If you are evaluating bot protection in 2026, reCAPTCHA pricing is no longer a simple free-versus-paid decision. Google now manages reCAPTCHA through Google Cloud, and no longer allows new classic keys to be created. What you pay depends on usage volume, feature scope, billing configuration, and (for larger deployments) enterprise procurement.
That shift matters because reCAPTCHA typically protects your most sensitive flows: login, registration, account recovery, checkout and payment. Once those flows are business-critical, cost stops being a small technical detail. It becomes part of security planning, budget control, and vendor review.
Table of contents
- At a glance
- What Is a reCAPTCHA Assessment?
- The 2026 Migration Context
- How reCAPTCHA Pricing Works
- What Does Your Bill Actually Look Like?
- reCAPTCHA Enterprise Pricing Explained
- What Premium and Enterprise Include Beyond the Free Tier
- Four Areas of Cost Behind the Sticker Price
- Privacy, Data Control and the April 2026 Change
- How to Evaluate reCAPTCHA Cost in a Real Project
- How reCAPTCHA Compares to Alternatives
- Conclusion
- FAQ – Frequently Asked Questions
At a glance
Google currently offers three reCAPTCHA tiers:
- Essentials: free, up to 10.000 assessments per month
- Premium: billing-enabled, broader protections, usage-based pricing
- Enterprise: contract-based, for higher volumes and advanced fraud and account protection
Google does not price reCAPTCHA like a flat website plugin. What you pay depends on how many security checks you run, which protection modules are active, and your commercial arrangement with Google.
What Is a reCAPTCHA Assessment?
An assessment is the security check reCAPTCHA performs each time a protected action occurs. One login attempt equals one assessment. One registration form submission equals one assessment. One password reset request equals one assessment.
That distinction is important. Google charges for protected actions, not for page views. A site with modest overall traffic can generate a significant assessment volume if automated tools are targeting a login or checkout endpoint with repeated requests. Budgeting based on organic traffic alone will underestimate your real bill.
The 2026 Migration Context
Anyone evaluating reCAPTCHA pricing in 2026 should be aware of one important structural change: Google no longer allows new classic reCAPTCHA keys to be created, and is actively moving customers toward the Google Cloud reCAPTCHA model via a documented migration path. All new keys now run through Google Cloud projects.
This changes the pricing picture in two concrete ways. First, billing is now tied to your Google Cloud account, not a separate reCAPTCHA console. Second, teams migrating from classic reCAPTCHA v2 or v3 keys need to factor in engineering time, QA, privacy review and rollout planning alongside the usage cost. Even when the technical migration is straightforward. Google provides documented migration paths. However, migrating is not a simple copy-and-paste operation for teams that have reCAPTCHA deployed across multiple domains, frameworks, or third-party integrations. Treat it as a project, not a task, and cost it accordingly.
How reCAPTCHA Pricing Works
reCAPTCHA pricing works on a three-tier model: Essentials (free), Premium (usage-based) and Enterprise (contract). Your tier depends on billing setup, assessment volume and required features.
reCAPTCHA Essentials | reCAPTCHA Premium | reCAPTCHA Enterprise | |
|---|---|---|---|
Cost per month | Free up to 10.000 assessments | 1 – 10.000 assessments: Free 10,001 – 100.000 assessments: $8.00 flat fee >100.000 assessments: $1 per 1.000 assessments | Fixed monthly volume commitment at $1 per 1,000 assessments. |
Commitment | None | Monthly + Pay-As-You-Go | Subscription (Minimum 12 months) |
Typical fit | Small or low-risk deployments | Sites needing more scale and broader protections | Higher-volume or advanced fraud and account-defense use cases |
Main caveat | Assessments stop at the monthly limit unless billing is enabled | Monitor feature scope and assessment volume as you grow | Requires formal procurement; some protection modules add extra assessments |
⚠ The free 10.000-assessment monthly allowance applies per Google Cloud organization, not per individual website. Agencies, multi-brand operators, or teams running multiple domains share this quota across all properties in the same organization.
What Does Your Bill Actually Look Like?
