reCAPTCHA v3
and CapMonster Cloud

Captcha solving, website integration, and testing.

Pricing of reCAPTCHA v3 solution

CAPTCHA
Price (USD)
$ 0.90
1000 tokens
Inherited a site with a captcha or another protection layer but no access to the source code? In that case you naturally ask: which solution is installed, is it configured correctly, and how can the workflow be tested?

In this article, we have tried to answer all the key questions. The first step in solving the task is to determine which protection system is being used. To do this, you can refer to the list of popular captchas and anti-bot protection systems, where you will find visual examples and key indicators that help you quickly understand what you are dealing with.

If you discover that your site uses reCAPTCHA v3, the next step is to study its properties and operation in more detail. In this article, you can also review the instructions on how to integrate reCAPTCHA v3 so that you fully understand how it functions on your site. This will help you not only understand the current protection, but also properly plan its maintenance.

What is Google reCAPTCHA v3
What is Google reCAPTCHA v3
reCAPTCHA v3 is an invisible Google protection that distinguishes real users from bots without a “I’m not a robot” checkbox. A hidden script runs on the page, analyzes user behavior, and returns a trust score from 0.0 to 1.0. The developer sets a threshold below which additional verification or blocking may be required, providing protection without extra steps for the user.

How to solve reCAPTCHA v3 via CapMonster Cloud

When testing forms that include reCAPTCHA v3, you often need to verify that the captcha works and is integrated correctly.

You can verify the captcha embedded on your site manually.

  • Open the form page and make sure the captcha renders.
  • Try submitting the form without solving it — the server should return an error.
  • After a successful solution, the form must be submitted without issues.

For automatic solving you can use tools like CapMonster Cloud, which accepts captcha parameters, processes them on its servers, and returns a ready-to-use token. Insert this token into the form to pass the check without user interaction.

Working with CapMonster Cloud via API typically involves the following steps:

Creating a taskCreating a task
arrow
Sending an API requestSending an API request
arrow
Receiving the resultReceiving the result
arrow
Placing the token on the pagePlacing the token on the page
arrow
Solving reCAPTCHA v3 using ready-made libraries
CapMonster Cloud provides ready-made libraries for convenient use with Python, JavaScript (Node.js), and C#.
Python
JavaScript
C#
Solving, injecting the token, and submitting the form
A Node.js example for the full cycle of solving a captcha on your web page. Possible approaches: use HTTP requests to fetch the HTML and captcha parameters, then send the answer and process the result; or use automation tools (for example, Playwright) to open the page, wait for the captcha to appear, send parameters (for testing, you can send both valid and invalid data), get the result through the CapMonster Cloud client, insert the token into the form, and see the outcome.
const { chromium } = require('playwright');
const { 
  CapMonsterCloudClientFactory, 
  ClientOptions, 
  RecaptchaV3ProxylessRequest 
} = require('@zennolab_com/capmonstercloud-client');

(async () => {
  const TARGET_URL = 'https://lessons.zennolab.com/captchas/recaptcha/v3.php?level=beta'; // URL of your page with the captcha
  const SITE_KEY = '6Le0xVgUAAAAAIt20XEB4rVhYOODgTl00d8juDob';
  const API_KEY = 'your_capmonster_cloud_api_key'; // Specify your CapMonster Cloud API key

  // Create a CapMonster client
  const cmcClient = CapMonsterCloudClientFactory.Create(new ClientOptions({ clientKey: API_KEY }));

  // Open the browser
  const browser = await chromium.launch({ headless: false });
  const page = await browser.newPage();
  await page.goto(TARGET_URL, { waitUntil: 'domcontentloaded' });

  // Configure the reCAPTCHA v3 task
  const recaptchaRequest = new RecaptchaV3ProxylessRequest({
    websiteURL: TARGET_URL,
    websiteKey: SITE_KEY,
    minScore: 0.6,
    pageAction: 'myverify', // match the action on the page
  });

  // Solve the captcha
  const solution = await cmcClient.Solve(recaptchaRequest);
  const token = solution.solution?.gRecaptchaResponse;

  if (!token) {
    console.error('Token is empty, check the sitekey and URL');
    await browser.close();
    return;
  }

  console.log('Token received:', token);

  // Insert the token into a hidden field and emulate a click on the button 
  // Replace with the required selectors
  await page.evaluate((t) => {
    const input = document.querySelector('#v3_token');
    if (input) input.value = t;

    const form = document.querySelector('#v3_form');
    if (form) form.submit();
  }, token);

  console.log('Token inserted and form submitted');

  await page.waitForTimeout(5000);
  await browser.close();
})();
How to connect reCAPTCHA v3 to your site
To understand how the captcha works on your site, how its validation logic behaves, and how to reconnect or reconfigure it, we recommend reading this section. It describes the process of enabling protection — this will help you quickly understand all the nuances.

1. Go to the reCAPTCHA admin console page.

2. Register a new site and choose the captcha type — reCAPTCHA v3

HowTo Connect image 1

3. Get the two keys:

  • Site key — public key (used on the frontend);
  • Secret key — private key (used on the server for verification)

HowTo Connect image 2

You can open the settings where you can, for example, specify domains that are allowed to use reCAPTCHA or configure alerts for site issues or spikes in suspicious traffic.

4. Client-side code examples

The simplest way to use reCAPTCHA v3 is to include the JavaScript API and add attributes to a button.

