{"id":815,"date":"2026-04-16T06:24:21","date_gmt":"2026-04-16T06:24:21","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-recaptcha-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/"},"modified":"2026-04-16T06:24:21","modified_gmt":"2026-04-16T06:24:21","slug":"google-cloud-recaptcha-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-recaptcha-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/","title":{"rendered":"Google Cloud reCAPTCHA Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Security<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>reCAPTCHA is Google Cloud\u2019s bot detection and abuse-prevention service used to protect web and mobile applications from automated traffic, credential stuffing, fake account creation, and other forms of fraud and abuse.<\/p>\n\n\n\n<p>In simple terms: you add reCAPTCHA to login pages, signup forms, checkout flows, password reset forms, and APIs to tell real users apart from bots\u2014without forcing every user to solve a puzzle.<\/p>\n\n\n\n<p>Technically, reCAPTCHA works by collecting signals from a client (web, Android, iOS) and issuing a short-lived token. Your backend then sends that token to the reCAPTCHA service to create an \u201cassessment\u201d and receive a risk analysis result (for score-based flows) or challenge outcomes (for checkbox\/challenge flows). You use that result to allow, deny, rate-limit, or step up verification for suspicious traffic.<\/p>\n\n\n\n<p>It solves a common Security problem: automated abuse scales cheaply for attackers, while manual review and over-aggressive blocking hurt user experience. 
reCAPTCHA helps you apply risk-based controls and step-up challenges only when needed.<\/p>\n\n\n\n<blockquote>\n<p>Naming clarification (important): In the Google Cloud console and documentation, the product is <strong>reCAPTCHA Enterprise<\/strong>. Many developers also know the free\/consumer \u201creCAPTCHA\u201d product used on websites. This tutorial focuses on the <strong>Google Cloud<\/strong> service (reCAPTCHA Enterprise). You will still see \u201creCAPTCHA\u201d used throughout this article as the primary service name, but steps and APIs align to <strong>reCAPTCHA Enterprise<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<p>Official docs: https:\/\/cloud.google.com\/recaptcha-enterprise\/docs<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is reCAPTCHA?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>reCAPTCHA (reCAPTCHA Enterprise on Google Cloud) is a managed Security service that helps you <strong>detect abusive traffic<\/strong> and <strong>protect user interactions<\/strong> (forms, logins, transactions, API calls) from bots and fraud.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (high-level)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Bot detection and risk scoring<\/strong> for web and mobile interactions<\/li>\n<li><strong>Token-based verification<\/strong> where your backend validates client tokens through the reCAPTCHA API<\/li>\n<li><strong>Challenge \/ checkbox experiences<\/strong> in supported integrations (use-case dependent; verify the latest product options in official docs)<\/li>\n<li><strong>WAF integration<\/strong> patterns (commonly with Google Cloud Armor) to challenge suspicious traffic at the edge (availability depends on configuration and features; verify in official docs)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>reCAPTCHA key<\/strong>: Configuration 
object that represents an app\/site integration (web domain or mobile app). Keys define platform and allowed domains\/apps.<\/li>\n<li><strong>Client-side integration<\/strong>: JavaScript for web, SDK calls for Android\/iOS, producing a <strong>token<\/strong>.<\/li>\n<li><strong>Assessment API<\/strong>: Backend creates an assessment for a token to obtain a <strong>risk analysis<\/strong> and reasons\/signals.<\/li>\n<li><strong>Policy logic (your code)<\/strong>: Threshold-based decisions (allow, block, step-up verification, require MFA, throttle, queue for review).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fully managed Google Cloud service consumed via API and client-side libraries.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope (project\/global\/regional)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Project-scoped<\/strong>: Keys and assessments live under a <strong>Google Cloud project<\/strong>.<\/li>\n<li>Generally treated as a <strong>global<\/strong> service from a consumer perspective (you call a Google API endpoint). 
Data handling and service specifics can vary; always confirm data residency and compliance requirements in official documentation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Google Cloud ecosystem<\/h3>\n\n\n\n<p>reCAPTCHA is typically used alongside:\n&#8211; <strong>Cloud Run \/ GKE \/ Compute Engine<\/strong> for backend verification endpoints\n&#8211; <strong>Cloud Load Balancing<\/strong> and <strong>Cloud Armor<\/strong> for edge protection and WAF enforcement (where applicable)\n&#8211; <strong>Identity Platform<\/strong> or your identity system to protect login\/signup flows\n&#8211; <strong>Cloud Logging \/ Cloud Monitoring<\/strong> for visibility\n&#8211; <strong>Secret Manager<\/strong> for storing sensitive configuration (even though reCAPTCHA Enterprise commonly uses service accounts rather than shared \u201csecret keys,\u201d you may still store thresholds, allowlists, or integration config securely)<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use reCAPTCHA?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduce fraud losses (fake signups, promo abuse, credential stuffing).<\/li>\n<li>Protect brand trust by minimizing account takeovers and spam.<\/li>\n<li>Improve conversion by applying friction only to risky users (risk-based UX).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managed risk analysis without building and maintaining your own bot detection pipeline.<\/li>\n<li>Works across <strong>web and mobile<\/strong>.<\/li>\n<li>API-driven verification makes it easy to integrate into modern architectures (microservices, serverless, API gateways).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralized key management per app\/site within a Google Cloud project.<\/li>\n<li>Integrates with Google Cloud observability (Audit Logs, metrics) and typical SRE practices.<\/li>\n<li>Scales without you managing detection infrastructure.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Helps enforce controls aligned with common security requirements:\n<ul class=\"wp-block-list\">\n<li>Account protection<\/li>\n<li>Abuse prevention<\/li>\n<li>Fraud reduction<\/li>\n<\/ul>\n<\/li>\n<li>Supports auditability via Google Cloud Audit Logs for admin changes (exact event coverage depends on configuration; verify in official docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Lightweight client integration; backend verification is an API call.<\/li>\n<li>Lets you shift from \u201cblock everything\u201d to \u201cscore and step up\u201d at scale.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose reCAPTCHA<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You operate 
internet-facing apps with authentication and high-value actions.<\/li>\n<li>You see bot-driven abuse (spikes, signup spam, password spraying, API scraping).<\/li>\n<li>You want a managed, widely adopted approach rather than maintaining ML pipelines and device fingerprinting infrastructure.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose reCAPTCHA<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Offline\/internal-only systems<\/strong> with no public user interaction.<\/li>\n<li>Apps where <strong>any third-party risk signal collection<\/strong> is prohibited by policy (privacy constraints, regulatory constraints, or internal rules). You should verify your legal and compliance posture.<\/li>\n<li>Very low-risk sites where simple rate limiting and basic input validation is sufficient.<\/li>\n<li>If your threat model requires fully self-hosted detection with complete control over data collection and processing (note: building this well is costly).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is reCAPTCHA used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>E-commerce (checkout, account creation, promo redemption)<\/li>\n<li>Financial services (login, payments, transfers\u2014often as part of layered fraud controls)<\/li>\n<li>Media and publishing (comment spam, scraping)<\/li>\n<li>SaaS (trial signups, password resets, API abuse)<\/li>\n<li>Gaming (cheat\/bot prevention around account actions)<\/li>\n<li>Healthcare and education (protect portals and forms)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security engineering (abuse prevention, fraud controls)<\/li>\n<li>Platform\/DevOps\/SRE (edge protections, reliability)<\/li>\n<li>Application engineering (login\/signup flows, anti-spam)<\/li>\n<li>IAM teams (account protection)<\/li>\n<li>Data teams (fraud analytics\u2014often export\/analysis outside reCAPTCHA)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Web apps (SPA + API, server-rendered apps)<\/li>\n<li>Mobile apps (Android\/iOS)<\/li>\n<li>API backends protecting high-value endpoints<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monolith + web forms<\/li>\n<li>Microservices (token verified by an auth gateway or dedicated anti-abuse service)<\/li>\n<li>Serverless (Cloud Run \/ Cloud Functions verification endpoint)<\/li>\n<li>WAF\/edge gating (commonly Cloud Armor in front of load balancers)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: tuned thresholds, step-up verification, monitoring and alerts, fallback behavior.<\/li>\n<li><strong>Dev\/test<\/strong>: separate keys\/projects, relaxed thresholds, test domains (<code>localhost<\/code>) where supported, and careful handling to 
avoid polluting production signals.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where reCAPTCHA is commonly deployed. Each includes the problem, why reCAPTCHA fits, and a short example.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Protect signup forms from fake account creation<\/strong><br\/>\n   &#8211; Problem: Bot-driven signup floods lead to spam, resource waste, and fraudulent trials.<br\/>\n   &#8211; Why reCAPTCHA fits: Risk scoring lets you block or challenge only suspicious signups.<br\/>\n   &#8211; Example: If score &lt; 0.3, require email verification + phone OTP; otherwise allow signup.<\/p>\n<\/li>\n<li>\n<p><strong>Defend login endpoints from credential stuffing<\/strong><br\/>\n   &#8211; Problem: Attackers test leaked credentials at scale.<br\/>\n   &#8211; Why reCAPTCHA fits: Detect automation and step up verification for risky attempts.<br\/>\n   &#8211; Example: Low score triggers MFA or temporary lockout; normal users log in without friction.<\/p>\n<\/li>\n<li>\n<p><strong>Protect password reset flows<\/strong><br\/>\n   &#8211; Problem: Resets are abused to enumerate users or take over accounts.<br\/>\n   &#8211; Why reCAPTCHA fits: Add risk checks before sending reset emails\/SMS.<br\/>\n   &#8211; Example: Only send password reset email if score is above threshold, otherwise require additional verification.<\/p>\n<\/li>\n<li>\n<p><strong>Reduce comment\/contact form spam<\/strong><br\/>\n   &#8211; Problem: Bots submit spam links and malicious content.<br\/>\n   &#8211; Why reCAPTCHA fits: Quick client token + server verification blocks automation.<br\/>\n   &#8211; Example: Drop submissions below threshold or queue them for moderation.<\/p>\n<\/li>\n<li>\n<p><strong>Prevent promo code and coupon abuse<\/strong><br\/>\n   &#8211; Problem: Automated scripts redeem promotions repeatedly.<br\/>\n   
&#8211; Why reCAPTCHA fits: Add friction\/risk gating to redemption endpoint.<br\/>\n   &#8211; Example: If score is low, require challenge or rate-limit by account\/device.<\/p>\n<\/li>\n<li>\n<p><strong>Protect \u201cadd to cart\u201d and inventory hoarding<\/strong><br\/>\n   &#8211; Problem: Bots reserve inventory or create denial-of-inventory attacks.<br\/>\n   &#8211; Why reCAPTCHA fits: Gate add-to-cart or reserve endpoints.<br\/>\n   &#8211; Example: Low score attempts are blocked or delayed.<\/p>\n<\/li>\n<li>\n<p><strong>Stop ticket scalping automation<\/strong><br\/>\n   &#8211; Problem: Bots buy tickets faster than humans.<br\/>\n   &#8211; Why reCAPTCHA fits: Detect automation; apply step-up.<br\/>\n   &#8211; Example: Force challenge for risky sessions during on-sale windows.<\/p>\n<\/li>\n<li>\n<p><strong>Protect high-cost backend operations<\/strong><br\/>\n   &#8211; Problem: Attackers trigger expensive workflows (PDF generation, ML inference).<br\/>\n   &#8211; Why reCAPTCHA fits: Verify humanity before compute-heavy operations.<br\/>\n   &#8211; Example: If score &lt; threshold, deny request before Cloud Run triggers batch job.<\/p>\n<\/li>\n<li>\n<p><strong>Reduce scraping and automated content harvesting<\/strong><br\/>\n   &#8211; Problem: Competitors scrape pricing\/catalog pages or APIs.<br\/>\n   &#8211; Why reCAPTCHA fits: Pair risk scoring with rate limits and WAF rules.<br\/>\n   &#8211; Example: Low score + high request rate triggers block or challenge.<\/p>\n<\/li>\n<li>\n<p><strong>Secure account profile changes (email, phone, payout details)<\/strong><br\/>\n   &#8211; Problem: Attackers try to change account recovery methods.<br\/>\n   &#8211; Why reCAPTCHA fits: Step up verification for sensitive actions.<br\/>\n   &#8211; Example: Low score requires re-authentication + MFA.<\/p>\n<\/li>\n<li>\n<p><strong>Protect API endpoints used by web apps<\/strong><br\/>\n   &#8211; Problem: Bots call APIs directly, bypassing UI 
controls.<br\/>\n   &#8211; Why reCAPTCHA fits: Backend verifies tokens tied to expected actions.<br\/>\n   &#8211; Example: Require a valid token to call <code>\/api\/checkout<\/code>.<\/p>\n<\/li>\n<li>\n<p><strong>Fraud triage and investigation support<\/strong><br\/>\n   &#8211; Problem: You need signals to classify suspicious events.<br\/>\n   &#8211; Why reCAPTCHA fits: Risk analysis provides structured output for decisioning\/logging.<br\/>\n   &#8211; Example: Store assessment results (score + reasons) with auth logs for later analysis.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Feature availability can vary by platform (web vs mobile), integration type (score-based vs challenge), and product updates. Always confirm in the official docs: https:\/\/cloud.google.com\/recaptcha-enterprise\/docs<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">6.1 Keys for web and mobile apps<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Lets you create platform-specific keys (web domains, Android package signatures, iOS bundle IDs).  <\/li>\n<li><strong>Why it matters<\/strong>: Prevents reuse of keys on unauthorized sites\/apps.  <\/li>\n<li><strong>Practical benefit<\/strong>: Reduces token theft and unauthorized embedding.  <\/li>\n<li><strong>Caveats<\/strong>: Domain\/app restrictions must be correct; misconfiguration can break verification.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.2 Client-side token generation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Client code requests a token representing the interaction.  <\/li>\n<li><strong>Why it matters<\/strong>: The token is the link between the user interaction and backend verification.  <\/li>\n<li><strong>Practical benefit<\/strong>: Lightweight integration; no user friction for score-based flows.  
<\/li>\n<li><strong>Caveats<\/strong>: Tokens are short-lived; you must verify promptly. Avoid logging tokens.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.3 Assessment creation (server-side verification)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Your backend calls the reCAPTCHA Enterprise API to create an assessment from a token.  <\/li>\n<li><strong>Why it matters<\/strong>: This is the authoritative verification step; client-only checks are not secure.  <\/li>\n<li><strong>Practical benefit<\/strong>: Centralized enforcement in backend services.  <\/li>\n<li><strong>Caveats<\/strong>: Requires IAM permissions and correct expected action matching.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.4 Risk scoring and reasons (score-based)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Returns a score (risk level) and supporting signals\/reasons (exact fields depend on API response).  <\/li>\n<li><strong>Why it matters<\/strong>: Enables adaptive Security controls and reduced user friction.  <\/li>\n<li><strong>Practical benefit<\/strong>: Allows \u201callow\/deny\/step-up\u201d flows based on thresholds.  <\/li>\n<li><strong>Caveats<\/strong>: You must tune thresholds per endpoint; don\u2019t use one threshold for everything.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.5 Challenge \/ checkbox support (where applicable)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Presents a user challenge\/checkbox flow to verify humanity.  <\/li>\n<li><strong>Why it matters<\/strong>: Useful when you need a stronger assertion than \u201cscore.\u201d  <\/li>\n<li><strong>Practical benefit<\/strong>: High-confidence gating for sensitive actions.  <\/li>\n<li><strong>Caveats<\/strong>: Adds user friction; can impact accessibility and conversion. 
Confirm current options and recommended patterns in official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.6 Action binding (expectedAction \/ action names)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Associates a token with an \u201caction\u201d (e.g., <code>login<\/code>, <code>signup<\/code>, <code>checkout<\/code>). Backend verifies the token matches the expected action.  <\/li>\n<li><strong>Why it matters<\/strong>: Helps prevent token replay across endpoints.  <\/li>\n<li><strong>Practical benefit<\/strong>: Safer implementations with clearer analytics per user journey.  <\/li>\n<li><strong>Caveats<\/strong>: Action mismatch is a common cause of false negatives.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.7 IAM-based access control (Enterprise)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Uses Google Cloud IAM for administrative actions and API calls.  <\/li>\n<li><strong>Why it matters<\/strong>: Enables least privilege, auditability, and service account usage.  <\/li>\n<li><strong>Practical benefit<\/strong>: You avoid shared secrets in many server-to-server patterns.  <\/li>\n<li><strong>Caveats<\/strong>: Mis-scoped service accounts can leak permissions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.8 Observability hooks (logs\/metrics)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Admin activity can be captured in Cloud Audit Logs; API usage is visible via Google Cloud operations tooling (exact metrics\/logs vary).  <\/li>\n<li><strong>Why it matters<\/strong>: Helps SRE and Security teams monitor impact, detect misconfigurations, and respond to incidents.  <\/li>\n<li><strong>Practical benefit<\/strong>: Enables alerting on sudden spikes in assessments (possible attack).  
<\/li>\n<li><strong>Caveats<\/strong>: Avoid logging PII or tokens; log only the minimal necessary outcomes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.9 Integration patterns with edge Security (commonly Cloud Armor)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Lets you design architectures where suspicious traffic is challenged\/filtered at the edge, reducing load on origin services.  <\/li>\n<li><strong>Why it matters<\/strong>: Pushes abuse controls \u201cleft\u201d (earlier in the request path).  <\/li>\n<li><strong>Practical benefit<\/strong>: Better performance and cost under attack.  <\/li>\n<li><strong>Caveats<\/strong>: Integration specifics can be feature- and SKU-dependent; verify the current Cloud Armor + reCAPTCHA guidance.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>At a high level, reCAPTCHA introduces a <strong>client token<\/strong> and a <strong>server verification<\/strong> step:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>User loads your web\/mobile UI.<\/li>\n<li>UI requests a reCAPTCHA token for a named action (e.g., <code>login<\/code>).<\/li>\n<li>UI sends token to your backend along with the user request (login\/signup\/etc.).<\/li>\n<li>Backend calls reCAPTCHA Enterprise <strong>CreateAssessment<\/strong> API using a service account.<\/li>\n<li>Backend receives risk score \/ challenge result and decides: allow, deny, step-up, throttle, or log for review.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data flow<\/strong>: token \u2192 backend \u2192 assessment \u2192 decision  <\/li>\n<li><strong>Control flow<\/strong>: your backend (not the client) is the policy enforcement point.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common integrations in Google Cloud:\n&#8211; <strong>Cloud Run<\/strong>: host verification API endpoints.\n&#8211; <strong>Cloud Functions<\/strong>: lightweight verification logic (watch cold starts and latency).\n&#8211; <strong>API Gateway \/ Apigee<\/strong>: enforce verification before routing to internal APIs (implementation pattern varies; often done in the backend or via policy logic).\n&#8211; <strong>Cloud Armor<\/strong>: edge policies, rate limiting, and (where configured) reCAPTCHA enforcement\/challenges.\n&#8211; <strong>Identity Platform \/ IAM \/ IAP<\/strong>: layered defenses for auth flows.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>reCAPTCHA Enterprise API enabled in the project.<\/li>\n<li>A service account (or workload identity) with permissions to create assessments.<\/li>\n<li>Client-side integration scripts\/SDKs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Client-side<\/strong>: no secrets; uses a site key (public) to request token.<\/li>\n<li><strong>Server-side<\/strong>: authenticated to Google Cloud via:\n<ul class=\"wp-block-list\">\n<li>Service account key (not recommended long-term), or<\/li>\n<li>Default service account identity on Cloud Run\/GKE\/Compute Engine, or<\/li>\n<li>Workload Identity Federation (recommended for non-Google environments)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Authorization<\/strong>: IAM roles grant permission to call CreateAssessment.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Clients call Google endpoints to obtain tokens (web JS or mobile SDK flows).<\/li>\n<li>Backend calls Google APIs over HTTPS.<\/li>\n<li>If using Cloud Armor, traffic may be filtered before reaching your backend.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor:\n<ul class=\"wp-block-list\">\n<li>Volume of assessments<\/li>\n<li>Error rates (invalid tokens, action mismatch)<\/li>\n<li>Latency added to user-critical flows<\/li>\n<\/ul>\n<\/li>\n<li>Governance:\n<ul class=\"wp-block-list\">\n<li>Use separate keys for environments (dev\/stage\/prod)<\/li>\n<li>Rotate\/replace keys if a domain\/app config changes<\/li>\n<li>Use naming conventions and labels for clarity (where supported)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[User Browser \/ Mobile App] --&gt;|Load app| FE[Frontend UI]\n  FE --&gt;|\"Request token (action=login)\"| RC[reCAPTCHA]\n  FE --&gt;|Send token + request| BE[Backend API]\n  BE --&gt;|CreateAssessment| RCE[reCAPTCHA Enterprise API]\n  RCE --&gt;|Score \/ verdict| BE\n  BE --&gt;|Allow \/ Block \/ Step-up| U\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Internet\n    U[Users]\n    B[Bots \/ Attackers]\n  end\n\n  subgraph Edge[Edge]\n    LB[Cloud Load Balancer]\n    CA[\"Cloud Armor Policy&lt;br\/&gt;(rate limit \/ WAF rules&lt;br\/&gt;+ optional reCAPTCHA enforcement)\"]\n  end\n\n  subgraph App[Application]\n    FE[\"Web Frontend&lt;br\/&gt;(Cloud Run or GCS+CDN)\"]\n    API[\"Backend APIs&lt;br\/&gt;(Cloud Run \/ GKE)\"]\n    AUTH[\"Auth Service&lt;br\/&gt;(Identity Platform or custom)\"]\n  end\n\n  subgraph Security[Security Services]\n    RCE[reCAPTCHA Enterprise API]\n    LOG[Cloud Logging \/ Audit Logs]\n    MON[Cloud Monitoring]\n    SM[\"Secret Manager&lt;br\/&gt;(thresholds\/config)\"]\n  end\n\n  U --&gt; LB\n  B --&gt; LB\n  LB --&gt; CA --&gt; FE\n  CA --&gt; API\n\n  FE --&gt;|Get token| RCE\n  FE --&gt;|Send token| API\n  API --&gt;|CreateAssessment| RCE\n\n  API --&gt; AUTH\n\n  API --&gt; LOG\n  FE --&gt; LOG\n  LOG --&gt; MON\n  API --&gt; 
SM\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/project requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A <strong>Google Cloud project<\/strong> with <strong>billing enabled<\/strong> (reCAPTCHA Enterprise is a billed service).<\/li>\n<li>Access to the <strong>Google Cloud Console<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>You need permissions to:\n&#8211; Enable APIs\n&#8211; Create and manage reCAPTCHA keys\n&#8211; Deploy backend resources (Cloud Run in this lab)<\/p>\n\n\n\n<p>Common roles (verify exact role names and scope in official IAM docs for reCAPTCHA Enterprise):\n&#8211; reCAPTCHA admin role (for managing keys)\n&#8211; reCAPTCHA agent role (for creating assessments)\n&#8211; Cloud Run Admin and Service Account User (for deployment)\n&#8211; Viewer or Logging Viewer for validation<\/p>\n\n\n\n<p>If you\u2019re in an organization with centralized policy, you may need a platform admin to grant you access.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Billing account linked to the project.<\/li>\n<li>Ability to view billing usage (optional but recommended).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CLI\/SDK\/tools needed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cloud.google.com\/sdk\/docs\/install\">Google Cloud SDK (gcloud)<\/a><\/li>\n<li>A code editor<\/li>\n<li>Python 3.10+ (for the sample backend) or Node.js if you prefer<\/li>\n<li>curl (for testing) optional<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Run is regional.<\/li>\n<li>reCAPTCHA Enterprise is accessed via Google APIs; regional availability constraints can exist for compliance\/data residency. 
<strong>Verify in official docs<\/strong> if you have strict residency requirements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>reCAPTCHA assessments have quotas (per minute\/day) and limits; these can vary.<\/li>\n<li>Cloud Run has request\/instance quotas.<\/li>\n<li>Check the current reCAPTCHA Enterprise quotas in the Google Cloud console (APIs &amp; Services) and in the official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<p>For the hands-on lab:\n&#8211; Cloud Run API\n&#8211; Cloud Build API\n&#8211; Artifact Registry API (may be used by Cloud Build\/Run)\n&#8211; reCAPTCHA Enterprise API<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<p>Official pricing page (start here):<br\/>\nhttps:\/\/cloud.google.com\/recaptcha-enterprise\/pricing<\/p>\n\n\n\n<p>Google Cloud Pricing Calculator (for surrounding infrastructure):<br\/>\nhttps:\/\/cloud.google.com\/products\/calculator<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (typical)<\/h3>\n\n\n\n<p>reCAPTCHA Enterprise pricing is generally <strong>usage-based<\/strong>, commonly driven by:\n&#8211; Number of <strong>assessments<\/strong> (server-side verification calls)\n&#8211; Number\/type of <strong>challenges<\/strong> (if using challenge-based approaches)\n&#8211; Potentially feature-tier dimensions (if Google offers multiple SKUs\/tiers\u2014<strong>verify current SKUs in official pricing<\/strong>)<\/p>\n\n\n\n<p>Because pricing can change and may differ by contract\/edition, do not hardcode numbers. Use the official page for exact rates.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier (if applicable)<\/h3>\n\n\n\n<p>Some Google Cloud services include free quotas. 
For reCAPTCHA Enterprise, any free tier or trial credits must be confirmed on the official pricing page.<br\/>\n&#8211; <strong>Action<\/strong>: Check https:\/\/cloud.google.com\/recaptcha-enterprise\/pricing for current free quotas (if any).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>High traffic to protected endpoints (login, signup)<\/li>\n<li>Bots triggering more verification attempts<\/li>\n<li>Protecting \u201cevery request\u201d rather than just high-risk interactions<\/li>\n<li>Inefficient implementations (verifying tokens multiple times per request)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cloud Run \/ GKE costs<\/strong> for the verification endpoint (compute + requests)<\/li>\n<li><strong>Logging costs<\/strong> if you log excessively (Cloud Logging ingestion\/retention)<\/li>\n<li><strong>Operational overhead<\/strong>: tuning thresholds, managing false positives, support work<\/li>\n<li><strong>User experience costs<\/strong>: too many challenges can reduce conversion<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Calls to Google APIs occur over HTTPS; typical payload sizes are small.<\/li>\n<li>If your backend runs outside Google Cloud, egress costs from your platform and latency may matter.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protect <strong>high-value actions<\/strong> rather than every single page view.<\/li>\n<li>Cache decisions carefully only when safe (generally you should not reuse tokens; tokens are short-lived).<\/li>\n<li>Use risk-based flows:<\/li>\n<li>Only step up when score is below a threshold.<\/li>\n<li>Apply stricter rules during attack windows.<\/li>\n<li>Monitor assessment volume spikes and respond with edge 
controls (rate limiting, Cloud Armor) to reduce origin hits.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (model, not numbers)<\/h3>\n\n\n\n<p>For an MVP:\n&#8211; Protect only signup + login + password reset.\n&#8211; Assume a modest daily user volume; cost scales primarily with assessments.\n&#8211; Use Cloud Run with minimal instance configuration and scale-to-zero.\n&#8211; Keep logs minimal (score + decision + endpoint), avoid full payload logging.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production:\n&#8211; Multiple protected endpoints across multiple apps.\n&#8211; You may run a centralized \u201canti-abuse\u201d service that verifies tokens for many downstream services.\n&#8211; Significant spikes during attacks; ensure budget alerts and rate limiting.\n&#8211; Consider a layered model:\n  &#8211; Cloud Armor rate limiting reduces load\n  &#8211; reCAPTCHA verifies interaction risk for sensitive endpoints<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab builds a small, real integration:\n&#8211; A simple web page that requests a reCAPTCHA token for an action.\n&#8211; A Cloud Run backend that verifies the token by creating an assessment.\n&#8211; A decision rule that allows or blocks based on score and action match.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Deploy a working, end-to-end reCAPTCHA (reCAPTCHA Enterprise) integration on Google Cloud using Cloud Run, and verify that:\n&#8211; Valid tokens produce assessments.\n&#8211; The backend receives a score\/verdict.\n&#8211; You can enforce a basic allow\/deny decision.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:\n1. Create\/select a Google Cloud project and enable required APIs.\n2. Create a reCAPTCHA key for a web application.\n3. 
Build a Cloud Run service that serves:\n   &#8211; a web page (<code>\/<\/code>)\n   &#8211; a verification endpoint (<code>\/verify<\/code>) that calls the reCAPTCHA Enterprise API\n4. Test and validate.\n5. Clean up.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create\/select a project and set environment variables<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open Google Cloud Console: https:\/\/console.cloud.google.com\/<\/li>\n<li>Select an existing project or create a new one.<\/li>\n<\/ol>\n\n\n\n<p>In Cloud Shell (or your terminal with gcloud configured), set variables:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export PROJECT_ID=\"YOUR_PROJECT_ID\"\nexport REGION=\"us-central1\"\ngcloud config set project \"$PROJECT_ID\"\ngcloud config set run\/region \"$REGION\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> <code>gcloud config list<\/code> shows your project and region.<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud config list\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Enable required APIs<\/h3>\n\n\n\n<p>Enable reCAPTCHA Enterprise and deployment APIs:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services enable \\\n  recaptchaenterprise.googleapis.com \\\n  run.googleapis.com \\\n  cloudbuild.googleapis.com \\\n  artifactregistry.googleapis.com\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> APIs enable successfully.<\/p>\n\n\n\n<p>Verification:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services list --enabled --filter=\"name:recaptchaenterprise\"\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create a reCAPTCHA key (web)<\/h3>\n\n\n\n<p>You typically create keys in the Console.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Security<\/strong> \u2192 <strong>reCAPTCHA<\/strong> in the Google Cloud Console 
(or search \u201creCAPTCHA Enterprise\u201d).<\/li>\n<li>Create a <strong>key<\/strong> for <strong>Web<\/strong>.<\/li>\n<li>Choose an integration type suitable for score-based verification (often described as score-based).<br\/>\n   &#8211; If you don\u2019t see the option you expect, <strong>verify in official docs<\/strong>; UI and options can evolve.<\/li>\n<li>Add allowed domains:\n   &#8211; For local testing, include <code>localhost<\/code> if supported.\n   &#8211; For Cloud Run testing, include your Cloud Run service URL host (you\u2019ll get it after deployment). Some configurations may allow patterns; if not, you may need to update the key after you know the exact domain.<\/li>\n<\/ol>\n\n\n\n<p>Record the <strong>site key<\/strong> (you will embed it in the frontend).<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> You have a site key string (public).<\/p>\n\n\n\n<blockquote>\n<p>Note: reCAPTCHA Enterprise verification usually uses <strong>service-to-service IAM<\/strong> rather than a shared \u201csecret key.\u201d Your backend will authenticate with a service account to call the API.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create a service account for verification (least privilege)<\/h3>\n\n\n\n<p>Create a dedicated service account for the Cloud Run service:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export SA_NAME=\"recaptcha-verifier\"\nexport SA_EMAIL=\"${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com\"\n\ngcloud iam service-accounts create \"$SA_NAME\" \\\n  --display-name=\"reCAPTCHA verification service account\"\n<\/code><\/pre>\n\n\n\n<p>Grant it the ability to create assessments.<\/p>\n\n\n\n<p>The exact role name can vary; in many projects this is a role in the reCAPTCHA Enterprise IAM set (for example, an \u201cagent\u201d role). 
<strong>Verify the correct role in the IAM roles list for reCAPTCHA Enterprise<\/strong>.<\/p>\n\n\n\n<p>You can search roles:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud iam roles list --filter=\"recaptcha\" --format=\"table(name,title)\"\n<\/code><\/pre>\n\n\n\n<p>Then bind the appropriate role (replace ROLE_NAME with what your project supports):<\/p>\n\n\n\n<pre><code class=\"language-bash\">export ROLE_NAME=\"roles\/recaptchaenterprise.agent\"\ngcloud projects add-iam-policy-binding \"$PROJECT_ID\" \\\n  --member=\"serviceAccount:${SA_EMAIL}\" \\\n  --role=\"$ROLE_NAME\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> The service account exists and has least-privilege permission to call CreateAssessment.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Create the Cloud Run app (frontend + verification endpoint)<\/h3>\n\n\n\n<p>Create a local directory:<\/p>\n\n\n\n<pre><code class=\"language-bash\">mkdir -p recaptcha-cloudrun-lab\ncd recaptcha-cloudrun-lab\n<\/code><\/pre>\n\n\n\n<p>Create <code>requirements.txt<\/code>:<\/p>\n\n\n\n<pre><code class=\"language-txt\">Flask==3.0.3\ngunicorn==22.0.0\ngoogle-cloud-recaptcha-enterprise==1.25.0\n<\/code><\/pre>\n\n\n\n<blockquote>\n<p>If dependency versions drift, use the latest compatible versions. 
Verify the official sample dependencies in docs or PyPI.<\/p>\n<\/blockquote>\n\n\n\n<p>Create <code>main.py<\/code>:<\/p>\n\n\n\n<pre><code class=\"language-python\">import os\nfrom flask import Flask, request, jsonify\n\nfrom google.cloud import recaptchaenterprise_v1\nfrom google.cloud.recaptchaenterprise_v1 import Assessment\nfrom google.cloud.recaptchaenterprise_v1 import Event\n\napp = Flask(__name__)\n\nPROJECT_ID = os.environ.get(\"PROJECT_ID\", \"\")\nSITE_KEY = os.environ.get(\"RECAPTCHA_SITE_KEY\", \"\")\n# Choose an action name and use it consistently in frontend + backend\nEXPECTED_ACTION = os.environ.get(\"EXPECTED_ACTION\", \"login\")\n\n# Decision threshold (tune in real deployments per endpoint)\n# Do NOT copy this threshold blindly; calibrate with your traffic.\nSCORE_THRESHOLD = float(os.environ.get(\"SCORE_THRESHOLD\", \"0.5\"))\n\n\ndef create_assessment(token: str) -&gt; dict:\n    \"\"\"\n    Calls reCAPTCHA Enterprise to create an assessment.\n    Returns a simplified response for the demo UI.\n    \"\"\"\n    if not PROJECT_ID or not SITE_KEY:\n        raise RuntimeError(\"Missing PROJECT_ID or RECAPTCHA_SITE_KEY environment variables\")\n\n    client = recaptchaenterprise_v1.RecaptchaEnterpriseServiceClient()\n    parent = f\"projects\/{PROJECT_ID}\"\n\n    event = Event(token=token, site_key=SITE_KEY, expected_action=EXPECTED_ACTION)\n    assessment = Assessment(event=event)\n\n    response = client.create_assessment(\n        request={\"parent\": parent, \"assessment\": assessment}\n    )\n\n    # The response structure can include token properties and risk analysis.\n    # Use only what you need and avoid logging sensitive info.\n    token_props = response.token_properties\n    risk = response.risk_analysis\n\n    # Basic decision example:\n    valid = bool(token_props.valid)\n    action_ok = (token_props.action == EXPECTED_ACTION)\n    score = float(getattr(risk, \"score\", 0.0))\n\n    allow = valid and action_ok and (score &gt;= 
SCORE_THRESHOLD)\n\n    return {\n        \"valid\": valid,\n        \"invalidReason\": str(getattr(token_props, \"invalid_reason\", \"\")),\n        \"actionFromToken\": token_props.action,\n        \"expectedAction\": EXPECTED_ACTION,\n        \"actionMatch\": action_ok,\n        \"score\": score,\n        \"scoreThreshold\": SCORE_THRESHOLD,\n        \"allow\": allow,\n        # Reasons can exist; exact field names can evolve:\n        \"reasons\": [str(r) for r in getattr(risk, \"reasons\", [])],\n    }\n\n\n@app.get(\"\/\")\ndef index():\n    # Minimal page served from the same Cloud Run service.\n    # In production, you might host frontend separately and call the backend API.\n    site_key = SITE_KEY\n    action = EXPECTED_ACTION\n    return f\"\"\"\n&lt;!doctype html&gt;\n&lt;html&gt;\n&lt;head&gt;\n  &lt;meta charset=\"utf-8\" \/&gt;\n  &lt;title&gt;reCAPTCHA Enterprise + Cloud Run Lab&lt;\/title&gt;\n  &lt;meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" \/&gt;\n  &lt;script src=\"https:\/\/www.google.com\/recaptcha\/enterprise.js?render={site_key}\"&gt;&lt;\/script&gt;\n  &lt;style&gt;\n    body {{ font-family: Arial, sans-serif; margin: 2rem; line-height: 1.4; }}\n    code {{ background: #f4f4f4; padding: 0.2rem 0.3rem; }}\n    .ok {{ color: #0a7; }}\n    .bad {{ color: #c00; }}\n    pre {{ background: #f7f7f7; padding: 1rem; overflow-x: auto; }}\n  &lt;\/style&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n  &lt;h2&gt;reCAPTCHA (Google Cloud) hands-on lab&lt;\/h2&gt;\n  &lt;p&gt;This page requests a token for action &lt;code&gt;{action}&lt;\/code&gt; and sends it to &lt;code&gt;\/verify&lt;\/code&gt;.&lt;\/p&gt;\n\n  &lt;button id=\"btn\"&gt;Get token and verify&lt;\/button&gt;\n  &lt;p id=\"status\"&gt;&lt;\/p&gt;\n  &lt;pre id=\"out\"&gt;&lt;\/pre&gt;\n\n  &lt;script&gt;\n    const statusEl = document.getElementById(\"status\");\n    const outEl = document.getElementById(\"out\");\n    const btn = document.getElementById(\"btn\");\n\n    
btn.addEventListener(\"click\", async () =&gt; {{\n      statusEl.textContent = \"Requesting token...\";\n      outEl.textContent = \"\";\n\n      try {{\n        const token = await grecaptcha.enterprise.execute(\"{site_key}\", {{ action: \"{action}\" }});\n        statusEl.textContent = \"Token received. Verifying with backend...\";\n\n        const resp = await fetch(\"\/verify\", {{\n          method: \"POST\",\n          headers: {{ \"Content-Type\": \"application\/json\" }},\n          body: JSON.stringify({{ token }})\n        }});\n\n        const data = await resp.json();\n        outEl.textContent = JSON.stringify(data, null, 2);\n\n        if (data.allow) {{\n          statusEl.innerHTML = \"&lt;span class='ok'&gt;ALLOW&lt;\/span&gt; (based on demo threshold)\";\n        }} else {{\n          statusEl.innerHTML = \"&lt;span class='bad'&gt;DENY \/ STEP-UP&lt;\/span&gt; (based on demo threshold)\";\n        }}\n      }} catch (e) {{\n        statusEl.innerHTML = \"&lt;span class='bad'&gt;Error:&lt;\/span&gt; \" + e;\n      }}\n    }});\n  &lt;\/script&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n\"\"\"\n\n\n@app.post(\"\/verify\")\ndef verify():\n    body = request.get_json(silent=True) or {}\n    token = body.get(\"token\", \"\")\n\n    if not token:\n        return jsonify({\"error\": \"Missing token\"}), 400\n\n    try:\n        result = create_assessment(token)\n        return jsonify(result), 200\n    except Exception as e:\n        # Do not leak sensitive details in production; log appropriately instead.\n        return jsonify({\"error\": str(e)}), 500\n\n\nif __name__ == \"__main__\":\n    app.run(host=\"127.0.0.1\", port=int(os.environ.get(\"PORT\", \"8080\")), debug=True)\n<\/code><\/pre>\n\n\n\n<p>Create <code>Procfile<\/code> (optional; Cloud Run typically uses container CMD, but this is fine for clarity):<\/p>\n\n\n\n<pre><code class=\"language-txt\">web: gunicorn -b :$PORT main:app\n<\/code><\/pre>\n\n\n\n<p>Create 
<code>Dockerfile<\/code>:<\/p>\n\n\n\n<pre><code class=\"language-dockerfile\">FROM python:3.11-slim\n\nWORKDIR \/app\nCOPY requirements.txt .\nRUN pip install --no-cache-dir -r requirements.txt\n\nCOPY main.py .\n\nENV PORT=8080\nCMD [\"gunicorn\", \"-b\", \":8080\", \"main:app\"]\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> You have a deployable Cloud Run service that will serve <code>\/<\/code> and <code>\/verify<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Deploy to Cloud Run<\/h3>\n\n\n\n<p>Set your site key in an environment variable (replace with your actual key):<\/p>\n\n\n\n<pre><code class=\"language-bash\">export RECAPTCHA_SITE_KEY=\"YOUR_SITE_KEY\"\n<\/code><\/pre>\n\n\n\n<p>Deploy:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud run deploy recaptcha-lab \\\n  --source . \\\n  --region \"$REGION\" \\\n  --allow-unauthenticated \\\n  --service-account \"$SA_EMAIL\" \\\n  --set-env-vars \"PROJECT_ID=$PROJECT_ID,RECAPTCHA_SITE_KEY=$RECAPTCHA_SITE_KEY,EXPECTED_ACTION=login,SCORE_THRESHOLD=0.5\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong> Deployment completes and prints a Cloud Run service URL.<\/p>\n\n\n\n<p>Copy the URL (for example: <code>https:\/\/recaptcha-lab-&lt;hash&gt;-uc.a.run.app<\/code>).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Update allowed domains in your reCAPTCHA key (if needed)<\/h3>\n\n\n\n<p>If your key restricts domains (recommended), update the allowed domains to include the Cloud Run hostname (not the full URL path).<\/p>\n\n\n\n<p>Example hostname to allow:\n&#8211; <code>recaptcha-lab-&lt;hash&gt;-uc.a.run.app<\/code><\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong> The browser is allowed to render and execute reCAPTCHA for that domain.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Test the integration<\/h3>\n\n\n\n<p>Open the 
Cloud Run URL in your browser. Click <strong>Get token and verify<\/strong>.<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong>\n&#8211; The page obtains a token.\n&#8211; <code>\/verify<\/code> returns JSON including:\n  &#8211; <code>valid: true<\/code>\n  &#8211; <code>actionMatch: true<\/code>\n  &#8211; a <code>score<\/code> value\n  &#8211; <code>allow: true\/false<\/code> based on the demo threshold<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use these checks:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Browser UI test<\/strong>\n   &#8211; The page shows <strong>ALLOW<\/strong> or <strong>DENY\/STEP-UP<\/strong> and prints a JSON response.<\/p>\n<\/li>\n<li>\n<p><strong>Cloud Run logs<\/strong>\n   &#8211; In Cloud Console \u2192 Cloud Run \u2192 your service \u2192 Logs<br\/>\n   &#8211; You should see requests to <code>\/<\/code> and <code>\/verify<\/code>.\n   &#8211; In this lab code, we avoid logging token details by default. 
Keep it that way in production.<\/p>\n<\/li>\n<li>\n<p><strong>Direct API behavior (optional)<\/strong>\n   &#8211; If you see errors, validate that:<\/p>\n<ul>\n<li>The Cloud Run service account has the correct role.<\/li>\n<li>The reCAPTCHA API is enabled.<\/li>\n<li>Site key matches the one in your key configuration.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>\u201cMissing PROJECT_ID or RECAPTCHA_SITE_KEY\u201d<\/strong>\n   &#8211; Cause: Env vars not set on Cloud Run.\n   &#8211; Fix: Re-deploy or edit Cloud Run service \u2192 Variables &amp; Secrets.<\/p>\n<\/li>\n<li>\n<p><strong><code>PERMISSION_DENIED<\/code> when calling CreateAssessment<\/strong>\n   &#8211; Cause: Cloud Run service account lacks reCAPTCHA Enterprise permission.\n   &#8211; Fix:<\/p>\n<ul>\n<li>Confirm the role binding on the correct project.<\/li>\n<li>Confirm you used <code>--service-account<\/code> in the deploy.<\/li>\n<li>Verify the correct IAM role name in your environment (role names can be organization-restricted).<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Token invalid \/ <code>invalidReason<\/code> present<\/strong>\n   &#8211; Cause: Domain not allowed, wrong site key, token expired, or action mismatch.\n   &#8211; Fix:<\/p>\n<ul>\n<li>Add the correct domain to allowed domains.<\/li>\n<li>Ensure frontend and backend use the same <code>EXPECTED_ACTION<\/code> (<code>login<\/code> in this lab).<\/li>\n<li>Refresh and retry; don\u2019t reuse tokens.<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Action mismatch (<code>actionMatch: false<\/code>)<\/strong>\n   &#8211; Cause: Frontend action differs from backend expected action.\n   &#8211; Fix: Ensure <code>grecaptcha.enterprise.execute(... 
{action:\"login\"})<\/code> matches <code>EXPECTED_ACTION=login<\/code>.<\/p>\n<\/li>\n<li>\n<p><strong>Frontend error loading reCAPTCHA script<\/strong>\n   &#8211; Cause: Network restrictions, CSP issues, ad blockers, or domain configuration.\n   &#8211; Fix: Check browser dev tools network console; allow required domains; review your CSP.<\/p>\n<\/li>\n<li>\n<p><strong>Score always low<\/strong>\n   &#8211; Cause: New integration, testing patterns, bot-like environment, or strict thresholds.\n   &#8211; Fix:<\/p>\n<ul>\n<li>Don\u2019t tune thresholds based on tiny samples.<\/li>\n<li>In production, calibrate per endpoint over real traffic and use step-up verification rather than hard blocks initially.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges, remove resources:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Delete Cloud Run service:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">gcloud run services delete recaptcha-lab --region \"$REGION\"\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li>Remove IAM binding (optional hygiene):<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">gcloud projects remove-iam-policy-binding \"$PROJECT_ID\" \\\n  --member=\"serviceAccount:${SA_EMAIL}\" \\\n  --role=\"$ROLE_NAME\"\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li>Delete the service account:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">gcloud iam service-accounts delete \"$SA_EMAIL\"\n<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"4\">\n<li>\n<p>Delete the reCAPTCHA key:\n&#8211; In Console \u2192 reCAPTCHA \u2192 Keys \u2192 delete the key you created.<\/p>\n<\/li>\n<li>\n<p>Optionally disable APIs (only if not used elsewhere):<\/p>\n<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">gcloud services disable recaptchaenterprise.googleapis.com\n<\/code><\/pre>\n\n\n\n<hr 
class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Verify tokens server-side<\/strong> every time for protected actions. Client-only checks are not security controls.<\/li>\n<li>Use <strong>separate keys per environment<\/strong> (dev\/stage\/prod) and per platform (web vs mobile).<\/li>\n<li>Centralize verification in a small internal service (an \u201canti-abuse API\u201d) if many apps need it.<\/li>\n<li>Combine with layered defenses:<\/li>\n<li>rate limiting (Cloud Armor or app-level)<\/li>\n<li>bot scoring (reCAPTCHA)<\/li>\n<li>MFA \/ step-up auth (Identity Platform \/ your IdP)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use a <strong>dedicated service account<\/strong> per workload.<\/li>\n<li>Grant <strong>least privilege<\/strong>: only permissions required to create assessments.<\/li>\n<li>Prefer <strong>workload identity<\/strong> (Cloud Run\/GKE default identity) over long-lived service account keys.<\/li>\n<li>Restrict who can create\/modify keys; treat key changes as sensitive.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protect high-risk endpoints first (login\/signup\/reset\/checkout).<\/li>\n<li>Don\u2019t run assessments for low-value interactions.<\/li>\n<li>Use <strong>step-up flows<\/strong> rather than hard-blocking borderline scores (reduces support costs and false positives).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep verification endpoints low-latency (Cloud Run min instances for critical flows if needed).<\/li>\n<li>Avoid extra network hops; verify in the same region as your backend when possible (latency is usually acceptable, but 
measure).<\/li>\n<li>Fail safely:<\/li>\n<li>Decide what happens if reCAPTCHA API is unavailable (allow with limits, degrade gracefully, or require MFA depending on risk).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement timeouts and retries carefully (don\u2019t amplify load during an outage).<\/li>\n<li>Use circuit breakers: if verification fails repeatedly, switch to alternate controls temporarily.<\/li>\n<li>Track and alert on error rates and invalid tokens.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log outcomes (score, allow\/deny decision, endpoint, user\/account identifiers hashed) but <strong>avoid logging tokens<\/strong> and sensitive payloads.<\/li>\n<li>Monitor assessment volume spikes as a likely indicator of attack.<\/li>\n<li>Maintain a playbook for:<\/li>\n<li>attack spikes<\/li>\n<li>false positive incidents<\/li>\n<li>key misconfiguration<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name keys clearly: <code>web-prod-login<\/code>, <code>web-prod-signup<\/code>, <code>android-prod<\/code>, etc.<\/li>\n<li>Use labels\/tags where supported for ownership (team, cost center).<\/li>\n<li>Manage changes via documented processes and approvals (keys affect user access and conversion).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>reCAPTCHA Enterprise uses <strong>Google Cloud IAM<\/strong>.<\/li>\n<li>Separate duties:<\/li>\n<li>Admins manage keys.<\/li>\n<li>Workloads (service accounts) create assessments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data in transit: HTTPS\/TLS to Google APIs.<\/li>\n<li>Data at rest: handled by Google for managed services; confirm details in compliance documentation as needed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Frontend must load reCAPTCHA scripts\/SDK flows from Google endpoints.<\/li>\n<li>Backend must reach Google APIs. If egress is restricted, allowlist required domains or use appropriate egress controls.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid service account keys when running on Google Cloud. 
Use attached identities (Cloud Run service account).<\/li>\n<li>If you store thresholds\/config, use <strong>Secret Manager<\/strong> or runtime config, not source code.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Cloud Audit Logs<\/strong> to track administrative changes (key creation\/modification, IAM changes).<\/li>\n<li>Use <strong>Cloud Logging<\/strong> for application-level decisions (allow\/deny, score band) without sensitive token content.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure you understand what signals are collected and how that aligns with your privacy policy and regional regulations.<\/li>\n<li>If you have strict data residency requirements, confirm reCAPTCHA Enterprise specifics in official documentation and with your compliance team.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Trusting only client-side checks.<\/li>\n<li>Not binding actions (expectedAction) and allowing token reuse across endpoints.<\/li>\n<li>Using one global threshold without tuning (causes false positives and user lockouts).<\/li>\n<li>Logging tokens or sensitive identifiers in plaintext.<\/li>\n<li>Allowing too many IAM principals to modify keys.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement a <strong>step-up<\/strong> strategy:<\/li>\n<li>Low score \u2192 require MFA \/ email verification \/ phone verification<\/li>\n<li>Very low score + high velocity \u2192 block or rate limit<\/li>\n<li>Add <strong>rate limiting<\/strong> and <strong>IP reputation<\/strong> controls upstream (Cloud Armor) for layered protection.<\/li>\n<li>Regularly review:<\/li>\n<li>Key allowlists (domains\/apps)<\/li>\n<li>IAM bindings<\/li>\n<li>Trends in 
scores and false positives<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>You must tune thresholds<\/strong> per endpoint. Login and signup often need different thresholds.<\/li>\n<li><strong>Action mismatch<\/strong> is a frequent integration error; enforce expectedAction checks.<\/li>\n<li><strong>Token lifetime is short<\/strong>; don\u2019t cache tokens or reuse them.<\/li>\n<li><strong>Domain restrictions can break testing<\/strong> if you forget to add your dev domains or Cloud Run hostname.<\/li>\n<li><strong>Ad blockers \/ privacy tools<\/strong> can interfere with client-side execution; design fallback flows.<\/li>\n<li><strong>Not a full fraud solution by itself<\/strong>: reCAPTCHA is a signal. Use it with MFA, velocity checks, device\/session controls, and risk engines if needed.<\/li>\n<li><strong>Cost surprises<\/strong> happen during attacks if you assess every request. Use rate limiting and protect only high-value flows.<\/li>\n<li><strong>Quotas<\/strong> can cause <code>RESOURCE_EXHAUSTED<\/code> errors under heavy load. Monitor quotas and request increases early.<\/li>\n<li><strong>WAF\/edge integration details can vary<\/strong> by Cloud Armor features and configuration. Use official integration guides.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>reCAPTCHA is one piece of an anti-abuse strategy. 
Depending on your needs, alternatives may be better for certain layers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Options to consider<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Cloud native adjacent services:<\/li>\n<li><strong>Cloud Armor<\/strong> (WAF, DDoS protection, rate limiting; some bot\/abuse controls)<\/li>\n<li><strong>Identity Platform<\/strong> (authentication, MFA; protects accounts but not generic forms)<\/li>\n<li>Other clouds:<\/li>\n<li><strong>AWS WAF CAPTCHA\/Challenge<\/strong> (edge-based CAPTCHA\/challenge)<\/li>\n<li><strong>Azure Front Door \/ WAF<\/strong> bot protections (capability varies by SKU; verify current Azure offerings)<\/li>\n<li>Third-party managed:<\/li>\n<li><strong>Cloudflare Turnstile<\/strong> (CAPTCHA alternative)<\/li>\n<li><strong>hCaptcha<\/strong> (CAPTCHA provider)<\/li>\n<li>Self-managed:<\/li>\n<li>Behavioral analysis + rate limiting + device fingerprinting (high effort, high control)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Google Cloud reCAPTCHA (reCAPTCHA Enterprise)<\/strong><\/td>\n<td>App-layer bot detection and risk scoring for web\/mobile<\/td>\n<td>Managed scoring, integrates with Google Cloud IAM and workloads, strong ecosystem<\/td>\n<td>Requires tuning; adds dependency on external service; can impact UX if overused<\/td>\n<td>You need risk-based abuse prevention on login\/signup\/forms\/APIs<\/td>\n<\/tr>\n<tr>\n<td><strong>Google Cloud Armor<\/strong><\/td>\n<td>Edge protection (WAF, rate limiting)<\/td>\n<td>Stops attacks before origin; good for volumetric abuse and known patterns<\/td>\n<td>Not a replacement for user-interaction verification; may not fully stop human-like bots<\/td>\n<td>You need edge enforcement + lower origin load, often 
alongside reCAPTCHA<\/td>\n<\/tr>\n<tr>\n<td><strong>Identity Platform (MFA\/step-up)<\/strong><\/td>\n<td>Account security<\/td>\n<td>Strong identity controls; reduces account takeovers<\/td>\n<td>Doesn\u2019t solve generic form spam; doesn\u2019t score non-auth actions<\/td>\n<td>Combine with reCAPTCHA for layered login protection<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS WAF CAPTCHA\/Challenge<\/strong><\/td>\n<td>AWS edge-based gating<\/td>\n<td>Edge-native, integrated with AWS WAF<\/td>\n<td>Different ecosystem; less direct integration with Google Cloud apps<\/td>\n<td>You\u2019re fully on AWS and want WAF-layer challenges<\/td>\n<\/tr>\n<tr>\n<td><strong>Cloudflare Turnstile<\/strong><\/td>\n<td>CAPTCHA-like gating with simpler UX<\/td>\n<td>Often easier UX; WAF\/CDN integration<\/td>\n<td>Different trust model; requires vendor integration<\/td>\n<td>You use Cloudflare and want friction-based gating<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed bot detection<\/strong><\/td>\n<td>Full control and bespoke needs<\/td>\n<td>Complete control of data and logic<\/td>\n<td>High build\/ops cost; hard to match attacker evolution<\/td>\n<td>Strict policies require self-hosting and you can invest heavily<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. 
Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example (multi-region SaaS protecting login and high-risk actions)<\/h3>\n\n\n\n<p><strong>Problem<\/strong><br\/>\nA SaaS company experiences:\n&#8211; credential stuffing on login\n&#8211; automated trial signups\n&#8211; scripted API abuse on \u201cexport report\u201d endpoints (expensive)<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; Cloud Load Balancer + Cloud Armor:\n  &#8211; rate limits on <code>\/login<\/code>, <code>\/signup<\/code>, <code>\/api\/export<\/code>\n  &#8211; block known bad patterns\n&#8211; reCAPTCHA:\n  &#8211; score-based tokens on login\/signup\/export flows\n  &#8211; backend verification service on Cloud Run\n&#8211; Identity:\n  &#8211; step-up MFA on low scores for privileged accounts\n&#8211; Observability:\n  &#8211; Logging of scores (bucketed), decisions, endpoint, account ID (hashed)\n  &#8211; Alerts on spikes in assessments and low-score rates<\/p>\n\n\n\n<p><strong>Why reCAPTCHA was chosen<\/strong>\n&#8211; Needed risk scoring to avoid forcing every user through challenges.\n&#8211; Works across web and mobile clients.\n&#8211; Integrates cleanly with Google Cloud services and IAM.<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Reduced successful credential stuffing attempts.\n&#8211; Lower spam account creation.\n&#8211; Lower backend costs from blocked export abuse.\n&#8211; Better UX due to risk-based step-up rather than blanket CAPTCHA.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example (e-commerce site protecting checkout and signup)<\/h3>\n\n\n\n<p><strong>Problem<\/strong><br\/>\nSmall e-commerce startup faces:\n&#8211; fake signups (marketing spam)\n&#8211; promo abuse on coupon redemption\n&#8211; checkout automation attempts<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; Cloud Run monolith app\n&#8211; reCAPTCHA integrated into:\n  &#8211; signup\n  &#8211; coupon redeem 
endpoint\n  &#8211; checkout finalization\n&#8211; Simple policy:\n  &#8211; allow if score \u2265 threshold\n  &#8211; else require email verification (step-up) or deny for extreme cases\n&#8211; Minimal logging + budget alerts<\/p>\n\n\n\n<p><strong>Why reCAPTCHA was chosen<\/strong>\n&#8211; Fast to implement, managed service, minimal ops.\n&#8211; Allows frictionless experience for most legitimate customers.<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Reduced spam and promo abuse.\n&#8211; Improved operational focus (less manual review).\n&#8211; Controlled costs by limiting assessments to high-value endpoints.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is \u201creCAPTCHA\u201d on Google Cloud the same as the free reCAPTCHA I used years ago?<\/strong><br\/>\n   Google Cloud\u2019s product is <strong>reCAPTCHA Enterprise<\/strong> (often referred to as reCAPTCHA in conversation). The free\/consumer reCAPTCHA is managed separately. Use the Google Cloud docs for Enterprise behavior: https:\/\/cloud.google.com\/recaptcha-enterprise\/docs<\/p>\n<\/li>\n<li>\n<p><strong>Do I need to verify tokens on the server?<\/strong><br\/>\n   Yes. Client-side checks can be bypassed. The secure pattern is to create an assessment server-side.<\/p>\n<\/li>\n<li>\n<p><strong>What is a reCAPTCHA \u201cassessment\u201d?<\/strong><br\/>\n   It\u2019s the server-side verification result created by calling the reCAPTCHA Enterprise API with a token, returning risk analysis and token properties.<\/p>\n<\/li>\n<li>\n<p><strong>What does the score mean?<\/strong><br\/>\n   The score indicates likelihood of legitimate vs abusive interaction. 
Scores range from 0.0 (very likely abusive) to 1.0 (very likely legitimate); the thresholds you apply per endpoint must be validated and tuned using your own traffic.<\/p>\n<\/li>\n<li>\n<p><strong>Should I block users automatically below a score threshold?<\/strong><br\/>\n   Often you should start with <strong>step-up verification<\/strong> (MFA, email verification, rate limit) rather than immediate blocks to reduce false positives.<\/p>\n<\/li>\n<li>\n<p><strong>How do I prevent token replay across endpoints?<\/strong><br\/>\n   Tokens are short-lived and each token can be assessed only once, which stops straight replay. To stop a token minted for one flow being spent on another, use action binding: assign an action on the client (e.g., <code>login<\/code>), pass the same value as <code>expectedAction<\/code> when creating the assessment, and reject the request server-side if the returned <code>tokenProperties.action<\/code> does not match.<\/p>\n<\/li>\n<li>\n<p><strong>Can I use reCAPTCHA to protect APIs that are called directly (not from a browser)?<\/strong><br\/>\n   It\u2019s designed around client interactions (web\/mobile). For machine-to-machine APIs, use authentication, authorization, and rate limiting. If a browser\/app is involved, you can require tokens for sensitive endpoints.<\/p>\n<\/li>\n<li>\n<p><strong>Does reCAPTCHA replace Cloud Armor?<\/strong><br\/>\n   No. Cloud Armor is edge security (WAF\/rate limiting). reCAPTCHA is interaction verification and risk scoring. They are complementary.<\/p>\n<\/li>\n<li>\n<p><strong>Where should I implement the decision logic?<\/strong><br\/>\n   In your backend services (or a dedicated anti-abuse service). The backend is the enforcement point.<\/p>\n<\/li>\n<li>\n<p><strong>Should I log the token for debugging?<\/strong><br\/>\n   Generally no. Tokens are sensitive and short-lived. Log minimal outcomes (valid\/invalid, score band, decision).<\/p>\n<\/li>\n<li>\n<p><strong>What happens if reCAPTCHA API calls fail?<\/strong><br\/>\n   Define a fallback policy per endpoint: fail closed for very sensitive actions or fail open with compensating controls (rate limiting, MFA) for usability. 
Test this during incident simulations.<\/p>\n<\/li>\n<li>\n<p><strong>How do I handle accessibility concerns?<\/strong><br\/>\n   Prefer score-based flows to minimize interactive challenges. If challenges are required, ensure you offer alternative verification and monitor conversion\/accessibility impact.<\/p>\n<\/li>\n<li>\n<p><strong>Can I use reCAPTCHA with Cloud Run, GKE, and Compute Engine?<\/strong><br\/>\n   Yes. The backend calls the reCAPTCHA Enterprise API using service identity (service accounts \/ workload identity).<\/p>\n<\/li>\n<li>\n<p><strong>Do I need a secret key like classic reCAPTCHA?<\/strong><br\/>\n   No. The site key is public, and the assessment call is authorized with Google Cloud credentials instead of a shared secret: a service account (the default with the client libraries, granted the reCAPTCHA Enterprise Agent role) or an API key restricted to the reCAPTCHA Enterprise API. Keep those credentials server-side; the client only ever sees the site key.<\/p>\n<\/li>\n<li>\n<p><strong>How do I estimate costs?<\/strong><br\/>\n   Start with the number of protected actions per day (assessments) and expected attack spikes. Use the official pricing page: https:\/\/cloud.google.com\/recaptcha-enterprise\/pricing<\/p>\n<\/li>\n<li>\n<p><strong>Can I use different thresholds for different endpoints?<\/strong><br\/>\n   Yes, and you generally should. Login vs signup vs checkout have different risk tolerance.<\/p>\n<\/li>\n<li>\n<p><strong>How do I test in development?<\/strong><br\/>\n   Use separate dev keys\/projects, add <code>localhost<\/code> to the dev key\u2019s allowed domains rather than disabling domain verification, and avoid using production keys for local testing.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn reCAPTCHA<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>reCAPTCHA Enterprise docs<\/td>\n<td>Primary source for APIs, key setup, web\/mobile integration, and best practices. 
https:\/\/cloud.google.com\/recaptcha-enterprise\/docs<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>reCAPTCHA Enterprise pricing<\/td>\n<td>Current SKUs, pricing dimensions, and billing model. https:\/\/cloud.google.com\/recaptcha-enterprise\/pricing<\/td>\n<\/tr>\n<tr>\n<td>Official API reference<\/td>\n<td>reCAPTCHA Enterprise API reference<\/td>\n<td>Details on CreateAssessment, request\/response fields, errors. Start from docs and API reference links. https:\/\/cloud.google.com\/recaptcha-enterprise\/docs\/reference<\/td>\n<\/tr>\n<tr>\n<td>Getting started \/ tutorials<\/td>\n<td>reCAPTCHA Enterprise quickstarts (in docs)<\/td>\n<td>Step-by-step instructions maintained by Google. https:\/\/cloud.google.com\/recaptcha-enterprise\/docs (navigate to quickstarts\/tutorials)<\/td>\n<\/tr>\n<tr>\n<td>Client libraries<\/td>\n<td>Google Cloud client libraries<\/td>\n<td>Language-specific libraries and authentication patterns. https:\/\/cloud.google.com\/apis\/docs\/client-libraries-explained<\/td>\n<\/tr>\n<tr>\n<td>Cloud Run docs<\/td>\n<td>Cloud Run documentation<\/td>\n<td>Best practices for deploying secure verification endpoints. https:\/\/cloud.google.com\/run\/docs<\/td>\n<\/tr>\n<tr>\n<td>Cloud Armor docs<\/td>\n<td>Cloud Armor documentation<\/td>\n<td>Edge protections and patterns often paired with reCAPTCHA. https:\/\/cloud.google.com\/armor\/docs<\/td>\n<\/tr>\n<tr>\n<td>Observability<\/td>\n<td>Cloud Logging + Audit Logs docs<\/td>\n<td>How to track admin activity and application telemetry safely. https:\/\/cloud.google.com\/logging\/docs and https:\/\/cloud.google.com\/logging\/docs\/audit<\/td>\n<\/tr>\n<tr>\n<td>Samples (official\/trusted)<\/td>\n<td>GoogleCloudPlatform GitHub org<\/td>\n<td>Look for official samples; verify they match current APIs before using. 
https:\/\/github.com\/GoogleCloudPlatform<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>Google Cloud Tech YouTube channel<\/td>\n<td>Talks and demos on Google Cloud Security patterns (verify reCAPTCHA-specific content availability). https:\/\/www.youtube.com\/@googlecloudtech<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams<\/td>\n<td>Google Cloud fundamentals, CI\/CD, operations; may include Security integrations<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>DevOps tooling, SDLC, cloud basics<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud operations teams<\/td>\n<td>CloudOps practices, monitoring, cost and reliability<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs and reliability-focused engineers<\/td>\n<td>SRE practices, incident response, observability<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops + automation practitioners<\/td>\n<td>AIOps concepts, automation, monitoring analytics<\/td>\n<td>check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud coaching (verify offerings)<\/td>\n<td>Beginners to intermediate<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training (verify course list)<\/td>\n<td>DevOps engineers, students<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps help\/training (verify specifics)<\/td>\n<td>Teams needing hands-on guidance<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and training resources (verify services)<\/td>\n<td>Ops\/DevOps teams<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify portfolio)<\/td>\n<td>Architecture, deployments, operational maturity<\/td>\n<td>Hardening Cloud Run deployments, setting up CI\/CD, operational playbooks<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps\/cloud consulting and training<\/td>\n<td>Platform enablement, DevOps transformations, cloud migrations<\/td>\n<td>Building secure deployment pipelines, SRE practices, cloud governance<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify offerings)<\/td>\n<td>Automation, cloud operations, reliability<\/td>\n<td>Implementing monitoring\/alerting, cost controls, security baselines<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before reCAPTCHA<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Web fundamentals: HTTP, cookies\/sessions, browser security basics<\/li>\n<li>Authentication basics: passwords, MFA, OAuth\/OIDC concepts<\/li>\n<li>API security fundamentals:\n<ul>\n<li>rate limiting<\/li>\n<li>input validation<\/li>\n<li>abuse\/threat modeling<\/li>\n<\/ul>\n<\/li>\n<li>Google Cloud basics:\n<ul>\n<li>projects, IAM, service accounts<\/li>\n<li>Cloud Run \/ GKE basics<\/li>\n<li>Cloud Logging basics<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after reCAPTCHA<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Armor WAF and rate limiting (layered defenses)<\/li>\n<li>Identity Platform (MFA, step-up auth) or your IdP integrations<\/li>\n<li>Advanced abuse prevention patterns:\n<ul>\n<li>velocity rules<\/li>\n<li>device\/session risk scoring<\/li>\n<li>anomaly detection pipelines (BigQuery + Looker)<\/li>\n<\/ul>\n<\/li>\n<li>Incident response for Security events in Google Cloud<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Security Engineer<\/li>\n<li>Application Security Engineer<\/li>\n<li>DevOps Engineer \/ SRE<\/li>\n<li>Platform Engineer<\/li>\n<li>Backend Engineer (auth and risk)<\/li>\n<li>Solutions Architect<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>reCAPTCHA itself isn\u2019t typically a standalone certification topic, but it appears as part of Google Cloud Security and architecture skills. 
Consider:\n&#8211; Google Cloud Professional Cloud Security Engineer and Professional Cloud Architect (verify current names\/paths on Google Cloud certification pages): https:\/\/cloud.google.com\/learn\/certification<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a login service with:\n<ul>\n<li>reCAPTCHA scoring<\/li>\n<li>step-up MFA for low scores<\/li>\n<li>Cloud Armor rate limiting<\/li>\n<\/ul>\n<\/li>\n<li>Create an \u201canti-abuse gateway\u201d microservice used by multiple apps.<\/li>\n<li>Implement score-based routing:\n<ul>\n<li>high score \u2192 instant approve<\/li>\n<li>medium score \u2192 email verification<\/li>\n<li>low score \u2192 require MFA + manual review queue<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Assessment<\/strong>: Server-side verification result created by calling the reCAPTCHA Enterprise API with a token.<\/li>\n<li><strong>Site key<\/strong>: Public identifier used by the client integration to request tokens; it is not a secret.<\/li>\n<li><strong>Token<\/strong>: Short-lived, single-use proof of a client interaction, sent to the backend for verification.<\/li>\n<li><strong>Action (expectedAction)<\/strong>: A label (e.g., <code>login<\/code>) tied to a token and verified server-side to prevent misuse across endpoints.<\/li>\n<li><strong>Risk score<\/strong>: A number from 0.0 (very likely abusive) to 1.0 (very likely legitimate) returned in the assessment and used for decisioning; the thresholds are yours to tune.<\/li>\n<li><strong>Step-up verification<\/strong>: Adding extra verification (MFA, email\/phone verification, challenge) for risky interactions.<\/li>\n<li><strong>Credential stuffing<\/strong>: Automated login attempts using leaked username\/password pairs.<\/li>\n<li><strong>WAF<\/strong>: Web Application Firewall\u2014blocks or filters malicious HTTP traffic patterns.<\/li>\n<li><strong>Rate limiting<\/strong>: Limiting requests to 
protect services from overload\/abuse.<\/li>\n<li><strong>Least privilege<\/strong>: Granting only the minimum IAM permissions required for a workload.<\/li>\n<li><strong>Service account<\/strong>: Google Cloud identity used by workloads (Cloud Run, GKE) to call APIs.<\/li>\n<li><strong>Cloud Audit Logs<\/strong>: Logs that record \u201cwho did what, where, and when\u201d for Google Cloud resources.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>reCAPTCHA on Google Cloud (reCAPTCHA Enterprise) is a Security service for protecting web and mobile applications from bots, abuse, and fraud by issuing client tokens and verifying them server-side via assessments to obtain risk analysis.<\/p>\n\n\n\n<p>It matters because automated abuse is cheap for attackers and expensive for you\u2014reCAPTCHA helps you apply risk-based controls, reducing fraud while minimizing user friction.<\/p>\n\n\n\n<p>In Google Cloud architectures, reCAPTCHA typically sits in front of high-value actions (login, signup, checkout) and pairs well with Cloud Run\/GKE for verification endpoints, Cloud Armor for edge rate limiting\/WAF, and strong identity controls for step-up verification.<\/p>\n\n\n\n<p>Cost is driven primarily by assessment volume and attack spikes; optimize by protecting only high-value actions and layering edge rate limits. Security-wise, enforce server-side verification, use action binding, and apply least-privilege IAM to service accounts.<\/p>\n\n\n\n<p>Use reCAPTCHA when you need scalable bot detection and adaptive verification. 
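The backend decision logic that the real-world examples, the FAQ and this summary describe (server-side assessment, expectedAction binding, per-endpoint thresholds, step-up before outright blocks, a fail-closed fallback for sensitive actions, and logs that carry a score band and a hashed account ID but never the token) as one worked example. This is added illustration code, not code from the tutorial or from Google: the assessment result is modelled as a small dataclass so the policy runs offline, whereas a real Cloud Run service would fill it from the CreateAssessment response (<code>tokenProperties.valid</code>, <code>tokenProperties.action</code>, <code>tokenProperties.invalidReason</code>, <code>riskAnalysis.score</code>). The endpoint names, thresholds and HMAC key are assumptions to be tuned on your own traffic.

```python
"""Per-endpoint decision policy for reCAPTCHA Enterprise assessments.

Added example, not code from the original tutorial or from Google. The
assessment is a stand-in dataclass so this runs offline; in production you
would fill it from the CreateAssessment response. Endpoint names, thresholds
and the HMAC key below are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum
import hashlib
import hmac
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # MFA, email verification or a stricter rate limit
    DENY = "deny"


@dataclass(frozen=True)
class AssessmentResult:
    token_valid: bool         # tokenProperties.valid
    action: str               # tokenProperties.action (what the client asked for)
    score: float              # riskAnalysis.score: 0.0 likely abusive .. 1.0 likely legitimate
    invalid_reason: str = ""  # tokenProperties.invalidReason, e.g. EXPIRED or DUPE


@dataclass(frozen=True)
class EndpointPolicy:
    expected_action: str  # action the token must have been minted for
    step_up_below: float  # score below this -> step-up verification
    deny_below: float     # score below this -> deny outright
    fail_closed: bool     # behaviour when the assessment call itself fails


# Assumed per-endpoint policy table: each endpoint gets its own thresholds.
POLICIES = {
    "/login": EndpointPolicy("login", step_up_below=0.7, deny_below=0.1, fail_closed=True),
    "/signup": EndpointPolicy("signup", step_up_below=0.5, deny_below=0.3, fail_closed=False),
    "/api/export": EndpointPolicy("export", step_up_below=0.7, deny_below=0.3, fail_closed=True),
}


def decide(endpoint: str, result: Optional[AssessmentResult]) -> Decision:
    """Turn an assessment (or its absence) into an enforcement decision."""
    policy = POLICIES[endpoint]
    if result is None:
        # CreateAssessment failed (timeout, quota, 5xx): fail closed on sensitive
        # actions, otherwise fall back to a compensating control, never to ALLOW.
        return Decision.DENY if policy.fail_closed else Decision.STEP_UP
    if not result.token_valid:
        # Expired, malformed, wrong-site-key or already-assessed tokens are never trusted.
        return Decision.DENY
    if result.action != policy.expected_action:
        # Action binding: a token minted for signup must not unlock login.
        return Decision.DENY
    if result.score < policy.deny_below:
        return Decision.DENY
    if result.score < policy.step_up_below:
        return Decision.STEP_UP
    return Decision.ALLOW


def score_bucket(score: float) -> str:
    """Coarse band for logs and dashboards; the raw score is not needed there."""
    if score < 0.3:
        return "low"
    if score < 0.7:
        return "medium"
    return "high"


def log_record(endpoint: str, result: Optional[AssessmentResult],
               decision: Decision, account_id: str, hmac_key: bytes) -> dict:
    """Minimal, token-free log entry. The account ID is keyed-hashed so logs can
    correlate retries without carrying the raw identifier."""
    account_hash = hmac.new(hmac_key, account_id.encode(), hashlib.sha256).hexdigest()[:16]
    record = {
        "endpoint": endpoint,
        "decision": decision.value,
        "account_hash": account_hash,
        "assessment_ok": result is not None,
    }
    if result is not None:
        record["token_valid"] = result.token_valid
        record["invalid_reason"] = result.invalid_reason or None
        record["score_bucket"] = score_bucket(result.score) if result.token_valid else None
    return record


if __name__ == "__main__":
    key = b"rotate-me-and-keep-server-side"  # assumed secret, never shipped to clients
    # Constructed sample results standing in for real API responses.
    samples = [
        ("/login", AssessmentResult(True, "login", 0.9), "alice"),
        ("/login", AssessmentResult(True, "login", 0.3), "bob"),
        ("/login", AssessmentResult(True, "signup", 0.9), "carol"),  # token reused across actions
        ("/signup", AssessmentResult(False, "signup", 0.0, "EXPIRED"), "dave"),
        ("/api/export", None, "erin"),  # assessment call failed
    ]
    for endpoint, result, account in samples:
        print(log_record(endpoint, result, decide(endpoint, result), account, key))
```

In a real service the same function also compares <code>tokenProperties.hostname</code> against your own domains, and a second assessment of the same token comes back invalid with reason DUPE, which is why the policy never trusts an invalid token regardless of score.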
Next step: add Cloud Armor rate limiting and build a step-up MFA flow for low-score login attempts, then monitor outcomes and tune thresholds using real production traffic.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51,10],"tags":[],"class_list":["post-815","post","type-post","status-publish","format-standard","hentry","category-google-cloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=815"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/815\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}