GitHub repo

Salesforce platform puts restriction on loading JS source into Lightning Web Component directly, i.e. the magic reCAPTCHA script cannot be directly used in the component.

“You can’t load JavaScript resources from a third-party site, even a CSP Trusted Site. To use a JavaScript library from a third-party site, add it to a static resource, and then add the static resource to your component. After the library is loaded from the static resource, you can use it as normal.” - Call APIs from JavaScript

There are 4 steps to integrate reCAPTCHA v3 to a Lightning Web Component.

Talk is cheap. Here is the code.

1. Create html static resource with reCAPTCHA


        <title></title>reCAPTCHA html resource</title>
        <script src=""></script>
        <input type="hidden" name="recaptcha_response" id="recaptchaResponse"/>
        <script type="text/javascript">
            grecaptcha.ready(function() {
                var reCAPTCHA_site_key = "reCAPTCHA_site_key";
                grecaptcha.execute('reCAPTCHA_site_key', {action: 'submit'}).then(function(token) {
                    recaptchaResponse.value = token;
                    if (token == "") {
                        parent.postMessage({ action: "getCAPCAH", callCAPTCHAResponse : "NOK"}, "*");
                    } else {
                        parent.postMessage({ action: "getCAPCAH", callCAPTCHAResponse : token}, "*");


<?xml version="1.0" encoding="UTF-8"?>
<StaticResource xmlns="">

2. Create Lightning Web Component with an iframe to load the static resource


    <iframe src={navigateTo} name="captchaFrame" onload={captchaLoaded}></iframe>

3. Create the Javascript controller for the Lightning Web Component


import { LightningElement, track, api } from 'lwc';
import pageUrl from '@salesforce/resourceUrl/reCAPTCHAv3';
import isReCAPTCHAValid from '@salesforce/apex/reCAPTCHAv3ServerController.isReCAPTCHAValid';

export default class GoogleCapatcha extends LightningElement {
    @api formToken;
    @api validReCAPTCHA = false;

    @track navigateTo;
    captchaWindow = null;

        this.navigateTo = pageUrl;

        var e = evt;
        console.log('src') + ' loaded');
        if('src') == pageUrl){

            window.addEventListener("message", function(e) {
                if ( == "getCAPCAH" && == "NOK"){
                    console.log("Token not obtained!")
                } else if ( == "getCAPCAH" ) {
                    this.formToken =;
                    isReCAPTCHAValid({tokenFromClient: formToken}).then(data => {
                        this.validReCAPTCHA = data;
            }, false);


4. Create Apex class to handle the server-side verification


public with sharing class reCAPTCHAv3ServerController {
    public reCAPTCHAv3ServerController(){


    public static Boolean isReCAPTCHAValid(String tokenFromClient) {
        String SECRET_KEY = 'reCAPTCHA_secret_key';
        String RECAPTCHA_SERVICE_URL = '';
        Http http = new Http();

        HttpRequest request = new HttpRequest();

        request.setEndpoint(RECAPTCHA_SERVICE_URL + '?secret=' + SECRET_KEY + '&response' + tokenFromClient);
        request.setHeader('Content-Length', '0');
        HttpResponse response = http.send(request);

        Map<String, Object> mapOfBody = (Map<String, Object>) JSON.deserializeUntyped(response.getBody());

        Boolean success = (Boolean) mapOfBody.get('success');

        return success;

The overall workflow can be shown by the diagram below.