Modern services (websites) ubiquitously deploy CAPTCHAs for protection, complicating life for developers, SEO specialists, and automation engineers (although the original aim was not to frustrate automators but rather to minimize excessive load on resources from such actors). Among the multitude of CAPTCHAs, Google reCAPTCHA Enterprise stands out as one of the most advanced bot protection systems in this line-up. It is capable of analyzing user behavior and blocking suspicious activity, thereby significantly hindering the recognition of reCAPTCHA Enterprise and its automated bypass. Let’s break down what reCAPTCHA Enterprise is, how it differs from versions v2/v3, and why it is so difficult to bypass (or is it?).
What is reCAPTCHA Enterprise and How Does It Differ from v2/v3
reCAPTCHA Enterprise is an enhanced version of Google’s CAPTCHA, designed for large-scale projects and corporate clients with elevated security requirements. Essentially, Enterprise encompasses the functionality of both reCAPTCHA v2 and v3 but offers additional features, fine-tuning capabilities, and more powerful bot detection algorithms. For clarity, here are the main versions of reCAPTCHA and their differences:
reCAPTCHA v2:
The classic version where the user must confirm that they are not a robot – by checking a box (“I’m not a robot”), solving a visual puzzle (selecting images with specific objects), or passing an audio test. reCAPTCHA v2 can operate in two modes: explicit (a visible checkbox or immediately displayed images) and invisible (Invisible reCAPTCHA v2, where the CAPTCHA appears only when suspicion arises after form submission). This version directly involves the user and yields a binary outcome based on the result: CAPTCHA solved (valid token) or not.reCAPTCHA v3:
An invisible version without interactive tasks for the user. The reCAPTCHA v3 script continuously runs in the background on the page, monitoring user actions (mouse movements, scrolling, time spent on the page, and other behavioral signals). Consequently, upon certain actions (e.g., form submission, login), a token is generated with a score ranging from 0.0 to 1.0 – representing the likelihood that the user is human rather than a bot. The user does nothing; what happens next depends on the developer’s configuration (for example, if the score is low – an additional check might be displayed, a v2 CAPTCHA might be shown, or the action may be blocked). reCAPTCHA v3 minimizes user involvement in the recognition process for genuine users but requires proper interpretation of the score on the website’s side.reCAPTCHA Enterprise:
The Enterprise version can operate either in v2 mode (displaying visual challenges when necessary) or in v3 mode (behavioral scoring). For the end user, it appears similar: there is Enterprise v2 (with the “I’m not a robot” checkbox and challenges) and Enterprise v3 (invisible). The main difference lies in the backend and the capabilities available to the website owner (or service provider). reCAPTCHA Enterprise is deployed through Google Cloud and is intended for paid business use. It offers deeper risk analysis, 11 levels of score gradation (compared to 4 levels in the free version), reason codes, integration with other security measures (e.g., WAF – web application firewall, network-level bot attack protection), reports and statistics in the Google Cloud Console, as well as support for additional signals. For example, on mobile devices, reCAPTCHA Enterprise may automatically use data from the Play Integrity API (a device integrity check) to enhance the verification reliability. Website owners can configure score thresholds, view detailed logs of challenges, and receive support from Google. Moreover, the Enterprise version comes with a guaranteed SLA (99.9% uptime) and reduced false positives due to more sophisticated algorithms and machine learning.
Another important aspect is the cost. The standard reCAPTCHA v2/v3 used to be free for a vast number of requests (formerly up to 1 million per month), although recently Google introduced a limit of 100k free assessments per month, after which it costs $8 per 100k (for the standard reCAPTCHA). In contrast, reCAPTCHA Enterprise has recently become paid after the first 10k requests per month, at a rate of approximately $1 per 1,000 checks (with possible variations at higher volumes). Thus, websites pay for enhanced protection, while Google provides a more powerful service. For the end user, the difference is not visually obvious, but for those attempting to automate bypass, Enterprise presents a much more formidable barrier.
