Submit the form below to watch the PoW challenge run in real time. Open your browser's devtools and you'll see captcha.js load and the /challenge and /verify calls fire — the same flow that runs on a real integration. This demo does not sign you in or store submitted form data.
Demo only — nothing is submitted.
Challenge starts on your first click, tap, or keystroke.
Total end-to-end time
Varies by device and browser
The widget received a signed captcha_attestation. Your backend verifies it locally with an HMAC check — no extra HTTP round-trip.
Total end-to-end time
Varies by device and browser
Appended hidden field
Verify the captcha_attestation HMAC server-side using your project's secret key.
What happens here
Challenge fetched
On your first interaction (click, tap, or keystroke), the widget calls /challenge in the background and receives a token with required difficulty.
PoW solved in a Web Worker
The worker iterates nonces, hashing each with the token until the result clears the target.
Attestation received
The widget posts the solution to /verify and receives a signed attestation (HMAC-SHA256, signed with your project's secret key).
Hidden field injected on submit
On submit, captcha_attestation is appended to your form. Your backend verifies its HMAC locally — no HTTP round-trip to captchaAPI.
Status panel states
idle
Fetch started
solving
Worker running
ready
Solution found
error
Missing key / failure
rate_limited
429 from /challenge or /verify
Live countdown driven by the server's retry_after header.
Add data-captcha to your form and load the script. That's it.