Question

Google reCAPTCHA Implementation Inquiry v2 | Implementation dispute

  • January 15, 2026
  • 1 reply
  • 32 views

Introvert09

Hi Team,

We would like to seek clarification regarding the implementation of reCAPTCHA v2.

We implemented reCAPTCHA v2 a few years ago and would like to confirm whether server-side validation was mandatory at that time. Based on the documentation available then, it does not explicitly state that Step 3 (server-side verification) was mandatory. We are referring to the documentation linked below.
reCAPTCHA v2 | Google for Developers

Please note that this clarification is specifically for our old implementation carried out in 2020. Kindly provide your response considering the documentation and circumstances that were applicable during that period, rather than the current implementation guidelines.

1 reply

faube
Staff
  • January 15, 2026

Hello,

reCAPTCHA v2 and v3, as well as their equivalents in the reCAPTCHA Enterprise API, all return tokens that your server must verify via a call to https://www.google.com/recaptcha/api/siteverify or recaptchaenterprise.googleapis.com.

An attacker can bypass reCAPTCHA if you do not verify that they created a legitimate reCAPTCHA token on your site.

More information about how reCAPTCHA works:

https://docs.cloud.google.com/recaptcha/docs/overview#how-recaptcha-enterprise-works
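
The server-side check described in the reply above, as an added example that is not part of the original thread or of Google's documentation: the form handler posts the token to `siteverify` and rejects the request unless the response is a success for the expected site. The function names, the `shop.example` hostname, the `SECRET_PLACEHOLDER` value and the canned responses in `fake_transport` are assumptions constructed so the block runs offline.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_form(url, fields, timeout=5):
    """Default transport: POST form fields, return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def verify_recaptcha(token, secret, expected_hostname, remote_ip=None, transport=post_form):
    """Return (ok, reason). Fails closed: any doubt means the request is rejected."""
    if not token:
        # The client never sent g-recaptcha-response: widget skipped or stripped.
        return False, "missing-token"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        result = transport(SITEVERIFY_URL, fields)
    except (OSError, ValueError):
        # Network failure or unparsable body: do not treat as success.
        return False, "verify-unavailable"
    if result.get("success") is not True:
        return False, ",".join(result.get("error-codes", [])) or "rejected"
    if result.get("hostname") != expected_hostname:
        # Token was solved on a different site than ours.
        return False, "hostname-mismatch"
    return True, "ok"


# Constructed siteverify responses for an offline demonstration (hypothetical tokens).
def fake_transport(url, fields):
    canned = {
        "good-token": {"success": True, "hostname": "shop.example", "challenge_ts": "2026-01-15T10:00:00Z"},
        "other-site": {"success": True, "hostname": "elsewhere.example"},
        "reused-token": {"success": False, "error-codes": ["timeout-or-duplicate"]},
    }
    return canned.get(fields["response"], {"success": False, "error-codes": ["invalid-input-response"]})


if __name__ == "__main__":
    for tok in ("good-token", "other-site", "reused-token", "made-up", ""):
        print(repr(tok), verify_recaptcha(tok, "SECRET_PLACEHOLDER", "shop.example", transport=fake_transport))
```

In production the default `post_form` transport is used and the secret comes from server-side configuration, never from the page that renders the widget.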