Comparison of reCAPTCHA Versions: v2, v3, and reCAPTCHA Enterprise
For clarity, here is a table outlining the main characteristics of the different reCAPTCHA versions:
Characteristic | reCAPTCHA v2 (Checkbox/Invisible) | reCAPTCHA v3 (Score) | reCAPTCHA Enterprise |
Verification Method | Explicit verification: “I’m not a robot” checkbox and/or image or audio challenge. Requires user action. | Implicit verification: behavioral analysis yielding a numerical score (0.0–1.0). User does nothing. | Can operate as either v2 (checkbox + challenges) or v3 (invisible analysis). Uses advanced analysis algorithms. |
User Interaction | Moderate/High – if suspicion arises, the user must solve challenges (selecting images, etc.). | None – the user typically never sees the CAPTCHA, as it runs entirely in the background. | At the website’s discretion: minimal (in v3 mode) or similar to v2 (if challenges are required). The threshold and challenge intensity can be configured. |
Algorithms and Signals | Basic behavioral analysis on click (mouse movement, reaction time), browser characteristics. When strongly suspicious – image challenges are shown to verify humanity. | Advanced behavioral analysis of the entire user session. May use page history, possibly cookies, etc. | The most comprehensive analysis: behavior, device, browser fingerprints, historical “reputation” data (from Google’s database), additional signals (e.g., Integrity API on Android). Machine learning-based algorithms, 11-level risk gradation, and risk reasons. |
Verification Outcome | A token (string) confirming that the user has passed the check. The website sends it to Google for verification and receives success/failure. | A token with an encoded score (0.0–1.0). The website sends it for verification and receives a score along with a list of flags (reasons). | A token similar to v2/v3. Upon API verification, Google returns a score (for Enterprise v3) or simply success. Additionally, reason codes and extended metrics are provided in the console. |
Customization Options | Minimal – only the widget type (checkbox or invisible), language, and theme can be chosen. The challenge logic cannot be influenced. | Only the score threshold (0.0–1.0) for making a decision on the site is configurable. The rest is handled by Google. | Extensive customization – threshold settings, integration with other services, choice of mode (v2 or v3), enabling MFA (additional SMS/Email verification for Enterprise Standard), and mobile application integration via SDK. |
Purpose | Protecting forms, registrations, logins, etc. A point verification when performing a specific action. | Continuous monitoring of traffic and actions. Suitable for protecting payment pages or critical actions where the user must be preliminarily evaluated. | Protection for highly sensitive resources: banking services, major portals, APIs. Preventing fraud, script attacks, and reducing false blocks for real users. Used by large businesses willing to pay for security. |
Cost to Website Owner | Free (up to ~100k per month), then conditionally free (Standard). Limited only by the Terms of Service. | Free (within the same quota, as it is part of reCAPTCHA). | Paid after 10k checks/month. Approximately $1 per 1,000 requests above that threshold (plus a possible charge of $8 per 100k for standard, depending on the Google Cloud pricing). |
Difficulty of Bypass for Bot Developers | Relatively low. With recognition services, a solution (token) can be obtained within 10–30 seconds. In the case of an audio CAPTCHA, speech recognition bypass methods exist. Minimal interaction (click, token submission) is required. | Above average. It is necessary to simulate genuine behavior on the page; otherwise, the token will have a low score and the website will block the action. Often, paid APIs are used to obtain tokens with a good “reputation” or specially trained algorithms. | Very high. In addition to solving the CAPTCHA (in v2 mode), multiple behavioral filters must be bypassed. Often proxies, full browser emulation, or the use of powerful third-party solvers are required. Even with the correct solution, the website may further analyze IP correspondence and other signals. Without specialized services, bypassing is practically impossible. |
From the table, it is evident that reCAPTCHA Enterprise is the most advanced and “toughest” version to bypass. While v2 can be solved relatively easily by a human or algorithm, and v3 can be attempted to be tricked, Enterprise combines the best of both worlds and adds its own checks.
How to Determine if a Site Is Using reCAPTCHA Enterprise
Before attempting any bypass, it is important to verify that you are dealing with reCAPTCHA Enterprise and not the standard v2/v3. Externally, an Enterprise widget might look identical to the usual reCAPTCHA, so you need to inspect the page’s code and network requests. Here are some indicators that the Enterprise version is in use:
Included Script:
Open the page’s HTML source code (via “View Source” or by pressing F12) and look for the inclusion of a JavaScript file such as recaptcha/enterprise.js (or recaptcha/enterprise.js?onload=...) instead of the standard . This is a key sign that you are dealing with Enterprise. For example:
<script src="https://www.google.com/recaptcha/enterprise.js" async defer></script>In the case of standard v2/v3, you would see something like
…/.Also, in Enterprise pages the object grecaptcha.enterprise is typically used instead of just grecaptcha (e.g., calls likegrecaptcha.enterprise.render(...)orgrecaptcha.enterprise.execute(...)clearly indicate Enterprise).Request URLs:
If you open the Network tab in your developer tools and track the requests when the CAPTCHA loads, for the Enterprise version you will see URLs containing the path/recaptcha/enterprise/(or the subdomain recaptchaenterprise.googleapis.com) – these are the endpoints of the Enterprise API. In contrast, for standard reCAPTCHA v2 you would see requests to…/recaptcha/api2/...(for example,api2/payloadorapi2/userverify). Thus, the presence of/enterprisein the background request URLs is an indicator of Enterprise (visible only after reloading the page in developer mode – a minor, albeit somewhat tedious, aside).Integration Parameters:
Some sites explicitly indicate the use of Enterprise in their code. For instance, there may be settings likeisEnterprise: truewithin the CAPTCHA parameters’ JavaScript object. If you have access to the source JS, search for the string “enterprise” or method calls containing that word.
Site Key:
Formally, the site key format is similar (usually a string starting with “6Lc...” or “6Lf...”); therefore, distinguishing Enterprise solely by the key is challenging. However, recall that Enterprise keys are issued via a Google Cloud Project and sometimes have characteristic suffixes. For example, some Enterprise site keys may end with “…_domain-com” or similar. This is not the most reliable criterion but might work if an unusually long or clearly corporate key is visible.
In general, if you see that the site uses the enterprise.js script and corresponding method calls, you can confidently say that it is reCAPTCHA Enterprise. Next, you need to determine which mode it operates in (v2 or v3) to choose the correct approach. A simple guideline is as follows:
If a CAPTCHA widget is visibly present on the page (checkbox “I’m not a robot” or a CAPTCHA field), it is reCAPTCHA Enterprise v2 (visible).
If no widget is visible but a challenge window pops up upon form submission, it is reCAPTCHA Enterprise v2 Invisible (an invisible CAPTCHA triggered by an action).
If nothing appears visually and the action either goes through silently or is blocked, it is most likely reCAPTCHA Enterprise v3, which operates via scoring.
The recommendation here is simple – be attentive when preparing the source data for bypass!
