Page Summary
- This page details how to verify if a user successfully completed a reCAPTCHA challenge on your website or Android app.
- You'll receive a response token from the reCAPTCHA integration that needs to be verified within two minutes using the reCAPTCHA API.
- Verification involves sending a POST request to the reCAPTCHA API with the secret key, response token, and optionally, the user's IP address.
- The API response is a JSON object indicating success or failure, along with details like timestamp and potential error codes.
- Each response token is valid for a single use and expires after two minutes to prevent replay attacks.
This page explains how to verify a user's response to a reCAPTCHA challenge from your application's backend.
For web users, you can get the user’s response token in one of three ways:
- g-recaptcha-response POST parameter when the user submits the form on your site
- grecaptcha.getResponse(opt_widget_id) after the user completes the reCAPTCHA challenge
- As a string argument to your callback function if data-callback is specified in either the g-recaptcha tag attribute or the callback parameter in the grecaptcha.render method
For Android library users, you can call the SafetyNetApi.RecaptchaTokenResult.getTokenResult() method to get the response token if the status returns successful.
Token Restrictions
Each reCAPTCHA user response token is valid for two minutes, and can only be verified once to prevent replay attacks. If you need a new token, you can re-run the reCAPTCHA verification.
After you get the response token, you need to verify it within two minutes with reCAPTCHA using the following API to ensure the token is valid.
API Request
URL: https://www.google.com/recaptcha/api/siteverify
METHOD: POST
| POST Parameter | Description |
|---|---|
| secret | Required. The shared key between your site and reCAPTCHA. |
| response | Required. The user response token provided by the reCAPTCHA client-side integration on your site. |
| remoteip | Optional. The user's IP address. |
API Response
The response is a JSON object:
{
  "success": true|false,
  "challenge_ts": timestamp, // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
  "hostname": string, // the hostname of the site where the reCAPTCHA was solved
  "error-codes": [...] // optional
}
For reCAPTCHA Android:
{
  "success": true|false,
  "challenge_ts": timestamp, // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
  "apk_package_name": string, // the package name of the app where the reCAPTCHA was solved
  "error-codes": [...] // optional
}
Error code reference
| Error code | Description |
|---|---|
| missing-input-secret | The secret parameter is missing. |
| invalid-input-secret | The secret parameter is invalid or malformed. |
| missing-input-response | The response parameter is missing. |
| invalid-input-response | The response parameter is invalid or malformed. |
| bad-request | The request is invalid or malformed. |
| timeout-or-duplicate | The response is no longer valid: it is either too old or has been used previously. |
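
A backend-side sketch of the request and response handling described above, for the web response format. This is an added example, not code from the reCAPTCHA documentation: the function names, the reason strings, and the policy of comparing hostname against your own site are assumptions of the example.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def build_request(secret, token, remote_ip=None):
    """Form-encode the POST parameters from the API Request table."""
    params = {"secret": secret, "response": token}
    if remote_ip:
        params["remoteip"] = remote_ip  # optional parameter
    body = urllib.parse.urlencode(params).encode("ascii")
    return urllib.request.Request(VERIFY_URL, data=body, method="POST")

def evaluate(raw_json, expected_hostname):
    """Map a siteverify reply to (ok, reason); anything unexpected fails closed."""
    try:
        reply = json.loads(raw_json)
    except ValueError:
        return False, "unparseable-reply"
    if not isinstance(reply, dict):
        return False, "unparseable-reply"
    if reply.get("success") is not True:  # the string "true" does not count
        errors = reply.get("error-codes")
        errors = errors if isinstance(errors, list) else []
        if "timeout-or-duplicate" in errors:
            return False, "retry-challenge"  # expired or already-used token
        if any(c in errors for c in ("missing-input-secret", "invalid-input-secret")):
            return False, "server-misconfigured"  # alert ops, user is not at fault
        return False, "rejected"
    # Assumed policy of this example: the token must have been solved on our site.
    if reply.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    return True, "ok"

def verify(secret, token, expected_hostname, remote_ip=None, timeout=5):
    """Send one verification request; a token can only be verified once."""
    if not token:
        return False, "rejected"  # nothing submitted, skip the API call
    request = build_request(secret, token, remote_ip)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return evaluate(resp.read(), expected_hostname)
    except OSError:  # URLError, HTTPError and socket timeouts
        return False, "verify-unavailable"
```

Because a token can be verified only once, store the result of verify() for the request instead of calling it again with the same token.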