A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing or log-in page which may require authentication, payment, acceptance of an end-user license agreement/acceptable use policy, or survey completion. Captive portals are used for a broad range of mobile and pedestrian broadband services – including cable and both commercially provided Wi-Fi and home hotspots. A captive portal can also be used to provide access to enterprise or residential wired networks, such as apartment houses, hotel rooms, and business centers.

The captive portal is presented to the client and is stored either at the gateway or on a web server hosting the web page. Depending on the feature set of the gateway, websites or TCP ports can be allow-listed so that the user would not have to interact with the captive portal in order to use them. The MAC address of attached clients can also be used to bypass the login process for specified devices.

WISPr refers to this web-browser–based authentication method as the Universal Access Method (UAM).

Captive portals are primarily used in open wireless networks where the users are shown a welcome message informing them of the conditions of access (allowed ports, liability, etc.). Administrators tend to do this so that their own users take responsibility for their actions and to avoid any legal responsibility. Whether this delegation of responsibility is legally valid is a matter of debate. Some networks may also require entering the user's cell phone number or identity information so that administrators can provide information to authorities in case there was illegal activity on the network.

Often captive portals are used for marketing and commercial communication purposes. Access to the Internet over open Wi-Fi is prohibited until the user exchanges personal data by filling out a web-based registration form in a web browser. The web-based form either automatically opens in a web browser, or appears when the user opens a web browser and tries to visit any web page. In other words, the user is "captive" - unable to access the Internet freely until the user is granted access to the Internet and has "completed" the captive portal. This allows the provider of this service to display or send advertisements to users who connect to the Wi-Fi access point. This type of service is also sometimes known as "social Wi-Fi", as they may ask for a social network account to login (such as Facebook). Over the past few years, such social Wi-Fi captive portals have become commonplace with various companies offering marketing centered around Wi-Fi data collection.

The user can find many types of content in the captive portal, and it's frequent to allow access to the Internet in exchange for viewing content or performing a certain action (often, providing personal data to enable commercial contact); thus, the marketing use of the captive portal is a tool for lead generation (business contacts or potential clients).

There are various ways to implement a captive portal.

A common method is to direct all World Wide Web traffic to a web server, which returns an HTTP redirect to a captive portal. When a modern, Internet-enabled device first connects to a network, it sends out an HTTP request to a detection URL predefined by its vendor and expects an HTTP status code 200 OK or 204 No Content. If the device receives an HTTP 2xx status code, it assumes it has unlimited internet access. Captive portal prompts are displayed if the device receives a 302 redirect status code to the captive portal instead. RFC 6585 specifies the 511 Network Authentication Required status code.