How can I use reCAPTCHA v2 on a large number of domains?

无人及你 2021-01-12 17:24

The previous version of reCAPTCHA provided the option to make a global key which would work on any domain. Now, in version 2, that option is gone, and the reCAPTCHA site cla

2 answers
  •  陌清茗 (original poster)
    2021-01-12 18:11

    NOTE: This applies to a previous version of the reCAPTCHA API. See the other answer for an updated solution.


    This doesn't seem to be well-known, but reCAPTCHA's documentation mentions that a Secure Token can be used to have one key working on a large number of domains. This feature seems to be exactly designed for this type of situation.

    It's created by encrypting a JSON string with your site secret, but the documentation doesn't say exactly what encryption method to use. Here's some PHP code I've used to get it working in one of my projects. This should help with whatever language you're working with.

    $token = json_encode(array(
        'session_id' => bin2hex(openssl_random_pseudo_bytes(16)), // Random ID; no special format
        'ts_ms' => intval(round(microtime(true) * 1000))) // Time in milliseconds
    );
    
    $secret_key = '{reCAPTCHA secret key}';
    $secret_key_hash = substr(hash('sha1', $secret_key, true), 0, 16);
    
    $stoken_bin = openssl_encrypt(
        $token,
        'AES-128-ECB', // Encryption method
        $secret_key_hash,
        OPENSSL_RAW_DATA // Give me the raw binary
    );
    
    // URL-safe Base64 encode; change + to -, / to _, and remove =
    $stoken = strtr(base64_encode($stoken_bin), array('+'=>'-', '/'=>'_', '='=>''));
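
As an added example (not part of the original answer or of reCAPTCHA's documentation), here is the same construction ported to Node.js, extended with a decode step so that a port to another language can be checked by round trip. The function names are hypothetical, and the scheme (truncated SHA-1 key, AES-128-ECB, URL-safe Base64) is assumed only from the PHP above.

```javascript
// Added example: Node.js port of the PHP scheme above, plus a decode step
// for round-trip checks. Function names are hypothetical.
const crypto = require('crypto');

// Key = first 16 bytes of the raw SHA-1 digest of the site secret,
// matching substr(hash('sha1', $secret_key, true), 0, 16).
function deriveKey(siteSecret) {
  return crypto.createHash('sha1').update(siteSecret, 'utf8').digest().subarray(0, 16);
}

// JSON -> AES-128-ECB (PKCS#7 padding) -> URL-safe Base64 with '=' removed.
function createSecureToken(siteSecret, nowMs = Date.now()) {
  const payload = JSON.stringify({
    session_id: crypto.randomBytes(16).toString('hex'), // random ID, no special format
    ts_ms: Math.round(nowMs),                           // milliseconds, not seconds
  });
  // ECB takes no IV, so Node expects null here.
  const cipher = crypto.createCipheriv('aes-128-ecb', deriveKey(siteSecret), null);
  const raw = Buffer.concat([cipher.update(payload, 'utf8'), cipher.final()]);
  return raw.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Reverse the steps and sanity-check the fields. ECB carries no integrity
// tag, so any padding, JSON or field error is treated as a rejected token.
function decodeSecureToken(siteSecret, stoken) {
  if (!/^[A-Za-z0-9_-]+$/.test(stoken)) throw new Error('not URL-safe Base64');
  const raw = Buffer.from(stoken.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
  if (raw.length === 0 || raw.length % 16 !== 0) throw new Error('not whole AES blocks');
  const decipher = crypto.createDecipheriv('aes-128-ecb', deriveKey(siteSecret), null);
  const json = Buffer.concat([decipher.update(raw), decipher.final()]).toString('utf8');
  const obj = JSON.parse(json);
  if (typeof obj.session_id !== 'string' || !Number.isInteger(obj.ts_ms)) {
    throw new Error('unexpected fields');
  }
  return obj;
}
```

Running `decodeSecureToken` on the output of a port in another language, with the same secret, shows whether the key derivation, padding and Base64 variant all match.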
    
