reCAPTCHA setup
Description
With reCAPTCHA you can bot-proof your forms by ensuring that they're filled out by humans. Terminalfour offers reCAPTCHA validation on all the forms you create with Form Builder. There are reCAPTCHA FAQs here.
In late 2025 Google are beginning the process of removing support for reCAPTCHA classic. Meaning that keys generated from the reCAPTCHA Admin Console will stop working unless you migrate them to reCAPTCHA enterprise (no change required in Terminalfour) or, you generate new keys in reCAPTCHA Enterprise Cloud console (instructions below).
Google have provided a guide on how to migrate old keys that were originally created in the reCAPTCHA console.
The instructions below outline how to generate keys from the Google Cloud Console which is the most up-to-date method for generating reCAPTCHA keys.
Create reCAPTCHA keys in Google Cloud
Log in to your Google Cloud account and ensure you're in the correct project for your site.
If you don't have any existing projects you can create a new one.
You can now navigate to "Security > reCAPTCHA" and ensure that you enable the Enterprise reCAPTHCA API.
You can now click "Get started" to begin creating a key.
Creating Keys
Provide a display name that's descriptive to help you locate these details in the future.
Ensure the Application type is set to "Web"
Under domain list, add each domain that will contain Terminalfour forms. You can disable domain verification but Google do not recommend it.
If you are creating AMP pages, you can choose to allow the key to work with AMP pages. If you're unsure, this can be left disabled.
Once you've entered your settings, scroll to the very bottom of the page and click "Create key"
At this point you'll need to copy keys which you'll add into Terminalfour.
The ID (previously named Site key) and the Secret key will both be required.
The Site key can be found at the top of the page.
To retrieve the Secret key, click the "Integrate with a third-party service or a plug-in" button.
This will open a popup that contains your Secret key
Only one reCAPTCHA key pair can be added to FORM Builder in your Terminalfour instance.
You'll need both of these so keep this tab open.
Form Builder Settings
In another tab, open Terminalfour and go to System administration > System settings > Form Builder to complete the configuration.
Use the switch to enable reCAPTCHA across your site(s). When reCAPTCHA is enabled in the settings, a reCAPTCHA option will be available in Form Builder under Advanced Inputs. Paste the Site and Secret keys into the text boxes.
When "enforcement" is enabled, reCAPTCHA is added to every form, so you do not add it. If you want to select the forms that reCAPTCHA is added to, then you should disable "enforcement."
If you choose to add reCAPTCHA to all forms, you will not see the "Create fields from content type" option. This is because "Create fields from content type" is only available when there are no form elements present in a form.
When you create a new form or editing an existing form, the display of the reCAPTCHA field will change, depending on the combination of enable and enforcement settings you choose.
| reCAPTCHA is disabled | reCAPTCHA is enabled and not enforced | reCAPTCHA is enabled and enforced |
|---|---|---|
| The reCAPTCHA button is not visible on any of your forms | The reCAPTCHA button is visible under advanced inputs when selecting fields but is not clickable | |
| One reCAPTCHA field can be added to the form |
||
| The reCAPTCHA field, if added will be positioned before the submit /reset buttons and it is not possible to move it |
||
| It is possible to delete the reCAPTCHA field | It is not possible to delete the reCAPTCHA fieldAdding a | |
Adding reCAPTCHA to your form when reCPATCHA is enabled and not enforced:
Adding reCAPTCHA to your form when reCAPTCHA is enabled and is enforced:
When enforcement is disabled, forms that had a reCAPTCHA explicitly added before enforcement was enabled will still have a reCAPTCHA field. Forms that had a reCAPTCHA because enforcement was enabled will not have a reCAPTCHA field.
reCAPTCHA FAQ
How many reCAPTCHA key pairs can be added?
One reCAPTCHA key pair can be added.
How can I add more than one domain?
Multiple domains can be added to one site key in Google. Please include the domain of the Form Bank URL when configuring the Google reCAPTCHA.
Which users can configure the reCAPTCHA?
Administrator users can configure the reCAPTCHA at System administration > System settings > Form builder.
Can a reCAPTCHA be shared?
Sharing is not required as only one reCAPTCHA is configured per installation.
Can the Google site type be specified?
The site type reCAPTCHA v2 is used.
How is the widget rendered?
The widget is explicitly rendered.
Do I need to specify the language code?
There is no need to set the language code as Google will set the language based on the user's browser.
How do I ensure reCAPTCHA is set on all forms?
Administrator users can configure "enforcement" so that the reCAPTCHA will show on all forms. This is configured at System administration > System settings > Form builder.
Where on the form will the reCAPTCHA be displayed?
It will be displayed before the Submit button in all cases. It is not possible to reorder the position of the reCAPTCHA.
How is the reCAPTCHA response processed?
The response is verified via an API request to https://www.google.com/recaptcha/api/siteverify.
What logic is applied to the "hostname" data in the API response?
The logic is based on the "success" property in the API response.
If the "success" response is true, the response token is set as a value in the submission so it can be submitted.
If the "success" response is false, the user is brought the the failure error message / page specified for the form. No response token is sent so the submission is not submitted. The API request error code can be seen in the POST request, via the developer console.
What happened to the old reCAPTCHA admin console?
In 2025 Google are removing the old reCAPTCHA admin console and are migrating to reCAPTCHA Enterprise in Google cloud. Communication about this migration would have been sent to your Google admins.
Do I need a Google Cloud billing account?
reCAPTCHA Enterprise has a free tier so you don't necessarily need a billing account. However, if you have more than 1,000 forms submitted that use reCAPTCHA per month you'll need to set up a billing account with Google cloud.
Can I still use my existing keys?
If you already had reCAPTCHA configured in Terminalfour you do not need to create new keys in Google Cloud. However, you will need to migrate your existing keys from the reCAPTCHA admin console to Google cloud. Google have provided a migration guide on how to do this.