CAPTCHA: reCAPTCHA v2

Drive the real Google checkbox widget and verify the token server-side

What you will learn

Enter the reCAPTCHA anchor iframe and click the checkbox via frame context switching
Wait for the hidden g-recaptcha-response token to populate before submitting
Know that test keys always pass (deterministic) while a real prod key needs a solver

reCAPTCHA v2 — "I'm not a robot"

Google's checkbox widget rendered in a cross-origin iframe, verified server-side via siteverify

Tick the checkbox below. The widget hands your callback a token, which we POST to /api/captcha/vendor. Our server calls Google's siteverify endpoint and returns the verdict.

Why this is automatable: the default sitekey is Google's published test key — it ALWAYS passes, deterministically and legally. A real production sitekey (set via NEXT_PUBLIC_RECAPTCHA_V2_SITEKEY) makes the checkbox genuinely hard: risk-analysis can demand an image challenge, so you'd need a solver service rather than a bypass.

Mode: practice — the test key passes; great for wiring up your automation end to end.

Verify you're human

The widget loads asynchronously — wait for the checkbox before interacting

Waiting for you to tick the checkbox…

Testing Tips

Automation hints

✓ The checkbox lives inside a nested cross-origin iframe (title="reCAPTCHA") — switch into it with a frame locator (Playwright frameLocator, Cypress iframe plugin) before clicking #recaptcha-anchor
✓ After clicking, wait for the hidden <textarea id="g-recaptcha-response"> to become non-empty — that value IS the token passed to your callback
✓ Then assert #captcha-result[data-verdict="human"] once the auto-POST to /api/captcha/vendorresolves — don't just check that any result appeared
✓ The default TEST sitekey always passes; a real prod key (env) can force an image challenge — no deterministic bypass, you'd need a solver service
✓ Don't query the inner iframe's DOM from the top frame (cross-origin will throw) — and wait for #recaptcha-container to gain a child iframe, the SDK loads async

Related Challenges

reCAPTCHA v2 — "I'm not a robot"

Google's checkbox widget rendered in a cross-origin iframe, verified server-side via siteverify

Tick the checkbox below. The widget hands your callback a token, which we POST to /api/captcha/vendor. Our server calls Google's siteverify endpoint and returns the verdict.

Mode: practice — the test key passes; great for wiring up your automation end to end.

Testing Tips

Automation hints

✓ The checkbox lives inside a nested cross-origin iframe (title="reCAPTCHA") — switch into it with a frame locator (Playwright frameLocator, Cypress iframe plugin) before clicking #recaptcha-anchor
✓ After clicking, wait for the hidden <textarea id="g-recaptcha-response"> to become non-empty — that value IS the token passed to your callback
✓ Then assert #captcha-result[data-verdict="human"] once the auto-POST to /api/captcha/vendorresolves — don't just check that any result appeared
✓ The default TEST sitekey always passes; a real prod key (env) can force an image challenge — no deterministic bypass, you'd need a solver service
✓ Don't query the inner iframe's DOM from the top frame (cross-origin will throw) — and wait for #recaptcha-container to gain a child iframe, the SDK loads async

CAPTCHA: reCAPTCHA v2

What you will learn

reCAPTCHA v2 — "I'm not a robot"

Verify you're human

Testing Tips

Timer

Need Help?

Related Challenges

iFrames

Shadow DOM

Drag & Drop

CAPTCHA: reCAPTCHA v2

What you will learn

reCAPTCHA v2 — "I'm not a robot"

Verify you're human

Testing Tips

Timer

Need Help?

Related Challenges

iFrames

Shadow DOM

Drag & Drop