hCaptcha

Role

Fallback CAPTCHA — runs when Cloudflare Turnstile is blocked by the visitor's network, region, or browser configuration. The shared <Captcha> component in @chirag127/oriz-kit performs a one-shot reachability probe against challenges.cloudflare.com on mount; if the probe fails (corporate proxy, regional block, ad-blocker), it transparently swaps in hCaptcha. Visitors never see the swap.

Different operator (Intuition Machines, not Cloudflare) on different infrastructure means a Cloudflare-edge incident doesn't take both captchas down at once.

Free tier

Card / subscription required?

NO. Sign-up is email-only on the Publisher plan. The paid "Enterprise" tier exists but is irrelevant — 1M/mo is far above family traffic.

How sites consume it

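// @chirag127/oriz-kit/src/HCaptchaWidget.tsx (sketch)
import { useRef } from 'react';
import HCaptcha from '@hcaptcha/react-hcaptcha';

export function HCaptchaWidget({ onToken }: { onToken: (t: string) => void }) {
  // Invisible mode renders no checkbox, so the challenge has to be started
  // programmatically; without execute(), onVerify never fires.
  const captcha = useRef<HCaptcha>(null);
  return (
    <HCaptcha
      ref={captcha}
      sitekey={import.meta.env.PUBLIC_HCAPTCHA_SITE_KEY}
      onLoad={() => captcha.current?.execute()}
      onVerify={onToken}
      size="invisible"
    />
  );
}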

The Worker verifies the token at https://api.hcaptcha.com/siteverify; HCAPTCHA_SECRET_KEY lives in Doppler. The Worker dispatches to the correct verifier based on which provider issued the token (each token carries a provider tag from the kit).
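One way the Worker-side dispatch described above could look, as an added example (not code from oriz-kit or from the Worker itself). `Provider`, `Secrets`, `FetchLike`, `isProvider`, `verifyCaptcha` and the `expectedHost` check are assumptions; the Turnstile siteverify URL is Cloudflare's documented endpoint and is not stated on this page.

```typescript
// Added example. Provider, Secrets, FetchLike, isProvider and verifyCaptcha are
// hypothetical names, not the kit's or the Worker's real API.
type Provider = 'turnstile' | 'hcaptcha';
type Secrets = Record<Provider, string>;
type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ ok: boolean; json(): Promise<unknown> }>;

// Fixed allow-list. The provider tag comes from the client, so it may only
// select one of these entries; it is never used to build a URL.
const VERIFY_URL: Record<Provider, string> = {
  turnstile: 'https://challenges.cloudflare.com/turnstile/v0/siteverify',
  hcaptcha: 'https://api.hcaptcha.com/siteverify',
};

function isProvider(tag: unknown): tag is Provider {
  // Own-property check so "constructor" or "__proto__" cannot match.
  return typeof tag === 'string' && Object.prototype.hasOwnProperty.call(VERIFY_URL, tag);
}

async function verifyCaptcha(
  tag: unknown,
  token: unknown,
  secrets: Secrets,
  expectedHost: string, // assumption: the site hostname the widget runs on
  fetchImpl: FetchLike, // pass the Worker's global fetch in production
): Promise<boolean> {
  // Fail closed: an unknown tag or missing token is never forwarded upstream.
  if (!isProvider(tag) || typeof token !== 'string' || token === '') return false;
  try {
    const body =
      `secret=${encodeURIComponent(secrets[tag])}&response=${encodeURIComponent(token)}`;
    const res = await fetchImpl(VERIFY_URL[tag], {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body,
    });
    if (!res.ok) return false;
    const data = (await res.json()) as { success?: unknown; hostname?: unknown };
    // Require a literal true and a token solved on our own hostname.
    return data.success === true && data.hostname === expectedHost;
  } catch {
    return false; // network failure or malformed JSON counts as unverified
  }
}
```

Because each secret is only ever sent to its own provider's endpoint, a mislabelled token fails verification upstream instead of being accepted by the wrong verifier.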

CSP coupling

The family's _headers preset needs script-src extended with https://*.hcaptcha.com to load the widget. This is the only CSP delta from the Turnstile-only baseline; the kit ships the extended directive by default since hCaptcha may load on any visit.

Alternatives

Swap cost

Low — same <Captcha> component in

If hCaptcha ever loses the no-card stance, the slot can be filled by Friendly Captcha (paid) or by routing 100% of traffic through Turnstile and accepting the failure rate in blocked regions.

Why this is our pick

The most generous free tier among CAPTCHA providers that don't share infrastructure with Cloudflare. 1M verifications/mo is far above family-scale traffic. Different operator + different edge means an incident at one provider doesn't take the other down. No card.
