Chrome DevTools is the fastest way to extract CAPTCHA parameters from a page, monitor challenge loading, and verify that solved tokens are submitted correctly. The Network tab shows every request involved in the CAPTCHA lifecycle.
What You Can Find with DevTools
| Task | Where to Look |
|---|---|
| Find the reCAPTCHA sitekey | Network requests to google.com/recaptcha |
| Find the Turnstile sitekey | Network requests to challenges.cloudflare.com |
| Verify token injection | Form submission POST data |
| See challenge loading | Script and XHR requests from CAPTCHA iframe |
| Check CAPTCHA errors | Console tab error messages |
| Monitor callback execution | Event listeners and console logs |
Finding CAPTCHA Parameters
Opening DevTools
- Navigate to the page with the CAPTCHA
- Press
F12orCtrl+Shift+I(Windows/Linux) /Cmd+Option+I(macOS) - Click the Network tab
- Reload the page (
Ctrl+R) to capture all requests from the start
Extracting reCAPTCHA Sitekey
Filter the Network tab to find the reCAPTCHA initialization:
- In the filter box, type
recaptcha - Look for a request to
google.com/recaptcha/api2/anchororgoogle.com/recaptcha/enterprise/anchor - Click the request and check the Query String Parameters
- The
kparameter is the sitekey
Request URL: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LcR_RsTAAAAACHE...&co=aHR0c...
^^^^^^^^^^^^^^^^
This is the sitekey
Alternative — Console tab:
// Find reCAPTCHA sitekey from the page DOM
document.querySelector('[data-sitekey]')?.getAttribute('data-sitekey')
// or
document.querySelector('.g-recaptcha')?.getAttribute('data-sitekey')
Extracting Turnstile Sitekey
- Filter Network tab for
challenges.cloudflare.com - Look for the Turnstile script loading request
- Check the page source for the sitekey:
// Find Turnstile sitekey from the page DOM
document.querySelector('[data-sitekey]')?.getAttribute('data-sitekey')
// or check the turnstile render call
document.querySelector('.cf-turnstile')?.getAttribute('data-sitekey')
Extracting hCaptcha Sitekey
- Filter Network tab for
hcaptcha.com - Look for requests to
hcaptcha.com/checksiteconfig - The
sitekeyparameter is in the query string:
// Find hCaptcha sitekey
document.querySelector('[data-sitekey]')?.getAttribute('data-sitekey')
// or
document.querySelector('.h-captcha')?.getAttribute('data-sitekey')
Monitoring the CAPTCHA Lifecycle
reCAPTCHA Request Sequence
With the Network tab open, interact with the CAPTCHA and watch these requests:
| Order | Request | Purpose |
|---|---|---|
| 1 | recaptcha/api.js |
Load the reCAPTCHA library |
| 2 | recaptcha/api2/anchor |
Initialize the widget (checkbox appears) |
| 3 | recaptcha/api2/bframe |
Load the challenge frame |
| 4 | recaptcha/api2/payload |
Fetch challenge images (if image challenge triggered) |
| 5 | recaptcha/api2/userverify |
Submit the solution and get the token |
Turnstile Request Sequence
| Order | Request | Purpose |
|---|---|---|
| 1 | challenges.cloudflare.com/turnstile/v0/api.js |
Load Turnstile library |
| 2 | challenges.cloudflare.com/cdn-cgi/challenge-platform/ |
Initialize the managed challenge |
| 3 | Various challenge requests | Internal verification steps |
| 4 | Callback with token | Token returned via callback or hidden input |
Verifying Token Injection
After solving a CAPTCHA (manually or via API), verify the token is injected correctly:
Check the Hidden Input
// reCAPTCHA token
document.querySelector('#g-recaptcha-response')?.value
// or
document.querySelector('[name="g-recaptcha-response"]')?.value
// Turnstile token
document.querySelector('[name="cf-turnstile-response"]')?.value
// hCaptcha token
document.querySelector('[name="h-captcha-response"]')?.value
Watch the Form Submission
- Keep the Network tab open
- Submit the form
- Click the POST request
- Check the Payload tab (or Form Data)
- Verify the token field is present and non-empty
| Field to Check | Expected Value |
|---|---|
g-recaptcha-response |
Long base64-encoded token string |
cf-turnstile-response |
Turnstile token string |
h-captcha-response |
hCaptcha token string |
If the field is empty or missing, your token injection failed.
