Choose the appropriate reCAPTCHA key type

reCAPTCHA keys (also known as keys), let you protect your endpoints by verifying user interactions on your web pages and mobile applications.

To choose the appropriate reCAPTCHA key type, you must understand the types of keys that are supported for each platform and their differences.

Types of reCAPTCHA keys

The following table lists reCAPTCHA keys that are supported for each platform:

reCAPTCHA key types Description Supported keys Key integration type
reCAPTCHA keys for web Keys to integrate reCAPTCHA on web pages. Score-based keys SCORE
Checkbox keys CHECKBOX
reCAPTCHA keys for mobile applications Keys to integrate reCAPTCHA on Android and iOS apps. reCAPTCHA keys for Android SCORE
reCAPTCHA keys for iOS SCORE
reCAPTCHA keys for WAF Keys to integrate reCAPTCHA at the WAF layer. action-token keys SCORE and CHECKBOX
session-token keys SCORE
challenge-page keys INVISIBLE
express keys SCORE

Choose a reCAPTCHA key type for web

For websites, reCAPTCHA provides score-based (no challenge) and checkbox (checkbox visual challenge) keys to verify user interactions. Both key types return a score for each request, which is based on interactions with your site. This score lets you understand the level of risk that the interaction poses and helps you to take appropriate actions for your site.

The following table summarizes the differences between score-based and checkbox keys, and helps you choose the appropriate key based on your use cases:

Comparison category Score-based key (Recommended) Checkbox key
Description Score-based keys let you verify whether an interaction is legitimate without any user interaction.

Checkbox keys use a checkbox challenge that requires user interaction to verify that the user is not a robot. Also, you can use checkbox keys to protect specific actions with CAPTCHA challenges.

How it works

With score-based keys, the reCAPTCHA Enterprise API returns a score, which you can use to take action in the context of your site.

Examples of actions you might take include requiring additional factors of authentication, sending a post to moderation, or throttling bots that might be scraping content.

A checkbox key renders an I'm not a robot checkbox that a user must click to verify that they're not a robot. This checkbox key might or might not challenge them with CAPTCHA challenges. In both cases, the reCAPTCHA Enterprise API returns a score.

CAPTCHA challenges require a user to select certain kinds of objects, such as street signs, from a collection of images.

The following animated GIF is an example of a checkbox key:
reCAPTCHA_visual_challenge

The following image shows a sample CAPTCHA challenge:

A sample CAPTCHA challenge

Before using CAPTCHA challenges, you must understand the CAPTCHA challenges caveats.

Supported platforms Websites and mobile platforms. Websites only.
Use cases

Score-based keys are appropriate for the following use cases:

  • Websites that have accessibility requirements.
  • For payment-related transactions that prefer less friction for better conversion rates.
  • Situations where you want to use additional features such as password check (password leak detection) or Multi-factor authentication (MFA).
  • Sites accessed through mobile applications.
Checkbox keys are appropriate for forms, logins, and signups on web pages. Though it might cause extra friction for users, an extra step such as CAPTCHA challenge helps to deter unsophisticated attackers.

Caveats with CAPTCHA challenges

If you want to use checkbox keys with CAPTCHA challenges to protect against automated attacks, be aware of the following caveats:

  • CAPTCHAs require user interaction, which increases friction and might decrease conversion rates.
  • Due to the advances in computer vision and machine intelligence, CAPTCHAs are becoming less useful to distinguish between humans and bots.
  • CAPTCHAs are also under threat from paid attackers who can solve all types of challenges.
  • CAPTCHAs are not accessible for all users, so they might not be suitable if your website has accessibility requirements.

Choose reCAPTCHA key types for WAF

The following table shows a brief comparison of reCAPTCHA action-tokens, reCAPTCHA session-tokens, reCAPTCHA challenge page, and reCAPTCHA express:

Comparison category reCAPTCHA action-tokens reCAPTCHA session-tokens reCAPTCHA challenge page reCAPTCHA express
Use case Use reCAPTCHA action-tokens to protect user actions, such as login or comment posts. Use reCAPTCHA session-tokens to protect the whole user session on the site's domain. Use reCAPTCHA challenge page when you suspect spam activity directed to your site and you need to screen out bots.

This method interrupts a user's activity because the user has to verify a CAPTCHA challenge.

Use reCAPTCHA express when your environment does not support the integration of the reCAPTCHA JavaScript or the mobile SDKs.
Supported platforms Websites and mobile applications Websites Websites APIs, websites, mobile applications, and IoT devices such as TVs and gaming consoles
Integration effort Medium

Integration requires you to do the following:

  • Install the reCAPTCHA JavaScript on the individual pages of your site or install the reCAPTCHA mobile SDK on your mobile application.
  • Attach the action-token to the individual request header.
  • Configure Google Cloud Armor security policy rules, or reCAPTCHA firewall policies for third-party WAF service providers.
Medium

Integration requires you to do the following:

  • Install the reCAPTCHA JavaScript on the individual pages of your site.
  • Configure Google Cloud Armor security policy rules, or reCAPTCHA firewall policies for third-party WAF service providers.
Low

Integration requires you to configure security policy rules for Google Cloud Armor, or reCAPTCHA firewall policies for third-party WAF service providers.

Low

Integration requires you to either configure reCAPTCHA express with a WAF service provider or make a request from your application server to reCAPTCHA.

Detection accuracy Highest

An action-token protects individual user actions.

High

A session-token protects the whole user session on the site's domain.

Medium

The process involves redirects to the reCAPTCHA challenge page, which might not receive all the page-specific signals. As a result, bot detection might be less accurate.

Low

Client-side signals are not available.

Supported reCAPTCHA version reCAPTCHA score-based and checkbox keys reCAPTCHA score-based keys reCAPTCHA challenge page uses the optimized version of reCAPTCHA to minimize the integration. reCAPTCHA score-based keys

You can use one or more features of reCAPTCHA for WAF in a single application. For example, you can choose to apply a session-token for all pages, and based on the session-token's score, you can redirect suspicious requests to the reCAPTCHA challenge page. Also, you can use an action-token for high-profile actions, such as checkout. For more information, see examples.

What's next