A reCAPTCHA key is normally tied to a set of individual domains or package names. For web users, the API key pair is unique to the domains and first-level subdomains that you specify. Specifying more than one domain could come in handy if you serve your website from multiple top level domains.
For example, if you specify the API key pair to yoursite.com, the following table shows whether or not reCAPTCHA will work for the domain and its subdomain variations. If you specify other domain names or TLDs (for example: anothersite.com, yoursite.net), the same reCAPTCHA conditions apply.
|Specified domain||Website domain||Will reCAPTCHA work?|
If you would like to use "localhost" for development, you must add it to the list of domains.
For mobile users, the API key pair is only unique to the specified package names (for example, com.google.recaptcha.test).
However, if your domain or package name list is extremely long, fluid, or unknown, we give you the option to turn off the domain or package name checking on reCAPTCHA's end, and instead check on your server.
To do so, in the admin console, go to "Advanced Settings" for your key, and untick the "Domain/Package Name Validation" box.
Turning off this protection by itself poses a large security risk - your key could be taken and used by anyone, as there are no restrictions as to the site it's on. For this reason, when verifying a solution, you are required to check the hostname/package field and reject any solutions that are coming from unexpected sources.