# Tencent CAPTCHA MCP

> Tencent CAPTCHA / 腾讯云防水墙 connects your AI agent to China's dominant anti-fraud and bot protection service. It lets you check application security setup, verify user-submitted CAPTCHA tickets (like slide or random string), and get a detailed 'EvilLevel' score. This score tells you immediately if the user is likely human or a malicious bot.

## Overview
- **Category:** industry-titans
- **Price:** Free
- **Tags:** anti-bot, risk-management, fraud-prevention, security-verification, authentication, api-integration

## Description

Your agent connects directly to Tencent CAPTCHA, giving you access to China’s primary anti-fraud and bot protection system. You won't ever have to deal with the actual cloud console; your agent handles the security diagnostics in the natural flow of conversation.

To start, `get_captcha_app_info` pulls up your application setup details. It retrieves crucial info like your unique CaptchaAppId and confirms the operational status of the API configuration for your specific service. This tells you right away if your security integration is properly set up and ready to go.

When a user submits credentials, `verify_captcha` takes over. Your agent passes two things: the user's submitted CAPTCHA ticket and the associated random string. The tool checks that combination against Tencent’s massive fraud database, returning two key pieces of data—the raw validation result and an 'EvilLevel' score.

The 'EvilLevel' number is your immediate indicator of risk. It tells you whether the interaction came from a human or a bot. A low EvilLevel, maybe around 5, means the system thinks it's a legit person. High numbers signal malicious activity—you're looking at a bot attack or sophisticated fraud attempts.

You use this score to make hard decisions: if the risk is too high, you can block the user immediately. If the level is low enough, you let them proceed with registration or payment.

This system handles all access gating for you. You'll run it on everything from secure user sign-ups to real-time transaction verification where seconds count. Your agent becomes the security coordinator that provides accurate results straight from one authorized source.

## Tools

### get_captcha_app_info
Retrieves your Tencent CAPTCHA application's current configuration and operational status.

### verify_captcha
Checks a specific CAPTCHA ticket using its associated random string and returns the validation result plus an EvilLevel score.

## Prompt Examples

**Prompt:** 
```
Verify this CAPTCHA ticket: 't0...ABCD' with randstr 'xyz123' from IP '1.2.3.4'.
```

**Response:** 
```
I've successfully verified the CAPTCHA result. The ticket has passed validation with an 'EvilLevel' of 5, indicating a low-risk human user. Should I retrieve the full details for your CaptchaAppId?
```

**Prompt:** 
```
What does an EvilLevel of 85 mean?
```

**Response:** 
```
An EvilLevel of 85 is classified as 'High Risk'. This indicates a very high probability that the interaction originated from a malicious bot or a fraudulent automation script. I recommend blocking this request or requiring additional authentication.
```

**Prompt:** 
```
Show me the configuration and status of my Tencent CAPTCHA project.
```

**Response:** 
```
I've retrieved your project overview. Your CaptchaAppId is correctly registered, and the API gateway is responding normally in the 'ap-guangzhou' region. Would you like me to check if your AppSecretKey is also properly configured for verification calls?
```

## Capabilities

### Check Application Setup Details
Retrieves your current Tencent CAPTCHA application ID and API configuration status.

### Validate User Captcha Tickets
Verifies a user's submitted CAPTCHA ticket and random string, returning the validation result and an 'EvilLevel' score.

### Determine Bot Risk Score (EvilLevel)
Interprets the provided 'EvilLevel' numeric value to classify interaction risk—low-risk human vs. high-risk bot activity.

## Use Cases

### Stopping bot sign-ups on a new feature
A developer needs to block bots trying to spam new accounts. They ask their agent: 'Verify this ticket for the new user signup flow.' The agent runs `verify_captcha`, gets an EvilLevel of 92, and tells the dev to block the request immediately.

### Troubleshooting a payment gateway failure
The payments team can't process transactions. They ask: 'What is the status of our CAPTCHA service?' The agent runs `get_captcha_app_info`, confirming the API gateway is online and the AppId is valid, solving the issue instantly.

### Auditing a client's security setup
A security engineer needs to check if a new regional endpoint is configured correctly. They ask the agent to pull the app info using `get_captcha_app_info`, confirming region compliance and API key readiness before deployment.

### Validating user input during registration
During a critical registration flow, the user submits a ticket. The agent uses `verify_captcha` to check the score. If it's high risk, the flow stops and asks the user for additional proof.

## Benefits

- You get an immediate risk score. Instead of just knowing 'pass/fail,' the `verify_captcha` tool provides an 'EvilLevel' metric (e.g., 5 vs. 85) that tells you *how* suspicious the user is.
- Audit your setup without logging in. Use `get_captcha_app_info` to check your CaptchaAppId and API gateway status—it confirms everything is configured right, saving manual checks.
- Handle complex verification flows simply. Your agent sequences the calls: first checking metadata with `get_captcha_app_info`, then running validation via `verify_captcha`.
- Catch advanced bots. The system isn't just anti-spam; it measures behavior. High 'EvilLevel' scores point directly to malicious automation scripts, allowing you to block them upstream.
- Stay compliant and accurate. It validates things like user IP formats and ticket strings, ensuring your security checks are high-precision and trustworthy.

## How It Works

The bottom line is that your agent handles the entire security handshake—getting the config and then checking the data—in one chat session, without manual console navigation.

1. First, your agent calls `get_captcha_app_info` to pull the necessary metadata and check the status of your CaptchaAppId.
2. Next, you pass the user's submitted CAPTCHA ticket and random string to the `verify_captcha` tool.
3. The system returns a verification result along with an 'EvilLevel' score (e.g., 5 or 85), letting you know if the user passed validation.

## Frequently Asked Questions

**How does Tencent CAPTCHA MCP Server calculate risk?**
It calculates risk using an 'EvilLevel' score. This numeric value is a direct output of `verify_captcha` and indicates the probability that the interaction came from a malicious bot or fraud script.

**Do I need to call get_captcha_app_info before verify_captcha?**
Yes. For reliable results, you must first call `get_captcha_app_info` to confirm your AppId and API status are correctly configured before attempting any verification with `verify_captcha`.

**What is the difference between a ticket and random string?**
The CAPTCHA ticket is the unique identifier generated by Tencent for the session. The random string is the specific secret key or code associated with that ticket, used alongside it in `verify_captcha`.

**Can I use this server for general security auditing?**
Absolutely. You can use both tools to audit your whole setup. Use `get_captcha_app_info` to check the API gateway status, and then run mock verifications with `verify_captcha` to test end-to-end flow.

**What credentials do I need to execute `verify_captcha`?**
You must provide your Tencent Cloud SecretId, SecretKey, CaptchaAppId, and AppSecretKey. These four unique identifiers are required by the server to authenticate every request. Always ensure these keys are properly loaded into your agent's environment variables before running any verification calls.

**If `verify_captcha` fails, how do I debug the error?**
Check the API response status code first. A 401 usually means the credentials or keys are wrong; a 429 signals that you've hit your rate limit quota. The full response payload will contain specific details explaining why the verification call failed.

**Are there usage limits when running `verify_captcha`?**
Yes, Tencent enforces request quotas on all users. You need to monitor your account's API dashboard for current rate limits. For robust applications, write your agent code to use exponential backoff and retry logic to handle temporary service interruptions gracefully.
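
The following added example (not code from this server or from Tencent) combines the block/allow decision from the Description with the retry advice in the two answers above: back off only on 429, never retry a 401, and fail closed on any unrecovered error. The `VerifyError` class, the result keys `passed` and `evil_level`, the `call` wrapper and both thresholds are assumptions made for illustration.

```python
import time

# Assumed policy thresholds on the 0-100 EvilLevel scale; the page gives only
# 5 as a low-risk example and 85 and 92 as high-risk examples.
STEP_UP_AT = 30
BLOCK_AT = 70


class VerifyError(Exception):
    """Hypothetical error carrying the status code of a failed verify call."""
    def __init__(self, status):
        super().__init__(f"verify_captcha failed with status {status}")
        self.status = status


def verify_with_backoff(call, ticket, randstr, attempts=4, base=0.5, sleep=time.sleep):
    """Retry only on 429 (rate limit); a 401 means wrong keys and is not retried."""
    for attempt in range(attempts):
        try:
            return call(ticket, randstr)
        except VerifyError as err:
            if err.status != 429 or attempt == attempts - 1:
                raise
            sleep(base * 2 ** attempt)  # 0.5 s, 1 s, 2 s, ...


def decide(result):
    """Map a verification result to 'allow', 'step_up' or 'block', failing closed."""
    if not isinstance(result, dict) or result.get("passed") is not True:
        return "block"  # ticket did not validate
    level = result.get("evil_level")
    if isinstance(level, bool) or not isinstance(level, int) or not 0 <= level <= 100:
        return "block"  # missing or malformed score: do not guess
    if level >= BLOCK_AT:
        return "block"
    return "step_up" if level >= STEP_UP_AT else "allow"


def gate(call, ticket, randstr, sleep=time.sleep):
    """Full gate: an unrecovered error yields a block, never an allow."""
    try:
        return decide(verify_with_backoff(call, ticket, randstr, sleep=sleep))
    except VerifyError:
        return "block"
```

Pass the function that actually invokes `verify_captcha` as `call`; `step_up` corresponds to asking the user for additional proof, as in the registration use case.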

**How do I check my project configuration using `get_captcha_app_info`?**
This tool pulls the core operational data for your CAPTCHA application. It returns vital setup details, including the registered AppId and API gateway region. You use this to confirm that your keys are linked to the expected service parameters.

**How do I find my Tencent Cloud SecretId and SecretKey?**
Log in to the [Tencent Cloud Console](https://console.cloud.tencent.com/), navigate to [Access Management] -> [API Key Management] to find or generate your unique SecretId and SecretKey.

**Where do I get the CaptchaAppId and AppSecretKey?**
Navigate to the [Tencent CAPTCHA (防水墙) Console](https://console.cloud.tencent.com/captcha), select your CAPTCHA application, and you will find these identifiers in the application overview or basic information section.

**What is the 'EvilLevel' metric?**
EvilLevel is a risk score (0-100) provided by Tencent Cloud to identify suspicious activity. A higher value indicates a higher probability that the user is a malicious bot or part of a fraudulent attack.