To complete the process of integrating Google reCAPTCHA into your website, you’ll need to follow a few additional steps, including verifying the token with Google’s reCAPTCHA API on your server side. Let’s walk through the process in detail.
Step-by-Step Guide
1. Add the reCAPTCHA Script to Your Website’s HTML
You’ve already done this part. Here’s a quick recap:
<head>
<script src="https://www.google.com/recaptcha/enterprise.js?render=6LcRvdYqAAAAAPWGmknZ4P5rcj1Ly04nvZXGiJwi"></script>
</head>
This script includes Google’s reCAPTCHA JavaScript API on your page. It’s important to replace the 6LcRvdYqAAAAAPWGmknZ4P5rcj1Ly04nvZXGiJwi key with your actual reCAPTCHA site key.
2. Call grecaptcha.execute() for Actions You Want to Protect
Next, in your JavaScript code, you’ve already written the function onClick(e) to call grecaptcha.execute() when a user interacts with the form (e.g., by clicking a button). This will generate a token that is valid for two minutes.
Here’s a breakdown of the existing code:
<script>
function onClick(e) {
e.preventDefault(); // Prevents the default form submission action
grecaptcha.enterprise.ready(async () => {
// Execute reCAPTCHA and specify the action name, such as 'LOGIN'
const token = await grecaptcha.enterprise.execute('6LcRvdYqAAAAAPWGmknZ4P5rcj1Ly04nvZXGiJwi', {action: 'LOGIN'});
// You will need to send this token to your backend to verify it
// This could be done by adding the token to the form data or sending it via an API request
});
}
</script>
3. Sending the Token to Your Backend
After generating the reCAPTCHA response token (token), you need to send it to your backend server so it can be verified. You can either send it as part of a form submission or send it via an AJAX request. Here’s how you might send it via a simple AJAX request using fetch:
<script>
function onClick(e) {
e.preventDefault();
grecaptcha.enterprise.ready(async () => {
const token = await grecaptcha.enterprise.execute('6LcRvdYqAAAAAPWGmknZ4P5rcj1Ly04nvZXGiJwi', {action: 'LOGIN'});
// Now send the token to the backend for verification
const response = await fetch('/verify-recaptcha', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({ token: token })
});
const result = await response.json();
if (result.success) {
// Continue with the login or whatever action you are performing
} else {
// Handle failure, e.g., show an error message
alert("reCAPTCHA verification failed.");
}
});
}
</script>
In the above code:
/verify-recaptchais the endpoint on your backend where you’ll handle the verification.- You send the token in a JSON payload using
fetch.
4. Verify the reCAPTCHA Token on Your Backend
Now, on your server side, you need to verify the token by making a POST request to Google’s reCAPTCHA verification endpoint. This requires sending the response token, along with your secret key, to Google for validation.
Here’s a sample backend verification using Node.js (you can adapt it for your server-side language):
Example in Node.js:
const fetch = require('node-fetch'); // Ensure you have 'node-fetch' installed
// Endpoint to verify the reCAPTCHA token
app.post('/verify-recaptcha', async (req, res) => {
const token = req.body.token;
const secretKey = 'YOUR_SECRET_KEY'; // Replace with your secret key
const verifyUrl = 'https://www.google.com/recaptcha/api/siteverify';
const response = await fetch(verifyUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
body: `secret=${secretKey}&response=${token}`
});
const data = await response.json();
if (data.success) {
// Token is valid, proceed with the requested action (e.g., login)
res.json({ success: true });
} else {
// Token is invalid, reject the action
res.json({ success: false, error: 'reCAPTCHA verification failed' });
}
});
In this code:
- The backend receives the token from the frontend.
- The server sends the token, along with your
secretKey(provided by Google when you created the reCAPTCHA) to Google’s verification endpoint (https://www.google.com/recaptcha/api/siteverify). - The verification response will tell you if the token is valid or not.
5. Handle the Verification Result
Once you verify the reCAPTCHA token, you can proceed with the action the user is trying to perform (e.g., login). If the verification fails, you should handle it appropriately, such as showing an error message to the user.
Summary of Steps:
- Frontend:
- Load the reCAPTCHA API using the
<script>tag. - Execute
grecaptcha.execute()when the user interacts with the form. - Send the response token to your backend for verification.
- Load the reCAPTCHA API using the
- Backend:
- Verify the token by sending a POST request to Google’s reCAPTCHA verification endpoint (
https://www.google.com/recaptcha/api/siteverify), passing the token and your secret key. - Handle the response, checking for
data.successto determine whether the verification passed or failed.
- Verify the token by sending a POST request to Google’s reCAPTCHA verification endpoint (
Additional Notes:
- Token Expiry: The response token is valid for only two minutes. Make sure your backend verifies it within that window.
- Security Considerations: Always keep your secret key secure and never expose it on the client side.
- Risk Score: The verification response from Google may also include a risk score, which you can use to determine the likelihood of a legitimate user versus a bot.
By following these steps, you’ll be able to fully integrate Google reCAPTCHA into your site and protect your forms or actions from bots.