How can you trust an AJAX recaptcha request?

开发者 https://www.devze.com 2023-02-16 01:27 Source: Internet
The recaptcha API allows pure JavaScript captcha creating and verifying. But, how can a site trust that the user actually solved the captcha this way? How do they know they didn't just alter the javascript?

If all calculations are done by the user, then as the backend how can we trust the result that they send us?

For example, let's say you were using a backend function (like sending an activation email) that requires your new users to prove they are human. With the normal API your backend could call reCaptcha and confirm (since we can trust recaptcha). With an AJAX verification the user agents are basically saying "I solved the recaptcha - you can trust me!" to your backend.

Am I missing something?


From the docs:

To verify the solution, you will need to pass two variables from the widget to the reCAPTCHA verification API.

And the verification part needs to be done on the server.

Basically, when you validate, you need to make an AJAX request to your server yourself by sending the challenge and response to your server.

A script on your server can then verify with reCaptcha and return the result back to your web page. Your backend script may have to store some session variable saying that the user has passed a captcha test.
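The flow this answer describes, sketched as an added example (not code from the original post or from reCAPTCHA): the backend verifies the challenge and response itself, records the pass in server-side session state, and the gated action reads only that state. `CaptchaGate`, `fake_recaptcha_verify`, the form field names and the single-use pass are assumptions made for illustration; the stub stands in for the backend's call to the reCAPTCHA verification API.

```python
import secrets


# Constructed stand-in for the server-to-server call to reCAPTCHA's
# verification API. A real one sends the challenge, the response and the
# site's private key from the backend and returns reCAPTCHA's verdict.
def fake_recaptcha_verify(challenge, response, remote_ip):
    return (challenge, response) == ("chal-123", "two words")


class CaptchaGate:
    """Keeps the 'passed a captcha' fact on the server, keyed by session id."""

    def __init__(self, verify):
        self._verify = verify   # callable(challenge, response, ip) -> bool
        self._passed = set()    # session ids holding an unspent captcha pass

    def new_session(self):
        return secrets.token_urlsafe(16)

    def handle_captcha_ajax(self, session_id, form, remote_ip):
        """AJAX endpoint: the browser posts the widget's two values here."""
        # A field such as form["captcha_ok"] is client-controlled and ignored;
        # only the challenge/response pair is used, and only to ask the verifier.
        challenge = form.get("challenge", "")
        response = form.get("response", "")
        if not challenge or not response:
            return {"ok": False}
        ok = bool(self._verify(challenge, response, remote_ip))
        if ok:
            self._passed.add(session_id)
        return {"ok": ok}

    def send_activation_email(self, session_id, address):
        """Gated action: runs only if this session holds a server-side pass."""
        if session_id not in self._passed:
            return False
        self._passed.discard(session_id)  # one pass buys one action
        # ... the activation mail to `address` would be queued here ...
        return True
```

The JSON returned to the page only drives the UI; a client that rewrites its JavaScript can change what it displays but not the contents of `_passed`.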
