Drop-in replacement. The h-captcha-response field is supported natively, so most form code keeps working unchanged.
The most common reason we hear: hCaptcha's image-grid challenges have gotten harder over the years, and user-completion rates have suffered. The underlying reason is that hCaptcha's free tier is funded by data labelling — your users solve image grids that contribute training data to hCaptcha's customers. As the labelling demand has grown, the difficulty has crept up.
Other reasons: predictable EUR pricing, EU data residency, mode flexibility (smart-click default vs hCaptcha's image-grid default), and the desire to use a CAPTCHA whose business model is just charging for the CAPTCHA service.
You'll need: an existing hCaptcha integration, your dashboard credentials for hCaptcha (to copy the existing sitekey and secret for parallel-run testing if desired), and ten minutes. The actual code changes are smaller than reCAPTCHA's because hCaptcha's API is already very close to reCAPTCHA's — and ours.
Create a free account at trustedcaptcha.com/signup. Add your site (production hostnames, comma-separated). You'll get a sitekey and a secret. The secret is shown once.
Find your hCaptcha script:
<!-- OLD -->
<script src="https://hcaptcha.com/1/api.js" async defer></script>Replace with:
<!-- NEW -->
<script src="https://cdn.trustedcaptcha.com/widget/v1/api.js" async defer></script><!-- OLD -->
<div class="h-captcha" data-sitekey="..."></div>
<!-- NEW -->
<div class="trustedcaptcha" data-sitekey="0x..."></div>Like reCAPTCHA's case, the widget loader will populate any existing h-captcha-response hidden input on success. If your server-side code reads $_POST['h-captcha-response'] directly, that keeps working — we fill that field name in addition to our native trustedcaptcha-response.
The data-theme, data-size, data-callback, data-expired-callback, and data-error-callback attributes work identically.
// OLD
$endpoint = 'https://hcaptcha.com/siteverify';
// NEW
$endpoint = 'https://challenges.trustedcaptcha.com/api/v1/siteverify';POST body shape: secret, response, remoteip — identical to hCaptcha. Response JSON: {success, challenge_ts, hostname, error-codes, ...} — also identical, with the addition of a score field for compatibility with code that previously used reCAPTCHA v3.
Update your environment variable. Existing variable name HCAPTCHA_SECRET works fine; rename if you want.
Submit a test form. Verify success in the dashboard. Deploy. Monitor for an hour. If anything looks wrong, support is at support@trustedcaptcha.com.
Privacy Pass. If your previous hCaptcha integration relied heavily on the Privacy Pass mechanism for repeat users, you'll see a slight UX difference: TrustedCaptcha doesn't use Privacy Pass tokens. Instead, our smart-click default tends to pass legitimate users on the first attempt without a visible challenge, achieving similar friction levels through different means.
Image difficulty. If you'd been hand-tuning challenge difficulty to balance bot blocking against user-completion rates, TrustedCaptcha's image grid uses different parameters. The default is generally less difficult than late-period hCaptcha grids; user completion rates typically improve.
"Always Challenge" mode. hCaptcha's "Always Challenge" mode (force visible challenge regardless of risk) maps to setting data-mode="image" on the TrustedCaptcha widget div, or to setting the site's default mode to "image" in the dashboard.
If you've been on hCaptcha's free tier (1M/month image grids), and your volumes are below ~33k/day, you'll fit in our 1k/day free tier. If you're above that, the €25/month Pro plan is unlimited and is materially cheaper than hCaptcha's $99/mo Pro tier. We don't have a per-call enterprise pricing schedule.
Reversible by undoing Steps 2 and 4. Your hCaptcha account remains intact. We'd love feedback if you bounce off — email support@trustedcaptcha.com.