How to Detect reCAPTCHA on Any Website (API + Curl)

reCAPTCHA is Google’s anti-bot service, and it is one of the most widely deployed pieces of front-end security on the web. If a site has a login form, a signup page, a comment box, or a checkout, there is a good chance it is sitting behind reCAPTCHA. Knowing which sites use it — and which version — is useful for competitive research, security mapping, and building technographic lead lists for companies that sell bot mitigation, fraud prevention, or testing tools.

The good news for detection is that reCAPTCHA cannot hide. To work, it has to load Google’s JavaScript into the page, and that script tag is right there in the HTML for anyone to read. This guide explains exactly what reCAPTCHA leaves behind, how to check for it manually with curl, and how to detect it programmatically — including across thousands of domains — with the DetectZeStack API.

What Is reCAPTCHA and Why Detect It

reCAPTCHA is a free service from Google that helps protect websites from spam and abuse. It comes in a few flavors: the visible “I’m not a robot” checkbox (v2), an invisible score-based version that runs silently in the background (v3), and a paid tier aimed at larger deployments (reCAPTCHA Enterprise). All of them share the same delivery mechanism: a script loaded from Google’s servers.

There are several practical reasons to detect it:

• Technographic prospecting — If you sell a competing CAPTCHA, a privacy-friendly alternative, or a bot-management platform, a list of sites already running reCAPTCHA is a list of companies that have already decided this problem is worth solving.
• Security and attack-surface mapping — Knowing where reCAPTCHA gates a form (and where it doesn’t) tells you which endpoints rely on bot protection.
• Automation and QA — Teams building scrapers, test harnesses, or monitoring tools need to know in advance which target pages will throw a CAPTCHA challenge.
• Competitive intelligence — Seeing whether a competitor uses reCAPTCHA, hCaptcha, or a newer privacy-focused option is a small but real signal about their stack and priorities.

How reCAPTCHA Leaves Fingerprints in a Page

Every reCAPTCHA integration has to download Google’s client library before it can render a challenge or compute a score. That happens through a standard <script> tag pointing at one of Google’s reCAPTCHA endpoints. Because the tag lives in the served HTML, you can detect reCAPTCHA without executing any JavaScript — a plain HTTP fetch of the page is enough.

The most reliable fingerprints are:

• The script source — A <script src> matching /recaptcha/api.js (v2 and v3) or /recaptcha/enterprise.js (Enterprise). Older integrations may load recaptcha_ajax.js or reference api-secure.recaptcha.net.
• The widget container — A <div class="g-recaptcha"> element, which is where the v2 checkbox or challenge renders.
• The challenge iframe — An <iframe> whose src contains google.com/recaptcha/, plus the legacy #recaptcha_image element on very old deployments.

These are exactly the markers DetectZeStack matches against. reCAPTCHA detection is based on the static page source and HTTP headers, so it works even when the widget would only become visible after a user interaction.

reCAPTCHA v2, v3, and Enterprise Markers

The three versions are distinguishable from the page source:

• reCAPTCHA v2 — Loads https://www.google.com/recaptcha/api.js and renders a visible widget: a div.g-recaptcha with the “I’m not a robot” checkbox, or an inline challenge iframe. The div.g-recaptcha marker is the clearest tell for v2.
• reCAPTCHA v3 — Loads the same api.js, usually with a ?render=SITE_KEY query string, but renders no visible widget. It runs in the background and returns a score, so there is typically no div.g-recaptcha — the script tag is the fingerprint.
• reCAPTCHA Enterprise — Loads https://www.google.com/recaptcha/enterprise.js instead of api.js. This is the giveaway that a site is on the paid Enterprise tier rather than the free service.

Manual Ways to Detect reCAPTCHA (Browser + Curl)

For a one-off check, you do not need any tooling beyond a browser and curl.

In the browser: open DevTools, go to the Network tab, reload the page, and filter for recaptcha. If you see a request to www.google.com/recaptcha/api.js or enterprise.js, the site uses reCAPTCHA. You can also search the page source (Ctrl/Cmd+U) for the string g-recaptcha.

From the command line: fetch the HTML and grep for the markers. This is faster and scriptable:

$ curl -s https://example.com | grep -ioE "recaptcha/(api|enterprise)\.js|g-recaptcha"
recaptcha/api.js
g-recaptcha

If that returns matches, the page is loading reCAPTCHA. The limitation of the manual approach is that it only inspects the first HTML response. Some sites inject the reCAPTCHA script later via their own JavaScript, or only on a specific route (the login page, say, but not the homepage). To catch those, you may need to check several URLs — and that is where an API that handles the fetch and parsing for you saves time.

Detect reCAPTCHA Programmatically with the DetectZeStack API

The DetectZeStack API fetches the page, parses the HTML, and matches it against thousands of technology fingerprints in one request. reCAPTCHA comes back under the Security category, right alongside the rest of the site’s stack — framework, CMS, analytics, CDN, and more — so a single call tells you whether the site uses reCAPTCHA and what else it is built on.

Free Demo Endpoint Curl Example

The /demo endpoint needs no API key, which makes it perfect for a quick check. Pass the target URL as a query parameter:

$ curl -s "https://detectzestack.com/demo?url=https://www.google.com/recaptcha/api2/demo" | python3 -m json.tool

The response is a single JSON object. Trimmed to the relevant fields, a reCAPTCHA hit looks like this:

{
  "url": "https://www.google.com/recaptcha/api2/demo",
  "domain": "google.com",
  "technologies": [
    {
      "name": "reCAPTCHA",
      "categories": ["Security"],
      "confidence": 100,
      "description": "reCAPTCHA is a free service from Google that helps protect websites from spam and abuse.",
      "website": "https://www.google.com/recaptcha/",
      "icon": "reCAPTCHA.svg",
      "source": "http",
      "version": "",
      "cpe": ""
    }
  ],
  "categories": { "Security": ["reCAPTCHA"] },
  "meta": { "status_code": 200, "tech_count": 1, "scan_depth": "full" },
  "cached": false,
  "response_ms": 1842
}

The "name": "reCAPTCHA" entry under the Security category is your answer. The source: "http" field shows the match came from the page HTML, and confidence: 100 reflects a direct fingerprint match on the script tag or widget markup.

