Extension for browsers

For business

Pricing

Blog

Docs

English

MTCaptcha
and CapMonster Cloud

Captcha solution, website integration, and testing.

Inherited a site with a captcha or another protection layer but no access to the source code? In that case you naturally ask: which solution is installed, is it configured correctly, and how can the workflow be tested?

In this article, we have tried to answer all the key questions. The first step in solving the task is to determine which protection system is being used. To do this, you can refer to the list of popular captchas and anti-bot protection systems, where you will find visual examples and key indicators that help you quickly understand what you are dealing with.

If you discover that your site uses MTCaptcha, the next step is to study its properties and operation in more detail. In this article, you can also review the instructions on how to integrate MTCaptcha so that you fully understand how it functions on your site. This will help you not only understand the current protection, but also properly plan its maintenance.

What is MTCaptcha

MTCaptcha is a website protection system against automated actions, using intelligent verification and captcha. First, the service analyzes traffic in the background. If the visitor's behavior seems suspicious, the system automatically displays a text captcha for additional verification.

How to solve MTCaptcha via CapMonster Cloud

When testing forms that include MTCaptcha, you often need to verify that the captcha works and is integrated correctly.

You can verify the captcha embedded on your site manually.

Open the form page and make sure the captcha renders.
Try submitting the form without solving it — the server should return an error.
After a successful solution, the form must be submitted without issues.

For automatic solving you can use tools like CapMonster Cloud, which accepts captcha parameters, processes them on its servers, and returns a ready-to-use token. Insert this token into the form to pass the check without user interaction.

Working with CapMonster Cloud via API typically involves the following steps:

Creating a task

At this stage, you pass your API key, captcha type, and its parameters. The service returns a unique taskId, which can later be used to get the result.

Sending an API request

In the request for solving MTCaptcha, you must specify the following parameters:

type - MTCaptchaTask

websiteURL - The address of the main page where the captcha is solved.

websiteKey - The MTcaptcha key, passed in the request parameters as “sk”.

pageAction - The action parameter is passed in the request as “act” and is displayed during token validation. Specify it only if the value differs from the default – %24.

isInvisible - Specify true if the captcha is invisible, meaning it has a hidden confirmation field. If bot activity is suspected, an additional check is triggered.

Find more details about the parameters and how to gather them automatically before sending a task in the CapMonster Cloud documentation.

Endpoint for sending the task:

https://api.capmonster.cloud/createTask

Request example:

{
  "clientKey": "API_KEY",
  "task": 
  {
    "type": "MTCaptchaTask",
    "websiteURL": "https://www.example.com",
    "websiteKey": "MTPublic-abCDEFJAB",
    "isInvisible": false,
    "pageAction": "login"
  }
}

Response:

{
  "errorId":0,
  "taskId":407533072
}

Receiving the result

After creating the task, poll the solution status.

Address to receive the result:

https://api.capmonster.cloud/getTaskResult

Request example:

{
  "clientKey":"API_KEY",
  "taskId": 407533072
}

Response:

{
  "errorId": 0,
  "errorCode": null,
  "errorDescription": null,
  "solution": {
    "token": "v1(155506dc,c8c2e356,MTPublic-abCDEFJAB,70f03532a53...5FSDA**)"
  },
  "status": "ready"
}

Placing the token on the page

The received token can be inserted into a hidden form field or used to call a JavaScript function on the site to confirm the solution. After that, the server will accept the form as valid. For automation and testing, Puppeteer, Selenium, or Playwright are convenient, as they emulate user actions, insert tokens, and submit forms.

Recognizing MTCaptcha using ready-made libraries

CapMonster Cloud provides ready-to-use libraries for convenient work in Python, JavaScript (Node.js), and C#.

Python

JavaScript

Solve, insert token, and submit form

Node.js example for the full cycle of captcha recognition on your webpage. Possible approaches: use HTTP requests to get HTML and captcha parameters, submit the response and process the result; or use automation tools (like Playwright) — open the page, wait for the captcha, submit parameters (for testing you can send correct or incorrect data), get the result via CapMonster Cloud client, insert the token into the form, and see the result.


