Guide

How to Bypass reCAPTCHA v3 When Scraping (There Is No Puzzle to Solve)

reCAPTCHA v3 never shows a puzzle. It scores every request from 0.0 to 1.0 and the site acts on a threshold you cannot see. Bypassing it means raising the score, not solving anything. Here is what feeds the score and where residential proxies fit.

HProxy Team · ·Updated July 18, 2026 ·7 min read
HProxy. Guide

Free proxies won't hold up here.

Shared datacenter IPs get flagged and dropped fast. When it has to hold, gaming, streaming, accounts, you need mobile and residential IPs that read as a real device, from $0.65/GB, pay as you go.

See plans & pricing

The frustrating thing about reCAPTCHA v3 is that there is nothing to see. Your scraper does not hit a checkbox or a grid of blurry traffic lights. It just starts getting empty pages, a soft 403, or a login that silently refuses, and there is no puzzle to point at. That absence is the tell. reCAPTCHA v3 is not a gate you pass or fail. It is a score, from 0.0 to 1.0, that it assigns to every request in the background, and the site you are scraping decides what to do with that score against a threshold you cannot see. So bypassing v3 does not mean solving a challenge, because there is no challenge. It means consistently scoring high enough that the site treats you as human. Once you know what feeds the score, you can raise it, and one thing is honest up front: no proxy raises it on its own.

Can you bypass reCAPTCHA v3 with proxies?

Partly, and only for one of the things v3 scores. A residential proxy lifts the IP-reputation part of the score, which is what datacenter ranges fail hardest. It does nothing for your behavior, your browser environment, or your session history, so a clean IP behind a bare headless client still scores low. You need all of them to line up.

What reCAPTCHA v3 actually does

reCAPTCHA v3 runs quietly in the page and, in Google's own words, returns a score for each request without user friction, where 1.0 is very likely a good interaction and 0.0 is very likely a bot. It never interrupts the user, so you can run it on every action. Three signal groups feed that score, and they stack.

IP reputation. Every IP carries a history. Datacenter ranges from the big cloud providers are flagged heavily because most automated traffic comes from them, so a request from a known hosting block starts with a bad score before you send a header. Residential addresses handed out by consumer ISPs look like real people and start clean. This is the part a proxy actually moves.

Behavior. Humans are slow and irregular: they pause, scroll, misclick, and read. A scraper that fires many requests a second on an exact interval, always in the same order, with no dwell time and no mouse movement, reads as a machine no matter what IP it rides on. reCAPTCHA analyses interaction signals like mouse movement and navigation patterns, and burst rates are a strong negative signal because real people do not load fifty pages in ten seconds.

Browser environment and history. A plain HTTP client sends a handful of headers and runs no JavaScript. A headless browser leaks the navigator.webdriver automation flag, a missing plugin list, and a TLS handshake whose JA3 signature contradicts the Chrome it claims to be. And a session with no _GRECAPTCHA cookie and no prior page views looks like it arrived from nowhere. History raises the score; its absence lowers it.

Actions and the threshold. reCAPTCHA v3 tags each check with an action name (login, search, submit) so the site can score in context, and Google suggests starting at a 0.5 threshold. But the site owner picks the number and takes action behind the scenes rather than blocking outright, so the same score can pass on a blog and fail on a bank. You never see the cutoff, which means the only reliable target is to score like a real browser.

Why a raw HTTP client scores near zero

Point a plain requests or axios script at a v3-protected action and it scores at the bottom of the range. It runs no JavaScript, so the reCAPTCHA client never executes and often no valid token is produced at all, and even when a token is generated the environment behind it, no history, no mouse, a mismatched fingerprint, is everything the score punishes. Rotating a datacenter pool does not help, because rotation changes the one input, the IP, that a raw client was never going to score well on by itself, while the behavior and environment signals keep the score on the floor.

Where residential proxies fit, and where they do not

Residential proxies route your traffic through real home connections on consumer ISPs, so the reputation part of the score flips from a flagged hosting range to a neutral home line. Datacenter IPs lose here first, which is why every serious attempt against v3 starts with residential or mobile IPs. This is real, and it is the foundation.

What a proxy cannot do is change how your client behaves or what environment reCAPTCHA sees. The proxy forwards your bytes untouched. If those bytes carry a headless browser with no history and a Python-shaped handshake, a residential IP just means v3 scores a residential IP as a bot. The mental model is the one behind all web scraping with proxies: the proxy makes your IP believable, and your browser and pacing and history make the rest of you believable. v3 scores them together.

Do solver services help against v3?

They exist, and they work differently from v2 solvers. There is no puzzle to hand a human, so a v3 service returns a high-score token, usually by running reputation-aged real browsers on clean IPs so the token they generate scores near the human end. The honest catch is that the token is scoped to a specific action name, is short-lived at around two minutes, and is re-scored server-side when the site calls Google's siteverify, which returns the score and the action for the site to check. A token farmed against the wrong action or a mismatched context can still land below the threshold. They are a fine tool for occasional needs and a fragile main strategy, which is why raising your own score is the durable path.

