Choose the appropriate reCAPTCHA key type

reCAPTCHA keys (also known as keys ) , let you protect your endpoints by verifying user interactions on your web pages and mobile applications.

To choose the appropriate reCAPTCHA key type, you must understand the types of keys that are supported for each platform and their differences.

Types of reCAPTCHA keys

The following table lists reCAPTCHA keys that are supported for each platform:

Choose a reCAPTCHA key type for web

To verify user interactions on websites, reCAPTCHA provides score-based keys , which don't trigger CAPTCHA challenges, checkbox keys, which trigger non-deterministic CAPTCHA challenges, and policy-based challenge keys, which trigger deterministic CAPTCHA challenges.

All the key types return a score for each request, which is based on user interactions with your site. This score lets you understand the level of risk that the interaction poses and helps you to take appropriate actions for your site.

The following table summarizes the differences between score-based keys, checkbox keys, and policy-based challenge keys:

Comparison category

Score-based key (Recommended)

Checkbox key

Policy-based challenge key ( preview )

Description

Score-based keys let you verify whether an interaction is legitimate without any user interaction.

Checkbox keys use a checkbox challenge that requires user interaction to verify that the user is not a robot. Also, you can use checkbox keys to protect specific actions with CAPTCHA challenges.

Policy-based challenge keys trigger CAPTCHA challenges based on the configured score threshold. You can use policy-based challenge keys to protect specific actions using CAPTCHA challenges.

How it works

With score-based keys, the reCAPTCHA Enterprise API returns a score, which you can use to take action in the context of your site.

Examples of actions you might take include requiring additional factors of authentication, sending a post to moderation, or throttling bots that might be scraping content.

A checkbox key renders an I'm not a robot checkbox that a user must click to verify that they're not a robot. This checkbox key might or might not challenge them with CAPTCHA challenges. In both cases, the reCAPTCHA Enterprise API returns a score.

CAPTCHA challenges require a user to select certain kinds of objects, such as street signs, from a collection of images.

The following animated GIF is an example of a checkbox key:

The following image shows a sample CAPTCHA challenge:

Before using CAPTCHA challenges, you must understand the CAPTCHA challenges caveats.

With policy-based challenge keys, CAPTCHA challenges are triggered if the initial score that is computed by reCAPTCHA is below the configured score threshold. Policy-based challenge keys differ from checkbox keys because they can deterministically trigger CAPTCHA challenges.

CAPTCHA challenges require a user to select certain kinds of objects, such as street signs, from a collection of images.

The following image shows a sample CAPTCHA challenge:

Before using CAPTCHA challenges, you must understand the CAPTCHA challenges caveats.

Supported platforms

Websites and mobile platforms.

Websites only.

Websites only.

Use cases

Score-based keys are appropriate for the following use cases:

• Websites that have accessibility requirements.
• For payment-related transactions that prefer less friction for better conversion rates.
• Situations where you want to use additional features such as password check (Password defense) or Multi-factor authentication (MFA).
• Sites accessed through mobile applications.

Checkbox keys are appropriate for forms, logins, and signups on web pages. Though it might cause extra friction for users, an extra step such as CAPTCHA challenge helps to deter unsophisticated attackers.

Policy-based challenge keys are appropriate for forms, logins, and signups on web pages. Though it might cause extra friction for users, an extra step such as CAPTCHA challenge helps to deter unsophisticated attackers.

Caveats with CAPTCHA challenges

If you want to use checkbox keys with CAPTCHA challenges to protect against automated attacks, be aware of the following caveats:

• CAPTCHAs require user interaction, which increases friction and might decrease conversion rates.
• Due to the advances in computer vision and machine intelligence, CAPTCHAs are becoming less useful to distinguish between humans and bots.
• CAPTCHAs are also under threat from paid attackers who can solve all types of challenges.
• CAPTCHAs are not accessible for all users, so they might not be suitable if your website has accessibility requirements.

Choose reCAPTCHA key types for WAF

reCAPTCHA for Google Cloud Armor integrations support action-tokens, session-tokens, challenge page, and reCAPTCHA express

You can use one or more reCAPTCHA for Google Cloud Armor features in a single application. For example, you can choose to apply a session-token for all pages, and based on the session-token's score, you can redirect suspicious requests to the reCAPTCHA challenge page. Also, you can use an action-token for high-profile actions, such as checkout. For more information, see examples .

The following table shows a brief comparison of the available reCAPTCHA for Google Cloud Armor features:

Choose reCAPTCHA express keys for APIs

Use reCAPTCHA express when your environment does not support a reCAPTCHA client integration like the JavaScript API or the mobile SDKs. reCAPTCHA express is suitable for APIs, websites, mobile applications, and IoT devices such as TVs and gaming consoles, but can also be used to protect websites or mobile applications when a client-side integration is infeasible.

Because reCAPTCHA express is a server-side only integration, it lacks client-side signal collection. This typically results in a lower detection accuracy than integrations that involve a client-side component.

What's next

• Create reCAPTCHA keys for websites .
• Create reCAPTCHA keys for mobile applications .
• Learn more about reCAPTCHA keys for WAF .
• Learn more about reCAPTCHA express keys for APIs .