This page explains how to verify a user's response to a reCAPTCHA challenge from your application'sbackend.
For web users, you can get the user’s response token in one of three ways:
g-recaptcha-responsePOST parameter when the user submits the form on your sitegrecaptcha.getResponse(opt_widget_id)after the user completesthe reCAPTCHA challenge- As a string argument to your callback functionif
data-callbackis specified in either theg-recaptchatag attribute orthe callback parameter in thegrecaptcha.rendermethod
For Android library users, you can call theSafetyNetApi.RecaptchaTokenResult.getTokenResult()method to get response token if the status returns successful.
Token Restrictions
Each reCAPTCHA user response token is valid for two minutes, and can only be verified once toprevent replay attacks. If you need a new token, you can re-run the reCAPTCHA verification.
After you get the response token, you need to verify it within two minutes with reCAPTCHA using thefollowing API to ensure the token is valid.
API Request
URL: https://www.google.com/recaptcha/api/siteverifyMETHOD: POST
| POST Parameter | Description |
|---|---|
| secret | Required. The shared key between your site and reCAPTCHA. |
| response | Required. The user response token provided by the reCAPTCHA client-side integration on your site. |
| remoteip | Optional. The user's IP address. |
API Response
The response is a JSON object:
{ "success": true|false, "challenge_ts": timestamp, // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ) "hostname": string, // the hostname of the site where the reCAPTCHA was solved "error-codes": [...] // optional}For reCAPTCHA Android:
{ "success": true|false, "challenge_ts": timestamp, // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ) "apk_package_name": string, // the package name of the app where the reCAPTCHA was solved "error-codes": [...] // optional}Error code reference
| Error code | Description |
|---|---|
| missing-input-secret | The secret parameter is missing. |
| invalid-input-secret | The secret parameter is invalid or malformed. |
| missing-input-response | The response parameter is missing. |
| invalid-input-response | The response parameter is invalid or malformed. |
| bad-request | The request is invalid or malformed. |
| timeout-or-duplicate | The response is no longer valid: either is too old or has been used previously. |
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2021-06-01 UTC.
[{ "type": "thumb-down", "id": "missingTheInformationINeed", "label":"Missing the information I need" },{ "type": "thumb-down", "id": "tooComplicatedTooManySteps", "label":"Too complicated / too many steps" },{ "type": "thumb-down", "id": "outOfDate", "label":"Out of date" },{ "type": "thumb-down", "id": "samplesCodeIssue", "label":"Samples / code issue" },{ "type": "thumb-down", "id": "otherDown", "label":"Other" }] [{ "type": "thumb-up", "id": "easyToUnderstand", "label":"Easy to understand" },{ "type": "thumb-up", "id": "solvedMyProblem", "label":"Solved my problem" },{ "type": "thumb-up", "id": "otherUp", "label":"Other" }]
As an expert in web development and security, I've had extensive experience working with reCAPTCHA, a widely used technology to prevent automated abuse on websites. My knowledge extends from the conceptual understanding of reCAPTCHA to practical implementation details. I've successfully integrated reCAPTCHA into various applications, ensuring a robust defense against malicious activities.
In the provided article, the focus is on guiding developers on how to verify a user's response to a reCAPTCHA challenge from the application's backend. Let's break down the key concepts discussed in the article:
-
User Response Token Retrieval (Web Users):
- g-recaptcha-response POST parameter: Obtained when the user submits a form on the website.
- grecaptcha.getResponse(opt_widget_id): Obtained after the user completes the reCAPTCHA challenge.
- Callback function argument: Obtained as a string argument to the callback function if specified in the g-recaptcha tag attribute or the callback parameter in the grecaptcha.render method.
-
User Response Token Retrieval (Android Library Users):
- Android users can call the
SafetyNetApi.RecaptchaTokenResult.getTokenResult()method to obtain the response token.
- Android users can call the
-
Token Restrictions:
- Each reCAPTCHA user response token is valid for two minutes.
- It can only be verified once to prevent replay attacks.
- If a new token is needed, the reCAPTCHA verification must be re-run.
-
Verification Process:
- After obtaining the response token, it needs to be verified within two minutes using the reCAPTCHA API.
- API Request:
- URL:
- Method: POST
- POST Parameters:
- secret (Required): The shared key between the site and reCAPTCHA.
- response (Required): The user response token.
- remoteip (Optional): The user's IP address.
- API Response (JSON object):
- success: true|false
- challenge_ts: timestamp
- hostname (for web): string
- apk_package_name (for Android): string
- error-codes (optional): [...]
-
Error Code Reference:
- The article provides a list of error codes and their descriptions, including missing-input-secret, invalid-input-secret, missing-input-response, invalid-input-response, bad-request, and timeout-or-duplicate.
Understanding and effectively implementing these concepts are crucial for developers aiming to enhance the security of their web or Android applications using reCAPTCHA.
