Google reCaptcha with Laravel

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company

Mastering Google reCAPTCHA Integration in Laravel Without Packages

Integrating security features like Google reCAPTCHA into a Laravel application is crucial for mitigating spam and bot activity. Many developers look for pre-packaged solutions, but understanding the underlying mechanics—especially when avoiding external packages—is key to mastering the integration. If you are struggling with the captcha not showing or how to verify the submission, this guide will walk you through the developer's perspective on solving this challenge.

The Front-End Hurdle: Why reCAPTCHA Might Not Appear

When integrating Google reCAPTCHA v2 without relying on helper packages, the issue often lies in the synchronization between the public keys placed on the front end and the server-side expectations. If the captcha isn't showing in your Blade file, it’s usually not a Laravel error but a missing or incorrect client-side script execution.

The reCAPTCHA widget requires two things: the site key (public) and the secret key (private). The site key is used in the HTML to render the widget on the form. If you are following tutorials, ensure you have correctly placed the necessary <script> tags pointing to Google’s reCAPTCHA library within your Blade view.

Best Practice for Display: Ensure that your Blade file correctly renders the grecaptcha div and associated script calls before any form submission logic is executed. This ensures the browser has the context needed to load the challenge before sending data. Think of this as setting up the necessary structure within your MVC flow, which aligns with strong architectural principles found in frameworks like Laravel.

Back-End Verification: Verifying the reCAPTCHA Token

The real challenge lies in verifying the token sent back from the client after the form is submitted. When a user successfully completes the captcha, Google returns a unique token. This token must be sent along with the form data to your Laravel backend. You then use this token to make a server-to-server call to Google’s verification API.

Since we are avoiding packages, we handle this entirely through standard HTTP requests in our Controller.

Step 1: Capturing the Token from the Form

When the user submits the form, the reCAPTCHA widget generates a response token. This token is embedded in the request data sent to your Laravel controller.

// In your Form submission route and Controller method

public function submit(Request $request)
{
    // 1. Validate standard form data
    $validated = $request->validate([
        'name' => 'required',
        'captcha_response' => 'required', // Expecting the token here
    ]);

    $captchaToken = $validated['captcha_response'];

    // ... proceed to verification
}

Step 2: Verifying the Token with Google

Now, you need to use this captured $captchaToken to verify it against Google’s servers. This is done by making an external HTTP request from your server to Google's verification endpoint. You will need your reCAPTCHA Secret Key for this step.

use Illuminate\Support\Facades\Http;

public function submit(Request $request)
{
    $captchaToken = $request->input('captcha_response');
    $secretKey = config('services.recaptcha.secret'); // Store your secret key securely!

    // Make the verification request to Google
    $response = Http::asJson()->post('https://www.google.com/recaptcha/api/siteverify', [
        'secret' => $secretKey,
        'response' => $captchaToken,
    ]);

    // Check the response from Google
    if ($response->successful() && $response->json('success') === true) {
        // CAPTCHA is valid! Proceed with database insertion or logic.
        return redirect('/success');
    } else {
        // CAPTCHA failed validation (bot detected or invalid token).
        return back()->withErrors(['captcha' => 'reCAPTCHA verification failed. Please try again.']);
    }
}

Conclusion

Successfully implementing reCAPTCHA without relying on third-party packages requires a solid understanding of the client-server handshake. The perceived failure to display the captcha is often a front-end issue, whereas the post-submission failure is almost always a back-end validation error related to token handling or API communication. By carefully managing the public keys for display and correctly using HTTP clients within your Laravel controller to verify the received tokens, you can establish robust security measures in your application. Remember that mastering these underlying principles of request handling and data flow is what separates a functional developer from an architect—a key concept in building scalable applications on platforms like those offered by Laravel Company.