
We are integrating Google reCAPTCHA with our website; however, we notice that if we call Google to verify an invalid/expired reCAPTCHA token, our Google reCAPTCHA assessment usage is also deducted. This raises a security concern: suppose a malicious user uses a Python script and keeps calling our API using a random string as the reCAPTCHA token, and we bring this token to Google for verification; our reCAPTCHA quota will be exhausted very quickly. If we have transitioned to the enterprise tier, we will lose $1 after processing every 1000 calls from the hacker. If a hacker uses a DDoS attack, we may suffer a great loss.

So we have questions for Google:

  1. Why is calling Google to verify an invalid/expired reCAPTCHA token also counted in reCAPTCHA usage?
  2. What is Google's suggestion to handle such a case? According to our research, blocking IPs may be an effective way to protect us from being attacked. However, blocking an IP may also harm normal users, if a normal user shares the same public IP with the malicious user due to NAT. So this is not a preferred way for us.

Also, there is an additional question to Google:
If we use v2 visible reCAPTCHA on the first page (the checkbox), and after the user clicks the "continue" button he is redirected to a second page which contains an invisible reCAPTCHA (and we hide the badge), should we still display the sentence on the second page?

This site is protected by reCAPTCHA and the Google

In other words, we place Google reCAPTCHA in different places on our website. Do we have to display the sentence for every part that contains an invisible reCAPTCHA with the badge hidden?
Thank you.

Hello JoeyWu, reCAPTCHA protects your site against many kinds of abuse, including attackers trying to send tokens that do not represent a legitimate interaction with your site. If you have other means of identifying abusive requests, you may choose not to invoke reCAPTCHA for them.


Regarding the reCAPTCHA badge and terms, please see this guidance: https://cloud.google.com/recaptcha/docs/faq#id_like_to_hide_the_badge_what_is_allowed


"include the reCAPTCHA branding visibly in the user flow"

Hi Faube,

Thank you very much for your reply. Yeah, I understand that reCAPTCHA protects my site against abuse. That's why I am using reCAPTCHA to protect my API. However, how do we prevent abuse against Google reCAPTCHA itself? If a user writes a simple Python script which keeps calling our API with an invalid reCAPTCHA token, and we verify the reCAPTCHA token each time we get an API request, then our bill will pile up crazily, and we will be charged 1 dollar for every 1000 reCAPTCHA token assessments (if we are in the enterprise tier).
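Faube's answer above points at the practical mitigation: have "other means of identifying abusive requests" and do not invoke reCAPTCHA for them, so junk tokens never reach Google and never cost an assessment. The following is an added example of such a gate in Python; it is not code from this thread, from JoeyWu's site, or from Google. Two things in it are assumptions: the token sanity check uses a loose URL-safe-base64 pattern because Google does not publish the token format, and the call to Google is replaced by an injected `verifier` stub (a real deployment would POST the token and secret to Google's verification endpoint at that point). Everything else (the token bucket, the counters, the constructed burst scenario) is self-contained.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption (not from the thread, not documented by Google): a reCAPTCHA
# response token is a URL-safe base64-like string of moderate length. The
# bounds are deliberately loose so genuine tokens always pass; the goal is only
# to reject input that is obviously not a token (empty, tiny, wrong alphabet)
# before it can cost an assessment.
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,4096}")


def looks_like_recaptcha_token(token: object) -> bool:
    """Free local sanity check; never contacts Google."""
    return isinstance(token, str) and _TOKEN_RE.fullmatch(token) is not None


@dataclass
class TokenBucket:
    """Per-client budget of verification calls (classic token bucket)."""
    capacity: float
    refill_per_sec: float
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.capacity  # every client starts with a full budget

    def try_consume(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RecaptchaGate:
    """
    Decides whether a request is worth spending a reCAPTCHA assessment on.

    `verifier` stands in for the real verification call (hypothetical stub).
    `client_key` is whatever identifies the caller; keying on source IP alone
    punishes everyone behind one NAT (JoeyWu's concern), so combine it with a
    session cookie or account id where one exists. Even then a shared key only
    gets a budget, not a hard block.
    """

    def __init__(self, verifier: Callable[[str], bool],
                 capacity: float = 5, refill_per_sec: float = 0.1) -> None:
        self._verifier = verifier
        self._capacity = capacity
        self._refill = refill_per_sec
        self._buckets: Dict[str, TokenBucket] = {}
        self.upstream_calls = 0   # assessments actually spent
        self.blocked_locally = 0  # requests that never reached Google

    def check(self, client_key: str, token: object,
              now: Optional[float] = None) -> str:
        if now is None:
            now = time.monotonic()
        if not looks_like_recaptcha_token(token):
            self.blocked_locally += 1
            return "rejected_malformed"
        bucket = self._buckets.setdefault(
            client_key, TokenBucket(self._capacity, self._refill))
        if not bucket.try_consume(now):
            self.blocked_locally += 1
            return "rejected_rate_limited"
        self.upstream_calls += 1
        return "verified" if self._verifier(token) else "rejected_by_google"


def simulate_junk_burst(n_requests: int = 1000, capacity: int = 5) -> Dict[str, int]:
    """
    Constructed scenario from the thread: one client fires n_requests junk
    tokens as fast as it can (no time passes, so the bucket never refills).
    Returns how many assessments were spent versus blocked for free.
    """
    gate = RecaptchaGate(verifier=lambda _tok: False,  # Google would say "invalid"
                         capacity=capacity, refill_per_sec=0.1)
    for i in range(n_requests):
        # alternate obviously bogus strings with well-formed-looking junk
        token = "junk" if i % 2 else "A" * 30 + format(i, "08d")
        gate.check(client_key="203.0.113.7|sess-x", token=token, now=0.0)
    return {"spent": gate.upstream_calls, "blocked": gate.blocked_locally}
```

In the constructed burst of 1000 requests from one client, only the first five well-formed tokens are sent upstream; the other 995 are refused locally at zero cost. The format check and the rate limiter are independent layers: the first stops garbage such as `"junk"` outright, the second caps how fast any one client can make the site pay for plausible-looking strings. Because the limiter is a budget rather than a block, a legitimate user behind the same NAT still gets through once the bucket refills, which addresses the IP-blocking objection in the original post.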
