Overview

Spam and automated bot submissions are common problems for website contact forms. Google reCAPTCHA v3 helps prevent these by analyzing user behavior and assigning a risk score before allowing form submissions.

Unlike earlier versions, reCAPTCHA v3 does not show a checkbox or challenge. It works invisibly in the background by generating a verification token that your server validates.

This guide explains how to add Google reCAPTCHA v3 to a static website or custom PHP contact form.


What you will need

Before starting, prepare the following:

  • A Google account
  • A website domain (example: example.com)
  • Access to your website files
  • A server-side language such as PHP for form processing

Step 1: Register Your Website in Google reCAPTCHA

Visit the Google reCAPTCHA admin console:

https://www.google.com/recaptcha/admin/create

Configure your site:

  • Label: Example Website
  • reCAPTCHA type: reCAPTCHA v3
  • Domains: example.com

After registration, Google will generate two keys:

  • Site Key
  • Secret Key

Important:

  • Site Key → Used in HTML and JavaScript
  • Secret Key → Used on the server for verification

Keep your Secret Key private.


Step 2: Load the reCAPTCHA Script

Add the reCAPTCHA JavaScript to the <head> section of your page.

Example:

<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>

Replace:

YOUR_SITE_KEY

with your site key.

Example:

<script src="https://www.google.com/recaptcha/api.js?render=6LcExampleSiteKey123456789"></script>

Step 3: Add a Hidden Captcha Field to Your Form

reCAPTCHA v3 generates a token that must be submitted with the form.

Add a hidden field inside your contact form:

<form action="contact.php" method="POST" id="contact-form">

<input type="text" name="name" required placeholder="Your name">
<input type="email" name="email" required placeholder="Email address">
<textarea name="message" required></textarea>

<input type="hidden" name="g-recaptcha-response" id="g-recaptcha-response">

<button type="submit">Send Message</button>

</form>

Do not change the name of this field. Google expects the token in:

g-recaptcha-response

Step 4: Generate the Token Before Form Submission

Add the following JavaScript before the closing </body> tag.

Example:

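<script>

var form = document.getElementById("contact-form");

if (form) {

    form.addEventListener("submit", function(event){

        // Hold the submission until a token has been fetched
        event.preventDefault();

        grecaptcha.ready(function() {

            // The action name must match the one checked in contact.php
            grecaptcha.execute('YOUR_SITE_KEY', {action: 'submit'}).then(function(token) {

                // Place the token in the hidden field so it is posted with the form
                document.getElementById("g-recaptcha-response").value = token;

                // form.submit() does not fire the submit event again, so there is no loop
                form.submit();

            });

        });

    });

}

</script>

Replace YOUR_SITE_KEY with your Site Key.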

This script performs the following actions:

  1. Prevents the form from submitting immediately
  2. Requests a reCAPTCHA verification token
  3. Inserts the token into the hidden field
  4. Submits the form normally

Step 5: Verify the Token on the Server (PHP)

For security, reCAPTCHA must be verified server-side using your Secret Key.

Create a form handler file such as:

contact.php

Example implementation:

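<?php

$secret = "YOUR_SECRET_KEY";

if (empty($_POST['g-recaptcha-response'])) {
    die("Captcha token missing.");
}

$response = $_POST['g-recaptcha-response'];

// Send the secret and token as a URL-encoded POST body, so the token
// cannot break the request and the Secret Key stays out of the query string.
$context = stream_context_create([
    'http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $response]),
        'timeout' => 5,
    ],
]);

$verify = file_get_contents(
    "https://www.google.com/recaptcha/api/siteverify", false, $context
);

// A failed request or unparsable reply leaves $captcha empty and is rejected below
$captcha = ($verify === false) ? null : json_decode($verify);

if (!$captcha || empty($captcha->success) || !isset($captcha->score) || $captcha->score < 0.5) {
    die("Captcha verification failed.");
}

if (($captcha->action ?? '') !== 'submit') {
    die("Invalid captcha action.");
}

/* Continue with form processing */

$name = htmlspecialchars($_POST['name'] ?? '');
$message = htmlspecialchars($_POST['message'] ?? '');

// The address goes into the Reply-To header, so it must be a valid
// email address; this rejects values containing line breaks that
// would otherwise inject extra mail headers.
$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($email === false) {
    die("Invalid email address.");
}

$to = "admin@example.com";
$subject = "New website enquiry";

$body = "Name: $name\n";
$body .= "Email: $email\n\n";
$body .= "Message:\n$message\n";

$headers = "From: Website <no-reply@example.com>\r\n";
$headers .= "Reply-To: $email\r\n";

mail($to, $subject, $body, $headers);

echo "Message sent.";

?>

Replace the following placeholders: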
  • YOUR_SECRET_KEY
  • admin@example.com
  • no-reply@example.com

with your own values.


Understanding the reCAPTCHA v3 Score

Google returns a risk score between 0.0 and 1.0:

  • 0.9 → Very likely human
  • 0.7 → Probably human
  • 0.5 → Suspicious
  • 0.3 → Likely bot

Recommended threshold: 0.5

You can adjust this value depending on your spam levels.
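
The following is an added example, not part of the original guide: a PHP helper that turns a decoded siteverify response into an allow/deny decision with an adjustable threshold, run over constructed sample responses. The function name recaptcha_decision and its reason strings are hypothetical, and the hostname check goes beyond what this guide covers (hostname, action, score and error-codes are fields of the siteverify response).

```php
<?php
// Added example. recaptcha_decision() and the reason strings are
// hypothetical; the sample responses below are constructed.
function recaptcha_decision($r, string $action, string $host, float $threshold = 0.5): array
{
    if (!is_array($r) || empty($r['success'])) {
        // error-codes is set when the token or secret was rejected
        $codes = is_array($r) ? implode(',', (array)($r['error-codes'] ?? [])) : '';
        return ['allow' => false, 'reason' => 'verification failed: ' . ($codes ?: 'no response')];
    }
    // The token must have been issued for the action this form requested.
    if (($r['action'] ?? '') !== $action) {
        return ['allow' => false, 'reason' => 'action mismatch'];
    }
    // The token must have been generated on your own site.
    if (strcasecmp((string)($r['hostname'] ?? ''), $host) !== 0) {
        return ['allow' => false, 'reason' => 'hostname mismatch'];
    }
    // A missing score fails closed instead of being compared as null.
    if (!isset($r['score']) || !is_numeric($r['score'])) {
        return ['allow' => false, 'reason' => 'score missing'];
    }
    if ((float)$r['score'] < $threshold) {
        return ['allow' => false, 'reason' => 'score below threshold'];
    }
    return ['allow' => true, 'reason' => 'ok'];
}

// Constructed siteverify-style responses, not real API output.
$samples = [
    '{"success":true,"score":0.9,"action":"submit","hostname":"example.com"}',
    '{"success":true,"score":0.3,"action":"submit","hostname":"example.com"}',
    '{"success":true,"score":0.9,"action":"login","hostname":"example.com"}',
    '{"success":true,"score":0.9,"action":"submit","hostname":"other.example"}',
    '{"success":false,"error-codes":["timeout-or-duplicate"]}',
];

foreach ($samples as $json) {
    $d = recaptcha_decision(json_decode($json, true), 'submit', 'example.com');
    printf("%-5s %s\n", $d['allow'] ? 'allow' : 'deny', $d['reason']);
}
```

Logging the reason and score for each denied submission gives you the data needed to decide whether 0.5 is too strict or too lenient for your site.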


Common Mistakes When Implementing reCAPTCHA v3

Using the Site Key in PHP

The server verification must use the Secret Key, not the Site Key.

Not verifying captcha on the server

Frontend validation alone is not secure, because a client can post directly to contact.php without running the JavaScript.

Always verify the token using:

https://www.google.com/recaptcha/api/siteverify

Changing the hidden field name

The field must remain:

g-recaptcha-response

Final Implementation Overview

A typical structure looks like this:

index.html
contact.php

index.html

  • contact form
  • hidden captcha field
  • reCAPTCHA script
  • JavaScript token generation

contact.php

  • captcha verification
  • form validation
  • email sending

Conclusion

Google reCAPTCHA v3 is an effective way to protect contact forms without affecting user experience. By combining JavaScript token generation with server-side verification, websites can block automated submissions while keeping forms easy to use.

For most static or custom websites, the integration requires only:

  • One JavaScript script
  • One hidden field
  • A server-side verification request

Once configured correctly, reCAPTCHA v3 provides continuous protection against spam and automated attacks.