Secure Token

Important: This is a deprecated feature of the reCAPTCHA API. For the recommended replacement, please refer to Domain Validation.

A reCAPTCHA key is normally tied to a set of individual domains. However, if you host a large number of domains and want one key to work on all of them, the solution is the secure token.

Use the secure token to request a CAPTCHA challenge from any domain. By encrypting the secure token with your site secret you can prevent a spammer from requesting CAPTCHAs on your behalf.


The data-stoken attribute carries an encrypted string of a JSON object that includes a unique session id and a timestamp.

Name         Description
session_id   Required. A unique string that identifies this request. Every CAPTCHA request from your site needs a distinct session_id.
ts_ms        Required. Current timestamp in milliseconds.


  1. Prepare a token in JSON format:
         {"session_id": "e6e9c56e-a7da-43b8-89fa-8e668cc0b86f", "ts_ms": 1421774317718}
  2. Encrypt it with your site secret using AES (see example). It will look something like this:
  3. Request a CAPTCHA using this secure token:
         <script src='//'></script>
         <div class="g-recaptcha" data-sitekey="{$sitekey}" data-stoken="{$stoken}"></div>

See the code example on GitHub for more details.
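
Steps 1 and 2 above as an added Node.js example; it is not Google's code or the example this page links to. The page only says "AES", so the key derivation (first 16 bytes of SHA-1 of the site secret), ECB mode with PKCS#7 padding and unpadded URL-safe Base64 output are assumptions, as are all function names.

```javascript
"use strict";
const nodeCrypto = require("node:crypto");

// Assumption (not stated on the page): the 128-bit AES key is the
// first 16 bytes of SHA-1(site secret).
function deriveKey(siteSecret) {
  return nodeCrypto.createHash("sha1").update(siteSecret, "utf8").digest().subarray(0, 16);
}

// Step 1: JSON token with a fresh session_id and the current time in ms.
// Every CAPTCHA request needs a distinct session_id, so one is generated per call.
function buildToken(nowMs = Date.now()) {
  return JSON.stringify({ session_id: nodeCrypto.randomUUID(), ts_ms: nowMs });
}

// Step 2: encrypt the JSON with the site secret.
// Assumption: AES-128-ECB, PKCS#7 padding, unpadded base64url output.
// ECB is unauthenticated and deterministic; the unique session_id and
// ts_ms are what make each token differ.
function encryptToken(tokenJson, siteSecret) {
  const cipher = nodeCrypto.createCipheriv("aes-128-ecb", deriveKey(siteSecret), null);
  const ct = Buffer.concat([cipher.update(tokenJson, "utf8"), cipher.final()]);
  return ct.toString("base64url");
}

// Inverse of encryptToken, useful for checking a token you generated.
function decryptToken(stoken, siteSecret) {
  const decipher = nodeCrypto.createDecipheriv("aes-128-ecb", deriveKey(siteSecret), null);
  const pt = Buffer.concat([decipher.update(Buffer.from(stoken, "base64url")), decipher.final()]);
  return pt.toString("utf8");
}

// Value for the data-stoken attribute in step 3; call once per page render.
function createSecureToken(siteSecret) {
  return encryptToken(buildToken(), siteSecret);
}
```

Generate the token server-side on every render so the site secret never reaches the browser and no session_id is reused.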