To exclude trusted IP addresses from reCAPTCHA enforcement, you create an allowlist for a reCAPTCHA key that is associated with your site, and add the IP addresses and the subnets to that allowlist.
You can also remove an IP address and a subnet from the allowlist, and list the IP addresses and subnets that are added to the allowlist.
Before you begin
Gather all IP addresses and subnets that you want to add to the allowlist.
Identify the IP addresses and subnets that you want to remove from the allowlist.
Ensure that you have the following Identity and Access Management role: reCAPTCHA Enterprise Admin (
roles/recaptchaenterprise.admin).
Add an IP address or subnet to the allowlist
When you add an IP address or a subnet to the allowlist,
reCAPTCHA skips the verification and always gives a score of 0.9
to the requests coming from that IP address or subnet.
You can add a maximum of 100 IP addresses and subnets to an allowlist.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Before using any of the command data below, make the following replacements:
- KEY: The reCAPTCHA key associated with your site.
- IP_ADDRESS_OR_SUBNET: The IP address or subnet that needs to be added to the allowlist.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud recaptcha keys add-ip-override KEY \ --ip=IP_ADDRESS_OR_SUBNET \ --override=ALLOW
Windows (PowerShell)
gcloud recaptcha keys add-ip-override KEY ` --ip=IP_ADDRESS_OR_SUBNET ` --override=ALLOW
Windows (cmd.exe)
gcloud recaptcha keys add-ip-override KEY ^ --ip=IP_ADDRESS_OR_SUBNET ^ --override=ALLOW
REST
Before using any of the request data, make the following replacements:
- KEY: The reCAPTCHA key associated with your site.
- IP_ADDRESS_OR_SUBNET: The IP address or subnet that needs to be added to the allowlist.
- PROJECT_ID: Your Google Cloud project ID
HTTP method and URL:
POST https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys/KEY:addIpOverride
Request JSON body:
{
"ip_override_data": {
"ip": "IP_ADDRESS_OR_SUBNET",
"override_type": "ALLOW"
}
}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json,
and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys/KEY:addIpOverride"
PowerShell
Save the request body in a file named request.json,
and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys/KEY:addIpOverride" | Select-Object -Expand Content
You should receive a successful status code (2xx) and an empty response.
After you add an IP address or a subnet to the allowlist, the changes take effect within a few minutes.
Remove an IP address or subnet from the allowlist
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Before using any of the command data below, make the following replacements:
- KEY: The reCAPTCHA key associated with your site.
- IP_ADDRESS_OR_SUBNET: The IP address or subnet that needs to be added to the allowlist.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud recaptcha keys remove-ip-override KEY \ --ip=IP_ADDRESS_OR_SUBNET \ --override=ALLOW
Windows (PowerShell)
gcloud recaptcha keys remove-ip-override KEY ` --ip=IP_ADDRESS_OR_SUBNET ` --override=ALLOW
Windows (cmd.exe)
gcloud recaptcha keys remove-ip-override KEY ^ --ip=IP_ADDRESS_OR_SUBNET ^ --override=ALLOW
REST
Before using any of the request data, make the following replacements:
- KEY: The reCAPTCHA key associated with your site.
- IP_ADDRESS_OR_SUBNET: The IP address or subnet that needs to be added to the allowlist.
- PROJECT_ID: Your Google Cloud project ID
HTTP method and URL:
POST https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys/KEY:removeIpOverride
Request JSON body:
{
"ip_override_data": {
"ip": "IP_ADDRESS_OR_SUBNET",
"override_type": "ALLOW"
}
}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json,
and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys/KEY:removeIpOverride"
PowerShell
Save the request body in a file named request.json,
and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/keys/KEY:removeIpOverride" | Select-Object -Expand Content
You should receive a successful status code (2xx) and an empty response.
After you remove an IP address or a subnet from the allowlist, the changes take effect within a few minutes.
List all IP addresses from the allowlist
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Before using any of the command data below, make the following replacements:
- KEY: The reCAPTCHA key associated with your site.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud recaptcha keys list-ip-overrides KEY --format=json
Windows (PowerShell)
gcloud recaptcha keys list-ip-overrides KEY --format=json
Windows (cmd.exe)
gcloud recaptcha keys list-ip-overrides KEY --format=json
REST
Before using any of the request data, make the following replacements:
- KEY: The reCAPTCHA key associated with your site.
- PROJECT_ID: Your Google Cloud project ID
HTTP method and URL:
GET https://recaptchaenterprise.googleapis.com/v1/projects//keys/ :listIpOverrides
To send your request, choose one of these options:
curl
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://recaptchaenterprise.googleapis.com/v1/projects//keys/ :listIpOverrides"
PowerShell
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://recaptchaenterprise.googleapis.com/v1/projects//keys/ :listIpOverrides" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
"ipOverrides": [
{
"ip": "1.2.3.4",
"overrideType": "ALLOW"
}
],
"nextPageToken": ""
}