ALTCHA
and CapMonster Cloud

Captcha solving, website installation and testing.

Inherited a site with a captcha or another protection layer but no access to the source code? In that case you naturally ask: which solution is installed, is it configured correctly, and how can the workflow be tested?

In this article, we have tried to answer all the key questions. The first step in solving the task is to determine which protection system is being used. To do this, you can refer to the list of popular captchas and anti-bot protection systems, where you will find visual examples and key indicators that help you quickly understand what you are dealing with.

If you discover that your site uses ALTCHA, the next step is to study its properties and operation in more detail. In this article, you can also review the instructions on how to integrate ALTCHA so that you fully understand how it functions on your site. This will help you not only understand the current protection, but also properly plan its maintenance.

What is ALTCHA

ALTCHA (Alternative CAPTCHA) is a system for protecting a website from bots and spam. It helps distinguish real users from automated programs so that the site remains safe and stable. ALTCHA is a modern alternative to traditional CAPTCHAs: it uses a lightweight cryptographic challenge (proof-of-work) and does not collect cookies or track users.

Examples of ALTCHA

Proof-of-Work (PoW)

The system uses the Proof-of-Work (PoW) verification method by default, which eliminates visual puzzles and intrusive checks. This approach combines security with user convenience, offering a non-intrusive captcha solution suitable for most visitors.

Code Captcha

Protection can be strengthened to require a text captcha.

Invisible Captcha

Verification happens without a visible widget and requires no user interaction.

How to solve ALTCHA via CapMonster Cloud

When testing forms that include ALTCHA, you often need to verify that the captcha works and is integrated correctly.

You can verify the captcha embedded on your site manually.

Open the form page and make sure the captcha renders.
Try submitting the form without solving it — the server should return an error.
After a successful solution, the form must be submitted without issues.

For automatic solving you can use tools like CapMonster Cloud, which accepts captcha parameters, processes them on its servers, and returns a ready-to-use token. Insert this token into the form to pass the check without user interaction.

Working with CapMonster Cloud via API typically involves the following steps:

Creating a task

At this stage you send your API key, captcha type and its parameters. The service returns a unique taskId, which can later be used to obtain the result.

Sending an API request

Your ALTCHA solving request must include the following parameters:

type - CustomTask

class - altcha

websiteURL - the address of the page where the captcha is solved

websiteKey - for this task it is allowed to send an empty string.

challenge (inside metadata) - a unique challenge identifier obtained from the webpage.

iterations (inside metadata) - the number of iterations or the maximum value for calculations. Important: the iterations parameter corresponds to the maxnumber value!

salt (inside metadata) - the salt obtained from the site, used to generate hashes.

signature (inside metadata) - the digital signature of the request.

userAgent - Browser User-Agent. Provide only a current UA from Windows OS.

Find more details about the parameters and how to gather them automatically before sending a task in the CapMonster Cloud documentation.

Endpoint for sending the task:

https://api.capmonster.cloud/createTask

Request example:

{
  "clientKey": "API_KEY",
  "task": {
    "type": "CustomTask",
    "class": "altcha",
    "websiteURL": "https://example.com",
    "websiteKey": "",
    "userAgent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)",
    "metadata": {
      "challenge": "3dd28253be6cc0c54d95f7f98c517e68744597cc6e66109619d1ac975c39181c",
      "iterations": "5000",
      "salt":"46d5b1c8871e5152d902ee3f?edk=1493462145de1ce33a52fb569b27a364&codeChallenge=464Cjs7PbiJJhJZ_ReJ-y9UGGDndcpsnP6vS8x1nEJyTkhjQkJyL2jcnYEuMKcrG&expires=1761048664",
      "signature": "4b1cf0e0be0f4e5247e50b0f9a449830f1fbca44c32ff94bc080146815f31a18"
    }
  }
}

Response:

{
  "errorId":0,
  "taskId":407533072
}

Receiving the result

After creating the task, poll the solution status.

Address to receive the result:

https://api.capmonster.cloud/getTaskResult

Request example:

{
  "clientKey":"API_KEY",
  "taskId": 407533072
}

Response:

{
  "errorId": 0,
  "status": "ready",
  "solution": {
    "data": {
      "token": "eyJhbGdvcml0aG0iOiJTSEEtMjU2IiwiY2hhbGxlbmdlIjoiNjMxOGUzYzc2NjhlOTZiMmFlYjg2NGU2NmRmMTliODRkYmYwZDBhMWRjNjYwMDdiMGM5ZGI4ODZiNTUxNjQxNiIsIm51bWJlciI6MTY0NDcsInNhbHQiOiJiMTQ1YWE5ZmU5MjA3NjBiMDgxYTAwNTMiLCJzaWduYXR1cmUiOiI5NzM4MmJlODE2NDUwNzk5MzlhYmU2M2ZkYzZjN2E3ZGYwOTM5MzNjODljZTk0ZjgzNTgxYmUyNDU3ZmI4MDM0IiwidG9vayI6MTczLjl9",
      "number": "16447"
    }
  }
}

Placing the token on the page

CapMonster Cloud response may contain two formats:

Full token — a base64-encoded set of parameters (including number).
Only number — if the server expects only the solution identifier.

