When a user solves a reCAPTCHA, the browser receives a token. That token is meaningless until the site's backend validates it with Google. Understanding this verification flow clarifies why CaptchaAI tokens work — they pass the same Google validation that browser-generated tokens do.
The Complete Flow
```text
1. Browser loads reCAPTCHA widget (site key)
        ↓
2. User solves challenge (or v3 scores silently)
        ↓
3. Browser receives token (g-recaptcha-response)
        ↓
4. Browser submits token with form data to site backend
        ↓
5. Site backend sends token + secret key to Google siteverify
        ↓
6. Google returns success/failure + metadata
        ↓
7. Site backend decides: allow or block the request
```
When using CaptchaAI, steps 1–3 happen on CaptchaAI's infrastructure. You receive the token and continue from step 4.
Token Anatomy
A reCAPTCHA token looks like:
```text
03AGdBq26nPjQJovXYXN0t...about 500 characters...xKp9
```
Properties:
- Base64-encoded string, approximately 500–600 characters
- Contains encrypted challenge response data
- Includes a timestamp (token creation time)
- Bound to the site key that generated it
- Valid for approximately 2 minutes (120 seconds)
- Single-use — Google invalidates it after the first verification
Where the Token Appears
After solving, the token populates a hidden field:
```html
<textarea id="g-recaptcha-response" name="g-recaptcha-response"
          style="display: none;">03AGdBq26nPjQ...</textarea>
```
For v3 and programmatic reCAPTCHA, it's returned via callback:
```javascript
grecaptcha.execute('SITE_KEY', { action: 'login' })
  .then(function (token) {
    // token is the g-recaptcha-response value
    document.getElementById('captcha-field').value = token;
  });
```
Google's siteverify Endpoint
The site backend validates the token by calling:
```http
POST https://www.google.com/recaptcha/api/siteverify
Content-Type: application/x-www-form-urlencoded

secret=6LdR_RsTBBBBB...&response=03AGdBq26nPjQ...&remoteip=203.0.113.50
```

| Parameter | Required | Description |
|---|---|---|
| secret | Yes | The site's secret key (private, server-side only) |
| response | Yes | The token from the browser / CaptchaAI |
| remoteip | No | The user's IP address (optional but recommended) |
Successful Response
```json
{
  "success": true,
  "challenge_ts": "2026-04-04T12:00:00Z",
  "hostname": "example.com"
}
```
For reCAPTCHA v3, the response also includes:
```json
{
  "success": true,
  "score": 0.9,
  "action": "login",
  "challenge_ts": "2026-04-04T12:00:00Z",
  "hostname": "example.com"
}
```
Failed Response
```json
{
  "success": false,
  "error-codes": ["timeout-or-duplicate"]
}
```
Common Error Codes from Google
| Error code | Meaning |
|---|---|
| missing-input-secret | Secret key not provided |
| invalid-input-secret | Secret key is malformed or incorrect |
| missing-input-response | Token not provided |
| invalid-input-response | Token is malformed or incorrect |
| timeout-or-duplicate | Token expired (>2 min) or already used |
| bad-request | Request is malformed |
What Sites Actually Check
Different sites validate different fields:
| Check | How common | What it verifies |
|---|---|---|
| success === true | Always | Token is valid |
| score >= threshold | v3 only | Risk score meets minimum |
| action === expected | v3, some sites | Action matches the expected context |
| hostname === domain | Sometimes | Token was generated on the correct domain |
| challenge_ts freshness | Rarely | Token was generated recently |
| Token + IP match | Rarely | IP that solved matches IP that submitted |
Why Hostname Checking Matters
Some sites verify that the hostname in Google's response matches their domain. Since CaptchaAI generates tokens using the correct pageurl, the hostname in the verification response matches the target site.
Why IP Checking Rarely Matters
The remoteip parameter in siteverify is optional. Most sites either don't send it or don't check whether the solving IP matches the submitting IP. CaptchaAI tokens work because the token itself doesn't contain a fixed IP — Google uses remoteip only for additional risk analysis.
Token Lifecycle
```text
Token created → Valid for ~120 seconds → Submitted with form →
Backend calls siteverify → Google validates → Token invalidated (single-use)
```
Critical timing: A token expires approximately 2 minutes after creation. If your workflow takes longer between receiving the token from CaptchaAI and submitting it to the site, the token will be rejected with timeout-or-duplicate.
Enterprise Verification Differences
reCAPTCHA Enterprise uses a different endpoint:
```http
POST https://recaptchaenterprise.googleapis.com/v1/projects/PROJECT_ID/assessments
Authorization: Bearer ACCESS_TOKEN

{
  "event": {
    "token": "03AGdBq26nPjQ...",
    "siteKey": "6LcR_Rs...",
    "expectedAction": "login"
  }
}
```
Enterprise responses include richer data:
```json
{
  "tokenProperties": {
    "valid": true,
    "action": "login",
    "createTime": "2026-04-04T12:00:00Z"
  },
  "riskAnalysis": {
    "score": 0.9,
    "reasons": []
  }
}
```
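The checks in the "What Sites Actually Check" table and the two response shapes above (classic siteverify and the Enterprise assessment) can be handled by one backend routine. The following is an added example written for this page, not CaptchaAI's or Google's code: it normalises either JSON body into a common verdict, then applies the success/valid, hostname, action, score-threshold and token-age checks. The `transport` callables, the `evaluate` policy keywords and the decision to skip the hostname check when the response carries none (the page's Enterprise sample has no hostname) are this example's own design; `tokenProperties.hostname` and `tokenProperties.invalidReason` are Enterprise API fields not shown in the page's sample.

```python
"""Backend-side reCAPTCHA verdict checking for siteverify and Enterprise responses.
Added example; transports, policy keywords and hostname handling are assumptions."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
TOKEN_MAX_AGE_S = 120  # tokens are valid for roughly two minutes


def _parse_ts(value):
    # challenge_ts / createTime are RFC 3339 with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize_siteverify(resp):
    """Map a siteverify JSON body onto the common verdict shape."""
    return {
        "valid": bool(resp.get("success")),
        "hostname": resp.get("hostname"),
        "action": resp.get("action"),   # v3 only
        "score": resp.get("score"),     # v3 only
        "created": resp.get("challenge_ts"),
        "errors": list(resp.get("error-codes", [])),
    }


def normalize_enterprise(resp):
    """Map an Enterprise assessment body onto the same verdict shape."""
    props = resp.get("tokenProperties", {})
    risk = resp.get("riskAnalysis", {})
    return {
        "valid": bool(props.get("valid")),
        "hostname": props.get("hostname"),  # absent in the page's sample; checked only when present
        "action": props.get("action"),
        "score": risk.get("score"),
        "created": props.get("createTime"),
        "errors": [props["invalidReason"]] if props.get("invalidReason") else [],
    }


def evaluate(verdict, expected_hostname, expected_action=None, min_score=None,
             max_age_s=TOKEN_MAX_AGE_S, now=None):
    """Apply the table's checks in order; returns (ok, reason) with a loggable reason.
    ``now`` may be an ISO string so the age check is deterministic in tests."""
    if not verdict["valid"]:
        return False, "invalid:" + (",".join(verdict["errors"]) or "unspecified")
    if verdict["hostname"] is not None and verdict["hostname"] != expected_hostname:
        return False, "hostname-mismatch:%s" % verdict["hostname"]
    if expected_action is not None and verdict["action"] != expected_action:
        return False, "action-mismatch:%s" % verdict["action"]
    if min_score is not None and (verdict["score"] is None or verdict["score"] < min_score):
        return False, "score-too-low:%s" % verdict["score"]
    if verdict["created"] is not None:
        if isinstance(now, str):
            now = _parse_ts(now)
        age = ((now or datetime.now(timezone.utc)) - _parse_ts(verdict["created"])).total_seconds()
        if age < 0 or age > max_age_s:  # future-dated or older than the validity window
            return False, "stale-token:%ds" % age
    return True, "ok"


def _post_form(url, fields, headers=None):
    """Default transport for siteverify: form-encoded POST, JSON back."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 headers=headers or {}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.load(r)


def _post_json(url, body, headers=None):
    """Default transport for the Enterprise endpoint: JSON in, JSON out."""
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=hdrs, method="POST")
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.load(r)


def verify_siteverify(token, secret, expected_hostname, remoteip=None,
                      transport=_post_form, **policy):
    """Call siteverify exactly once (the call consumes the token) and apply the policy."""
    fields = {"secret": secret, "response": token}
    if remoteip:
        fields["remoteip"] = remoteip
    return evaluate(normalize_siteverify(transport(SITEVERIFY_URL, fields)),
                    expected_hostname, **policy)


def build_enterprise_assessment(token, site_key, expected_action):
    """Request body for POST .../projects/PROJECT_ID/assessments."""
    return {"event": {"token": token, "siteKey": site_key, "expectedAction": expected_action}}


def verify_enterprise(token, site_key, project_id, access_token, expected_hostname,
                      expected_action, transport=_post_json, **policy):
    """Create one Enterprise assessment and apply the same policy to its verdict."""
    url = "https://recaptchaenterprise.googleapis.com/v1/projects/%s/assessments" % project_id
    resp = transport(url, build_enterprise_assessment(token, site_key, expected_action),
                     {"Authorization": "Bearer " + access_token})
    return evaluate(normalize_enterprise(resp), expected_hostname,
                    expected_action=expected_action, **policy)
```

Each failed check returns its own reason string, so a backend can log why a token was refused (expired, wrong hostname, wrong action, low score) instead of a bare `false`; the age check uses the page's 120-second window by default and treats a future-dated `challenge_ts` as stale as well.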
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| timeout-or-duplicate | Token expired or already used | Submit within 60 seconds; never reuse tokens |
| invalid-input-response | Token corrupted during transfer | Ensure no URL encoding issues; submit the raw token |
| Token valid but site rejects | Site checks score/action/hostname | Verify action and min_score in CaptchaAI request |
| Works in testing, fails in production | Different site keys per environment | Extract site key from the production page |
FAQ
Does CaptchaAI generate real Google tokens?
CaptchaAI solves reCAPTCHA challenges and returns the actual token that Google's systems generate. When the site's backend calls siteverify, Google validates the token as legitimate.
Can I verify a CaptchaAI token myself before submitting?
No. Calling siteverify consumes the token — it's single-use. If you verify it first, the site's verification will fail with timeout-or-duplicate. Submit the token directly to the target site.
How long do I have to use a token?
Approximately 2 minutes from creation. In practice, submit within 60 seconds to account for network delays and processing time.
Related Articles
- How To Solve Recaptcha V2 Callback Using Api
- Recaptcha V2 Turnstile Same Site Handling
- Recaptcha Token Lifecycle Explained
Next Steps
Get valid reCAPTCHA tokens that pass server-side verification — sign up for CaptchaAI and start solving.