Google has been defending millions of sites with reCAPTCHA for
over a decade. reCAPTCHA uses advanced risk analysis techniques
to detect fraud. With reCAPTCHA, you can protect your websites or mobile applications
from spam and abuse, and detect other types of fraudulent activities, such as
credential stuffing, account takeover (ATO), and automated account creation.
reCAPTCHA offers enhanced detection with more granular scores,
reason codes for risky events, mobile app SDKs, password leak detection,
multi-factor authentication (MFA), and the ability to tune your site-specific
model to protect enterprise businesses.
reCAPTCHA tiers
reCAPTCHA offers three usage-based tiers: Enterprise, Standard,
and Essentials.
How reCAPTCHA works
When reCAPTCHA is deployed in your environment, it interacts
with your backend and client (web pages or mobile applications).
When an end user visits a web page or uses a mobile application,
the following events are triggered in a sequence:
1. The client loads the web page from the backend or launches the mobile application.
2. The web page or mobile application initializes the reCAPTCHA JavaScript API or mobile SDK, which begins collecting signals.
3. When the end user triggers an action protected by reCAPTCHA such as login, the reCAPTCHA JavaScript API or the mobile SDK in the client requests a verdict from reCAPTCHA.
4. reCAPTCHA returns an encrypted reCAPTCHA token to the client for later use.
5. The client sends the encrypted reCAPTCHA token to the backend for assessment.
6. The backend sends the create assessment (assessments.create) request and the encrypted reCAPTCHA token to reCAPTCHA.
7. reCAPTCHA returns a verdict to the backend based on the risk evaluated for this request. This verdict consists of scores from 0.0 through 1.0 and reason codes.
8. Depending on the verdict, you (as the developer) can determine the next steps to take for that specific user request or action.
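Steps 6 through 8 from the backend's side, as an added example that is not Google's code: it builds the assessments.create request body and maps a returned verdict to allow, challenge or block, failing closed on an invalid token or a mismatched action. The sample responses are constructed, the field names follow the reCAPTCHA Enterprise REST API, and the function names and the 0.3 / 0.7 thresholds are assumptions to tune per site.

```python
# Constructed sample verdicts (step 7). Scores near 1.0 indicate a likely
# legitimate interaction; scores near 0.0 indicate likely abuse.
SAMPLES = {
    "human": {"tokenProperties": {"valid": True, "action": "login"},
              "riskAnalysis": {"score": 0.9, "reasons": []}},
    "bot": {"tokenProperties": {"valid": True, "action": "login"},
            "riskAnalysis": {"score": 0.1, "reasons": ["AUTOMATION"]}},
    "unsure": {"tokenProperties": {"valid": True, "action": "login"},
               "riskAnalysis": {"score": 0.5, "reasons": []}},
    "reused": {"tokenProperties": {"valid": False, "invalidReason": "DUPE"},
               "riskAnalysis": {"score": 0.0, "reasons": []}},
    "wrong_action": {"tokenProperties": {"valid": True, "action": "signup"},
                     "riskAnalysis": {"score": 0.9, "reasons": []}},
}


def build_assessment_request(token, site_key, expected_action):
    """Request body the backend sends with assessments.create (step 6)."""
    return {"event": {"token": token, "siteKey": site_key,
                      "expectedAction": expected_action}}


def decide(assessment, expected_action, allow_at=0.7, block_below=0.3):
    """Map a verdict to the next step (step 8). Thresholds are assumptions."""
    props = assessment.get("tokenProperties", {})
    risk = assessment.get("riskAnalysis", {})
    # Fail closed: an invalid, expired or reused token carries no usable score.
    if not props.get("valid", False):
        return "block", "invalid token: " + props.get("invalidReason", "unknown")
    # The token must have been issued for the action this endpoint protects.
    if props.get("action") != expected_action:
        return "block", "action mismatch"
    score = risk.get("score")
    if not isinstance(score, (int, float)) or not 0.0 <= score <= 1.0:
        return "block", "missing or out-of-range score"
    reasons = risk.get("reasons", [])
    if score < block_below:
        return "block", "low score"
    if score < allow_at or reasons:
        # Middle band, or reason codes on a high score: step up, e.g. with MFA.
        return "challenge", "needs step-up"
    return "allow", "ok"


if __name__ == "__main__":
    for name, verdict in SAMPLES.items():
        print(name, decide(verdict, "login"))
```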
The following sequence diagram shows the graphical representation of the
reCAPTCHA workflow:
Last updated 2025-08-29 UTC.