reCAPTCHA v3
and CapMonster Cloud

Captcha solving, website integration, and testing.

Inherited a site with a captcha or another protection layer but no access to the source code? In that case you naturally ask: which solution is installed, is it configured correctly, and how can the workflow be tested?

In this article, we have tried to answer all the key questions. The first step in solving the task is to determine which protection system is being used. To do this, you can refer to the list of popular captchas and anti-bot protection systems, where you will find visual examples and key indicators that help you quickly understand what you are dealing with.

If you discover that your site uses reCAPTCHA v3, the next step is to study its properties and operation in more detail. In this article, you can also review the instructions on how to integrate reCAPTCHA v3 so that you fully understand how it functions on your site. This will help you not only understand the current protection, but also properly plan its maintenance.

What is Google reCAPTCHA v3

reCAPTCHA v3 is an invisible Google protection that distinguishes real users from bots without a “I’m not a robot” checkbox. A hidden script runs on the page, analyzes user behavior, and returns a trust score from 0.0 to 1.0. The developer sets a threshold below which additional verification or blocking may be required, providing protection without extra steps for the user.

How to solve reCAPTCHA v3 via CapMonster Cloud

When testing forms that include reCAPTCHA v3, you often need to verify that the captcha works and is integrated correctly.

You can verify the captcha embedded on your site manually.

Open the form page and make sure the captcha renders.
Try submitting the form without solving it — the server should return an error.
After a successful solution, the form must be submitted without issues.

For automatic solving you can use tools like CapMonster Cloud, which accepts captcha parameters, processes them on its servers, and returns a ready-to-use token. Insert this token into the form to pass the check without user interaction.

Working with CapMonster Cloud via API typically involves the following steps:

Creating a task

At this stage, you send your API key, captcha type, and its parameters. The service returns a unique taskId which you can use later to get the result.

Sending an API request

Your request to solve reCAPTCHA v3 must include the following parameters:

type - RecaptchaV3TaskProxyless;

websiteURL - the page address where the captcha is solved;

websiteKey - the key identifier (sitekey) specified on the page of your site with the captcha;

minScore - can have a value from 0.1 to 0.9;

pageAction - the value of the action parameter that is passed by the ReCaptcha widget in Google. Default value: verify.

Find more details about the parameters and how to gather them automatically before sending a task in the CapMonster Cloud documentation.

Endpoint for sending the task:

https://api.capmonster.cloud/createTask

Request example:

{
  "clientKey": "API_KEY",
  "task": {
    "type": "RecaptchaV3TaskProxyless",
    "websiteURL": "https://lessons.zennolab.com/captchas/recaptcha/v3.php?level=beta",
    "websiteKey": "6Le0xVgUAAAAAIt20XEB4rVhYOODgTl00d8juDob",
    "minScore": 0.7,
    "pageAction": "myverify"
  }
}

Response:

{
  "errorId":0,
  "taskId":407533072
}

Receiving the result

After creating the task, poll the solution status.

Address to receive the result:

https://api.capmonster.cloud/getTaskResult

Request example:

{
  "clientKey":"API_KEY",
  "taskId": 407533072
}

Response:

{
  "errorId": 0,
  "status": "ready",
  "solution": {
    "gRecaptchaResponse": "3AHJ_VuvYIBNBW5yyv0zRYJ75VkOKv…hKj9_xGBJKnQimF72rfoq3Iy-DyGHMwLAo6a3"
  }
}

Placing the token on the page

The token you receive (the "gRecaptchaResponse" value) can be inserted into a hidden form field or used to call a JS function on the site to confirm the solution. After that, the server will accept the form as correctly completed. For automation and testing it is convenient to use Puppeteer, Selenium or Playwright, which allow you to emulate user actions, inject tokens, and submit forms.

Solving reCAPTCHA v3 using ready-made libraries

CapMonster Cloud provides ready-made libraries for convenient use with Python, JavaScript (Node.js), and C#.

