What Is a CAPTCHA? Definition, Types and How It Works

A CAPTCHA is a verification test that separates humans from bots. Learn what CAPTCHA means, how CAPTCHA works, the main types, and a privacy-first alternative.

Published Jan 30, 2026 · 8 min read · Updated May 07, 2026

CAPTCHA at a Glance — Key takeaways

A Test That Separates Humans from Bots
A CAPTCHA is an automated security challenge placed at high-risk points on a website — signup, login, checkout — to block bots while letting real users through.
Multiple Types, One Goal
Text, image, audio, math, and behavioral CAPTCHAs all use different approaches, but every type tries to answer the same question: is this a human or a bot?
Traditional CAPTCHAs Create Real Barriers
Distorted text and image grids block bots but frustrate real users, hurt conversion, and fail accessibility requirements — a legal concern in the EU since June 2025.
Modern CAPTCHAs Run in the Background
Proof-of-work and score-based systems like TrustCaptcha verify users without any visible challenge — no puzzles, no cookies, and no consent banner required.

What Is a CAPTCHA?

A CAPTCHA is an automated security test that determines whether a user is a human or a bot. Most people encounter them at login pages, signup forms, contact forms, and checkout flows — a distorted string of letters to type, a grid of images to click through, or a checkbox before a form submission goes through.

The goal is always the same: let real users through while blocking automated programs. When a bot floods a registration form with fake accounts or hammers a login page with stolen credentials, a CAPTCHA raises the cost of that automation enough to make it economically unattractive at scale.

Illustration of a CAPTCHA verification challenge on a web form

What Does CAPTCHA Mean?

CAPTCHA is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.”

The Turing test was developed by Alan Turing in 1950 as a way to examine whether machines could exhibit human-like intelligence. A CAPTCHA inverts the concept: rather than testing if a machine behaves like a human, it tests whether a user is human rather than a machine.

The term was introduced in 2003 by a research team at Carnegie Mellon University led by Luis von Ahn and Manuel Blum, partly in response to Yahoo’s problem with bots creating millions of fake email accounts. The first CAPTCHA code generated a distorted image of random text and asked users to type what they saw — simple enough for a human, difficult for the optical character recognition (OCR) software available at the time.

How Does a CAPTCHA Work?

Every CAPTCHA, regardless of type, follows the same basic process:

  1. Trigger: The CAPTCHA activates when a user reaches a high-risk action — submitting a form, creating an account, resetting a password, completing a purchase.
  2. Challenge: The system presents a task. In modern systems, this may run entirely in the background with no visible interaction.
  3. Response: The user completes the challenge — typing text, clicking images, solving an arithmetic problem, or simply waiting while the system analyzes behavioral signals.
  4. Token: The CAPTCHA generates a signed verification token and sends it to your server.
  5. Validation: Your server calls the CAPTCHA provider’s API to confirm the token is genuine and unexpired.
  6. Enforcement: Based on the result — pass, fail, or a risk score — your application allows the request, blocks it, or asks for additional verification.

The server-side validation step is what makes CAPTCHAs effective. Without it, a bot could replay tokens or bypass client-side checks entirely. The real security work happens on the server.

Illustration of a human user and a bot both approaching a web form, with the form acting as a verification checkpoint that identifies and blocks the automated request while letting the human through

When developers look for CAPTCHA code, the question usually breaks into two parts: the client-side script that runs verification in the browser, and the server-side validation call that confirms the token before the request goes through. Both pieces are required for the system to work.

Types of CAPTCHA

CAPTCHA technology has evolved from simple distorted text into several distinct approaches. Each type makes a different trade-off between security, usability, and accessibility.

Text-Based CAPTCHAs

The original format. Users see distorted letters or numbers — stretched, bent, overlaid with noise — and are asked to type what they see. The distortion is what makes it difficult for automated OCR to interpret.

Text CAPTCHAs are still in use but increasingly solvable by machine learning systems. They also frustrate legitimate users: a 2010 Stanford study found that groups of three users agreed on the correct answer only 71% of the time.

Image-Based CAPTCHAs

Users select all images from a grid that match a given description — “select all traffic lights” or “click every crosswalk.” Image recognition is harder for bots than reading text, though advances in computer vision have narrowed that gap considerably.

Image CAPTCHAs became widespread through Google’s reCAPTCHA v2, which replaced blurry text with photos sourced from Google Street View. They are more intuitive for most users than text CAPTCHAs but still fail on accessibility and add visible friction.

