You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Many applications prompt for reCAPTCHA keys, save them, and use them to generate the UI as needed. Ideally we'd be able to validate those keys before accepting them.
We can validate the private key by submitting an empty response to the verification API, and if 'invalid-input-secret' isn't in the 'error-codes' array in the result, the private key is valid. That's a bit indirect, but workable.
However, the verification API doesn't take the public key as a parameter, so it can't be validated that way. Best I've been able to figure out is to use the public key to show the reCAPTCHA UI on the client, and ask the user to confirm that it displayed correctly.
Some server-side way to test that the public key is valid for this domain would be vastly preferable. Ideally we could test both keys at once, without the fake verification step above.
The text was updated successfully, but these errors were encountered:
This issue doesn't appear to be getting any traction. Could someone on the dev team please explain to me what existing techniques there are to procedurally validate the public and private keys before saving them in the above scenario, or why that's not necessary?
Many applications prompt for reCAPTCHA keys, save them, and use them to generate the UI as needed. Ideally we'd be able to validate those keys before accepting them.
We can validate the private key by submitting an empty response to the verification API, and if 'invalid-input-secret' isn't in the 'error-codes' array in the result, the private key is valid. That's a bit indirect, but workable.
However, the verification API doesn't take the public key as a parameter, so it can't be validated that way. Best I've been able to figure out is to use the public key to show the reCAPTCHA UI on the client, and ask the user to confirm that it displayed correctly.
Some server-side way to test that the public key is valid for this domain would be vastly preferable. Ideally we could test both keys at once, without the fake verification step above.
The text was updated successfully, but these errors were encountered: