Lunesha.to - International Newschool Server

Metin2Pserver.net

Blogs & News

4 Min read

Captcha-API: A Proper reCAPTCHA v2 Replacement for Metin2

A drop-in replacement for Google reCAPTCHA v2 - same client-side markup, same verification payload, same JSON response shape. Existing reCAPTCHA integrations migrate by swapping two URLs and pasting the new keys. Free for every Metin2 server with a verified backlink.

Why reCAPTCHA and hCaptcha Stopped Working for Metin2

If your Metin2 server runs Google reCAPTCHA or hCaptcha on its login, register or vote-reward page, your players are still being brute-forced. Commercial captcha-solver services run those puzzles for cents per thousand: 5,000 solves per hour costs roughly $15 a month. Bot operators do not need their own AI - they pay a third-party API and feed the captchas in.

Where does the volume come from? Whenever any Metin2 pserver gets hacked or shut down, its database leaks. Most Metin2 sources hash passwords very weakly, so attackers walk away with hundreds of thousands of working email password pairs. They then spray those credentials at every other Metin2 server through residential proxy pools at up to 30 attempts per second, with reCAPTCHA solved automatically in the loop. The result: account takeovers, item theft, yang theft, RMT resale, refund chargebacks, and angry players blaming you.

What Captcha-API Does Differently

Captcha-API is a self-hosted captcha built specifically for the Metin2 community. It is purpose-built to defeat the off-the-shelf solver services that defeat Google reCAPTCHA every day, and it gets continuous improvements without any changes on your side.

The user experience is identical to reCAPTCHA v2 - players see the familiar "I'm not a robot" checkbox, and where needed a follow-up puzzle. That is all the player ever sees. How the system decides what to show, and how the puzzles are produced, is intentionally not advertised.

The familiar checkbox

Metin2 Server Toplist Captcha

The follow-up puzzle

Metin2 P Server Toplist Captcha

What You Actually Get

For server admins

Drop-in compatibility with reCAPTCHA v2 - the client widget uses the same g-recaptcha div and the same data-sitekey attribute
Identical verification payload to siteverify - your existing secret response POST keeps working, including the optional remoteip field
Same JSON shape back - { "success": true, "error_codes": [] } - no client or server code changes beyond the key swap
Multi-domain key sets - one site key can be bound to your main domain plus every subdomain that runs a form (login, shop, voting, panel, etc.)
Live verification stats in the server panel
Free for every Metin2 server with a verified backlink to the toplist - no monthly fee, no rate cap
Battle-tested on metin2pserver.net itself - every vote, login, register and password-reset on the site uses this same Captcha-API

For your players

Same checkbox they already know from countless other websites
No third-party tracking pixels - we do not feed Google's ad graph
Faster loads than reCAPTCHA - no several-MB Google bundle
Accounts that actually stay safe

What Real reCAPTCHA Migration Looks Like

If your existing login page already uses reCAPTCHA v2, the swap is two lines. Replace the script source and the verification URL:

1. Client-side

Replace https://www.google.com/recaptcha/api.js with https://captcha.metin2.zone/assets/captcha.js
Replace your reCAPTCHA data-sitekey with the one generated in the server panel
Everything else stays the same: the widget div, the form submit, the hidden g-recaptcha-response field

2. Server-side

Replace https://www.google.com/recaptcha/api/siteverify with https://captcha.metin2.zone/captcha/api/siteverify
POST the same fields you already POST to Google: secret, response, optional remoteip
Read success on the JSON response exactly as before

That is it. Whatever framework or CMS you run - WordPress, custom PHP, Node, Python, Lua-Nginx - if it already verifies reCAPTCHA, it will verify Captcha-API with no logic changes.

What to Watch Out For

Things to avoid

Do not embed the script with a sitekey from a different domain - the API rejects keys outside their declared host list
Do not skip the server-side siteverify call - the client widget alone proves nothing
Do not log the secret key or expose it in client-side JavaScript - if it leaks, regenerate immediately
Do not chain ours with reCAPTCHA on the same form - pick one

How to Get Started

The Captcha-API panel is part of every Metin2 server's admin area on the toplist. Three steps:

Quick implementation guide

Add your Metin2 server to the toplist (free, two minutes)
Verify a backlink to your website to unlock the captcha system (and pick up 100 free votes per day while you are there)
Open Server Panel → Captcha, list the domains you want to protect, click Generate site & secret key
Paste the script tag in your <body>, drop the g-recaptcha div in any form, point your existing siteverify call at our endpoint - done

Try the live demo or jump straight in. Both are free.

Test the live demo →

Protect your Metin2 pserver with a captcha that was built for the threat model Metin2 actually faces in 2026, not the 2014 reCAPTCHA model. Join the growing list of servers that already swapped over - and let the credential-stuffing botnets pay another captcha provider for nothing.