MTCaptcha
and CapMonster Cloud

Captcha solution, website integration, and testing.

Pricing of MTCaptcha solution

CAPTCHA
Price (USD)
$ 1.50
1000 tokens
Inherited a site with a captcha or another protection layer but no access to the source code? In that case you naturally ask: which solution is installed, is it configured correctly, and how can the workflow be tested?

In this article, we have tried to answer all the key questions. The first step in solving the task is to determine which protection system is being used. To do this, you can refer to the list of popular captchas and anti-bot protection systems, where you will find visual examples and key indicators that help you quickly understand what you are dealing with.

If you discover that your site uses MTCaptcha, the next step is to study its properties and operation in more detail. In this article, you can also review the instructions on how to integrate MTCaptcha so that you fully understand how it functions on your site. This will help you not only understand the current protection, but also properly plan its maintenance.

What is MTCaptcha
What is MTCaptcha
MTCaptcha is a website protection system against automated actions, using intelligent verification and captcha. First, the service analyzes traffic in the background. If the visitor's behavior seems suspicious, the system automatically displays a text captcha for additional verification.

How to solve MTCaptcha via CapMonster Cloud

When testing forms that include MTCaptcha, you often need to verify that the captcha works and is integrated correctly.

You can verify the captcha embedded on your site manually.

  • Open the form page and make sure the captcha renders.
  • Try submitting the form without solving it — the server should return an error.
  • After a successful solution, the form must be submitted without issues.

For automatic solving you can use tools like CapMonster Cloud, which accepts captcha parameters, processes them on its servers, and returns a ready-to-use token. Insert this token into the form to pass the check without user interaction.

Working with CapMonster Cloud via API typically involves the following steps:

Creating a taskCreating a task
arrow
Sending an API requestSending an API request
arrow
Receiving the resultReceiving the result
arrow
Placing the token on the pagePlacing the token on the page
arrow
Recognizing MTCaptcha using ready-made libraries
CapMonster Cloud provides ready-to-use libraries for convenient work in Python, JavaScript (Node.js), and C#.
Python
JavaScript
C#
Solve, insert token, and submit form
Node.js example for the full cycle of captcha recognition on your webpage. Possible approaches: use HTTP requests to get HTML and captcha parameters, submit the response and process the result; or use automation tools (like Playwright) — open the page, wait for the captcha, submit parameters (for testing you can send correct or incorrect data), get the result via CapMonster Cloud client, insert the token into the form, and see the result.

  // npm install playwright @zennolab_com/capmonstercloud-client
import { chromium } from 'playwright';
import { CapMonsterCloudClientFactory, ClientOptions, MTCaptchaRequest } from '@zennolab_com/capmonstercloud-client';

const API_KEY = 'YOUR_API_KEY';
const TARGET_URL = 'https://example.com';

async function main() {
  const browser = await chromium.launch({ headless: false });
  const context = await browser.newContext();
  const page = await context.newPage();

 
  let websiteKey = null;
  page.on('request', request => {
    const url = request.url();
    if (url.startsWith('https://service.mtcaptcha.com/mtcv1/api/getchallenge.json')) {
      const params = new URL(url).searchParams;
      const sk = params.get('sk');
      if (sk) {
        websiteKey = sk;
        console.log('Extracted websiteKey (sk):', websiteKey);
      }
    }
  });

  
  await page.goto(TARGET_URL, { waitUntil: 'networkidle' });

  if (!websiteKey) {
    console.error('Failed to extract websiteKey (sk) from the page');
    await browser.close();
    return;
  }

  
  const client = CapMonsterCloudClientFactory.Create(
    new ClientOptions({ clientKey: API_KEY })
  );

  
  const mtcaptchaRequest = new MTCaptchaRequest({
    websiteURL: TARGET_URL,
    websiteKey: websiteKey,
    isInvisible: false,
    pageAction: 'login'
  });

  // Captcha solution
  const result = await client.Solve(mtcaptchaRequest);

  
  const verifiedToken = typeof result?.solution?.value === 'string'
    ? result.solution.value
    : JSON.stringify(result.solution.token);

  console.log('VerifiedToken:', verifiedToken);

  
  // Insert token and submit form (replace with the required selector)
  await page.evaluate((token) => {
    const input = document.querySelector('#mtcaptcha-verifiedtoken-1');
    if (input) input.value = token;
  }, verifiedToken);

  console.log('Token inserted into input');

  
  // await page.click('button[type="submit"]');

  await page.waitForTimeout(5000);

  await browser.close();
}

main().catch(err => {
  console.error('An error occurred:', err);
});
How to connect MTCaptcha to your website
To confidently navigate captcha functionality on your site, understand its logic, reconnect or reconfigure it, we recommend studying this section. It describes the integration process — helping you quickly understand all details.

1. Register or log in to your MTCaptcha account.

2. After registration, add your website. You will receive two keys.

  • Site Key — public key for the frontend to display the widget.
  • Private Key — private key for the server to verify captcha solutions. Store it only on the server, do not pass it to the client.

Example:

HowTo Connect image 1

3. Set up the MTCaptcha client-side:

Insert the code into the <head> of the page.

Replace <YOUR SITE KEY> with your Site Key obtained from the MTCaptcha dashboard.


  <head>
  <script>
    var mtcaptchaConfig = {
      sitekey: "<YOUR SITE KEY>"
    };
  
    (function() {
      var mt_service = document.createElement('script');
      mt_service.async = true;
      mt_service.src = 'https://service.mtcaptcha.com/mtcv1/client/mtcaptcha.min.js';
      (document.head || document.body).appendChild(mt_service);
  
      var mt_service2 = document.createElement('script');
      mt_service2.async = true;
      mt_service2.src = 'https://service2.mtcaptcha.com/mtcv1/client/mtcaptcha2.min.js';
      (document.head || document.body).appendChild(mt_service2);
    })();
  </script>
</head>


Add the captcha container to the <body>

Where you want to display the captcha (e.g., inside a form):

<div class="mtcaptcha"></div>

The widget will load automatically.

