Google reCAPTCHA is Google's widely deployed CAPTCHA and risk-scoring service, embedded by site owners as a JavaScript widget or invisible script on forms, logins, signups, and other sensitive flows. It sits at the application layer as a challenge and scoring gate: the protected site receives a token or score from Google and decides server-side whether to allow, add friction to, or reject the request. It appears across many verticals, including sites in our registry such as Funda, Resy, and LinkedIn.
reCAPTCHA combines several signal classes into a risk assessment before or instead of showing a visible challenge. It weighs IP reputation and network context, browser environment checks executed in JavaScript, cookie and account state within Google's ecosystem, and behavioral signals such as pointer movement, timing, and interaction patterns on the page. In v2, low-confidence sessions are escalated to an interactive challenge such as image selection, while high-confidence sessions pass with the checkbox alone; in v3 and Enterprise, no challenge is rendered at all and the site receives a score plus a token that it verifies server-side and maps to its own actions, such as allowing, adding friction, or blocking. Because the site controls the threshold and the response, the same underlying assessment can gate signup forms, logins, search endpoints, and checkout flows differently on different properties.
Because IP reputation feeds the risk score before any challenge is rendered, the address class you arrive from largely determines your starting trust position: datacenter ranges are broadly distrusted, and pooled residential ranges that have been resold and abused are increasingly pre-flagged. Real mobile carrier IPs sit behind CGNAT shared with millions of legitimate phone users, making them the hardest class to blocklist wholesale, which is why proxies.sx runs physically owned carrier modems plus an opt-in paid peer network with auditable provenance. For any large-scale collection, respect robots.txt, each site's Terms of Service, and applicable law, and collect only what you are permitted to.
Observed via public response signatures, reviewed July 2026. Read-only reference.
Responsible use. This is a technical reference to how a protection technology works, not a guide to defeating it. Respect each site's robots.txt, Terms of Service and applicable law, and collect only data you are permitted to.
reCAPTCHA v2 is interactive: it shows the checkbox widget and, when confidence is low, an image-selection challenge the visitor must solve. reCAPTCHA v3 is invisible: it runs in the background, scores each request based on environmental and behavioral signals, and returns that score to the site, which decides on its own action such as allowing the request, requiring login, or blocking. reCAPTCHA Enterprise extends the score-based model with additional risk signals and integration options for large organizations. Many sites layer v3 scoring on most traffic and fall back to an interactive challenge only for low-confidence sessions.
Not directly. reCAPTCHA issues a token or a risk score, and the protected site verifies it server-side with Google and then decides what to do. That means the same reCAPTCHA deployment can behave very differently across sites: one operator may block anything below its chosen threshold, another may only add friction to sensitive actions like signup or checkout. The gating you experience is the combination of Google's risk assessment and the site's own policy.
IP reputation is one of the earliest and strongest inputs to reCAPTCHA's risk assessment. Datacenter address space carries little history of ordinary human browsing, and heavily shared residential proxy ranges accumulate abuse reports over time, so both tend to start from a lower trust position and get challenged or scored down more often. Addresses behind mobile carrier CGNAT are shared with large numbers of legitimate phone users, which makes them harder to penalize as a class. None of this changes the compliance baseline: respect robots.txt, the site's Terms of Service, and applicable law, and collect only data you are permitted to collect.