Skip to content

Google reCAPTCHA API Key

Service Name: Google reCAPTCHA

Service Description: Google reCAPTCHA is a free service that protects websites from spam and abuse by using advanced risk analysis techniques to tell humans and bots apart. It helps prevent automated software from engaging in abusive activities on websites.

Service Address: https://www.google.com/recaptcha/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured in the reCAPTCHA admin console by specifying domains where the reCAPTCHA can be used.

Secret Access Scope: Grants access to Google's reCAPTCHA service for verifying whether a user is human or a bot. The API key allows websites to implement CAPTCHA challenges.

Secret Revokement URL: https://www.google.com/recaptcha/admin

Secret Example: 6LdQPnIUAAAAAMtfIQ1LLJHkpZGjFhGz9Mz3VQbX

Suspicious Activity Investigation Instructions:

  • Check the Google Cloud Console for unusual usage patterns or spikes in reCAPTCHA API calls.

  • Review server logs for unauthorized domains using your reCAPTCHA keys.

  • Monitor for increased failed verification attempts which could indicate abuse.

  • Check if the key is being used on domains not registered in your reCAPTCHA settings.

  • Review the geographic distribution of verification requests for anomalies.

Mitigation Instructions:

  • Log in to the Google reCAPTCHA Admin Console at https://www.google.com/recaptcha/admin.

  • Locate the compromised site key in your list of reCAPTCHA keys.

  • Delete the compromised key by clicking the trash icon next to it.

  • Create a new reCAPTCHA key with proper domain restrictions.

  • Update all legitimate applications and websites with the new key.

  • Restrict the domains where the reCAPTCHA can be used by specifying exact domains in the admin console.

  • Consider implementing additional security measures like rate limiting on your server side.