How to Tell if a Website Uses Google reCAPTCHA

To tell if a website uses Google reCAPTCHA, view the page source or open the DevTools Network tab and look for a script loaded from www.google.com/recaptcha/api.js (or its privacy-friendly mirror www.recaptcha.net) — that is reCAPTCHA, and finding it is close to conclusive. Confirm it in the Console by checking typeof grecaptcha, and inspect protected forms for a g-recaptcha div carrying a data-sitekey attribute. The version is usually readable from behaviour: a visible "I'm not a robot" checkbox means v2, while an invisible background score with only a small badge in the corner means v3. This guide covers every signal, how to distinguish the versions, the main alternatives (hCaptcha and Cloudflare Turnstile), and the bot-protection context.

It sits within the security side of detection, alongside how to read a website's HTTP response headers, and fits the broader how to find out what technology a website uses.

What reCAPTCHA is, and why it is detectable

reCAPTCHA is Google's bot-protection service. Sites add it to forms, logins, sign-ups and checkouts to tell humans from automated abuse — credential stuffing, spam submissions, scraping and the like. It works by loading a Google script in the browser, which either presents a challenge (the classic checkbox or image grid) or silently assesses the visitor's behaviour and returns a token; the site then verifies that token server-side with Google before trusting the submission. That client-side mechanism is exactly what makes reCAPTCHA detectable: the script must load from Google's domain, it exposes a JavaScript global, and the interactive version renders a widget with a public site key right in the page. Each of those is a fingerprint a browser can read, so identifying reCAPTCHA — and usually its version — is quick.

Signal 1: the api.js script

The primary fingerprint is the loading script. reCAPTCHA is installed by including a script from Google:

• https://www.google.com/recaptcha/api.js is the standard source.
• https://www.recaptcha.net/recaptcha/api.js is the alternative domain Google offers for regions or contexts where google.com is blocked or undesirable.
• For v3 and invisible v2, you will often see the URL include a ?render=<sitekey> parameter.

Open DevTools (F12), go to the Network tab, reload, and watch for a request to recaptcha/api.js; or open View Source (Ctrl/Cmd + U) and search for recaptcha. Seeing that script load is essentially proof reCAPTCHA is present — no other tool loads from that path.

Signal 2: the grecaptcha global and the g-recaptcha div

Once the script loads, reCAPTCHA exposes a JavaScript object called grecaptcha. Open the Console and type typeof grecaptcha; if it returns "object", reCAPTCHA's API is loaded and ready. This is a fast confirmation that complements the Network view — the object only exists when the script actually ran.

The interactive (v2) version also renders from a specific element: a <div class="g-recaptcha" data-sitekey="...">. Right-click the CAPTCHA widget on a form and choose Inspect, and you will see that g-recaptcha container with a data-sitekey attribute. The site key is the public identifier of the site's reCAPTCHA configuration; it is meant to be visible (the secret key stays on the server). Finding a g-recaptcha div with a data-sitekey confirms reCAPTCHA is wired into that specific form.

Signal 3: telling v2 from v3 by behaviour

The version is usually obvious from what you see and do:

• reCAPTCHA v2 (checkbox) is interactive. It shows the familiar "I'm not a robot" checkbox, and if the system is suspicious it follows up with an image challenge ("select all the buses"). Rendered from a visible g-recaptcha widget.
• reCAPTCHA v2 (invisible) binds to a button rather than showing a checkbox, presenting a challenge only when it deems one necessary.
• reCAPTCHA v3 is fully invisible: it runs in the background, scores the interaction from 0.0 to 1.0, and never shows a challenge. Its only visible trace is usually a small reCAPTCHA badge in a bottom corner of the page (the "protected by reCAPTCHA" logo with Privacy and Terms links).

So a visible checkbox means v2; an invisible badge with no challenge, and an api.js?render= URL, means v3. The badge is a reliable v3 tell because Google's terms require sites to either show it or display a text disclosure instead.

The signal table

Signal	Where to find it	What it means
recaptcha/api.js script	Network tab, View Source	reCAPTCHA loading — definitive
?render=<sitekey> on api.js	Network tab, View Source	Strong hint of reCAPTCHA v3 / invisible
typeof grecaptcha → "object"	DevTools Console	reCAPTCHA API present and ready
g-recaptcha div with data-sitekey	Inspect the form	Interactive v2 widget wired to a form
"I'm not a robot" checkbox / image grid	The page	reCAPTCHA v2 (interactive)
Small reCAPTCHA badge, no challenge	Bottom corner of page	reCAPTCHA v3 (invisible scoring)

A single matching row usually settles which CAPTCHA is in use; the script domain plus the version behaviour give you both the tool and the version.

Method 1: View Source

The quickest single check is View Source. Open the page (ideally one with a form — a login, contact or signup page), press Ctrl/Cmd + U, and search for recaptcha. You are looking for the api.js script source and, on v2 forms, the g-recaptcha div with its data-sitekey. Because these are placed directly in the HTML so the widget can render, they appear in the server-rendered source. A source search is therefore a fast first pass that confirms both that reCAPTCHA is present and, from the markup and the render parameter, often which version — the same approach used throughout technology detection.

