reCAPTCHA is a free service provided by Google that protects websites from spam and abuse by using risk analysis techniques to differentiate between humans and bots.

Developers can use reCAPTCHA to detect and block malicious user sign-ups, usually automated bots that attempt to create fake accounts. Additionally, reCAPTCHA acts as a guardrail against data scraping bots accessing and collecting information from a website, ensuring the protection of sensitive information.

In this article, you'll learn about reCAPTCHA and how to implement it on your own site. More specifically, you'll create a sign-up form in a React application and use reCAPTCHA to verify that the user is a human before they can submit that form.

What Is reCAPTCHA?

Before you implement reCAPTCHA on your website, let's take a look at how it works and its common use cases.

How reCAPTCHA Works

When users visit a website with reCAPTCHA enabled, they're presented with a challenge they must complete to prove that they're human. This challenge can take several forms:

• An image challenge: The user is presented with a distorted image of letters and numbers and asked to type the characters they see into a text box.
• An audio challenge: Instead of images, an audio recording of letters and numbers is used and the user is asked to type the characters they hear into a text box.
• A No CAPTCHA reCAPTCHA: The user is asked to click on a checkbox to indicate that they're not a robot. In some cases, Google might also ask the user to complete a separate image or audio challenge if it needs further proof that the user is human. You'll use this type of reCAPTCHA in the tutorial later in this article.

Once the user completes the challenge, the website will receive a response from the reCAPTCHA server indicating whether the user is human or not. Based on this response, the website can decide whether to allow the user to access certain pages or forms or deny access if it determines that the user is likely a bot.

Note that there's also a form of reCAPTCHA that doesn't actually present a challenge to the user. Instead, the system uses advanced risk analysis techniques to determine whether the user is human. This method is called invisible reCAPTCHA.

reCAPTCHA Use Cases

These are some prominent use cases for reCAPTCHA:

• Preventing spam and bots on online forms: This is a top use case. reCAPTCHA can protect online forms such as survey forms, blog post comment forms, and customer feedback from spamming bots.

• Protecting login pages: reCAPTCHA can be used to protect login pages from automated bots trying to gain unauthorized access by brute-force attacks. Requiring a user to solve a reCAPTCHA challenge before completing the login process makes it much more difficult for bots to gain access to an account.

• Preventing scraping and data harvesting: Adding reCAPTCHA verification stops automated bots from accessing the website, which stops attempts at data scraping and harvesting at an early stage. For example, Cloudflare runs bot checks as a measure to prevent bots from opening websites and scraping data.

Implementing reCAPTCHA in Your React Application

In this tutorial, you'll create a newsletter sign-up page to collect users' email addresses and names using React. You'll then add a reCAPTCHA to the sign-up form on this page to verify if the user is a human and filter out bots and spam.

Before getting started, ensure that you have the following installed on your computer:

• Node.js (version 16 or above)
• npm (version 8 or above)
• A code editor (Visual Studio Code is recommended)

You can also clone this GitHub repository to try the example application.

Set Up a React Project

Open your terminal and run the following command to initialize a React project using Create React App:

1
npx create-react-app react-recaptcha-example -y

Now change the directory to the project and open it in your code editor:

1
cd react-recaptcha-example

First, update the title on the public/index.html page to "reCAPTCHA example".

1
<!DOCTYPE html>
2
<html lang="en">
3
  <head>
4
    <link rel="manifest" href="%PUBLIC_URL%/manifest.json" />
5
    <!-- Rest meta tags -->
6
    <title>reCAPTCHA example</title>
7
  </head>
8
  <body>
9
    <!-- Rest of the body -->
10
  </body>
11
</html>

Then, open the src/App.js file to update the application to show a simple <h1> tag with "Sign up for Newsletter" as the content.

1
function App() {
2
  return (
3
    <div>
4
      <h1>Sign up for Newsletter</h1>
5
    </div>
6
  );
7
}
8

9
export default App;

Run npm start in the terminal to start the application. This command will run the React application on http://localhost:3000 and open it in your default browser.

The initial setup is now ready. Next, you'll create the sign-up form for the newsletter.

Create a Sign-Up Form

To create a sign-up form, open the App.js file in the code editor and add a form element in the App component. In the form element, add two input boxes—Email and Name—to collect the user's email address and name. To allow users to submit the form, add a button in the form.