How reCAPTCHA Enterprise Works (Technical Overview for easy reCAPTCHA Enterprise bypass)
The internal workings of reCAPTCHA Enterprise are largely similar to the basic reCAPTCHA, but it employs a more advanced signal collection and analysis system. It is essential to understand what you are dealing with before engaging:
Data Collection About the User:
When an Enterprise CAPTCHA loads, it immediately begins collecting information about the client. This includes standard details such as the browser’s User-Agent, screen resolution, time zone, installed plugins, cookies (especially Google cookies if the user is logged into their account – which can boost trust), Canvas fingerprinting (via drawing and reading from an HTML5 canvas), WebGL fingerprinting, fonts, audio context – essentially everything that a modern fingerprinting script can collect. In addition, it tracks mouse movements, keyboard events, page scrolling, the speed and trajectory of the cursor when hovering over the CAPTCHA element, delays between events – that is, behavioral analysis. All this data is encrypted and sent to Google’s servers.Risk Assessment and Challenge Issuance:
On Google’s side, a machine learning model—trained on a vast dataset of interactions between humans and bots with reCAPTCHA—analyzes these factors. For Enterprise, the model is enriched with additional signals. For example, it takes into account the reputation of the IP address (whether it is known as a source of bot traffic), the browser’s history (Google may cross-reference how often CAPTCHAs have been solved with this fingerprint and whether they were successful), and the presence of suspicious patterns (such as overly fast or perfectly straight cursor movement—an indicator of a robot). If it is Enterprise v2, these factors determine whether to show the user a challenge (images) or to let them pass immediately. reCAPTCHA Enterprise strives to minimize unnecessary challenges for real users; therefore, a genuine user might simply click the checkbox and immediately see a checkmark, while a bot is almost immediately presented with a complex challenge (e.g., selecting all images containing crosswalks, followed by dynamically loaded additional images until an error is made or proof of humanity is established). In the case of Enterprise v3, the model simply calculates a score from 0.0–1.0, where, conventionally, a score >0.7 is considered human, and <0.3 is considered bot (the threshold can be set by the site owner).Additional Enterprise Checks:
The Enterprise version includes features not available in the free version. For instance, Account Defender—if multiple Google protection products are in use on a site, their data may be combined. Enterprise can take into account password leak detection and other risk factors within the context of a particular session. Additionally, the Enterprise CAPTCHA can operate in tandem with two-factor authentication—for example, if Enterprise detects risk, the site may send an SMS confirmation (this logic is implemented by the site owner, while the CAPTCHA simply provides a trigger signal). All of this raises the bar for attackers.Token Generation:
When a user (or bot) interacts with an Enterprise CAPTCHA, a front-end method such asgrecaptcha.enterprise.execute()orgrecaptcha.enterprise.getResponse()(for v2) is called. This generates a token—a very long string (usually ~500+ characters) that encodes the verification result. This token is typically placed in a hidden form field calledg-recaptcha-responseand then sent to the website’s server.Token Verification on the Server:
Upon receiving the token from the client, the website sends it to Google for verification. In the free version, the request goes tohttps://www.google.com/recaptcha/api/siteverifyalong with a secret key. In Enterprise, the request is made through the Google Cloud API (or library) and can provide a more detailed response. For example, for Enterprise v3, in addition to the score, reason codes (explaining low scores such as Automation, SuspectedAttacker, TooFast, etc.) are returned. For Enterprise v2, the outcome is simply success/failure, although the site owner still sees detailed statistics in the Google Console. If the token is invalid or expired, verification returns a negative result.
Site Actions Based on the Outcome:
Based on the CAPTCHA response, the website decides whether to allow the user to proceed (if everything is in order) or to block/show an error/additional verification (if Google signals a bot). Enterprise provides a more confident result, so site owners can more strictly block suspicious users—thus paying for fewer false positives.
It is important to understand that a reCAPTCHA token is tied to a specific domain and is only valid for a short time (usually around 2 minutes). You cannot solve a CAPTCHA on one site and reuse the token on another—it will simply fail verification. Also, note that one token is issued per attempt.
Now it becomes clearer why Enterprise is so challenging to bypass. In summary, it not only checks whether you can solve an image challenge, but also monitors the entire context. Even if a bot manages to get the correct answer to an image (for instance, using a neural network), Enterprise may “suspect” something amiss based on the aggregate signals (for example, synthetic mouse movement or a browser lacking genuine cookies). Consequently, the token may either not be generated at all or, upon server verification, be found to have a low score or be marked as risky. In other words, simply solving the images is not enough – you must deceive the entire system holistically. This is the core difficulty in bypassing reCAPTCHA Enterprise.
Why reCAPTCHA Enterprise Bypass Is a Challenging Task
Based on its internal architecture, here are the key problems that bot developers face when attempting to bypass the Enterprise CAPTCHA:
Enhanced Fingerprinting:
reCAPTCHA Enterprise gathers maximum data about your environment. Simple scripted requests (e.g., simulating a form submission via requests without a browser) fail immediately – they lack the necessary JS signals and proper cookies. Even browser emulation through headless Chrome can be detected (Google is capable of determining headless mode via indirect cues). To bypass this, one must use real browsers or well-masked headless browsers with stealth configurations so that the fingerprint appears as that of an ordinary user.Behavioral Analysis:
It is not enough to simply load a page – one must behave like a human. This is critical for Enterprise v3: if a script loads the page and submits the form instantly, it is likely to receive a score of 0.1. A bot must “linger” on the page, move the mouse, scroll, possibly click on some elements, and generate a visible “human” trail. Perfectly simulating this is challenging – it requires specialized libraries that generate random, plausible events (tools such as Puppeteer Extra Stealth or Playwright Stealth exist, which mask automation and mimic human actions).Time Constraints:
The token must be obtained quickly. If you solve the CAPTCHA too slowly (several minutes), the token may expire or the site may deem the process suspicious. CAPTCHA solving services typically complete the process within ~20–60 seconds. When developing your own bot, you must meet these time constraints while simultaneously simulating realistic page activity – a non-trivial task.IP and Environment Binding:
Enterprise may detect discrepancies – for example, if the CAPTCHA was solved from an IP address in a different country than the one from which the form is submitted. This can happen when using online services: your bot might operate from Germany while submitting the CAPTCHA solution to a server in India. The solution is received, the token is inserted, but during verification Google notices that the token was obtained from a completely different region – which is suspicious. Therefore, proxies are often required so that the CAPTCHA is solved from the same IP as the bot. This increases both complexity and cost.
