Frequently asked questions

What happens to reCAPTCHA v1?

Any calls to the v1 API will not work after March 31, 2018. Starting in November 2017, a percentage of reCAPTCHA v1 traffic will begin to show a notice informing users that the old API will soon be retired.

Most websites around the world have already switched to reCAPTCHA v2, where humans pass effortlessly. With our advanced risk analysis engine, reCAPTCHA v2 can effectively separate humans from bots and always stay ahead of the attackers.

If your site still uses reCAPTCHA v1, please upgrade to reCAPTCHA v2 immediately. We no longer support reCAPTCHA v1. Any calls to the v1 API will not work after March 31, 2018. Please register a new key and upgrade to v2.

I'd like to run automated tests with reCAPTCHA v2. What should I do?

With the following test keys, you will always get No CAPTCHA and all verification requests will pass.

  • Site key: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
  • Secret key: 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe

The reCAPTCHA widget will show a warning message to claim that it's only for testing purpose. Please do not use these keys for your production traffic.

I want to learn how reCAPTCHA grades my site traffic. Is there a report that I can check?

Yes. reCAPTCHA reports the daily pass and fail stats in the admin console. If you are using reCAPTCHA v2, you can also see how many No CAPTCHAs were rendered per day as well as site spam index chart. You are strongly encouraged to upgrade to reCAPTCHA v2 to enjoy these advanced features.

Can I customize the reCAPTCHA widget?

Yes. reCAPTCHA offers two themes, light and dark, as shown below. To choose a theme, simply set the data-theme attribute in the grecaptcha.render parameter.

Light theme:

Dark theme:

Or use the Invisible reCAPTCHA. Using the Invisible reCAPTCHA you have more control over the UI.

Does reCAPTCHA support users that don't have JavaScript enabled?

reCAPTCHA can only provide the optimal experience in terms of security and usability with JavaScript enabled. However, if supporting users who have disabled JavaScript is important for your site, you can enable the alternative challenge with the following steps. Navigate to the admin console and move the security preference slider to "easiest for users". Keep in mind that with this setting reCAPTCHA won't be able to use all of its security features.

Then, you must add the following <noscript> HTML immediately following the g-recaptcha tag.

<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<div class="g-recaptcha" data-sitekey="your_site_key"></div>
<noscript>
  <div>
    <div style="width: 302px; height: 422px; position: relative;">
      <div style="width: 302px; height: 422px; position: absolute;">
        <iframe src="https://www.google.com/recaptcha/api/fallback?k=your_site_key"
                frameborder="0" scrolling="no"
                style="width: 302px; height:422px; border-style: none;">
        </iframe>
      </div>
    </div>
    <div style="width: 300px; height: 60px; border-style: none;
                   bottom: 12px; left: 25px; margin: 0px; padding: 0px; right: 25px;
                   background: #f9f9f9; border: 1px solid #c1c1c1; border-radius: 3px;">
      <textarea id="g-recaptcha-response" name="g-recaptcha-response"
                   class="g-recaptcha-response"
                   style="width: 250px; height: 40px; border: 1px solid #c1c1c1;
                          margin: 10px 25px; padding: 0px; resize: none;" >
      </textarea>
    </div>
  </div>
</noscript>
The Invisible reCAPTCHA requires JavaScript and has no support for browsers without JavaScript enabled.

Recently my reCAPTCHA widget started displaying "Invalid site key". What's happening?

If you are seeing this error, your reCAPTCHA site key is no longer valid. To activate, please register a new key and follow the instructions on that page.

I'm getting an uncaught SecurityError: blocked a frame with origin "https://www.google.com" from accessing a frame with origin "<your domain>". What should I do?

This typically occurs if the reCAPTCHA widget HTML element is programmatically removed sometime after the end user clicks on the checkbox. We recommend using the grecaptcha.reset() javascript function to reset the reCAPTCHA widget.

I'm using Content-Security-Policy (CSP) on my website. How can I configure it to work with reCAPTCHA?

We recommend using the nonce-based approach documented with CSP3. Make sure to include your nonce in the reCAPTCHA api.js script tag, and we'll handle the rest.

Note: reCAPTCHA also works with 'strict-dynamic' on browsers that support it.

Alternatively, please add the following values to the directives:

  • script-src https://www.google.com/recaptcha/, https://www.gstatic.com/recaptcha/
  • frame-src https://www.google.com/recaptcha/
  • style-src 'unsafe-inline'

I'm getting an error "Localhost is not in the list of supported domains". This was working before, what should I do?

localhost domains are no longer supported by default. If you wish to continue supporting them for development you can add them to the list of supported domains for your site key. Go to the admin console to update your list of supported domains. We advise to use a separate key for development and production and to not allow localhost on your production site key.

Only on iOS 10, the page scrolls to the bottom when the user completes the challenge?

This is a focusing bug on Apple's side that we've reported to them. It affects users only on iOS 10 and only on some sites. If you are affected, a workaround is to move the reCAPTCHA widget higher or lower on the page, or use the new invisible reCAPTCHA.

My computer or network may be sending automated queries?

If you were directed to this page from the reCAPTCHA widget, you would have seen a message that said "We're sorry, but your computer or network may be sending automated queries. To protect our users, we can't process your request right now."

This can unfortunately happen to good users for a few reasons:

  • You may be on a shared network that is being used abusively
  • Your internet service provider may have recently assigned you a suspicious IP address
  • The site you are trying to access may be currently under heavy attack

To troubleshoot these issues, please look at the unusual traffic help page, or try again later.