HelpIcon

You can use ready-made SDKs and plugins for quick integration:

  • Server-side SDKs: Java, Node.js, PHP
  • Client-side SDKs: React, React Native, Vue
  • CMS plugins: WordPress, Drupal

MTCaptcha also provides a convenient demo page to test and configure protection before deploying to your website.

4. Working with the server-side. Get Verified-Token on the client.

Via hidden form field:

<input type="hidden" name="mtcaptcha-verifiedtoken" />

Or via JS:

mtcaptcha.getVerifiedToken() / mtcaptchaVerifiedCallback(status)

Send the token to the server along with the form or request.

Verify token via API (server-side check):

GET https://service.mtcaptcha.com/mtcv1/api/checktoken?privatekey=<PRIVATE_KEY>&token=<TOKEN>
  • privatekey — your private key (server-side only)
  • token — token from client

Alternative URL for servers with firewall:

https://service2.mtcaptcha.com/mtcv1/api/checktoken

Process response:

success: true → captcha passed, continue processing.

ExampleExample
arrow

success: false → error (token expired, reused, etc.)

HelpIcon
Each verifiedToken is valid for a few minutes and can be checked only once via CheckToken API, preventing reuse. After receiving the token, the server must verify it in time — the MTCaptcha widget guarantees at least 50 seconds for validation.

Simple example using MTCaptcha module on Node.jsSimple example using MTCaptcha module on Node.js
arrow

HelpIcon

For a detailed study of MTCaptcha features — widget customization, client/server configuration, framework integration, and other aspects — refer to the official documentation.

Background
Possible errors and debugging
Bug Icon
Invalid site or key
Captcha does not load or the server returns invalid-privatekey or privatekey-mismatch-token. Make sure you are using the correct sitekey and privatekey pair.
Bug Icon
Token missing or invalid
Errors missing-input-token, invalid-token, bad-request. Check that the token value is sent to the server and not modified.
Bug Icon
Expired token (token-expired)
Token is valid for a limited time (usually ~120 seconds), after which it must be obtained again.
Bug Icon
Token recheck (token-duplicate-cal)
Token can only be verified once — this protects against replay attacks.
Bug Icon
Expired or deactivated key (expired-sitekey-or-account)
Ensure your keys are current and your account is active.
Bug Icon
For diagnostics, enable request logging and output fail_codes to understand the reason for the error.
Protection resilience checks
Security and optimization tips
Store the <span class="font-bold">privatekey only on the server</span> — do not pass it to the client.
Log <span class="font-bold">fail_codes</span> to track error causes and analyze protection bypass attempts.
Place links to the <span class="font-bold">Privacy Policy</span> and <span class="font-bold">Terms of Use</span> on the form if required by your platform’s policy.
Conclusion

If you’ve taken over a website that already has a captcha or another protection system installed, but you don’t have access to the code, don’t worry! It’s quite easy to identify which technology is being used. To verify that everything works correctly, you can use the CapMonster Cloud recognition service in an isolated test environment to make sure that the token processing mechanism and the validation logic are functioning properly.

In the case of MTCaptcha, it’s enough to detect the system, observe its behavior, and confirm that the protection is working correctly. In this article, we showed how to identify MTCaptcha and where to find instructions on how to integrate or reconfigure it, so you can confidently maintain the protection and keep its operation under control.

Conclusion
Helpful links
DocIconMTCaptcha DocumentationDocIconCapMonster Cloud Documentation (working with MTCaptcha)DocIconSDKs and plugins for quick MTCaptcha integrationDocIconMTCaptcha demo page (Code Builder)

Frequently Asked Questions about MTCaptcha

If the sitekey (sk) is not visible in the page HTML or JavaScript, inspect network requests to find it:

  1. Open DevTools → Network.
  2. Trigger the CAPTCHA and filter requests by getchallenge.json.
  3. Copy the sk query parameter from the URL.

For automation (e.g., Playwright): Intercept the same request programmatically, parse sk from the URL string, and map it directly to the websiteKey field in your CapMonster Cloud MTCaptchaTask payload.

The pageAction in MTCaptchaTask must strictly match the act value found in the site's getchallenge.json network request (alongside the sk parameter). This match is case-sensitive and includes special characters. If the site uses the default %24, omit pageAction from your request entirely. Read more

This happens when the verifiedToken expires before your backend validates it. MTCaptcha tokens are only valid for 60–120 seconds by default. The reliable solution is to start the task in CapMonster Cloud immediately before the form is submitted, rather than at the beginning of the session.

Set isInvisible: true only if the MTCaptcha widget is running in invisible mode. Signs of such a mode:

  • No checkbox or visible captcha element is shown when the page loads.
  • An extra challenge appears only if suspicious or bot-like behavior is detected.

If the page displays a standard visible MTCaptcha widget, you can omit the isInvisible flag in your request.

Passing the wrong boolean will generate an invalid token due to mismatched solver logic.

You can do this by manually injecting a solved token from the CapMonster Cloud API:

  1. Request a solution from the CapMonster Cloud API using Postman, a script, or another HTTP client by passing your sk and act parameters.
  2. Copy the solution.token returned in the API response.
  3. Open DevTools on the target page and find the hidden <input name="mtcaptcha-verifiedtoken"> field.
  4. Paste the token into the field's value attribute and submit the form to confirm validation.

Alternatively, you can inspect the page's network traffic to identify the exact endpoint used for server-side verification, then send a direct HTTP request containing the solved token.