What's Happening to reCAPTCHA?
Three things are converging at once, and they all hit in Q1 2026:
- Free tier slashed 99%. Google cut reCAPTCHA's free assessment quota from 1,000,000 to 10,000 per month. If you run a mid-traffic site — even a blog with a contact form — you will exceed this in days. Overage pricing starts at $8/month for the 10K–100K tier.
- Standalone reCAPTCHA is shutting down. Google is folding reCAPTCHA into the broader reCAPTCHA Enterprise product. The standalone API endpoints that millions of sites rely on stop working after the April 2, 2026 legal shift date.
- Migration is mandatory, not optional. If you do nothing, your forms break. Period. There is no grace period — the API keys stop validating.
If your site uses www.google.com/recaptcha/api.js or recaptcha/api/siteverify,
you must migrate before April 2 or your forms will silently fail. Google's own migration guide admits
there is "no backward compatibility" for standalone keys. This is the time to reconsider whether
you need Google in the loop at all.
The timing is not accidental. Google is monetizing what was previously a free data-collection mechanism. For years, reCAPTCHA provided free bot protection in exchange for behavioral data that trained Google's AI models. Now the free ride is over — but the data collection hasn't stopped. If you're being forced to migrate anyway, this is the moment to choose something that actually respects your users. For context on why bot protection matters, see our deep dive on credential stuffing defense.
Why This Matters More Than You Think
The reCAPTCHA shutdown is a pricing story on the surface. Underneath, it's a GDPR compliance crisis that most site operators have been ignoring for years.
Here's what reCAPTCHA actually does when a user loads your page:
- Sets cookies (
_GRECAPTCHA) that persist across sessions - Sends user IP addresses, browser fingerprints, mouse movements, and keystrokes to Google servers in the United States
- Feeds that behavioral data into Google's risk analysis models — models that benefit Google's advertising business
- Provides no mechanism for users to opt out of this data collection without breaking the form
Under GDPR Article 5(1)(c) — data minimization — processing must be "adequate, relevant, and limited to what is necessary." Sending full behavioral telemetry to a US advertising company to determine whether someone is a bot is not minimized processing. Multiple EU data protection authorities have already flagged reCAPTCHA as problematic, and the Austrian DSB and French CNIL have both issued guidance that reCAPTCHA requires explicit consent under GDPR.
Post-Schrems II, transferring personal data to US-based processors (including Google) without adequate
safeguards is a compliance risk. reCAPTCHA doesn't offer data residency options. Every form submission
sends data to www.google.com — that's a cross-border transfer by definition. If
you serve EU users, this matters. See our full analysis on
GDPR-compliant biometric processing for the broader picture.
The bottom line: reCAPTCHA was never GDPR-compliant by design. The April 2 shutdown gives you the reason to fix this. Don't migrate from reCAPTCHA to reCAPTCHA Enterprise — you're just paying Google for the same compliance problem.
Your Options (Honest Comparison)
There are four credible alternatives. Here's an honest comparison — we include competitors because you deserve to evaluate your options fairly.
| Feature | reCAPTCHA v3 | Cloudflare Turnstile | hCaptcha | H33 BotShield |
|---|---|---|---|---|
| Free tier | 10K/mo | Unlimited* | 100K/mo | 2,500/mo |
| Price after free | $8/mo (100K) | Free (CF customers) | $99/mo (500K) | $29.99/mo (10K) |
| Tracking cookies | Yes (persistent) | Minimal (session) | Yes (functional) | None |
| Data sent to 3rd party | Full telemetry to Google US | Minimal to Cloudflare | Behavioral to Intuition Machines | Nothing. All local. |
| GDPR by architecture | No | Partial | Partial | Yes |
| User interaction required | None (invisible) | None (invisible) | Sometimes (image tasks) | None (invisible PoW) |
| Bot detection method | Behavioral ML + risk score | Behavioral ML + challenge | Behavioral ML + image labeling | SHA-256 proof-of-work |
| Challenge integrity | Google-signed token | Cloudflare-signed token | hCaptcha-signed token | Dilithium PQ-signed |
| Bypassed by human farms | Yes | Yes | Yes | No (PoW is economic) |
| Vendor lock-in | Google ecosystem | Cloudflare DNS required* | Low | None |
*Cloudflare Turnstile's free tier requires being a Cloudflare customer. "Unlimited" is subject to fair-use policies. Turnstile is an excellent product if you're already in the Cloudflare ecosystem.
