# Aliyun CAPTCHA MCP MCP

> Aliyun CAPTCHA validates user identity and assesses security risk for your applications. This MCP connects to Alibaba Cloud's bot protection services, allowing your agent to verify complex CAPTCHA tokens and audit access key configurations in real time. It determines if an interaction is genuinely human or suspicious automated activity, making it essential for secure login flows, checkout processes, and critical API endpoints.

## Overview
- **Category:** industry-titans
- **Price:** Free
- **Tags:** anti-bot, risk-assessment, security-diagnostics, verification, cloud-security, api-integration

## Description

Building a secure application requires more than just checking passwords. You need proof that the user interacting with your site is actually a person. This MCP lets you automate that entire process. Instead of having to manually navigate cloud consoles or write complex validation scripts, your agent handles it all. It takes raw CAPTCHA parameters from an end-user and instantly verifies them against Alibaba Cloud's defense platform. You can audit the integrity of API access keys or check regional gateway health—all without ever touching a dashboard. This capability lets you treat security diagnostics like any other routine query, making your application fundamentally safer. Because this MCP is hosted on Vinkius, you connect it once from your preferred AI client and gain immediate access to world-class bot protection tools for everything from basic login screens to complex enterprise workflows.

## Tools

### create_captcha_scene
Sets up a specific, unique CAPTCHA verification environment for use in your application's frontend flow.

### verify_captcha
Takes the user's submitted response and checks it against Alibaba Cloud’s system to confirm if the interaction passed validation.

## Prompt Examples

**Prompt:** 
```
Verify this Aliyun CAPTCHA parameter: '{"token":"...", "sig":"..."}'.
```

**Response:** 
```
I've successfully verified the CAPTCHA parameter. The validation result is 'OK', indicating a valid human interaction. The Aliyun Request ID for this check is `88210934-ABCD`. Should I retrieve your AccessKey status?
```

**Prompt:** 
```
Explain the verification result code 'VerifyFailed'.
```

**Response:** 
```
The code 'VerifyFailed' indicates that the CAPTCHA challenge was not completed correctly or was identified as suspicious (likely an automated bot). You should deny the associated action or prompt for a different verification method.
```

**Prompt:** 
```
Check the status and supported regions for Aliyun CAPTCHA.
```

**Response:** 
```
I've performed a diagnostic check. The Aliyun CAPTCHA gateway is responding normally. Supported regions for this service include Hangzhou, Shanghai, Beijing, and Singapore. Would you like me to verify your specific configuration?
```

## Capabilities

### undefined
undefined

### undefined
undefined

### undefined
undefined

### undefined
undefined

### undefined
undefined

## Use Cases

### Debugging a new login endpoint
A developer needs to test if their new sign-up flow is vulnerable to basic bots. They ask the agent: 'Validate these CAPTCHA parameters.' The agent uses `verify_captcha` and returns an instant pass/fail status, allowing the dev to confirm the security gate works before commit.

### Auditing a payment gateway
The ops engineer suspects their checkout page is being targeted by bots. They instruct their agent to run a full diagnostic check on API connectivity and CAPTCHA health status, getting confirmation that the system supports all necessary regions.

### Handling complex user flows
A site requires both login verification and then an account change. The developer uses `create_captcha_scene` first to set up the required context for the session, then calls `verify_captcha` later in the workflow to confirm the identity before allowing the sensitive action.

### Troubleshooting access issues
A user reports that API requests are failing due to unknown security errors. The agent checks the AccessKey status and verifies if the current API version is compliant, providing an actionable fix directly in the chat window.

## Benefits

- Real-time Bot Defense: Instead of guessing, you get definitive proof of user intent. The `verify_captcha` tool tells you immediately if a submitted token was genuinely generated by a human.
- Automated Risk Auditing: Stop manual checks. Your agent can interpret complex result codes to pinpoint suspicious automated activity or identify security vulnerabilities across your system.
- Seamless Integration: Integrate industry-standard bot protection into existing code flows. You don't need to build the validation logic; you just call `verify_captcha` from within your routine.
- System Diagnostics: Use this MCP to check supported regions and API version compliance, ensuring your application always uses the latest security standards without leaving your coding environment.
- Streamlined Setup: The workflow is simple. First, use `create_captcha_scene` to generate the necessary scene ID; then, pass that context for verification.

## How It Works

The bottom line is that you get real-time, authoritative proof of user identity and API health checks directly into your agent's conversation stream.

1. First, use `create_captcha_scene` to establish a new CAPTCHA verification scenario. This returns a Scene ID needed for client-side SDK initialization.
2. Next, when the user interacts with the site, your agent uses this established context and the returned parameters to call `verify_captcha`.
3. The system returns a clear validation result—either 'OK' (human) or a failure code—along with detailed security diagnostics.

## Frequently Asked Questions

**How do I find my Aliyun AccessKey ID and Secret?**
Log in to the [Alibaba Cloud Console](https://usercenter.console.aliyun.com/), navigate to [AccessKey Management] to find or create your unique ID and Secret.

**What is the 'VerifyParam'?**
The VerifyParam is a JSON string or token generated by the Aliyun CAPTCHA frontend component after a user successfully completes the challenge. It must be sent to this server for server-side validation.

**Which regions are supported for the CAPTCHA API?**
This server defaults to `cn-hangzhou`, but Aliyun CAPTCHA 2.0 is also available in `cn-shanghai`, `cn-beijing`, and `ap-southeast-1` (Singapore) for global applications.

**What is the proper workflow when using the `create_captcha_scene` tool?**
You must run `create_captcha_scene` first to get a unique Scene ID. This ID is required by your client-side SDK initialization, allowing subsequent calls like `verify_captcha` to target the correct verification context.

**If `verify_captcha` returns an unexpected error code, how should my agent handle it?**
The returned diagnostic details explain the failure type. If the issue is invalid parameters, you need to adjust your input JSON payload; if it's a service outage, wait and retry later.

**Does the MCP manage API rate limits or throttling when using these CAPTCHA tools?**
The platform handles connection management and retries based on documented limits. If you hit a rate limit, your AI client will receive a specific error response indicating how long to wait before trying again.

**Besides passing or failing, what extra context can I get from the output of `verify_captcha`?**
The output provides crucial diagnostic data, including the Aliyun Request ID and detailed verification result codes. This helps you pinpoint if the failure was due to user action or system misconfiguration.

**What security best practices should I follow when connecting the Aliyun CAPTCHA MCP to my agent?**
Always limit your AI client's permissions strictly to what is necessary. Never expose your primary AccessKey Secret, and ensure all communication uses secure, encrypted channels.