StoreConnect supports Google reCAPTCHA v3 on the checkout flow to help prevent spam and bot activity. reCAPTCHA v3 works invisibly in the background, scoring user behaviour and validating the result server-side, without presenting any challenge to your shoppers.
reCAPTCHA v3 is built in to the checkout flow (customer information step) with no theme changes required. It can also be enabled on other pages such as registration, login, and custom forms with a small theme edit - see Enabling reCAPTCHA on Other Pages.
Prerequisites
- A Google account to access the reCAPTCHA Admin Console
- Access to your StoreConnect admin (to set Store Variables)
- Your store's domain (e.g.
shop.example.com.au)
Step 1: Create Your reCAPTCHA Keys
- Go to https://www.google.com/recaptcha/admin/create and sign in with your Google account.
- Enter a label to identify this key (e.g. your store name).
- Select reCAPTCHA v3 as the type.
- Add your store domain (e.g.
shop.example.com.au). Keys are domain-specific, so add any additional domains you want to protect. - Accept the terms and submit.
- Retrieve your Site Key and Secret Key from the confirmation screen or via Settings > Keys in the Google Admin Console.
The Site Key is public and used in the browser. The Secret Key is private and used server-side to verify scores. Only the Site Key is visible on your storefront, so do not expose your Secret Key publicly.
Step 2: Add Store Variables in StoreConnect
In your StoreConnect Store record, navigate to Store Variables and create the following three variables.
All three Store Variables are required. If captcha_type or captcha_secret_key are missing, the reCAPTCHA script will load in the browser but the server will not verify token scores. Your Google Admin Console will show the key as Unprotected.
| Name | Key | Description | Required? |
|---|---|---|---|
| Captcha key | captcha_site_key |
Your reCAPTCHA v3 Site Key (public key from Google) | Required |
| Captcha secret | captcha_secret_key |
Your reCAPTCHA v3 Secret Key (private key from Google) | Required |
| Captcha type | captcha_type |
Must be set to: recaptcha |
Required |
Once these variables are set, StoreConnect automatically injects the reCAPTCHA script into the checkout page and handles token generation and server-side verification, so no theme changes are required.
Step 3: Verify the Setup
Browser verification
After setting the Store Variables, attempt a checkout on your store. On the customer information step:
- Open browser Developer Tools (F12) and go to the Console tab.
- Confirm there are no reCAPTCHA-related errors (e.g.
grecaptcha is not definedorInvalid site key). - The reCAPTCHA badge icon should be visible in the bottom-right corner of the screen on the customer information step.
Google Admin Console verification
- Log in to https://www.google.com/recaptcha/admin and select your registered key.
- After a real checkout is completed, activity data should appear in the dashboard within 24 to 48 hours.
- If the console shows "Unprotected - Your key is requesting tokens but isn't requesting scores", this means
captcha_secret_keyis missing.
There will be a delay before activity appears in the Google Admin Console, even after a successful checkout. If no data appears after 48 hours and your Store Variables are correctly set, confirm that the domain registered in Google matches your store's domain exactly.
Enabling reCAPTCHA on Other Pages
The Store Variables set in Step 2 are all that is required. To enable reCAPTCHA on pages beyond the checkout flow, add the following snippet inside the form in the relevant theme file:
{%- if store_variables["captcha_site_key"] %}
<script src="https://www.google.com/recaptcha/api.js?render={{ store_variables["captcha_site_key"] }}" async defer></script>
{%- endif %}
{% render "captcha", action: "YOUR_ACTION_LABEL" %}
Replace YOUR_ACTION_LABEL with a descriptive value for the page (e.g. register, login). This label appears in the Google Admin Console to identify where interactions are coming from - it does not affect how the token is generated or validated.
The following pages and their corresponding theme snippet files support this approach:
| Page | Theme snippet file | Suggested action value |
|---|---|---|
Registration (/account/register) |
snippets/account/register/form |
register |
Login (/account/login) |
snippets/account/login/form |
login |
Forgot password (/account/forgot-password) |
snippets/account/forgot-password/form |
forgot-password |
Resend confirmation (/account/resend-confirmation) |
snippets/account/resend-confirmation/form |
resend-confirmation |
| Custom form | Template using {% form "custom-form" %} |
any descriptive label |
After adding the snippet to a page, visit that page and confirm the reCAPTCHA badge is visible in the bottom-right corner of the screen.
Troubleshooting
| Symptom | Resolution |
|---|---|
| Google Admin Console shows 'Unprotected' warning | The captcha_secret_key Store Variable is missing. |
grecaptcha is not defined in browser console |
The reCAPTCHA script is not loading. Check that captcha_site_key is set. Do not add the reCAPTCHA script manually to your theme, as it is injected automatically and adding it again will cause it to load twice. |
Invalid site key error in browser console |
The value in captcha_site_key is incorrect. Retrieve the Site Key (not the Secret Key) from the Google Admin Console under Settings > Keys. |
| reCAPTCHA works on checkout but not on other pages | Other pages require a theme snippet. See Enabling reCAPTCHA on Other Pages. |
| Domain mismatch or key not authorised | Ensure the domain registered in Google matches your live store URL exactly (e.g. shop.example.com.au). |
reCAPTCHA Failure Message to Shoppers
Any bots that are detected will be shown an error message after trying to complete the customer information step at checkout:
We have detected unusual activity, please try again or contact us for support.
Managing Your reCAPTCHA Score
reCAPTCHA v3 assigns a score between 0.0 (likely a bot) and 1.0 (likely a human) to each interaction. You can monitor your score distribution and adjust thresholds from the reCAPTCHA v3 Admin Console.
If you find that legitimate shoppers are being blocked, review your score data in the Admin Console and consider whether your threshold needs adjustment.
If your Site Key changes (e.g. you register a new key), update the captcha_site_key Store Variable immediately. An outdated or incorrect key will break bot protection.
Privacy compliance
Once you are using reCAPTCHA, your shoppers' data is being sent to Google for verification. If you are using StoreConnect's cookie-management-and-privacy-compliance feature, you should update this as well.
Terms
Captcha: A CAPTCHA is a type of challenge-response test used in computing to determine whether or not the user is human.