Explainers

reCAPTCHA Enterprise Assessment API Deep Dive

Automation reCAPTCHA v2
By Irina
Published at Mar 04, 2026
reCAPTCHA Enterprise Assessment API Deep Dive
Featured image unavailable

reCAPTCHA Enterprise is Google's premium CAPTCHA service that extends reCAPTCHA v3 with detailed risk analysis, score reasons, fraud detection signals, and account defender capabilities. Unlike the standard free version that returns only a score and action, Enterprise provides explainable assessments with specific risk factors. This guide covers the Enterprise Assessment API architecture, response structure, and how to handle Enterprise-protected sites in automation.

Enterprise vs standard reCAPTCHA

Feature reCAPTCHA v3 (free) reCAPTCHA Enterprise
Scoring 0.0-1.0 score 0.0-1.0 score + score reasons
Risk analysis Basic Detailed (fraud signals, account info)
Score reasons Not provided Specific reasons explaining the score
Account Defender No Yes (tracks account lifecycle)
WAF integration No Yes (Cloudflare, Fastly, F5)
Express assessment No Yes (server-side only, no JS)
Password leak detection No Yes
Pricing Free (1M assessments/month) $1 per 1000 assessments (0-1M free)
API endpoint google.com/recaptcha/api/siteverify recaptchaenterprise.googleapis.com

Enterprise Assessment API flow

Client-side:

  1. Load reCAPTCHA Enterprise script
  2. Call grecaptcha.enterprise.execute(SITE_KEY, {action: 'LOGIN'})
  3. Receive token
  4. Send token to your backend

Server-side:

  1. Create assessment via Enterprise API
  2. Receive detailed risk analysis
  3. Make access decision based on score + reasons
  4. Optionally annotate the assessment (report fraud/legitimate)

Client-side integration

JavaScript SDK

<script src="https://www.google.com/recaptcha/enterprise.js?render=SITE_KEY"></script>
<script>
    grecaptcha.enterprise.ready(function() {
        grecaptcha.enterprise.execute('SITE_KEY', { action: 'LOGIN' })
            .then(function(token) {
                // Send token to backend
                fetch('/api/verify', {
                    method: 'POST',
                    headers: { 'Content-Type': 'application/json' },
                    body: JSON.stringify({ token: token })
                });
            });
    });
</script>

Key differences from standard reCAPTCHA v3:

  • Script URL uses .../recaptcha/enterprise.js instead of .../recaptcha/api.js
  • API object is grecaptcha.enterprise instead of grecaptcha
  • execute() returns the same token format

Detection in page source

import requests
import re

def detect_recaptcha_enterprise(url):
    """Detect if a page uses reCAPTCHA Enterprise."""
    html = requests.get(url, timeout=10).text

    indicators = {
        "is_enterprise": False,
        "is_standard": False,
        "site_key": None,
        "actions": [],
    }

    # Enterprise detection
    if "recaptcha/enterprise.js" in html:
        indicators["is_enterprise"] = True
        match = re.search(r"render=([A-Za-z0-9_-]+)", html)
        if match:
            indicators["site_key"] = match.group(1)

    # Standard v3 detection
    elif "recaptcha/api.js?render=" in html:
        indicators["is_standard"] = True
        match = re.search(r"render=([A-Za-z0-9_-]+)", html)
        if match:
            indicators["site_key"] = match.group(1)

    # Extract action names
    actions = re.findall(r"action:\s*['\"](\w+)['\"]", html)
    indicators["actions"] = list(set(actions))

    return indicators

print(detect_recaptcha_enterprise("https://example.com/login"))

