reCAPTCHA Enterprise Assessment API Deep Dive

reCAPTCHA Enterprise is Google's premium CAPTCHA service that extends reCAPTCHA v3 with detailed risk analysis, score reasons, fraud detection signals, and account defender capabilities. Unlike the standard free version that returns only a score and action, Enterprise provides explainable assessments with specific risk factors. This guide covers the Enterprise Assessment API architecture, response structure, and how to handle Enterprise-protected sites in automation.

Enterprise vs standard reCAPTCHA

Feature	reCAPTCHA v3 (free)	reCAPTCHA Enterprise
Scoring	0.0-1.0 score	0.0-1.0 score + score reasons
Risk analysis	Basic	Detailed (fraud signals, account info)
Score reasons	Not provided	Specific reasons explaining the score
Account Defender	No	Yes (tracks account lifecycle)
WAF integration	No	Yes (Cloudflare, Fastly, F5)
Express assessment	No	Yes (server-side only, no JS)
Password leak detection	No	Yes
Pricing	Free (1M assessments/month)	$1 per 1000 assessments (0-1M free)
API endpoint	google.com/recaptcha/api/siteverify	recaptchaenterprise.googleapis.com

Enterprise Assessment API flow

Client-side:

  1. Load reCAPTCHA Enterprise script
  2. Call grecaptcha.enterprise.execute(SITE_KEY, {action: 'LOGIN'})
  3. Receive token
  4. Send token to your backend

Server-side:

  1. Create assessment via Enterprise API
  2. Receive detailed risk analysis
  3. Make access decision based on score + reasons
  4. Optionally annotate the assessment (report fraud/legitimate)

Client-side integration

JavaScript SDK

<script src="https://www.google.com/recaptcha/enterprise.js?render=SITE_KEY"></script>
<script>
    grecaptcha.enterprise.ready(function() {
        grecaptcha.enterprise.execute('SITE_KEY', { action: 'LOGIN' })
            .then(function(token) {
                // Send token to backend
                fetch('/api/verify', {
                    method: 'POST',
                    headers: { 'Content-Type': 'application/json' },
                    body: JSON.stringify({ token: token })
                });
            });
    });
</script>

Key differences from standard reCAPTCHA v3:

Script URL uses .../recaptcha/enterprise.js instead of .../recaptcha/api.js
API object is grecaptcha.enterprise instead of grecaptcha
execute() returns the same token format

Detection in page source

import requests
import re

def detect_recaptcha_enterprise(url):
    """Detect if a page uses reCAPTCHA Enterprise."""
    html = requests.get(url, timeout=10).text

    indicators = {
        "is_enterprise": False,
        "is_standard": False,
        "site_key": None,
        "actions": [],
    }

    # Enterprise detection
    if "recaptcha/enterprise.js" in html:
        indicators["is_enterprise"] = True
        match = re.search(r"render=([A-Za-z0-9_-]+)", html)
        if match:
            indicators["site_key"] = match.group(1)

    # Standard v3 detection
    elif "recaptcha/api.js?render=" in html:
        indicators["is_standard"] = True
        match = re.search(r"render=([A-Za-z0-9_-]+)", html)
        if match:
            indicators["site_key"] = match.group(1)

    # Extract action names
    actions = re.findall(r"action:\s*['\"](\w+)['\"]", html)
    indicators["actions"] = list(set(actions))

    return indicators

print(detect_recaptcha_enterprise("https://example.com/login"))

Server-side Assessment API

Creating an assessment (Google Cloud API)

from google.cloud import recaptchaenterprise_v1
from google.cloud.recaptchaenterprise_v1 import Assessment

def create_assessment(project_id, site_key, token, action):
    """Create a reCAPTCHA Enterprise assessment."""
    client = recaptchaenterprise_v1.RecaptchaEnterpriseServiceClient()

    event = recaptchaenterprise_v1.Event()
    event.site_key = site_key
    event.token = token
    event.expected_action = action

    assessment = recaptchaenterprise_v1.Assessment()
    assessment.event = event

    request = recaptchaenterprise_v1.CreateAssessmentRequest()
    request.assessment = assessment
    request.parent = f"projects/{project_id}"

