TL;DR: We're launching Policy-based challenges for reCAPTCHA. This new feature bridges the gap between passive, score-based protection and user-facing challenges, giving you precise, deterministic control. Now you can:
- Trigger challenges based on your selected risk scores, not a black box.
- Set custom risk score thresholds for specific user actions (e.g., login, checkout).
- Intelligently apply friction only to suspicious traffic, protecting user experience and your properties.
reCAPTCHA previously offered two distinct capabilities for protecting your web properties from fraud and abuse.
First, there's score-based detection, a powerful, frictionless way to assess interaction risk behind the scenes, providing a score from 0.0 to 1.0. This option offers flexibility, giving you the final decision on how to act on the score.
Second, there are checkbox challenges, which provide a clear "pass/fail" verification with a risk score. While effective, the timing of these challenges was not customizable.
Now, we're empowering organizations with greater control over their fraud prevention strategies.
Bridging the Gap: The Power of Policy-based challenges 🎯
Policy-based challenges combine the sophisticated risk analysis of reCAPTCHA with explicit CAPTCHA verification, all under your control.
Think of it as a smart security guard. Instead of checking everyone's ID or no one's, you can now give the guard a specific rulebook: "If someone tries to access a high-value action (action: 'checkout') and they look less trustworthy (score < 0.1), then issue a challenge to verify their identity."

With Policy-based challenges, you can:
- Apply Surgical Precision: Trigger a CAPTCHA only when a user's risk score falls below a threshold you define.
- Implement Granular, Action-Based Control: Secure high-value actions more aggressively. For example, set a strict score threshold of 0.2 for signup to prevent fake account creation, but a more lenient 0.5 for add_to_cart. This is controlled using the action parameter you already use in your assessments.
- Deploy Intelligent Friction: Let legitimate users prove they're human when their score is borderline, reducing false positives. Force bots to face a challenge, reducing false negatives.
How It Works: The Technical Details
Implementation is straightforward and designed to integrate cleanly into your existing reCAPTCHA setup.
- Frontend: When a user performs an action, your frontend calls grecaptcha.enterprise.execute() with the site key and an action name to get a reCAPTCHA token.
- Backend: reCAPTCHA evaluates the request, generates a risk score, and compares it with the default threshold configured in the Policy-based challenge (or an action-specific override, if you set one). If the score is equal to or less than the threshold, a challenge is shown to the user. Once the user solves the challenge, a token is generated. You send this token to your backend, which calls the createAssessment API endpoint.
- The API Response: The JSON response from createAssessment now includes a new challengeMetrics object. If your policy triggers a challenge, this object will tell you the outcome.
JSON
{
  "name": "ASSESSMENT_ID",
  "riskAnalysis": {
    "score": 0.3,
    "reasons": ["AUTOMATION"],
    "challenge": "PASS"
  }
}
- Your backend logic can then inspect challengeMetrics.passed or challengeMetrics.failed to deterministically confirm if the user solved the challenge.
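As an added example (not code from this post, nor from Google's reCAPTCHA client libraries), the following Python shows the backend side of the flow above: building the createAssessment request body for a token and expected action, then turning the JSON response into an allow/deny verdict. It assumes the standard tokenProperties fields of the assessment response (valid, action, invalidReason), which the post does not show, reads the challenge outcome from riskAnalysis.challenge as in the post's sample, and keeps a server-side copy of the per-action thresholds as defence in depth. The threshold values and the sample responses are constructed for illustration.

```python
import json

# Per-action score thresholds. Constructed example values that mirror the policy the
# post describes (strict for signup/checkout, lenient for add_to_cart); they are the
# backend's own copy, not something read back from reCAPTCHA.
DEFAULT_THRESHOLD = 0.5
ACTION_THRESHOLDS = {"signup": 0.2, "checkout": 0.1, "add_to_cart": 0.5}

# Outcome strings treated as "challenge solved" / "challenge failed". The post's sample
# shows "PASS"; the API enum may spell these "PASSED"/"FAILED", so both are accepted
# (assumption).
CHALLENGE_PASSED = {"PASS", "PASSED"}
CHALLENGE_FAILED = {"FAIL", "FAILED"}


def threshold_for(action):
    """Threshold that applies to an action, falling back to the key-wide default."""
    return ACTION_THRESHOLDS.get(action, DEFAULT_THRESHOLD)


def build_assessment_request(token, site_key, expected_action):
    """Request body for createAssessment. expectedAction binds the token to the action
    the backend is actually protecting, so a token minted for add_to_cart cannot be
    replayed against checkout."""
    return {"event": {"token": token, "siteKey": site_key,
                      "expectedAction": expected_action}}


def evaluate_assessment(raw_response, expected_action):
    """Turn a createAssessment JSON response into (verdict, reason).

    Checks run in order of severity: token validity, action binding, explicit
    challenge outcome, and finally the score against the local threshold.
    """
    assessment = json.loads(raw_response)

    props = assessment.get("tokenProperties", {})
    if not props.get("valid", False):
        return "deny", "invalid_token:" + props.get("invalidReason", "UNKNOWN")
    if props.get("action") != expected_action:
        return "deny", "action_mismatch"

    risk = assessment.get("riskAnalysis", {})
    challenge = risk.get("challenge")
    if challenge in CHALLENGE_FAILED:
        return "deny", "challenge_failed"
    if challenge in CHALLENGE_PASSED:
        return "allow", "challenge_passed"

    # No challenge outcome: apply the threshold locally. The post states a challenge
    # is triggered when the score is equal to or less than the threshold, so the same
    # comparison is used here.
    score = float(risk.get("score", 0.0))
    if score <= threshold_for(expected_action):
        return "deny", "score_below_threshold:" + ",".join(risk.get("reasons", []))
    return "allow", "score_ok"


# Constructed sample responses (not real API output); the first mirrors the post's sample.
SAMPLE_RESPONSES = {
    "checkout_passed": json.dumps({
        "name": "ASSESSMENT_ID",
        "tokenProperties": {"valid": True, "action": "checkout"},
        "riskAnalysis": {"score": 0.3, "reasons": ["AUTOMATION"], "challenge": "PASS"},
    }),
    "signup_failed": json.dumps({
        "tokenProperties": {"valid": True, "action": "signup"},
        "riskAnalysis": {"score": 0.1, "reasons": ["AUTOMATION"], "challenge": "FAILED"},
    }),
    "cart_clean": json.dumps({
        "tokenProperties": {"valid": True, "action": "add_to_cart"},
        "riskAnalysis": {"score": 0.7, "reasons": []},
    }),
    "cart_low_score": json.dumps({
        "tokenProperties": {"valid": True, "action": "add_to_cart"},
        "riskAnalysis": {"score": 0.4, "reasons": ["AUTOMATION"]},
    }),
    "expired": json.dumps({
        "tokenProperties": {"valid": False, "invalidReason": "EXPIRED"},
    }),
}


if __name__ == "__main__":
    print(build_assessment_request("TOKEN", "SITE_KEY", "checkout"))
    for name, raw in SAMPLE_RESPONSES.items():
        action = json.loads(raw).get("tokenProperties", {}).get("action", "checkout")
        print(name, evaluate_assessment(raw, action))
```

The action check matters independently of the score: a token the frontend obtained for a cheap action must not be accepted when posted to the checkout endpoint, which is why the expected action is both sent in the request and compared in the response. Keeping a local threshold alongside the key's policy means a misconfigured or later-relaxed console setting cannot silently let low-scoring traffic through.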
Getting Started: Configuration in 3 Steps
Configuring your policy is simple:
- Create or Edit Your Key: In the Google Cloud Console, navigate to Security > reCAPTCHA. When creating a key (or editing an existing one), enable the "Use challenges" option.
- Select "Policy-Based Challenge": This will reveal the policy configuration. You can set a default score threshold that applies to all actions. For example, a threshold of 0.5 will trigger a challenge for any assessment scoring below 0.5.
- (Optional) Add Action-Specific Overrides: Use the console or gcloud commands to set different thresholds for specific actions (e.g., login, signup, password_reset). This gives you fine-grained control over your most critical user flows.
You can monitor the performance of your policies, including challenge rates and pass/fail trends, directly from the reCAPTCHA dashboard in the Cloud Console. For more details, check out the official documentation.
What's Next? A New Foundation for Control 🚀
Policy-based challenges are more than just a feature; they are the foundation for a more powerful and adaptable approach to abuse prevention. By giving you direct control over challenge logic, we're empowering you to build more nuanced security strategies tailored to the unique risks facing your business.
We're committed to building the future of abuse prevention—one that is intelligent, customizable, and puts you in control. Get started with Policy-based challenges today and take the guesswork out of your security.