Server-side Assessment API

Creating an assessment (Google Cloud API)

from google.cloud import recaptchaenterprise_v1
from google.cloud.recaptchaenterprise_v1 import Assessment

def create_assessment(project_id, site_key, token, action):
    """Create a reCAPTCHA Enterprise assessment."""
    client = recaptchaenterprise_v1.RecaptchaEnterpriseServiceClient()

    event = recaptchaenterprise_v1.Event()
    event.site_key = site_key
    event.token = token
    event.expected_action = action

    assessment = recaptchaenterprise_v1.Assessment()
    assessment.event = event

    request = recaptchaenterprise_v1.CreateAssessmentRequest()
    request.assessment = assessment
    request.parent = f"projects/{project_id}"

    response = client.create_assessment(request)
    return response

Assessment response structure

{
    "name": "projects/123456/assessments/abcdef123",
    "event": {
        "token": "...",
        "siteKey": "6Le...",
        "expectedAction": "LOGIN",
        "hashedAccountId": "abc123..."
    },
    "riskAnalysis": {
        "score": 0.9,
        "reasons": [
            "AUTOMATION",
            "TOO_MUCH_TRAFFIC"
        ],
        "extendedVerdictReasons": [
            "BROWSER_ERROR"
        ]
    },
    "tokenProperties": {
        "valid": true,
        "hostname": "example.com",
        "action": "LOGIN",
        "createTime": "2025-01-15T10:30:00Z",
        "invalidReason": ""
    },
    "accountDefenderAssessment": {
        "labels": ["PROFILE_MATCH"]
    }
}

Enterprise score reasons

Enterprise provides specific reasons explaining why a score is low:

Reason Description Score impact
AUTOMATION Automated user agent or headless browser detected -0.3 to -0.7
UNEXPECTED_ENVIRONMENT Browser or device environment inconsistencies -0.2 to -0.4
TOO_MUCH_TRAFFIC High request volume from this IP or session -0.1 to -0.3
UNEXPECTED_USAGE_PATTERNS Behavioral signals deviate from human norms -0.2 to -0.5
LOW_CONFIDENCE_SCORE Insufficient data to make a confident assessment Variable
SUSPECTED_CARDING Transaction pattern matches credit card fraud -0.3 to -0.6
SUSPECTED_CHARGEBACK Risk of chargeback based on transaction signals -0.2 to -0.4

Extended verdict reasons (additional detail)

Reason Description
BROWSER_ERROR JavaScript execution errors in CAPTCHA SDK
SITE_MISMATCH Token created for different site than validated on
FAILED_TWO_FACTOR Two-factor authentication failed recently

Account Defender

Enterprise's Account Defender tracks user accounts across their lifecycle:

{
    "accountDefenderAssessment": {
        "labels": [
            "PROFILE_MATCH",
            "SUSPICIOUS_LOGIN_ACTIVITY",
            "SUSPICIOUS_ACCOUNT_CREATION",
            "RELATED_ACCOUNTS_NUMBER_HIGH"
        ]
    }
}
Label Meaning
PROFILE_MATCH Behavior matches the known profile for this account
SUSPICIOUS_LOGIN_ACTIVITY Login pattern deviates from normal (new device, location)
SUSPICIOUS_ACCOUNT_CREATION Account creation looks automated
RELATED_ACCOUNTS_NUMBER_HIGH Multiple accounts linked to same device/session

WAF integration

reCAPTCHA Enterprise integrates with WAF providers to add CAPTCHA challenges at the network edge:

Cloudflare WAF integration

Request arrives at Cloudflare edge
    ↓
Cloudflare WAF rule evaluates request
    ↓
Rule triggers reCAPTCHA Enterprise challenge
    ↓
Client solves CAPTCHA → token returned
    ↓
Cloudflare validates token via Enterprise API
    ↓
If valid + score above threshold → request forwarded to origin

F5 BIG-IP integration

F5 iRule or policy evaluates request
    ↓
Triggers reCAPTCHA Enterprise challenge page
    ↓
Client solves → token validated server-side
    ↓
F5 forwards or blocks based on assessment score

Handling Enterprise reCAPTCHA in automation

CaptchaAI solves Enterprise the same way as standard reCAPTCHA

From an API solver perspective, reCAPTCHA Enterprise tokens work identically to standard reCAPTCHA tokens:

import requests
import time

API_KEY = "YOUR_API_KEY"

