Captcha Token
Verifying the user’s response | reCAPTCHA | Google Developers
This page explains how to verify a user’s response to a reCAPTCHA challenge from your application’s
backend.
For web users, you can get the user’s response token in one of three ways:
g-recaptcha-response POST parameter when the user submits the form on your site
tResponse(opt_widget_id) after the user completes the reCAPTCHA challenge
As a string argument to your callback function if data-callback is specified in either the g-recaptcha tag attribute or the callback parameter in the method
For Android library users, you can call the tTokenResult() method to get the response token if the status returns successful.
Token Restrictions
Each reCAPTCHA user response token is valid for two minutes, and can only be verified once to
prevent replay attacks. If you need a new token, you can re-run the reCAPTCHA verification.
After you get the response token, you need to verify it within two minutes with reCAPTCHA using the
following API to ensure the token is valid.
API Request
URL: METHOD: POST
POST Parameter | Description
secret | Required. The shared key between your site and reCAPTCHA.
response | Required. The user response token provided by the reCAPTCHA client-side integration on your site.
remoteip | Optional. The user’s IP address.
API Response
The response is a JSON object:
{
  "success": true|false,
  "challenge_ts": timestamp,  // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
  "hostname": string,         // the hostname of the site where the reCAPTCHA was solved
  "error-codes": [...]        // optional
}
For reCAPTCHA Android:
  "apk_package_name": string, // the package name of the app where the reCAPTCHA was solved
Error code reference
Error code | Description
missing-input-secret | The secret parameter is missing.
invalid-input-secret | The secret parameter is invalid or malformed.
missing-input-response | The response parameter is missing.
invalid-input-response | The response parameter is invalid or malformed.
bad-request | The request is invalid or malformed.
timeout-or-duplicate | The response is no longer valid: it is either too old or has been used previously.
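An added example (not from the original page, and not Google's code) of the backend check described above, in Python: it form-encodes the POST parameters, fails closed unless "success" is literally true, checks "hostname" against an allowlist, and separates error codes that mean the backend is misconfigured from those that mean the user must re-run the challenge. The `post` callable (the caller's HTTPS POST to the verification API), the decision labels, the allowlist and `fake_api` are assumptions of this example; `fake_api` is a constructed stand-in that accepts each token once so the example runs offline.

```python
import json
from urllib.parse import parse_qs, urlencode

# Error codes from the table above, split by who has to act (the split is this example's choice).
CONFIG_ERRORS = {"missing-input-secret", "invalid-input-secret", "bad-request"}

def build_verify_body(secret, token, remote_ip=None):
    """Form-encode the POST parameters: secret, response and the optional remoteip."""
    params = {"secret": secret, "response": token}
    if remote_ip:
        params["remoteip"] = remote_ip
    return urlencode(params).encode("ascii")

def evaluate(raw_json, allowed_hostnames):
    """Return (decision, detail); decision is 'accept', 'retry-challenge' or 'config-error'."""
    try:
        data = json.loads(raw_json)
    except ValueError:
        return "config-error", "unparseable response"
    if not isinstance(data, dict):
        return "config-error", "unexpected response shape"
    raw = data.get("error-codes")
    codes = {c for c in raw if isinstance(c, str)} if isinstance(raw, list) else set()
    if codes & CONFIG_ERRORS:                 # our secret or request is wrong: alert, do not blame the user
        return "config-error", ",".join(sorted(codes))
    if data.get("success") is not True:       # fail closed: only a literal JSON true passes
        return "retry-challenge", ",".join(sorted(codes)) or "success=false"
    host = data.get("hostname")
    if not isinstance(host, str) or host not in allowed_hostnames:
        return "retry-challenge", "hostname-mismatch"   # token was solved on another site
    return "accept", host

def verify(token, secret, post, allowed_hostnames, remote_ip=None):
    """post(body: bytes) -> str performs the HTTPS POST; each token is sent exactly once."""
    if not token:                             # empty g-recaptcha-response: skip the round trip
        return "retry-challenge", "missing-input-response"
    return evaluate(post(build_verify_body(secret, token, remote_ip)), allowed_hostnames)

def fake_api():
    """Constructed stand-in for the API: a token verifies once, then is a duplicate."""
    seen = set()
    def post(body):
        token = parse_qs(body.decode("ascii"))["response"][0]
        if token in seen:
            return json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]})
        seen.add(token)
        return json.dumps({"success": True, "challenge_ts": "2021-06-01T12:00:00Z",
                           "hostname": "www.example.com"})
    return post
```

Because a token can only be verified once, a backend that retries the same token after a network error will see timeout-or-duplicate; the user has to re-run the challenge to get a new one.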
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2021-06-01 UTC.
What is reCAPTCHA? – Google Support
reCAPTCHA is a free service from Google that helps protect websites from spam and abuse. A “CAPTCHA” is a Turing test to tell humans and bots apart. It is easy for humans to solve, but hard for “bots” and other malicious software to figure out. By adding reCAPTCHA to a site, you can block automated software while helping your welcome users to enter with ease. Try it out at
To learn more about reCAPTCHA, visit our official website or our technical documentation site.
How to Get Google reCaptcha Site and Secret key – Phppot
by Vincy. Last modified on May 18th, 2021.
Google reCaptcha is a popular service providing anti-abuse security to protect your application. To integrate Google reCaptcha into an application, the app or web domain has to be registered to get the API keys.
Registering the application gives you two keys, the Site key and the Secret key. The site key and the secret key are also known as the public and private keys respectively.
The site key is used to render the reCaptcha in a page and the secret key is used for performing server-side validation. The keys are unique to the one or more registered domains.
In this tutorial, we are going to see how to get the Google reCaptcha API keys by following the three simple steps listed below.
Visit Google reCaptcha home and click My reCAPTCHA button.
Register application by choosing reCAPTCHA type.
Copy the Site key and Secret key created for the registered application.
We have seen already how to use these keys to deploy reCaptcha widget and to perform server-side processing.
Visiting Google reCAPTCHA Home
The screenshot below shows the Google reCaptcha website home with the My reCAPTCHA button control. Clicking this button redirects to a page with a signup form to register an application for API keys.
Register Application to get reCaptcha API keys
This section shows the Google reCaptcha signup form used to register the web or mobile application. In this form, we enter the label and choose the reCaptcha type, then enter the domains or package names.
There are three radio options to choose the reCaptcha type.
reCAPTCHA v2
Invisible reCAPTCHA
reCAPTCHA Android
When you choose the reCAPTCHA v2 or Invisible reCAPTCHA option, a dynamic input is shown for entering the domains. If you choose the reCAPTCHA Android option, the registration form asks for the list of package names of the Android application that will render Google reCaptcha.
Get the Registered Site API Keys
After submitting the site information, the request is processed to generate the API keys. Then, we will be redirected to a new page which shows the Site key and Secret key for the registered application.
Frequently Asked Questions about captcha token
What is a Captcha token?
reCAPTCHA is a free service from Google that helps protect websites from spam and abuse. A “CAPTCHA” is a Turing test to tell humans and bots apart. It is easy for humans to solve, but hard for “bots” and other malicious software to figure out.
How do I get a Captcha key?
How to Get Google reCaptcha Site and Secret key
Visit Google reCaptcha home and click My reCAPTCHA button.
Register application by choosing reCAPTCHA type.
Copy the Site key and Secret key created for the registered application.
May 18, 2021
How can I get a free Captcha key?
To use reCAPTCHA you must generate API keys from Google’s reCAPTCHA website. API keys are free. Click on the “Get reCAPTCHA” blue button in the top right corner of your screen. You are now required to log in with your Google account; if you do not have one, register for a free account.