Authorization token

When a visitor solves the CAPTCHA and sends their solution to an mCaptcha instance, the solution will be verified for correctness. If the solution is correct, mCaptcha will return a single use authorization token.

This authorization token should be attached to the visitor’s requited to the protected service and the protected service should validity of the authorization token with the mCaptcha instance and only allow authorization to protected resource if the authorization token is valid.

Cooldown Period

mCaptcha implements leaky bucket algorithm to measure current traffic levels. Cooldown period specifies the leak or the time after which a visitor addition is decremented.

For instance, if initial traffic level is 0 and a user visits one second later, the traffic level will be incremented to 1. Now, if the cooldown period is set to 30 seconds, the traffic level will be decremented after 30 seconds. So after 30 seconds, the traffic level will go from 1 to 0.

Difficulty Factor

Difficulty factor determines the time it takes to solve a CAPTCHA. The higher the difficulty factor, the longer it will take to generate a proof of work for it to solve the CAPTCHA.

mCaptcha’s proof of work based mechanism makes it highly accessible to people with special needs but it is important to choose the difficulty factor with care as very high difficulty factors will make the CAPTCHA inaccessible to users on slow devices.


Site key is a unique identifier associated with CAPTCHA configurations created on mCaptcha. It is required to integrate a CAPTCHA with your website.

Visitor Threshold

mCaptcha’s variable difficulty factor mechanism requires a website’s traffic statistics be split into levels, so that it can deploy the right difficulty factor for each level.

Visitor threshold is used to traffic into levels and mCaptcha accepts a difficulty configuration for each of these levels. When current traffic exceeds a difficulty factor, mCaptcha will increase the difficulty factor to the next configured level.

For instance, consider the configuration given below:

  • Cool down period: 30 seconds
LevelDifficulty FactorVisitor Threshold

If the website sees 2,000 requests in a 30 second window, level 1 difficulty factor(5,000) will be deployed. If the traffic increases to 5,000 requests in a 30 second window, then difficulty factor will be upgraded to level 2(50,000). Likewise 10,000 and 15,000 requests over 30 seconds will result in difficulty factor being upgraded to 500,000 and 5,000,000 respectively.

Visitor threshold is how mCaptcha determines which difficulty factor level to deploy. mCaptcha uses leaky bucket algorithm to keep the visitor threshold constantly updated within the configured cool down period. So, at any given moment the, the current visitor level will be the amount of traffic that was served in the cool down period specified.

Edit this page on git.batsense.net