Friendly Captcha sits in a different corner of the market than reCAPTCHA, hCaptcha, or Turnstile. Instead of behavioural scoring or image puzzles, it serves a cryptographic proof-of-work problem that the user's device solves in the background. The user sees a progress bar; bots see a CPU bill that scales with risk. The whole thing is committed to GDPR-style privacy: no third-party cookies, no fingerprinting, EU-only data processing as an option.
This post is about the SDK shape, not the marketing pitch. If you're integrating Friendly Captcha, what do you actually wire up?
The two pieces
Every CAPTCHA vendor has the same two-part contract: a widget on the client, a verification call on the server. Friendly Captcha is no exception.
Client widget. Loaded via a script tag or an npm package (@friendlycaptcha/sdk). It attaches to a DOM element, runs the proof-of-work puzzle, and inserts a frc-captcha-solution field with the resulting token into the form.
Server verification. A POST to https://global.frcapi.com/api/v2/captcha/siteverify with your API key, the sitekey, and the solution token. Returns {success: true/false} plus metadata.
The token is single-use, scoped to the sitekey, and short-lived. The server verification step is non-optional: the client-side flow only proves the puzzle was solved on some device, not yours.
Plain HTML integration
The simplest deployment is the site script, which auto-attaches widgets to anything with the frc-captcha class:
<script src="https://cdn.friendlycaptcha.sdk/site/v1/sitejs.js" async defer></script>
<form action="/signup" method="POST">
<input name="email" type="email" required>
<div class="frc-captcha" data-sitekey="YOUR_SITEKEY"></div>
<button type="submit">Sign up</button>
</form>The widget injects a hidden frc-captcha-solution input into the form on success. Your server reads it from request.body['frc-captcha-solution'].
Programmatic integration
When you need more control — single-page apps, dynamic forms, framework wrappers — use the SDK directly:
import { FriendlyCaptchaSDK } from "@friendlycaptcha/sdk";
const sdk = new FriendlyCaptchaSDK({ apiEndpoint: "global" });
const widget = sdk.createWidget({
element: document.getElementById("captcha-mount"),
sitekey: "YOUR_SITEKEY",
});
widget.addEventListener("frc:widget.complete", (event) => {
// event.detail.response is the token
submitForm(event.detail.response);
});The framework wrappers (@friendlycaptcha/react, @friendlycaptcha/vue) are thin layers over this — they handle mount/unmount and prop forwarding so you don't have to remember to call widget.destroy().
Server verification
curl -X POST https://global.frcapi.com/api/v2/captcha/siteverify \
-H "X-API-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"response": "FROM_CLIENT_FORM_FIELD",
"sitekey": "YOUR_SITEKEY"
}'The response is small: success, an optional data.action, and an errors array. Verify on every request. Cache nothing. The token is single-use; replays should fail.
Where Friendly Captcha shines
The privacy story is real. No Google dependency, no third-party cookies, no behavioural fingerprinting. If your compliance review has flagged reCAPTCHA, Friendly Captcha is the go-to swap. For EU-headquartered B2B SaaS, this is often the deciding factor.
The proof-of-work model also has a clean failure mode for honest users: the puzzle slows down on slow devices, but it doesn't fail them. There's no "you keep getting it wrong" loop the way image grids have.
Where it has limits
Proof-of-work is resource-shifting, not bot-blocking. A determined attacker with cloud credit can solve the puzzle at scale; the cost is just baked into their unit economics. Friendly Captcha relies on the difficulty function ramping up under attack, but a slow drip of 100 fake signups per hour is still profitable for the attacker even at full difficulty.
It's also less effective against scraping than against form spam. Scraping operations care about per-request latency more than per-request CPU; an extra two seconds of puzzle solve is acceptable to them.
Comparison with other vendors
| Vendor | Model | Privacy | Mobile SDK |
|---|---|---|---|
| Friendly Captcha | Proof-of-work | EU-first, no cookies | Web only |
| Cloudflare Turnstile | Behavioural + light interaction | No cookies (claimed) | Web only |
| reCAPTCHA v3 | Behavioural scoring | Google cookies | Android via SafetyNet |
| hCaptcha | Image puzzle | Privacy-friendly tier available | Mobile SDKs |
| CaptchaLa | Tiered scoring + interaction | EU/Asia data residency | iOS, Android, Flutter, RN, web |
The mobile column matters more than people expect. Friendly Captcha's web-only stance forces hybrid teams to either run their app inside a WebView or pick a different vendor for native flows.
Recap
Friendly Captcha's SDK is a clean three-step integration: widget on the client, hidden form field, server verification on submit. The framework wrappers exist; the API is simple; the privacy posture is genuinely differentiated. Where it doesn't fit is high-volume targeted attack scenarios and native mobile apps, both of which need either deeper behavioural signals or platform SDKs that Friendly Captcha doesn't ship today.