Choose the appropriate reCAPTCHA key type

reCAPTCHA keys (also known as keys), let you protect your endpoints by verifying user interactions on your web pages and mobile applications.

To choose the appropriate reCAPTCHA key type, you must understand the types of keys that are supported for each platform and their differences.

Types of reCAPTCHA keys

The following table lists reCAPTCHA keys that are supported for each platform:

reCAPTCHA key types	Description	Supported keys	Key integration type
reCAPTCHA keys for web	Keys to integrate reCAPTCHA Enterprise on web pages.	Score-based keys	`SCORE`
reCAPTCHA keys for web	Keys to integrate reCAPTCHA Enterprise on web pages.	Checkbox keys	`CHECKBOX`
reCAPTCHA keys for mobile applications	Keys to integrate reCAPTCHA Enterprise on Android and iOS apps.	reCAPTCHA keys for Android	`SCORE`
reCAPTCHA keys for mobile applications		reCAPTCHA keys for iOS	`SCORE`
reCAPTCHA keys for WAF	Keys to integrate reCAPTCHA Enterprise at the WAF layer.	action-token keys	`SCORE` and `CHECKBOX`
		session-token keys	`SCORE`
		challenge-page keys	`INVISIBLE`
		express keys	`SCORE`

Choose a reCAPTCHA key type for web

For websites, reCAPTCHA Enterprise provides score-based (no challenge) and checkbox (checkbox visual challenge) keys to verify user interactions. Both key types return a score for each request, which is based on interactions with your site. This score lets you understand the level of risk that the interaction poses and helps you to take appropriate actions for your site.

The following table summarizes the differences between score-based and checkbox keys, and helps you choose the appropriate key based on your use cases:

Comparison category	Score-based key (Recommended)	Checkbox key
Description	Score-based keys let you verify whether an interaction is legitimate without any user interaction.	Checkbox keys use a checkbox challenge that requires user interaction to verify that the user is not a robot. Also, you can use checkbox keys to protect specific actions with CAPTCHA challenges. We do not recommend using checkbox keys because they increase user friction and don't significantly improve accuracy. For more information, see the FAQs.
How it works	With score-based keys, the reCAPTCHA Enterprise API returns a score, which you can use to take action in the context of your site. Examples of actions you might take include requiring additional factors of authentication, sending a post to moderation, or throttling bots that might be scraping content.	A checkbox key renders an I'm not a robot checkbox that a user must click to verify that they're not a robot. This checkbox key might or might not challenge them with CAPTCHA challenges. In both cases, the reCAPTCHA Enterprise API returns a score. CAPTCHA challenges require a user to select certain kinds of objects, such as street signs, from a collection of images. The following animated GIF is an example of a checkbox key: The following image shows a sample CAPTCHA challenge: Before using CAPTCHA challenges, you must understand the CAPTCHA challenges caveats.
Supported platforms	Websites and mobile platforms.	Websites only.
Use cases	Score-based keys are appropriate for the following use cases: Websites that have accessibility requirements. For payment-related transactions that prefer less friction for better conversion rates. Situations where you want to use additional features such as password check (password leak detection) or Multi-factor authentication (MFA). Sites accessed through mobile applications. We recommend that you do not use reCAPTCHA Enterprise for websites in embedded WebViews, and instead use the native reCAPTCHA Enterprise iOS and Android SDKs.	Checkbox keys are appropriate for forms, logins, and signups on web pages. Though it might cause extra friction for users, an extra step such as CAPTCHA challenge helps to deter unsophisticated attackers.

Caveats with CAPTCHA challenges

If you want to use checkbox keys with CAPTCHA challenges to protect against automated attacks, be aware of the following caveats:

CAPTCHAs require user interaction, which increases friction and might decrease conversion rates.
Due to the advances in computer vision and machine intelligence, CAPTCHAs are becoming less useful to distinguish between humans and bots.
CAPTCHAs are also under threat from paid attackers who can solve all types of challenges.
CAPTCHAs are not accessible for all users, so they might not be suitable if your website has accessibility requirements.

Choose reCAPTCHA key types for WAF

The following table shows a brief comparison of reCAPTCHA action-tokens, reCAPTCHA session-tokens, reCAPTCHA challenge page, and reCAPTCHA WAF express protection:

Comparison category	reCAPTCHA action-tokens	reCAPTCHA session-tokens	reCAPTCHA challenge page	reCAPTCHA WAF express protection
Use case	Use reCAPTCHA action-tokens to protect user actions, such as login or comment posts.	Use reCAPTCHA session-tokens to protect the whole user session on the site's domain.	Use reCAPTCHA challenge page when you suspect spam activity directed to your site and you need to screen out bots. This method interrupts a user's activity because the user has to verify a CAPTCHA challenge.	Use reCAPTCHA WAF express protection when your environment does not support the integration of the reCAPTCHA JavaScript or the mobile SDKs.
Supported platforms	Websites and mobile applications	Websites	Websites	APIs, websites, mobile applications, and IoT devices such as TVs and gaming consoles
Integration effort	Medium Integration requires you to do the following: Install the reCAPTCHA JavaScript on the individual pages of your site or install the reCAPTCHA Enterprise mobile SDK on your mobile application. Attach the action-token to the individual request header. Configure Google Cloud Armor security policy rules, or reCAPTCHA firewall policies for third-party WAF service providers.	Medium Integration requires you to do the following: Install the reCAPTCHA JavaScript on the individual pages of your site. Configure Google Cloud Armor security policy rules, or reCAPTCHA firewall policies for third-party WAF service providers.	Low Integration requires you to configure security policy rules for Google Cloud Armor, or reCAPTCHA firewall policies for third-party WAF service providers.	Low Integration requires you to either configure reCAPTCHA WAF express protection with a WAF service provider or make a request from your application server to reCAPTCHA Enterprise.
Detection accuracy	Highest An action-token protects individual user actions.	High A session-token protects the whole user session on the site's domain.	Medium The process involves redirects to the reCAPTCHA challenge page, which might not receive all the page-specific signals. As a result, bot detection might be less accurate.	Low Client-side signals are not available.
Supported reCAPTCHA version	reCAPTCHA Enterprise score-based and checkbox keys	reCAPTCHA Enterprise score-based keys	reCAPTCHA challenge page uses the optimized version of reCAPTCHA to minimize the integration.	reCAPTCHA Enterprise score-based keys

You can use one or more features of reCAPTCHA Enterprise for WAF in a single application. For example, you can choose to apply a session-token for all pages, and based on the session-token's score, you can redirect suspicious requests to the reCAPTCHA challenge page. Also, you can use an action-token for high-profile actions, such as checkout. For more information, see examples.

What's next

Create reCAPTCHA keys for websites.
Create reCAPTCHA keys for mobile applications.
Learn more about reCAPTCHA keys for WAF.