Set up Google reCAPTCHA

Add reCAPTCHA v2 checkbox or v3 invisible verification to your forms.

What is reCAPTCHA?

reCAPTCHA is Google's bot detection service. It comes in two versions that work differently:

Both versions are supported on all Pro plans.

Does not work in China: reCAPTCHA relies on Google domains (google.com, gstatic.com) which are completely blocked in mainland China. Forms using reCAPTCHA will fail for visitors in China — the widget will not load and submissions will be flagged as spam. If your audience includes Chinese users, use GeeTest v4 (works natively in China) or hCaptcha instead.

Google Cloud migration (2024): In 2024, Google moved reCAPTCHA management from the standalone admin console (google.com/recaptcha/admin) to Google Cloud Console. Existing keys created in the old console continue to work. New keys should be created in Cloud Console. The old admin URL redirects to Cloud Console for most accounts. The reCAPTCHA JavaScript API (www.google.com/recaptcha/api.js) and server-side verification endpoint (www.google.com/recaptcha/api/siteverify) are unchanged — FormBlade works with both old and new keys.

Pricing and limits

Google offers reCAPTCHA in two tiers (as of April 2026):

| Tier | Monthly assessments | Price | Credit card |
| --- | --- | --- | --- |
| reCAPTCHA (standard) | 10,000 | $0 | Not required |
| reCAPTCHA Enterprise | First 10,000 free, then $1 per 1,000 | Pay-as-you-go | Required above free tier |

The free allowance of 10,000 assessments per month applies to both v2 and v3. Each form load that renders the reCAPTCHA widget counts as one assessment, not just submissions. A form with 500 visitors per day would use roughly 15,000 assessments per month — above the free tier.

For high-traffic forms, consider Cloudflare Turnstile (unlimited, free) or hCaptcha (1M free/month) as alternatives with higher free limits.

Step 1: Get your keys from Google

Google migrated reCAPTCHA to Google Cloud Console in 2024. You can still use the legacy admin console (it redirects), or go directly through Cloud Console:

  1. Go to Google Cloud Console → reCAPTCHA (or the legacy admin console, which redirects there).
  2. Create a project if you do not have one, then click Create Key.
  3. Enter a display name (e.g., "Contact Form").
  4. Choose the key type:
    • Select Checkbox (v2) if you want the visible "I'm not a robot" checkbox.
    • Select Score-based (v3) if you want invisible, score-based verification.
  5. Under Domains, add:
    • Your own domain (e.g., yoursite.com)
    • formblade.com if you use the hosted form page
  6. Click Create.
  7. Google will show you two keys — copy both:
    • Site Key (public, goes in your HTML)
    • Secret Key (private, stays on the server)

Tip: Google provides test keys for development. For v2, use site key 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI and secret key 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe. These always pass verification so you can test without real keys. Because they always pass, swap in your real keys before the form goes live.

Step 2: Add keys in FormBlade

  1. Open your form in the FormBlade dashboard.
  2. Go to the Form Designer tab.
  3. Scroll down to the Captcha section.
  4. Select reCAPTCHA v2 or reCAPTCHA v3 from the dropdown.
  5. Paste your Site Key into the Site Key field.
  6. Paste your Secret Key into the Secret Key field.
  7. If you chose v3, set the Score Threshold (more on this below).
  8. Click Save.

If you use a hosted form, the captcha widget is added automatically. If you use a custom HTML form, you need to add the widget code yourself (see below).

reCAPTCHA v2: how the checkbox works

When a user loads your form, they see a small "I'm not a robot" checkbox. After clicking it, Google may show a quick image challenge if the user's behavior seems suspicious. Once the user passes, a hidden g-recaptcha-response field is added to the form. FormBlade verifies this token server-side using your Secret Key before accepting the submission.

There is nothing to configure beyond the site and secret keys. Every user who fails the challenge is blocked.

reCAPTCHA v3: invisible scoring

With v3, there is no visible widget. Google silently scores every visitor based on behavior patterns — mouse movements, browsing history, how fast the form was filled out, and other signals. The score ranges from 0.0 (very likely a bot) to 1.0 (very likely human).

In your form settings, the Score Threshold (also called "min score") controls the cutoff:

| Threshold | Effect |
| --- | --- |
| 0.1 | Very permissive — only blocks obvious bots |
| 0.5 | Balanced — good default for most forms |
| 0.7 | Strict — may block some legitimate users on VPNs or shared IPs |
| 0.9 | Very strict — only for high-security forms, expect some false positives |

The default threshold is 0.5. Start there and lower it if legitimate users report being blocked.

The "fail reject" toggle

In the Captcha section of your form settings, you will see a Fail Reject toggle. When enabled (the default), any submission that fails captcha verification is rejected outright — the user sees an error and the submission is not stored. When disabled, failed submissions are still accepted but marked as spam in your dashboard. This lets you review borderline cases instead of losing them entirely.
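
The server-side decision described in the sections above, as an added JavaScript sketch (not FormBlade's code): the siteverify result is checked, then the Score Threshold and Fail Reject settings decide the outcome. The cfg object, decide(), and the hostname and action checks are assumptions of this example; the page does not say how FormBlade implements them.

```javascript
// Added example, not FormBlade's code. Field names follow Google's siteverify JSON.
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// POST the g-recaptcha-response token to Google (needs network; Node 18+ fetch).
async function verifyToken(secretKey, token) {
  const res = await fetch(SITEVERIFY_URL, {
    method: 'POST',
    body: new URLSearchParams({ secret: secretKey, response: token }),
  });
  return res.json();
}

// Map a siteverify result to 'accept', 'reject' or 'spam'. cfg is a hypothetical
// settings object: version (2|3), minScore, failReject, allowedHosts, expectedAction.
function decide(result, cfg) {
  const reasons = [];
  if (!result || result.success !== true) {
    const codes = (result && result['error-codes']) || ['no response'];
    reasons.push('verification failed: ' + codes.join(','));
  } else {
    if (!cfg.allowedHosts.includes(result.hostname)) {
      reasons.push('unexpected hostname ' + result.hostname);
    }
    if (cfg.version === 3) {
      if (result.action !== cfg.expectedAction) {
        reasons.push('unexpected action ' + result.action);
      }
      // Assumption: a score equal to the threshold passes.
      if (typeof result.score !== 'number' || result.score < cfg.minScore) {
        reasons.push('score ' + result.score + ' below ' + cfg.minScore);
      }
    }
  }
  if (reasons.length === 0) return { outcome: 'accept', reasons };
  // Fail Reject on: drop the submission. Off: keep it, marked as spam.
  return { outcome: cfg.failReject ? 'reject' : 'spam', reasons };
}

// Constructed sample responses and settings (not captured from Google).
const SAMPLES = {
  v3Human: { success: true, hostname: 'yoursite.com', action: 'submit', score: 0.9 },
  v3Low: { success: true, hostname: 'yoursite.com', action: 'submit', score: 0.3 },
  v3WrongHost: { success: true, hostname: 'other.example', action: 'submit', score: 0.9 },
  badSecret: { success: false, 'error-codes': ['invalid-input-secret'] },
};
const DEMO_CFG = { version: 3, minScore: 0.5, failReject: true,
  allowedHosts: ['yoursite.com', 'formblade.com'], expectedAction: 'submit' };
for (const [name, r] of Object.entries(SAMPLES)) console.log(name, decide(r, DEMO_CFG).outcome);
```

For a v2 key, set version to 2: only success and hostname are checked, since v2 responses carry no score or action.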

Add reCAPTCHA v2 to a custom HTML form

If you are not using a hosted form, add the reCAPTCHA script and widget div to your page:

<script src="https://www.google.com/recaptcha/api.js" async defer></script>

<form action="https://formblade.com/f/contact" method="POST">
  <label>Name</label>
  <input type="text" name="name" required>

  <label>Email</label>
  <input type="email" name="email" required>

  <label>Message</label>
  <textarea name="message" required></textarea>

  <!-- reCAPTCHA v2 widget -->
  <div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>

  <button type="submit">Send</button>
</form>

Replace /f/contact with your own form link from the dashboard.

Replace YOUR_SITE_KEY with your actual site key. The widget renders the checkbox automatically. When the user completes the challenge, a hidden g-recaptcha-response field is injected into the form.

Add reCAPTCHA v3 to a custom HTML form

Since v3 is invisible, there is no widget div. Instead, you load the script with your site key and execute it on form submit:

<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>

<form id="myForm" action="https://formblade.com/f/contact" method="POST">
  <input type="text" name="name" required>
  <input type="email" name="email" required>
  <textarea name="message" required></textarea>
  <input type="hidden" name="g-recaptcha-response" id="recaptchaResponse">
  <button type="submit">Send</button>
</form>

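<script>
// Intercept the submit so a token can be requested at submission time.
document.getElementById('myForm').addEventListener('submit', function(e) {
  e.preventDefault();
  grecaptcha.ready(function() {
    // The action name is reported back to the server alongside the score.
    grecaptcha.execute('YOUR_SITE_KEY', {action: 'submit'}).then(function(token) {
      // Put the token in the hidden g-recaptcha-response field.
      document.getElementById('recaptchaResponse').value = token;
      // form.submit() does not fire the submit event again, so this cannot loop.
      document.getElementById('myForm').submit();
    });
  });
});
</script>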

Replace /f/contact with your own form link from the dashboard.

Replace both instances of YOUR_SITE_KEY with your actual site key. The script intercepts the form submission, requests a token from Google, injects it into the hidden field, and then submits the form. FormBlade checks the token and score server-side.

Tips

Troubleshooting

Captcha widget not showing (v2)

If the checkbox does not appear on your page, check the following:

Submissions being blocked unexpectedly (v3)

If legitimate users are getting rejected:

Secret key error

If submissions fail with a captcha verification error, double-check that you pasted the Secret Key (not the Site Key) into the Secret Key field in FormBlade. The two keys are not interchangeable.