Guide

How to Solve FunCaptcha (Arkose Labs) When Scraping

FunCaptcha is Arkose's interactive puzzle: rotate the object, match the image, and hand back a single-use fc-token the server verifies. Here is how the puzzle and token actually work, how solving fits, and why a clean residential setup keeps it rare.

HProxy Team · ·Updated July 18, 2026 ·7 min read
HProxy. Guide

Free proxies won't hold up here.

Shared datacenter IPs get flagged and dropped fast. When it has to hold, gaming, streaming, accounts, you need mobile and residential IPs that read as a real device, from $0.65/GB, pay as you go.

See plans & pricing

You hit a FunCaptcha and you know it on sight: a small interactive panel asking you to rotate an animal until it is upright, or to pick the image that matches a prompt, usually on a signup or a suspicious login. It is Arkose Labs' interactive challenge, long called FunCaptcha and now branded Arkose MatchKey, and it is the wall widely reported behind account creation on platforms like X and Roblox. The automation that ran clean an hour ago now meets that puzzle on every attempt, and swapping proxies changes how often it appears but never makes it go away. That is the tell. Arkose scored your session first and only served the puzzle because the score went against you, and the puzzle itself is engineered to be expensive to solve at scale, not impossible. This guide is about the solving side: how the puzzle and the token actually work, how a solver fits, and why the token is not a thing you can detach and stockpile. For the scoring side, how the invisible risk assessment decides whether you see a puzzle at all, our guide on getting past Arkose Labs covers it in full. One thing honest up front: no proxy solves the puzzle for you.

Can proxies solve FunCaptcha?

No, and it is worth being blunt about it. A proxy changes the IP your request comes from, nothing more. A clean residential IP lowers your Arkose risk score, which lowers how often FunCaptcha appears and how hard the puzzles are, but it never rotates the object and never returns a token. Proxies reduce challenge frequency. Real browsers and solver services handle the challenges that still get through.

What the FunCaptcha challenge actually is

FunCaptcha is the enforcement half of Arkose. When your session scores as risky, Arkose serves an interactive puzzle instead of a quiet pass. As the solving community describes it, FunCaptcha uses interactive puzzles and games to tell humans from bots, which is exactly why plain OCR bots cannot cope with it.

The puzzle types. The classic is rotating an object until it is upright. Others show a set of numbered images and ask you to pick the one matching a text prompt, or the one where object values sum to a given number, and there is an audio variant. The tasks are visual and logical rather than text, so reading distorted characters is not the skill being tested.

They are built to be expensive. The design goal is economic. By escalating difficulty for risky sessions and rotating the puzzles so a solver tuned to one variant stops working, Arkose makes automated solving slow and costly enough that a large attack stops being profitable. That is why FunCaptcha shows up on high-value account flows and not on ordinary page reads.

The token is the output. Completing the puzzle produces a verification token, something like 3084f4a302b176cd7.96368058|r=ap-southeast-1|...|surl=https://funcaptcha.com. You place it in the page's fc-token or verification-token field and submit the form. The token is single-use and verified server-side against the Arkose Verify API with a private key that never touches the browser, so the client-side value is proof of a completed challenge, not something you can forge.

How a solver service actually fits

For the puzzles that get through, a captcha-solving service is the usual tool. The flow is not magic, and understanding it tells you why success rates vary. You pass the service the Arkose public key and the page URL, and on hardened deployments the data blob the page generates for the Arkose client, plus optionally a proxy so the solve happens from your IP rather than the service's. The service completes the puzzle, by human labor or, on some services, an AI model that returns an answer in seconds, and hands back a token. You inject the token into the page and submit.

The honest nuance is that the token carries session context. Arkose scores the whole session, so a token solved on a different IP or fingerprint than the one your request rides on can still verify poorly or trigger a step-up. This is why a solver that returns a token does not guarantee a pass, and why passing your own proxy and matching your own fingerprint into the solve matters. It is also why the durable answer is to keep the puzzle rare in the first place, the same reason token farming fails against hCaptcha: there is no clean, context-free token to stockpile.

Why a raw HTTP client cannot even reach the puzzle

Point a plain requests or axios script at an Arkose-protected flow and it fails before the puzzle matters. The Arkose client script has to run in a browser, and a plain HTTP client has no JavaScript engine to run it, so it never generates the challenge or a token. Separately, its TLS and HTTP/2 fingerprint matches no real browser, so it looks automated the moment it connects. Rotating a proxy pool changes none of that, because rotation fixes the IP and the IP was never the thing that would produce a token.

Where residential proxies fit

Residential proxies earn their place because the IP is one of the many signals feeding Arkose's risk score. Route through a real consumer or mobile connection and you present as an ordinary visitor rather than a datacenter range that reads as automation on sight, which nudges the score toward a quiet pass and away from the puzzle, and when the puzzle does appear it tends to be the easier, shorter variant. What a proxy cannot do is solve the puzzle or fix a headless browser's tells. The proxy forwards your bytes untouched, so a clean IP behind a stock automation build still fingerprints as automation and still gets challenged. As with every captcha-class defense, the proxy makes your IP believable and the browser makes the rest of you believable, and Arkose reads them as one scored session. The same model runs through how websites detect proxies.

