reCAPTCHA v3 returns a score between 0.0 and 1.0 with every token — no checkbox, no image grid. The score represents Google's confidence that the interaction is human. Sites decide their own threshold per action: a login page might require 0.7, while a search page accepts 0.3. Understanding these thresholds helps you configure CaptchaAI correctly.
How reCAPTCHA v3 Scoring Works
Every reCAPTCHA v3 interaction produces a score:
| Score range | Google's assessment | Typical action |
|---|---|---|
| 0.9 – 1.0 | Very likely human | Allow without friction |
| 0.7 – 0.9 | Probably human | Allow, maybe log |
| 0.5 – 0.7 | Uncertain | Add verification step |
| 0.3 – 0.5 | Suspicious | Block or challenge |
| 0.0 – 0.3 | Very likely bot | Block entirely |
The score is returned in the verification response, not to the browser. The site's backend decides what to do with it.
Actions and Per-Action Thresholds
reCAPTCHA v3 supports named "actions" — labels that identify what the user is doing. Sites configure different thresholds for each:
// Login — site may require score >= 0.7
grecaptcha.execute('SITE_KEY', { action: 'login' });
// Search — site may accept score >= 0.3
grecaptcha.execute('SITE_KEY', { action: 'search' });
// Purchase — site may require score >= 0.9
grecaptcha.execute('SITE_KEY', { action: 'purchase' });
Common Action Names and Typical Thresholds
| Action | Typical threshold | Rationale |
|---|---|---|
| login | 0.7 | Protect accounts, but don't block legitimate users |
| register / signup | 0.7 – 0.8 | Prevent fake account creation |
| submit | 0.5 – 0.7 | Form submissions, moderate risk |
| search | 0.3 – 0.5 | Low-risk, high-volume |
| purchase / checkout | 0.7 – 0.9 | Financial transactions, high stakes |
| contact | 0.5 | Anti-spam for contact forms |
| homepage | 0.1 – 0.3 | Just tracking, rarely blocks |
These thresholds are set by the site owner in their backend code. They are not visible in the page source.
Finding a Site's Action Name
Method 1: Browser Console
// Override execute to capture action
const originalExecute = grecaptcha.execute;
grecaptcha.execute = function(siteKey, options) {
  console.log('Action:', options?.action);
  return originalExecute.apply(this, arguments);
};
Method 2: Network Tab
Filter for recaptcha in the Network tab. The action appears in the request payload when grecaptcha.execute is called.
Method 3: Search Page Source
Ctrl+F → "action:" or "action'"
Look for grecaptcha.execute calls with action parameters.
Configuring CaptchaAI's min_score
When submitting a reCAPTCHA v3 task, set min_score to request a token that meets the site's threshold:
POST https://ocr.captchaai.com/in.php
key=YOUR_API_KEY
&method=userrecaptcha
&googlekey=SITE_KEY
&pageurl=https://example.com/login
&version=v3
&action=login
&min_score=0.7
Available min_score Values
| Value | When to use |
|---|---|
| 0.3 | Low-security pages (search, browsing) |
| 0.7 | Standard forms (login, submit, contact) |
| 0.9 | High-security actions (purchase, registration) |
If you omit min_score, CaptchaAI defaults to returning the best score available. Setting it explicitly ensures the returned token meets your target.
How Score Verification Works
The site's backend verifies the token and checks the score:
POST https://www.google.com/recaptcha/api/siteverify
secret=SECRET_KEY
&response=TOKEN_FROM_CAPTCHAAI
Google returns:
{
"success": true,
"score": 0.9,
"action": "login",
"challenge_ts": "2026-04-04T12:00:00Z",
"hostname": "example.com"
}
The site then checks:
- success is true
- score meets its threshold (e.g., >= 0.7)
- action matches what was expected (e.g., "login")
- hostname matches the expected domain
If any check fails, the token is rejected.
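The checks listed above, written as a backend function that fails closed (an added example, not code from the original page, Google, or CaptchaAI). The `POLICY` thresholds, the function names, the clock-skew allowance and the sample response are assumptions constructed for illustration; the HTTP call to siteverify is left out so the logic runs offline.

```javascript
// Added example: evaluates an already-parsed siteverify response on the backend.
// POLICY values, names and sample data are assumptions, not any site's real settings.
const POLICY = new Map([
  ['login', 0.7],
  ['search', 0.3],
  ['purchase', 0.9],
]);
const MAX_TOKEN_AGE_MS = 2 * 60 * 1000; // two-minute token lifetime
const MAX_CLOCK_SKEW_MS = 5 * 1000;     // tolerate small clock differences (assumed)

function block(reason) {
  return { decision: 'block', reason };
}

function evaluateVerification(resp, expectedAction, expectedHostname, now = Date.now()) {
  // The expected action comes from the route being served, never from the client.
  if (!POLICY.has(expectedAction)) return block('unknown-action');
  if (!resp || resp.success !== true) {
    const codes = (resp && resp['error-codes']) || [];
    return block(codes[0] || 'verification-failed');
  }
  if (resp.action !== expectedAction) return block('action-mismatch');
  if (resp.hostname !== expectedHostname) return block('hostname-mismatch');

  const issued = Date.parse(resp.challenge_ts);
  const age = now - issued;
  if (Number.isNaN(issued) || age > MAX_TOKEN_AGE_MS || age < -MAX_CLOCK_SKEW_MS) {
    return block('stale-token');
  }
  // A missing or non-numeric score must fail closed, not compare as "not below".
  if (typeof resp.score !== 'number' || Number.isNaN(resp.score)) return block('bad-score');
  // Below threshold: step up to a second check instead of a hard block.
  if (resp.score < POLICY.get(expectedAction)) {
    return { decision: 'challenge', reason: 'low-score' };
  }
  return { decision: 'allow', reason: 'ok' };
}

// Constructed sample, shaped like the response shown above.
const SAMPLE = {
  success: true, score: 0.9, action: 'login',
  challenge_ts: '2026-04-04T12:00:00Z', hostname: 'example.com',
};
const SAMPLE_NOW = Date.parse('2026-04-04T12:00:30Z');
console.log(evaluateVerification(SAMPLE, 'login', 'example.com', SAMPLE_NOW));
```

Logging the `reason` alongside the action gives the backend a per-action view of mismatches and replays, which is more useful for tuning thresholds than the score alone.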
Why Action Matching Matters
The action in the token must match what the site expects. If the site calls grecaptcha.execute with action: 'login' but your CaptchaAI request uses action: 'submit', the verification will show a mismatch — even if the score is high enough.
Always extract the exact action name from the page and pass it to CaptchaAI.
Estimating a Site's Threshold
Since thresholds aren't publicly visible, use these strategies:
- Start with 0.7 — the most common threshold for forms
- If rejected, try 0.9 — the site may have a strict threshold
- For search/browse pages, try 0.3 — low-risk pages use low thresholds
- Check for fallback behavior — some sites show a v2 checkbox when v3 scores are low instead of blocking outright
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| Token accepted but action blocked | Action name mismatch | Extract exact action from page JS |
| Token rejected, score is high | Token expired (2 min lifetime) | Use token within 60 seconds of receiving it |
| Consistently low scores | Browser fingerprint signals weak | Use min_score=0.9 in CaptchaAI request |
| Site falls back to v2 challenge | v3 score below site threshold | Score may be fine — solve the v2 fallback separately |
| "timeout-or-duplicate" error | Token already verified or expired | Request a fresh token for each submission |
FAQ
Can I guarantee a specific score from CaptchaAI?
CaptchaAI's min_score parameter requests a token that meets the specified threshold. Higher scores may take slightly longer to generate. For most sites, 0.7 is sufficient.
Does the same site always use the same threshold?
Not necessarily. Sites can configure different thresholds per action and adjust them over time. A login action might require 0.7 while a search action on the same site accepts 0.3.
What happens if CaptchaAI can't achieve my requested min_score?
CaptchaAI will attempt to generate a token meeting your threshold. If the min_score is set to 0.9 and the returned token has a lower score, you can retry the request or try with a lower threshold.
Related Articles
- How To Solve Recaptcha V3 Enterprise Using Api
- Recaptcha V3 Enterprise Vs Standard
- Recaptcha Score Factors Technical Analysis
Next Steps
Get high-score reCAPTCHA v3 tokens — sign up for CaptchaAI and configure min_score for your target action.