DEV Community

Cover image for Why your reCAPTCHA v3 score is low — and how to actually raise it
Bassem Shahin
Bassem Shahin

Posted on • Originally published at blog.captchaai.com

Why your reCAPTCHA v3 score is low — and how to actually raise it

Why your reCAPTCHA v3 score is low — and how to actually raise it

reCAPTCHA v3 is the one that never shows a checkbox or a puzzle. Instead it watches the whole session and hands the site a score from 0.0 to 1.0 — roughly "how human does this look." The site then decides what to do with it (allow, step up, block) based on its own threshold. So when your automation "fails reCAPTCHA v3," there's nothing to click — you're just scoring too low. The fix is understanding what it scores.

What v3 is actually scoring

v3 doesn't test whether you can solve something. It builds a risk score from signals across the page load and session:

  • IP reputation — datacenter ranges score low almost by default; residential/mobile score higher.

  • Browser fingerprint — navigator.webdriver, headless/automation tells, missing or inconsistent client-hints, a TLS/JA3 that doesn't match the UA you claim.

  • Behavior + history — mouse movement, timing, whether you have Google cookies / a browsing history, how you arrived at the page.

  • The action parameter — v3 tags each execution with an action (e.g. login); a mismatch or a generic action looks off.

The key mental model: a low score is a "you look automated" verdict, assembled before you ever submit. There's no token to "solve" your way past it — you raise the score or you produce a token that already scores high.

Why yours is low (the usual suspects)

  • Running from a datacenter IP (AWS/GCP/cloud) — the single biggest score killer.

  • Default Selenium/Playwright — leaks navigator.webdriver + CDP/headless artifacts.

  • A cold session — no cookies, no history, straight to the protected action.

  • Machine-speed behavior — instant navigation/clicks, no human-ish timing.

  • Fingerprint mismatch — a Chrome UA over a Pythonrequests TLS fingerprint, or a geo/timezone that disagrees with the IP.

How to actually raise it

  1. Fix the IP first — residential/mobile, geo-consistent with the rest of the profile. This alone moves the score the most.

  2. Kill the automation tells — a stealth/patched browser (or a real one) so navigator.webdriver is false, client-hints are consistent, and the TLS fingerprint matches the UA.

  3. Warm the session — keep cookies, do a little real navigation before the scored action, don't jump straight to the endpoint.

  4. Human-ish behavior — realistic timing and interaction, not perfect machine cadence.

  5. Use the right action — match the action the site expects for that step.

For automation that still scores too low after the fundamentals, the practical route is to fetch a token from a solving service that produces high-scoring v3 tokens, then submit it. One important nuance people miss: the minimum score is set by the target site, not by you or the solver — so you can't "request 0.9"; you produce the best token possible and the site's threshold decides. Getting the fundamentals right is what makes that token land above their cutoff.


import requests, time

API_KEY, SITEKEY, PAGEURL = "YOUR_API_KEY", "6Lc...", "https://target.example/login"

rid = requests.post("https://ocr.captchaai.com/in.php", data={

    "key": API_KEY, "method": "userrecaptcha",

    "version": "v3", "action": "login",

    "googlekey": SITEKEY, "pageurl": PAGEURL, "json": 1,

}).json()["request"]

token = None

for _ in range(40):

    time.sleep(3)

    res = requests.get("https://ocr.captchaai.com/res.php", params={

        "key": API_KEY, "action": "get", "id": rid, "json": 1}).json()

    if res["status"] == 1:

        token = res["request"]; break

# submit token as g-recaptcha-response for the matching action

Enter fullscreen mode Exit fullscreen mode

TL;DR

  • v3 gives a 0.0–1.0 score, not a puzzle — a low score means "looks automated," assembled from IP + fingerprint + behavior.

  • Biggest levers, in order: residential geo-matched IP → no automation fingerprint → warm session → human-ish behavior → correct action.

  • The site sets the min-score threshold, not you — so fix the fundamentals; a token only lands if the rest looks legit.


If you want to test the token flow against your own target, CaptchaAI returns reCAPTCHA v3 tokens (with action) and is 2Captcha-API-compatible, so an existing client is mostly a base-URL change — the trial is free (3 days, no card).

Top comments (0)