Python

JavaScript

Solving, injecting the token, and submitting the form

A Node.js example for the full cycle of solving a captcha on your web page. Possible approaches: use HTTP requests to fetch the HTML and captcha parameters, then send the answer and process the result; or use automation tools (for example, Playwright) to open the page, wait for the captcha to appear, send parameters (for testing, you can send both valid and invalid data), get the result through the CapMonster Cloud client, insert the token into the form, and see the outcome.

const { chromium } = require('playwright');
const { 
  CapMonsterCloudClientFactory, 
  ClientOptions, 
  RecaptchaV3ProxylessRequest 
} = require('@zennolab_com/capmonstercloud-client');

(async () => {
  const TARGET_URL = 'https://lessons.zennolab.com/captchas/recaptcha/v3.php?level=beta'; // URL of your page with the captcha
  const SITE_KEY = '6Le0xVgUAAAAAIt20XEB4rVhYOODgTl00d8juDob';
  const API_KEY = 'your_capmonster_cloud_api_key'; // Specify your CapMonster Cloud API key

  // Create a CapMonster client
  const cmcClient = CapMonsterCloudClientFactory.Create(new ClientOptions({ clientKey: API_KEY }));

  // Open the browser
  const browser = await chromium.launch({ headless: false });
  const page = await browser.newPage();
  await page.goto(TARGET_URL, { waitUntil: 'domcontentloaded' });

  // Configure the reCAPTCHA v3 task
  const recaptchaRequest = new RecaptchaV3ProxylessRequest({
    websiteURL: TARGET_URL,
    websiteKey: SITE_KEY,
    minScore: 0.6,
    pageAction: 'myverify', // match the action on the page
  });

  // Solve the captcha
  const solution = await cmcClient.Solve(recaptchaRequest);
  const token = solution.solution?.gRecaptchaResponse;

  if (!token) {
    console.error('Token is empty, check the sitekey and URL');
    await browser.close();
    return;
  }

  console.log('Token received:', token);

  // Insert the token into a hidden field and emulate a click on the button 
  // Replace with the required selectors
  await page.evaluate((t) => {
    const input = document.querySelector('#v3_token');
    if (input) input.value = t;

    const form = document.querySelector('#v3_form');
    if (form) form.submit();
  }, token);

  console.log('Token inserted and form submitted');

  await page.waitForTimeout(5000);
  await browser.close();
})();

You can also conveniently test captcha solving using the CapMonster Cloud browser extension, which allows you to quickly check how a captcha works directly on the page and watch the solving process in real time without writing any code – available for installation in Chrome and Firefox.

How to connect reCAPTCHA v3 to your site

To understand how the captcha works on your site, how its validation logic behaves, and how to reconnect or reconfigure it, we recommend reading this section. It describes the process of enabling protection — this will help you quickly understand all the nuances.

1. Go to the reCAPTCHA admin console page.

2. Register a new site and choose the captcha type — reCAPTCHA v3

HowTo Connect image 1

3. Get the two keys:

Site key — public key (used on the frontend);
Secret key — private key (used on the server for verification)

HowTo Connect image 2

You can open the settings where you can, for example, specify domains that are allowed to use reCAPTCHA or configure alerts for site issues or spikes in suspicious traffic.

4. Client-side code examples

The simplest way to use reCAPTCHA v3 is to include the JavaScript API and add attributes to a button.

Connecting the API:

<script src="https://www.google.com/recaptcha/api.js"></script>

Callback function for the form:

<script>
  function onSubmit(token) {
    document.getElementById("form").submit();
  }
</script>

Button with reCAPTCHA attributes:

<button class="g-recaptcha" 
        data-sitekey="reCAPTCHA_sitekey" 
        data-callback='onSubmit' 
        data-action='submit'>Submit</button>

For full control, use grecaptcha.execute with the render parameter:

Connecting the API with the key:

<script src="https://www.google.com/recaptcha/api.js?render=reCAPTCHA_site_key"></script>

Programmatic call:

<script>
  function onClick(e) {
    e.preventDefault();
    grecaptcha.ready(function() {
      grecaptcha.execute('reCAPTCHA_sitekey', {action: 'submit'}).then(function(token) {
          // Send the token to the server for verification
      });
    });
  }
</script>

The token should be sent to the server for verification immediately.

