GenesisBits

Reputation: 346

Am I supposed to check user score in reCAPTCHA v3?

I am using Google reCAPTCHA V3 in the registration page of my application. When a user sends the POST request to register, it sends the reCAPTCHA token to be checked server side.

I use this server side function to check:

//Google Captcha verification (only inspects the "success" field of the siteverify response)
if(isset($_POST['grecaptcharesponse'])){
    $url = 'https://www.google.com/recaptcha/api/siteverify';
    $curl = curl_init();
    curl_setopt_array($curl, array(
        CURLOPT_RETURNTRANSFER => 1,
        // urlencode() the token so it cannot break or alter the query string
        CURLOPT_URL => $url."?secret=secretkey&response=".urlencode($_POST['grecaptcharesponse'])
    ));
    $resp = curl_exec($curl);
    curl_close($curl);
    // json_decode() yields NULL on a transport or parse failure; NULL is treated as "not verified" below
    $json = ($resp === false) ? null : json_decode($resp, TRUE);

    if(empty($json['success'])){
        header('Content-Type: application/json');
        // "score" is not present when "success" is false, so fall back to "n/a" instead of reading an undefined index
        echo json_encode(array("error" => "Google Captcha Verification Failed! It has identified you as a spammer with a score of ".($json['score'] ?? 'n/a')));
        exit();
    }
}else{
    header('Content-Type: application/json');
    echo json_encode(array("error" => "Google Captcha Verification Failed! No Captcha Token was provided."));
    exit();
}

However, upon reviewing my code I think I am only checking the siteverify API success response being true or false. I've checked the documentation here and I'm not sure if a true success response means the user isn't a spammer or if it means the API was able to successfully check the token.

Am I supposed to also be checking the response score and basing my code on that?

Upvotes: 1

Views: 1596

Answers (1)

Ghazni Ali

Reputation: 266

You have to check the spam score; it is a must.

The theory behind this process is that the Google client library checks the user's activity (mouse movement, location, etc.). Then you send that information to the Google server with a token or secret, and Google provides you with a score that you need to check; the best threshold is around 80%.

Upvotes: 3
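As an added example (not code from either post), here is a server-side verify step that acts on the score instead of only on "success"; it goes slightly beyond the answer by also checking the "action" field that Google's siteverify response carries. The threshold 0.5 and the action name "register" are assumed placeholders to tune for your own site.

```php
<?php
// Added example (not from the question or answer): verify a reCAPTCHA v3 token
// server side and act on the score, not only on "success".
// Assumptions: the threshold 0.5 and the action name "register" are placeholders
// you tune for your site; Google's siteverify returns the fields used below.

// Pure decision logic, kept apart from the HTTP call so it can be exercised offline.
function evaluate_siteverify(array $json, string $expectedAction, float $minScore): array
{
    // "success" only means the token was valid and could be evaluated.
    if (empty($json['success'])) {
        $codes = implode(',', $json['error-codes'] ?? ['unknown']);
        return ['ok' => false, 'reason' => 'token invalid: ' . $codes];
    }
    // A token is bound to the action name the client passed to grecaptcha.execute();
    // reject tokens minted for a different form.
    if (($json['action'] ?? '') !== $expectedAction) {
        return ['ok' => false, 'reason' => 'unexpected action'];
    }
    $score = (float)($json['score'] ?? 0.0);   // 1.0 = very likely human, 0.0 = very likely bot
    if ($score < $minScore) {
        return ['ok' => false, 'reason' => 'low score', 'score' => $score];
    }
    return ['ok' => true, 'score' => $score];
}

// Network call: POST the secret and token as form fields (never interpolated into the URL).
function fetch_siteverify(string $secret, string $token): array
{
    $curl = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['secret' => $secret, 'response' => $token]),
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($curl);
    curl_close($curl);
    $json = $body === false ? null : json_decode($body, true);
    // Fail closed: a transport or parse failure must not be treated as "success".
    return is_array($json) ? $json : ['success' => false, 'error-codes' => ['siteverify-unreachable']];
}

// Constructed sample response, shaped like Google's real one, to show the decision offline.
$sample = ['success' => true, 'score' => 0.3, 'action' => 'register',
           'challenge_ts' => '2021-01-01T00:00:00Z', 'hostname' => 'example.com'];
print_r(evaluate_siteverify($sample, 'register', 0.5));

// In the registration handler, with the real token from the form and your secret key:
// $verdict = evaluate_siteverify(fetch_siteverify($secret, $_POST['grecaptcharesponse'] ?? ''), 'register', 0.5);
```

Only log the score server side; echoing it back to the client, as the question's snippet does, tells an automated sender exactly how far it is from the threshold.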
