Cloudflare CDN, works well without explicit challenges, has a strong accessibility position and is convenient when you don’t want to pull in a dependency on Google. For marketing sites, SaaS, dashboards, login forms, feedback forms and registration it’s currently one of the most pragmatic options.
When to pick Google reCAPTCHA
reCAPTCHA makes sense if you are already deeply in the Google Cloud ecosystem, you need mature enterprise-level protection, or you are building more complex anti-fraud logic around assessment and risk scoring. But in public forms and global B2C scenarios alternatives are increasingly winning — simply because of UX, privacy concerns and regional availability.
When to pick hCaptcha
hCaptcha is logical where a privacy-first approach is needed, as a Google replacement without losing serious anti-abuse capability, and where richer enterprise options like passive modes and custom threat models are desired. Additional monetization exists, but for production it’s better to treat it as a secondary factor.
When to pick Yandex SmartCaptcha
SmartCaptcha is a reasonable choice for projects with audiences in Russia and CIS, and for systems where local availability, Russian-language ecosystem and data localization requirements are important. It fits especially well when paired with other Yandex Cloud services. But, like any CAPTCHA, it does not close the whole class of attacks and does not replace rate limiting, WAF and server-side anti-fraud logic.
6. Summary table
| Service | User friction | Privacy / data posture | Integration complexity | What to know |
|---|---|---|---|---|
| reCAPTCHA v2 | Low / medium | Lower than privacy-first alternatives | Medium | Classic checkbox and challenge |
| reCAPTCHA v3 | Almost zero | Lower than privacy-first alternatives | Medium | You must interpret the score yourself |
| reCAPTCHA Enterprise | Almost zero / adaptive | Depends on your trust model in Google Cloud | Above medium | Not just CAPTCHA, but risk assessment |
| Cloudflare Turnstile | Very low | Strong privacy stance | Easy | Server-side validation is mandatory |
| hCaptcha | Low / medium | Strong privacy stance | Medium | Passive/risk-score scenarios available at enterprise |
| Yandex SmartCaptcha | Low | Convenient for localization and Yandex Cloud | Medium | Well-suited for the RU segment |
7. Minimal production checklist
Before considering CAPTCHA “deployed”, check:
- the token is validated only on the server;
- the secret key is nowhere exposed in frontend code;
- the request to the CAPTCHA API has a timeout;
- token reuse is not allowed;
- validation errors are logged;
- there is separate logic for CAPTCHA API degradation;
- the score threshold for invisible solutions is tuned on real traffic;
- CSP is configured and does not break widget loading;
- CAPTCHA is complemented by rate limiting and basic anti-fraud logic.
Conclusion
If choosing practically, without religious wars and unnecessary theory, for most modern web applications Cloudflare Turnstile currently looks like the most universal option: fast, unobtrusive to the user, formally well-considered for accessibility and not tied to the Google ecosystem.
If data localization, availability from Russia and integration with Yandex Cloud are critical, then Yandex SmartCaptcha is a very strong candidate. Just don’t sell it as an “automatic guarantee of compliance with Federal Law No. 152-FZ”: it’s more correct to say it fits well into infrastructure built with those requirements in mind.
If you need a more developed enterprise anti-fraud model with risk scoring and tight integration with Google’s ecosystem, look at reCAPTCHA Enterprise. If you want a privacy-first alternative with strong enterprise-level features without Google — consider hCaptcha.
And most importantly: CAPTCHA is not a silver bullet. It should be part of a broader protection model, not the only barrier between your API and a bot farm.