
We are thinking of implementing Google reCAPTCHA Enterprise in our application to prevent this.

We are deciding on an approach to validate the token with the siteverify API; depending on the score (score-based key) we will classify the request as human or bot and take action.

Which is the better approach to validate tokens: the siteverify API, or creating an assessment in C#?

"Does the number of payload requests sent by BurpSuite count towards the billing for Google reCAPTCHA Enterprise when using a Score-based sitekey?"


Hello @Sunil3,

"Which is a good approach to validate tokens by siteverify API or creating an assessment in C#?"

If you do not create assessments in the backend, attackers can forge the request sent from the browser and make your application vulnerable to abuse and fraudulent activities. You can check the documentation here as reference.

"Does the number of payload requests sent by BurpSuite count towards the billing for Google reCAPTCHA Enterprise when using a Score-based sitekey?"

If you wish to make more than 1000 calls per second or 1000000 calls per month, you must use reCAPTCHA Enterprise or fill out this form and wait for an exception approval. If a site key exceeds 1000 QPS, then some requests may not be processed.

If a v3 site key exceeds its monthly quota, then site_verify may fail open by returning a static score 0.9 and an error message `"Over free quota."` for the remainder of the month. There are no user-visible indications when v3 sites are over quota. If a v2 site key exceeds its monthly quota, then the following or a similar message may be displayed to users in the reCAPTCHA widget for the remainder of the month: `This site is exceeding reCAPTCHA quota.`

Before quota is enforced, site owners will be notified by email three times and given at least 90 days to migrate to reCAPTCHA Enterprise. Site keys are considered over quota if more than 1000000 calls per month are used for any domain. This includes if this volume is spread across multiple keys on the same domain. Here is the FAQ as reference.


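One way to do the backend check the answer above recommends, written as an added example for this thread (it is not code from the original post, the reply, or Google's own samples). It assumes the Google.Cloud.RecaptchaEnterprise.V1 NuGet package with Application Default Credentials on the server; the project ID, site key, action names, hostname and the 0.5 score threshold are placeholders chosen for illustration. The security point it makes is that the score is the last check, not the first: a token is rejected if the service says it is invalid, if it was minted for a different action, or if it was issued on a different hostname, and only a token that passes those checks is compared against the threshold.

```csharp
// Added example (not from the original thread): a backend assessment with the
// Google.Cloud.RecaptchaEnterprise.V1 NuGet package, authenticated through
// Application Default Credentials. ProjectId, SiteKey and MinimumScore are
// placeholders you must replace; they are assumptions, not values from the post.
using System;
using System.Linq;
using Google.Api.Gax.ResourceNames;
using Google.Cloud.RecaptchaEnterprise.V1;

public sealed class RecaptchaVerdict
{
    public bool Allowed { get; init; }
    public float Score { get; init; }
    public string Reason { get; init; } = "";
}

public static class RecaptchaAssessor
{
    private const string ProjectId = "my-gcp-project";      // placeholder
    private const string SiteKey = "score-based-site-key";  // placeholder
    private const float MinimumScore = 0.5f;                // policy choice; tune per action

    // The token comes from the browser (grecaptcha.enterprise.execute), but every
    // check runs here on the server, where the client cannot tamper with the result.
    public static RecaptchaVerdict Assess(string token, string expectedAction, string expectedHostname)
    {
        RecaptchaEnterpriseServiceClient client = RecaptchaEnterpriseServiceClient.Create();

        var request = new CreateAssessmentRequest
        {
            ParentAsProjectName = new ProjectName(ProjectId),
            Assessment = new Assessment
            {
                Event = new Event
                {
                    SiteKey = SiteKey,
                    Token = token,
                    ExpectedAction = expectedAction,
                },
            },
        };

        Assessment response = client.CreateAssessment(request);
        return Evaluate(response, expectedAction, expectedHostname);
    }

    // Verdict logic kept separate from the API call so it can be exercised offline.
    public static RecaptchaVerdict Evaluate(Assessment response, string expectedAction, string expectedHostname)
    {
        TokenProperties props = response.TokenProperties;

        // 1. Reject tokens the service could not validate (malformed, expired,
        //    already used, or issued for another site key). A forged token never
        //    gets a meaningful score, so a score-only check is not enough.
        if (props == null || !props.Valid)
        {
            return new RecaptchaVerdict { Allowed = false, Score = 0f, Reason = $"invalid token: {props?.InvalidReason}" };
        }

        // 2. Bind the token to this endpoint: a token minted for "login" must
        //    not be accepted by "checkout".
        if (!string.Equals(props.Action, expectedAction, StringComparison.Ordinal))
        {
            return new RecaptchaVerdict { Allowed = false, Score = 0f, Reason = $"action mismatch: {props.Action}" };
        }

        // 3. The token must have been issued on your own domain.
        if (!string.Equals(props.Hostname, expectedHostname, StringComparison.OrdinalIgnoreCase))
        {
            return new RecaptchaVerdict { Allowed = false, Score = 0f, Reason = $"hostname mismatch: {props.Hostname}" };
        }

        // 4. Only a valid, correctly bound token is scored (1.0 very likely human,
        //    0.0 very likely a bot); apply the per-action threshold here.
        float score = response.RiskAnalysis?.Score ?? 0f;
        bool allowed = score >= MinimumScore;
        string reasons = response.RiskAnalysis == null
            ? ""
            : string.Join(",", response.RiskAnalysis.Reasons.Select(r => r.ToString()));
        return new RecaptchaVerdict
        {
            Allowed = allowed,
            Score = score,
            Reason = allowed ? "ok" : $"score {score} below {MinimumScore}; reasons: {reasons}",
        };
    }

    // Offline demonstration on a constructed response (no network call): a valid
    // token for the right action and host, but with a low score.
    public static void Main()
    {
        var constructed = new Assessment
        {
            TokenProperties = new TokenProperties { Valid = true, Action = "login", Hostname = "example.com" },
            RiskAnalysis = new RiskAnalysis { Score = 0.3f },
        };
        RecaptchaVerdict verdict = Evaluate(constructed, "login", "example.com");
        Console.WriteLine($"allowed={verdict.Allowed} score={verdict.Score} reason={verdict.Reason}");

        // Same response presented to the "checkout" endpoint: rejected before the score is read.
        Console.WriteLine(Evaluate(constructed, "checkout", "example.com").Reason);
    }
}
```

In practice you would call Assess from each protected handler with that handler's own action name and your site's hostname, and choose the threshold per action (a looser one for a newsletter signup, a stricter one for login or checkout) rather than one global cut-off.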