Authenticated /analyze for Scanning at Volume

For production use, the /analyze endpoint is the same shape but authenticated and not rate-limited per IP the way the demo is. Calls go through RapidAPI with your key:

$ curl -s "https://detectzestack.p.rapidapi.com/analyze?url=https://example.com" \
  -H "X-RapidAPI-Key: YOUR_KEY" \
  -H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" \
  | jq '.technologies[] | select(.name == "reCAPTCHA")'

If reCAPTCHA is detected, that pipe prints exactly the matching object:

{
  "name": "reCAPTCHA",
  "categories": ["Security"],
  "confidence": 100,
  "description": "reCAPTCHA is a free service from Google that helps protect websites from spam and abuse.",
  "website": "https://www.google.com/recaptcha/",
  "icon": "reCAPTCHA.svg",
  "source": "http",
  "version": "",
  "cpe": ""
}

If the site does not use reCAPTCHA, the jq filter prints nothing — an empty result is a clean negative.

Batch-Checking Many Domains for reCAPTCHA

Manually checking one site at a time does not scale to a prospect list. The POST /analyze/batch endpoint accepts up to 10 URLs per request and analyzes them concurrently, returning the full technology stack for each:

$ curl -s -X POST "https://detectzestack.p.rapidapi.com/analyze/batch" \
  -H "X-RapidAPI-Key: YOUR_KEY" \
  -H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" \
  -H "Content-Type: application/json" \
  -d '{"urls": ["example.com", "stripe.com", "github.com"]}'

The response wraps one result object per URL, each with the same shape as a single /analyze response:

{
  "results": [
    { "url": "example.com", "result": { "...full analysis..." : "" } },
    { "url": "stripe.com",  "result": { "...full analysis..." : "" } },
    { "url": "github.com",  "result": { "...full analysis..." : "" } }
  ],
  "total_ms": 2341,
  "successful": 3,
  "failed": 0
}

Because each result matches the single-domain shape, the filtering logic is identical whether you scan one domain or a thousand. Here is a copy-pasteable bash pipeline that reads domains.txt (one domain per line), checks each one, and appends every domain where reCAPTCHA is detected to recaptcha_sites.csv:

#!/usr/bin/env bash
# Requires: curl, jq. Reads domains.txt, writes recaptcha_sites.csv
RAPIDAPI_KEY="YOUR_KEY"
: > recaptcha_sites.csv

while read -r domain; do
  [ -z "$domain" ] && continue
  has_recaptcha=$(curl -s "https://detectzestack.p.rapidapi.com/analyze?url=https://$domain" \
    -H "X-RapidAPI-Key: $RAPIDAPI_KEY" \
    -H "X-RapidAPI-Host: detectzestack.p.rapidapi.com" \
    | jq -r '[.technologies[].name] | index("reCAPTCHA") // empty')
  if [ -n "$has_recaptcha" ]; then
    echo "$domain,reCAPTCHA" >> recaptcha_sites.csv
    echo "HIT: $domain"
  fi
  sleep 0.5
done < domains.txt

For a deeper treatment of batch throughput, retries, and a production-grade Python scanner, see how to batch scan 1,000 websites.

Other CAPTCHA Providers You Can Detect

reCAPTCHA is the most common, but it is not the only game in town. The same Security category surfaces a range of CAPTCHA and anti-bot providers, each identified from its own script tag or DOM markers in the page HTML:

Because they all return under the same category, a single scan tells you not just whether a site uses a CAPTCHA but which vendor it chose — a useful split when you are segmenting a market.

Common Use Cases for reCAPTCHA Detection

• Lead lists for security and fraud tools — Filter a domain list down to sites already investing in bot protection.
• Migration targets — If you offer a privacy-focused or self-hosted CAPTCHA, sites on reCAPTCHA v2/v3 are your switchers.
• Scraper and QA planning — Flag pages that will challenge automated traffic before you build against them.
• Stack profiling — Combine reCAPTCHA detection with other signals — Google Tag Manager, analytics, CDN, and bot management — for a complete picture of a site’s front-end. reCAPTCHA often appears next to Cloudflare Bot Management, since the two solve overlapping problems at different layers.

Get Your API Key

Detecting reCAPTCHA on one page takes a single curl against the free /demo endpoint. Detecting it across an entire market takes an API key and the batch endpoint. To get started:

1. Smoke test the response shape with curl "https://detectzestack.com/demo?url=https://example.com" — no key required.
2. Sign up at rapidapi.com/mlugoapx/api/detectzestack and copy your x-rapidapi-key. The free tier is 100 requests per month with no credit card.
3. Run the /analyze example above against a domain you control.
4. Check the technologies[] array for a reCAPTCHA entry under the Security category — that’s your answer.

Conclusion

reCAPTCHA has to load Google’s script to function, and that script tag — api.js for v2/v3, enterprise.js for Enterprise — is sitting in the page HTML for anyone to read. That makes it reliably detectable with nothing more than an HTTP fetch and a pattern match. For a single page, curl and grep get you there. For a list of domains, the DetectZeStack API returns reCAPTCHA under the Security category alongside hCaptcha, FunCaptcha, and the rest of the site’s stack, so you can turn a raw domain list into a segmented, CAPTCHA-confirmed dataset in one pass.