# Enterprise is solved with the same method
# The solver handles the Enterprise variant automatically
submit = requests.post("https://ocr.captchaai.com/in.php", data={
    "key": API_KEY,
    "method": "userrecaptcha",
    "googlekey": "6LcR_RsTAAAAAN_r0GEkGBfq3L7KmU5JbPHJtwNp",
    "pageurl": "https://enterprise-site.com/login",
    "enterprise": 1,  # Flag for Enterprise variant
    "json": 1,
})

task_id = submit.json()["request"]

for _ in range(60):
    time.sleep(5)
    result = requests.get("https://ocr.captchaai.com/res.php", params={
        "key": API_KEY,
        "action": "get",
        "id": task_id,
        "json": 1,
    }).json()

    if result.get("status") == 1:
        token = result["request"]
        print(f"Enterprise token: {token[:50]}...")
        break

Node.js

const axios = require("axios");

async function solveEnterprise(sitekey, pageurl) {
    const API_KEY = "YOUR_API_KEY";

    const { data: submit } = await axios.post(
        "https://ocr.captchaai.com/in.php",
        new URLSearchParams({
            key: API_KEY,
            method: "userrecaptcha",
            googlekey: sitekey,
            pageurl: pageurl,
            enterprise: 1,
            json: 1,
        })
    );

    const taskId = submit.request;

    for (let i = 0; i < 60; i++) {
        await new Promise(r => setTimeout(r, 5000));
        const { data: result } = await axios.get(
            "https://ocr.captchaai.com/res.php",
            { params: { key: API_KEY, action: "get", id: taskId, json: 1 } }
        );

        if (result.status === 1) return result.request;
    }

    throw new Error("Timeout");
}

How to detect Enterprise vs standard on a target page

def identify_recaptcha_version(html):
    """Determine which reCAPTCHA version a page uses."""
    if "recaptcha/enterprise.js" in html:
        return "enterprise"
    elif "recaptcha/api.js?render=" in html:
        return "v3"
    elif "g-recaptcha" in html and 'data-size="invisible"' in html:
        return "v2_invisible"
    elif "g-recaptcha" in html:
        return "v2"
    else:
        return "none"

Enterprise troubleshooting

Issue Diagnosis Solution
Token rejected by Enterprise API Using standard method for Enterprise site Add enterprise=1 to solver request
Score always 0.1 despite valid token Action parameter mismatch Verify the action matches what the page sends
"SITE_MISMATCH" in reasons Token generated for wrong domain Ensure pageurl exactly matches the target
"AUTOMATION" in score reasons Solver environment detected CaptchaAI handles this — if persisting, contact support
Token valid but site still blocks Site uses additional checks beyond CAPTCHA Check for other bot detection layers (WAF, fingerprint)

Frequently asked questions

Is reCAPTCHA Enterprise harder to solve than standard reCAPTCHA?

The token generation process is the same. Enterprise adds server-side analysis features (score reasons, Account Defender) but the client-side challenge is identical. API solvers generate tokens for Enterprise the same way they do for standard versions.

Do I need a Google Cloud account to solve Enterprise CAPTCHAs?

No. As an automation developer solving Enterprise CAPTCHAs on target websites, you only need the sitekey from the page and an API solver like CaptchaAI. The Google Cloud account is needed by the website operator to validate assessments, not by the CAPTCHA solver.

How do I tell if a site uses Enterprise or standard reCAPTCHA?

Check the script URL. Enterprise uses recaptcha/enterprise.js while standard uses recaptcha/api.js. The JavaScript API object name also differs: grecaptcha.enterprise.execute() vs grecaptcha.execute().

Can Enterprise score reasons be used to improve my automation?

If you operate the target site (testing your own CAPTCHA implementation), yes — the reasons tell you which detection signals fired. If you are solving CAPTCHAs on third-party sites, the reasons are not visible to you — only the site operator sees them.

Summary

reCAPTCHA Enterprise extends standard reCAPTCHA with detailed risk analysis, score reasons, Account Defender, and WAF integration. From an automation perspective, Enterprise CAPTCHAs are solved identically to standard reCAPTCHA — add the enterprise=1 parameter to your CaptchaAI API request. Detect Enterprise by checking for recaptcha/enterprise.js in the page source. The key operational difference is ensuring you pass the correct enterprise flag and matching action parameter.

Discussions (0)

No comments yet.