reCAPTCHA Enterprise uses two different keys — and confusing them is one of the most common configuration mistakes. The site key renders the CAPTCHA widget on the page. The API key authenticates server-side verification requests to Google. You need the site key when sending tasks to CaptchaAI, not the API key.
The Two Keys Explained
Site Key (Public)
The site key is embedded in the page HTML. It identifies which reCAPTCHA configuration to load:
<script src="https://www.google.com/recaptcha/enterprise.js?render=6LcR_RsTAAAAADge..."></script>
Or in a grecaptcha.enterprise.execute call:
grecaptcha.enterprise.execute('6LcR_RsTAAAAADge...', { action: 'login' });
Properties:
- Starts with 6L (same prefix as standard reCAPTCHA)
- Visible in page source — public by design
- Tied to specific domains in Google Cloud Console
- This is what CaptchaAI needs to solve the challenge
API Key (Private)
The API key authenticates server-to-Google communication for token verification:
POST https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/assessments?key=AIzaSy...
Properties:
- Starts with AIzaSy (Google Cloud API key format)
- Never exposed in client-side code
- Used only by the site's backend to verify tokens
- CaptchaAI does not need this key
Key Comparison
| Property | Site Key | API Key |
|---|---|---|
| Format | 6L... (40 chars) | AIzaSy... (39 chars) |
| Visibility | Public (in HTML/JS) | Private (server-side only) |
| Purpose | Load CAPTCHA widget | Verify tokens with Google |
| Where found | Page source, JS calls | Server config, env vars |
| CaptchaAI needs? | Yes | No |
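For the site operator, the comparison above turns into a deployment check: the two keys must not be swapped, and the private API key must never appear in markup sent to the browser. The following is an added example, not code from the original page; the patterns are assumptions derived from the prefixes and lengths in the table, and all key values are constructed.

```javascript
// Added example: audit a reCAPTCHA Enterprise deployment for swapped or leaked keys.
// Patterns are assumptions based on the table above (6L..., 40 chars; AIzaSy..., 39 chars).
const SITE_KEY_RE = /^6L[0-9A-Za-z_-]{38}$/;
const API_KEY_RE = /^AIzaSy[0-9A-Za-z_-]{33}$/;
const API_KEY_IN_TEXT = /AIzaSy[0-9A-Za-z_-]{33}/g;

function classifyKey(value) {
  if (SITE_KEY_RE.test(value)) return 'site';
  if (API_KEY_RE.test(value)) return 'api';
  return 'unknown';
}

// config: { siteKey, apiKey } as loaded from server config; clientHtml: the rendered page.
function auditRecaptchaConfig(config, clientHtml) {
  const findings = [];
  const siteKind = classifyKey(config.siteKey);
  const apiKind = classifyKey(config.apiKey);
  if (siteKind === 'api') {
    findings.push('site-key slot holds an API key (it would be published in HTML)');
  } else if (siteKind !== 'site') {
    findings.push('site-key slot does not look like a site key');
  }
  if (apiKind === 'site') {
    findings.push('api-key slot holds a site key (assessments calls will fail)');
  } else if (apiKind !== 'api') {
    findings.push('api-key slot does not look like an API key');
  }
  // The API key is private: any occurrence in client-side markup is a leak.
  for (const k of new Set(clientHtml.match(API_KEY_IN_TEXT) || [])) {
    findings.push(`API key exposed in client-side markup: ${k.slice(0, 8)}...`);
  }
  return findings;
}

// Constructed sample values (not real keys).
const SAMPLE_SITE_KEY = '6L' + 'x'.repeat(38);
const SAMPLE_API_KEY = 'AIzaSy' + 'y'.repeat(33);
const pageWith = (k) =>
  `<script src="https://www.google.com/recaptcha/enterprise.js?render=${k}"></script>`;

// Correct deployment: no findings.
console.log(auditRecaptchaConfig(
  { siteKey: SAMPLE_SITE_KEY, apiKey: SAMPLE_API_KEY }, pageWith(SAMPLE_SITE_KEY)));
// Swapped keys: two slot findings plus one leak finding.
console.log(auditRecaptchaConfig(
  { siteKey: SAMPLE_API_KEY, apiKey: SAMPLE_SITE_KEY }, pageWith(SAMPLE_API_KEY)));
```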
reCAPTCHA Enterprise vs Standard
reCAPTCHA Enterprise differs from the free version in how keys work:
| Feature | Standard (free) | Enterprise |
|---|---|---|
| Site key source | reCAPTCHA admin console | Google Cloud Console |
| Verification endpoint | siteverify | assessments |
| Auth for verification | Secret key (shared secret) | API key or service account |
| Score response | score field (0.0–1.0) | riskAnalysis.score + reasons |
| CaptchaAI task type | RecaptchaV2Task / RecaptchaV3Task | RecaptchaV2EnterpriseTask / RecaptchaV3EnterpriseTask |
Finding the Site Key
Method 1: Page Source Search
Search the HTML for enterprise.js:
View Source → Ctrl+F → "enterprise.js"
The render parameter contains the site key:
<script src="https://www.google.com/recaptcha/enterprise.js?render=6LcR_RsTAAAAADge..."></script>
Method 2: JavaScript Console
Run in the browser console:
// Check for Enterprise grecaptcha
if (window.grecaptcha && window.grecaptcha.enterprise) {
  console.log('reCAPTCHA Enterprise detected');
}
// Find site key from rendered widgets
document.querySelectorAll('[data-sitekey]').forEach(el => {
  console.log('Site key:', el.getAttribute('data-sitekey'));
});
Method 3: Network Tab
Filter network requests for enterprise.js or recaptcha/enterprise — the site key appears in the request URL or payload.
Sending to CaptchaAI
Once you have the site key, submit it as the websiteKey parameter:
POST https://ocr.captchaai.com/in.php
Required parameters:
| Parameter | Value |
|---|---|
| key | Your CaptchaAI API key (YOUR_API_KEY) |
| method | userrecaptcha |
| googlekey | The site key from the page (6LcR_Rs...) |
| pageurl | The full URL where the CAPTCHA appears |
| enterprise | 1 (flags this as Enterprise) |
Optional Enterprise parameters:
| Parameter | Purpose |
|---|---|
| enterprise_type | Specify v2 or v3 Enterprise |
| action | The action name (for v3 Enterprise) |
| min_score | Minimum score needed (for v3 Enterprise) |
How Enterprise Verification Differs
Understanding the full flow helps explain why only the site key matters for solving:
1. Browser loads enterprise.js using the site key
2. Browser runs challenge, gets token
3. Site backend sends token + API key to Google's assessments endpoint
4. Google returns risk score and assessment details
5. Site backend decides whether to accept based on score
CaptchaAI replaces steps 1–2. It generates a valid token using the site key. The site's backend then verifies that token with its own API key — CaptchaAI is not involved in verification.
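Steps 3 to 5 are where the site's backend makes its decision, and a token being valid is only the first of several checks. The following is an added example, not code from the original page or from Google: field names follow the reCAPTCHA Enterprise assessment request and response, while the policy values (threshold, maximum age, hostname, denied reasons) and all sample responses are constructed assumptions.

```javascript
// Added example: backend handling of steps 3-5. Policy values are assumptions.

// Step 3: JSON body POSTed to .../v1/projects/PROJECT_ID/assessments
function buildAssessmentRequest(token, siteKey, expectedAction) {
  return { event: { token, siteKey, expectedAction } };
}

// Steps 4-5: turn the assessment response into an accept/reject decision.
function decideFromAssessment(assessment, policy) {
  const tp = assessment.tokenProperties || {};
  const ra = assessment.riskAnalysis || {};
  const deny = (why) => ({ allow: false, why });
  if (tp.valid !== true) return deny(`invalid token: ${tp.invalidReason || 'unknown'}`);
  // A valid token minted for another action or host must not be accepted here.
  if (tp.action !== policy.action) return deny('action mismatch');
  if (tp.hostname !== policy.hostname) return deny('hostname mismatch');
  const ageMs = policy.now - Date.parse(tp.createTime);
  if (!(ageMs >= 0 && ageMs <= policy.maxAgeMs)) return deny('token age out of range');
  if (typeof ra.score !== 'number' || ra.score < policy.minScore) {
    return deny('score below threshold');
  }
  const flagged = (ra.reasons || []).filter((r) => policy.denyReasons.includes(r));
  if (flagged.length > 0) return deny(`risk reasons: ${flagged.join(',')}`);
  return { allow: true, why: 'ok' };
}

// Constructed policy and responses for illustration.
const POLICY = {
  action: 'login', hostname: 'www.example.com', minScore: 0.5,
  maxAgeMs: 120000, denyReasons: ['AUTOMATION'],
  now: Date.parse('2024-05-01T12:01:00Z'),
};
const GOOD = {
  tokenProperties: { valid: true, action: 'login', hostname: 'www.example.com',
                     createTime: '2024-05-01T12:00:30Z' },
  riskAnalysis: { score: 0.9, reasons: [] },
};
const LOW_SCORE = { ...GOOD, riskAnalysis: { score: 0.1, reasons: ['AUTOMATION'] } };
const WRONG_ACTION = {
  ...GOOD, tokenProperties: { ...GOOD.tokenProperties, action: 'signup' },
};

console.log(decideFromAssessment(GOOD, POLICY));         // allowed
console.log(decideFromAssessment(LOW_SCORE, POLICY));    // denied on score
console.log(decideFromAssessment(WRONG_ACTION, POLICY)); // denied on action
```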
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| "ERROR_WRONG_CAPTCHA_ID" | Sent API key instead of site key | Use the 6L... key from the page, not the AIzaSy... key |
| Token rejected by site | Wrong Enterprise type (v2 vs v3) | Set enterprise=1 and correct enterprise_type |
| "Invalid sitekey" | Key from wrong environment (staging vs prod) | Extract key from the exact target URL |
| No Enterprise flag | Submitted as standard reCAPTCHA | Add enterprise=1 to your request |
FAQ
How do I tell if a site uses Enterprise or standard reCAPTCHA?
Check the script URL. Enterprise loads from /recaptcha/enterprise.js while standard uses /recaptcha/api.js. In the JavaScript, Enterprise uses grecaptcha.enterprise.execute() instead of grecaptcha.execute().
Can I use the same CaptchaAI API key for both standard and Enterprise?
Yes. Your CaptchaAI API key works for all CAPTCHA types. Set enterprise=1 in your request to indicate an Enterprise challenge — the solving is charged at the same rate.
Does the site's API key rotation affect my solving?
No. The API key is only used for server-side verification between the site's backend and Google. It has no impact on token generation or CaptchaAI's solving process.
Next Steps
Solve reCAPTCHA Enterprise challenges — get your CaptchaAI API key and submit the site key with the enterprise=1 flag.