← Glossary / reCAPTCHA v3

What is reCAPTCHA v3?

reCAPTCHA v3 is Google's invisible risk-scoring engine that evaluates client telemetry in the background and returns a score from 0.0 (bot) to 1.0 (human). Unlike v2, it never interrupts the user with image puzzles. For scraping pipelines, it shifts the battleground from solving visual challenges to maintaining pristine browser fingerprints and realistic interaction profiles over the session lifecycle.

Anti-BotRisk ScoringTelemetryInvisible CAPTCHAFingerprinting
// 02 — definitions

Invisible,
continuous scoring.

The mechanics of how Google evaluates your scraper's humanity without ever showing a traffic light or crosswalk.

Ask a DataFlirt engineer →

TL;DR

reCAPTCHA v3 runs continuously on the target page, collecting hardware, network, and behavioral signals to generate a risk score. A score below 0.3 typically triggers a hard block or a fallback v2 challenge. Bypassing it requires a coherent browser profile, residential IP, and an execution context free of headless automation leaks.

01Definition & structure
reCAPTCHA v3 is an invisible risk analysis engine. Instead of challenging the user, it loads a JavaScript payload (api.js) that monitors the browser environment and user behavior. When an action occurs (like a page load or form submission), the client calls grecaptcha.execute(), which sends the collected telemetry to Google and returns an encrypted token. The target server then verifies this token with Google's backend API to receive a score between 0.0 and 1.0.
02The scoring model
The score represents the probability that the interaction was generated by a human.
  • 0.9 – 0.7: Highly likely human. Clean IP, coherent fingerprint, realistic interaction.
  • 0.5 – 0.4: Suspicious. Often triggers a fallback challenge or requires email verification.
  • 0.3 – 0.1: Highly likely bot. Datacenter IP, headless browser flags, or impossible hardware configurations.
The target website sets its own threshold for what score is acceptable.
03Telemetry vectors
v3 collects extensive telemetry before generating a token. This includes network data (IP reputation, ASN), hardware data (Canvas rendering, WebGL, hardware concurrency, device memory), software data (navigator properties, installed fonts), and behavioral data (mouse trajectories, click cadence, scroll depth). Failing any single major check (like leaving navigator.webdriver = true) overrides other positive signals and forces a low score.
04How DataFlirt handles it
We bypass v3 by engineering the environment, not by solving puzzles. Our fleet uses residential proxies to ensure high IP reputation. We run fully headed instances of Chrome and WebKit, ensuring that hardware concurrency, WebGL strings, and Canvas hashes naturally align with the advertised OS. We simulate human-like interaction delays before triggering the token generation, ensuring our pipelines consistently return scores above 0.7.
05The v2 fallback loop
Many sites implement a hybrid approach: they evaluate the v3 score first, and if it falls below a certain threshold (e.g., 0.5), they dynamically render a v2 image challenge. This means a scraper might run smoothly for hours, then suddenly encounter a DOM change requiring a puzzle solution. Handling this requires pipeline logic that can detect the fallback state and either route to a solver or rotate the session entirely.
// 03 — the scoring model

How is the
score calculated?

Google's exact weights are proprietary, but empirical testing across DataFlirt's fleet reveals the dominant factors driving a 0.9 versus a 0.1.

IP Reputation Weight = Sip = f(ASN_history, subnet_abuse_rate)
Datacenter IPs cap the maximum possible score at ~0.3, regardless of browser quality. Empirical observation
Fingerprint Coherence = C = 1 − (hardware_mismatches / total_checks)
Mismatched GPU/OS strings or patched navigator properties instantly tank the score. DataFlirt telemetry analysis
DataFlirt Target Score = Starget0.7
Minimum acceptable score for production pipelines before rotating the session. Internal SLO
// 04 — token generation trace

Intercepting the
reCAPTCHA payload.

A live trace of a DataFlirt worker executing the v3 script, generating the encrypted payload, and receiving a score from Google's verification endpoint.

grecaptcha.executetoken payloadscore: 0.9
edge.dataflirt.io — live
CAPTURED
// init grecaptcha
script.load: "https://www.google.com/recaptcha/api.js?render=SITE_KEY"
window.grecaptcha.execute: "action=search"

// telemetry collection (client-side)
payload.length: 4,822 bytes
telemetry.mouse_events: present
telemetry.webdriver: false
token.generated: "03AFcWeA7...[truncated]"

// backend verification (target server -> google)
response.success: true
response.score: 0.9
response.action: "search"
response.hostname: "target-site.com"

// pipeline router
pipeline.status: proceeding // score > 0.7 threshold
// 05 — score penalties

What tanks your
v3 score.

The most common reasons a scraper receives a 0.1 score, ranked by frequency across our diagnostic telemetry.

