Verifying the user's response
Stay organized with collections
Save and categorize content based on your preferences.
This page explains how to verify a user's response to a reCAPTCHA challenge from your application's
backend.
For web users, you can get the user’s response token in one of three ways:
g-recaptcha-response POST parameter when the user submits the form on your sitegrecaptcha.getResponse(opt_widget_id) after the user completes
the reCAPTCHA challenge- As a string argument to your callback function
if
data-callback is specified in either the g-recaptcha tag attribute or
the callback parameter in the grecaptcha.render method
For Android library users, you can call the
SafetyNetApi.RecaptchaTokenResult.getTokenResult()
method to get response token if the status returns successful.
Token Restrictions
Each reCAPTCHA user response token is valid for two minutes, and can only be verified once to
prevent replay attacks. If you need a new token, you can re-run the reCAPTCHA verification.
After you get the response token, you need to verify it within two minutes with reCAPTCHA using the
following API to ensure the token is valid.
API Request
URL: https://www.google.com/recaptcha/api/siteverify
METHOD: POST
| POST Parameter |
Description |
secret |
Required. The shared key between your site and reCAPTCHA. |
response |
Required. The user response token provided by the reCAPTCHA client-side integration on your site. |
remoteip |
Optional. The user's IP address. |
API Response
The response is a JSON object:
{
"success": true|false,
"challenge_ts": timestamp, // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
"hostname": string, // the hostname of the site where the reCAPTCHA was solved
"error-codes": [...] // optional
}
For reCAPTCHA Android:
{
"success": true|false,
"challenge_ts": timestamp, // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
"apk_package_name": string, // the package name of the app where the reCAPTCHA was solved
"error-codes": [...] // optional
}
Error code reference
| Error code |
Description |
missing-input-secret |
The secret parameter is missing. |
invalid-input-secret |
The secret parameter is invalid or malformed. |
missing-input-response |
The response parameter is missing. |
invalid-input-response |
The response parameter is invalid or malformed. |
bad-request |
The request is invalid or malformed. |
timeout-or-duplicate |
The response is no longer valid: either is too old or has been used previously. |
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-10-14 UTC.
[null,null,["Last updated 2024-10-14 UTC."],[[["\u003cp\u003eThis page details how to verify if a user successfully completed a reCAPTCHA challenge on your website or Android app.\u003c/p\u003e\n"],["\u003cp\u003eYou'll receive a response token from the reCAPTCHA integration that needs to be verified within two minutes using the reCAPTCHA API.\u003c/p\u003e\n"],["\u003cp\u003eVerification involves sending a POST request to the reCAPTCHA API with the secret key, response token, and optionally, the user's IP address.\u003c/p\u003e\n"],["\u003cp\u003eThe API response is a JSON object indicating success or failure, along with details like timestamp and potential error codes.\u003c/p\u003e\n"],["\u003cp\u003eEach response token is valid for a single use and expires after two minutes to prevent replay attacks.\u003c/p\u003e\n"]]],["To verify a user's reCAPTCHA response, obtain the response token via the `g-recaptcha-response` parameter, `grecaptcha.getResponse()`, or a callback function for web users or the `SafetyNetApi.RecaptchaTokenResult.getTokenResult()` method for Android. Then, within two minutes, send a POST request to `https://www.google.com/recaptcha/api/siteverify` with `secret` (your site's key) and `response` (the user token). The optional `remoteip` can be included. The JSON response indicates success, timestamp, and hostname or `apk_package_name` if Android, and error codes if any.\n"],null,["# Verifying the user's response\n\nThis page explains how to verify a user's response to a reCAPTCHA challenge from your application's\nbackend.\n\nFor web users, you can get the user's response token in one of three ways:\n\n- `g-recaptcha-response` POST parameter when the user submits the form on your site\n- [`grecaptcha.getResponse(opt_widget_id)`](/recaptcha/docs/display#js_api) after the user completes the reCAPTCHA challenge\n- As a string argument to your [callback function](/recaptcha/docs/display#render_param) if `data-callback` is specified in either the `g-recaptcha` tag attribute or the callback parameter in the `grecaptcha.render` method\n\nFor Android library users, you can call the\n[SafetyNetApi.RecaptchaTokenResult.getTokenResult()](https://developers.google.com/android/reference/com/google/android/gms/safetynet/SafetyNetApi.RecaptchaTokenResult.html#getTokenResult())\nmethod to get response token if the status returns successful.\n\nToken Restrictions\n------------------\n\nEach reCAPTCHA user response token is valid for two minutes, and can only be verified *once* to\nprevent replay attacks. If you need a new token, you can re-run the reCAPTCHA verification.\n\nAfter you get the response token, you need to verify it within two minutes with reCAPTCHA using the\nfollowing API to ensure the token is valid.\n\nAPI Request\n-----------\n\nURL: `https://www.google.com/recaptcha/api/siteverify`\n\nMETHOD: `POST`\n\n| POST Parameter | Description |\n|----------------|---------------------------------------------------------------------------------------------------|\n| `secret` | Required. The shared key between your site and reCAPTCHA. |\n| `response` | Required. The user response token provided by the reCAPTCHA client-side integration on your site. |\n| `remoteip` | Optional. The user's IP address. |\n\nAPI Response\n------------\n\nThe response is a JSON object: \n\n {\n \"success\": true|false,\n \"challenge_ts\": timestamp, // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)\n \"hostname\": string, // the hostname of the site where the reCAPTCHA was solved\n \"error-codes\": [...] // optional\n }\n\nFor reCAPTCHA Android: \n\n {\n \"success\": true|false,\n \"challenge_ts\": timestamp, // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)\n \"apk_package_name\": string, // the package name of the app where the reCAPTCHA was solved\n \"error-codes\": [...] // optional\n }\n\n### Error code reference\n\n| Error code | Description |\n|--------------------------|---------------------------------------------------------------------------------|\n| `missing-input-secret` | The secret parameter is missing. |\n| `invalid-input-secret` | The secret parameter is invalid or malformed. |\n| `missing-input-response` | The response parameter is missing. |\n| `invalid-input-response` | The response parameter is invalid or malformed. |\n| `bad-request` | The request is invalid or malformed. |\n| `timeout-or-duplicate` | The response is no longer valid: either is too old or has been used previously. |"]]
