Firebase App Check rejected a request because the reCAPTCHA risk score fell below your configured threshold. This happens when user behavior appears suspicious or bot-like to reCAPTCHA.
This error occurs when Firebase App Check validates a user request using reCAPTCHA and the returned score is below your configured app risk threshold. reCAPTCHA assigns a score between 0.0 and 1.0, where 1.0 indicates very likely legitimate user behavior and 0.0 indicates very likely fraudulent/bot activity. If the score is strictly less than your threshold (default 0.5), App Check rejects the request with a 403 Unauthorized error. This is a security feature to protect your backend resources from abuse.
Navigate to your Firebase Console → App Check → Web Apps → Your App. Look at the "reCAPTCHA v3 Score Threshold" or "reCAPTCHA Enterprise Score Threshold" slider. The default is 0.5 (moderate security). A threshold closer to 1.0 is more strict but may reject legitimate users.
Note: You can see the actual score distribution in the reCAPTCHA Admin Console (https://www.google.com/recaptcha/admin) to understand what scores real users are getting.
In the Firebase Console, move the threshold slider to the right (towards 0.0) to be more permissive. Start by moving it from 0.5 to 0.4 or 0.3. Monitor your error rates to see if legitimate users can now access your app. WARNING: Do not set to 0.0 as this disables fraud protection entirely.
If you are testing locally or in CI environments, use the App Check debug provider instead of real reCAPTCHA validation:
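    import { initializeAppCheck, ReCaptchaV3Provider } from 'firebase/app-check';

    // Use only in development. Set the flag before initializeAppCheck() runs.
    // `true` makes the SDK generate a debug token and print it to the browser
    // console; a token string created in the Firebase Console can be assigned
    // instead (keep it out of source control).
    if (process.env.NODE_ENV === 'development') {
      self.FIREBASE_APPCHECK_DEBUG_TOKEN = true;
    }

    // `app` is the FirebaseApp returned by initializeApp().
    initializeAppCheck(app, {
      provider: new ReCaptchaV3Provider('YOUR_RECAPTCHA_V3_SITE_KEY'),
    });

Get your debug token from the App Check settings in Firebase Console.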
Firebase recommends migrating from reCAPTCHA v3 to reCAPTCHA Enterprise, which provides:
- More granular control (11 score levels vs 1 threshold)
- Better fraud signals
- 10,000 free assessments/month
- More customization options
Upgrade in Firebase Console → App Check → Web Apps → Switch to reCAPTCHA Enterprise.
Go to the reCAPTCHA Admin Console (https://www.google.com/recaptcha/admin) and select your site key. Look at the 'Score Distribution' graph to see what scores legitimate users are receiving. If most legitimate users are scoring above 0.5, your threshold is appropriate. If legitimate users are clustering below your threshold, you need to lower it.
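One way to turn a score distribution into a threshold choice, shown as an added example that is not part of Firebase's SDK or documentation. It assumes you have per-session scores labelled by your own telemetry; the sample data and the function names are constructed for illustration.

```javascript
// Constructed sample (not real data): one reCAPTCHA score per session, labelled
// by the app's own telemetry as legitimate or confirmed abusive.
const SAMPLE = [
  ...[0.9, 0.9, 0.9, 0.9, 0.7, 0.7, 0.7, 0.5, 0.3, 0.3].map((score) => ({ score, legit: true })),
  ...[0.1, 0.1, 0.1, 0.3, 0.5].map((score) => ({ score, legit: false })),
];

// Rule as stated above: a request is rejected when its score is strictly
// below the threshold, so a score equal to the threshold passes.
function isRejected(score, threshold) {
  return score < threshold;
}

// Evaluate all 11 levels (0.0 to 1.0 in 0.1 steps). i / 10 avoids the drift
// that repeatedly adding 0.1 would introduce.
function evaluateThresholds(sessions) {
  const legit = sessions.filter((s) => s.legit);
  const abusive = sessions.filter((s) => !s.legit);
  const rate = (group, threshold) =>
    group.length === 0 ? 0 : group.filter((s) => isRejected(s.score, threshold)).length / group.length;
  const rows = [];
  for (let i = 0; i <= 10; i++) {
    const threshold = i / 10;
    rows.push({
      threshold,
      falseRejectRate: rate(legit, threshold),
      abuseBlockedRate: rate(abusive, threshold),
    });
  }
  return rows;
}

// Strictest threshold whose false-reject rate stays within the budget.
// Threshold 0.0 rejects nothing, so there is always at least one candidate.
function pickThreshold(sessions, maxFalseRejectRate) {
  const candidates = evaluateThresholds(sessions).filter(
    (row) => row.falseRejectRate <= maxFalseRejectRate
  );
  return candidates[candidates.length - 1];
}

console.table(evaluateThresholds(SAMPLE));
console.log(pickThreshold(SAMPLE, 0.05)); // strictest level rejecting at most 5% of legitimate sessions
```

With this sample, the default 0.5 would reject the two legitimate sessions that scored 0.3, which is the clustering-below-threshold case described above.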
Review if your app is doing anything that triggers bot detection:
- Rapidly making requests in succession
- Using automation libraries (Puppeteer, Selenium, etc.)
- Running in headless browser environments
- Disabling JavaScript normally used for trust validation
- Making requests from unusual geographic locations
If your legitimate app is behaving like a bot, you may need to restructure your client code or whitelist known users.
In the reCAPTCHA Admin Console (https://www.google.com/recaptcha/admin):
1. Click on your site key
2. Verify it is the correct type:
   - For App Check with reCAPTCHA v3: Select the v3 site key
   - For App Check with reCAPTCHA Enterprise: Select your Enterprise API key
3. Ensure you are using the correct key in your Firebase initialization
4. Do not mix v3 and Enterprise keys

    import { initializeAppCheck, ReCaptchaV3Provider } from 'firebase/app-check';

    initializeAppCheck(app, {
      provider: new ReCaptchaV3Provider(
        'YOUR_RECAPTCHA_V3_SITE_KEY'
      ),
    });

By default, reCAPTCHA Enterprise on the free Firebase tier is limited to basic score levels. To enable all 11 score levels (0.0–1.0 in 0.1 increments):
1. Upgrade your Firebase project to Blaze pricing (pay-as-you-go)
2. Link a Google Cloud Billing account
3. Re-check your threshold settings—you now have finer control
Note: reCAPTCHA Enterprise provides 10,000 free assessments/month, so costs should be minimal.
App Check enforces throttling after a 403 error from reCAPTCHA—it will not retry for 1 day if the failure indicates a configuration issue (invalid key, threshold mismatch, etc.). This is by design to prevent abuse, but it means a bad config can break your app for 24 hours. Always test threshold changes in a staging environment first.
Some developers report that reCAPTCHA Enterprise shows 'high risk' on the GCP dashboard but 'low risk' in the Admin Console—this can indicate a client-side bug in how scores are being transmitted. If this persists, file an issue with Firebase.
On Safari, reCAPTCHA may have fewer trust signals available, leading to lower scores. If your Safari users are disproportionately affected, consider lowering your threshold specifically for reCAPTCHA Enterprise (which allows per-provider tuning in newer Firebase SDKs).
If you are using a custom domain or behind a CDN, ensure your domain is registered in the reCAPTCHA site configuration. Mismatched domains will cause verification failures.