Google's bot detection service protecting websites from spam and abuse. v3 works invisibly while v2 uses challenges.

28496 detections
20 websites tracked
Updated 15 Jun 2026

Websites Using reCAPTCHA

What Is Google reCAPTCHA?

Google reCAPTCHA is a free bot-protection service from Google that helps websites distinguish human visitors from automated traffic. It guards login forms, signup flows, comment boxes, checkout pages, and APIs against abuse such as credential stuffing, spam, and scraping. This profile is strictly defensive: it explains how reCAPTCHA works and how to detect its presence on a site, not how to bypass or defeat it.

reCAPTCHA has evolved through several generations. The original distorted-text challenges gave way to "No CAPTCHA reCAPTCHA" (the famous "I'm not a robot" checkbox) and then to invisible and score-based versions. According to Google's official documentation, the two widely deployed versions today are reCAPTCHA v2 (the checkbox and invisible variants that may show an image challenge) and reCAPTCHA v3 (which returns a risk score from 0.0 to 1.0 without interrupting the user). Google also offers reCAPTCHA Enterprise for higher-volume, more configurable deployments.

Detecting reCAPTCHA is comparatively straightforward because, unlike a server-side language, it runs in the browser and loads identifiable client-side resources. Its presence is visible in page source, network requests, and the JavaScript environment.

The name reCAPTCHA itself has historical roots: early versions asked users to transcribe distorted words, and that human effort was reused to help digitize books and improve optical character recognition. Modern versions no longer rely on that approach. They lean on behavioral analysis and risk scoring, which is why the latest version can protect a page without ever showing a visible challenge. For anyone evaluating a website's defensive posture, recognizing which generation is in use is a useful, purely observational skill.

How Google reCAPTCHA Works

reCAPTCHA combines a client-side widget with a server-side verification step. The high-level flow is:

  1. The website embeds Google's reCAPTCHA JavaScript, typically loaded from www.google.com/recaptcha/api.js (or the recaptcha.net mirror).
  2. The script registers a site key (data-sitekey) tied to the website's domain in the Google admin console.
  3. When the user interacts with the page, reCAPTCHA collects behavioral and environmental signals in the browser.
  4. reCAPTCHA produces a token. In v2 this happens after the checkbox or an image challenge; in v3 it happens silently during page activity.
  5. The website sends that token, along with a private secret key, to Google's verification endpoint (www.google.com/recaptcha/api/siteverify) from its own server.
  6. Google responds with success or failure (and, for v3, a score and action name) so the site can decide whether to allow the request.

The crucial design point is that the secret key never appears in the browser. Verification is a server-to-server call, which is why detection from the client side reveals the widget and site key but not the secret.

v2 versus v3 behavior

  • reCAPTCHA v2 (checkbox) shows the "I'm not a robot" box and may escalate to an image-selection challenge when the risk signals are ambiguous.
  • reCAPTCHA v2 (invisible) binds to a button or action and only shows a challenge when needed, with no permanent checkbox.
  • reCAPTCHA v3 never shows a challenge. It returns a score that the site interprets, often combined with an action label like login or checkout, so the site can apply step-up authentication or silently block low-scoring requests.

Where the site key and secret key fit

Every reCAPTCHA integration uses a key pair. The site key is public and embedded in the page so the widget can load; you can read it in the HTML. The secret key is private, stored only on the website's server, and used in the server-to-server verification call. This split is fundamental to the design: anyone can see that a site uses reCAPTCHA and read its site key, but the secret that actually validates tokens is never exposed to the browser. That is why client-side detection is about confirming presence and configuration, never about obtaining anything sensitive.

How to Tell if a Website Uses Google reCAPTCHA

Because reCAPTCHA is a client-side widget, it is one of the easier technologies to confirm. StackOptic surfaces these signals from a server-side fetch of the page, and you can reproduce the checks in any browser.

View the page source

Open View Source (Ctrl+U or Cmd+U) and search (Ctrl+F) for recaptcha. Tell-tale strings include:

  • A script tag loading https://www.google.com/recaptcha/api.js (or https://recaptcha.net/recaptcha/api.js).
  • A <div class="g-recaptcha"> element with a data-sitekey attribute, which is the classic v2 checkbox embed.
  • For v3, a script URL of the form api.js?render=<site-key>, where the site key is passed as a query parameter.

Inspect the DevTools Network tab

Open DevTools, go to the Network tab, reload the page, and filter for recaptcha. You should see requests to www.google.com/recaptcha/..., including api.js and, when a challenge runs, additional anchor and bframe frame requests. These network calls are a reliable confirmation that reCAPTCHA is active.

Check the JavaScript console for the grecaptcha global

In the DevTools Console, type grecaptcha and press Enter. If reCAPTCHA is loaded, the global grecaptcha object exists and exposes methods such as render, execute, and ready. The presence of this global is a strong, direct confirmation. (Use this only to observe presence, not to interfere with the widget.)

Look at response headers and curl

While reCAPTCHA itself is loaded client-side, you can still fetch the HTML server-side to scan for the embed:

curl -s https://example.com | grep -i recaptcha

This returns the script tags and g-recaptcha markup if they are present in the initial HTML. Note that some sites inject reCAPTCHA dynamically after page load, in which case the browser DevTools Network tab is more reliable than a single curl of the static HTML.

Distinguish v2 from v3

  • If you see a visible "I'm not a robot" checkbox or an image challenge, it is v2.
  • If there is no visible widget but you find api.js?render= in the source and a grecaptcha.execute call in the scripts, it is most likely v3.
  • A small reCAPTCHA badge in the bottom-right corner ("protected by reCAPTCHA") commonly accompanies v3 and invisible v2.

