What's the best way to bypass CAPTCHAs in 2026?

Avoidance first — clean residential IPs + realistic browser fingerprint + human-like pacing means most sites never show you a CAPTCHA. When you can't avoid them, solver APIs (Capsolver, 2Captcha, NopeCHA, CapMonster) handle reCAPTCHA, hCaptcha, and Turnstile for $0.50-$3 per 1,000 solves. Vision LLMs (GPT-4V, Claude Vision) work on custom captchas but cost 100x more.

How much do CAPTCHA solvers cost?

Per 1,000 solves in 2026: reCAPTCHA v2 ~$1, reCAPTCHA v3 ~$1, hCaptcha ~$1.50, Turnstile ~$3, FunCaptcha ~$3, image-grid custom ~$0.50-$2. Vision LLMs like GPT-4V cost $10-$30 per 1,000 — only worthwhile for one-off captchas the solver services don't support.

Can ChatGPT or Claude solve CAPTCHAs?

Yes — modern vision LLMs (GPT-4V, Claude 3.5 Sonnet+, Gemini 2.5) can solve image CAPTCHAs by description: send a screenshot, ask for the letters/numbers/objects. Cost is ~$0.01-$0.03 per solve, far more than dedicated services. Best used as a fallback when no solver service supports your specific CAPTCHA type.

How do I bypass Cloudflare Turnstile?

Three options: (1) FlareSolverr — Docker container that runs undetected-chromedriver, transparently solves Turnstile, returns the cf_clearance cookie; (2) Solver APIs that added Turnstile support — Capsolver, NopeCHA, 2Captcha; (3) real Playwright with stealth (Patchright) + clean residential IP — sometimes enough to never trigger an interactive challenge.

Why am I getting CAPTCHAs even with a solver?

Solving the CAPTCHA gets you past that one challenge, but if your underlying setup is bad (datacenter IP, headless Chrome with default fingerprint, no cookies) the next request fires another CAPTCHA. Fix the root cause: switch to residential proxies, use a real browser with stealth, persist cookies, pace requests. The solver is the last line, not the only line.

Is bypassing CAPTCHAs legal?

Generally yes when used on sites where you have legitimate access. It violates many sites' ToS (civil consequences like account suspension), but rarely crosses into criminal computer-fraud laws unless paired with account fraud, ticket scalping at restricted volumes, or credential abuse. Check your jurisdiction and the target site's ToS for the specific case.

How do solver APIs actually work?

You extract the CAPTCHA's sitekey and page URL from the HTML, POST them to the solver's API with your account key. The solver employs human workers or AI to solve the challenge and returns a token in 15-45 seconds. You inject the token into the page's hidden form field and submit. The site validates the token with the CAPTCHA provider and lets you through.

What's faster — FlareSolverr or a paid solver?

Both run 5-30 seconds per solve. FlareSolverr is self-hosted (one-time setup, compute cost only), good if you're scraping at modest volume. Paid solvers like Capsolver are managed (no infra), better for sporadic high-volume bursts. FlareSolverr handles Turnstile and CF challenges natively; for reCAPTCHA v2/hCaptcha you'd still need a paid service or vision LLM.

How to Bypass CAPTCHAs (2026 Methods)

Alex R.

Mon May 18 2026

Quick verdict: CAPTCHA bypass in 2026 splits four ways. Avoidance — clean residential IPs + realistic browser fingerprints means most sites never show you a CAPTCHA. Solver APIs — Capsolver, 2Captcha, NopeCHA, CapMonster, $0.50–$3 per 1k solves, work on reCAPTCHA v2/v3, hCaptcha, Turnstile, image-grids. Vision LLMs — GPT-4V and Claude can solve image CAPTCHAs but cost 100x more than dedicated solvers. Browser automation tricks — specific bypasses for Turnstile (CF Clearance), reCAPTCHA v3 (score-faking). Prefer avoidance; reach for solvers only when the target captchas you anyway.

Know What You're Bypassing

CAPTCHA	How it fires	Best bypass
reCAPTCHA v2 ("I'm not a robot")	Click + image grid if suspicious	Solver API ($1-$2 / 1k)
reCAPTCHA v3 (invisible score)	Backend gets a 0.0-1.0 risk score	Solver API ($1-$2 / 1k) or score-fake
reCAPTCHA Enterprise	Backend score, harder to fake	Solver API + good IP + good fingerprint
hCaptcha	Image grid (privacy-focused)	Solver API ($1-$3 / 1k), CapSolver
Cloudflare Turnstile	JS challenge, no images by default	FlareSolverr, Capsolver Turnstile
FunCaptcha (Arkose)	Rotation puzzles	Solver API ($2-$4 / 1k), specialized
Geetest v4	Slider + behavioral	Solver API with behavior model
Image-grid (custom)	Site-specific image challenges	Vision LLM (GPT-4V, Claude)
Math / text CAPTCHA (legacy)	"What is 3+5?"	OCR + simple solver

Method 1: Avoidance (Best, Always Try First)

Modern CAPTCHAs fire based on a risk score, not at random. Reduce the score, and most sites never show you one. The big levers:

Use residential IPs. Datacenter IPs alone trigger CAPTCHAs on most protected sites. A residential or mobile IP starts you at low risk.
Realistic browser fingerprint. Don't scrape with bare curl; use a real browser (Playwright with stealth, Patchright, undetected-chromedriver). Match TLS fingerprint to a real Chrome via curl_cffi or impersonation.
Human-like pacing. 500ms–3s between requests; small random jitter. Bots that hit a site at 100ms intervals trip behavior detection in seconds.
Real referer + cookies. Don't scrape product pages without first hitting the homepage and accepting cookies.
Warm the session. One scrape per session is suspicious; 3–5 page views in a natural order is normal.

