9

I have installed the latest reCAPTCHA from Google, but it always returns false on POST submit and always returns an "invalid-input-secret" error, even though the verification is always correct from the frontend view. What could be the reason for this? By the way, I am testing everything on localhost (XAMPP) with the Phalcon framework. Here is the part where I check the captcha:

protected function validate_data($post, $ip){

    $validation = new Validation();
    $validation->add(
        'user_name',
        new PresenceOf(
            array(
                'message' => 'The Username is required'
            )
        )
    );
    $validation->add(
        'email',
        new PresenceOf(
            array(
                'message' => 'The e-mail is required'
            )
        )
    );
    $validation->add(
        'password',
        new PresenceOf(
            array(
                'message' => 'The Password is required'
            )
        )
    );
    $validation->add(
        'cpassword',
        new PresenceOf(
            array(
                'message' => 'The Confirmation Password is required'
            )
        )
    );
    $validation->add(
        'email',
        new Email(
            array(
                'message' => 'The e-mail is not valid'
            )
        )
    );

    $validation->add('password', 
        new Confirmation(array(
           'message' => 'Password doesn\'t match confirmation',
           'with' => 'cpassword'
           )
        )
    );

    $error = $validation->validate($post);
    $errors = array();
    if(count($error)){
        foreach($error as $e){
            $errors[] = $e;
        }
    }

    $data = array(
        'secret' => "my secret key",
        'response' => $post['g-recaptcha-response'],
        'remoteip' => $ip
    );

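    $verify = curl_init();
    curl_setopt($verify, CURLOPT_URL, "https://www.google.com/recaptcha/api/siteverify");
    curl_setopt($verify, CURLOPT_POST, true);
    curl_setopt($verify, CURLOPT_POSTFIELDS, http_build_query($data));
    // Keep certificate verification on so the siteverify reply cannot be spoofed in transit
    curl_setopt($verify, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($verify, CURLOPT_RETURNTRANSFER, true);
    $res = curl_exec($verify);
    curl_close($verify);

    // json_decode() returns null when the request failed or the body is not JSON
    $captcha = ($res === false) ? null : json_decode($res);

    // Fail closed: anything other than an explicit success is rejected
    if(!is_object($captcha) || empty($captcha->success)){
        $errors[] = "Invalid Captcha, You are a freakin robot!";
    }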

    return $errors;

}

What could be the reason here? Here is the output when you dump the response:

object(stdClass)#70 (2) { ["success"]=> bool(false) ["error-codes"]=> array(1) { [0]=> string(20) "invalid-input-secret" } } 
MusicManDev

4 Answers

28

The whole problem arises because of confused peeps at Google. They have created multiple channels to implement reCAPTCHA Registration. If you have encountered this error, I am sure you have followed the first method to generate SECRET KEY for your reCAPTCHA Application.

  1. You visit the website: https://console.cloud.google.com/security/recaptcha and generate a reCAPTCHA key for your website. Note that this is a Google Cloud Console link, and you must have received just a single key for both the frontend and the backend.

  2. You visit the website: https://www.google.com/recaptcha/admin/create and generate reCAPTCHA keys for your application. Note that this is not a Google Cloud Console website, but an individual website which will serve you 2 different keys, one for your backend and the other for your frontend. Use these keys, and you should be good to go.

This is bad on Google's end that they have multiple sources for the same targeted facility, and one of those ways is sort of deprecated or not-working.

Sarthik Gupta
  • King, you saved my day! :) – Gokul NC Apr 19 '21 at 14:28
  • Awesome. I was pulling my hair out because of this, and thanks to you, I found the solution. So, I have created the keys using the second site, "google.com/recaptcha/admin/create," and now it is working flawlessly. – jose miguel rivera rodríguez Jun 14 '21 at 20:56
  • So we can not use the key that we created in Google Cloud? – Dean Christian Armada Aug 19 '21 at 07:45
  • @DeanChristianArmada In my case, I couldn't get the keys from Google Cloud to get working! – Sarthik Gupta Aug 19 '21 at 11:32
  • @SarthikGupta, oh ok. What I meant was you can not use the https://www.google.com/recaptcha/api/siteverify with the site keys that you obtained in Google Cloud – Dean Christian Armada Aug 20 '21 at 07:47
  • Absolute LEGEND! – Shean Hoxie Oct 02 '21 at 18:00
  • Here are the docs on the backend setup for Enterprise: https://cloud.google.com/recaptcha-enterprise/docs/using-features#migrate-backend. If you're not using Google Cloud, I would strongly recommend considering another CAPTCHA API. I never had an issue with v2 or v3, but Enterprise is a completely different beast. – lgants Nov 16 '21 at 23:21
  • Thank you. I have been frustrated for hours due to this. Google have made re-captcha VERY messy and confusing for developers to understand/use – Ste Mar 03 '22 at 10:56
20

Silly me, I double-checked the secret key and it was just missing a single character at the beginning. That solved it.

MusicManDev
4

For JavaScript

In my case I used an environment variable, and I defined the variable with double quotes: "6Lfg1_0UAAAAABWdUn5gNhXEuLxhpkQyheDpLbnB". So when the secret key is passed via the URL, it is included with the double quotes. That was the issue in my case; the double quotes should not be included in the URL.

When you define the environment variable, define it with single quotes like below:

RECAPTCHA_SECRET_KEY='6Lfg1_0UAAAAABWdUn5gNhXEuLxhpkQyheDpLbnB'

Aathi
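
The two self-answers above (a secret missing a character, a secret carrying literal double quotes) both end in the same `invalid-input-secret` reply. The following is an added example, not code from any of the answers: it cleans a secret read from the environment and classifies a siteverify reply so that a configuration error is not reported as a failed CAPTCHA. The function names and the character-set check are assumptions, and the sample values are constructed.

```javascript
// Added example; function names are hypothetical, sample values are constructed.
// siteverify error codes that point at server configuration, not at the visitor.
const CONFIG_ERRORS = new Set(['missing-input-secret', 'invalid-input-secret', 'bad-request']);

// Clean a secret read from the environment and report what was wrong with it.
function normalizeSecret(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') {
    return { secret: null, problems: ['secret is not set'] };
  }
  const problems = [];
  let secret = raw.trim();
  if (secret !== raw) problems.push('leading or trailing whitespace');
  const quoted = /^(["'])(.*)\1$/.exec(secret);
  if (quoted) {
    problems.push('wrapped in literal quotes');
    secret = quoted[2];
  }
  // Assumption: keys use only the character classes seen in the key quoted above.
  if (!/^[A-Za-z0-9_-]+$/.test(secret)) problems.push('unexpected characters');
  return { secret, problems };
}

// Form body for the POST to https://www.google.com/recaptcha/api/siteverify.
function buildVerifyBody(secret, token, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  return body.toString();
}

// Fail closed: only success === true passes; configuration errors are
// separated from visitor errors so they can be logged instead of shown.
function classifyVerifyResult(result) {
  if (result && result.success === true) return { ok: true, kind: 'pass', codes: [] };
  const codes = result && Array.isArray(result['error-codes']) ? result['error-codes'] : [];
  let kind = 'no-response';
  if (codes.some((c) => CONFIG_ERRORS.has(c))) kind = 'server-config';
  else if (codes.length > 0) kind = 'visitor';
  return { ok: false, kind, codes };
}

// Constructed sample: a quoted value as it would arrive from the environment.
const fromEnv = normalizeSecret('"EXAMPLE_secret-0000"');
console.log(fromEnv.problems, buildVerifyBody('"EXAMPLE_secret-0000"', 'token'));
console.log(classifyVerifyResult({ success: false, 'error-codes': ['invalid-input-secret'] }));
```

A `server-config` result is one to log and alert on; the visitor did nothing wrong, so showing them a failed-CAPTCHA message hides the real fault.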
0

A complement to Sarthik Gupta's answer:

This issue is due to the type of reCAPTCHA account you want to use:

  1. https://www.google.com/recaptcha/admin/create is for an enterprise account, so in that case, once the client key is created, authentication should be performed using an API key created in the Google Cloud console, or a service account, as described here: https://cloud.google.com/recaptcha-enterprise/docs/using-features?_ga=2.231710239.-1292418016.1646407998#migrate-backend
  2. https://www.google.com/recaptcha/admin/create is for a free account, in which case both client and server keys are created and available directly
MDH