How to Test and Verify Google reCAPTCHA v3

Google reCAPTCHA v3 offers frictionless bot detection for your web applications by returning a score based on user interactions. Unlike v2, v3 does not require user interaction with a widget, making it seamless for users.

In this article, you’ll learn how to test and verify reCAPTCHA v3 tokens using test credentials and how to integrate it into your workflow.

What is Google reCAPTCHA v3?

reCAPTCHA v3 works in the background to analyze user behavior and returns a score (0.0–1.0) indicating the likelihood that the request is legitimate. You can use this score to take appropriate actions in your application.

Test Credentials

Google provides test keys for development:

• Test Site Key: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
• Test Secret: 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe

These keys always return a score of 0.9 and should only be used for testing.

How to Integrate reCAPTCHA v3

1. Add the reCAPTCHA v3 Script

Include the following script in your HTML, replacing SITE_KEY with your site key:

<script src="https://www.google.com/recaptcha/api.js?render=SITE_KEY"></script>

2. Generate a Token

Call grecaptcha.execute to generate a token for a specific action:

grecaptcha.ready(function() {
  grecaptcha.execute('SITE_KEY', {action: 'homepage'}).then(function(token) {
    // Send token to your backend for verification
    console.log(token);
  });
});

3. Verify the Token on the Server

Send the token to your backend and verify it with the secret key:

// Example using fetch in Node.js or browser
async function verifyCaptchaV3(secret, token) {
  const res = await fetch("https://www.google.com/recaptcha/api/siteverify", {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: `secret=${encodeURIComponent(secret)}&response=${encodeURIComponent(token)}`,
  });
  return await res.json();
}

The response will include a score and action. For test keys, the score is always 0.9.

4. Example: Testing with Test Credentials

You can use the test site key and secret to generate and verify tokens during development. The process is similar to v2, but without a visible widget.

Steps:

1. Add the script with the test site key.
2. Call grecaptcha.execute for your action.
3. Copy the generated token.
4. Verify the token using the test secret and the /siteverify API.

Example Verification Response

{
  "success": true,
  "score": 0.9,
  "action": "homepage",
  "challenge_ts": "2025-01-03T12:34:56Z",
  "hostname": "localhost"
}

Conclusion

Google reCAPTCHA v3 provides a seamless way to protect your site from bots without user friction. By using the test credentials, you can safely develop and test your integration before going live.

• Use the test keys for development only.
• Always verify the token server-side.
• Adjust your application’s logic based on the returned score.

For more details, visit the official reCAPTCHA documentation.

Advanced reCAPTCHA v3 Implementation

Score Analysis and Thresholds

reCAPTCHA v3 returns a score between 0.0 (likely bot) and 1.0 (likely human). Understanding how to interpret and act on these scores is crucial:

Recommended Thresholds:

• 0.9-1.0: Very likely human – Allow all actions
• 0.7-0.8: Likely human – Allow most actions, maybe add light verification
• 0.3-0.6: Suspicious – Require additional verification (email, phone)
• 0.1-0.2: Likely bot – Block or require strong verification
• 0.0-0.1: Very likely bot – Block immediately

Dynamic Threshold Adjustment: Consider adjusting thresholds based on:

• Time of day (bots often operate during off-hours)
• Geographic location
• User behavior patterns
• Business criticality of the action

Action-Specific Implementation

Login Protection:

grecaptcha.ready(() => {
  grecaptcha.execute('your-site-key', { action: 'login' })
    .then((token) => {
      // Include token with login request
      submitLoginWithToken(token);
    });
});

Form Submission:

grecaptcha.ready(() => {
  grecaptcha.execute('your-site-key', { action: 'contact_form' })
    .then((token) => {
      document.getElementById('g-recaptcha-response').value = token;
      document.getElementById('contact-form').submit();
    });
});

Performance and UX Optimization

Preloading Strategy:

// Preload reCAPTCHA on page load
window.addEventListener('load', () => {
  grecaptcha.ready(() => {
    // Pre-execute for common actions to improve response time
    grecaptcha.execute('your-site-key', { action: 'page_view' });
  });
});

Analytics and Monitoring

Custom Dashboards: Track key metrics:

• Score distribution over time
• Action-specific success rates
• Geographic score variations
• Bot detection accuracy

Testing with OD2 Tools

The OD2 reCAPTCHA v3 Testing Tool helps you:

• Generate test tokens with various actions
• Validate your server-side verification logic
• Debug score threshold implementations
• Test different integration patterns

This tool is essential for developers implementing reCAPTCHA v3, providing a sandbox environment to perfect your integration before production deployment.

Conclusion

reCAPTCHA v3 represents a significant advancement in bot detection technology, providing seamless user experiences while maintaining robust security. Success with v3 requires understanding score interpretation, implementing proper server-side logic, and continuously monitoring performance.

Key takeaways:

• Always verify tokens server-side
• Use action-specific implementations
• Monitor and adjust score thresholds
• Implement progressive enhancement
• Combine with other security measures

Start testing your reCAPTCHA v3 implementation today with the OD2 testing tool and build more secure, user-friendly applications.