Done right, avoidance handles 90% of CAPTCHA scenarios. Reach for solvers only when the target captchas you despite all of this.

Method 2: CAPTCHA Solver APIs

Solver services accept a CAPTCHA payload (image, sitekey, page URL) and return the solution within seconds. Workflow:

Detect the CAPTCHA on the page.
Extract the sitekey (visible in the page HTML) and the page URL.
POST to the solver API.
Poll until the solver returns a token.
Inject the token into the page's form / hidden input.
Submit.

# 2Captcha example with reCAPTCHA v2
import requests
import time

api_key = "YOUR_2CAPTCHA_KEY"
sitekey = "6Lc..."          # from the page
pageurl = "https://target.com/login"

# 1. Submit the captcha
r = requests.post("https://2captcha.com/in.php", data={
    "key": api_key, "method": "userrecaptcha",
    "googlekey": sitekey, "pageurl": pageurl, "json": 1
})
cid = r.json()["request"]

# 2. Poll for the solution (typically 15-45 seconds)
for _ in range(40):
    time.sleep(5)
    res = requests.get(f"https://2captcha.com/res.php"
                       f"?key={api_key}&action=get&id={cid}&json=1").json()
    if res["status"] == 1:
        token = res["request"]
        break

# 3. Use token: page.evaluate(f"document.getElementById('g-recaptcha-response').innerHTML='{token}'")

See our 6 best CAPTCHA solving tools for a full price + accuracy comparison. Headline numbers (2026): reCAPTCHA v2 ~$1/1k, hCaptcha ~$1.50/1k, FunCaptcha ~$3/1k, Turnstile ~$3/1k.

Method 3: Vision LLMs (GPT-4V, Claude Vision, Gemini)

For custom image CAPTCHAs that no solver service supports, modern vision LLMs can solve them directly. Send a screenshot, ask for the answer.

from openai import OpenAI
import base64

with open("captcha.png", "rb") as f:
    img = base64.b64encode(f.read()).decode()

client = OpenAI()
resp = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": [
        {"type": "text", "text": "What letters and numbers are in this captcha?"},
        {"type": "image_url", "image_url": {"url": f"data:image/png;base64,{img}"}}
    ]}]
)
print(resp.choices[0].message.content)

Cost: ~$0.01–$0.03 per solve. Far more expensive than dedicated solvers ($0.001–$0.003) but works on never-seen-before captchas where 2Captcha would fail.

Cloudflare Turnstile

Turnstile is Cloudflare's 2023+ CAPTCHA replacement. By default it shows no challenge — just runs JS in the background and decides. Bypass approaches:

FlareSolverr (the standard tool). Docker container + Python client. Solves transparently, returns cf_clearance cookie. See our FlareSolverr guide.
Solver APIs that support Turnstile. Capsolver, NopeCHA, 2Captcha all added Turnstile support in 2024–25.
Real Playwright with stealth. Patchright, undetected-playwright; sometimes enough to pass without a solver.
Mobile / Residential IPs. Turnstile's score includes IP reputation; clean IPs reduce the chance of escalation to an interactive challenge.

reCAPTCHA v3 (Score-Faking)

reCAPTCHA v3 returns a score 0.0–1.0 to the backend; the backend decides what to do. Bypass strategies:

Solver API. Returns a high-score token, typically 0.7+. Costs $1-$2/1k.
Real browser + clean IP. A genuine Playwright session through a residential proxy scores 0.7-0.9 routinely without any solver.
Cookie persistence. Google's score is partly based on prior Google account / cookie history. Run with a warmed browser profile that has visited Google before.

hCaptcha

hCaptcha is Cloudflare's previous default (pre-Turnstile) and still common on many sites. Image-grid based. Solver workflow is identical to reCAPTCHA v2 with a different method name. Cost: ~$1.50/1k. Capsolver and CapMonster handle hCaptcha well; some older solvers (2Captcha) work but with slightly lower success rates.

Real Cost Comparison (10k Solves)

Method	Cost	Latency	Success rate
Avoidance (residential + stealth)	$0	0s	~70-90% never see a captcha
2Captcha reCAPTCHA v2	~$10	15-45s per solve	~95%
Capsolver Turnstile	~$30	5-15s per solve	~92%
FlareSolverr (self-hosted)	Compute only	5-15s per solve	~85%
GPT-4V image CAPTCHA	~$200-$300	2-5s per solve	~85% on common types
NopeCHA hCaptcha	~$15	10-20s per solve	~93%

Legal & Ethical

CAPTCHA bypass is legal in most jurisdictions when used on sites where you have legitimate access (your own accounts, public data scraping, research). It violates many sites' Terms of Service, which means civil consequences (account suspension) but rarely criminal liability. Don't use bypass for account fraud, credential stuffing, ticket scalping at restricted volumes, or anything that breaks computer-fraud laws in your jurisdiction. Solver services typically prohibit financial fraud and CSAM-adjacent abuse in their ToS.

Best-Practices Checklist

Try avoidance first — clean residential IP + realistic browser fingerprint.
Don't solve captchas you didn't expect — investigate why one fired.
Pair solvers with proxies. A solved CAPTCHA on a banned IP gets banned again on the next request.
Cache solver tokens when reusable (Turnstile cf_clearance lasts ~30 minutes).
Monitor solver success rates. A drop below 80% usually means the CAPTCHA vendor updated; switch solvers or wait for updates.
Budget for retries. 95% success rate + 5 retries = 99.99% effective.