CAPTCHA Handling
Discord employs CAPTCHAs to prevent abuse when performing high-risk actions such as logging in, accepting invites, and sending friend requests. Some endpoints will always return a CAPTCHA, while others will only return one if the user is sending suspicious requests or has performed a large number of high-risk actions in a short period of time.
Identifying CAPTCHAs
When a request is challenged, the endpoint will return a 400 bad request with a response body looking similar to a legacy error response:
CAPTCHA Response Structure
Field | Type | Description |
---|---|---|
captcha_key | array[string] | The CAPTCHA service errors |
captcha_service | string | The CAPTCHA service to use |
captcha_sitekey 1 | ?string | The CAPTCHA site key |
captcha_rqdata? 2 | string | Custom data to be sent on challenge requests (used by hCaptcha Enterprise) |
captcha_rqtoken? | string | The CAPTCHA challenge request token (used by hCaptcha Enterprise) |
should_serve_invisible? | boolean | Whether the CAPTCHA challenge should be invisible |
1 For reCAPTCHA, this field is null
as the site key is always 6Lef5iQTAAAAAKeIvIY-DeexoO3gj7ryl9rLMEnn
. For hCaptcha, the site key is now dynamic and should no longer be hard-coded.
2 If this field is present, it must be used in the challenge request or the challenge will fail.
CAPTCHA Service
Value | Description |
---|---|
hcaptcha | hCaptcha |
recaptcha 1 | reCAPTCHA |
recaptcha_enterprise 1 | reCAPTCHA Enterprise |
1 reCAPTCHA is not currently used by Discord, but may be used again in the future.
Example CAPTCHA Response
{"captcha_key": ["invalid-input-response", "response-already-used-error"],"captcha_sitekey": "f5561ba9-8f1e-40ca-9b5b-a0b3f719ef34","captcha_service": "hcaptcha"}
Solving CAPTCHAs
When a CAPTCHA is returned, the client must display a CAPTCHA challenge to the user. How this is done depends on the CAPTCHA service used. See the hCaptcha and reCAPTCHA documentation for more information.
After the user has solved the CAPTCHA, the request should be retried with the CAPTCHA solution inserted into the X-Captcha-Key
header.
Additionally, if the captcha_rqtoken
field is present, it must be inserted into the X-Captcha-Rqtoken
header.
If the solution is not accepted, the endpoint will return a 400 bad request with a response body similar to the original CAPTCHA response.
Note that an otherwise valid solution may be rejected if the solution's bot score is too high or the captcha_rqdata
/captcha_rqtoken
fields are not properly handled.