Audio CAPTCHAs

Designed as an accessibility alternative to visual challenges, audio CAPTCHAs play a recording of spoken letters or numbers — usually with background noise — and ask the user to type what they hear. Voice recognition software can defeat them, and the listening experience is often poor enough that many users with visual impairments still find them difficult to complete.

Math CAPTCHAs

Math CAPTCHAs are a text- or image-based variant in which users solve a simple arithmetic problem — “2 + 3 = ?” — before submitting a form. They are straightforward to implement and work without images, but they provide almost no security against modern attacks: a bot can parse simple arithmetic as easily as it can read undistorted text.

Behavioral CAPTCHAs (Checkbox and Interaction Signals)

The “I’m not a robot” checkbox, used in Google reCAPTCHA v2, is the most recognizable example of behavioral analysis. The visible action is simple — click a box — but what the system actually evaluates is how the cursor moved before clicking, along with cookies, browser history, and device signals.

Human mouse movements contain tiny variations that a perfectly straight, instant bot movement does not. If the system is uncertain, it falls back to an image challenge.

Invisible CAPTCHAs and Proof-of-Work

Modern systems remove visible challenges entirely. Verification runs in the background while the user loads the page or fills out a form.

In score-based systems, every user receives a risk score, and your server decides what to do with that score — allow, block, or trigger a harder challenge. In proof-of-work systems, the user’s browser solves a lightweight cryptographic problem automatically. Legitimate users notice nothing. High-volume bot traffic faces a computational cost that makes mass automation impractical.

What CAPTCHA Code Does

CAPTCHA code has two components: a client-side script that runs in the browser, and a server-side validation call that checks the resulting token before processing the request.

In all cases, the client-side CAPTCHA code runs at the defined trigger point and collects evidence — a challenge response, behavioral signals, or a computational proof — then returns a signed token the server validates independently. The type of challenge the code presents — distorted text, an image task, a math problem, or no visible interaction at all — is a configuration choice. The two-part structure of client script and server call is constant across all types.

Most providers supply both components: a JavaScript snippet loaded with a site key, and a single server-to-server API call to verify the token. The code itself is usually small. The decisions that matter are where to deploy it, what thresholds to set, and how to handle borderline scores.

What CAPTCHAs Protect Against

CAPTCHAs are most effective against attacks that depend on automation at volume:

  • Form spam: Bots submitting contact forms or comment sections with spam content or malicious links
  • Fake account creation: Automated registrations used for spam distribution or platform abuse
  • Credential stuffing: Bots testing large lists of stolen username and password pairs against login forms
  • Brute force attacks: Repeated password guessing against login or reset endpoints
  • Ticket scalping: Bots buying up limited inventory faster than any human could
  • Skewed online polls: Automated votes to manipulate polling results

What CAPTCHAs do not do: they do not verify identity, they do not stop a human attacker, and they are not a replacement for access control. Determined attackers can use human CAPTCHA-solving services, where people are paid small amounts to complete challenges on behalf of bots. A CAPTCHA raises the cost of automation — it does not eliminate the threat entirely.

Illustration of a user surrounded by intrusive CAPTCHA puzzle challenges — image grids, distorted text fields, and checkboxes — conveying the friction and cognitive load that traditional CAPTCHAs impose during everyday form interactions

Limitations of Traditional CAPTCHAs

Text and image CAPTCHAs have three well-documented problems that have pushed the industry toward invisible alternatives.

User experience. Interrupting a form submission with a puzzle creates friction. Users who fail a challenge — or find it unclear — often abandon the form. The harder the CAPTCHA, the worse the conversion rate. The impact on user experience is measurable and compounds on mobile, where image grids are harder to interact with.

Accessibility. Text and image challenges rely on visual perception. For users who are blind, have low vision, dyslexia, or certain cognitive disabilities, they create a genuine barrier. The European Accessibility Act, which entered into force in June 2025, means this is now a legal consideration for EU B2C services — not just a UX concern.

Effectiveness gaps. Machine learning has made classic text CAPTCHAs reliably solvable by bots. Researchers demonstrated automated attacks on distorted-text CAPTCHAs as early as 2012. Image CAPTCHAs have followed a similar trajectory. High-volume attackers also use human-solving services, which bypass any challenge a human could complete.

