How does Google's reCAPTCHA v3 work?

How is reCAPTCHA v3 going to stop [Spam]?

There are various heuristics which can be used to detect automated systems, such as the number of requests coming from a certain IP, browser fingerprinting, Google account cookies, among many others. Google seems to use some of them. If uncertain, a challenge gets shown.

What if a hacker spams the URLs on my site with an external tool without using the interface I provide?

Google generates a token for the client when they pass the checks, which you have to validate on the server side. If someone doesn't pass the CAPTCHA (a robot), they do not have a token.


In addition to the user behavior tracking on your site (as explained by Jonas Wilms), v3 (and v2) also make decisions based on your IP, ASN, browser and any kind of information about your system that is sent via your HTTP request.

The only difference is that V2 is a complete solution, i.e., if it thinks a user may be a bot, it will pose additional challenges until it is convinced the user is a human. On the other hand, V3 is non-intrusive. It generates a score based on the parameters discussed above and passes it on to you. It is then your decision to take appropriate steps (like posing challenges, or requiring two-factor authentication, etc.) based on this score.

IMO, it is better to start with a V2 solution and implement V3 if you want more control or have a better way to challenge the user if they have a low score.

(Here is an interesting article on the differences)
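The server-side token validation from the first answer and the score-based decision from the second answer, as an added example that is not part of either answer or of Google's own code. It POSTs the token to Google's siteverify endpoint (real URL and response fields) and then decides allow / challenge / reject; the action name "login", the hostname "example.com", the 0.5 threshold and the sample verdicts are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def post_siteverify(secret, token, remote_ip=None):
    """Real transport: send the client's token and your secret to Google."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    body = urllib.parse.urlencode(data).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, body, timeout=5) as resp:
        return json.load(resp)

def assess(verdict, expected_action, expected_hostname, min_score=0.5):
    """Turn a siteverify verdict into allow / challenge / reject.

    success=False means the token was missing, forged, reused or expired.
    action and hostname must match the page that issued the token, so a
    token harvested from one form cannot be replayed against another.
    """
    if not verdict.get("success"):
        return "reject"
    if verdict.get("action") != expected_action:
        return "reject"
    if verdict.get("hostname") != expected_hostname:
        return "reject"
    score = float(verdict.get("score", 0.0))  # 1.0 = likely human, 0.0 = likely bot
    # v3 leaves the policy to you: low score -> fall back to a v2 challenge, 2FA, etc.
    return "allow" if score >= min_score else "challenge"

def verify_request(token, secret, expected_action, expected_hostname,
                   min_score=0.5, remote_ip=None, transport=post_siteverify):
    """Full server-side check for one incoming form submission."""
    if not token:  # a client that skipped the widget never received a token
        return "reject"
    verdict = transport(secret, token, remote_ip)
    return assess(verdict, expected_action, expected_hostname, min_score)

# Constructed sample verdicts in the shape siteverify returns (not real responses).
SAMPLE_VERDICTS = {
    "human": {"success": True, "score": 0.9, "action": "login",
              "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"},
    "bot": {"success": True, "score": 0.1, "action": "login",
            "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"},
    "forged": {"success": False, "error-codes": ["invalid-input-response"]},
    "replayed": {"success": True, "score": 0.9, "action": "signup",
                 "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"},
}
```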