Most of your users are human. The job of an Invisible CAPTCHA is to wave them through silently — and only stop them when there's a real reason to. Prosopo does this by analysing the browser environment and user behaviour in the background, then deciding on the fly whether the visitor needs a visible challenge.
When the signals come back clean, the visitor sees nothing — the form submits, the token is attached, and your server verifies it like any other captcha response. When the signals look automated — typical of a CAPTCHA solver or commercial CAPTCHA farm — the visitor is escalated to an image challenge before the form goes through.
Invisible CAPTCHA isn't a single mode — it's a family of three, so you can match the right level of protection to each form.
| Mode | What the user sees | When to use |
|---|---|---|
| Frictionless (recommended) | Nothing for legitimate users. An image challenge if the request looks automated. | Most forms — best balance of UX and security. |
| Invisible Proof of Work | Nothing — a computational puzzle runs silently in the browser. | When you want a consistent invisible step regardless of risk score. |
| Invisible Image | Nothing initially. An image challenge appears on submission. | When image verification is required but you don't want a visible widget on the page. |
Switching between them is a one-attribute change on your widget — no integration rewrite.
Behind the scenes, the frictionless flow combines several signals to score each request:
- Browser environment — features and quirks that distinguish real browsers from headless automation tools like Playwright and Selenium.
- Interaction signals — natural mouse, touch and keyboard behaviour.
- Network context — whether the request comes from a network associated with bot traffic.
- Site policy — your Safety Threshold setting controls how strict the decision is. Tighter threshold = more challenges, fewer bots; looser threshold = fewer challenges, more bots squeak through.
You can tune the threshold in your portal at any time — useful for raising the bar during an active attack and lowering it back when the wave is over.
Invisible CAPTCHA is part of the same GDPR-friendly architecture as the rest of Procaptcha:
- No third-party tracking cookies.
- IP address is the only personal data stored, retained on the legitimate-interest grounds of fraud and security.
- No behavioural profiling sold on to advertisers — unlike the major reCAPTCHA-style competitors.
Invisible CAPTCHA is available on the Professional and Enterprise tiers. The standard visible widget remains free for up to 10,000 monthly verifications.
Legend: Full capability, Partial / caveat, Not available
| Capability | Prosopo Invisible | reCAPTCHA v3 | Cloudflare Turnstile |
|---|---|---|---|
| Invisible by default | ● | ● | ● |
| GDPR-compliant data handling | ● | ● | ● Limited |
| No third-party tracking cookies | ● | ● | ● |
| Switch between frictionless / PoW / image / puzzle modes per form | ● | ● | ● |
| Tunable strictness without code changes | ● | ● Limited | ● |
| Risk score returned to your backend | ● Paid tiers | ● | ● Limited |