How I Stopped Fake Sign-Ups with Invisible reCAPTCHA v3
Published March 24, 2026, 2:52 a.m. by wielandtech
I used to get a steady stream of fake accounts and spam through my sign-up and contact forms. Not a huge volume, but enough to be annoying and make me question my data.
So I added Invisible reCAPTCHA v3. Since then, I haven't had a single fake account.
Why reCAPTCHA v3?
It works differently than the old checkbox version. There's no "I'm not a robot" challenge.
Instead, it gives each request a score based on how human it looks. You decide what score is acceptable and block the rest. Real users never see anything.
How I Implemented It
1. Load the script
``` html
```
2. Attach it to form submission
``` javascript async function getRecaptchaToken(action) { return await grecaptcha.execute("YOUR_SITE_KEY", { action }); }
document.querySelector("#signup-form").addEventListener("submit", async (e) => { e.preventDefault();
const token = await getRecaptchaToken("signup");
const formData = new FormData(e.target); formData.append("recaptcha_token", token);
await fetch("/api/signup", { method: "POST", body: formData, }); }); ```
3. Verify on the backend
``` python import httpx
RECAPTCHA_SECRET = "YOUR_SECRET_KEY"
async def verify_recaptcha(token: str) -> float: async with httpx.AsyncClient() as client: resp = await client.post( "https://www.google.com/recaptcha/api/siteverify", data={ "secret": RECAPTCHA_SECRET, "response": token, }, ) return resp.json().get("score", 0.0) ```
4. Enforce a threshold
``` python score = await verify_recaptcha(token)
if score < 0.5: raise ValueError("Suspicious activity detected") ```
Results
Before this, I'd get regular fake sign-ups.
After adding it, zero.
No extra friction for real users, no puzzles, and no spam getting through.
Final Thought
If you have public forms and aren't using reCAPTCHA v3, it's one of the easiest wins you can get.
Please log in to add a comment.