Every hCaptcha challenge type, catalogued.

hCaptcha has no single canonical puzzle. The widget rotates through several visual challenge families, decides how many rounds you face based on risk, and sometimes shows nothing at all. Official docs cover integration, not puzzle content, so here is the taxonomy: what each challenge looks like, what the prompt asks, and which ones are painful to script.

One widget, five puzzle families

When the checkbox is clicked (or an invisible widget fires), hCaptcha makes two decisions. First: does this session get a free pass, or a challenge? Second, if a challenge: which format, and how many rounds. Five visible families account for nearly everything in the wild today: the classic image grid, its select-all variants, drag-to-position puzzles, counting tasks, and point-and-click selection. The mix shifts over time, and the same page can serve different formats to different visitors in the same minute.

The classic 3×3 image grid

The format everyone pictures: nine square tiles under a prompt like “Please click each image containing a motorcycle.” You click the matching tiles and press the button, which reads Verify on the final round and Next when more rounds are queued. This is still the most common challenge by a wide margin.

It is also the most tractable for automation, which is exactly why every open-source solving project targets it first: the answer space is nine yes/no decisions. The difficulty is in the images themselves. Crops are deliberately awkward (objects half out of frame, strange angles, lookalike categories such as seaplane versus airplane), and the category vocabulary rotates, so anything built on a fixed label list goes stale within weeks.

Select-all and zero-match variants

Same grid skeleton, different contract. The prompt reads “Please select all images containing…” and the number of correct tiles ranges from zero to nine. The zero case is the trap: some rounds contain no matching tile at all, and the correct move is to select nothing and press the button, which reads Skip when nothing is selected. Scripts that assume at least one tile must always be picked fail these rounds every time.

Prompts in this family also drift away from single nouns. You will see longer phrases describing a scene or an attribute rather than an object name, and prompt text is localized to the visitor’s language, so matching on exact English strings is fragile.

Drag-to-position puzzles

A single canvas image with a loose element, and a prompt like “Drag the piece to complete the puzzle” or “Drag the segment to complete the line.” You press on the piece, move it, and release it where it belongs.

This is the hardest family to script, for two reasons. The answer is continuous: a coordinate on a canvas, not a discrete tile choice, and the canvas exposes no DOM handles to anchor a selector on. And the answer is performed rather than declared: the widget receives a full pointer sequence (down, movement, up), so a synthetic click() does nothing, and even a driver-level drag from Selenium ActionChains or Puppeteer’s mouse API still has to land within a tight tolerance of a target position it cannot read from the page. Most DIY setups simply fail these rounds and retry until a grid shows up.

Counting tasks

A scene image with a prompt like “How many animals are in this image?”, answered by picking the correct count from the options presented. Humans find these mildly annoying; scripts find them harder than grids, because the task is whole-scene counting. Partially occluded objects, clusters, and background lookalikes all count or do not count, and an off-by-one answer fails the round outright. There is no partial credit.

Point and area select

One larger image and an instruction to click somewhere specific: “Please click on the elephant”, sometimes with a precision qualifier like clicking the center of an object. The answer is raw click coordinates. There are no tile boundaries to lean on, and the region hCaptcha will accept around the target is not visible, so a script needs both correct object localization and enough precision to land inside an unknown tolerance. Some rounds ask for several clicks in sequence.

The five families side by side

One solve is often several rounds

Clearing one challenge screen does not always end the solve. hCaptcha chains rounds: finish a grid and a second grid loads, sometimes a third, occasionally in a different family. hCaptcha picks the chain length per session as part of its risk grading: clean sessions usually clear in a single round, while suspicious ones grind through two or three.

This is why NoneCap bills from 1 credit per challenge round instead of a flat rate per token: hCaptcha controls the round count, and it averages about 1.7 across real traffic. Credits are charged on success only, failed or expired solves are auto-refunded, and packs run $0.25 to $0.50 per 1,000 credits. The full ladder is on the pricing page.

The challenge you never see

There is a sixth outcome: no puzzle at all. If the session looks clean enough, hCaptcha issues a token passively, either behind an invisible widget that never renders a checkbox or as an instant pass right after the checkbox click. The visitor sees a spinner for a moment, then the form accepts. From the site’s perspective this token is identical to one earned through five rounds of grids. How that path works, and when sites use it, is covered in invisible hCaptcha.

Riskier sessions get harder challenges

Which family you get, how many rounds you face, and how ambiguous the images are all track the same thing: how risky your session looks. Datacenter IPs, flagged residential ranges, and obvious automation fingerprints get longer chains and harder formats, while a clean residential session on a normal browser may never see a puzzle. Two users on the same page at the same time can have completely different experiences. The signals behind that grading are the subject of why am I getting hCaptcha.

Honest caveat: this taxonomy is a snapshot. hCaptcha tests new formats and retires old ones without notice, so a variant not listed here will eventually appear in the wild. What has stayed stable is the output: whatever the widget shows, a successful solve still produces one P1_ token in h-captcha-response.

Every challenge type ends in the same token

However elaborate the puzzle, success produces exactly one artifact: a P1_ token injected into the hidden h-captcha-response field, single-use and valid for roughly 120 seconds. The site’s server never learns which puzzle produced it; siteverify validates the token, not the challenge history. Grids, drags, counts, and passive passes are indistinguishable on the other side.

That is also the entire NoneCap contract. You never pick a challenge type in the request, because there is nothing to pick: send the sitekey and page URL, and the response carries a real P1_ token whichever family hCaptcha served, multi-round chains included. The credits_charged field tells you how many rounds it took.

curl "https://api.nonecap.com/v1/solves?wait=90" \
  -H "Authorization: Bearer $NONECAP_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type":    "hcaptcha",
    "sitekey": "f5ab1c2d-7e8f-4a9b-b1c2-d3e4f5a6b7c8",
    "url":     "https://target.example/login"
  }'

{
  "id":              "solve_01HQF7K3JKWZX",
  "object":          "solve",
  "type":            "hcaptcha",
  "status":          "solved",
  "token":           "P1_eyJ0eXAi...UV8w",
  "credits_charged": 2
}

Submit the token as the form’s h-captcha-response and the page treats it as a real pass. The full solve object, polling and webhook options, and every language sample are in the API reference; what the token itself contains is covered in the hCaptcha token guide.