A setup that scores like a human

Everything here lifts the score. Do all of it and v3 stops being a wall:

  1. Route through rotating residential IPs, verified before use and held per session rather than swapped on every request, so the reputation signal stays clean and the session stays consistent.
  2. Drive a real, fortified browser, a hardened Playwright or Puppeteer or an anti-detect browser, with navigator.webdriver hidden and the TLS and HTTP/2 fingerprint matching the User-Agent, so the environment scores as a genuine device.
  3. Pace and move like a person, with randomized delays, real dwell time, and modest per-IP volume, because burst rate and robotic timing are what the behavioral signal punishes.
  4. Carry cookies and warm the session, letting the first request land on a normal entry page and keeping the _GRECAPTCHA cookie, so you arrive with the history v3 rewards.
  5. Keep the action name consistent with what the site expects, so the score is read in the right context.

Test before you scale

Before you point a real job at a defended target, prove one identity end to end. Confirm your exit is alive and residential with the proxy checker, then run one real request through your browser and IP against the target action and watch what happens: a clean page, a soft block, or an empty response. Because you cannot see the score directly, a v3 test endpoint that echoes the score is the fastest way to know whether your setup lands near 0.9 or near 0.1. Testing one full identity tells you which signal is dragging the score down, which is the only way to fix the right thing instead of buying more proxies you did not need.

The honest bottom line

reCAPTCHA v3 has no puzzle. It scores every request from your IP reputation, your behavior, and your browser environment and history, and the site acts on a threshold you never see. Residential proxies fix the reputation input completely and are the foundation, since datacenter ranges score near the floor before anything else is weighed. But they do nothing for the other two thirds of the score. A clean rotating residential pool gets your reputation right; a real browser with hidden automation tells, human pacing, and a warmed session with history are what push the score into the human range. Solver services farm high-score tokens but the tokens are action-scoped, short-lived, and re-scored server-side, so they are a patch, not a plan. Our residential and mobile IPs start at $0.65/GB pay-as-you-go with no KYC and a balance that does not expire, so a job that runs in bursts pays only for what it uses. Anyone selling residential proxies as a one-click reCAPTCHA v3 bypass is skipping two thirds of the score. Get all of it right and v3 stops being a wall and becomes a number you keep high.

Sources

  • Google: reCAPTCHA v3 developer docs: the frictionless score (1.0 good, 0.0 bot), actions for context, and the default 0.5 threshold with the site taking action behind the scenes.
  • MDN: Navigator.webdriver: the automation flag headless browsers leak, which drags the score down.
  • JA3 (Salesforce): the TLS ClientHello fingerprint that can contradict a scraper's claimed User-Agent.

Frequently asked questions

Can you bypass reCAPTCHA v3 with proxies?
Partly. reCAPTCHA v3 scores your IP reputation, your behavior, and your browser environment and history, and a proxy only fixes the IP. A clean residential IP lifts the reputation part of the score, which is what datacenter ranges fail, so you clear a threshold more often. But your behavior, your browser fingerprint, and your session history still feed the score, so a clean IP behind a bare headless client still scores low. The IP is necessary and not sufficient.
Is there a puzzle to solve in reCAPTCHA v3?
No, and that is the whole difference from v2. reCAPTCHA v3 never interrupts the user and never shows a checkbox or an image grid. It runs in the background and returns a score from 0.0 (very likely a bot) to 1.0 (very likely human) for each action. There is nothing to click, so bypassing it does not mean solving a challenge, it means consistently scoring above whatever threshold the site chose.
What score does a scraper get, and what threshold blocks me?
Scrapers score low because datacenter IPs, burst request rates, and a headless browser with no history all read as automation. Google recommends a default threshold of 0.5, but the site owner picks it and you never see the number, so a bank might block under 0.7 while a blog allows over 0.3. Because the threshold is hidden, the only reliable target is to score as high as a real browser, not to guess the cutoff.
Do reCAPTCHA v3 solver services work?
Differently from v2 solvers. There is no puzzle to hand a human, so v3 services return a high-score token, typically by running reputation-aged real browsers. The catch is that the token is scoped to a specific action name, is short-lived (about two minutes), and is re-scored server-side when the site calls siteverify, so a token farmed on a mismatched action or context can still land below the threshold. They help for occasional needs and are fragile as a main strategy.
Does a Google login or first-party cookies raise my v3 score?
History helps. A session that arrives with a _GRECAPTCHA cookie and a normal browsing trail looks like a returning human, and reCAPTCHA rewards that with a higher score, while a session that opens every request cold with no cookies looks like it teleported in. A signed-in Google account in the same browser context is a strong positive signal, though it also ties the session to an identity, which is its own tradeoff for scraping.
How is reCAPTCHA Enterprise different for scraping?
Enterprise exposes a finer score and reasons to the site and integrates with risk tooling like WAFs and account defense. Its docs describe 11 score levels across 0.0 to 1.0, of which only four (0.1, 0.3, 0.7, 0.9) are available before a billing account is added. For a scraper the practical effect is the same as standard v3, a low score triggers the site's response, but the site can act on more granular scores and richer signals, so a marginal setup gets caught more precisely.

Proxies that don't die mid-job

Residential, ISP, datacenter and mobile, verified by the same engine that runs tens of millions of checks. They read as a real device and hold up under load. Pay as you go, and your balance never expires.

47M+ proxy checks run · 100+ countries · HTTP / HTTPS / SOCKS · re-checked every few minutes · no signup