Ultimately, bypassing reCAPTCHA Enterprise is a technological arms race between Google and developers. Writing a reliable script for Enterprise is extremely challenging. Specialized services and tools—discussed further below—are employed to achieve bypass.
Methods for Bypassing reCAPTCHA Enterprise (popular reCAPTCHA Enterprise solvers)
There are several approaches to solving the CAPTCHA, which can be broadly categorized as manual, automated, or hybrid. Here’s what might work for reCAPTCHA Enterprise:
Manual Bypass Method
The “manual” method involves a human participating in the CAPTCHA solving process. The most obvious approach is to solve the CAPTCHA manually. In test scenarios (e.g., QA), it might be easier for an engineer to click the widget manually. However, in the context of automation or mass bypass, this approach does not scale. Nevertheless, manual methods form the basis of many online CAPTCHA-solving services.Outsourcing to People (Human CAPTCHA Solving):
There is a whole industry of services where real people solve CAPTCHAs around the clock for a small fee. You send them an image or challenge—they return the answer. For reCAPTCHA Enterprise, it works as follows: a bot or script retrieves the CAPTCHA parameters (sitekey, URL, and possibly an image if already provided), sends them to the service’s server, and a human operator solves the CAPTCHA and sends back the token, which the bot then uses to pass the verification. Services like 2Captcha, ruCaptcha, SolveCaptcha, DeathByCaptcha, etc., rely on human labor.
Advantage – high accuracy (humans can usually handle the task), flexibility (any new Google update is still solvable by a human).
Disadvantage – delay in solving (usually 10–30 seconds, though it may increase with complexity) and cost at scale. You pay per solved CAPTCHA, and even if the solution is incorrect, reputable services offer a refund for unsolvable CAPTCHAs, so you only pay for successfully solved ones.In-House “Manual” Solver:
Some companies create their own CAPTCHA-solving teams (for example, Amazon) or use crowdsourcing platforms. Essentially, this is like creating a personal version of 2Captcha. In most cases, it is more cost-effective to use an existing service; however, if a company is concerned about data leakage (if the CAPTCHA appears on internal systems), they might use their own staff. This is a specific case, and apart from Amazon, examples are few, though they certainly exist.
Automated Bypass Methods
Automated methods attempt to solve the CAPTCHA without human intervention using algorithms, neural networks, and clever tricks. In the case of reCAPTCHA Enterprise, this is particularly challenging, but progress is ongoing. The main automated approaches include:Computer Vision for Image Solving:
Since reCAPTCHA v2 (and Enterprise v2) presents images, one can attempt automatic recognition. The task reduces to image classification: for example, “find all nine images that contain a traffic light.” Modern CV (Computer Vision) models can detect many objects, and some companies have trained neural networks to solve typical CAPTCHA challenges. There are solvers that almost entirely recognize reCAPTCHA images without human intervention. For instance, the service SolveCaptcha markets itself as an AI solver using neural networks instead of humans. The algorithms operate very quickly (on the order of seconds or even fractions of a second) and relatively inexpensively at scale. However, there is no 100% guarantee: Google selects images designed to confuse both humans and machines (blurred images, unusual angles, multiple objects in one image). The neural network may make mistakes, and the CAPTCHA will not be considered solved. Nonetheless, the accuracy is already quite high (claims of success rates above 90+%). Automated recognition allows for high-throughput solving without delays but requires significant resources for model development and maintenance. Developers can use ready-made APIs without building their own neural networks.Bypassing via Audio (Speech-to-Text):
reCAPTCHA traditionally offers an audio CAPTCHA option for visually impaired users. One can switch to the audio version and obtain a sound file. There was even a method where this sound was sent to a speech recognition service (even Google Speech API) to retrieve text, thereby automatically solving the CAPTCHA. Of course, Google has improved its protection – adding interference, and in Enterprise the audio option is provided even less frequently. However, some bots still use this as a backup: if the visual challenge fails, try the audio route. The effectiveness of this method in modern times is debatable – modern AI for images can quite well compete with the audio method, but it should not be completely ruled out.Emulating a “Proper” Client:
This approach is more applicable to v3 bypass. The idea is that if the CAPTCHA assigns a low score to the bot, you transform the bot into a “human” sufficiently to obtain a high score. How? For example, you can launch a full-fledged Chrome/Firefox browser, load the page, and let it “live” under scripted control: simulate movements, possibly even actually browse the site, click on some buttons like a real user. After that, callgrecaptcha.enterprise.getResponse()to obtain the token. Such a token will contain behavioral signals, increasing the chance of a decent score. Some automated solvers do exactly this – under the hood, they launch a browser (often using Chromium, the engine behind Chrome). Frameworks like Selenium WebDriver, Playwright, or Puppeteer are used to control the browser. This is hidden from the developer, but essentially your request is solved by a bot pretending to be a human. Advantage – no human intervention is required; Disadvantage – increased cost (since it requires considerable resources, cloud browsers, etc.). Nevertheless, such solutions exist for Enterprise v3. In addition, CAPTCHA-solving services often maintain their own pools of proxies and browsers – with “warmed-up” sessions that might even include real Google cookies, ensuring that the request is made within a trusted context.Exploiting Vulnerabilities or APIs:
In rare cases, there might be integration vulnerabilities. For example, a misconfigured site might accept unverified tokens or reuse a token. Such errors are exceptions and cannot be relied upon, especially in an Enterprise environment.
