# Handling Captcha challenges

Many applications implement anti-bot protection mechanisms such as Captcha. Depending on the Captcha in use, the agents can solve these automatically.

## Aikido can solve these Captchas by itself

Below is a list of challenge types that the agents can solve autonomously. No additional actions are required for these.

| Captcha type                          |
| ------------------------------------- |
| ReCaptcha v2 - no ip-check configured |
| ReCaptcha v3 - no ip-check configured |
| reCAPTCHA v2 Enterprise               |
| reCAPTCHA v3 Enterprise               |
| Cloudflare Turnstile                  |
| Geetest v3 / v4                       |
| ImageToText                           |

## Captchas where Aikido needs some help from you

Our agents cannot solve the following Captchas automatically. For the pentest to proceed, the additional actions listed below are required.

| Captcha type                       | Required action |
| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| hCaptcha                           | hCaptcha does not provide allowlisting from within their portal. These Captcha exclusions must be implemented in the codebase.                                                            |
| ReCaptcha v2 - ip-check configured | Exclude the [Aikido IPs](/pentests/prepare-a-pentest/ip-addresses-for-pentest.md) using the following [allowlist instructions](https://docs.cloud.google.com/recaptcha/docs/allowlist-ip) |
| ReCaptcha v3 - ip-check configured | Exclude the [Aikido IPs](/pentests/prepare-a-pentest/ip-addresses-for-pentest.md) using the following [allowlist instructions](https://docs.cloud.google.com/recaptcha/docs/allowlist-ip) |
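
One way to implement the codebase-level exclusion mentioned for hCaptcha, as an added example that is not Aikido's or hCaptcha's own code: a server-side check that skips Captcha verification only for allowlisted pentest IPs, and only trusts `X-Forwarded-For` when the request arrives from your own reverse proxy. The IP ranges, the proxy range and the `pentest_window_open` switch are assumptions for illustration; use the ranges published on the Aikido IPs page.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation space). Replace with
# the ranges published on the Aikido IP address page.
PENTEST_ALLOWLIST = [ipaddress.ip_network(n)
                     for n in ("203.0.113.0/28", "198.51.100.7/32")]
# Assumption: the application sits behind reverse proxies in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _in(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in nets)


def client_ip(peer_ip, x_forwarded_for=None):
    """Resolve the client IP, honouring X-Forwarded-For only from our proxies."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in(peer, TRUSTED_PROXIES) or not x_forwarded_for:
        return peer  # direct connection: the header is client-controlled
    # Walk right to left: the rightmost hops were appended by our own proxies,
    # anything further left may have been supplied by the client.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the socket peer
        if not _in(addr, TRUSTED_PROXIES):
            return addr
    return peer


def captcha_required(peer_ip, x_forwarded_for=None, pentest_window_open=False):
    """Return False only for allowlisted pentest IPs while the window is open.

    pentest_window_open is a hypothetical feature flag so the exclusion can be
    switched off again once the pentest has finished.
    """
    if not pentest_window_open:
        return True
    return not _in(client_ip(peer_ip, x_forwarded_for), PENTEST_ALLOWLIST)
```

Call `captcha_required()` with the socket peer address and the raw header value before running the normal Captcha verification; every other client still goes through the Captcha.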

## Clarification on ReCaptcha ip-check support

When reCAPTCHA is configured without IP checks, validation does not depend on the client’s IP address. Google instead evaluates non-IP signals (such as browser behavior and execution context), so a token can still be validated even if it is submitted from a different IP.

When IP checks are enabled, reCAPTCHA binds the challenge/token to the originating IP address and expects the same IP during verification. Our agents use multiple IPs to solve checks and bypass bot protections, so validation can fail under IP enforcement.

For this reason, additional IP allowlisting is required when reCAPTCHA IP checks are enabled.