Method 2: the DevTools Network and Console

For a live, definitive read, combine Network and Console. In Network, reload and watch for the recaptcha/api.js request (note any ?render= parameter, a v3 tell) and the follow-up calls reCAPTCHA makes as it loads its frames. In Console, run typeof grecaptcha to confirm the API initialised, and on a v3 page you can sometimes observe grecaptcha.execute being called. This pairing confirms the tool is genuinely running rather than merely referenced, and it is the same Network-tab discipline that supports reading the rest of a site's security and delivery, such as in how to read a website's HTTP response headers.

Method 3: inspect the form and the badge

If a CAPTCHA is visible, inspect it. Right-click the checkbox widget and choose Inspect to read the g-recaptcha div and its data-sitekey (v2). If there is no widget but a small "protected by reCAPTCHA" badge sits in a corner, that is the v3 signature — inspect the badge to confirm it links to Google's reCAPTCHA Privacy and Terms. This visual method is the fastest way to pin down the version, because the difference between an interactive checkbox and an invisible badge is immediately apparent on screen. Where the widget is themed or embedded in an iframe, the element classes and the badge still betray reCAPTCHA.

The alternatives: hCaptcha and Cloudflare Turnstile

reCAPTCHA is the most common CAPTCHA, but not the only one, so it is worth knowing the main alternatives by their fingerprints:

• hCaptcha loads from hcaptcha.com (js.hcaptcha.com/1/api.js) and renders from an h-captcha div with its own data-sitekey, exposing an hcaptcha global. It is frequently chosen for privacy reasons and is the default CAPTCHA in some platforms.
• Cloudflare Turnstile loads from challenges.cloudflare.com/turnstile/v0/api.js and renders a cf-turnstile widget. It is a non-interactive challenge designed to avoid puzzles, and its presence usually indicates the site is in Cloudflare's ecosystem.

So if you do not find the reCAPTCHA script but a form is clearly protected, check for hcaptcha.com or challenges.cloudflare.com — the script domain tells the three apart cleanly. Identifying the specific tool, rather than just noting "a CAPTCHA", is the accurate read.

A worked example

You want to know how a site protects its login. You open the login page and View Source, searching for recaptcha — you find a script tag for www.google.com/recaptcha/api.js?render=6Lx..., the render parameter hinting at v3. There is no checkbox on the form, but a small "protected by reCAPTCHA" badge sits in the bottom-right corner, linking to Google's Privacy and Terms — the v3 signature. You open the Console and confirm typeof grecaptcha is "object", and you observe a grecaptcha.execute call fire as the page settles. So the read is clear: this site uses reCAPTCHA v3, scoring visitors invisibly rather than challenging them. Compare that with a contact form elsewhere on the site that shows the classic "I'm not a robot" checkbox — that page uses reCAPTCHA v2. Sites do mix versions by context, so checking the relevant page (login, signup, contact, checkout) matters.

The bot-protection context

CAPTCHAs exist to separate legitimate humans from automated abuse, and where a site places them tells you what it is defending. Logins and signups get CAPTCHA to resist credential stuffing and fake-account creation; contact and comment forms to resist spam; checkouts and high-value actions to resist fraud and scraping. The choice of version reflects a trade-off: v2 asks the user to do something, which is more friction but a clearer gate, while v3 scores invisibly for less friction but hands the decision to a threshold the site sets. So detecting the CAPTCHA, and noting where it appears, sketches a site's abuse-resistance posture — part of the same security picture as its headers and TLS. It is a small signal, but combined with others it indicates how seriously a site guards its sensitive endpoints.

What detection can and cannot see

Be clear about the boundary. Detection reliably tells you which CAPTCHA a site uses, which version (from the visible behaviour), and which forms it protects — all observable in the browser. The public site key is visible by design. What stays private is the server side: the secret key, the score threshold a v3 site uses to decide pass or fail, and the verification logic that runs when the token reaches the back end. You also cannot see how the site responds to a low score — block, challenge, flag for review — because that is server-side policy. So report the tool and version with confidence, and treat the thresholds and back-end handling as private. This is the same client-side boundary that applies across detection: you see what loads and renders, not the server's decisions.

How accurate is CAPTCHA detection?

Highly accurate for the tool and version. The api.js script domain, the grecaptcha global and the g-recaptcha/data-sitekey markup are intrinsic to how reCAPTCHA installs, so naming it is reliable; the visible checkbox-versus-badge difference makes the version clear; and the alternative tools (hCaptcha, Turnstile) have equally distinct domains. The honest gaps are the server-side configuration (secret key, score threshold, response policy), which is invisible, and the need to check the right page, since a site may protect only certain forms or use different versions in different places. So "which CAPTCHA does this form use, and which version?" is answerable with confidence, while "what score does it require and what does it do on failure?" is not. Confirm the tool and version from the page, and leave the back-end policy as the private part it is.

The workflow

1. Open a page with a form (login, signup, contact, checkout) and View Source; search for recaptcha.
2. Watch the Network tab for recaptcha/api.js and note any ?render= parameter (a v3 hint).
3. Check the Console with typeof grecaptcha to confirm the API loaded.
4. Read the behaviour — checkbox/image grid means v2; an invisible badge means v3.
5. If reCAPTCHA is absent, check for hcaptcha.com or challenges.cloudflare.com instead.

Go deeper

• The whole stack: how to find out what technology a website uses.
• The metadata layer: how to read a website's HTTP response headers.
• The analytics beside it: how to find out what analytics a website uses.
• The tag manager that may load it: how to check if a website uses Google Tag Manager.

Want a site's bot protection, security headers and full stack identified automatically? Analyse any site with StackOptic — free, no sign-up.