Important notes:

Token lifetime: the token received from reCAPTCHA v3 is valid for 2 minutes. Make sure you send it to the server within this time.
Server-side verification: after receiving the token on the server, send a POST request to https://www.google.com/recaptcha/api/siteverify with the following parameters:
– secret: your secret key
– response: the token received from the client
– remoteip (optional): the user’s IP address
Google’s server will return a JSON response containing details about the verification result.

You can find more detailed information in the captcha’s own documentation.

5. Now verify the response on the server side

PHP example

<?php
// Your reCAPTCHA v3 secret key
$secret = 'YOUR_SECRET_KEY';

// Get the token from the form
$token = $_POST['recaptcha-token'] ?? '';

// Send a request to Google to verify the token
$response = file_get_contents(
    "https://www.google.com/recaptcha/api/siteverify?secret={$secret}&response={$token}"
);

$result = json_decode($response, true);

// Check success and the trust score
if ($result['success'] && $result['score'] >= 0.5 && $result['action'] === 'submit') {
    echo "Verification passed";
} else {
    http_response_code(403);
    echo "Verification failed";
}
?>

Notes:

Make sure that on the client the token is sent in a hidden form field named recaptcha-token:

<input type="hidden" name="recaptcha-token" id="recaptcha-token">

The score threshold can be adjusted depending on how strict you want to be (for example, 0.3–0.7).
Checking action === 'submit' increases security by making sure the token is issued for the specific action on the page.

Possible errors and debugging

Incorrect site or key

The captcha does not load or returns invalid-input-secret.

Solving timeout

The server did not receive a response in time, increase the timeout value.

Empty token

Error while passing the result to the page.

Response success=false

The token is expired, reused, or forged. For diagnostics, enable request logging and check the error-codes field in Google’s response.

Low score (for example, <0.5)

This may lead to rejection even when success=true, because Google uses the score to assess trust in the user.

Check the action

To make sure the token is intended for a specific action on the page

Protection resilience checks

After integration, make sure the system really protects the site from automated actions.

Try sending a request without solving the captcha — the server should return success: false.

Run load testing (for example, using k6 or JMeter) at more than 100 requests per second — the captcha should be displayed correctly and the validation system should remain stable.

Check how the server reacts to an expired, reused, or forged token — the expected response is 403 Forbidden or a rejection based on the trust threshold (score lower than the minimum value).

Security and optimization tips

Store the <b>Secret Key</b> only on the server and never expose it to the client side.

Store the Secret Key only on the server and never expose it to the client side.

Log error codes (<b>error-codes</b>) and the <b>score</b> value to understand the reasons for rejections.

Log error codes (error-codes) and the score value to understand the reasons for rejections.

<b>Check the action field</b> in Google’s response to ensure the token is intended for the correct action on the page.

Check the action field in Google’s response to ensure the token is intended for the correct action on the page.

Add links to your <b>Privacy Policy</b> and <b>Google Terms of Service</b> at the bottom of the form, as required by the license.

Add links to your Privacy Policy and Google Terms of Service at the bottom of the form, as required by the license.

Conclusion

If you’ve taken over a website that already has a captcha or another protection system installed, but you don’t have access to the code, don’t worry! It’s quite easy to identify which technology is being used. To verify that everything works correctly, you can use the CapMonster Cloud recognition service in an isolated test environment to make sure that the token processing mechanism and the validation logic are functioning properly.

In the case of reCAPTCHA v3, it’s enough to detect the system, observe its behavior, and confirm that the protection is working correctly. In this article, we showed how to identify reCAPTCHA v3 and where to find instructions on how to integrate or reconfigure it, so you can confidently maintain the protection and keep its operation under control.

Helpful links

reCAPTCHA v3 documentation →

CapMonster Cloud documentation (working with reCAPTCHA v3) →

How to solve ReCaptcha v3 in Python using Selenium & CapMonster Cloud →

How to solve ReCaptcha v3 in JavaScript using Selenium & CapMonster Cloud →

How to solve ReCaptcha v3 in C# using Selenium & CapMonster Cloud →

The CapMonster Cloud browser extension is available for Chrome and Firefox. Full installation and usage instructions are available here.

reCAPTCHA v3 and CapMonster Cloud

How to solve reCAPTCHA v3 via CapMonster Cloud

reCAPTCHA v3
and CapMonster Cloud