Google reCAPTCHA integration

Adds Google reCAPTCHA v3 (invisible, score-based) to a form. Each submission is verified server-side before the spam pipeline lets it through. Configured per-form rather than globally.

What you need

• A Google account.
• A reCAPTCHA admin account at https://www.google.com/recaptcha/admin (uses your Google login).

* * *

Step 1 - Register a reCAPTCHA site

1. Go to https://www.google.com/recaptcha/admin/create.
2. Label: Formspring - <form name>.
3. reCAPTCHA type: reCAPTCHA v3 (invisible, score-based).
4. Domains: add the domains the form embed runs on (e.g. formspring.io, localhost).
5. Accept the Terms of Service.
6. Submit.

* * *

Step 2 - Copy the keys

The next page shows two keys:

• Site key (public): for the form embed.
• Secret key (private): for server-side verification.

* * *

Step 3 - Connect in Formspring

1. Open your form → Settings → Spam & abuse.
2. Enable reCAPTCHA.
3. Paste the Site key and Secret key.
4. Save.

The form's embed now loads the reCAPTCHA script. Submissions without a valid token are rejected with HTTP 422.

* * *

hCaptcha alternative

For most Formspring users, hCaptcha is a better default than reCAPTCHA - privacy-friendly, EU-compliant, and no Google adtech cookies. See hcaptcha.md.

* * *

Security

• Rotate at https://www.google.com/recaptcha/admin → site → settings → Reset secret key. Old secret is revoked immediately.
• The site key being public is by design - don't worry about it leaking.
• Watch the score threshold: too low and you let bots through; too high and you reject legitimate users. 0.5 is a sane default; tune by watching your spam dashboard.

* * *

Privacy

• reCAPTCHA places Google's _GRECAPTCHA cookie on the visitor. EU laws require disclosure + a consent banner if you're outside the strict-transactional exemption.
• Add a privacy line on the form: "This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply."

* * *

Troubleshooting

Symptom	Cause
422 on every submission	Embed isn't loading the reCAPTCHA widget script.
invalid-input-secret	Wrong secret or whitespace.
timeout-or-duplicate	Token expired (2 min) or user submitted twice. Resubmit.
hostname mismatch	The domain serving the form isn't in the site's domain list.
Score always low	Tune the threshold in form settings.

* * *

Provider docs

• reCAPTCHA admin: https://www.google.com/recaptcha/admin
• v3 docs: https://developers.google.com/recaptcha/docs/v3
• Verify response: https://developers.google.com/recaptcha/docs/verify