SAMPLE SIZE ·  ·  ·  ·    1.8M sessions
WINDOW ·  ·  ·  ·  ·  ·   30d trailing
UPDATED ·  ·  ·  ·  ·  ·  2026-05-19
01

Headless browser leaks

navigator.webdriver · Default Puppeteer/Playwright flags
02

Datacenter / Hosting ASN

IP reputation · AWS, DigitalOcean, Hetzner IPs
03

Hardware concurrency mismatch

navigator.hardwareConcurrency · Spoofed core counts vs actual rendering
04

Zero interaction telemetry

behavioral · Executing token immediately on load
05

Token reuse / expiration

lifecycle · Tokens expire after 2 minutes
// 06 — our stack

Don't solve puzzles,

engineer the environment.

Because v3 is invisible, you can't easily outsource it to a CAPTCHA-solving farm without complex token injection flows that slow down the pipeline. The score is a direct reflection of your execution environment. DataFlirt achieves consistent 0.9 scores by running fully headed browsers on residential exit nodes, with hardware-level fingerprint coherence. We don't fake the telemetry; we provide an environment where the real telemetry looks human.

v3_token_verification.json

Decoded verification response for a DataFlirt session.

success true
score 0.9
action submit_form
challenge_ts 2026-05-19T14:22:10Z
hostname target-site.com
ip_reputation residential_clean
environment headed_chrome_mac

Stay ahead of the pipeline

Data engineering
intel, weekly.

Anti-bot shifts, scraping infrastructure updates, dataset delivery patterns, and business outcomes from our pipelines. Short, technical, no fluff.

By submitting, you acknowledge our Privacy Notice.

// 07 — FAQ

Common
questions.

About v3 scoring, token injection, fallback challenges, and how DataFlirt maintains high scores at scale.

Ask us directly →
What is the difference between reCAPTCHA v2 and v3? +
v2 requires explicit user interaction — clicking a checkbox or solving an image puzzle (traffic lights, crosswalks). v3 is entirely invisible. It runs a background script that monitors the session and returns a score (0.0 to 1.0) to the target server. The target server decides what to do based on that score.
Can I use a CAPTCHA solving service (like 2Captcha) for v3? +
Yes, but it's inefficient. You have to send the site key and URL to the service, wait for their workers to generate a token, and then inject that token into your scraper's request. This adds 10–30 seconds of latency per request. Engineering your environment to naturally score a 0.7+ is much faster and cheaper at scale.
Why am I getting a 0.3 score even on a residential proxy? +
IP reputation is only half the battle. If you are running standard headless Chrome, Puppeteer, or Playwright without proper stealth patches, Google's script detects the automation environment immediately. A residential IP with a bot fingerprint still yields a low score.
How does DataFlirt maintain high v3 scores at scale? +
We don't rely on token injection. We run a fleet of real, headed browsers on bare-metal hardware, routed through high-quality residential ISPs. Our browsers generate genuine interaction telemetry (mouse movements, scroll events) before triggering the grecaptcha.execute() call, consistently yielding scores of 0.7 to 0.9.
Is it legal to bypass reCAPTCHA v3? +
Bypassing a CAPTCHA to access public data is generally lawful in the US and EU, provided you are not breaching authenticated areas, committing fraud, or causing a denial of service. However, bypassing technical measures may violate a site's Terms of Service. Consult legal counsel for your specific jurisdiction and use case.
What happens if the target site requires a 0.9 score and I get a 0.7? +
The target site's backend logic dictates the response. Usually, they will either return an HTTP 403, or they will serve a fallback reCAPTCHA v2 challenge. If a DataFlirt session drops below the target's required threshold, our router automatically discards the session, rotates the IP and fingerprint, and retries.
$ dataflirt scope --new-project --target=recaptcha-v3 READY

Tell us what
to extract.
We do the rest.

20-minute scoping call. Pilot dataset within the week. Production within two. Whether you need a one-off catalogue dump or a continuous feed across millions of records — we scope, build, and operate the pipeline.

Start a pipeline → View pricing
hello@dataflirt.com  ·  Bengaluru  ·  IST  ·  typical reply < 4h
// 08 — keep reading

Related glossary terms

Anti-Bot Bypass

reCAPTCHA v2

The predecessor to v3, relying on explicit visual puzzles rather than invisible scoring.

Read →
Anti-Bot Bypass

Browser Fingerprinting

The primary telemetry vector reCAPTCHA v3 uses to determine if you are a bot.

Read →
Anti-Bot Bypass

Headless Browser Detection

Why standard Playwright scripts instantly receive a 0.1 score from Google.

Read →
Anti-Bot Bypass

Residential IP Detection

How Google weighs your network exit node when calculating the final v3 score.

Read →