reCAPTCHA v2
and CapMonster Cloud

Captcha solving, site integration, and end-to-end testing.

Pricing of reCAPTCHA V2 solution

CAPTCHA
Price (USD)
$ 0.60
1000 tokens
Inherited a site with a captcha or another protection layer but no access to the source code? In that case you naturally ask: which solution is installed, is it configured correctly, and how can the workflow be tested?

In this article, we have tried to answer all the key questions. The first step in solving the task is to determine which protection system is being used. To do this, you can refer to the list of popular captchas and anti-bot protection systems, where you will find visual examples and key indicators that help you quickly understand what you are dealing with.

If you discover that your site uses reCAPTCHA V2, the next step is to study its properties and operation in more detail. In this article, you can also review the instructions on how to integrate reCAPTCHA V2 so that you fully understand how it functions on your site. This will help you not only understand the current protection, but also properly plan its maintenance.

What is Google reCAPTCHA v2
What is Google reCAPTCHA v2
reCAPTCHA v2 is a Google protection system designed to block spam and other automated actions that might harm a website. It helps distinguish real visitors from bots, keeping your web resource secure and stable.
Background
Examples of reCAPTCHA V2
reCAPTCHA v2
reCAPTCHA v2
The classic checkbox captcha where the user must confirm they are human. In some cases a pop-up challenge appears, for example asking to select certain images.
reCAPTCHA v2 Invisible
reCAPTCHA v2 Invisible
An invisible captcha that validates automatically, without user interaction, and does not require clicking the checkbox.
reCAPTCHA v2 Enterprise
reCAPTCHA v2 Enterprise
An enterprise version with additional controls and security features.

How to solve reCAPTCHA v2 via CapMonster Cloud

When testing forms that include reCAPTCHA V2, you often need to verify that the captcha works and is integrated correctly.

You can verify the captcha embedded on your site manually.

  • Open the form page and make sure the captcha renders.
  • Try submitting the form without solving it — the server should return an error.
  • After a successful solution, the form must be submitted without issues.

For automatic solving you can use tools like CapMonster Cloud, which accepts captcha parameters, processes them on its servers, and returns a ready-to-use token. Insert this token into the form to pass the check without user interaction.

Working with CapMonster Cloud via API typically involves the following steps:

Creating a taskCreating a task
arrow
Sending an API requestSending an API request
arrow
Receiving the resultReceiving the result
arrow
Placing the token on the pagePlacing the token on the page
arrow
Solving reCAPTCHA v2 with ready-made libraries
CapMonster Cloud offers SDKs for convenient work with Python, JavaScript (Node.js), and C#.
Python
JavaScript
C#
Solving, inserting the token, and submitting the form
A Node.js example that covers the entire captcha-solving cycle for your web page. Possible approaches: use HTTP requests to fetch HTML and captcha parameters, send the answer, and process the result; or rely on automation tools (e.g., Playwright) to open the page, wait for the captcha, send parameters (you can test with valid or invalid data), obtain the result through the CapMonster Cloud client, inject the token into the form, and observe the outcome.
// npm install playwright @zennolab_com/capmonstercloud-client
// npx playwright install chromium


const { chromium } = require('playwright');
const { CapMonsterCloudClientFactory, ClientOptions, RecaptchaV2Request } = require('@zennolab_com/capmonstercloud-client');

(async () => {
  const browser = await chromium.launch({ headless: false });
  const page = await browser.newPage();

  const TARGET_URL = 'https://lessons.zennolab.com/captchas/recaptcha/v2_simple.php?level=high';
  const WEBSITE_KEY = '6Lcg7CMUAAAAANphynKgn9YAgA4tQ2KI_iqRyTwd';
  const CMC_API_KEY = 'your_capmonster_cloud_api_key';

  const cmc = CapMonsterCloudClientFactory.Create(new ClientOptions({ clientKey: CMC_API_KEY }));

  await page.goto(TARGET_URL, { waitUntil: 'domcontentloaded' });

  // Captcha solving
  const solution = await cmc.Solve(new RecaptchaV2Request({ websiteURL: TARGET_URL, websiteKey: WEBSITE_KEY }));
  const token = solution.solution.gRecaptchaResponse;

  // Insert the token and submit the form (replace with the selector you need)
  await page.evaluate((t) => {
    const ta = document.querySelector('textarea#g-recaptcha-response');
    if (ta) ta.value = t;
    document.querySelector('form.formular')?.submit();
  }, token);

  console.log('Captcha solved and form submitted!');
})();
How to connect reCAPTCHA v2 to your site
To understand how the captcha operates on your site, learn its validation logic, and reconnect or reconfigure it, look through this section. It describes the protection setup process so you can quickly cover every nuance.

1. Go to the reCAPTCHA admin console.

2. Register a new site.

Select the captcha type — reCAPTCHA v2 (checkbox with challenges or the invisible variant).

HowTo Connect image 1

3. Obtain two keys:

  • Site key — the public key (used on the frontend);
  • Secret key — the private key (used on the server for verification).

HowTo Connect image 2

Open the settings to specify domains that can use reCAPTCHA, or choose the security level — from the simplest to the most reliable option.