Where BotShield wins: Zero tracking by architecture (not by policy — there is no data to collect), post-quantum signed challenges that can't be forged, proof-of-work economics that make bot farms unprofitable, and GDPR compliance that doesn't require a cookie banner because there are no cookies.
Where competitors win: Cloudflare Turnstile has a larger free tier and deep integration with Cloudflare's network. hCaptcha has a higher free tier at 100K/month. If volume is your only concern and privacy isn't, those are valid choices.
Migrate in 5 Minutes
Whether you're on reCAPTCHA v2 (checkbox), v3 (invisible), or Enterprise, the migration is the same three steps.
Step 1: Remove reCAPTCHA
Find and remove the reCAPTCHA script tag from your HTML:
<!-- DELETE THIS --> <script src="https://www.google.com/recaptcha/api.js" async defer></script> <!-- ALSO DELETE any v3 variant --> <script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script> <!-- ALSO DELETE the widget div if using v2 --> <div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>
On your server, remove the siteverify call:
// DELETE THIS — the endpoint stops working April 2 POST https://www.google.com/recaptcha/api/siteverify secret=YOUR_SECRET_KEY&response=USER_TOKEN
Step 2: Add BotShield
Option A: Script tag (simplest — works with any framework)
<!-- H33 BotShield — proof-of-work bot protection --> <script src="https://api.h33.ai/v1/botshield/script.js" async defer></script>
Then protect any form:
<form action="/submit" method="POST"> <input type="email" name="email" required> <button type="submit">Sign Up</button> <!-- BotShield solves the PoW challenge automatically on submit --> <div data-botshield data-key="YOUR_BOTSHIELD_KEY"></div> </form>
Option B: npm (for React, Vue, Next.js, Nuxt, etc.)
npm install @h33/botshield
import { BotShield } from '@h33/botshield'; const shield = new BotShield({ key: 'YOUR_BOTSHIELD_KEY' }); // Before submitting a form or sensitive action: const token = await shield.solve(); // Send the token with your request await fetch('/api/submit', { method: 'POST', headers: { 'X-BotShield-Token': token }, body: JSON.stringify(formData) });
Step 3: Verify Server-Side
curl -X POST https://api.h33.ai/v1/botshield/verify \ -H "Authorization: Bearer $H33_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "token": "USER_BOTSHIELD_TOKEN" }' // Response { "valid": true, "difficulty": 16, "solve_time_ms": 340, "signature": "dilithium_signed...", "session_ttl": 3600, "pq_verified": true }
That's it. Your forms are protected, your users see nothing (no checkbox, no image puzzles), and zero data leaves the user's browser except the proof-of-work solution.
How BotShield Works (Under the Hood)
BotShield uses a fundamentally different approach than reCAPTCHA. Instead of analyzing behavior to guess whether someone is human, it uses SHA-256 proof-of-work to make bot attacks economically unprofitable.
Here's the flow:
- Challenge issued. When a user loads a protected page, BotShield issues a unique cryptographic challenge — a random nonce plus a target difficulty.
- Client solves. The user's browser finds a value that, when hashed with SHA-256 alongside the nonce, produces a hash with the required number of leading zero bits. This happens in a Web Worker — the user sees nothing.
- Solution verified. The server checks the hash in constant time. Valid solutions receive a Dilithium-signed session token that's valid for 1 hour.
- Session reuse. Subsequent requests within the session window are verified by the PQ-signed token alone — no re-solving needed.
BotShield adjusts proof-of-work difficulty based on threat level. Normal traffic gets 16-bit difficulty (~300ms solve on a modern laptop). Suspicious traffic patterns escalate to 20-bit (~5 seconds) or 24-bit (~80 seconds). A botnet running 10,000 simultaneous sessions at 20-bit difficulty burns real CPU cycles and real electricity — making the attack more expensive than the value of the target.
Challenge tokens are signed with CRYSTALS-Dilithium (ML-DSA, FIPS 204) — a post-quantum digital signature. This means BotShield tokens can't be forged even by an adversary with a quantum computer. No other CAPTCHA provider offers this. For the full technical deep dive, see BotShield: Proof-of-Work Bot Prevention.
Why Proof-of-Work Beats Behavioral Analysis
reCAPTCHA, Turnstile, and hCaptcha all rely on behavioral analysis — ML models that classify users as human or bot based on mouse movements, keystrokes, and browser fingerprints. This approach has a fundamental weakness: human farms bypass it trivially. For $1–2 per 1,000 solves, services like 2Captcha and AntiCaptcha route challenges to real humans in low-wage markets. The ML model sees real human behavior because it is real human behavior.
