Invisible reCAPTCHA v2

Copy

• Copy for LLM

  Copy page as Markdown for LLMs
• View as Markdown

  Open this page as Markdown
• Open in ChatGPT

  Get insights from ChatGPT
• Open in Claude

  Get insights from Claude

Invisible reCAPTCHA v2 is a variant of Google’s reCAPTCHA that operates without user interaction—unless the system suspects bot activity. It’s commonly used on forms, login pages, or actions like clicking a button or submitting data.

You can identify invisible reCAPTCHA by:

• The presence of size=invisible in the reCAPTCHA configuration.
• A DOM element positioned far off-screen (e.g., top: -10000px), making it invisible to users.
• Dynamic execution triggered by user actions (e.g., form submission) or page load.

Demo: See how it works at Google’s invisible reCAPTCHA v2 demo.

Integration Workflow

1. Locate the Site Key and Page URL

   • Check for data-sitekey in the HTML or the k parameter in reCAPTCHA script URLs.
   • Note the full page URL where the invisible reCAPTCHA is active.

2. Submit the task:

   • For API V1: Send a request to in.php with method=userrecaptcha, googlekey, pageurl, and invisible=1.
     → See API V1 – Invisible reCAPTCHA v2
   • API V2 COMING SOON

3. Receive a task ID and wait 15–20 seconds.

4. Poll for the result:

   • API V1: via res.php
     → See API V1 – Get Result
   • API V2 COMING SOON

5. Apply the token based on the site’s implementation:

   • Standard injection (most common):

     document.getElementById("g-recaptcha-response").innerHTML = "TOKEN_FROM_CAPTCHAAI";

     Then Trigger the protected action (e.g., form submission, button click) immediately after token injection.

   • Callback-based execution (if the site uses one):

     // Replace `onVerify` with the actual callback name
     onVerify("TOKEN_FROM_CAPTCHAAI");

Note: Invisible reCAPTCHA often validates the token only when the protected action occurs—so ensure the token is set before triggering that action.