I’m currently running a Morse Code translator website that performs real-time conversion of plain text into Morse code and vice versa using JavaScript on the frontend. The application includes dynamic input handling, instant visual dot-dash rendering, and optional audio playback for each Morse sequence. Recently, I integrated Google reCAPTCHA (v2 and later tested v3) to protect certain endpoints from spam and abuse particularly the API routes responsible for processing translation requests.
Since implementing reCAPTCHA, I’ve started encountering issues where the real-time translation feature intermittently fails or becomes unresponsive. The problem seems to occur when the reCAPTCHA token expires or isn’t properly validated before asynchronous translation requests are triggered. In some cases, users typing quickly into the input field cause multiple parallel requests, and not all of them include a valid or refreshed token, leading to failed verification responses from the backend.
Additionally, I’ve noticed that reCAPTCHA introduces latency that disrupts the smooth UX of instant translation. Because my morse code tapping tool relies on event listeners (like oninput) to trigger live conversions, adding reCAPTCHA validation into this flow complicates things. I’m unsure whether I should debounce requests, cache tokens, or shift verification entirely to specific actions like form submissions instead of continuous background processing.
On the backend (Node.js), I’m validating the reCAPTCHA response token with Google’s verification API before allowing the translation logic to proceed. However, this adds overhead and sometimes results in false negatives, especially when multiple rapid requests reuse the same token or when users are on slower connections. I’m also concerned about properly securing the API without degrading performance or blocking legitimate users.
I’ve explored approaches like implementing reCAPTCHA only on high-risk actions (e.g., bulk translations or audio playback requests), but I’m unsure if that’s sufficient from a security standpoint. I also considered invisible reCAPTCHA, but I’m not clear on how well it integrates with real-time applications like mine