Combined Approaches
The most effective real-world solutions combine human and machine efforts. Examples include:AI + Human (Backup):
Services attempt to automate everything possible since it is cheaper and faster. For example, SolveCaptcha might first try to solve a challenge using its neural network. If confidence is insufficient or the answer fails, the CAPTCHA is then forwarded to a human. The service’s user may not even notice the switch, except that the solving time might be slightly longer. Such a hybrid approach can achieve nearly 100% success while optimizing costs. In this way, machines handle routine tasks and humans tackle borderline cases.Human + Bot (Assisted Solution):
The opposite scenario: the bot-script performs everything up to the final step, and a human assists only at one stage. For example, a QA engineer may write a script that automates website testing, but when the script reaches the CAPTCHA, it pauses and waits for a human to solve it before continuing. This is applicable when the number of CAPTCHAs is small and automation of the rest is important. Essentially, it is a manual solution embedded within an automated scenario – saving time when CAPTCHAs are infrequent. In my opinion, such a solution might work for small projects and startups, but it is not viable at an industrial scale.Using Multiple Services:
One combined approach for enhancing reliability is to send the request to several CAPTCHA-solving services simultaneously. For instance, using Service A (AI) and Service B (human) in parallel and taking whichever result comes first. If one fails for some reason, there is hope that the other will provide the correct answer. This increases the chance of solving it on the first try at the cost of doubling the expense for one CAPTCHA.
In summary, in real combat scenarios, bypassing reCAPTCHA Enterprise involves comprehensive solutions – advanced algorithms combined with human intervention and robust infrastructure (browsers, proxies, sessions). In my view, before deciding whether to develop an in-house bypass or use third-party services, one must carefully calculate and understand what is cost-effective and what is not, and, naturally, compare the prices.
Overview of Popular Services for Solving reCAPTCHA Enterprise (reCAPTCHA Enterprise solvers)
Today, there are several popular services and tools on the market that offer “turnkey” bypass of Google reCAPTCHA Enterprise. They differ in their approaches (human or AI), pricing, and speed. Below is a comparison table of some well-known solutions:
Service | Solution Method | Price (reCAPTCHA Enterprise) | Speed | Features |
2Captcha / ruCaptcha | Human (crowdsourcing real people). | Approximately $1.5–3 per 1,000 solutions (≈65–160 ₽ per 1,000). Payment is only for successfully solved CAPTCHAs. | 15–30 seconds on average per CAPTCHA (may be longer in complex cases). | One of the oldest services. Provides an API, supports multiple languages, and code examples. Requires specifying |
Anti-Captcha (AntiCaptcha) | Human + elements of automation. | Approximately $5 per 1,000 (reCAPTCHA Enterprise v2/v3). Higher than for standard reCAPTCHA. | Usually 5–20 seconds. The service may hold a queue upon load. | A popular service with a convenient API. Claims to select the best workers for Enterprise tasks. Offers an option to specify a minimum score for v3. Also offers subscriptions for fixed monthly rates. |
SolveCaptcha | AI solution (own neural networks + browser infrastructure), with human backup if needed. | Very low price: $0.55 per 1,000 reCAPTCHA Enterprise solutions. | 5–10 seconds | Solves multiple types of CAPTCHAs. For reCAPTCHA Enterprise, uses either its own browser engine or direct image recognition. High success rate (~97%). |
DeathByCaptcha | Human. | $2.89 per 1,000 (for reCAPTCHA v2/v3). Claims support for Enterprise, though the price may be higher. | 20–40 seconds | An older service, also oriented toward Western markets. Slightly lower price for standard CAPTCHAs, but may employ experienced workers for Enterprise tasks. The interface is somewhat outdated. |
NopeCHA | AI (neural network) + browser extension. | Subscription-based model, equivalent to $0.5 to $2 per 1,000 (depending on the plan). | 5–15 seconds | An interesting service, mainly offering a browser extension with an AI CAPTCHA solver (with a free limit available). Less popular for direct code integration, though an API is provided. Can solve CAPTCHAs directly on the user’s page. |
NextCaptcha | Combined approach (details undisclosed, likely AI + human). | Approximately $0.8 per 1,000 Enterprise (on promotion). | 5–15 seconds | A new service oriented toward the bypass market in 2024+. Offers a low price and trial period. Limited information available, but declares support for reCAPTCHA Enterprise. |
Notes: The speed of solving depends on load and the specific CAPTCHA. Many services offer options to expedite solving (e.g., “priority purchase”) or slightly reduce the price by accepting slower solving times (entering a slower queue). Also, note that for Enterprise CAPTCHAs, it is often necessary to provide a proxy from the same location as the user, especially when using an AI service.
The choice of service depends on your needs: if you only need to solve a few CAPTCHAs, a difference of a few cents is not significant – 2Captcha with its familiar API may suffice. However, if you are building a large-scale parser that needs to bypass tens of thousands of CAPTCHAs a day, it might be worth considering AI services like SolveCaptcha for the sake of cost efficiency and speed.