Connecting the API:

<script src="https://www.google.com/recaptcha/api.js"></script>

Callback function for the form:

<script>
  function onSubmit(token) {
    document.getElementById("form").submit();
  }
</script>

Button with reCAPTCHA attributes:

<button class="g-recaptcha" 
        data-sitekey="reCAPTCHA_sitekey" 
        data-callback='onSubmit' 
        data-action='submit'>Submit</button>

For full control, use grecaptcha.execute with the render parameter:

Connecting the API with the key:

<script src="https://www.google.com/recaptcha/api.js?render=reCAPTCHA_site_key"></script>

Programmatic call:

<script>
  function onClick(e) {
    e.preventDefault();
    grecaptcha.ready(function() {
      grecaptcha.execute('reCAPTCHA_sitekey', {action: 'submit'}).then(function(token) {
          // Send the token to the server for verification
      });
    });
  }
</script>

The token should be sent to the server for verification immediately.

Important notes:

  • Token lifetime: the token received from reCAPTCHA v3 is valid for 2 minutes. Make sure you send it to the server within this time.
  • Server-side verification: after receiving the token on the server, send a POST request to https://www.google.com/recaptcha/api/siteverify with the following parameters:
    – secret: your secret key
    – response: the token received from the client
    – remoteip (optional): the user’s IP address
  • Google’s server will return a JSON response containing details about the verification result.

5. Now verify the response on the server side

PHP examplePHP example
arrow

Notes:

  • Make sure that on the client the token is sent in a hidden form field named recaptcha-token:
    • <input type="hidden" name="recaptcha-token" id="recaptcha-token">

      • The score threshold can be adjusted depending on how strict you want to be (for example, 0.3–0.7).
      • Checking action === 'submit' increases security by making sure the token is issued for the specific action on the page.
Background
Possible errors and debugging
Bug Icon
Incorrect site or key
The captcha does not load or returns invalid-input-secret.
Bug Icon
Solving timeout
The server did not receive a response in time, increase the timeout value.
Bug Icon
Empty token
Error while passing the result to the page.
Bug Icon
Response success=false
The token is expired, reused, or forged. For diagnostics, enable request logging and check the error-codes field in Google’s response.
Bug Icon
Low score (for example, <0.5)
This may lead to rejection even when success=true, because Google uses the score to assess trust in the user.
Bug Icon
Check the action
To make sure the token is intended for a specific action on the page
Protection resilience checks
After integration, make sure the system really protects the site from automated actions.
Security and optimization tips
Store the <span class="font-bold">Secret Key</span> only on the server and never expose it to the client side.
Log error codes (<span class="font-bold">error-codes</span>) and the <span class="font-bold">score</span> value to understand the reasons for rejections.
<span class="font-bold">Check the action field</span> in Google’s response to ensure the token is intended for the correct action on the page.
Add links to your <span class="font-bold">Privacy Policy</span> and <span class="font-bold">Google Terms of Service</span> at the bottom of the form, as required by the license.
Conclusion

If you’ve taken over a website that already has a captcha or another protection system installed, but you don’t have access to the code, don’t worry! It’s quite easy to identify which technology is being used. To verify that everything works correctly, you can use the CapMonster Cloud recognition service in an isolated test environment to make sure that the token processing mechanism and the validation logic are functioning properly.

In the case of reCAPTCHA v3, it’s enough to detect the system, observe its behavior, and confirm that the protection is working correctly. In this article, we showed how to identify reCAPTCHA v3 and where to find instructions on how to integrate or reconfigure it, so you can confidently maintain the protection and keep its operation under control.

Conclusion

Frequently Asked Questions about reCAPTCHA v3

CapMonster Cloud provides official client libraries for Python, JavaScript (Node.js), and C#. These libraries simplify reCAPTCHA v3 integration and allow you to avoid manually implementing HTTP requests.

For example, in Node.js you can use the @zennolab_com/capmonstercloud-client package, which lets you obtain a token and inject it into a form in just a few lines of code.

If there is no dedicated library for your language, you can use the universal REST API (createTask / getTaskResult). It works with any HTTP client, including curl, requests, axios, and others.

The full request structure is available in the API documentation.

The minScore parameter accepts values from 0.1 to 0.9 and tells CapMonster Cloud the minimum trust score the returned token must carry. You can set the 0.7 value as a reasonable starting point. Setting it too high (e.g. 0.9) increases the chance of solving failures; setting it too low may return tokens with a score your server-side threshold should reject anyway. Tune the value against actual rejection rates in your test environment.

A token received from reCAPTCHA v3 is valid for approximately 2 minutes. Your automation pipeline must submit the token to the server within that window; after it expires, Google's siteverify endpoint returns success: false. Keep the solve step as close to the form submission as possible, and avoid caching tokens across requests.

To inject a reCAPTCHA v3 token, find the hidden response field (usually a textarea or input with the ID g-recaptcha-response) and insert the token retrieved from your CAPTCHA solver service. Here is how to do it across the three automation frameworks.

Playwright / Puppeteer (Node.js)

const token = "YOUR_TOKEN";
await page.evaluate((t) => {
  document.getElementById('g-recaptcha-response').value = t;
}, token);
await page.click('#submit-btn');

Selenium (Python)

token = "YOUR_TOKEN"
driver.execute_script(f"document.getElementById('g-recaptcha-response').value = '{token}';")
driver.find_element("id", "submit-btn").click()

Some websites use callback functions to validate the token. If the form does not submit, find the function name via the console (___grecaptcha_cfg.clients) and call it manually:

// Example of calling a callback in Playwright/Puppeteer
await page.evaluate((t) => { window.onSuccessCallback(t); }, token);

A success: true response from Google only means the token is valid. Your backend may still reject the request if the token score is below your configured threshold.

Another common issue is an action mismatch. The token must be verified against the same action value that was used when creating the task.

To debug the issue:

  • check the score field in the siteverify response;
  • verify that the action value matches;
  • inspect error-codes when success is false.

If success is true, the error-codes array is usually empty, so score and action are the main fields to inspect.