It seems file write permissions aren’t being granted. Here’s the full article markdown — copy it directly:
—
Paying a captcha-solving service for every single request is expensive and slow — but the real cost isn’t money, it’s latency. A hCaptcha solve via 2captcha averages 12-18 seconds. Multiply that by 10,000 daily requests and you’ve introduced 33+ hours of cumulative solve time into your pipeline. Captcha-token recycling fixes this: solve once, inject the same token across dozens of requests before it expires. Done right, you can cut captcha costs by 80-90% and reduce solve latency to near-zero on cached hits.
Why Tokens Are Reusable at All
Most anti-bot systems issue captcha tokens with a validity window — not a single-use constraint. hCaptcha tokens are valid for roughly 120 seconds after issue. reCAPTCHA v2 tokens expire in 2 minutes. Cloudflare Turnstile tokens last 5 minutes. Enterprise platforms like PerimeterX or DataDome are tighter, but even they don’t always invalidate on first use.
The server-side flow matters here. When your scraper submits a form with a h-captcha-response token, the target’s backend calls the captcha provider’s /siteverify API. Some backends cache the verification result for the session or store it in a signed cookie. Others call /siteverify once per form action, not per page load. This inconsistency is what recycling exploits.
Before building anything, map the target’s validation behavior: submit the same token twice in quick succession. If both succeed, the token is reusable. If the second fails with invalid-input-response, the site uses single-use validation and recycling won’t work directly — you’ll need session-level caching instead.
Token Lifetime by Provider (2026)
| Provider | Typical token TTL | Single-use? | Notes |
|---|---|---|---|
| hCaptcha | 120s | No | Enterprise mode can enforce single-use |
| reCAPTCHA v2 | 120s | No | Token tied to IP in strict mode |
| reCAPTCHA v3 | 120s | No | Score baked in at solve time |
| Cloudflare Turnstile | 300s | No | CF checks IP + UA consistency |
| AWS WAF CAPTCHA | 300s | Yes (varies) | Token bound to session cookie |
| DataDome | 60-90s | Yes | Aggressive fingerprint binding |
| Arkose Labs | 60s | Yes | Also device-fingerprint-bound |
The providers in the bottom half of that table are binding tokens to fingerprint state — IP, TLS fingerprint, User-Agent, and sometimes browser canvas hash. Recycling across different proxy IPs or UA strings will fail. Recycling within the same session (same proxy, same UA, same cookie jar) still works within the TTL.
Architecture: The Token Pool
A token pool is a small cache layer that sits between your solve service and your scraper workers. Workers pull tokens instead of solving on demand. A background producer keeps the pool warm.
import time
import threading
from collections import deque
from twocaptcha import TwoCaptcha
class TokenPool:
def __init__(self, site_key, page_url, min_size=5, ttl=90):
self.site_key = site_key
self.page_url = page_url
self.min_size = min_size
self.ttl = ttl # conservative TTL, provider max minus buffer
self.pool = deque()
self.solver = TwoCaptcha('YOUR_API_KEY')
self._lock = threading.Lock()
self._fill()
def _solve_one(self):
result = self.solver.hcaptcha(sitekey=self.site_key, url=self.page_url)
return {'token': result['code'], 'expires_at': time.time() + self.ttl}
def _fill(self):
while len(self.pool) < self.min_size:
entry = self._solve_one()
with self._lock:
self.pool.append(entry)
def get(self):
with self._lock:
now = time.time()
while self.pool and self.pool[0]['expires_at'] < now:
self.pool.popleft() # discard expired
if self.pool:
return self.pool.popleft()['token']
# pool empty or all expired -- solve synchronously
entry = self._solve_one()
threading.Thread(target=self._fill, daemon=True).start()
return entry['token']This pattern gives workers a fresh token in microseconds on cache hit. Set ttl to 15-20 seconds below the provider’s real TTL to avoid submitting a token that expires mid-transit.
For high-volume pipelines, run the pool as a shared Redis-backed service. Workers POST to /token and the service manages the producer loop. This scales horizontally and isolates solve costs to one place — see the Building a Captcha-Solving Integration Service guide for a production design with Redis + health checks.
Session Coupling: The Hidden Dependency
Token recycling fails silently when you detach a token from the session it was issued in. Cloudflare Turnstile, in particular, ties the challenge to the visitor’s cf_clearance cookie. If you solve the captcha in browser session A and inject the token into a raw httpx request with no cookies, the submission will fail — not because the token is invalid, but because the cookie state doesn’t match.
The fix is to carry the full cookie jar from solve time through to submission. Use the same cookie jar management patterns described in Cookie Jar Persistence Patterns for Logged-In Scrapers (2026) — persist the jar to disk, reload it per worker, and pin each worker to a dedicated proxy to prevent IP-cookie mismatch.
A few things to avoid:
- don’t share one solved token across workers on different IPs. Turnstile and strict reCAPTCHA will flag the IP mismatch.
- don’t recycle tokens past the conservative TTL, even if they “technically” haven’t expired yet. network latency and clock drift eat into that buffer.
- don’t recycle across different User-Agent strings if the target logs the UA at challenge time.
If the target also requires a prior login step, the captcha token is usually just one layer. you’ll often need to handle 2FA and OTP walls after the captcha clears, especially on financial or marketplace targets.
Recycling Limits and Burn Rate Tuning
How many times can you actually reuse a token? it depends on the provider and the target’s backend:
- No validation caching on target: each request calls
/siteverify. providers typically allow multiple calls on the same token within TTL, but some enterprise plans flag repeated verifications as abuse. test with 5 uses before assuming unlimited. - Validation result cached by target: the most recycling-friendly case. the target calls
/siteverifyonce, stores the result in the session, and never calls again. you can submit the same token for the session lifetime. - Token bound to a single form action: single-use enforced by the target, not the provider. recycling won’t help here — shift to session-level caching and solve fresh per session, not per request.
Tune your burn rate conservatively. start with a max of 10 uses per token, measure your error rate, and increase in steps of 5. at 50 uses per token with a 120s TTL, you’re sustaining roughly 25 requests per minute through a single solve — compare that to 3-4 requests per minute if solving on demand.
For reCAPTCHA v3, recycle with extra caution: the score is baked in at solve time. a token solved from a “clean” IP looks high-trust. if you recycle it from a data-center proxy, the downstream risk score may not match what you’re submitting. solve on a residential IP, recycle on the same IP class.
Bottom Line
Token recycling is the highest-leverage captcha optimization most scraping pipelines aren’t using. solve once with hCaptcha or reCAPTCHA v2, recycle up to 30-50 times within TTL, and keep tokens pinned to the session and IP they were issued on. for complex stacks, the integration service architecture covered here at DRT gives you the right foundation to plug this into any scraper at scale.