Step-by-Step Guide: How to reCAPTCHA Enterprise Bypass via API
Let’s move on to a practical demonstration. Although there is a lot of text (which might not always be ideal for a Habr audience), here it is (today’s menu is lean turkey, with no dramatic plot twists nonetheless).
Suppose you have a script that must automatically navigate to a website and perform an action protected by reCAPTCHA Enterprise (for example, account registration). When the script reaches the CAPTCHA, it must solve it. We will use an external CAPTCHA solving service via its API. For this example, we will use 2Captcha (ruCaptcha) since it has a simple API and broad support, though you may substitute another service (the algorithm is similar).
Step 1: Retrieve the Site Key and Determine the CAPTCHA Type
Typically, in the HTML code of a page with embedded reCAPTCHA, you will find an element like:
<div class="g-recaptcha" data-sitekey="SITE_KEY" ...></div>You need to extract the value of the data-sitekey. If it is a v3 CAPTCHA, instead of such a div you might see a call like grecaptcha.enterprise.execute(site_key, {action: 'submit'}) – in which case the site key can be found inside that call or in the script itself. Suppose we found sitekey = "6Lf26sUnAAAAAIKLuWNYgRsFUfmI-3Lex3xT5N-s". Also, record the page URL (e.g., https://target-site.com/register). We have confirmed that this is Enterprise (we see enterprise.js), and, let’s say, determined it is Enterprise v2 (requires a checkbox/challenge).
Step 2: Submit the CAPTCHA Task via the Solver’s API
Each service has its own format, but the idea is the same: you must pass at least the site key and the page URL. In 2Captcha, this is done by sending a POST request to their endpoint (https://2captcha.com/in.php). An additional parameter enterprise=1 indicates that it is an Enterprise CAPTCHA. If the CAPTCHA is invisible (i.e., no visible checkbox, only a JavaScript call), you should add invisible=1 (this affects how the human solver approaches the task). Other services have similar parameters. For example, Anti-Captcha requires creating a JSON task:
{ "type": "ReCaptchaV2EnterpriseTaskProxyless", "websiteURL": "...", "websiteKey": "...", "isInvisible": false }You must also specify your API key for the service, which you obtained during registration. Optionally, you may also specify a proxy for the solver to use. Many services allow you not to specify a proxy (they either don’t use one or apply their own pool). However, if the site is particularly sensitive to IP, it is better to provide a proxy from a nearby location. In my example, I will not complicate things further.
Step 3: Wait for and Retrieve the Solution (Token)
As you understand, CAPTCHA solving does not occur instantly (even though cats are born quickly, it’s not immediate) – you must periodically check if an answer is available. With 2Captcha, after submitting the CAPTCHA to the queue, you will receive a CAPTCHA ID (a numeric identifier). After a short while (usually 5+ seconds), you can start sending GET requests to https://2captcha.com/res.php with parameters: key (your API key), action=get, and id (the received ID). If the solution is not yet ready, the service will respond with CAPCHA_NOT_READY; then wait and repeat the request every 5 seconds (this interval can be adjusted at your discretion). Once the CAPTCHA is solved, you will receive a response in the form OK|<token>, where <token> is the solution string (the value to be inserted in g-recaptcha-response). In case of failure, an error such as ERROR_CAPTCHA_UNSOLVABLE may be returned (for example, if the operator could not solve it or a failure occurred). Then you must try again.
Step 4: Submit the Token to the Website and Complete the Action
After receiving the token, your script must insert it where the website expects it. This is typically a hidden form field:
<input type="hidden" name="g-recaptcha-response" value="<TOKEN>">If the interaction is via AJAX, the token is sent as a parameter. You fill in the field/parameter with the token and re-submit the request to the website’s server (for example, re-submit the registration form). On the server, the token is verified, and if all is well, the action is executed. Visually, if a user were present, the CAPTCHA would show as solved. For us, it means we have achieved the desired result automatically.
Now, let’s illustrate how this looks in code. Below are code examples in Python, PHP, and Node.js that implement the described steps using the 2Captcha API. (For other services, the code is similar; only the URLs and request formats change – refer to their documentation.)
Python Example (using requests):
import requests
import time
API_KEY = "YOUR_2CAPTCHA_API_KEY"
sitekey = "6Lf26sUnAAAAAIKLuWNYgRsFUfmI-3Lex3xT5N-s"
page_url = "https://2captcha.com/demo/recaptcha-v2-enterprise"
# 1. Submit the CAPTCHA for solving
data = {
'key': API_KEY,
'method': 'userrecaptcha',
'googlekey': sitekey,
'pageurl': page_url,
'enterprise': 1
}
response = requests.post("http://2captcha.com/in.php", data=data)
if response.text.split('|')[0] != "OK":
print("Error submitting CAPTCHA:", response.text)
exit(1)
captcha_id = response.text.split('|')[1]
print(f"CAPTCHA submitted, ID = {captcha_id}")
# 2. Wait for the solution
recaptcha_token = None
for i in range(20): # maximum wait of ~100 seconds
time.sleep(5)
res = requests.get(f"http://2captcha.com/res.php?key={API_KEY}&action=get&id={captcha_id}")
if res.text == "CAPCHA_NOT_READY":
print("Solution not ready yet, waiting...")
continue
if res.text.startswith("OK|"):
recaptcha_token = res.text.split('|')[1]
break
else:
print("Error solving CAPTCHA:", res.text)
exit(1)
if not recaptcha_token:
print("Failed to obtain CAPTCHA solution in time")
exit(1)
print("Received reCAPTCHA token:", recaptcha_token)
# 3. Use the received token – for example, submit a form with it.
form_data = {
'username': 'testuser',
'password': '12345',
'g-recaptcha-response': recaptcha_token
}
final_res = requests.post(page_url, data=form_data)
print("Form submission result:", final_res.status_code)Explanation: This code sends a request to 2Captcha to solve an Enterprise CAPTCHA with the given site key and URL, retrieves the CAPTCHA ID, polls for the result every 5 seconds, and finally obtains the token. It then simulates form submission with the token (for demonstration purposes). In reality, submitting the token might be more complex: multiple form fields, callbacks, inactive “Submit” buttons, etc.