Most teams search reCAPTCHA pricing because they need to estimate a real number. Here is how the math works across common usage levels:
Monthly assessments | Monthly cost | Annual cost | Typical site profile |
|---|---|---|---|
Up to 10.000 | $0 | $0 | Small blog, single low-traffic form |
50.000 | $8 | $96 | Small business with login + contact form |
100.000 | $8 | $96 | Top of the flat-fee band, maximum value point in Premium |
200.000 | $200 | $2.400 | Mid-size SaaS protecting login and registration |
500.000 | $500 | $6.000 | E-commerce with login, checkout, and account recovery flows |
1.000.000 | $1.000 | $12.000 | High-traffic platform with multiple protected flows under sustained bot pressure |
A few important notes on these figures. The $8 flat fee covers the entire 10.001–100.000 band. So a site at 50.000 assessments pays the same as one at 99.000. Once you cross 100.000, the model shifts to $1 per 1.000 assessments for the full monthly volume.
Assessment counts also grow faster than traffic counts under active bot pressure. Automated credential-stuffing or registration-abuse tools can generate hundreds of attempts per minute against login and account creation endpoints. If your protected flows are under sustained attack, your assessment volume,and your bill, can spike rapidly and independently of organic user activity.
reCAPTCHA Enterprise Pricing Explained
reCAPTCHA Enterprise is not simply a larger usage bucket. Google positions it as a distinct commercial model for organizations that need broader fraud and account protection capabilities, a formal support relationship, and a predictable volume commitment.
Key differences from Premium
- Minimum 12-month contract commitment
- Fixed monthly volume agreed at procurement, not pay-as-you-go
- Advanced fraud, account-defense, and transaction-defense modules
- Support structure beyond standard Google Cloud documentation
- Sales-led procurement rather than self-service billing activation
The practical implication: Enterprise pricing is not published as a public rate card. Volume commitments, required protection modules, and support tier all affect the final commercial arrangement. Teams evaluating Enterprise should engage Google’s sales team with a clear picture of their protected flows, expected monthly volume, and any compliance or SLA requirements.One underappreciated cost driver: some Enterprise protection modules, including password defense, SMS defense, carding protection, chargeback detection, account defense and transaction defense, require an additional assessment per protected action. A fully activated Enterprise deployment therefore costs more than the base volume price suggests. Build that into your evaluation from the start.
What Premium and Enterprise Include Beyond the Free Tier
The higher tiers expand the types of risk you can address, not just the volume ceiling. Here is how the protection modules map across tiers:
| |||
|---|---|---|---|
Basic bot filtering | |||
Password defense | |||
SMS defense | |||
Carding protection | |||
Chargeback detection | |||
Account defense | |||
Transaction defense | |||
Formal support relationship |
The free tier is not always the cheapest real-world option for high-risk deployments. A business that saves on visible usage fees while leaving its checkout or account recovery flows under-protected may face significantly higher costs from fraud losses, support load and damaged user trust, none of which appear on a Google Cloud invoice.
Four Areas of Cost Behind the Sticker Price
In practice, the total cost of reCAPTCHA comes from four places. Only one of them appears on your Google Cloud invoice.
1. Visible usage cost
The per-assessment billing most teams notice first. This is what the pricing table above describes.
2. Feature cost
The protection modules that matter most for account and fraud defense only appear in higher tiers, or require extra assessments when activated. Enabling them after the fact often means revisiting your billing band and your architecture.
3. Migration and governance cost
Google no longer allows new classic keys, and organizations still relying on classic reCAPTCHA should review Google’s migration path to the current Google Cloud model. Even when the technical migration is manageable, teams still need engineering time, QA, privacy review, and staged rollout planning. For organizations with many domains or complex integrations, this is a meaningful project cost that lives outside the Google billing dashboard.
4. Privacy and disclosure cost
Legal and compliance obligations that sit alongside the commercial cost — and that changed materially in early 2026. See the section below.
Privacy, Data Control and the April 2026 Change
Starting April 2, 2026, Google restructured reCAPTCHA’s data responsibility model. Under the revised arrangement, customers act as the sole data controller, while Google acts as data processor.
That change has real implications. Data controllers carry primary accountability under GDPR and equivalent frameworks. If your organization operates in the EU or serves EU users, the controller designation means you are responsible for lawful basis, data subject rights and disclosure obligations; not Google. A data protection impact assessment (DPIA) may be required or advisable.
The _GRECAPTCHA cookie also remains part of the current reCAPTCHA model. Any deployment subject to consent requirements under your applicable legal framework needs cookie disclosure, consent management integration and documentation capable of withstanding supervisory authority review.
⚠ Teams should review pricing, implementation and privacy obligations together; not sequentially. A decision that looks low-cost on the billing page can look significantly more complex once legal and compliance review begins.
