The Verification Process
The cornerstone of adCAPTCHA's security is the verification step. This is the part where non-human interactions are actually stopped. We provide a signal to your backend system, which is used to direct traffic based on the results of the interaction.
Authentication Flow
Below is a sequence diagram that outlines the full process for an interaction with adCAPTCHA. There are two main components to this process: the interaction between the end user and adCAPTCHA via your website, and the interaction between your backend and adCAPTCHA for verification.
Success Tokens
Success tokens are signed JWTs (JSON Web Tokens). They contain the following information:
- Instance ID of the challenge solved
- Placement ID for the location on the web page
- Session ID for the user's interaction
The tokens are signed with private keys which we rotate every 2 weeks. Keys are unique to each customer and are securely stored in our systems.
We provide a facility to Enterprise-level customers that allows them to manage their own keys. This is very useful for customers who have strict security requirements, or for customers who want the performance benefits of verifying tokens locally.
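
The sketch below shows what local verification of a signed JWT success token can look like on a Node.js backend. It is an added example, not adCAPTCHA's own code or API: the RS256 algorithm, the claim names (instanceId, placementId, sessionId, exp) and all sample values are assumptions made for illustration.

```javascript
// Added example: local verification of a signed JWT success token.
// Assumptions (not from the adCAPTCHA docs): RS256 signing, and the claim
// names instanceId / placementId / sessionId / exp.
const crypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Constructed signer, standing in for the token issuer in this demo only.
function signToken(claims, privateKey, header = { alg: 'RS256', typ: 'JWT' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), privateKey);
  return `${input}.${b64url(sig)}`;
}

// Returns { ok, reason?, claims? }. Claims are only read after the signature checks out.
function verifySuccessToken(token, publicKeys, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm: the token header must never choose it (rejects "none").
  if (!header || header.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const input = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  // Keys rotate, so accept a signature from any currently trusted public key.
  const valid = publicKeys.some((k) => crypto.verify('sha256', input, k, sig));
  if (!valid) return { ok: false, reason: 'bad-signature' };
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  // Bind the token to the placement and session it was issued for.
  if (claims.placementId !== expected.placementId) return { ok: false, reason: 'wrong-placement' };
  if (claims.sessionId !== expected.sessionId) return { ok: false, reason: 'wrong-session' };
  return { ok: true, claims };
}

// Constructed demo data: two key pairs model the key before and after a rotation.
const oldKey = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const newKey = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const NOW = 1700000000; // fixed clock so the demo is deterministic
const sampleClaims = { instanceId: 'inst-demo', placementId: 'plc-demo', sessionId: 'sess-demo', exp: NOW + 300 };
const sampleToken = signToken(sampleClaims, newKey.privateKey);
console.log(verifySuccessToken(sampleToken, [oldKey.publicKey, newKey.publicKey],
  { placementId: 'plc-demo', sessionId: 'sess-demo' }, NOW));
```

Keeping both the previous and the current public key in the trusted set lets tokens signed just before a rotation still verify, while anything signed by an unknown key is rejected.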