PHP Example (using cURL):
<?php
$apiKey = "YOUR_2CAPTCHA_API_KEY";
$siteKey = "6Lf26sUnAAAAAIKLuWNYgRsFUfmI-3Lex3xT5N-s";
$pageURL = "https://2captcha.com/demo/recaptcha-v2-enterprise";
// 1. Submit the CAPTCHA for solving
$ch = curl_init("http://2captcha.com/in.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'key' => $apiKey,
'method' => 'userrecaptcha',
'googlekey' => $siteKey,
'pageurl' => $pageURL,
'enterprise' => 1
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$resp = curl_exec($ch);
curl_close($ch);
if(strpos($resp, "OK|") !== 0) {
die("Submission error: $resp");
}
list(, $captchaId) = explode('|', $resp);
echo "CAPTCHA submitted, ID = $captchaId\n";
// 2. Wait for the solution
$token = null;
for($i = 0; $i < 20; $i++) {
sleep(5);
$res = file_get_contents("http://2captcha.com/res.php?key=$apiKey&action=get&id=$captchaId");
if($res === "CAPCHA_NOT_READY") {
echo "Waiting...\n";
continue;
} elseif(strpos($res, "OK|") === 0) {
$token = substr($res, 3);
break;
} else {
die("Error solving CAPTCHA: $res");
}
}
if(!$token) {
die("Token not received, timeout exceeded.");
}
echo "Token received: $token\n";
// 3. Use the token (e.g., send it along with other form data)
$formFields = http_build_query([
'username' => 'testuser',
'password' => '12345',
'g-recaptcha-response' => $token
]);
$ch = curl_init($pageURL);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $formFields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($ch);
curl_close($ch);
echo "Server response on form submission: $result\n";
?>Explanation: This PHP script uses cURL and file_get_contents to interact with the 2Captcha API, then conditionally submits the form with the obtained token. In practice, instead of directly posting the form, your script might continue processing the page using the same mechanism or, if browser automation is used, inject the token into the page. The principle of token transmission remains the same.
Node.js Example (using fetch API)
const fetch = require('node-fetch'); // Install with: npm install node-fetch
const API_KEY = "YOUR_2CAPTCHA_API_KEY";
const siteKey = "6Lf26sUnAAAAAIKLuWNYgRsFUfmI-3Lex3xT5N-s";
const pageUrl = "https://2captcha.com/demo/recaptcha-v2-enterprise";
async function solveRecaptcha() {
// 1. Submit the CAPTCHA task
const params = new URLSearchParams();
params.append('key', API_KEY);
params.append('method', 'userrecaptcha');
params.append('googlekey', siteKey);
params.append('pageurl', pageUrl);
params.append('enterprise', '1');
let resp = await fetch('http://2captcha.com/in.php', {
method: 'POST',
body: params
});
let text = await resp.text();
if (!text.startsWith('OK|')) {
throw new Error(`Submission error: ${text}`);
}
const captchaId = text.split('|')[1];
console.log(`CAPTCHA submitted, ID = ${captchaId}`);
// 2. Wait for the result
let token = null;
for (let i = 0; i < 20; i++) {
await new Promise(res => setTimeout(res, 5000));
let resResp = await fetch(`http://2captcha.com/res.php?key=${API_KEY}&action=get&id=${captchaId}`);
let resText = await resResp.text();
if (resText === 'CAPCHA_NOT_READY') {
console.log("Waiting for solution...");
continue;
}
if (resText.startsWith('OK|')) {
token = resText.split('|')[1];
break;
} else {
throw new Error(`Error solving CAPTCHA: ${resText}`);
}
}
if (!token) {
throw new Error("Token not received within the allotted time.");
}
console.log("Token received:", token);
// 3. Use the token (e.g., send a POST request with the token)
const formParams = new URLSearchParams();
formParams.append('username', 'testuser');
formParams.append('password', '12345');
formParams.append('g-recaptcha-response', token);
let finalResp = await fetch(pageUrl, {
method: 'POST',
body: formParams
});
console.log("Form submission result:", finalResp.status);
}
solveRecaptcha().catch(err => {
console.error(err);
});Explanation: In this Node.js example, we use node-fetch for HTTP requests. The script submits the task, waits in intervals for the result, obtains the token, and then performs a final POST with that token. Note that node-fetch is asynchronous, so async/await is used. This “raw” approach demonstrates the concept clearly, though for a production environment, using an official SDK (such as the 2captcha package on npm) might be more convenient.
Integration Tips for reCAPTCHA Enterprise Bypass
Correct Insertion of the Token:
If you are controlling a browser (Selenium, Puppeteer, etc.), after receiving the token you should execute JavaScript on the page:
document.querySelector('[name="g-recaptcha-response"]').value = token;(or use
executeScript). Some sites might also expect the token in a specific JS variable – in the case of reCAPTCHA, the hidden field is usually sufficient.Be Aware of Token Expiry:
A token is valid for a limited time (~120 seconds). Therefore, once obtained, use it immediately. Do not request a solution too early before you are ready to submit the form.One Solution – One Token:
A token cannot be reused. If you need to pass the CAPTCHA again, you must solve it anew.