    response = client.create_assessment(request)
    return response

Assessment response structure

{
    "name": "projects/123456/assessments/abcdef123",
    "event": {
        "token": "...",
        "siteKey": "6Le...",
        "expectedAction": "LOGIN",
        "hashedAccountId": "abc123..."
    },
    "riskAnalysis": {
        "score": 0.9,
        "reasons": [
            "AUTOMATION",
            "TOO_MUCH_TRAFFIC"
        ],
        "extendedVerdictReasons": [
            "BROWSER_ERROR"
        ]
    },
    "tokenProperties": {
        "valid": true,
        "hostname": "example.com",
        "action": "LOGIN",
        "createTime": "2025-01-15T10:30:00Z",
        "invalidReason": ""
    },
    "accountDefenderAssessment": {
        "labels": ["PROFILE_MATCH"]
    }
}

Enterprise score reasons

Enterprise provides specific reasons explaining why a score is low:

Reason	Description	Score impact
`AUTOMATION`	Automated user agent or headless browser detected	-0.3 to -0.7
`UNEXPECTED_ENVIRONMENT`	Browser or device environment inconsistencies	-0.2 to -0.4
`TOO_MUCH_TRAFFIC`	High request volume from this IP or session	-0.1 to -0.3
`UNEXPECTED_USAGE_PATTERNS`	Behavioral signals deviate from human norms	-0.2 to -0.5
`LOW_CONFIDENCE_SCORE`	Insufficient data to make a confident assessment	Variable
`SUSPECTED_CARDING`	Transaction pattern matches credit card fraud	-0.3 to -0.6
`SUSPECTED_CHARGEBACK`	Risk of chargeback based on transaction signals	-0.2 to -0.4

Extended verdict reasons (additional detail)

Reason	Description
`BROWSER_ERROR`	JavaScript execution errors in CAPTCHA SDK
`SITE_MISMATCH`	Token created for different site than validated on
`FAILED_TWO_FACTOR`	Two-factor authentication failed recently

Account Defender

Enterprise's Account Defender tracks user accounts across their lifecycle:

{
    "accountDefenderAssessment": {
        "labels": [
            "PROFILE_MATCH",
            "SUSPICIOUS_LOGIN_ACTIVITY",
            "SUSPICIOUS_ACCOUNT_CREATION",
            "RELATED_ACCOUNTS_NUMBER_HIGH"
        ]
    }
}

Label	Meaning
`PROFILE_MATCH`	Behavior matches the known profile for this account
`SUSPICIOUS_LOGIN_ACTIVITY`	Login pattern deviates from normal (new device, location)
`SUSPICIOUS_ACCOUNT_CREATION`	Account creation looks automated
`RELATED_ACCOUNTS_NUMBER_HIGH`	Multiple accounts linked to same device/session

WAF integration

reCAPTCHA Enterprise integrates with WAF providers to add CAPTCHA challenges at the network edge:

Cloudflare WAF integration

Request arrives at Cloudflare edge
    ↓
Cloudflare WAF rule evaluates request
    ↓
Rule triggers reCAPTCHA Enterprise challenge
    ↓
Client solves CAPTCHA → token returned
    ↓
Cloudflare validates token via Enterprise API
    ↓
If valid + score above threshold → request forwarded to origin

F5 BIG-IP integration

F5 iRule or policy evaluates request
    ↓
Triggers reCAPTCHA Enterprise challenge page
    ↓
Client solves → token validated server-side
    ↓
F5 forwards or blocks based on assessment score

Handling Enterprise reCAPTCHA in automation

CaptchaAI solves Enterprise the same way as standard reCAPTCHA

From an API solver perspective, reCAPTCHA Enterprise tokens work identically to standard reCAPTCHA tokens:

import requests
import time

API_KEY = "YOUR_API_KEY"

