Access token

When a visitor solves the CAPTCHA and sends their solution to an mCaptcha instance, the solution will be verified for correctness. If the solution is correct, mCaptcha will return a single use access token.

This access token should be attached to the visitor’s requited to the protected service and the protected service should validity of the access token with the mCaptcha instance and only allow access to protected resource if the access token is valid.

Validate access token:

1curl --location --request POST '' \
2  --header 'Content-Type: application/json' \
3  --data-raw '{
4    "token": "replace this with the access token presented by visitor",
5    "key": "replace this with the sitekey associated with the CAPTCHA"
6    "secret": "replace this with mCaptcha account secret, available in settings"
7  }'

Edit this page on GitHub