To track the input value of the two input fields, create two state variables: email and name. Add the onChange event handler on the input elements to update the input value using setEmail and setName functions:

1
import { useState } from "react";
2
import "./App.css";
3

4
function App() {
5
  const [email, setEmail] = useState("");
6
  const [name, setName] = useState("");
7
  return (
8
    <div>
9
      <h1>Sign up for Newsletter</h1>
10
      <form>
11
        <input
12
          name="Email"
13
          type={"email"}
14
          value={email}
15
          required
16
          placeholder="joe@example.com"
17
          onChange={(event) => setEmail(event.target.value)}
18
        />
19
        <input
20
          name="Name"
21
          type={"name"}
22
          value={name}
23
          required
24
          placeholder="Joe"
25
          onChange={(event) => setName(event.target.value)}
26
        />
27
        <button type="submit">Sign up</button>
28
      </form>
29
    </div>
30
  );
31
}
32

33
export default App;

You'll see a basic sign-up form, as shown below:

While functional, this form doesn't look very stylish. To make it look nicer, open the App.css file, remove all existing styles, and paste the CSS rules from below to align the form in the center and add some padding:

1
h1 {
2
  text-align: center;
3
}
4

5
form {
6
  margin: 40px auto;
7
  width: 300px;
8
  display: flex;
9
  flex-direction: column;
10
}
11

12
input {
13
  margin-bottom: 20px;
14
  padding: 5px;
15
  border-radius: 5px;
16
}
17

18
button {
19
  padding: 5px;
20
  border-radius: 5px;
21
  margin-bottom: 20px;
22
}

After you add the above styles, the sign-up form should look more welcoming.

Configure reCAPTCHA

Now that the sign-up form is ready, it's time to configure the reCAPTCHA verification. To use Google's reCAPTCHA, you must register a site on the reCAPTCHA admin console.

In the admin console, use react-example as the Label. Then, select reCAPTCHA v2 > "I'm not a robot" Checkbox as the reCAPTCHA type.

Add the domains where you want to use the reCAPTCHA, starting with localhost.

Select Accept the reCAPTCHA Terms of Service and click Submit.

On the next page, click on COPY SITE KEY and COPY SECRET KEY to copy the values.

Now create a new .env file in your project and paste these values, as shown below:

1
REACT_APP_SITE_KEY=<from-admin-dashboard>
2
SITE_SECRET=<from-admin-dashboard>

Note: You must append environment variables used in Create React App with REACT_APP_, as per the documentation.

To use the reCAPTCHA in your React application, install the react-google-recaptcha npm package by running the following command:

1
npm i react-google-recaptcha

In the App.js file, import the ReCAPTCHA component and place it below the <button>. Pass the siteKey prop and assign it to the process.env.REACT_APP_SITE_KEY so Google can recognize your reCAPTCHA:

1
import { useState } from "react";
2
import "./App.css";
3
import ReCAPTCHA from "react-google-recaptcha";
4

5
function App() {
6
  const [email, setEmail] = useState("");
7
  const [name, setName] = useState("");
8
  return (
9
    <div>
10
      <h1>Sign up for Newsletter</h1>
11
      <form>
12
        <input
13
          name="Email"
14
          type={"email"}
15
          value={email}
16
          required
17
          placeholder="joe@example.com"
18
          onChange={(event) => setEmail(event.target.value)}
19
        />
20
        <input
21
          name="Name"
22
          type={"name"}
23
          value={name}
24
          required
25
          placeholder="Joe"
26
          onChange={(event) => setName(event.target.value)}
27
        />
28
        <button type="submit">Sign up</button>
29
        <ReCAPTCHA sitekey={process.env.REACT_APP_SITE_KEY} />
30
      </form>
31
    </div>
32
  );
33
}
34

35
export default App;

You'll now see the reCAPTCHA rendering inside the form:

Test reCAPTCHA

To test the reCAPTCHA on form submission, you need to call the getValue method on the reCAPTCHA instance and verify its value. For this, you need to keep a reference to the reCAPTCHA component, which you can do using the useRef hook.

Create a recaptcha reference using the useRef hook and assign it as the value for the ref prop on the ReCAPTCHA component:

1
import { useRef, useState } from "react";
2
import "./App.css";
3
import ReCAPTCHA from "react-google-recaptcha";
4

5
function App() {
6
  const recaptcha = useRef();
7
  const [email, setEmail] = useState("");
8
  const [name, setName] = useState("");
9
  return (
10
    <div>
11
      <h1>Sign up for Newsletter</h1>
12
      <form>
13
        {/* input elements*/}
14
        <button type="submit">Sign up</button>
15
        <ReCAPTCHA ref={recaptcha} sitekey={process.env.REACT_APP_SITE_KEY} />
16
      </form>
17
    </div>
18
  );
19
}
20

21
export default App;

To handle form submission, create a submitForm function that'll execute on the form submit event and verify the reCAPTCHA before form submission.

