splitforms.com

reCAPTCHA v3 Setup — Working Code and Score Thresholds

reCAPTCHA v3 runs invisibly and returns a score from 0.0 (bot) to 1.0 (human). Set up the script, attach a token to every submission, verify the token server-side, reject submissions below your threshold. Or skip all of this and use a honeypot — splitforms ships one free.

```html
<!-- HEAD: load the reCAPTCHA v3 script -->
<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>

<form id="contact" action="https://splitforms.com/api/submit" method="POST">
  <input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
  <!-- Filled in by the submit handler below -->
  <input type="hidden" name="g-recaptcha-response" id="g-token" />

  <input name="name" required />
  <input name="email" type="email" required />
  <textarea name="message" required></textarea>
  <button type="submit">Send</button>
</form>

<script>
const form = document.getElementById("contact");
form.addEventListener("submit", (e) => {
  // Hold the native submit until a fresh token is attached.
  e.preventDefault();
  // grecaptcha.ready() waits until the reCAPTCHA script has finished loading.
  grecaptcha.ready(async () => {
    const token = await grecaptcha.execute("YOUR_SITE_KEY", { action: "submit" });
    document.getElementById("g-token").value = token;
    // form.submit() does not fire the "submit" event again, so this does not loop.
    form.submit();
  });
});
</script>

<!-- Server-side: verify the token with Google's API -->
<!--
POST https://www.google.com/recaptcha/api/siteverify
  secret=YOUR_SECRET_KEY
  response=THE_TOKEN

Response JSON:
{
  "success": true,
  "score": 0.9,        // 0.0 (bot) to 1.0 (human)
  "action": "submit",
  "challenge_ts": "...",
  "hostname": "..."
}

Block submissions where score < 0.5 (your threshold).
-->
```

reCAPTCHA v3 is the invisible version of Google's CAPTCHA. Unlike v2 (the 'I'm not a robot' checkbox + image puzzle), v3 runs entirely in the background, scoring every page visit and form submission from 0.0 (definitely a bot) to 1.0 (definitely a human). You pick a threshold below which submissions are blocked.

Setup has three parts. (1) Load the reCAPTCHA script with your site key in the page `<head>`. (2) Get a token on form submit via `grecaptcha.execute('YOUR_SITE_KEY', { action: 'submit' })` and attach it to the form as a hidden `g-recaptcha-response` field. (3) Server-side, POST the token + your secret key to `https://www.google.com/recaptcha/api/siteverify` and read the returned score.

Threshold selection is the hardest part. Google recommends 0.5 as the default; we recommend running with no threshold initially, logging scores for a few days, and picking a threshold that catches your bots without blocking legitimate users. Some sites can use 0.7+; high-traffic public sites often need 0.3-0.4 to avoid false positives.
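The threshold selection described above, worked through as an added example (not splitforms's or Google's code). It assumes each score logged during the no-threshold period was later labelled spam or legitimate by manual review; the sample log, the function names and the false-positive budget are constructed for illustration.

```javascript
// Constructed sample log: score recorded while no threshold was enforced,
// plus a spam/legitimate label assigned afterwards by manual review (assumption).
const LOGGED = [
  { score: 0.1, spam: true },  { score: 0.1, spam: true },
  { score: 0.3, spam: true },  { score: 0.3, spam: false },
  { score: 0.5, spam: true },  { score: 0.7, spam: false },
  { score: 0.7, spam: false }, { score: 0.9, spam: false },
  { score: 0.9, spam: false }, { score: 0.9, spam: false },
];

// With a given threshold, a submission is blocked when score < threshold.
// Returns the share of spam blocked and the share of legitimate users blocked.
function ratesAt(log, threshold) {
  let spam = 0, legit = 0, spamBlocked = 0, legitBlocked = 0;
  for (const { score, spam: isSpam } of log) {
    const blocked = score < threshold;
    if (isSpam) { spam++; if (blocked) spamBlocked++; }
    else { legit++; if (blocked) legitBlocked++; }
  }
  return {
    threshold,
    spamBlocked: spam ? spamBlocked / spam : 0,
    legitBlocked: legit ? legitBlocked / legit : 0,
  };
}

// Picks the candidate that blocks the most spam while keeping the share of
// blocked legitimate users within maxLegitBlocked. Ties go to the lower threshold.
function pickThreshold(log, candidates, maxLegitBlocked) {
  let best = null;
  for (const t of [...candidates].sort((a, b) => a - b)) {
    const r = ratesAt(log, t);
    if (r.legitBlocked > maxLegitBlocked) continue;
    if (!best || r.spamBlocked > best.spamBlocked) best = r;
  }
  return best; // null when no candidate fits the budget
}

// Print the trade-off table for the candidates discussed in the text.
for (const t of [0.3, 0.4, 0.5, 0.7]) console.log(ratesAt(LOGGED, t));
```

On this sample, a zero false-positive budget yields 0.3 (half the spam blocked), while tolerating one blocked legitimate user in six allows 0.7 (all spam blocked).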

The cost of reCAPTCHA v3 is privacy and page weight. The script is ~600KB and runs on every page where it's loaded, profiling every visitor for Google. For most contact forms, the cheaper option is a honeypot field (catches 40-60% of automated spam) plus splitforms's AI classifier (catches the rest). No third-party script, no user profiling, no false-positive friction.

How to set this up

Step 01

Get a site key and secret key

Register at google.com/recaptcha/admin. Site key is public; secret key stays on the server.

Step 02

Load the script with your site key

`<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>` in `<head>`.

Step 03

Get a token on submit

`await grecaptcha.execute(siteKey, { action: 'submit' })` returns a token. Attach it as a hidden `g-recaptcha-response` field.

Step 04

Verify server-side

POST token + secret to Google's siteverify endpoint. Read the score. Reject if below your threshold.

Three parts: script, client token, server verify. Or: skip it, use honeypot.
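An added example, not splitforms's or Google's code, of the server-side check in Step 04 (the third part of the setup described earlier): it posts the token and secret to siteverify and, beyond the score, also checks `success`, `action` and `hostname` from the response. The `POLICY` object, the `example.com` hostname, the reason strings and the function names are assumptions of this example.

```javascript
// Added example. Requires Node 18+ for the global fetch and URLSearchParams.
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Hypothetical policy for the form on this page; the hostname is a placeholder.
const POLICY = { expectedAction: "submit", allowedHostnames: ["example.com"], threshold: 0.5 };

// Pure decision over the siteverify JSON, so it can be exercised offline.
function evaluateVerification(result, policy) {
  if (!result || result.success !== true) {
    const errors = (result && result["error-codes"]) || [];
    return { ok: false, reason: "verification-failed", errors };
  }
  // A token issued for another action or another site must not pass here.
  if (result.action !== policy.expectedAction) return { ok: false, reason: "action-mismatch" };
  if (!policy.allowedHostnames.includes(result.hostname)) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  if (typeof result.score !== "number") return { ok: false, reason: "missing-score" };
  if (result.score < policy.threshold) {
    return { ok: false, reason: "low-score", score: result.score };
  }
  return { ok: true, score: result.score };
}

// POSTs token + secret as form fields, then applies the policy.
// Every failure comes back as ok:false with a reason; the caller decides what to do.
async function verifyToken(token, secret, policy = POLICY, fetchImpl = fetch) {
  if (typeof token !== "string" || token === "") return { ok: false, reason: "missing-token" };
  try {
    const body = new URLSearchParams({ secret, response: token });
    const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body });
    if (!res.ok) return { ok: false, reason: "siteverify-http-error" };
    return evaluateVerification(await res.json(), policy);
  } catch (err) {
    return { ok: false, reason: "siteverify-unreachable" };
  }
}

// Constructed sample responses (not real traffic).
const SAMPLES = {
  human: { success: true, score: 0.9, action: "submit", hostname: "example.com" },
  bot: { success: true, score: 0.1, action: "submit", hostname: "example.com" },
  wrongAction: { success: true, score: 0.9, action: "login", hostname: "example.com" },
  replayed: { success: false, "error-codes": ["timeout-or-duplicate"] },
};
```

Google's tokens expire after two minutes and can be verified only once, so call `verifyToken` once per submission with the value of the `g-recaptcha-response` field.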

Frequently asked questions

What is reCAPTCHA v3?

Google's invisible CAPTCHA. Runs in the background, scores every page visit and form submission from 0.0 (bot) to 1.0 (human). Lower friction than v2's checkbox + puzzle, but harvests more behavioral data.

What threshold should I use for reCAPTCHA v3?

Google recommends 0.5 as default. Run with no threshold for a few days, log scores, then pick a threshold that blocks bots without blocking legitimate users. Low-traffic sites can often use 0.7+; high-traffic public sites may need 0.3-0.4 to avoid false positives.

Is reCAPTCHA v3 GDPR-compliant?

Marginally — Google is the data controller, you're the data processor. Document the data flow in your privacy policy. Some EU regulators (notably France's CNIL) have flagged reCAPTCHA as problematic. hCaptcha is the safer choice for EU-heavy traffic.

Do I need reCAPTCHA on a contact form?

Probably not. A honeypot field + a backend AI spam classifier (like splitforms ships) catches 95% of automated spam with zero user friction, zero third-party JS, and zero accessibility tax. Reach for reCAPTCHA only if those two layers aren't enough.

Does reCAPTCHA v3 slow down my page?

Yes — the script is ~600KB minified and loads on every page where it's referenced. It also runs background behavioral profiling. For a contact form on a marketing site, that's a steep cost for spam protection that honeypots handle better.
