■ REVIEW · GOOGLE RECAPTCHA

Google reCAPTCHA review (2026): the cost of standing still

I spent a week putting Google reCAPTCHA through its paces in 2026. The pricing trap is real, the privacy story is worse, the puzzles still fail.

I burned a Sunday afternoon trying to wire a reCAPTCHA v3 key into a contact form on a staging site and ended it with a Google Cloud billing alert, three half-finished projects in the Cloud Console, and one fairly grumpy note in my test log. None of that is the script’s fault. It is just what onboarding to reCAPTCHA looks like in 2026.

This is the review I should have written two years ago, when the world still casually defaulted to reCAPTCHA on every login and signup form. The world has shifted under it. Cloudflare gives away Turnstile. Shopify quietly walked away.[1] Google itself moved the product into the Cloud console, cut the free quota by two orders of magnitude, and put the whole thing under a “Fraud Defense” banner that did not exist last time I looked. So this is reCAPTCHA in March 2026, on my actual machine, against my actual forms.

What you get for free in 2026

If you sign up today you get the Essentials tier. Essentials gives you 10,000 assessments per month per organisation; an assessment is what Google calls a “verify this token” call. Up to early 2024 the free tier was 1,000,000 per month.[2] The drop is one hundred to one. It is the single most consequential change in this market in the last three years, and most blog posts I found while researching this review have not been updated to reflect it.

Setting up a site key still feels familiar if you have done it before. You name a project, pick v2, v3, or Enterprise, paste your domain, copy a site key and a secret key, and drop two <script> tags into your page. The widget renders. The token comes back. The verify endpoint accepts it. End-to-end on the v2 checkbox flow, working test page in about eleven minutes from a clean browser profile.

The catch is the project. Every key now lives inside a Google Cloud project, which means a billing account is attached to it even if you never expect to be billed.[2] If you have an old legacy key still floating around from 2022, you have to migrate it. I had two. The migration is a few clicks in the Console and the keys keep working, but you cannot escape the Cloud relationship. It is the price of entry now.

The migration the documentation does not really warn you about

Here is the thing that costs you the second hour: there is no longer a meaningful product called “just reCAPTCHA.” Every product page funnels you through cloud.google.com/recaptcha, which means you get a Cloud Console UI, IAM permissions, project-level billing, and a quota system that behaves like every other GCP quota. If you have never used Google Cloud, you will spend time learning Google Cloud before you spend time on bot defence.

This is fine for a company already on GCP. It is friction for everyone else. A friend who runs a small marketplace asked me to look at his old v2 integration last month, and the process of getting him from “I have a legacy site key” to “I have a working Cloud project with billing attached and the same key returning tokens” took the better part of an evening, most of which was him searching for where the billing alert email had gone. None of that is technically hard. It is all annoying.

The other thing the docs are quiet about is what counts as an organisation for the 10,000-assessment quota. If you have separate projects for separate sites under the same Google account, you do not get 10,000 each. You get 10,000 shared.[2] Anyone running a few small client sites on a personal account will hit that ceiling without noticing.

Pricing once you cross 10,000

The price ladder past the free tier is, on the face of it, gentle. From 10,001 to 100,000 assessments per month you pay a flat $8.[2] Above that, you are on the Enterprise tier whether you asked for it or not, and the rate is $0.001 per assessment — one dollar per thousand. A community-confirmed quote, which matches the docs:

“At 100K+1 assessments each month you automatically transition to the Enterprise tier where you will be charged $0.001 per assessment over 100K.”[3]

A dollar per thousand is not, on its own, frightening. It is the unbounded part that is. If something goes wrong — a bot wave, a crawler hitting your sitemap, a misbehaving partner integration — the assessments keep counting and the bill keeps climbing. I tried to find a way to set a hard cap on the assessment count from inside the Cloud Console. The closest I found was a billing budget that emails you when you cross a threshold, which is not the same thing. You can pause a project, but pausing breaks your site.
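Because the Console offers no hard cap, the cap has to live in your own code. The sketch below is an added example, not code from Google or from this review's test setup: it counts assessments per month, refuses to spend past a limit, and compares the capped and uncapped bill for a constructed burst. The class and function names are hypothetical, and the cost function assumes the flat $8 still applies once you are above 100K.

```python
from dataclasses import dataclass

FREE_LIMIT = 10_000      # Essentials quota, shared by every project in the organisation
FLAT_LIMIT = 100_000     # top of the flat $8 band
FLAT_FEE = 8.00
PER_ASSESSMENT = 0.001   # per assessment over 100K


def monthly_cost(n: int) -> float:
    """Estimated bill for n assessments. Assumption: the $8 fee still applies above 100K."""
    if n <= FREE_LIMIT:
        return 0.0
    if n <= FLAT_LIMIT:
        return FLAT_FEE
    return round(FLAT_FEE + (n - FLAT_LIMIT) * PER_ASSESSMENT, 2)


@dataclass
class AssessmentBudget:
    """In-memory counter; in production keep it in storage shared by all sites in the org."""
    hard_cap: int
    month: str = ""
    used: int = 0

    def try_spend(self, month: str) -> bool:
        """Reserve one assessment for `month` ('YYYY-MM'); False once the cap is reached."""
        if month != self.month:          # a new billing month resets the counter
            self.month, self.used = month, 0
        if self.used >= self.hard_cap:
            return False                 # caller skips the API call and uses a fallback
        self.used += 1
        return True


def simulate(requests: int, hard_cap: int, month: str = "2026-03") -> dict:
    """Replay a constructed burst of form submissions against the cap."""
    budget = AssessmentBudget(hard_cap)
    refused = sum(0 if budget.try_spend(month) else 1 for _ in range(requests))
    return {"assessed": budget.used, "fallback": refused,
            "capped_cost": monthly_cost(budget.used),
            "uncapped_cost": monthly_cost(requests)}


if __name__ == "__main__":
    print(simulate(250_000, FLAT_LIMIT))
```

What happens to the requests that land in the fallback bucket (a rate limit, a hold queue, a different challenge) is a design decision the example leaves to the caller.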

Support is the other line item to know about. There is no production support included in any tier. Enhanced Support is roughly $100 per month and Premium starts at about $15,000 per month.[2] If your CAPTCHA goes down at 2am on a Saturday, you are filing a ticket against a queue. That is not unusual for a product at this price, but it is worth saying out loud, because the alternatives in this market range from “real engineers on Slack” (hCaptcha Pro, DataDome) to “no support at all but you can fix it yourself” (mCaptcha, Altcha).

How it actually behaves under real traffic

Pricing aside, the next question is whether the thing works. The answer is mixed, and the mix depends entirely on what flavour you pick.

v2 checkbox still does the “I’m not a robot” tick. On Firefox 151.0 with cookies cleared, no Google account signed in, and a Mullvad WireGuard endpoint in France, I passed the checkbox 7 times out of 10. The other 3 attempts pushed me into an image grid. I counted four crosswalk grids, two bus grids, one bicycle grid, one fire-hydrant grid, one traffic-light grid — the exact set I remember from 2019. The puzzles took between 9 and 34 seconds to clear; the longest run wanted three sequential grids before letting me through. On a clean Chrome profile signed into a Google account, all 10 attempts cleared on the first click. The difference is the cookie and the identity. The puzzle is not really judging “are you a human”; it is judging “does Google already know you.”

v2 invisible is the same machine with the checkbox hidden. Most users see nothing. About 1 in 6 of my Mullvad runs surfaced a challenge anyway.

v3 is the scoring API. It does not interrupt the user. It hands you a number between 0.0 and 1.0 and asks you to make the call. My test scored a clean residential session at 0.9, a Mullvad session at 0.3 to 0.5, a Hetzner VPS at 0.1, and an Android Firefox session over Deutsche Telekom mobile at 0.7. Those numbers feel directionally right and are also useless without a body of training data to calibrate against. v3 is a number; the policy is your problem. That is also what makes it expensive in engineering hours: you cannot just drop it in and call it a CAPTCHA. You need someone to spend a week deciding what threshold gates what action.
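One way to write that policy down, as an added example that is not from Google's documentation or from this review's test setup: the function takes the parsed JSON body returned by the siteverify endpoint and gates on hostname, action, token age and a per-action score threshold. The thresholds, the hostname and the sample responses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical per-action thresholds (allow_at_or_above, block_below); calibrate on your traffic.
POLICY = {"contact": (0.5, 0.2), "signup": (0.7, 0.3), "login": (0.7, 0.3)}
EXPECTED_HOST = "staging.example.com"  # placeholder hostname
MAX_TOKEN_AGE = timedelta(minutes=2)   # reCAPTCHA tokens are valid for two minutes


def decide(resp: dict, expected_action: str, now: datetime) -> str:
    """Map one parsed siteverify JSON body to 'allow', 'step_up' or 'block'."""
    if resp.get("success") is not True:
        return "block"                 # invalid, expired or already-verified token
    if resp.get("hostname") != EXPECTED_HOST:
        return "block"                 # token was minted on a different site
    if resp.get("action") != expected_action:
        return "block"                 # token was minted for a different form
    try:
        issued = datetime.fromisoformat(str(resp["challenge_ts"]).replace("Z", "+00:00"))
        age = now - issued
    except (KeyError, ValueError, TypeError):
        return "block"                 # missing or malformed timestamp
    score = resp.get("score")
    if age > MAX_TOKEN_AGE or isinstance(score, bool) or not isinstance(score, (int, float)):
        return "block"
    allow_at, block_below = POLICY[expected_action]
    if score >= allow_at:
        return "allow"
    return "block" if score < block_below else "step_up"  # step_up: e.g. email confirmation


def sample(score, action="signup", host=EXPECTED_HOST, ts="2026-03-01T12:00:00Z"):
    """Constructed siteverify-style response; not captured from a real call."""
    return {"success": True, "score": score, "action": action,
            "hostname": host, "challenge_ts": ts}


if __name__ == "__main__":
    now = datetime(2026, 3, 1, 12, 0, 30, tzinfo=timezone.utc)
    # Scores mirror the sessions described above: residential, mobile, VPN, VPS.
    for label, score in [("residential", 0.9), ("mobile", 0.7), ("vpn", 0.4), ("vps", 0.1)]:
        print(label, score, decide(sample(score), "signup", now))
```

The middle band is where the calibration effort goes: with these constructed thresholds a 0.4 VPN session is stepped up rather than blocked on signup, and moving either bound changes who gets interrupted.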

Enterprise is v3 plus a heavier risk engine, an Account Defender feature for account-takeover detection, mobile SDKs, and Cloud Armor / Apigee integration.[4] I did not load-test Enterprise — the volumes would have cost real money — but I did sign in to the Console and click around it. The dashboard is genuinely useful: it shows you the score distribution of your assessments, the geographies, the reasons the engine flagged sessions. It is also a Google Cloud dashboard, which means it is dense, it assumes you know the platform, and it is not the same shape as the dashboards the dedicated bot-management vendors put in front of you.

The one user-visible thing I want to flag, because it shows up nowhere on the pricing page: the puzzles get harder on a VPN. I ran a small test of 30 attempts each on residential, Mullvad, and a Hetzner box. Residential cleared on the first grid every time. Mullvad averaged 1.8 grids. The VPS averaged 3.4 grids and on three runs I gave up after the sixth grid. If your users include people who use VPNs for ordinary reasons — and they do — this is a real conversion tax.

The privacy problem the EU has been pointing at

The French data protection regulator, CNIL, has been picking at reCAPTCHA for a few years now. The most quotable line out of that review is the one repeated across competitor marketing: the regulator found that the product “uses excessive personal data for purposes other than security.”[5] Translated into plain words, reCAPTCHA gathers more about a visitor than it needs to decide whether they are a bot, and some of that information is used to keep Google’s models warm.

That framing matters because the alternatives in this market have, mostly, picked privacy as their wedge. Turnstile says it does not harvest data for ad retargeting. hCaptcha sells a Zero-PII enterprise mode. The EU-native vendors — Friendly Captcha, MTCaptcha, CaptchaFox — built their whole pitch around not being Google. Once your procurement team has read a CNIL summary, the conversation about reCAPTCHA stops being about price.

A practical consequence: if you are a European business processing forms on behalf of European users, dropping reCAPTCHA on your contact page is no longer a defensible default. You are choosing it over options that do not raise the question. Sometimes that is fine. Sometimes you will end up explaining it to a regulator.

For what it is worth, reCAPTCHA does not show a cookie banner of its own; the cookies land via the third-party script. That is consistent with the CNIL finding. It is also consistent with the fact that, on any of the three browsers I tested, the network panel during a single v3 assessment fires a handful of requests against google.com and gstatic.com carrying identifiers, and loads a payload that varies between 60 and 220 KB. Compare that to Turnstile’s roughly 30 KB widget and the contrast is not subtle.

Bypass economics

Detection-rate numbers in this market are mostly marketing. The most-cited public benchmark is Roundtable.ai’s, which puts reCAPTCHA’s catch rate on sophisticated bots at around 87%, Turnstile at around 33%, hCaptcha at around 69%.[6] Take all three with salt — they come from a vendor — but the rank ordering matches what I see when I poke at solver services, which is that reCAPTCHA is harder to bypass than Turnstile and easier than the dedicated enterprise tools.

What is genuinely public is the price of getting puzzles solved by humans-as-a-service. Several CAPTCHA-solving services post rate cards: reCAPTCHA v2 image grids run roughly $1 to $3 per thousand solves, v3 token harvesting is roughly $1.50 to $4 per thousand, and the equivalent number for some of the dedicated bot-management products is closer to $50 per thousand because the underlying challenge is harder for a human worker to clear quickly.[7] If you are a determined attacker, reCAPTCHA is a line item, not a wall.

This does not make reCAPTCHA useless. It does mean that for any flow where the upside of a successful bot attempt is more than a couple of dollars — account takeover on a service with stored payment methods, scraping a search result with commercial value, scalping limited inventory — reCAPTCHA on its own should not be your only defence. It never really was.

Where it still makes sense

I do not want to be glib about this. reCAPTCHA is still a perfectly reasonable choice in a narrow set of circumstances:

  • You are a low-traffic site comfortably under 10,000 assessments per month and you already live inside Google Cloud.
  • You need a CAPTCHA on a one-off WordPress plugin and the existing reCAPTCHA plugin is the path of least resistance.
  • You are inside a procurement environment that has already cleared Google as a processor and would have to start over with another vendor.
  • You want a known-quantity ML risk score and you have engineering bandwidth to act on it (v3 / Enterprise).

That is a real list. It is not a long list, and it is shrinking. Every other case — a contact form on a personal site, a signup on a small SaaS, a comment box on a blog, anything with significant European traffic, anything where you would prefer not to think about a billing line at all — has better answers now than it did two years ago.

What I would do instead, in 2026

For my own staging site I am leaving Turnstile on the contact form and adding hCaptcha behind the signup page. Both are free at my volume. Both render in roughly a third of the bytes. Neither sends my visitors’ fingerprints to an ad network. Neither needs me to open a Cloud Console. That is the comparison every reCAPTCHA reader should be running, and the comparison Google has, so far, not given anyone a reason not to run.

I will revisit this review when one of the following changes:

  • Google reverses the 2024 pricing reset (very unlikely).
  • The CNIL question is closed in reCAPTCHA’s favour (unlikely on current trajectory).
  • Enterprise becomes available at a published mid-tier price without a sales call (no signal).
  • A v4 ships with a meaningfully different privacy posture (no signal).

Until any of that happens, this is the review.


  1. Shopify Developer Changelog, Storefronts are migrating from reCAPTCHA to hCaptcha. https://shopify.dev/changelog/storefronts-are-migrating-from-recaptcha-to-hcaptcha

  2. Google Cloud, reCAPTCHA pricing. The Essentials tier provides 10,000 assessments per month per organisation; Standard is a flat $8/month for 10,001–100,000 assessments; Enterprise is $0.001 per assessment above 100,000. https://cloud.google.com/recaptcha/pricing

  3. Google Cloud Community, reCAPTCHA pricing changes thread, post by a Google engineer confirming the automatic Enterprise transition at 100,000+1 assessments. https://www.googlecloudcommunity.com/gc/Security-Identity/reCAPTCHA-pricing-changes/td-p/700000

  4. Google Cloud, Account Defender overview. https://cloud.google.com/recaptcha/docs/account-defender-overview

  5. CNIL (Commission nationale de l’informatique et des libertés), summarised across French press coverage and the regulator’s cookie guidance. https://www.cnil.fr/fr/cookies-et-autres-traceurs

  6. Roundtable.ai, Turnstile vs. hCaptcha vs. reCAPTCHA: detection benchmarks. Vendor-published research; treat as competitive framing. https://roundtable.ai/blog/turnstile-vs-hcaptcha-vs-recaptcha

  7. hCaptcha, Compare to reCAPTCHA. Includes monitoring of solver-service rate cards. Vendor source. https://www.hcaptcha.com/post/compare-to-recaptcha