reCAPTCHA Action Names: Login, Checkout, Password Reset, and Better Risk Labels

Action names look like a small implementation detail until every protected flow is called submit. Then dashboards blur together, backend checks get weaker, and incident review cannot tell whether the spike came from login, checkout, password reset, or a bot probing every form.

Why action names deserve design time

Google's action-name docs say action names help visibility in reCAPTCHA dashboards and can improve monitoring for different attack forms, including attempts to falsify or duplicate actions. The docs list recommended names such as signup, login, password_reset, cart_view, payment_add, checkout, and transaction_confirmed.

Those names are not just labels for charts. They become part of your server-side verification contract. If the backend expects checkout, a token generated for login should not satisfy the payment flow.

A practical taxonomy for real sites

Start with user intent. Authentication usually needs signup, login, password_reset, and account_update. Commerce usually needs cart_view, cart_add, payment_add, checkout, and transaction_confirmed. Content sites might use comment_submit, contact_submit, newsletter_signup, or search.

Keep names stable, lowercase, and non-user-specific. Do not put email addresses, order IDs, campaign IDs, or dynamic product names into action strings. You want a bounded vocabulary that can be compared in dashboards, tests, and backend policy.

Replace submit with meaningful risk labels

A generic submit action hides whether a problem is a harmless contact form spike or a credential stuffing attempt against login. Better action names let you set different thresholds, alerts, and step-up rules without guessing.

For example, login and password_reset deserve tighter observability than newsletter_signup. checkout and payment_add deserve release monitoring when a frontend deploy changes token timing. cart_view may be lower risk but still useful for detecting inventory scraping or automated browsing.

Verify the action server-side

Frontend naming alone is not enough. The backend must compare the returned action with the expected action for that route. In Enterprise assessments, that comparison is explicit with expectedAction and tokenProperties.action. In classic v3 integrations, the verification response includes the action value that should be checked against the route expectation.

Do not make the backend accept a list of every possible action for convenience. If one route legitimately handles multiple flows, pass the expected action derived from the route or validated request type, then reject or step up mismatches.

Govern the names like API surface

Store the action list near route definitions or in a shared package. Review additions the same way you review new API endpoints. Document the owning flow, frontend caller, backend verifier, and risk policy for each action.

A simple monthly dashboard review can catch drift: actions with near-zero traffic, new action strings that no one approved, and generic submit values coming from new components. The goal is not bureaucracy; it is keeping the signal clean enough to trust during an incident.

Sources and further reading

Google Cloud action names docs for recommended action names and dashboard visibility.

Google Cloud assessment docs for action verification during backend assessment.

expectedAction mismatch debugging for what to do when the contract breaks.