Debugging Common Issues
Token Not Appearing in Form Submission
Use the Console to check if the token was set:
// Check if textarea exists and has a value
const textarea = document.querySelector('#g-recaptcha-response');
console.log('Exists:', !!textarea);
console.log('Value length:', textarea?.value?.length);
console.log('Display:', textarea?.style.display);
Common causes:
- Token injected into wrong element (multiple reCAPTCHA instances on page)
- Token expired before form submission (reCAPTCHA tokens expire in ~120 seconds)
- JavaScript validation re-triggers CAPTCHA after injection
CAPTCHA Widget Not Loading
Check the Console tab for errors:
| Console Error | Meaning |
|---|---|
ERROR for site owner: Invalid key type |
Sitekey doesn't match the reCAPTCHA type (v2 vs v3 vs Enterprise) |
reCAPTCHA placeholder element must be an element or id |
Container element not found in DOM |
Refused to load script (CSP error) |
Content Security Policy blocks CAPTCHA script |
net::ERR_BLOCKED_BY_CLIENT |
Ad blocker blocking CAPTCHA resources |
reCAPTCHA v3 Score Verification
For reCAPTCHA v3, watch the Network tab after token generation:
- Filter for the site's backend endpoint that verifies the token
- Check the response from Google's
siteverifyendpoint (if proxied through the backend) - Look for the
scorefield in the response
Using the Preserve Log Feature
By default, the Network tab clears on page navigation. For CAPTCHA workflows that redirect after submission:
- Check Preserve log at the top of the Network tab
- Now requests persist across page loads
- You can see both the form submission and the redirect response
Copying Requests for Reproduction
Right-click any Network request for export options:
| Option | Use |
|---|---|
| Copy as cURL | Run the exact request from your terminal |
| Copy as fetch | Paste into Console or your JavaScript code |
| Copy request headers | Compare headers between working and failing requests |
| Copy response | Save the server's response for analysis |
Example — Copy a CAPTCHA verification request as cURL:
curl 'https://example.com/submit' \
-H 'content-type: application/x-www-form-urlencoded' \
--data-raw 'name=test&email=test%40test.com&g-recaptcha-response=TOKEN_HERE'
This helps reproduce issues outside the browser.
Performance Timing
The Timing subtab for each request shows:
| Phase | What It Tells You |
|---|---|
| Stalled | How long the request waited in queue |
| DNS Lookup | DNS resolution time for the CAPTCHA CDN |
| Initial Connection | TCP connection to CAPTCHA server |
| SSL | TLS handshake duration |
| Waiting (TTFB) | Server processing time |
| Content Download | Response body transfer time |
If CAPTCHA widgets load slowly, check whether the bottleneck is DNS, connection, or server response.
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| Can't find sitekey in Network tab | CAPTCHA loaded before DevTools opened | Check "Preserve log," reload page, or search page source (Ctrl+U) |
| Token value shows as truncated | DevTools truncates long strings | Click the value to see the full token, or use Console to get value.length |
| Network tab shows too many requests | No filter applied | Filter by recaptcha, hcaptcha, cloudflare, or the site's domain |
| Form submission doesn't appear | Form uses JavaScript fetch() or XMLHttpRequest |
Filter by XHR type in Network tab to see AJAX submissions |
| CAPTCHA requests from iframe not visible | Cross-origin iframe isolation | No fix in DevTools — use Fiddler or Charles to capture iframe traffic |
FAQ
Can I solve CAPTCHAs directly from DevTools?
You can inject a solved token into the DOM using the Console, but you can't solve the CAPTCHA challenge itself from DevTools. Use CaptchaAI to get the token, then inject it via Console for testing.
Does opening DevTools affect CAPTCHA behavior?
Some CAPTCHA providers detect DevTools presence through timing or debugger detection. reCAPTCHA v3 may assign a lower score when DevTools is open. For production debugging, use a proxy tool like Fiddler instead.
How do I find parameters for CAPTCHAs loaded in Shadow DOM?
Shadow DOM encapsulates CAPTCHA elements. In Console, use: document.querySelector('element-tag').shadowRoot.querySelector('[data-sitekey]') to access elements inside shadow roots.
Related Articles
Next Steps
Once you've extracted the CAPTCHA parameters, submit them to CaptchaAI for solving. The API returns a token you can inject using the same Console techniques shown above.
Related guides:
Discussions (0)
Join the conversation
Sign in to share your opinion.
Sign InNo comments yet.