A setup that keeps the puzzle rare and solvable

Everything here lowers your risk score, so the puzzle is the exception and the solve is cheap:

  1. Start with clean residential or ISP IPs, verified before use and held per session, so the scored session stays consistent and any solver can work from the same IP.
  2. Drive a real, fortified browser, a hardened Playwright or Puppeteer or an anti-detect browser, with the automation tells patched out, so the detection layer scores you as a genuine device.
  3. Pace and enter like a person, through a natural path rather than a cold deep-link, with randomized delays and modest per-IP volume.
  4. When you must solve, match the context. Pass your own proxy and the page's data blob into the solve so the token is produced against the same IP and session it will be verified against.

Test before you scale

Prove one identity before you commit a batch. Confirm your exit is alive and residential with the proxy checker, then run one real request through your browser and IP and see what Arkose does: a quiet pass, or a puzzle. If a fortified browser on a clean residential IP still gets a hard puzzle on the first hit, your fingerprint or behavior is dragging the score down, and no solver subscription fixes that root cause. Testing one full identity tells you which input is failing before you scale the mistake to thousands of requests.

The honest bottom line

FunCaptcha is the enforcement half of Arkose: an interactive puzzle served when your session already scored as risky, engineered to be expensive to solve in bulk, producing a single-use token that is verified server-side and cannot be farmed. You can solve the ones that get through with a service, but the token carries session context, so the solve has to match your IP and fingerprint to hold, and the bill and latency grow with volume by design. Residential proxies fix the IP input and are the foundation, but they are one input of several, and a clean address behind a headless browser still scores like a bot and still draws the puzzle. Raise the score with residential IPs, a real browser, and human pacing so the puzzle is rare, keep a solver on standby for the leftovers, and take an official API path when a site offers one. Our residential and mobile IPs start at $0.65/GB pay-as-you-go with no KYC and a balance that does not expire, so a flow that runs in bursts pays only for what it uses. Proxies make the puzzle rare; a clean setup is what makes it rare enough to live with.

Sources

  • 2Captcha: FunCaptcha (Arkose Labs): the interactive-puzzle mechanics (rotate and match tasks rather than text), the token you inject and submit, and the solve flow, described from the solving community. Arkose does not publish every internal detail, so the puzzle and token specifics here are drawn from solver documentation alongside Arkose's own pages.
  • Arkose Labs developer docs: standard setup: the client-side step that displays a challenge and provides a one-time-use token, and server-side verification of that token via the Arkose Verify API using a private key kept off the client.
  • Arkose Labs: Arkose Protect: the 225+ risk signals behind the score that decides whether a puzzle is served at all.

Frequently asked questions

Can proxies solve FunCaptcha?
No. A proxy only changes your IP. A clean residential IP lowers your Arkose risk score, so FunCaptcha appears less often and with easier puzzles, but it never rotates the object, never matches the image, and never returns the fc-token. Proxies reduce how often you see the puzzle; a real browser or a solver service handles the puzzles that still get through. Anyone promising a pure-proxy FunCaptcha solve is overselling.
What are the FunCaptcha (Arkose MatchKey) puzzle types?
Interactive visual tasks built to be easy for a human and expensive for a machine. The classic is rotating an object until it is upright. Others ask you to pick the image that matches a prompt, or the image where object values sum to a given number, and there is an audio variant for accessibility. Arkose rotates and updates the puzzles so a solver tuned to one variant does not keep working, which is the point of the design.
How does a FunCaptcha solver service work?
You pass the service the public key and page URL, and on hardened deployments the data blob the page generates, plus optionally a proxy so the solve happens from your IP. The service completes the puzzle and returns a token. You inject that token into the page's fc-token or verification-token field and submit the form. The catch is that the token carries session context, so a solve done on a mismatched IP or fingerprint can still score poorly.
What is the fc-token and can I reuse it?
It is the verification string the completed challenge produces, something like 3084f4a302b176cd7.96368058|r=ap-southeast-1|...|surl=https://funcaptcha.com. It is single-use. The site sends it to the Arkose Verify API server-side, authenticated with a private key that never touches the browser, so you cannot cache tokens ahead of time, replay one across a batch, or share one between sessions. There is nothing to stockpile.
Why does my solver return a token but the request still fails?
Because Arkose scores the whole session, not just the puzzle. The token is bound to session context: the IP, the fingerprint, and the data blob it was solved against. If the solver worked on a different IP or fingerprint than your session, or if your session already scored badly before the puzzle, the server-side verify can still reject it or step up the difficulty. A returned token is necessary, not sufficient.
Is it cheaper to solve FunCaptcha or to prevent it?
Prevention, at any real volume. Arkose deliberately makes each solve cost time and money, so a solver bill and the added latency per solve grow with your traffic, exactly the economics Arkose is engineering for. A clean residential IP, a real browser, and human pacing keep the puzzle rare, which means the solver runs on the small leftover share instead of every request. Solve the ones that slip through; do not build your strategy on solving.

Proxies that don't die mid-job

Residential, ISP, datacenter and mobile, verified by the same engine that runs tens of millions of checks. They read as a real device and hold up under load. Pay as you go, and your balance never expires.

47M+ proxy checks run · 100+ countries · HTTP / HTTPS / SOCKS · re-checked every few minutes · no signup