reCAPTCHA v2 shows a visible challenge — the "I'm not a robot" checkbox and image grids. reCAPTCHA v3 runs silently in the background and returns a score without any user interaction.
Both versions protect against bots, but they work in fundamentally different ways. This guide breaks down the key differences and explains how to handle each version.
Side-by-side comparison
| Feature | reCAPTCHA v2 | reCAPTCHA v3 |
|---|---|---|
| User interaction | Checkbox + image challenge | None (invisible) |
| Result type | Pass/fail | Score (0.0–1.0) |
| UX impact | Interrupts user flow | Zero friction |
| Detection method | Challenge-response | Behavioral analysis |
| Action parameter | Not used | Required |
| Enterprise variant | Yes | Yes |
| JavaScript file | api.js |
api.js?render=SITEKEY |
| DOM element | g-recaptcha div |
No visible element |
| Token field | g-recaptcha-response |
g-recaptcha-response |
How reCAPTCHA v2 works
- Page loads
api.jsand renders the checkbox widget - User clicks "I'm not a robot"
- Google analyzes browser signals (cookies, mouse movement, IP)
- If signals are clean → immediate pass
- If suspicious → image grid challenge appears
- User solves the grid → token generated
- Site backend verifies token with Google
<!-- v2 on the page -->
<div class="g-recaptcha" data-sitekey="6Le-wvkSAAAAAPBMRTvw..."></div>
<script src="https://www.google.com/recaptcha/api.js"></script>
How reCAPTCHA v3 works
- Page loads
api.js?render=SITEKEY— no visible widget - JavaScript continuously monitors user behavior
- When an action triggers,
grecaptcha.execute()is called - Google returns a token with an embedded score
- Site backend verifies token and reads the score
- Backend decides: allow, challenge, or block based on score
<!-- v3 on the page -->
<script src="https://www.google.com/recaptcha/api.js?render=6LfZil0UAAAAADM1..."></script>
<script>
grecaptcha.ready(function() {
grecaptcha.execute('6LfZil0UAAAAADM1...', {action: 'submit'}).then(function(token) {
document.getElementById('g-recaptcha-response').value = token;
});
});
</script>
How to identify which version a site uses
| Check | v2 indicator | v3 indicator |
|---|---|---|
| Visible checkbox | ✅ | ❌ |
api.js?render= in source |
❌ | ✅ |
grecaptcha.execute() with action |
❌ | ✅ |
g-recaptcha div in DOM |
✅ | ❌ (usually) |
data-sitekey attribute |
✅ | ❌ |
invisible parameter |
✅ (invisible v2) | ❌ |
See How to Identify reCAPTCHA Version for detailed detection steps.
Solving v2 with CaptchaAI
import requests, time
# Submit v2 task
resp = requests.get("https://ocr.captchaai.com/in.php", params={
"key": "YOUR_API_KEY",
"method": "userrecaptcha",
"googlekey": "6Le-wvkSAAAAAPBMRTvw...",
"pageurl": "https://example.com/form",
"json": 1
})
task_id = resp.json()["request"]
# Poll for token
for _ in range(30):
time.sleep(5)
result = requests.get("https://ocr.captchaai.com/res.php", params={
"key": "YOUR_API_KEY", "action": "get", "id": task_id, "json": 1
}).json()
if result.get("status") == 1:
v2_token = result["request"]
break
Solving v3 with CaptchaAI
# Submit v3 task — note the version and action parameters
resp = requests.get("https://ocr.captchaai.com/in.php", params={
"key": "YOUR_API_KEY",
"method": "userrecaptcha",
"version": "v3",
"googlekey": "6LfZil0UAAAAADM1...",
"action": "submit",
"pageurl": "https://example.com/form",
"json": 1
})
task_id = resp.json()["request"]
for _ in range(30):
time.sleep(5)
result = requests.get("https://ocr.captchaai.com/res.php", params={
"key": "YOUR_API_KEY", "action": "get", "id": task_id, "json": 1
}).json()
if result.get("status") == 1:
v3_token = result["request"]
break
Key difference: v3 requires version=v3 and action parameters.
When sites use both
Many sites use v3 as the first layer and fall back to v2 if the v3 score is low:
- v3 runs silently on page load → score = 0.2
- Site threshold is 0.5 → v3 fails
- Site shows v2 checkbox as fallback
- User solves v2 → access granted
Strategy for automation:
- Try v3 first — it's faster and cheaper
- If the site still blocks you, look for a v2 fallback
- Solve the v2 challenge and submit that token instead
Which version is harder to solve?
| Aspect | v2 | v3 |
|---|---|---|
| Solving speed | 15–30 seconds (image challenges) | 5–10 seconds (no visual challenge) |
| Success rate | High (binary pass/fail) | Variable (depends on score threshold) |
| Cost per solve | Higher (more complex) | Lower (simpler task) |
| Reliability | More predictable | Score may not meet threshold |
v2 is more reliable but slower. You always get a pass/fail result. v3 is faster but less predictable. The token may have a low score that the site rejects.
FAQ
Can a site use both v2 and v3?
Yes. This is a common pattern — v3 runs first, and v2 appears as a fallback for low scores.
Do v2 and v3 use the same sitekey?
No. Each version has its own sitekey. A v2 sitekey will not work for a v3 solve and vice versa.
Which version should I solve first?
Try v3 first — it's faster and does not require image recognition. If the token is rejected, fall back to v2.
Can I tell the reCAPTCHA version from the sitekey alone?
No. The sitekey format is the same for both versions. You must check how the page loads and uses the captcha.
Is reCAPTCHA v3 replacing v2?
Google still supports both versions. Many legacy sites use v2, and new sites often deploy v3. Enterprise customers can choose either or both.
Discussions (0)
Join the conversation
Sign in to share your opinion.
Sign InNo comments yet.