
Stop Guessing, Start Challenging: Introducing reCAPTCHA's Policy-based challenges

  • October 7, 2025
  • 5 replies
  • 7949 views

Sheik
Staff

TL;DR: We're launching Policy-based challenges for reCAPTCHA. This new feature bridges the gap between passive, score-based protection and user-facing challenges, giving you precise, deterministic control. Now you can:

  • Trigger challenges based on your selected risk scores, not a black box.
  • Set custom risk score thresholds for specific user actions (e.g., login, checkout).
  • Intelligently apply friction only to suspicious traffic, protecting user experience and your properties.

reCAPTCHA previously offered two distinct capabilities for protecting your web properties from fraud and abuse.

First, there's score-based detection, a powerful, frictionless way to assess interaction risk behind the scenes, providing a score from 0.0 to 1.0. This option offers flexibility, giving you the final decision on how to act on the score.

Second, there are checkbox challenges, which provide a clear "pass/fail" verification with a risk score. While effective, the timing of these challenges was not customizable.

Now, we're empowering organizations with greater control over their fraud prevention strategies.

Bridging the Gap: The Power of Policy-based challenges 🎯


Policy-based challenges combine the sophisticated risk analysis of reCAPTCHA with explicit verification using a CAPTCHA, all under your control.

Think of it as a smart security guard. Instead of checking everyone's ID or no one's, you can now give the guard a specific rulebook: "If someone tries to access a high value action (action: 'checkout') and they look less trustworthy (score < 0.1), then issue a challenge to verify their identity."


With Policy-based challenges, you can:

  • Apply Surgical Precision: Trigger a CAPTCHA only when a user's risk score falls below a threshold you define.
  • Implement Granular, Action-Based Control: Secure high-value actions more aggressively. For example, set a strict score threshold of 0.2 for signup to prevent fake account creation, but a more lenient 0.5 for add_to_cart. This is controlled using the action parameter you already use in your assessments.
  • Deploy Intelligent Friction: Let legitimate users prove they're human when their score is borderline, reducing false positives. Force bots to face a challenge, reducing false negatives.


How It Works: The Technical Details


Implementation is straightforward and designed to integrate cleanly into your existing reCAPTCHA setup.

  1. Frontend: When a user performs an action, your frontend calls grecaptcha.enterprise.execute() with the site key and an action name to get a reCAPTCHA token.
  2. Backend: reCAPTCHA now evaluates the request, generates a risk score and compares it with the default threshold configured in your Policy-based challenge. If the score is equal to or less than the threshold, a challenge is shown to the user. Once the user solves the challenge, a token is generated. You send this token to your backend, which calls the createAssessment API endpoint.
  3. The API Response: The JSON response from createAssessment now includes a new challengeMetrics object. If your policy triggers a challenge, this object will tell you the outcome:

     {
       "name": "ASSESSMENT_ID",
       "riskAnalysis": {
         "score": 0.3,
         "reasons": ["AUTOMATION"],
         "challenge": "PASS"
       }
     }

  4. Your backend logic can then inspect challengeMetrics.passed or challengeMetrics.failed to deterministically confirm whether the user solved the challenge.
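The backend side of the flow above, as an added example that is not code from this post or from the reCAPTCHA SDK: it builds the createAssessment request body, then decides whether to allow the action from the returned assessment alone (token validity, action match, recorded challenge outcome, and finally the score against the same threshold the policy uses). The per-action thresholds and the sample responses are constructed assumptions; the outcome check reads riskAnalysis.challenge as shown in the sample above and accepts any value starting with PASS or FAIL.

```javascript
// Added example, not code from the post or from the reCAPTCHA SDK: backend
// decision logic for a createAssessment response under a Policy-based
// challenge key. Field names under tokenProperties and riskAnalysis follow
// the reCAPTCHA Enterprise Assessment resource; the thresholds below are
// assumed values mirroring a policy configured in the console (the policy
// itself is not returned by the API, so the backend keeps its own copy).
const ACTION_THRESHOLDS = { signup: 0.2, add_to_cart: 0.5 };
const DEFAULT_THRESHOLD = 0.5;

function thresholdFor(action) {
  return Object.prototype.hasOwnProperty.call(ACTION_THRESHOLDS, action)
    ? ACTION_THRESHOLDS[action] : DEFAULT_THRESHOLD;
}

// Body for POST https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT/assessments
function buildAssessmentRequest(token, siteKey, expectedAction) {
  return { event: { token, siteKey, expectedAction } };
}

// Returns { allow, reason }. Only the outcome recorded in the assessment
// counts; nothing the client claims about having solved a challenge does.
function decide(assessment, expectedAction) {
  const tp = assessment.tokenProperties || {};
  if (!tp.valid) return { allow: false, reason: "invalid token" };
  // A token minted for one action must not be replayed for another.
  if (tp.action !== expectedAction) return { allow: false, reason: "action mismatch" };
  const ra = assessment.riskAnalysis || {};
  const outcome = String(ra.challenge || "").toUpperCase();
  if (outcome.startsWith("FAIL")) return { allow: false, reason: "challenge failed" };
  if (outcome.startsWith("PASS")) return { allow: true, reason: "challenge passed" };
  // No challenge outcome: the score alone decides, against the policy threshold.
  if (typeof ra.score !== "number") return { allow: false, reason: "no score" };
  const threshold = thresholdFor(expectedAction);
  if (ra.score < threshold) return { allow: false, reason: "low score, no challenge recorded" };
  return { allow: true, reason: "score above threshold" };
}

// Constructed sample responses shaped like the post's example.
const PASSED_CHECKOUT = {
  name: "ASSESSMENT_ID",
  tokenProperties: { valid: true, action: "checkout" },
  riskAnalysis: { score: 0.3, reasons: ["AUTOMATION"], challenge: "PASS" },
};
const LOW_SCORE_NO_CHALLENGE = {
  name: "ASSESSMENT_ID",
  tokenProperties: { valid: true, action: "signup" },
  riskAnalysis: { score: 0.1, reasons: ["AUTOMATION"] },
};
```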

Getting Started: Configuration in 3 Steps

Configuring your policy is simple:

  1. Create or Edit Your Key: In the Google Cloud Console, navigate to Security > reCAPTCHA. When creating a key (or editing an existing one), enable the "Use challenges" option.
  2. Select "Policy-Based Challenge": This will reveal the policy configuration. You can set a default score threshold that applies to all actions. For example, a threshold of 0.5 will trigger a challenge for any assessment scoring below 0.5.
  3. (Optional) Add Action-Specific Overrides: Use the console or gcloud commands to set different thresholds for specific actions (e.g., login, signup, password_reset). This gives you fine-grained control over your most critical user flows.

You can monitor the performance of your policies, including challenge rates and pass/fail trends, directly from the reCAPTCHA dashboard in the Cloud Console. For more details, check out the official documentation.

What's Next? A New Foundation for Control 🚀

Policy-based challenges are more than just a feature; they are the foundation for a more powerful and adaptable approach to abuse prevention. By giving you direct control over challenge logic, we're empowering you to build more nuanced security strategies tailored to the unique risks facing your business.

We're committed to building the future of abuse prevention—one that is intelligent, customizable, and puts you in control. Get started with Policy-based challenges today and take the guesswork out of your security.

5 replies

gildor
  • Bronze 1
  • November 10, 2025

Are there any plans for implementing Policy Based Challenge for mobile SDKs?

For exactly the same reasoning that you mentioned in your post.


Sheik
Staff
  • Author
  • Staff
  • November 11, 2025

Hi,

We do not have any plans at this moment, but would like to know whether that would help your use case. If so, can you briefly describe your use case along with the mobile environment you are interested in deploying?


Reed_Lim
  • New Member
  • November 14, 2025

Hi,


When using a testing key, does the challengeMetrics always return a ‘pass’ value?

Deliberately failing the image/audio challenge didn't achieve the result I expected. Could you advise, or is this expected behaviour?

Cheers.


gildor
  • Bronze 1
  • November 19, 2025

@Sheik  Hey, thanks for the answer


Our use case is the same as for web. We would like to have a captcha challenge for users with a low rating.

We would like to have it on Android and iOS, so we still have control over captcha and scores, balancing score-only and invisible rating with a challenge where we feel it appropriate.

It was available for reCaptcha with the SafetyNet SDK, and it is how it still works on web.


davidreghay
  • New Member
  • December 1, 2025

It looks like for policy based challenge keys, as opposed to action keys, it’s impossible to obtain tokens in quick succession for successive actions. If, for example at first grecaptcha.enterprise.execute is called on the site key passing in an action like “login”, a token is successfully obtained. However, there is a significant wait time imposed before another token can be obtained even if no challenge needs to be rendered for either the first or second action. This is problematic for cases where, for example, one protected action needs to be undertaken immediately after the first one proceeds. Is there any particular reason this is the case? Is it possible this could be updated so that this limitation is removed?