Use Wappalyzer

Wappalyzer and similar extensions list reCAPTCHA under security or CAPTCHA categories when they detect the script. This is a fast confirmation, though as always you can corroborate with the grecaptcha global and the network requests.

A quick detection checklist

To confirm reCAPTCHA efficiently, work through these steps in order:

  1. View Source and search for recaptcha to find the api.js script and any g-recaptcha div.
  2. Note whether the script URL includes ?render=<site-key> (a v3 hint) or pairs with a visible data-sitekey div (a v2 hint).
  3. Open the Console and check that the grecaptcha global exists.
  4. In the Network tab, filter for recaptcha and confirm requests to www.google.com/recaptcha/.
  5. Look in the bottom-right corner for the "protected by reCAPTCHA" badge, which often accompanies v3 and invisible v2.

Two or more of these together give a confident, entirely passive confirmation.

Key Features

  • Multiple modes: checkbox v2, invisible v2, and score-based v3 to fit different UX needs.
  • Risk scoring in v3 that enables frictionless protection without interrupting users.
  • Behavioral and environmental analysis performed by Google's models.
  • Action labels in v3 that let sites tune thresholds per workflow (login, checkout, signup).
  • Server-side verification that keeps the secret key off the client.
  • Enterprise tier with granular controls, reason codes, and higher quotas.

Pros and Cons

AspectProsCons
User experiencev3 and invisible v2 add little frictionCheckbox challenges can frustrate users
EffectivenessStrong against common bots and spamDetermined adversaries and solving services exist
CostFree standard tierEnterprise tier is paid; quotas apply
PrivacyBacked by Google's threat dataSends signals to Google; privacy-conscious users may object
IntegrationWell-documented, widely supportedRequires both client embed and server verification
DetectionEasy to confirm from the client(Defensive note: visibility helps auditors, not bypassers)

Google reCAPTCHA vs Alternatives

ServiceModelPrivacy postureNotes
Google reCAPTCHACheckbox, invisible, v3 scoreSends signals to GoogleMost widely deployed; free standard tier
hCaptchaCheckbox and challengePrivacy-focused positioningPopular drop-in alternative; can pay site owners
Cloudflare TurnstileInvisible, non-interactivePrivacy-focused, no challenge by defaultFree; integrates with Cloudflare ecosystem
Friendly CaptchaProof-of-workEU/GDPR-friendly positioningAvoids tracking-style signals
Arkose LabsInteractive challengesEnterprise fraud focusTargets high-value abuse

If you are evaluating privacy-oriented options, compare reCAPTCHA with the hCaptcha profile, which is a common like-for-like replacement with a different data-handling stance.

Use Cases

  • Login and signup protection against credential stuffing and fake accounts.
  • Form spam prevention on contact, comment, and registration forms.
  • Checkout and payment safeguards to reduce carding and fraud.
  • API and endpoint protection where v3 scores gate sensitive actions.
  • Scraper deterrence on pages that expose valuable data.
  • Security audits and trust checks, where confirming a site uses reCAPTCHA is one positive signal among many about its defensive posture.

Detecting reCAPTCHA is also useful when assessing whether a site you are about to trust takes basic abuse prevention seriously, which complements broader checks like reviewing TLS, headers, and reputation.

Frequently Asked Questions

How can I tell which version of reCAPTCHA a site uses, and why does it matter?

Look at the embed. A visible "I'm not a robot" checkbox or image challenge means v2. No visible widget plus an api.js?render=<site-key> script and a grecaptcha.execute call points to v3. A floating "protected by reCAPTCHA" badge in the corner usually accompanies v3 or invisible v2. The distinction matters for the site owner too: v2 interrupts users and returns a simple pass/fail token, while v3 runs silently and returns a 0.0-to-1.0 score plus an action label, leaving the accept-or-block decision (and threshold tuning) to the site. Our guide on how to tell if a website uses reCAPTCHA walks through each case.

What is the grecaptcha global and how do I check for it?

grecaptcha is the JavaScript object Google's script exposes once reCAPTCHA loads. Open the DevTools Console, type grecaptcha, and press Enter. If it returns an object with methods like render, execute, and ready, reCAPTCHA is present. This is a direct, reliable confirmation and is purely an observation, not an interaction with the challenge.

Does reCAPTCHA stop all bots?

No defensive control is absolute. reCAPTCHA significantly raises the cost of automated abuse and blocks the large majority of unsophisticated bots and spam, especially when v3 scores are combined with sensible server-side thresholds. Determined adversaries and commercial solving services exist, so reCAPTCHA is best used as one layer alongside rate limiting, monitoring, and other defenses described in how to protect your website from bots and scrapers.

Can I detect reCAPTCHA with curl?

Often yes. Running curl -s https://example.com | grep -i recaptcha reveals the script tags and g-recaptcha markup when they are in the initial HTML. However, some sites inject reCAPTCHA dynamically after the page loads, so a single curl may miss it. In those cases, the DevTools Network tab and the grecaptcha console check are more dependable. See reading a website's HTTP headers for related techniques.

Is the presence of reCAPTCHA a sign a website is safe?

It is a positive signal but not proof on its own. A site using reCAPTCHA is taking at least one credible step against abuse, which is reassuring. Trust should still rest on the full picture: valid HTTPS, sensible security headers, domain reputation, and transparency. Our checklist in is this website safe puts CAPTCHA detection in context.

How is reCAPTCHA different from hCaptcha or Turnstile?

All three protect against bots, but they differ in data handling and UX. reCAPTCHA is the most widely deployed and shares signals with Google. hCaptcha positions itself around privacy and can pay site owners. Cloudflare Turnstile aims for a non-interactive, privacy-friendly experience with no challenge by default. Compare details in the hCaptcha profile to choose the right fit.

Want to see which bot-protection and security tools a site uses? Scan any URL with StackOptic at https://stackoptic.com.