Hi There,
I have a question about the logic of verifying the response. According to the guide, the server should use the API below to verify the recaptcha response:
API Request
METHOD: POST
POST Parameter   Description
secret           Required. The shared key between your site and reCAPTCHA.
response         Required. The user response token provided by reCAPTCHA, verifying the user on your site.
remoteip         Optional. The user's IP address.
API Response
The response is a JSON object:
{
  "success": true|false,
  "challenge_ts": timestamp,  // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
  "hostname": string,         // the hostname of the site where the reCAPTCHA was solved
  "error-codes": [...]        // optional
}
I assume the success in the API response should be false if it fails to verify the recaptcha response. But it looks like I'm wrong. I tried several different recaptcha values and every time the success is true. Can someone help to explain how to check if the recaptcha response is valid, or did I do something wrong?
Here are the values I've tried with Postman (the secret key is from V1):
1. valid secret / no response parameter: success = true
2. invalid secret / no response parameter: success = false, [ missing-input-response, invalid-input-secret ]
3. valid secret / response parameter name only and no value: success = true
4. invalid secret / response parameter name only and no value: success = false, [ missing-input-response, invalid-input-secret ]
5. valid secret / response = xxxx: success = true
6. invalid secret / response = xxxx: success = false, [ invalid-input-response, invalid-input-secret ]
Looks like the success is always true if the secret is a valid one. Is that caused by some special configuration in my site?
Thanks a lot
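
Added example, not part of the original post and not reCAPTCHA's own code: a server-side check that does not rely on "success" alone but also evaluates the other response fields quoted above (hostname, challenge_ts, error-codes) and refuses an empty token locally. The function name, the reason strings such as "empty-token", the expected hostname and the 5-minute window are assumptions of this example; the sample response is constructed.

```python
from datetime import datetime, timedelta, timezone


def evaluate_siteverify(token, result, expected_hostname, now=None,
                        max_age=timedelta(minutes=5)):
    """Return (accepted, reasons) for a parsed siteverify JSON response.

    token is the value the client submitted; result is the dict parsed from
    the JSON body. expected_hostname and max_age are policy choices here.
    """
    reasons = []
    # Refuse a missing or empty token locally, whatever the API answered.
    if not isinstance(token, str) or not token.strip():
        reasons.append("empty-token")
    # Accept only a literal JSON true; a missing key, "true" or 1 does not count.
    if result.get("success") is not True:
        reasons.append("success-not-true")
    # Pass through whatever error codes the API reported.
    reasons.extend(result.get("error-codes") or [])
    # The challenge must have been solved on our own site.
    if result.get("hostname") != expected_hostname:
        reasons.append("hostname-mismatch")
    # challenge_ts must parse as ISO 8601 and fall inside the allowed window.
    now = now or datetime.now(timezone.utc)
    try:
        raw = str(result.get("challenge_ts")).replace("Z", "+00:00")
        ts = datetime.fromisoformat(raw)
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)
        if not timedelta(0) <= now - ts <= max_age:
            reasons.append("stale-challenge")
    except ValueError:
        reasons.append("bad-challenge-ts")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: success is true but hostname and timestamp are absent.
    print(evaluate_siteverify("xxxx", {"success": True}, "www.example.com"))
```

With this check, a reply that carries only "success": true is still rejected, because the hostname and challenge timestamp cannot be confirmed.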