# Enterprise is solved with the same method
# The solver handles the Enterprise variant automatically
submit = requests.post("https://ocr.captchaai.com/in.php", data={
    "key": API_KEY,
    "method": "userrecaptcha",
    "googlekey": "6LcR_RsTAAAAAN_r0GEkGBfq3L7KmU5JbPHJtwNp",
    "pageurl": "https://enterprise-site.com/login",
    "enterprise": 1,  # Flag for Enterprise variant
    "json": 1,
})

task_id = submit.json()["request"]

for _ in range(60):
    time.sleep(5)
    result = requests.get("https://ocr.captchaai.com/res.php", params={
        "key": API_KEY,
        "action": "get",
        "id": task_id,
        "json": 1,
    }).json()

    if result.get("status") == 1:
        token = result["request"]
        print(f"Enterprise token: {token[:50]}...")
        break

Node.js

const axios = require("axios");

async function solveEnterprise(sitekey, pageurl) {
    const API_KEY = "YOUR_API_KEY";

    const { data: submit } = await axios.post(
        "https://ocr.captchaai.com/in.php",
        new URLSearchParams({
            key: API_KEY,
            method: "userrecaptcha",
            googlekey: sitekey,
            pageurl: pageurl,
            enterprise: 1,
            json: 1,
        })
    );

    const taskId = submit.request;

    for (let i = 0; i < 60; i++) {
        await new Promise(r => setTimeout(r, 5000));
        const { data: result } = await axios.get(
            "https://ocr.captchaai.com/res.php",
            { params: { key: API_KEY, action: "get", id: taskId, json: 1 } }
        );

        if (result.status === 1) return result.request;
    }

    throw new Error("Timeout");
}

How to detect Enterprise vs standard on a target page

def identify_recaptcha_version(html):
    """Determine which reCAPTCHA version a page uses."""
    if "recaptcha/enterprise.js" in html:
        return "enterprise"
    elif "recaptcha/api.js?render=" in html:
        return "v3"
    elif "g-recaptcha" in html and 'data-size="invisible"' in html:
        return "v2_invisible"
    elif "g-recaptcha" in html:
        return "v2"
    else:
        return "none"

Enterprise troubleshooting

Issue	Diagnosis	Solution
Token rejected by Enterprise API	Using standard method for Enterprise site	Add `enterprise=1` to solver request
Score always 0.1 despite valid token	Action parameter mismatch	Verify the `action` matches what the page sends
"SITE_MISMATCH" in reasons	Token generated for wrong domain	Ensure `pageurl` exactly matches the target
"AUTOMATION" in score reasons	Solver environment detected	CaptchaAI handles this — if persisting, contact support
Token valid but site still blocks	Site uses additional checks beyond CAPTCHA	Check for other bot detection layers (WAF, fingerprint)

Frequently asked questions

Is reCAPTCHA Enterprise harder to solve than standard reCAPTCHA?

The token generation process is the same. Enterprise adds server-side analysis features (score reasons, Account Defender) but the client-side challenge is identical. API solvers generate tokens for Enterprise the same way they do for standard versions.

Do I need a Google Cloud account to solve Enterprise CAPTCHAs?

No. As an automation developer solving Enterprise CAPTCHAs on target websites, you only need the sitekey from the page and an API solver like CaptchaAI. The Google Cloud account is needed by the website operator to validate assessments, not by the CAPTCHA solver.

How do I tell if a site uses Enterprise or standard reCAPTCHA?

Check the script URL. Enterprise uses recaptcha/enterprise.js while standard uses recaptcha/api.js. The JavaScript API object name also differs: grecaptcha.enterprise.execute() vs grecaptcha.execute().

Can Enterprise score reasons be used to improve my automation?

If you operate the target site (testing your own CAPTCHA implementation), yes — the reasons tell you which detection signals fired. If you are solving CAPTCHAs on third-party sites, the reasons are not visible to you — only the site operator sees them.

Summary

reCAPTCHA Enterprise extends standard reCAPTCHA with detailed risk analysis, score reasons, Account Defender, and WAF integration. From an automation perspective, Enterprise CAPTCHAs are solved identically to standard reCAPTCHA — add the enterprise=1 parameter to your CaptchaAI API request. Detect Enterprise by checking for recaptcha/enterprise.js in the page source. The key operational difference is ensuring you pass the correct enterprise flag and matching action parameter.