  // npm install playwright @zennolab_com/capmonstercloud-client
import { chromium } from 'playwright';
import { CapMonsterCloudClientFactory, ClientOptions, MTCaptchaRequest } from '@zennolab_com/capmonstercloud-client';

const API_KEY = 'YOUR_API_KEY';
const TARGET_URL = 'https://example.com';

async function main() {
  const browser = await chromium.launch({ headless: false });
  const context = await browser.newContext();
  const page = await context.newPage();

 
  let websiteKey = null;
  page.on('request', request => {
    const url = request.url();
    if (url.startsWith('https://service.mtcaptcha.com/mtcv1/api/getchallenge.json')) {
      const params = new URL(url).searchParams;
      const sk = params.get('sk');
      if (sk) {
        websiteKey = sk;
        console.log('Extracted websiteKey (sk):', websiteKey);
      }
    }
  });

  
  await page.goto(TARGET_URL, { waitUntil: 'networkidle' });

  if (!websiteKey) {
    console.error('Failed to extract websiteKey (sk) from the page');
    await browser.close();
    return;
  }

  
  const client = CapMonsterCloudClientFactory.Create(
    new ClientOptions({ clientKey: API_KEY })
  );

  
  const mtcaptchaRequest = new MTCaptchaRequest({
    websiteURL: TARGET_URL,
    websiteKey: websiteKey,
    isInvisible: false,
    pageAction: 'login'
  });

  // Captcha solution
  const result = await client.Solve(mtcaptchaRequest);

  
  const verifiedToken = typeof result?.solution?.value === 'string'
    ? result.solution.value
    : JSON.stringify(result.solution.token);

  console.log('VerifiedToken:', verifiedToken);

  
  // Insert token and submit form (replace with the required selector)
  await page.evaluate((token) => {
    const input = document.querySelector('#mtcaptcha-verifiedtoken-1');
    if (input) input.value = token;
  }, verifiedToken);

  console.log('Token inserted into input');

  
  // await page.click('button[type="submit"]');

  await page.waitForTimeout(5000);

  await browser.close();
}

main().catch(err => {
  console.error('An error occurred:', err);
});

There is also a great opportunity to test captcha recognition using the CapMonster Cloud browser extension, which allows you to quickly check captcha functionality directly on the page and track the solving process in real time without writing code — available for Chrome and Firefox.

How to connect MTCaptcha to your website

To confidently navigate captcha functionality on your site, understand its logic, reconnect or reconfigure it, we recommend studying this section. It describes the integration process — helping you quickly understand all details.

1. Register or log in to your MTCaptcha account.

2. After registration, add your website. You will receive two keys.

Site Key — public key for the frontend to display the widget.
Private Key — private key for the server to verify captcha solutions. Store it only on the server, do not pass it to the client.

Example:

3. Set up the MTCaptcha client-side:

Insert the code into the <head> of the page.

Replace <YOUR SITE KEY> with your Site Key obtained from the MTCaptcha dashboard.


  <head>
  <script>
    var mtcaptchaConfig = {
      sitekey: "<YOUR SITE KEY>"
    };
  
    (function() {
      var mt_service = document.createElement('script');
      mt_service.async = true;
      mt_service.src = 'https://service.mtcaptcha.com/mtcv1/client/mtcaptcha.min.js';
      (document.head || document.body).appendChild(mt_service);
  
      var mt_service2 = document.createElement('script');
      mt_service2.async = true;
      mt_service2.src = 'https://service2.mtcaptcha.com/mtcv1/client/mtcaptcha2.min.js';
      (document.head || document.body).appendChild(mt_service2);
    })();
  </script>
</head>

Add the captcha container to the <body>

Where you want to display the captcha (e.g., inside a form):

<div class="mtcaptcha"></div>

The widget will load automatically.

You can use ready-made SDKs and plugins for quick integration:

Server-side SDKs: Java, Node.js, PHP
Client-side SDKs: React, React Native, Vue
CMS plugins: WordPress, Drupal

MTCaptcha also provides a convenient demo page to test and configure protection before deploying to your website.

4. Working with the server-side. Get Verified-Token on the client.

Via hidden form field:

<input type="hidden" name="mtcaptcha-verifiedtoken" />

Or via JS:

mtcaptcha.getVerifiedToken() / mtcaptchaVerifiedCallback(status)

Send the token to the server along with the form or request.

