Learn about common issues you might encounter or questions you might have while using reCAPTCHA Enterprise.
Can I use reCAPTCHA Enterprise globally?
Yes, you can use
www.recaptcha.net in your frontend code in circumstances when
www.google.com is not accessible to your users.
- First, replace
<script src="https://www.recaptcha.net/recaptcha/enterprise.js?render=<SITE_KEY>"></script>, substituting your Site Key for
- After that, apply the same logic to everywhere else that uses
www.google.com/recaptcha/on your site.
reCAPTCHA Enterprise sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
If you prefer to not use the
www.google.com domain which may have other cookies set, you can use
I'd like to hide the reCAPTCHA Enterprise badge. What is allowed?
Can I customize the reCAPTCHA Enterprise widget or badge?
Yes. reCAPTCHA Enterprise offers light and dark themes, as shown below. To choose a
theme, set the
data-theme attribute in the
How many domains can I add in the "verify domains" list in Google Cloud Console?
There is a limit of 250 domains per site key.
I use a third-party plug-in/implementation that does not formally support reCAPTCHA Enterprise but only legacy reCAPTCHA. Can I still use reCAPTCHA Enterprise?
Yes, the legacy secret key is available in the Google Cloud console. To learn about how to find the legacy secret key, see Find a legacy reCAPTCHA secret key.
Are there any rate limits on my use of reCAPTCHA Enterprise?
Yes, see quotas and limits.
In the reCAPTCHA Enterprise Dashboard, what timezone is used? Can I change this?
This timezone is based on the Client Timezone of your browser. This cannot be changed at this time.
How do I measure the quality of the scores reCAPTCHA Enterprise is returning?
Ultimately, it depends on your use case and desired results. Generally, we recommend that you use your own internal metrics you have about user behavior to determine if the score was accurate, such as:
- Did a user that reset their password and received a high score later report that their account was hijacked?
- Did a user that logged in with a low score proceed to spam others?
- Did a user that failed to login and received a low score, then proceed to try and login to several different usernames?
I'd like to run automated tests with reCAPTCHA Enterprise. What should I do?
You can create reCAPTCHA Enterprise site keys designed for testing by using
the Google Cloud CLI.
For more information, see the
--testing-score options in the
recaptcha keys create reference page.
- Creating a checkbox site key that always returns "No CAPTCHA" (no challenge) and 1.0 (change --domains and --display-name below).
gcloud recaptcha keys create --testing-challenge=nocaptcha --testing-score=1.0 --web --domains="domain1.com,domain2.com" --display-name="Always No CAPTCHA" --integration-type=checkbox
- Creating a checkbox site key that always returns an unsolvable challenge (change --domains and --display-name below).
gcloud recaptcha keys create --testing-score=0.0 --testing-challenge=challenge --web --domains="domain1.com,domain2.com" --display-name="Unsolvable Challenge" --integration-type=checkbox
- Creating a score-based site key that always returns a set score (change --domains, --display-name, and --testing-score below).
gcloud recaptcha keys create --testing-score=1.0 --web --domains="domain1.com,domain2.com" --display-name="Always 1" --integration-type=score
I'd like to communicate with the reCAPTCHA Enterprise REST API. Can I assume that the response format will not change in the future?
As our product evolves, we might apply non-breaking changes like adding new fields to our API. If you use JSON, make sure you do not strictly validate the format of the response to maintain compatibility with future additions to the API.
reCAPTCHA Enterprise returned BROWSER_ERROR when creating an assessment. What should I do about this?
BROWSER_ERROR tokens occur when the reCAPTCHA Enterprise script could not perform an
execute operation. In most cases, this is due to a client-side network failure or timeout. You must retry the
What session data is collected by reCAPTCHA Enterprise and how does Google protect it?
For information about the data collected by reCAPTCHA Enterprise and measures that Google takes to protect data, see our Cloud Data Processing Addendum and reCAPTCHA Enterprise Service Specific Terms.
For more information about how Google protects data, see the Security White Paper.
Is reCAPTCHA Enterprise GDPR Compliant?
Yes. In Google Cloud, we champion initiatives that prioritize and improve the security and privacy of customer personal data, and want reCAPTCHA Enterprise customers to feel confident using our services in light of GDPR requirements. We commit in our Cloud Data Processing Addendum to comply with GDPR in relation to our processing of customer personal data in all Google Cloud services, including reCAPTCHA Enterprise.
For additional terms specific to reCAPTCHA Enterprise, see reCAPTCHA Enterprise Service Specific Terms.
Is payment transaction information collected by reCAPTCHA Enterprise?
When you install reCAPTCHA Enterprise on a payment transaction page, it examines certain transaction signals to help protect against automated attacks. For example, many purchase attempts per second with the same price can in certain cases indicate an attack.
However, bots represent only a fraction of the overall fraud problem. For more comprehensive protection, integrate with reCAPTCHA Enterprise Fraud Prevention, which allows you to send more complete transaction information and receive assessments for fraud such as card testing and stolen instrument usage.