Recommendations for Error Handling and Optimization when you working with reCAPTCHA Enterprise solver
When solving CAPTCHAs via API services, it is crucial to handle various errors correctly so that your script remains reliable and does not hang. Here are some suggestions:
Balance and Quota Checks:
Before sending a CAPTCHA to the service, ensure that your account has sufficient funds (most services offer an API method to check the balance or you can verify in the control panel). If the balance is zero, you might receive an error such asERROR_ZERO_BALANCE. Account for such responses and program your script to handle them (e.g., via notifications or switching to a backup service) so that it does not simply stop working.API Error Handling:
Various errors can occur – an incorrect API key (ERROR_WRONG_USER_KEY), wrong parameters (ERROR_WRONG_SITEKEYorERROR_BAD_PARAMETERS), exceeding the request limit (ERROR_TOO_MUCH_REQUESTS), etc. The full list is typically provided in the documentation. As soon as you receive a response that does not begin withOK|orCAPCHA_NOT_READY, log or handle it according to the error type. Some errors are temporary (e.g.,ERROR_TIMEOUT– the service did not solve the CAPTCHA within the allotted time; you can try resubmitting), while others are fatal (incorrect API key – only fixable by adjusting settings). It is best to program the script with multiple error-handling scenarios.Repeating the CAPTCHA Solution:
If the service returnsERROR_CAPTCHA_UNSOLVABLE, it means that two or three different workers have attempted but failed to solve it. This might occur due to overly complex images or if Google continuously rejects the attempts. In such cases, you may try submitting the same CAPTCHA again (with a new ID) – often the reattempt succeeds because a different worker is assigned or the images reload. However, do not retry indefinitely (usually 1–2 retries are sufficient). If it still fails, the problem might lie with the challenge itself – perhaps the site requires additional data (such as parameter s), or your IP is banned. In such a case, it is time to re-examine your approach.
Parameter s / data-s:
For reCAPTCHA Enterprise v2, sometimes the site uses an additional parameter s – an encrypted string generated by the site and tied to a specific session or action. It may appear in the site’s code, for example, in a call like:
grecaptcha.enterprise.render(..., {'sitekey':..., 's': '<long_str>'});If you see such a parameter, you must pass it to the solver. 2Captcha/Anti-Captcha, for example, allow this – by adding a parameter
data-s=<value>. This parameter is often used when Google recommends that the site enable a browser check/snippet to enhance security. Without it, your token might not be accepted. Therefore, closely examine the HTML for any hidden fielddata-sor similar.Optimizing Parallelism:
If your script is solving multiple CAPTCHAs simultaneously rather than sequentially, you can send tasks in parallel and handle the results concurrently. Most services allow dozens of simultaneous tasks from one account. The key is not to poll too frequently for each result. For instance, if you have 50 tasks, do not send 50*20 = 1000 status requests every second – it is counterproductive. Instead, use pauses of 5–10 seconds, possibly batching requests. Anti-Captcha, for example, has a JSON API that allows querying multiple task statuses in a single call – reducing load and speeding up result collection.Using Multiple Services:
For critical scenarios, consider having a backup option. For example, if no response is received from Service A within X seconds, try submitting to Service B in parallel. Or, upon receiving a specific error, switch to another provider. This adds complexity (you have to support multiple APIs) but increases reliability. In most cases, however, one well-established solver is sufficient.Caching and Reusing Sessions:
This advice is more about reducing the number of CAPTCHAs rather than speeding up solving. If you control the browser, try to use session cookies. For example, when parsing a site, log in and preserve cookies – perhaps with a logged-in account or after one successfully solved CAPTCHA, Google may continue to assign a high score without further challenges. This is especially relevant for v3 – where you can “warm up” a session. For v2 Enterprise, if a user has passed one CAPTCHA, Google might not issue a new one for some time on the same site. Therefore, if possible, store the context (Google’s cookie SID and the site cookies) between requests so that you do not start “from scratch” each time.Rate Limiting Requests:
If your script performs actions en masse on a site, remember that triggering CAPTCHAs can be a reaction to frequent requests. For example, Google might increase CAPTCHA difficulty if it detects suspicious traffic. Sometimes, slightly reducing the parsing speed (adding short delays between page requests) can decrease the frequency of CAPTCHA appearances – saving both money and time. It’s a balance: faster scraping means more CAPTCHA costs.Logging All Events:
Implement robust logging: record when you submit a task to the solver, the task ID, the service’s response, the waiting time, and the final outcome. This helps diagnose issues when they arise. For example, you may notice that during certain hours, solving takes longer (perhaps due to service overload – then dynamically switch to an alternative service or increase timeout). Or, for a specific site, you consistently receiveERROR_UNSOLVABLE– indicating that the site might be employing additional anti-bot measures beyond reCAPTCHA, warranting further investigation.
In Summary
reCAPTCHA Enterprise is a powerful anti-automation tool, but it is not insurmountable. Bypassing reCAPTCHA Enterprise is possible, but it requires a comprehensive approach. It is not something that can be defeated by a simple ten-line script. You must use the right tools (CAPTCHA solving services, proxies, browser emulation) and account for numerous details.
Remember the balance: as protection becomes smarter, so do the solutions. Nonetheless, the basic principles remain the same: analyze how you are being detected and mimic a normal user closely enough to succeed.
I hope this detailed breakdown helps you understand what lies behind reCAPTCHA Enterprise and how to deal with it. Happy automating without obstacles!
