reCAPTCHA overview

Google has been defending millions of sites with reCAPTCHA for over a decade. reCAPTCHA uses advanced risk analysis techniques to detect fraud. With reCAPTCHA, you can protect your websites or mobile applications from spam and abuse, and detect other types of fraudulent activities, such as credential stuffing, account takeover (ATO), and automated account creation. reCAPTCHA offers enhanced detection with more granular scores, reason codes for risky events, mobile app SDKs, password breach or leak detection, multi-factor authentication (MFA), and the ability to tune your site-specific model to protect enterprise businesses.

reCAPTCHA tiers

reCAPTCHA offers three usage-based tiers: Enterprise, Standard, and Essentials.

To learn about the features that are available in these tiers, see Compare features between reCAPTCHA tiers.

How reCAPTCHA works

When reCAPTCHA is deployed in your environment, it interacts with your backend and client (web pages or mobile applications).

When an end user visits a web page or uses a mobile application, the following events are triggered in a sequence:

  1. The client loads the web page from the backend or launches the mobile application.
  2. When the end user triggers an action protected by reCAPTCHA, such as login, the reCAPTCHA JavaScript API or the mobile SDK in the client collects signals and sends them to reCAPTCHA for analysis.
  3. reCAPTCHA returns an encrypted reCAPTCHA token to the client for later use.
  4. The client sends the encrypted reCAPTCHA token to the backend for assessment.
  5. The backend sends the create assessment (assessments.create) request and the encrypted reCAPTCHA token to reCAPTCHA.
  6. After the assessment, reCAPTCHA returns to the backend a verdict (scores from 0.0 through 1.0 and reason code) based on the risk evaluated for this request.
  7. Depending on the verdict, you (as the developer) can determine the next steps to take for that specific user request or action.
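
An added example (not from Google's documentation) of steps 5 through 7 on the backend: building the `assessments.create` request body and turning the returned verdict into a next step. The thresholds, the helper names `build_assessment_request` and `decide`, and the sample responses are assumptions constructed for illustration; the response field names follow the reCAPTCHA Enterprise REST API.

```python
# Added illustration; thresholds and helper names are assumptions, not Google's.
BLOCK_BELOW = 0.3      # assumed: below this, refuse the action
CHALLENGE_BELOW = 0.7  # assumed: below this, require step-up (for example MFA)

def build_assessment_request(token, site_key, expected_action):
    """Body of the assessments.create request the backend sends (step 5)."""
    return {"event": {"token": token, "siteKey": site_key,
                      "expectedAction": expected_action}}

def decide(assessment, expected_action):
    """Map the verdict returned in step 6 to a next step (step 7)."""
    props = assessment.get("tokenProperties", {})
    # Fail closed: an invalid token (expired, reused, malformed) has no usable score.
    if props.get("valid") is not True:
        return "block", "invalid token: " + props.get("invalidReason", "unknown")
    # A token issued for a different action must not be accepted for this one.
    if props.get("action") != expected_action:
        return "block", "action mismatch"
    risk = assessment.get("riskAnalysis", {})
    score = risk.get("score")
    if type(score) not in (int, float) or not 0.0 <= score <= 1.0:
        return "block", "missing or out-of-range score"
    # Higher scores mean lower risk; reason codes explain the verdict and belong in logs.
    detail = "score=%.1f reasons=%s" % (score, ",".join(risk.get("reasons", [])) or "none")
    if score < BLOCK_BELOW:
        return "block", detail
    if score < CHALLENGE_BELOW:
        return "challenge", detail
    return "allow", detail

# Constructed sample responses (not real traffic).
SAMPLES = {
    "human": {"tokenProperties": {"valid": True, "action": "login"},
              "riskAnalysis": {"score": 0.9, "reasons": []}},
    "unsure": {"tokenProperties": {"valid": True, "action": "login"},
               "riskAnalysis": {"score": 0.5, "reasons": ["UNEXPECTED_ENVIRONMENT"]}},
    "bot": {"tokenProperties": {"valid": True, "action": "login"},
            "riskAnalysis": {"score": 0.1, "reasons": ["AUTOMATION"]}},
    "expired": {"tokenProperties": {"valid": False, "invalidReason": "EXPIRED"}},
    "wrong_action": {"tokenProperties": {"valid": True, "action": "signup"},
                     "riskAnalysis": {"score": 0.9}},
}

if __name__ == "__main__":
    for name, response in SAMPLES.items():
        print(name, decide(response, "login"))
```

The token validity and action checks run before the score is read, so a high score attached to an expired token or to a token issued for another action never results in `allow`.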

The following sequence diagram shows the graphical representation of the reCAPTCHA workflow:

What's next