How to Evaluate reCAPTCHA Cost in a Real Project
Start with protected workflows, not with price.
Compare the model against your governance requirements. If GDPR compliance, cookie-free operation, accessibility certification, and predictable European hosting are organizational requirements, those factors belong in the evaluation alongside usage costs.
Count protected actions across all sensitive flows. Login, account creation, password and account recovery, checkout, payment, and any high-risk API endpoint. Separate actions that need basic bot filtering from those that require stronger account or fraud protection.
Model abuse pressure, not just organic traffic. A site with 1.000 real logins per day can easily attract 50.000 automated login attempts per day from credential-stuffing bots. Your realistic assessment volume includes both and it’s the abuse volume that tends to grow unpredictably.
Understand your billing band and its thresholds. Between 10.001 and 100.000 assessments, you pay $8 regardless of where in that band you land. Above 100.000, every additional 1.000 assessments adds $1. Knowing which band you occupy and how close you are to crossing a threshold, is basic budget hygiene.
How reCAPTCHA Compares to Alternatives
Buyers evaluating reCAPTCHA for cost reasons often overlook relevant comparisons. Two are worth knowing before you finalize a decision.
Cloudflare Turnstile offers a Free plan and an Enterprise plan. For sites already on Cloudflare infrastructure, it can be a relevant cost comparison. Teams should verify the current plan limits, widget and hostname constraints, and whether the product fits their architecture and compliance requirements before treating it as a direct substitute.
For EU-based organizations and those with GDPR or accessibility obligations, a privacy-first, cookie-free alternative, like captcha.eu, addresses a different set of requirements than pure volume economics. The evaluation criteria that matter are compliance certification, data residency, consent management compatibility and accessibility standards, not just assessment price.
Conclusion
reCAPTCHA pricing in 2026 reflects a structural shift: Google no longer allows new classic keys and has consolidated its bot-protection offering into Google Cloud, restructuring data responsibility under a new controller model effective April 2, 2026. The free tier remains, but it comes with a hard monthly ceiling, a cookie, and a set of governance obligations that now sit squarely with the customer.
For some deployments, the free tier is a reasonable fit. For most business-critical flows, the real question is whether the chosen tier matches your volume, feature requirements, abuse exposure and compliance obligations. Teams that treat reCAPTCHA as a standalone form widget rather than a procurement decision tend to discover the gaps at the worst possible moment: when an incident occurs, when a DPA requests documentation or when a billing spike appears mid-month.
Evaluate the full picture. If GDPR compliance, cookie-free operation, accessibility certification and predictable European hosting are organizational requirements, comparing Google’s model against privacy-focused alternatives, like captcha.eu, is a sensible and proportionate next step.
100 free requests
You have the opportunity to test and try our product with 100 free requests.
FAQ – Frequently Asked Questions
Is reCAPTCHA free in 2026?
Yes. Google still offers a free entry tier. It includes up to 10,000 assessments per month. Once that limit is exceeded, billing must be enabled if you want reCAPTCHA to continue creating assessments.
How much does reCAPTCHA Enterprise cost?
reCAPTCHA Enterprise is not positioned like a simple self-service plan. It is sold as a higher-tier commercial model for larger or more advanced use cases. In practice, pricing depends on volume commitments, required protections, and the commercial setup agreed with Google.
What is the difference between reCAPTCHA Premium and Enterprise?
Premium is the billing-enabled tier for organizations that need broader protection and more scale than the free tier offers. Enterprise is the contract-based model for larger or more advanced use cases. It is designed for organizations that need higher volume, broader fraud and account protections, and a commercial support model.
What happens if you exceed the free reCAPTCHA limit?
If usage goes beyond the free monthly allowance, billing must be enabled to continue creating assessments. That means teams should not treat the free tier as unlimited. They should estimate assessment volume in advance, especially for login, registration, password reset, and checkout flows.
Does reCAPTCHA still use cookies in 2026?
Yes. reCAPTCHA still uses the _grecaptcha cookie in the current model. That remains relevant for privacy reviews, consent assessments and implementation decisions.
Editorial note
This article was prepared by reviewing official reCAPTCHA documentation, including billing information, tier comparisons, FAQ material, migration guidance and related product documentation, as accessed on March 23, 2026. Pricing, terms and feature availability can change. Before procurement, legal review or budgeting, organizations should verify the current live documentation and request written confirmation where necessary.
If you have any questions
Contact us
Our support team is available to assist you.
English 
German 
French 
Spanish 
Dutch 
Italian