Third-party captcha is retarded, I know, because it tracks people and changes hardness based on how private your browsing setup is. reCAPTCHA especially: if they can’t correlate your residential address and your joogle browsing history with your session, they will challenge you with 20+ captchas.

hCaptcha is better but nah, I don’t trust them 100%. But I have to use it because it’s the best option for now.

So 4Chad implements a rate limit of 10 posts per hour on each IP; below this rate limit, it won’t even challenge you with a captcha.

I could use an open source implementation, but I couldn’t find any good ones, so DM me if you find something good.

How captcha works on 4Chad

First you embed the captcha box from hCaptcha:

    <script src="https://js.hcaptcha.com/1/api.js" async defer></script>
    <div class="h-captcha" data-sitekey="083531b8-f18e-481c-afae-dbb8baa523d0"></div>

After the captcha has been completed, copy the hcaptcha-data-response or whatever (that is, the token returned from hCaptcha). Then send it to this endpoint:

| Method | Domain | Path | Description |
|---|---|---|---|
| POST | Captcha validation | /captchaverify | Upload the completed captcha |

Example body:


Example return:

    {"captcha-verified-token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTIyODAyMTIsImlkIjoiNmE1ODFiYTk3Y2NiNDY1NSIsImlhdCI6MTU5MjI4MDE1Mn0.joI44DKcaOXgYDSv7vlaOxjO-BP6YDiQfoPPnTa1zEU"}

Then take the captcha-verified-token and put it into the 4chad-captcha-verified-token header when you submit a post.

Normally when you post, 4Chad doesn’t require the 4chad-captcha-verified-token header, but if you exceed the rate limit, you will be confronted with an error message; that’s when you know you need to do the captcha.
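The server side of the flow described above, as an added sketch that is not 4Chad's own code: a per-IP limit of 10 posts per hour, and an HS256 token with the same claims as the sample return (`exp`, `id`, `iat`, valid for 60 seconds) required once the limit is exceeded. `SECRET`, `PostGate`, `issue_token` and `token_valid` are hypothetical names, the sliding window and single-use token ids are assumptions, and the call to hCaptcha itself is left out.

```python
import base64, hashlib, hmac, json
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"  # assumption: HS256 key known only to the server
LIMIT, WINDOW = 10, 3600          # 10 posts per hour per IP, as stated on the page
TOKEN_TTL = 60                    # exp - iat in the page's sample token is 60 s

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _sign(signing_input):
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def issue_token(now, token_id):
    """Token /captchaverify could hand out after hCaptcha accepts the response."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"exp": now + TOKEN_TTL, "id": token_id, "iat": now}).encode())
    return b".".join([head, body, _sign(head + b"." + body)]).decode()

def token_valid(token, now, used_ids):
    """Check signature, expiry and (assumed) single use. The algorithm is fixed
    server-side, so the token's own "alg" header is never consulted."""
    try:
        head, body, sig = token.encode().split(b".")
        if not hmac.compare_digest(sig, _sign(head + b"." + body)):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
        if now >= claims["exp"] or claims["id"] in used_ids:
            return False
    except (ValueError, KeyError, TypeError):
        return False
    used_ids.add(claims["id"])
    return True

class PostGate:
    def __init__(self):
        self.posts = defaultdict(deque)  # ip -> times of accepted posts
        self.used_ids = set()            # token ids already spent

    def allow(self, ip, now, headers):
        """headers: dict with lower-case names (assumption about the framework)."""
        recent = self.posts[ip]
        while recent and recent[0] <= now - WINDOW:
            recent.popleft()             # forget posts older than one hour
        if len(recent) >= LIMIT:         # over the limit: captcha token required
            token = headers.get("4chad-captcha-verified-token", "")
            if not token_valid(token, now, self.used_ids):
                return False             # client gets the error, solves captcha
        recent.append(now)
        return True
```

Keeping the token short-lived and single-use means a solved captcha buys exactly one post over the limit and cannot be replayed or shared between clients.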