Verify token via API (server-side check):

GET https://service.mtcaptcha.com/mtcv1/api/checktoken?privatekey=<PRIVATE_KEY>&token=<TOKEN>

privatekey — your private key (server-side only)
token — token from client

Alternative URL for servers with firewall:

https://service2.mtcaptcha.com/mtcv1/api/checktoken

Process response:

success: true → captcha passed, continue processing.

Example


{
  "success": true,
  "tokeninfo": {
    "v": "1.0",
    "code": 201,
    "codeDesc": "valid:captcha-solved",
    "tokID": "ae1e60a1e249c217cb7b05c4dba8dd0d",
    "timestampSec": 1552185983,
    "timestampISO": "2019-03-10T02:46:23Z",
    "hostname": "some.example.com",
    "isDevHost": false,
    "action": "",
    "ip": "10.10.10.10"
  }
}

success: false → error (token expired, reused, etc.)

Each verifiedToken is valid for a few minutes and can be checked only once via CheckToken API, preventing reuse. After receiving the token, the server must verify it in time — the MTCaptcha widget guarantees at least 50 seconds for validation.

Simple example using MTCaptcha module on Node.js


const { MTCaptcha } = require('mtcaptcha');

const PRIVATE_KEY = 'YOUR_PRIVATE_KEY';
const tokenFromClient = 'TOKEN';

const mt = new MTCaptcha(PRIVATE_KEY, tokenFromClient);

mt.verify((result) => {
  if (result.success) {
    console.log('Captcha passed!', result.tokeninfo);
  } else {
    console.error('Captcha failed:', result.fail_codes || result.error);
  }
});

For a detailed study of MTCaptcha features — widget customization, client/server configuration, framework integration, and other aspects — refer to the official documentation.

Possible errors and debugging

Invalid site or key

Captcha does not load or the server returns invalid-privatekey or privatekey-mismatch-token. Make sure you are using the correct sitekey and privatekey pair.

Token missing or invalid

Errors missing-input-token, invalid-token, bad-request. Check that the token value is sent to the server and not modified.

Expired token (token-expired)

Token is valid for a limited time (usually ~120 seconds), after which it must be obtained again.

Token recheck (token-duplicate-cal)

Token can only be verified once — this protects against replay attacks.

Expired or deactivated key (expired-sitekey-or-account)

Ensure your keys are current and your account is active.

For diagnostics, enable request logging and output fail_codes to understand the reason for the error.

Protection resilience checks

Request without token should return an error (missing-input-token or similar).

Load testing (e.g., k6 or JMeter): Under high load, the captcha interface should function correctly, and the server should verify tokens stably.

Checking repeated or expired token should return the corresponding fail_code, e.g., token-duplicate-cal or token-expired.

Security and optimization tips

Store the <b>privatekey only on the server</b> — do not pass it to the client.

Store the privatekey only on the server — do not pass it to the client.

Log <b>fail_codes</b> to track error causes and analyze protection bypass attempts.

Log fail_codes to track error causes and analyze protection bypass attempts.

Place links to the <b>Privacy Policy</b> and <b>Terms of Use</b> on the form if required by your platform’s policy.

Place links to the Privacy Policy and Terms of Use on the form if required by your platform’s policy.

Conclusion

If you’ve taken over a website that already has a captcha or another protection system installed, but you don’t have access to the code, don’t worry! It’s quite easy to identify which technology is being used. To verify that everything works correctly, you can use the CapMonster Cloud recognition service in an isolated test environment to make sure that the token processing mechanism and the validation logic are functioning properly.

In the case of MTCaptcha, it’s enough to detect the system, observe its behavior, and confirm that the protection is working correctly. In this article, we showed how to identify MTCaptcha and where to find instructions on how to integrate or reconfigure it, so you can confidently maintain the protection and keep its operation under control.

Helpful links

MTCaptcha Documentation →

CapMonster Cloud Documentation (working with MTCaptcha) →

SDKs and plugins for quick MTCaptcha integration →

MTCaptcha demo page (Code Builder) →

The CapMonster Cloud browser extension is available for Chrome and Firefox. Full installation and usage instructions are available here.

MTCaptcha and CapMonster Cloud

MTCaptcha
and CapMonster Cloud