Incident Report for hCaptcha
hCaptcha APIs use several SSL certificate authorities, maintaining both primary and backup certificates; our CAA record is authoritative. We also automatically rotate certificates every three months as part of our security best practices.

We received several reports today from customers running servers with outdated root CA entries. They either needed to update these after our most recent automatic certificate rotation, or had locked their validation for our endpoints to a specific certificate chain rather than relying on CA validation and our CAA records.

Please ensure your servers calling the siteverify endpoint have an updated root CA store. This is an important security practice, as root CAs are occasionally compromised and removed from OS vendors' stores. Similarly, if you would like to enforce additional restrictions on validating our TLS certificates, please rely on the CAA record rather than hard-coding a specific intermediate chain.
Posted Mar 15, 2024 - 04:00 UTC
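
The following Python is an added example, not code from hCaptcha. It keeps TLS validation on the operating system's root store instead of a pinned chain and, as a separate check run beside it, compares the CA that issued the presented certificate against a CAA record set. The CA domains, the record set and the issuer-organization-to-CAA-domain map are constructed placeholders; fetching the CAA records over DNS and reading the issuer from the live certificate are left to the caller.

```python
import ssl


def siteverify_tls_context():
    """TLS context that trusts whatever the OS root store trusts (no pinned chain)."""
    # create_default_context() loads the system roots and turns on
    # certificate verification and hostname checking.
    return ssl.create_default_context()


def caa_issuer_domain(value):
    """Issuer domain from a CAA 'issue' value; parameters after ';' are ignored."""
    return value.partition(";")[0].strip().lower().rstrip(".")


def authorized_issuers(caa_rrset):
    """Set of CA domains named by 'issue' records, or None when there are none
    (without an 'issue' record, CAA places no restriction on who may issue)."""
    values = [v for _flags, tag, v in caa_rrset if tag.lower() == "issue"]
    if not values:
        return None
    # An 'issue ";"' record has an empty issuer domain and authorizes nobody.
    return {d for d in map(caa_issuer_domain, values) if d}


def issuer_allowed(caa_rrset, issuer_org, org_to_caa_domain):
    """True if the CA that signed the presented leaf is named in the CAA record set."""
    allowed = authorized_issuers(caa_rrset)
    if allowed is None:
        return True
    # An issuer organization missing from the map resolves to None and is rejected.
    return org_to_caa_domain.get(issuer_org) in allowed


# Constructed sample data: (flags, tag, value) tuples as a DNS lookup would return them.
SAMPLE_CAA = [
    (0, "issue", "ca-one.example"),
    (0, "issue", "CA-Two.example.; account=12345"),
    (0, "iodef", "mailto:security@customer.example"),
]
# Assumption: the caller maintains this map from certificate issuer O= to CAA domain.
SAMPLE_ORG_MAP = {"CA One Ltd": "ca-one.example", "CA Two Inc": "ca-two.example"}
```

Because the check names CAs rather than a specific intermediate, a routine rotation to a new certificate from either listed CA passes without any client change.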