type: service
status: active
timestamp: 2026-06-20
tags: [security, captcha, google-cloud, audit-card]

reCAPTCHA Enterprise

Bot-defense assessments wired into Firebase App Check — 10K/mo free

Role

Provides assessments consumed by Firebase App Check. Wraps risk scoring around Firestore reads/writes that originate from browsers.

Free tier

Card / subscription required?

YES — flagged. reCAPTCHA Enterprise lives inside Google Cloud Platform. To enable the API on a project, GCP requires a billing account linked to the project, even when usage stays inside the free quota. The billing account itself requires a payment method.

This is a soft violation of the no-card-on-file rule. The family accepts it because:

  1. The free quota of 10K assessments / month is far above our traffic.
  2. GCP does not charge for free-tier usage as long as usage stays below the threshold and quota alerts are configured.
  3. Firebase App Check has no equivalent free provider that ties as cleanly into Firestore security rules.

If we choose to honor the rule strictly, swap to Cloudflare Turnstile (free, unlimited, no GCP billing account) — see Alternatives.

Alternatives

Swap cost

Medium — App Check provider is configurable, but the verifier code in @chirag127/firebase-init is reCAPTCHA-shaped today.

Why this is our pick (with the caveat)

Tightest Firebase integration; verified-bot heuristics work without a visible challenge for real users. The card requirement is the trade-off we explicitly accept until we hit a strict no-card moment.

Cross-refs