To automate inserting tokens/numbers and submitting the form, it's convenient to use Puppeteer, Playwright, or Selenium—they allow you to emulate user behavior, insert hidden fields, and trigger form submission. When testing, be sure to cover both scenarios: sending the full token and sending only the number, as well as error cases (expired token, incorrect number, repeated use).

Solving, token insertion and form submission

Node.js example for a full captcha-solving cycle on your webpage. Possible approaches: use HTTP requests to obtain HTML and captcha parameters, send the solution and process the result; or use automation tools (e.g., Playwright) — open the page, wait for the captcha, send parameters (for testing you may send correct or incorrect values), get the result via CapMonster Cloud client, insert the token into the form and observe the result.

// npm install playwright
// npx playwright install chromium

const { chromium } = require("playwright");

const API_KEY = "YOUR_API_KEY";
const ALTCHA_PAGE = "https://example.com"; // Your website with ALTCHA

(async () => {
  const browser = await chromium.launch({ headless: false, devtools: true });
  const context = await browser.newContext();
  const page = await context.newPage();

  // Catching all responses from the ALTCHA endpoint
  let challengeResp = null;
  page.on("response", async (response) => {
    try {
      const url = response.url();
      if (url.startsWith("https://captcha.example.com/altcha")) { // ALTCHA endpoint
        challengeResp = await response.json();
        console.log("Captured Altcha response:", challengeResp);
      }
    } catch (err) {
      console.warn("Error parsing Altcha response:", err);
    }
  });

  await page.goto(ALTCHA_PAGE, { waitUntil: "networkidle" });

  // Click the widget if it exists
  const widgetHandle = await page.$("altcha-widget");
  if (widgetHandle) {
    try {
      await widgetHandle.click();
    } catch {}
  }

  // Waiting for challenge to appear
  const start = Date.now();
  while (!challengeResp && Date.now() - start < 60000) { // Timeout increased
    await new Promise((r) => setTimeout(r, 300));
  }

  if (!challengeResp) {
    console.error("Failed to capture Altcha challenge.");
    await browser.close();
    return;
  }

  const { challenge, salt, signature, maxnumbers } = challengeResp;

  // Creating a task on CapMonster Cloud
  const createTaskBody = {
    clientKey: API_KEY,
    task: {
      type: "CustomTask",
      class: "altcha",
      websiteURL: ALTCHA_PAGE,
      websiteKey: "",
      userAgent:"Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)",
      metadata: {
        challenge,
        iterations: maxnumbers || 100000,
        salt,
        signature,
      },
    },
  };

  const taskResp = await fetch("https://api.capmonster.cloud/createTask", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(createTaskBody),
  }).then((r) => r.json());

  console.log("CreateTask response:", taskResp);
  if (!taskResp?.taskId) {
    console.error("CreateTask failed:", taskResp);
    await browser.close();
    return;
  }

  const taskId = taskResp.taskId;

  // Getting the solution
  let fullSolution = null;
  const pollStart = Date.now();
  while (Date.now() - pollStart < 120000) {
    const res = await fetch("https://api.capmonster.cloud/getTaskResult", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ clientKey: API_KEY, taskId }),
    }).then((r) => r.json());

    if (res.status === "ready") {
      fullSolution = res.solution;
      console.log("Solution:", fullSolution);
      break;
    }
    await new Promise((r) => setTimeout(r, 3000));
  }

  if (!fullSolution) {
    console.error("No solution received in time.");
    await browser.close();
    return;
  }

  const token = fullSolution?.data?.token || fullSolution?.token || fullSolution?.data;

  if (!token) {
    console.error("Token not found in solution:", fullSolution);
    await browser.close();
    return;
  }

  //Inserting the token
  await page.evaluate((t) => {
    let input = document.querySelector("#captchaParaValidar");
    if (!input) {
      input = document.createElement("input");
      input.type = "hidden";
      input.id = "captchaParaValidar";
      input.name = "captchaParaValidar";
      (document.querySelector("form") || document.body).appendChild(input);
    }
    input.value = t;

    let alt = document.querySelector('input[name="altcha"]');
    if (!alt) {
      alt = document.createElement("input");
      alt.type = "hidden";
      alt.name = "altcha";
      (document.querySelector("form") || document.body).appendChild(alt);
    }
    alt.value = t;

    const widget = document.querySelector("altcha-widget");
    if (widget) {
      widget.setAttribute("data-state", "verified");
      const checkbox = widget.querySelector("input[type='checkbox']");
      if (checkbox) {
        checkbox.checked = true;
        checkbox.dispatchEvent(new Event("change", { bubbles: true }));
      }
      const label = widget.querySelector(".altcha-label");
      if (label) label.textContent = "Verified";
    }
  }, token);

  console.log("Token injected:", token);
})();

You can also test captcha solving using the CapMonster Cloud browser extension, which allows you to check captcha behavior directly on the page and track the solving process in real time without writing code — available for Chrome and Firefox.