To verify the reCAPTCHA, the submitForm function calls the getValue method on the recaptcha ref object. The getValue method returns a token or undefined. If it's a token, the user has verified themselves. Otherwise, you show them an alert. Add the submitForm to the onChange event handler on the form element:

1
import { useRef, useState } from "react";
2
import "./App.css";
3
import ReCAPTCHA from "react-google-recaptcha";
4

5
function App() {
6
  const recaptcha = useRef();
7
  const [email, setEmail] = useState("");
8
  const [name, setName] = useState("");
9

10
  async function submitForm(event) {
11
    event.preventDefault();
12
    const captchaValue = recaptcha.current.getValue();
13
    if (!captchaValue) {
14
      alert("Please verify the reCAPTCHA!");
15
    } else {
16
      // make form submission
17
      alert("Form submission successful!");
18
    }
19
  }
20

21
  return (
22
    <div>
23
      <h1>Sign up for Newsletter</h1>
24
      <form onSubmit={submitForm}>{/* other elements */}</form>
25
    </div>
26
  );
27
}
28

29
export default App;

Server-Side Validation

So far, you've only checked if the user verified themselves using the reCAPTCHA, but you have yet to determine whether the token value is valid. If you open your reCAPTCHA admin console, you'll see the following message.

To rectify this, you can request Google's reCAPTCHA verify API to confirm whether the provided token is valid. As this operation requires you to share the SITE_SECRET with Google, you must handle this operation on the server side for security reasons.

You can create a simple HTTP server using Node.js to implement the server-side validation. To quickly create a Node.js server, you need the following dependencies:

• express: to create the server application
• axios: to make network requests on the server side
• cors: to allow requests coming from a different origin (localhost: 3000)
• dotenv: to read the environment variables from the .env file

Run the following command to install all these dependencies:

1
npm i express axios dotenv cors

Now create the new file server.js, and set up a server that listens on port 8000. Use the cors middleware to allow incoming requests from all origins and the express.json middleware to parse the JSON payload in the request body. Retrieve the SITE_SECRET from the environment variables.

The server accepts POST requests on the /verify route. In the POST request handler, you use the Google reCAPTCHA API to verify the captchaValue sent in the request body. You then send the response back to the user with the data returned from the reCAPTCHA API:

1
require("dotenv").config();
2
const express = require("express");
3
const cors = require("cors");
4
const axios = require("axios");
5
const app = express();
6
const port = 8000;
7

8
const SITE_SECRET = process.env.SITE_SECRET;
9

10
app.use(cors());
11
app.use(express.json());
12

13
app.post("/verify", async (request, response) => {
14
  const { captchaValue } = request.body;
15
  const { data } = await axios.post(
16
    `https://www.google.com/recaptcha/api/siteverify?secret=${SITE_SECRET}&response=${captchaValue}`
17
  );
18
  response.send(data);
19
});
20

21
app.listen(port, () => {
22
  console.log(`Server listening at ${port}`);
23
});

Run node server.js to start the server application.

On the frontend, you need to update the submitForm method to send the captchaValue to the /verify endpoint in a POST request. In the App.js file, update the submitForm function to request the http://localhost:8000/verify endpoint for server-side validation and show the user an alert based on whether the validation was successful using the returned success property on the response data:

1
async function submitForm(event) {
2
  event.preventDefault();
3
  const captchaValue = recaptcha.current.getValue();
4
  if (!captchaValue) {
5
    alert("Please verify the reCAPTCHA!");
6
  } else {
7
    const res = await fetch("http://localhost:8000/verify", {
8
      method: "POST",
9
      body: JSON.stringify({ captchaValue }),
10
      headers: {
11
        "content-type": "application/json",
12
      },
13
    });
14
    const data = await res.json();
15
    if (data.success) {
16
      // make form submission
17
      alert("Form submission successful!");
18
    } else {
19
      alert("reCAPTCHA validation failed!");
20
    }
21
  }
22
}

The reCAPTCHA validation flow is now complete. See it in action below.

Conclusion

In this article, you learned the importance of reCAPTCHA validation and how to use it to prevent malicious users from misusing your application. By following this tutorial, you successfully created a sign-up form with reCAPTCHA validation and you also created a Node.js server to further validate the reCAPTCHA value for better security.

Clerk provides an easy way to add authentication and user management to your application. It offers beautiful components ready to plug into your application and build the authentication flow in no time. If you're looking for a complete authentication and identity platform, sign up to try Clerk today.