yCAPTCHA

Verifies a one-time token after the user completed the CAPTCHA challenge. This is the only endpoint your backend needs to call.

Must be called from your server — never from the browser.

Request Body

application/json

TypeScript Definitions

Use the request body type in TypeScript.

token*string

The verification token received from the widget's postMessage.

secretKey*string

Your site's secret key (sk_...). Found in the dashboard.

Response Body

`application/json`

curl -X POST "https://ycaptcha.xyspg.moe/api/v0/captcha/siteverify" \  -H "Content-Type: application/json" \  -d '{    "token": "aB3dEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWx01",    "secretKey": "sk_aBcDeFgHiJkLmNoPqRsTuVwXyZ123456"  }'

{
  "success": true
}

{
  "success": false,
  "error": "Missing token or secretKey"
}

Empty

Verify a CAPTCHA token

Request Body

Response Body

200application/json

400application/json

429

Valid token

Invalid or expired token

Wrong secret key

`application/json`

`application/json`