Domain/Package Name Validation
Stay organized with collections
Save and categorize content based on your preferences.
A reCAPTCHA key is normally tied to a set of individual domains or package
names. For web users, the API key pair is unique to the domains and first-level
subdomains that you specify. Specifying more than one domain could come in handy
if you serve your website from multiple top level domains.
For example, if you specify the API key pair to yoursite.com
, the following
table shows whether or not reCAPTCHA will work for the domain and its subdomain
variations. If you specify other domain names or TLDs (for example: anothersite.com
, yoursite.net
), the same reCAPTCHA conditions apply.
Specified domain
Website domain
Will reCAPTCHA work?
yoursite.com
yoursite.com
Yes
subdomain. yoursite.com
Yes
subdomain. yoursite.com
:8080
Yes
If you would like to use "localhost" for development, you must add it to the list of domains.
For mobile users, the API key pair is only unique to the specified package
names
(for
example, com.google.recaptcha.test).
However, if your domain or package name list is extremely long, fluid, or unknown, we give you the
option to turn off the domain or package name checking on reCAPTCHA's end, and instead check on your
server.
To do so, in the admin console
, go to "Advanced Settings" for
your key, and untick the "Domain/Package Name Validation" box.
Security Warning
Turning off this protection by itself poses a large security risk - your key could be taken and used
by anyone, as there are no restrictions as to the site it's on. For this reason, when verifying a
solution, you are requiredto check the hostname/package
field
and reject any solutions that are coming from unexpected
sources.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License
, and code samples are licensed under the Apache 2.0 License
. For details, see the Google Developers Site Policies
. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-07-10 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-07-10 UTC."],[[["\u003cp\u003ereCAPTCHA keys are linked to specific domains or package names for security.\u003c/p\u003e\n"],["\u003cp\u003eYou can allow reCAPTCHA to work across multiple subdomains and domains by specifying them when creating the key.\u003c/p\u003e\n"],["\u003cp\u003eFor local development, "localhost" needs to be added to the allowed domains.\u003c/p\u003e\n"],["\u003cp\u003eDisabling domain/package name validation in reCAPTCHA settings introduces significant security risks and requires server-side hostname/package verification.\u003c/p\u003e\n"]]],["reCAPTCHA keys are tied to specific domains or package names. For websites, a key works for the specified domain and its first-level subdomains. Multiple domains can be added to a single key. For mobile apps, keys are tied to package names. If the domain/package list is extensive, checking can be disabled in the admin console's \"Advanced Settings.\" However, disabling it requires manual hostname/package verification on the server to prevent unauthorized use. Turning off domain or package checking without server side checking is a large security risk.\n"],null,["# Domain/Package Name Validation\n\nA reCAPTCHA key is normally tied to a set of individual domains or package\nnames. For web users, the API key pair is unique to the domains and first-level\nsubdomains that you specify. Specifying more than one domain could come in handy\nif you serve your website from multiple top level domains.\n\nFor example, if you specify the API key pair to *yoursite.com* , the following\ntable shows whether or not reCAPTCHA will work for the domain and its subdomain\nvariations. If you specify other domain names or TLDs (for example:\n*anothersite.com* , *yoursite.net*), the same reCAPTCHA conditions apply.\n\n| Specified domain | Website domain | Will reCAPTCHA work? |\n|------------------|-------------------------------|----------------------|\n| *yoursite.com* | *yoursite.com* | Yes |\n| *yoursite.com* | www.*yoursite.com* | Yes |\n| *yoursite.com* | subdomain.*yoursite.com* | Yes |\n| *yoursite.com* | subdomain.*yoursite.com*:8080 | Yes |\n| *yoursite.com* |\n| *yoursite.com* |\n\nIf you would like to use \"localhost\" for development, you must add it to the list of domains.\n\nFor mobile users, the API key pair is only unique to the specified [package\nnames](https://developer.android.com/guide/topics/manifest/manifest-element.html#package) (for\nexample, com.google.recaptcha.test).\n\nHowever, if your domain or package name list is extremely long, fluid, or unknown, we give you the\noption to turn off the domain or package name checking on reCAPTCHA's end, and instead check on your\nserver.\n\nTo do so, in the [admin console](//www.google.com/recaptcha/admin), go to \"Advanced Settings\" for\nyour key, and untick the \"Domain/Package Name Validation\" box.\n\nSecurity Warning\n----------------\n\nTurning off this protection by itself poses a large security risk - your key could be taken and used\nby anyone, as there are no restrictions as to the site it's on. For this reason, when verifying a\nsolution, you are **required** to check the [hostname/package\nfield](/recaptcha/docs/verify#api-response) and reject any solutions that are coming from unexpected\nsources."]]
