Google reCAPTCHA has three tiers, and understanding the difference matters more than most developers realize before they hit the limits.
The Three Tiers
Essentials (free, no billing required)
When you create a reCAPTCHA key in a project without billing enabled, you get the Essentials tier: 10,000 free assessments per month with a basic feature set. No credit card required.
What you get at this tier:
- reCAPTCHA v2 — The checkbox challenge (“I’m not a robot”) and image challenges. Simple to implement, visible to users, effective at blocking basic bot traffic.
- reCAPTCHA v3 — Returns a score (0.0–1.0, higher means more likely human) for each request based on user behaviour, with no challenge presented to the user. Your backend verifies the token with Google and decides what to do with the score. Each token is also bound to an action name you supply when requesting it, so login, signup and contact forms can each get their own threshold.
No SLAs, no dedicated support, no advanced analytics. If something breaks, you’re debugging it yourself.
Standard (billing enabled, billed through Google Cloud)
Enable billing on your project and you’re upgraded to Standard, which still gives you 10,000 free assessments per month. Once you exceed 10,000 assessments in a month, you’re charged a flat $8/month, which covers usage up to 100,000 assessments total. Standard also unlocks features Essentials lacks.
For most small to medium sites, this is the relevant tier. A site with 1,000 form submissions per month and typical bot traffic would stay under 10,000 assessments and pay nothing. A site with heavier traffic that runs reCAPTCHA on every page would likely cross the 10,000 threshold but stay within the 100,000 assessments covered by the $8 flat fee.
Enterprise (automatically applied above 100,000 assessments/month)
Once you exceed 100,000 assessments in a month, you’re automatically moved to the Enterprise tier: $0.001 per assessment ($1 per 1,000) for usage above 100,000. High-volume users can contact Google Sales for subscription pricing with volume discounts.
Estimate your volume from where the script actually runs: every token you generate and verify counts as an assessment, so protecting only form submissions costs one assessment per submission, while loading v3 on every page and executing it on load costs one per page view. The two can differ by orders of magnitude for the same site.
What Enterprise Adds
Beyond pricing, reCAPTCHA Enterprise includes features that matter for larger or higher-risk deployments:
Account Defender — Risk analysis tied to user accounts, not just individual requests. Detects account takeovers and credential stuffing attacks by analyzing patterns across login attempts.
Password Leak Detection — Alerts when a user’s credentials appear in known data breaches. Google checks against a database of compromised passwords without revealing the credentials to Google.
Multi-factor authentication integration — Enterprise supports adaptive MFA challenges based on risk scores.
WAF integration — Native integration with Google Cloud Armor and third-party WAFs. The free tier doesn’t offer this.
SLA and support — Enterprise comes with Google Cloud SLAs and technical support options. The free tier has neither.
Detailed analytics — More granular reporting on challenge scores, bot traffic patterns, and attack vectors.
Annotation API — You can send feedback to Google about whether your risk assessments were accurate, which improves the model for your specific traffic patterns.
Which One Do You Actually Need?
Free tier is sufficient if:
- You’re protecting standard web forms (contact, newsletter, registration)
- Your site stays under 10,000 assessments per month (the Essentials cap), which for most sites means verifying only on form submission rather than on every page load
- You don’t have elevated fraud or abuse risk
- You don’t need SLAs or dedicated support
Standard/Enterprise is worth enabling billing for if:
- You’re handling financial transactions, account creation at scale, or any high-value user action where fraud has real cost
- You’re integrating with a WAF or need WAF-level bot management
- You need audit trails and compliance documentation
- You’re seeing sophisticated bot traffic that the Essentials tier isn’t blocking effectively
- You’re consistently above 10,000 assessments per month and want advanced features
Implementation Considerations
v2 vs v3. Most developers default to v3 because it is invisible to users, and that is the right choice in most cases: the UX cost of the checkbox challenge is real, and v3 removes it. The trade-off is that v3 gives you a score instead of a pass/fail result, so you need server-side logic. Verify the token with Google from your backend (never trust a score the browser reports), confirm that the action and hostname in Google's response match the form being submitted, and only then apply a threshold (0.5 is common), treating lower scores as suspicious. That means deciding in advance what happens to borderline cases, for example a secondary check or manual review rather than a hard block.
Score thresholds require tuning. A v3 threshold that is too aggressive blocks legitimate users; too permissive and bots get through. Most implementations start at 0.5 and adjust from the score distribution they observe. Logging scores without enforcing for a week or two before turning on blocking is the safest way to pick a cut-off, and different actions (login versus newsletter signup) usually justify different thresholds.
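As an added example (not code from the original post, and not Google's own library), here is the server-side half of a v3 integration in Node.js. It shows the siteverify call and a pure decision function over the parsed response that enforces the checks a practitioner needs beyond the score itself (the success flag, action binding, hostname, and token age), and it uses a two-threshold band rather than a single 0.5 cut-off so borderline scores get a step-up check instead of a hard block. The action names, hostname, thresholds and the sample responses are constructed assumptions; the endpoint and response field names are the classic siteverify API.

```javascript
// Added example: server-side handling of reCAPTCHA v3 siteverify results.
// Endpoint and field names are the public siteverify API; thresholds,
// action names, hostname and sample responses are assumptions for illustration.

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
const TOKEN_MAX_AGE_MS = 2 * 60 * 1000; // v3 tokens expire two minutes after issue

// Decide what to do with a parsed siteverify response.
// Returns { decision: 'allow' | 'step_up' | 'block', reason }.
function evaluateAssessment(body, opts) {
  const {
    expectedAction,          // action name passed to grecaptcha.execute() in the browser
    expectedHostname = null, // your site's hostname; null skips the check
    allowAt = 0.7,           // at or above this score: allow
    blockBelow = 0.3,        // below this score: block; in between: step-up
    now = Date.now(),
  } = opts;

  if (!body || body.success !== true) {
    const codes = (body && body['error-codes']) || [];
    // 'timeout-or-duplicate' means the token was already used or is stale
    return { decision: 'block', reason: `verification failed: ${codes.join(',') || 'unknown'}` };
  }
  // A token minted for the contact form must not be accepted on the login form.
  if (body.action !== expectedAction) {
    return { decision: 'block', reason: `action mismatch: ${body.action}` };
  }
  if (expectedHostname && body.hostname !== expectedHostname) {
    return { decision: 'block', reason: `hostname mismatch: ${body.hostname}` };
  }
  const issuedAt = Date.parse(body.challenge_ts);
  if (Number.isNaN(issuedAt) || now - issuedAt > TOKEN_MAX_AGE_MS) {
    return { decision: 'block', reason: 'token expired' };
  }
  const score = typeof body.score === 'number' ? body.score : 0;
  if (score < blockBelow) return { decision: 'block', reason: `score ${score}` };
  if (score < allowAt) return { decision: 'step_up', reason: `score ${score}` };
  return { decision: 'allow', reason: `score ${score}` };
}

// Network half: exchange the browser's token for an assessment.
// Requires Node 18+ for global fetch. Not exercised offline.
async function verifyToken(secret, token, remoteIp) {
  const params = new URLSearchParams({ secret, response: token });
  if (remoteIp) params.set('remoteip', remoteIp);
  const res = await fetch(SITEVERIFY_URL, { method: 'POST', body: params });
  return res.json();
}

// Constructed sample responses in the siteverify shape (not real Google output).
const SAMPLE_NOW = Date.parse('2024-05-01T12:01:00Z');
const SAMPLES = {
  human:    { success: true, score: 0.9, action: 'login', hostname: 'example.com', challenge_ts: '2024-05-01T12:00:30Z' },
  unsure:   { success: true, score: 0.5, action: 'login', hostname: 'example.com', challenge_ts: '2024-05-01T12:00:30Z' },
  bot:      { success: true, score: 0.1, action: 'login', hostname: 'example.com', challenge_ts: '2024-05-01T12:00:30Z' },
  replayed: { success: true, score: 0.9, action: 'contact', hostname: 'example.com', challenge_ts: '2024-05-01T12:00:30Z' },
  stale:    { success: true, score: 0.9, action: 'login', hostname: 'example.com', challenge_ts: '2024-05-01T11:50:00Z' },
  reused:   { success: false, 'error-codes': ['timeout-or-duplicate'] },
};

function demo() {
  const opts = { expectedAction: 'login', expectedHostname: 'example.com', now: SAMPLE_NOW };
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) out[name] = evaluateAssessment(body, opts);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

The step-up band is where the tuning described above happens: start with monitor-only logging of the score distribution per action, then move `allowAt` and `blockBelow` until the step-up bucket is small enough to handle with a secondary check (a v2 challenge, email confirmation, or manual review).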
Not a complete spam solution. reCAPTCHA significantly reduces automated form spam, but it doesn’t eliminate it. Sophisticated actors use residential proxy networks and human CAPTCHA farms to defeat it. For high-value targets, it’s one layer of a defense-in-depth approach, not the whole approach.
Honeypot fields. For lower-risk forms, a honeypot field (a form field hidden from humans with CSS that bots fill in anyway) is often effective without the performance overhead of reCAPTCHA at all. Hide it with CSS rather than type="hidden", which bots know to skip, and set autocomplete="off" so browser autofill does not trip it for real users. Pairing it with a minimum time-to-submit check catches bots that post the form milliseconds after loading it. Consider whether you actually need reCAPTCHA or whether a simpler approach solves the problem.
At Webward, we build forms and handle bot protection as part of our standard web development work — including the integration decisions around reCAPTCHA and when simpler alternatives make more sense. Get in touch if you have a specific implementation question.