Proof-of-work doesn't care who or what is solving the challenge. A human farm still has to burn CPU cycles on every single request. At 20-bit difficulty, that's ~5 seconds of full core utilization per solve. A botnet of 10,000 machines doing 12 solves/minute/core costs real electricity. The economics don't scale for the attacker — there's no shortcut, no ML model to fool, no image labeling task to outsource.
Three structural advantages of proof-of-work over behavioral CAPTCHA:
- No ML model to retrain. Behavioral CAPTCHAs are in a constant arms race with bot developers. Every few months, the ML model needs retraining as adversaries adapt. SHA-256 doesn't degrade over time — the mathematics are permanent.
- No false positives. reCAPTCHA v3's risk scoring produces false positives that block legitimate users — especially users with disabilities, VPN users, Tor users, and users in regions with unusual browsing patterns. Proof-of-work doesn't discriminate. If you can compute SHA-256, you pass.
- No data collection required. The entire security model is the computational cost of finding a hash collision. No behavioral data is needed, collected, or transmitted. Privacy is a structural property, not a policy promise.
Pricing
BotShield pricing is straightforward. No per-assessment overages, no surprise bills.
| Plan | Challenges/Month | Price | Per Challenge |
|---|---|---|---|
| Free | 2,500 | $0 | $0.000 |
| Starter | 10,000 | $29.99/mo | $0.003 |
| Pro | 100,000 | $49/mo | $0.0005 |
| Business | 1,000,000 | $249/mo | $0.00025 |
For comparison: reCAPTCHA Enterprise charges $8/month for 10K–100K assessments, but that's $8/month plus sending your users' behavioral data to Google. BotShield Starter at $29.99/month gives you 10K challenges with zero tracking. Pro at $49/month is 100K challenges — equivalent to reCAPTCHA's paid tier but without the GDPR liability.
The free tier at 2,500 challenges/month covers most personal sites, blogs, and small business contact forms without paying a cent.
WordPress, Shopify, React — It Works Everywhere
WordPress
// Add BotShield to WordPress function h33_botshield_enqueue() { wp_enqueue_script( 'h33-botshield', 'https://api.h33.ai/v1/botshield/script.js', array(), null, true ); } add_action('wp_enqueue_scripts', 'h33_botshield_enqueue'); // Add BotShield widget to comment forms, login forms, etc. function h33_botshield_field() { echo '<div data-botshield data-key="YOUR_KEY"></div>'; } add_action('comment_form', 'h33_botshield_field'); add_action('login_form', 'h33_botshield_field');
Shopify (Liquid)
{%- comment -%} H33 BotShield for Shopify {%- endcomment -%} <script src="https://api.h33.ai/v1/botshield/script.js" async defer></script> {%- comment -%} Add to your contact form or newsletter signup: {%- endcomment -%} <div data-botshield data-key="YOUR_KEY"></div>
React / Next.js
import { useBotShield } from '@h33/botshield/react'; export default function ContactForm() { const { solve, isReady } = useBotShield({ key: 'YOUR_KEY' }); const handleSubmit = async (e) => { e.preventDefault(); const token = await solve(); await fetch('/api/contact', { method: 'POST', headers: { 'Content-Type': 'application/json', 'X-BotShield-Token': token, }, body: JSON.stringify({ name, email, message }), }); }; return ( <form onSubmit={handleSubmit}> {/* your form fields */} <button type="submit" disabled={!isReady}>Send</button> </form> ); }
Vue / Nuxt
<script setup> import { useBotShield } from '@h33/botshield/vue'; const { solve, isReady } = useBotShield({ key: 'YOUR_KEY' }); async function onSubmit() { const token = await solve(); await $fetch('/api/contact', { method: 'POST', headers: { 'X-BotShield-Token': token }, body: { name, email, message }, }); } </script> <template> <form @submit.prevent="onSubmit"> <!-- your form fields --> <button type="submit" :disabled="!isReady">Send</button> </form> </template>
BotShield works with any framework, any hosting provider, and any backend language. The script tag approach works everywhere — static sites, PHP, Rails, Django, Express, you name it. The npm package provides framework-specific hooks for React, Vue, Svelte, and Solid.
Migration Checklist
- Remove
google.com/recaptcha/api.jsscript tag - Remove
g-recaptchadiv elements - Remove server-side
siteverifycalls - Add BotShield script tag or npm package
- Add
data-botshieldwidget to protected forms - Add server-side token verification
- Test in staging
- Deploy before April 2, 2026