Static Forms - Secure form backend and form endpoint for contact forms
Spam Protection

reCAPTCHA Integration

Protect your forms with Google reCAPTCHA v2 or v3

Google reCAPTCHA is a widely-used CAPTCHA service that protects your forms from automated spam. Static Forms supports both reCAPTCHA v2 (checkbox) and v3 (invisible - Pro only). This guide covers setup and implementation for both versions.

reCAPTCHA v2

User clicks "I'm not a robot" checkbox

  • ✅ Available on all tiers
  • ✅ User interaction required
  • ✅ Widely recognized

reCAPTCHA v3

PRO

Invisible, score-based verification

  • ✅ No user interaction
  • ✅ Better user experience
  • ✅ Pro tier required

Getting reCAPTCHA Keys

Before you can use reCAPTCHA, you need to register your site with Google and get API keys:

1

Visit Google reCAPTCHA Admin

Go to Google reCAPTCHA Admin Console and sign in with your Google account.

2

Register Your Site

Click "+" to create a new site. Fill in:

  • Label: A name for your site (e.g., "My Website")
  • reCAPTCHA type: Choose v2 (checkbox) or v3 (invisible)
  • Domains: Add your domain(s) where the form will be used
3

Get Your Keys

After registration, you'll receive two keys:

  • Site Key: Used in your HTML form (public, safe to expose)
  • Secret Key: Used in Static Forms dashboard (keep private)
4

Configure in Static Forms

Go to your CAPTCHA settings in the dashboard and enter your Secret Key (not the Site Key).

Important

Make sure to add all domains where your form will be used to the reCAPTCHA domain list. This includes localhost for testing. reCAPTCHA will not work on domains not registered in the admin console.

reCAPTCHA v2 (Checkbox)

reCAPTCHA v2 displays a checkbox that users must click to verify they're human. This version is available on all tiers.

Dashboard Configuration

In your Static Forms dashboard:

  1. Go to Settings → CAPTCHA
  2. Select the reCAPTCHA tab
  3. Choose "reCAPTCHA v2"
  4. Enter your Secret Key from Google
  5. Save your settings

HTML Implementation

Add reCAPTCHA v2 to your form:

HTML

Key Points for v2

  • Load the reCAPTCHA script in the <head> or before the form
  • Use your Site Key (not Secret Key) in the data-sitekey attribute
  • The widget automatically generates a token when the user clicks the checkbox
  • The token is sent as g-recaptcha-response in the form submission

reCAPTCHA v3 (Invisible)

reCAPTCHA v3 runs in the background and provides a score-based verification without user interaction. This version is available only for Pro tier users.

Pro Feature

reCAPTCHA v3 requires a Pro tier account. Upgrade to Pro to use this feature.

Dashboard Configuration

In your Static Forms dashboard:

  1. Go to Settings → CAPTCHA
  2. Select the reCAPTCHA tab
  3. Choose "reCAPTCHA v3"
  4. Enter your Secret Key from Google
  5. Save your settings

HTML Implementation

Add reCAPTCHA v3 to your form:

HTML

Key Points for v3

  • Load the reCAPTCHA script with your Site Key in the URL parameter
  • Prevent default form submission and handle it with JavaScript
  • Call grecaptcha.execute() to get a token before submitting
  • Set the token in a hidden field named g-recaptcha-response
  • Submit the form after receiving the token

Which Version Should You Use?

Choose based on your needs:

Featurev2 (Checkbox)v3 (Invisible)
User InteractionRequired (checkbox click)None (invisible)
AvailabilityAll tiersPro tier only
User ExperienceGood (visible checkbox)Excellent (no interaction)
Setup ComplexitySimpleModerate (requires JavaScript)
EffectivenessExcellentExcellent

Troubleshooting

reCAPTCHA Not Loading

  • Check that the reCAPTCHA script is loaded before the form
  • Verify your Site Key is correct
  • Ensure your domain is registered in Google reCAPTCHA console
  • Check browser console for JavaScript errors

"Invalid reCAPTCHA" Error

  • Verify your Secret Key is correctly entered in Static Forms dashboard
  • Ensure you're using the Secret Key (not Site Key) in dashboard
  • Check that reCAPTCHA version matches (v2 vs v3)
  • Verify the token is being sent in the form submission

v3 Not Working

  • Confirm you have a Pro tier account
  • Check that form submission is prevented and handled with JavaScript
  • Verify grecaptcha.execute() is called before form submission
  • Ensure the token is set in the hidden field before submitting

Best Practices

Use Site Key in HTML, Secret Key in Dashboard

The Site Key goes in your HTML form (safe to expose). The Secret Key goes in your Static Forms dashboard settings (keep private).

Register All Domains

Add all domains where your form will be used, including localhost for testing and any staging domains.

Test Before Going Live

Always test reCAPTCHA integration on a staging environment before deploying to production.

Alternative: ALTCHA

For a privacy-first alternative that doesn't require a Google account, consider ALTCHA. It's available for Pro users and provides excellent spam protection without external dependencies.

Previous
Honeypot Field
Next
ALTCHA

Documentation