June 6, 2026 · 12 min read · Error Codes

invalid-input-response: Debugging Bad CAPTCHA Tokens Without Blaming the User

How to diagnose invalid-input-response, missing-input-response, malformed CAPTCHA tokens, and broken client/server handoffs.

Source signal: Search Console keyword burst: invalid-input-response, missing captcha token, malformed response.

What invalid-input-response usually means

invalid-input-response points to a token that the verification provider cannot accept. The token may be missing, truncated, generated for another site key, generated on a different domain, or altered by a form handler. Users experience it as "invalid CAPTCHA" even when they did everything correctly.

The keyword file Admiral sent includes variations like "google captcha token is invalid", "missing captcha token", "the recaptcha response is invalid or malformed", and "no captcha_token found". These are not just search terms. They are production failure modes that deserve first-class logging and specific support copy.

The handoff path is where most failures happen

The browser receives a token, stores it in a hidden field or JavaScript variable, submits it to the backend, and the backend forwards it to the provider. Any step can break. A frontend framework can re-render and clear the hidden field. A proxy can strip a large form field. A backend can read the wrong request key. A multi-tenant site can pair the token with the wrong secret.

Do not start debugging by telling users to clear cache. First confirm the request payload contains the expected field, the backend reads the same field, the domain matches the configured key, and the verification call is not accidentally using staging credentials in production.

How rCAPTCHA should make this easier

An rCAPTCHA integration can expose a site-specific verification table: site key, allowed domains, current status, last verified route, recent failures by code, and sample integration code for that exact site. That is the opposite of generic "paste this snippet" documentation. It lets the webmaster verify the configuration before traffic hits production.

When verification fails, rCAPTCHA should return a clear machine-readable reason and a human support hint. For example: missing token, expired token, duplicate token, wrong site, disabled site, or network verification unavailable. The goal is not to leak security internals; it is to avoid throwing every legitimate user into the same "invalid captcha" bucket.

Debug checklist

- Log the raw presence of the token, not the full token value.
- Confirm the key pair belongs to the domain.
- Confirm the backend reads the same parameter name the frontend sends.
- Check whether CSP, ad blockers, consent tools, or script optimizers are blocking the provider script.
- Add a staging-only diagnostic route that verifies the token handoff without processing a real form submission.
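The handoff checks and the checklist above as server-side triage. This is an added example, not code from the original article or from rCAPTCHA. It assumes the provider reply follows the shape and error codes of Google's reCAPTCHA siteverify API; `diagnose_handoff`, the reason labels, and the sample form are hypothetical.

```python
import logging

log = logging.getLogger("captcha.handoff")

# Error codes from Google's reCAPTCHA siteverify API (assumed provider shape),
# mapped to (reason, hint). rCAPTCHA's own codes are not given on the page.
PROVIDER_CODES = {
    "missing-input-response": ("missing_token", "backend sent no token to the provider"),
    "invalid-input-response": ("bad_token", "token truncated, altered, or made for another site key"),
    "timeout-or-duplicate": ("stale_token", "token expired or was already verified"),
    "missing-input-secret": ("server_config", "verification call had no secret"),
    "invalid-input-secret": ("server_config", "secret rejected; check for staging credentials"),
}

# Constructed sample: the frontend posts "captcha_token", the backend reads the default name.
SAMPLE_FORM = {"email": "user@example.test", "captcha_token": "x" * 40}


def diagnose_handoff(form, verify_json, allowed_hosts, field="g-recaptcha-response"):
    """Classify one submission as (reason, hint).

    form: parsed request body; verify_json: provider reply as a dict, or None
    if the call never completed; allowed_hosts: domains configured for the key.
    """
    token = form.get(field) or ""
    # Log presence and size only, never the token value itself.
    log.info("captcha field=%s present=%s length=%d", field, bool(token), len(token))
    if not token:
        # A similar key name means frontend and backend disagree on the parameter.
        others = sorted(k for k in form if k != field and "captcha" in k.lower())
        if others:
            return "wrong_field", f"expected {field!r}, request carried {others}"
        return "missing_token", "field absent: cleared by a re-render or stripped in transit"
    if verify_json is None:
        return "provider_unreachable", "verification call did not complete"
    if verify_json.get("success"):
        host = verify_json.get("hostname", "")
        if host not in allowed_hosts:
            return "wrong_site", f"token was solved on {host!r}, not an allowed domain"
        return "ok", "token verified"
    for code in verify_json.get("error-codes", []):
        if code in PROVIDER_CODES:
            return PROVIDER_CODES[code]
    return "unknown", "unmapped provider error; record the codes and add a mapping"
```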

If the failure is common enough to create search traffic, it is common enough to deserve a dedicated dashboard row. Site owners should not have to reverse-engineer a CAPTCHA failure from one generic error banner.

Sources and further reading

For site owners, the larger lesson is simple: users search for exact failure text because generic CAPTCHA errors do not help them. rCAPTCHA should make each failure measurable, explainable, and recoverable without weakening abuse protection.