Choosing the Right CAPTCHA Matters as Much as Having One

Deploying a CAPTCHA is the right call. Deploying the wrong one creates a different set of problems: users abandoning forms, accessibility violations, and — for EU businesses — real regulatory exposure around data transfers and consent.

The trade-off that defined traditional CAPTCHAs — better security means more friction — no longer holds. Modern invisible systems verify users entirely in the background using proof-of-work and behavioral signals. Legitimate users notice nothing. Bots face a computational cost that makes mass automation economically unviable at scale.

For EU organizations, the implementation choice carries additional weight. A CAPTCHA that sends data to US infrastructure introduces GDPR transfer risk. A CAPTCHA that relies on cookies requires a consent banner. A CAPTCHA that presents visual puzzles needs a separate accessible alternative to meet WCAG 2.1 — or it becomes a compliance liability under the European Accessibility Act.

An invisible, cookie-free system hosted within the EU is the only architecture that resolves all three concerns without workarounds. The best CAPTCHA is one that protects effectively, holds up legally, and remains entirely invisible to the users it is protecting.

TrustCaptcha

TrustCaptcha is an invisible CAPTCHA built for exactly this trade-off. It uses proof-of-work and bot scoring to verify users entirely in the background — no puzzles, no checkboxes, no interaction required. All data is processed in EU-certified data centers, no cookies are used, and a Data Processing Agreement is included with every account. For EU businesses navigating GDPR, the European Accessibility Act, and conversion pressure at the same time, it is designed to satisfy all three without compromise.

Try TrustCaptcha for free and protect your site from spam and automated abuse without disrupting the experience for real users.

FAQs

What is a CAPTCHA?
A CAPTCHA is an automated security test that determines whether a user is a human or an automated bot. It protects websites from automated abuse — form spam, fake account registrations, credential stuffing, brute force login attempts — by presenting a challenge that humans can pass but automated scripts typically cannot.
What does CAPTCHA stand for?
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. The name comes from the Turing test, a concept developed by Alan Turing in 1950 to assess whether a machine can exhibit human-like behavior. A CAPTCHA inverts that idea: instead of testing whether a machine behaves like a human, it tests whether a user is human rather than a machine.
What is CAPTCHA code?
CAPTCHA code refers to the two-part implementation of a CAPTCHA system: a client-side script that runs verification in the browser — presenting a challenge or collecting behavioral signals — and a server-side call that validates the resulting token before the request is processed. The challenge itself can take several forms: distorted text, an image selection task, a math problem, or a fully invisible behavioral check. Most providers supply both the client script and a validation API. The code is usually small; the meaningful decisions are where to deploy it and how to handle borderline scores.
What are the main types of CAPTCHA?
The most common CAPTCHA types are: text-based (distorted letters or numbers to type in), image-based (selecting images that contain specific objects), audio-based (spoken characters as an accessibility alternative), math-based (simple arithmetic), checkbox or behavioral (reCAPTCHA's 'I'm not a robot' that analyzes mouse movement), and invisible or proof-of-work (no user interaction — verification runs in the background automatically).
Are CAPTCHAs accessible to all users?
Standard text and image CAPTCHAs create genuine accessibility problems. They rely on visual perception, which means people with visual impairments, dyslexia, or certain cognitive disabilities often cannot complete them. Audio CAPTCHAs exist as an alternative but are inconsistently implemented and still difficult for many users. Invisible CAPTCHAs — which verify users without any challenge — are the only type that meets WCAG 2.1 requirements without needing a separate accessible alternative.
What is the difference between CAPTCHA and reCAPTCHA?
CAPTCHA is the general concept — any challenge-response test used to distinguish humans from bots. reCAPTCHA is Google's specific implementation, which has evolved from distorted text (v1) to the 'I'm not a robot' checkbox (v2) to fully invisible background analysis (v3). For EU businesses, the key difference is data residency: reCAPTCHA sends data to Google's US infrastructure. French data protection authorities ruled against reCAPTCHA use in the Cityscoot and NS Cards France enforcement cases, citing data transfer and transparency grounds.
Is CAPTCHA enough to stop all bots?
A well-configured CAPTCHA stops most low-to-medium sophistication bots by raising the cost of automation. It does not stop determined attackers who use distributed infrastructure or human CAPTCHA-solving services, where people are paid small amounts to solve challenges on a bot's behalf. CAPTCHA works best as one layer in a broader strategy — combined with rate limiting, IP rules, and behavioral monitoring.