Skip to Content
FeaturesSpam ProtectionCAPTCHA IntegrationGoogle reCAPTCHA v3

Google reCAPTCHA v3

Available on all plans. See pricing.

reCAPTCHA v3 is Google’s invisible bot detection system. There’s no widget to render and no challenge for the user to complete. Instead, it silently analyzes visitor behavior and returns a score from 0.0 (likely a bot) to 1.0 (likely human). Formtorch uses that score to decide whether to accept the submission.

Because it’s completely invisible, reCAPTCHA v3 has zero impact on your form’s user experience. The trade-off is that it requires a small amount of JavaScript to execute, which means it won’t work on pages where JS is disabled.

How it works

reCAPTCHA v3 works differently from Turnstile and hCaptcha. There’s no widget that injects a token automatically. You have to call the reCAPTCHA API yourself and insert the token into your form before submitting. The JavaScript below handles that. Formtorch receives the token, sends it to Google’s verification API, and checks the returned score. Submissions with a score below 0.5 are rejected with a 400 error.

Formtorch uses a fixed score threshold of 0.5. Submissions scoring below 0.5 are rejected. This threshold is not configurable per-form at this time.

Prerequisites

  • A Google account
  • A Formtorch form to attach reCAPTCHA v3 to

Setup

Register a reCAPTCHA v3 site

Go to google.com/recaptcha/admin  and click Create (the + icon). Give the site a label, then select Score based (v3) as the reCAPTCHA type.

Under Domains, add the domain where your form lives, for example yoursite.com. Do not include https:// or a trailing slash.

Accept the Terms of Service and click Submit.

Copy your site key and secret key

After creating the site, Google shows two keys: a Site Key (public, goes in your JavaScript) and a Secret Key (private, goes in Formtorch). Copy both.

Never put your secret key in your HTML or JavaScript. It belongs only in your Formtorch form settings.

Enable reCAPTCHA v3 in Formtorch

Open your form in the Formtorch dashboard , go to Settings → Protection → CAPTCHA, and toggle CAPTCHA on. Select Google reCAPTCHA v3 from the provider list.

Paste your Site Key into the Site Key field and your Secret Key into the Secret Key field. Click Save.

Add reCAPTCHA v3 to your form

Unlike Turnstile and hCaptcha, reCAPTCHA v3 doesn’t render anything in the form. You load the reCAPTCHA script, then call grecaptcha.execute() right before the form submits. The returned token goes into a hidden input named g-recaptcha-response, which Formtorch reads.

contact.html
<!-- In your <head> -->
<script
  src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"
></script>
 
<!-- Your form — no widget needed -->
 
<form id="contact-form" action="https://formtorch.com/f/YOUR_FORM_ID" method="POST">
  <label>
    Name
    <input type="text" name="name" required />
  </label>
 
<label>
  Email
  <input type="email" name="email" required />
</label>
 
<label>
  Message
  <textarea name="message" required></textarea>
</label>
 
  <!-- reCAPTCHA injects its token here before submit -->
 
<input type="hidden" name="g-recaptcha-response" id="g-recaptcha-response" />
 
  <button type="submit">Send message</button>
</form>
 
<script>
  document
    .getElementById("contact-form")
    .addEventListener("submit", function (e) {
      e.preventDefault();
      const form = this;
 
      grecaptcha.ready(function () {
        grecaptcha
          .execute("YOUR_SITE_KEY", { action: "submit" })
          .then(function (token) {
            document.getElementById("g-recaptcha-response").value = token;
            form.submit();
          });
      });
    });
</script>

Replace YOUR_SITE_KEY with the site key from Step 2, and YOUR_FORM_ID with your Formtorch form ID.

The action string passed to grecaptcha.execute() ("submit" in the examples above) is a label that appears in your reCAPTCHA analytics. Use a name that describes what the user is doing, such as "contact", "signup", or "checkout".

Test the integration

Submit your form. Open the Submissions tab in your Formtorch dashboard . You should see the submission listed. If the reCAPTCHA score was too low, the submission would have been rejected before reaching your dashboard.

That’s it. reCAPTCHA v3 is protecting your form.

Troubleshooting

Submissions are rejected with a 400 error

The most likely cause is that grecaptcha.execute() didn’t run before the form submitted, leaving the g-recaptcha-response field empty. Make sure you’re calling execute() inside the form’s submit handler and only submitting the form after the token has been inserted into the hidden input. Also confirm the site key in your script URL (?render=YOUR_SITE_KEY) matches the one saved in Formtorch.

reCAPTCHA v3 isn’t working for some users

reCAPTCHA v3 requires JavaScript. Unlike Turnstile or hCaptcha, there is no fallback for visitors with JS disabled: submissions without a valid token are rejected. If your audience may have JS disabled, consider using Cloudflare Turnstile instead.

Test scores are lower than expected

reCAPTCHA v3 scores are based on behavioral signals accumulated over time. During development, scores may be lower than what real users produce in production because test traffic doesn’t match typical usage patterns. Scores of 0.3 to 0.7 during testing are normal. Production scores for genuine users typically land above 0.5.

The reCAPTCHA badge appears in the corner

When you load reCAPTCHA v3, Google renders a small floating badge in the bottom-right of the page. You can hide it with CSS (visibility: hidden), but per Google’s terms you must then include a text disclosure near your form, for example: “This site is protected by reCAPTCHA and the Google Privacy Policy  and Terms of Service  apply.”

Further reading

Last updated on
hCaptchaEmail Notifications