This document explains the migration of reCAPTCHA Classic to reCAPTCHA Enterprise on Google Cloud, including the reasons to migrate, the automated process, and the impact on your existing reCAPTCHA implementations.
Why migrate to reCAPTCHA
reCAPTCHA on Google Cloud provides enterprise-grade features like account defender, SMS defense, multi-factor authentication, and fraud prevention. The platform uses Google Cloud for dashboards and integrates with Cloud Monitoring and Looker for enhanced monitoring, reporting, and alerts.
Whether you migrate your keys yourself or wait for the automated migration, your keys continue to function without any code changes.
Impact on existing keys and data
Your existing v2 or v3 site keys continue to work after migration. You don't need to change any code on your website. The key continues to function even if you don't immediately accept the project ownership invitation.
Google Cloud-based deployment benefits
Moving to the Google Cloud-based deployment provides the following benefits:
- Simplified technology: All reCAPTCHA development is dedicated to this unique offering.
- Stronger compliance: The platform improves adherence to data protection regulations by shifting from data controller to data processor.
- Advanced feature exposure: You gain access to advanced features such as Account Defense and Password Defense, as well as an improved Google Cloud console experience that includes generative AI insights and an enhanced dashboard.
- Resolves terms of service issues: The platform resolves issues where users' transitive enterprise use Terms of Service restrict their data usage.
Automatic migration process overview
If you don't migrate your keys yourself, reCAPTCHA automatically migrates them. The automatic migration provisions a Google Cloud project and associates your reCAPTCHA keys with that project. Automigration includes the following steps:
1. A Google Cloud project is created to hold your existing keys.
2. Your project keys are associated with the Google Cloud project.
3. An email invitation is sent to you to accept ownership of the project. If a key has multiple owners, all of them are invited to the same new project.
Project ownership invitations don't expire. Your keys continue to function after migration. However, to manage the keys, such as to create, delete, or modify them, you must accept the project.
If you have an existing Google Cloud account, you can move the project that was created by the automigration process to your existing Google Cloud account by creating a new reCAPTCHA key in a project of the existing Google Cloud account.
Migration timeline
All reCAPTCHA Classic customers must migrate or will be migrated to Google Cloud by the end of 2025. The process involves the following phases.
- Q3 2024: New Classic keys are no longer allowed.
- Q1 2025: The first notification that informs customers to migrate using the self-migration tool is sent.
- Q3 2025: A follow-up notification is sent to customers that haven't yet migrated from Classic, which links directly to the migration tool in the Google Cloud console.
- Q4 2025: Customers are automatically migrated from Classic to the Enterprise version.
- Q4 2025: All Classic keys are rejected, with API access locked for keys without a Google Cloud project.
You can migrate your Classic accounts at your convenience. Consider your company's code freeze schedule when planning your migration. The Google team automatically migrates your Classic accounts in October if you don't migrate your account. No immediate code changes are required. SiteVerify requests continue to function as they did before the migration. Migrate and create an assessment after your account migrates to Google Cloud to use the advanced features.
Access to the reCAPTCHA Admin console
The reCAPTCHA Admin console remains available. After you migrate your account to Google Cloud, you can still access your historical data and any configuration related to your Classic accounts from the reCAPTCHA Admin console. However, any changes to key configuration must be made through the Google Cloud console.
If you don't accept project ownership after your account is migrated, the reCAPTCHA Admin console will redirect you to accept project ownership.
Billing and enforcement
reCAPTCHA Enterprise has a free tier of 10,000 monthly assessments. For usage over 10,000 assessments per month, you must enable billing for your Google Cloud project.
If you exceed the free 10,000 monthly assessments after automigration and don't enable billing, reCAPTCHA returns an error for any new request.
- SiteVerify requests: After migration, SiteVerify requests that exceed their quota will fail open. This means that they will return success:true with a score of 0.9, and the API response will include an error message indicating that you exceeded the quota. This behavior is designed to prevent valid users from being blocked, similar to the previous Classic reCAPTCHA policy. It is a change in API behavior for Enterprise keys.
- CreateAssessment requests: After migration, CreateAssessment requests that exceed their quota will fail open. To help prevent this, over-quota notifications and emails will alert you about a missing billing account.
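Because an over-quota SiteVerify response carries success:true and a score of 0.9, a backend that checks only those two fields cannot tell it apart from a genuine high-confidence result. The following is an added example, not code from Google or from this page: a hypothetical helper, `evaluate_siteverify`, that treats a success:true response accompanied by an error message as degraded and routes it to a secondary control. It assumes the over-quota message arrives in the standard `error-codes` list of the SiteVerify response; the over-quota string, the score threshold and the decision names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Verdict:
    decision: str  # "allow", "step_up" or "deny"
    reason: str


def evaluate_siteverify(resp: dict, expected_action: Optional[str] = None,
                        min_score: float = 0.5) -> Verdict:
    """Turn a parsed SiteVerify JSON response into a decision (hypothetical helper)."""
    # Assumption: the over-quota message arrives in the "error-codes" list.
    errors = resp.get("error-codes") or []
    if resp.get("success") is not True:
        return Verdict("deny", "verification failed: " + ",".join(errors))
    if errors:
        # success:true together with an error is the fail-open shape: the
        # score (0.9 per the page) was not computed from this request.
        return Verdict("step_up", "degraded, score untrusted: " + ",".join(errors))
    score = resp.get("score")
    if score is None:
        return Verdict("allow", "checkbox (v2) verification passed")
    if expected_action is not None and resp.get("action") != expected_action:
        return Verdict("deny", "action mismatch")
    if score < min_score:
        return Verdict("step_up", "score %.1f below threshold" % score)
    return Verdict("allow", "score %.1f" % score)


# Constructed sample responses; the over-quota error string is a placeholder.
NORMAL = {"success": True, "score": 0.9, "action": "login"}
LOW = {"success": True, "score": 0.1, "action": "login"}
FAIL_OPEN = {"success": True, "score": 0.9, "action": "login",
             "error-codes": ["PLACEHOLDER-over-quota"]}
INVALID = {"success": False, "error-codes": ["invalid-input-response"]}

if __name__ == "__main__":
    for name, resp in [("normal", NORMAL), ("low", LOW),
                       ("fail_open", FAIL_OPEN), ("invalid", INVALID)]:
        print(name, evaluate_siteverify(resp, expected_action="login"))
```

Logging every `step_up` verdict with its reason gives you an application-side signal of quota exhaustion in addition to the over-quota notifications and emails.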
Key management and monitoring
After migration, you onboard to the Google Cloud console for key management. Use the Google Cloud console to monitor your site's traffic and analyze risk for requests that occur after the migration.