How to integrate ALTCHA into your website

To confidently understand how captcha works on your site, know its validation logic, reconnect or reconfigure it, we recommend reading this section. It describes the integration process — helping you quickly understand all the details.

1. Installing the widget

Option 1 — via CDN (the simplest). Add this to your HTML <head>:

<script async defer src="https://cdn.jsdelivr.net/gh/altcha-org/altcha/dist/altcha.min.js" type="module"></script>

Option 2 — via npm:

npm install altcha

Import the widget into your JS file:

import "altcha";

2. Adding the widget to the form.

Insert the <altcha-widget> component into the form where protection is required:


<form method="POST" action="/submit">
  <altcha-widget challengeurl="/altcha/challenge"></altcha-widget>
  <button type="submit">Send</button>
</form>

challengeurl — your server endpoint for issuing the challenge.

If you use ALTCHA Sentinel (a ready server-side protection system against bots and spam with machine learning and traffic analysis), use its URL instead of your own server:


<altcha-widget 
  challengeurl="https://sentinel.example.com/v1/challenge?apiKey=YOUR_API_KEY">
</altcha-widget>

Installation and full guide for ALTCHA Sentinel

3. Server-side validation.

How validation works:

1) The widget generates a payload — Base64-encoded JSON, usually sent as the form field altcha.
2) On the server, you validate the payload cryptographically (without additional API requests).
3) After successful validation, you can process the form.

Validation via ALTCHA Sentinel:

Using the library


import { verifyServerSignature } from 'altcha-lib';

// The secret API key generated in Sentinel
const apiKeySecret = 'sec_...';

// Payload received from the widget
const payload = '...';

// Validation
const { verificationData, verified } = await verifyServerSignature(payload, apiKeySecret);

if (verified) {
  // Validation successful — form data can be processed
}

Tip: store used payloads to prevent replay attacks.

Through Sentinel HTTP API (if the library is unavailable):


const resp = await fetch('https://sentinel.example.com/v1/verify/signature', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ payload }),
});

const { verified } = await resp.json();

if (verified) {
  // Validation successful — processing the form
}

The API automatically prevents reuse of the same payload.

4. Validation without Sentinel (your own server)

Generating the challenge:


import { createChallenge } from 'altcha-lib';

const hmacKey = '$ecret.key'; // Your HMAC secret key

const challenge = await createChallenge({ hmacKey });

// Return the challenge in JSON for the widget

Payload validation when the form is submitted:


import { verifySolution } from 'altcha-lib';

const hmacKey = '$ecret.key'; // Your HMAC secret key

const verified = await verifySolution(payload, hmacKey);

if (verified) {
  // Validation successful — processing the form data
}

In this case, you create your own /altcha/challenge endpoint to issue tasks and implement validation on the server.

ALTCHA source code is available on GitHub for studying, customization and integration.

Possible errors and debugging

Invalid challengeurl or API Key

The widget does not load or returns an error during validation.

Solution timeout

The server did not have enough time to validate the payload. Increase the waiting time or ensure that the server-side validation works correctly.

Empty payload

Error while transferring the result from the widget to the server.

Verification failed

Payload is expired, reused or tampered with. For diagnostics, enable logging and check the fields verified and verificationData in the server or Sentinel response.

Protection resilience checks

After integration, make sure the system really protects the site from automated actions.

Try making a request without solving the captcha — the server should return success: false.

Perform a load test (e.g., using k6 or JMeter) at a rate above 100 requests per second — the captcha should load correctly and the validation system should remain stable.

Check the server reaction to an expired or reused token — the expected response is 403 Forbidden.

Security and optimization tips

<b>Keep secret keys</b> (HMAC or API Key for Sentinel) only on the server — do not send them to the frontend.

Keep secret keys (HMAC or API Key for Sentinel) only on the server — do not send them to the frontend.

<b>Log errors</b> and verification events (<b>verified: false</b> and <b>verificationData</b>) to understand the reasons for failed checks.

Log errors and verification events (verified: false and verificationData) to understand the reasons for failed checks.

For transparency and user trust, <b>add links to the privacy policy</b> and <b>ALTCHA terms of use</b> if required.

For transparency and user trust, add links to the privacy policy and ALTCHA terms of use if required.

Conclusion

If you’ve taken over a website that already has a captcha or another protection system installed, but you don’t have access to the code, don’t worry! It’s quite easy to identify which technology is being used. To verify that everything works correctly, you can use the CapMonster Cloud recognition service in an isolated test environment to make sure that the token processing mechanism and the validation logic are functioning properly.

In the case of ALTCHA, it’s enough to detect the system, observe its behavior, and confirm that the protection is working correctly. In this article, we showed how to identify ALTCHA and where to find instructions on how to integrate or reconfigure it, so you can confidently maintain the protection and keep its operation under control.

Helpful links

ALTCHA Documentation →

ALTCHA Source Code →

CapMonster Cloud Documentation (ALTCHA integration) →

The CapMonster Cloud browser extension is available for Chrome and Firefox. Full installation and usage instructions are available here.

ALTCHA and CapMonster Cloud

ALTCHA
and CapMonster Cloud