# Handling Captcha/Email/Mobile OTPs

Pentest Copilot handles verification codes and captchas automatically while you record a login. Record once, and the platform re-authenticates on every later test run.

### What the platform handles

| Challenge                | What you do                                  |
| ------------------------ | -------------------------------------------- |
| Email OTP                | Type the monitored email on the target form  |
| Magic link               | Type the monitored email                     |
| SMS OTP                  | Type the monitored phone number              |
| TOTP (authenticator app) | Paste the Base32 secret into the TOTP helper |
| Captcha                  | Nothing                                      |

### Where to find the monitored email and phone

Open **Browser Session Manager** and click **Record Session**. An info notice at the top shows both values as copyable chips. Use those exact values on the target app.

### Email OTP and magic links

| Scenario                  | Action                                                                                          |
| ------------------------- | ----------------------------------------------------------------------------------------------- |
| Standard login            | Type the monitored email, submit, wait.                                                         |
| Unique-per-account signup | Append a suffix, e.g. `pentestcopilot+acme@teambugbase.com`. Gmail routes it to the same inbox. |
| Target blocks the address | Ask your Bugbase contact to rotate to a domain the target accepts.                              |

The platform reads the incoming mail, extracts the code or opens the magic link, and continues.

### SMS OTP

Type the monitored phone in E.164 format, for example `+1XXXXXXXXX`. If the target splits country code and local number into separate inputs, put `+1` (or whatever prefix is shown) in the country-code field and the rest in the local-number field.

The platform reads the incoming text, extracts the code, and types it.

### TOTP (authenticator apps)

When the target shows a QR code or Base32 secret during authenticator setup:

| Step | Action                                                                                             |
| ---- | -------------------------------------------------------------------------------------------------- |
| 1    | Click the **TOTP** button in the recording toolbar                                                 |
| 2    | Paste the Base32 secret, e.g. `JBSWY3DPEHPK3PXP`                                                   |
| 3    | When the target asks for a code, click the OTP field. The platform types the current 6-digit code. |

The secret is saved with the session. On every future run, the platform regenerates the current code and types it.
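How a 6-digit code is derived from a pasted Base32 secret, shown as an added example that is not Pentest Copilot's own code. It assumes the RFC 6238 defaults authenticator apps use (HMAC-SHA1, 30-second step); the function names are hypothetical, and the `otpauth://` branch covers the URI that a setup QR code encodes.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse


def normalize_secret(value: str) -> bytes:
    """Accept a bare Base32 secret or an otpauth:// URI and return the raw key."""
    if value.startswith("otpauth://"):
        params = parse_qs(urlparse(value).query)
        if "secret" not in params:
            raise ValueError("otpauth URI has no secret parameter")
        value = params["secret"][0]
    # Secrets are often displayed in lower case, in groups of four, without padding.
    cleaned = value.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)  # raises binascii.Error on invalid input


def totp(secret: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then truncate."""
    key = normalize_secret(secret)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros


def seconds_left(at: Optional[float] = None, step: int = 30) -> int:
    """Seconds until the code rolls over; a code typed at the edge may be rejected."""
    now = time.time() if at is None else at
    return step - int(now % step)


if __name__ == "__main__":
    demo = "JBSWY3DPEHPK3PXP"  # the example secret from step 2 above
    print(totp(demo), f"(rolls over in {seconds_left()}s)")
```

Anyone who holds the Base32 secret can produce valid codes, so the saved session record needs the same protection as a stored password.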

### Captcha

Nothing to do. The platform detects and solves:

* reCAPTCHA v2 and v3
* hCaptcha
* Cloudflare Turnstile
* Image, text, and audio puzzles

If a captcha sticks (rare, usually a new variant), solve it manually during recording and flag it to Bugbase.

### Recording checklist

| Step | Action                                                         |
| ---- | -------------------------------------------------------------- |
| 1    | Open Browser Session Manager, Record Session tab               |
| 2    | Note the monitored email and phone in the info notice          |
| 3    | Use those values wherever the target asks for email or phone   |
| 4    | For TOTP, use the helper button when the target shows a secret |
| 5    | Let captchas resolve on their own                              |
| 6    | Finish the login, stop recording, save                         |

### FAQ

| Question                                           | Answer                                                                                          |
| -------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| Is the displayed inbox real?                       | Yes. It's assigned to your workspace and polled continuously.                                   |
| Does every session share the same email and phone? | Yes. They're workspace-wide and stay the same across all your recorded sessions.                |
| What if a code expires before it's used?           | Polling runs every few seconds, so timeouts are rare. Failed runs are flagged for re-recording. |
| Is my TOTP secret secure?                          | It's stored inside the session record in your workspace, not shared across tenants.             |
| Do I need my own Capsolver or 2Captcha account?    | No. Captcha solving is included.                                                                |

### On-premise or custom tenant?

If you're running Pentest Copilot on your own infrastructure or need a dedicated email / phone (e.g. because the target allow-lists specific domains), we can swap in values you provide. Share the address and number during onboarding and the chips on your dashboard will update automatically. Captcha auto-solve can also be disabled per deployment when manual solving is required for an engagement.