4. Client-side code example. An HTML form with reCAPTCHA v2 (you can paste this snippet into the page body):

HTML form with reCAPTCHA v2HTML form with reCAPTCHA v2
arrow

5. Validate the response on the server side.

PHP examplePHP example
arrow
Background
Possible errors and debugging
Bug Icon
Invalid site or key
The captcha fails to load or returns invalid-input-secret.
Bug Icon
Solving timeout
The server did not receive the answer in time. Increase the waiting period.
Bug Icon
Empty token
An error occurred while passing the result to the page.
Bug Icon
Response success=false
The token is expired, reused, or spoofed. Enable request logging and inspect the error-codes field returned by Google.
Protection resilience checks
After integration, make sure the system really protects the site from automated actions.
Security and optimization tips
Store the <span class="font-bold">Secret Key</span> only on the server; do not expose it on the client side.
Log the error codes <span class="font-bold">(error-codes)</span> to understand why specific checks failed.
Add links to the <span class="font-bold">Privacy Policy</span> and <span class="font-bold">Google Terms of Use</span> at the bottom of the form, as required by the license.
Conclusion

If you’ve taken over a website that already has a captcha or another protection system installed, but you don’t have access to the code, don’t worry! It’s quite easy to identify which technology is being used. To verify that everything works correctly, you can use the CapMonster Cloud recognition service in an isolated test environment to make sure that the token processing mechanism and the validation logic are functioning properly.

In the case of reCAPTCHA V2, it’s enough to detect the system, observe its behavior, and confirm that the protection is working correctly. In this article, we showed how to identify reCAPTCHA V2 and where to find instructions on how to integrate or reconfigure it, so you can confidently maintain the protection and keep its operation under control.

Conclusion

Frequently Asked Questions about reCAPTCHA v2

To submit a solve request, POST a JSON payload to https://api.capmonster.cloud/createTask:

{
  "clientKey": "API_KEY",
  "task": {
    "type": "RecaptchaV2Task",
    "websiteURL": "[target_page_URL_with_reCAPTCHA]",
    "websiteKey": "[reCAPTCHA_website_key]"
  }
}
  • clientKey — the API key from your CapMonster Cloud account
  • task.type: set to RecaptchaV2Task
  • task.websiteURL: URL of the page where the captcha appears
  • task.websiteKey: the public sitekey embedded in the page's HTML

For the next steps, please read the reCAPTCHA solving documentation.

Submit the task with the request https://api.capmonster.cloud/createTask with parameters described in the previous question.

Poll https://api.capmonster.cloud/getTaskResult with your clientKey and taskId (returned in the createTask response).

Once the status field reads ready, the response includes a gRecaptchaResponse string — that's your solved token.

Submit the token to the target website using one of the following methods, depending on the reCAPTCHA v2 type and architecture used on it:

  • Standard DOM Injection: For typical checkbox integrations, inject the token into the hidden text area (e.g., document.getElementById("g-recaptcha-response").innerHTML = token;) using Playwright's page.evaluate() method (or its Puppeteer/Selenium analog). Then programmatically call form.submit() or trigger the submit button.
  • JavaScript Callback (Invisible reCAPTCHA): If the page uses an invisible CAPTCHA with a callback execution, identify the function name in the data-callback attribute and execute it via your automation script, passing the token as an argument (e.g., onVerifyCallback("TOKEN_STRING")).
  • Direct HTTP Request: To bypass browser rendering entirely, intercept the site's native submission request. Send the token directly to the target server's backend endpoint as part of the form data payload (e.g., g-recaptcha-response=TOKEN_STRING) using your HTTP client.

The destination server extracts the token from your submission and validates it against Google's siteverify endpoint.

CapMonster Cloud handles both modes with the same API call. For the invisible mode, include the isInvisible: true parameter in the createTask request. To correctly confirm the reCAPTCHA solution, determine the method the website uses to submit the token. These methods are described in the previous question.

The most frequent cause is a token that has already been used or has expired — reCAPTCHA v2 tokens are single-use and short-lived, so any delay or duplicate submission will trigger this. Start by logging the raw HTTP response from https://www.google.com/recaptcha/api/siteverify — the error-codes array in that response is your primary diagnostic signal.

Two other culprits worth checking: invalid-input-secret means the wrong secret key was passed on the backend, while an empty g-recaptcha-response field at the server usually means the front-end token injection step silently failed before the form was submitted.

Also verify that the websiteURL you passed to CapMonster Cloud matches the exact origin where Google validates the token — a mismatch here produces a domain-binding error.

For non-technical users: use the CapMonster Cloud browser extension (Chrome/Firefox). It allows you to test captcha behavior directly on the page and observe the solving process in real time. Just install the extension, add your API key, and open your reCAPTCHA-protected page.

For QA and DevOps: follow a simple three-step test:

  1. Submit the form without solving the captcha – it should return success: false.
  2. Submit the form with a solved captcha – the request should pass successfully.
  3. Run load testing (k6 or JMeter, 100+ RPS) and verify that expired or reused tokens are correctly rejected (e.g., HTTP 403).

Important: siteverify always returns HTTP 200 – errors are determined by the success field, not the HTTP status code.