Secure Token

Important: This is a deprecated feature of the reCAPTCHA API. For the recommended replacement, please refer to Domain Validation.

A reCAPTCHA key is normally tied to a set of individual domains. However, if you have a large number of hosted domains and would like one key to work on all of them, the solution is the secure token.

Use the secure token to request a CAPTCHA challenge from any domain. By encrypting the secure token with your site secret you can prevent a spammer from requesting CAPTCHAs on your behalf.

Configuration

The value of the data-stoken field is the encrypted string of a JSON object that includes a unique session ID and a timestamp.

Name         Description
session_id   Required. A unique string that identifies this request. Every CAPTCHA request from your site needs a distinct session_id.
ts_ms        Required. Current timestamp in milliseconds.

Example

  1. Prepare a token in JSON format:
        {"session_id": "e6e9c56e-a7da-43b8-89fa-8e668cc0b86f", "ts_ms": 1421774317718}
        
  2. Encrypt it with your site secret using AES (see example). It will look something like this:
        "Fg2rtWDZ6kf_Cc1fZs5xKJWnkkVvZgNCF-5fVhPS5_r1fB2NRXPg3WobIUUsyOvfN-ElyBz3zz29lK5v9NE0ByWrGzicUWecnoV8hwSb6W4"
        
  3. Request a CAPTCHA using this secure token:
        <html>
          <head>
          ...
            <script src='//www.google.com/recaptcha/api.js'></script>
          </head>
          <body>
            <form>
            ...
              <div class="g-recaptcha" data-sitekey="{$sitekey}"
                  data-stoken="{$encryptedString}"></div>
            </form>
          </body>
        </html>
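
Steps 1 and 2 as an added Node.js example (not code from the original page or from Google's sample). The page does not state the AES mode or key derivation, so the block assumes AES-128-ECB with PKCS#7 padding, a key taken from the first 16 bytes of SHA-1(site secret), and unpadded URL-safe Base64 output; the function names and the sample secret are constructed.

```javascript
// Added example: build a data-stoken value server-side with Node's built-in crypto.
const crypto = require('crypto');

// Assumption: the AES-128 key is the first 16 bytes of SHA-1(site secret).
function deriveKey(siteSecret) {
  return crypto.createHash('sha1').update(siteSecret, 'utf8').digest().subarray(0, 16);
}

// Step 1 + 2: serialise {session_id, ts_ms} and encrypt it.
// sessionId and tsMs default to fresh values; they are parameters so a caller can pin them.
function createSecureToken(siteSecret, sessionId = crypto.randomUUID(), tsMs = Date.now()) {
  if (!siteSecret) throw new Error('site secret is required');
  const json = JSON.stringify({ session_id: sessionId, ts_ms: tsMs });
  // Assumption: ECB mode, PKCS#7 padding, no IV (hence the null third argument).
  const cipher = crypto.createCipheriv('aes-128-ecb', deriveKey(siteSecret), null);
  const ciphertext = Buffer.concat([cipher.update(json, 'utf8'), cipher.final()]);
  return ciphertext.toString('base64url'); // URL-safe alphabet, no '=' padding
}

// Inverse operation, useful for checking a token you generated before embedding it.
function decodeSecureToken(siteSecret, token) {
  const decipher = crypto.createDecipheriv('aes-128-ecb', deriveKey(siteSecret), null);
  const plaintext = Buffer.concat([
    decipher.update(Buffer.from(token, 'base64url')),
    decipher.final(),
  ]);
  return JSON.parse(plaintext.toString('utf8'));
}

// Constructed sample secret; the real one must stay on the server.
const SAMPLE_SECRET = 'constructed-sample-site-secret';
const token = createSecureToken(SAMPLE_SECRET);
console.log('data-stoken =', token);
console.log('decoded     =', decodeSecureToken(SAMPLE_SECRET, token));
```

Generate the token per page render on the server and write it into data-stoken; under the assumed scheme identical inputs produce an identical token, so the fresh session_id and ts_ms are the only per-request variation.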
        

See the code example on GitHub for more reference.