I have created a fresh set of reCAPTCHA v3 keys and integrated them on a high-traffic form.
For the front-end implementation, I followed the steps outlined here:
<script src='https://www.google.com/recaptcha/api.js'></script>
<input type="submit"
class="submit g-recaptcha"
name="form_submit"
value="Submit"
data-sitekey="RECAPTCHA_SITE_KEY"
data-callback="onRecaptchaSubmit"
data-action="submit" />
<script type="text/javascript">
function onRecaptchaSubmit(token) {
document.getElementById('FORM_ID').submit();
}
</script>
For the back-end implementation, I am making a cURL request through PHP:
<?php
// Make the API request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,"https://www.google.com/recaptcha/api/siteverify");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
'secret' => 'RECAPTCHA_SECRET_KEY',
'response' => $token,
'remoteip' => $ip_address,
)));
// Fetch response
$response = json_decode(curl_exec($ch));
curl_close($ch);
When I test a form submission, the verification process works correctly. When API errors occur, these are logged and emailed to me. I have noticed that several requests, seemingly at random, return the error code invalid-keys. This error code is missing from the reCAPTCHA documentation.
This thread indicates the invalid-keys error occurs when using an incorrect (but existing) secret key. I was able to confirm this - I can replicate the error consistently with a mis-matched site and secret key from two different implementations. However, I know my keys are correct because I'm able to get a positive response back from the reCAPTCHA API and ~60% of requests go through without issue.
The same thread suggests that it takes a few hours for the key to process, but it's been over 16 hours. I've also swapped the key out for other reCAPTCHA implementations that have existing without any problems for months with no change. I'm unsure of how to proceed.