Request CAPTCHA from Arbitrary Domain

Before you start

Please make sure you have a reCAPTCHA site key. If you do not have one, you can request it here: https://www.google.com/recaptcha/admin#list .

Secure Token

We are introducing a new input field (datastoken) to our reCAPTCHA request. This field contains the encrypted string form of a JSON object with the following fields:

| Name | Required? | Description | Example |
|------|-----------|-------------|---------|
| session_id | Y | A unique string that identifies this request. Please note that every CAPTCHA request from your site needs a distinct session_id. | e6e9c56ea7da43b889fa8e668cc0b86f (generated from UUID.randomUUID() using JDK7) |
| ts_ms | Y | Current timestamp in milliseconds. | 1421774317718 |

Why do we need this secure token?

This secure token makes sure the CAPTCHA challenge is generated from your site, not by spammers acting on your behalf, since it is encrypted with your site secret. Also, because each token is unique, it prevents dup-attacks, which reuse the same token. With this token, you can now request a CAPTCHA challenge from any domain.

How to use this secure token?

1. Prepare a token in JSON format: {"session_id":"e6e9c56ea7da43b889fa8e668cc0b86f","ts_ms":1421774317718}
2. Encrypt it with your site secret (after encryption it looks like this: "Fg2rtWDZ6kf_Cc1fZs5xKJWnkkVvZgNCF5fVhPS5_r1fB2NRXPg3WobIUUsyOvfNElyBz3zz29lK5v9NE0ByWrGzicUWecnoV8hwSb6W4").
3. Request a CAPTCHA using this secure token: ...

Sample Java code for encryption: https://github.com/google/recaptchajava/tree/master/appengine
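
Steps 1 and 2 above, together with the reuse argument from "Why do we need this secure token?", as an added Java example that is not code from this page or from the linked sample. The cipher settings (AES-128 in ECB mode with PKCS5 padding, key taken from the first 16 bytes of SHA-1 of the site secret, unpadded URL-safe Base64 output) are assumptions to confirm against the linked sample; `accept`, its `maxAgeMs` limit and the site secret are hypothetical, constructed to show how a receiver rejects a reused or stale token.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.regex.*;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class SecureTokenExample {
    // Assumption: AES-128/ECB/PKCS5Padding, key = first 16 bytes of SHA-1(site secret).
    static Cipher cipher(int mode, String siteSecret) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1")
                .digest(siteSecret.getBytes(StandardCharsets.UTF_8));
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(mode, new SecretKeySpec(Arrays.copyOf(digest, 16), "AES"));
        return c;
    }

    // Steps 1 and 2: a fresh session_id and ts_ms for every request, then encrypt.
    static String createToken(String siteSecret) throws Exception {
        String sessionId = UUID.randomUUID().toString().replace("-", "");
        String json = "{\"session_id\":\"" + sessionId + "\",\"ts_ms\":"
                + System.currentTimeMillis() + "}";
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, siteSecret)
                .doFinal(json.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(ct);
    }

    // Hypothetical receiver-side check: the token must decrypt under the site
    // secret, be recent, and carry a session_id that has not been seen before.
    static final Set<String> seen = new HashSet<>();
    static final Pattern FIELDS =
            Pattern.compile("\\{\"session_id\":\"([0-9a-f]{32})\",\"ts_ms\":(\\d{1,18})\\}");

    static synchronized boolean accept(String token, String siteSecret, long maxAgeMs) {
        try {
            byte[] pt = cipher(Cipher.DECRYPT_MODE, siteSecret)
                    .doFinal(Base64.getUrlDecoder().decode(token));
            Matcher m = FIELDS.matcher(new String(pt, StandardCharsets.UTF_8));
            if (!m.matches()) return false;
            long age = System.currentTimeMillis() - Long.parseLong(m.group(2));
            return age >= 0 && age <= maxAgeMs && seen.add(m.group(1));
        } catch (Exception e) {
            return false; // wrong secret, bad padding, or malformed Base64
        }
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-site-secret"; // constructed value, not a real secret
        String token = createToken(secret);
        System.out.println(token + " first use: " + accept(token, secret, 60_000));
        System.out.println("same token again: " + accept(token, secret, 60_000));
        System.out.println("token under another secret: "
                + accept(createToken("another-secret"), secret, 60_000));
    }
}
```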