reCAPTCHA to Arkose Labs Migration Guide

This document contains the steps needed to change from using reCAPTCHA to using Arkose Labs Fraud and Abuse Prevention Platform (Arkose Labs Platform).


The Arkose Labs Platform has a different structure to reCAPTCHA, so to migrate you will need to update your client-side processing and your server-side processing.

Developer Guide Information

Read the Developer Guides for Standard Setup and Server-Side Instructions.

Private and Public Key Pair

Get your Private and Public key pair. They are shown on the Site Settings page of the Arkose Labs Client Dashboard. If you do not have access to the dashboard or do not have your private and public keys, contact your Sales Rep or Sales Engineer.


Client-Side Integration

Replace your client-side code that reads:

    <title>reCAPTCHA demo: Simple page</title>
    <script src="" async defer></script>
    <form action="?" method="POST">
      <div class="g-reCAPTCHA" data-sitekey="your_site_key"></div>
      <input type="submit" value="Submit">


 <script src="//" data-callback="setupEnforcement" async defer></script>
    function setupEnforcement(myEnforcement) {
        selector: '#enforcement-trigger',
        onCompleted: function(response) {
          var token = response.token.toString();


Replace INSERT_PUBLIC_KEY with the public key retrieved in the step above.


Server-Side Integration

Differences between reCAPTCHA and Arkose Labs Platform implementation

  1. reCAPTCHA provides a stand-alone library, but the Arkose Labs Platform does not. Use the code shown below to implement the Arkose Labs Platform on your server.

  2. The Arkose Labs Platform refers to private keys, which is equivalent to the reCAPTCHA secret key.

  3. The Arkose Labs Platform uses a session_token which replaces the reCAPTCHA g-recaptcha-response.

Server-Side Implementation

Follow the instructions in Server-Side Instructions to invoke the Verify Endpoint API.

The code below is an example of server-side integration.

Replace "INSERT_PUBLIC_KEY" with your private key.

Manage the response in the way that suits your processing.


$private_key = "INSERT_PRIVATE_KEY";
$session_token = $_GET["fc-token"];
$fc_api_url = "";

$headers = array(
    'Content-Type: application/json'

$fields = array(
	"private_key" => $private_key,
	"session_token" => $session_token

$postdata = json_encode($fields);

$ch = curl_init($fc_api_url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($ch);

$fc_results = json_decode($response);

header("Access-Control-Allow-Origin: *");
if (isset($fc_results->solved) && $fc_results->solved == true) {
    echo $response;
} else {
    echo $response;


Was this article helpful?
0 out of 0 found this helpful