What is duplicate-or-timeout error message in Google's reCAPTCHA v3

Question

I am using Google's reCaptcha v3 in html page, that's still in beta version. (reCaptcha v3 docs)

The html page consists of two buttons and clicking each causes a back-end web service method to be called using jquery ajax i.e. form is not being submitted on clicking these buttons. If Contact Us button is clicked then the web service method ContactUs is called and if Buy button is clicked then the Buy method of web service is called.

If I click on Contact Us button after page renders, then I get a response as below which is what I expect since I am not a bot.

{success: true, challenge_ts:"2018-05-12T05:40:23Z", hostname:"localhost", score: 0.9}

Then, if I click the other button i.e. Buy button, I always get a response as below.

{success: false, error-codes": ["timeout-or-duplicate"]}

Question

Why is the response from recaptcha always false with above error message of timeout-or-duplicate when I click on Buy button?

I just want to make sure that these buttons are not being clicked by a bot and I thought recaptcha v3 would help in this, but it seems the full page needs to postback i.e. form needs to be submitted after each click of a button for it to work.

Html code

<!DOCTYPE html>
<html>

<head>
    <title>reCaptcha v3</title>
    <meta charset="utf-8" />
    <script src="Scripts/jquery-1.11.3.min.js" type="text/javascript"></script>
    <script src='https://www.google.com/recaptcha/api.js?render=keyValue'></script>
    <script>
        function verify(action) {
            grecaptcha.execute('clientkeyValue')
                .then(function (token) {
                    $.ajax({
                        type: "POST",
                        url: "SomeWebService.asmx/VerifyCaptchaV3",
                        data: JSON.stringify({ response: token }),
                        success: function (r) {
                            if (r && JSON.parse(r).success === true) {
                                verified = true;

                                if (action === "contactus") {
                                    //code for calling ContactUs method in web service
                                } else if (action === "buy") {
                                    //code for calling Buy method in web service
                                }
                            } else {
                                verified = false;
                            }
                        },
                        contentType: "application/json; charset=utf-8",
                        dataType: "json"
                    });
                });
            }
    </script>
</head>

<body>
    <form action="javascript:grecaptcha.reset();" method="post">
        <div id="example3"></div>
        <br>
        <input type="submit" value="Contact Us" id="submit" onclick="verify('contactus'); return false;">
        <input type="submit" value="Buy" id="submit1" onclick="verify('buy'); return false;">
    </form>
</body>

</html>

Web Service method in C# to call server-side recaptcha siteVerify

public string VerifyCaptchaV3(string response) {
    string url = "https://www.google.com/recaptcha/api/siteverify?secret=someValue&response=" + response;
    return (new System.Net.WebClient()).DownloadString(url);
}

Answer 1

You should not verify reCaptcha multiple times per page. It is unnecessary and would generate redudant web traffic and excessive resource use.

After first verification you should save the score result on server side (for example as a session variable) for subsequent use.

Answer 2

I was receiving the same error even for distinct token values. I found that removing and re-adding the api.js script to the page after a verification allows subsequent verifications to succeed.