https://www.google.com/recaptcha/api2/pat 401 (Unauthorized)
Hi,
When I have Chrome's Device Toolbar active (CTRL + SHIFT + M), I'm getting this error in the console when loading the page:
recaptcha__pt.js:805 POST https://www.google.com/recaptcha/api2/pat?k=<My Key> 401 (Unauthorized)
If I disable the device toolbar, there's no error.
Thank you.
Same
same here
same here how to solve it
Same
Same!
Same :(
Please stop saying "Same" like parrots. You're polluting the issue thread. Instead, upvote the initial comment, and subscribe to the issue
Additionally, I've noticed that when I use Safari dev tools to remotely connect to my iPhone and pull up dev tools in Safari, it seems this error occurs on every load
cududa - thank you for sharing, that totally cleared everything up for me
Overriding the user agent without enabling device mode will still exhibit the same behavior
This user agent value does NOT exhibit this behavior in chrome's dev tools
Mozilla/5.0 (iPhone; CPU iPhone OS 13_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/129.0.0.0 Mobile/15E148 Safari/604.1
This user agent value DOES exhibit this behavior in chrome's dev tools
Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1
@jeremy-hunter
Yes, different user agents change the in dev tools - but in prod, testing on a real device I still get a 401.
I'm hoping Google doesn't close this issue, as it appears recaptcha just won't load on recent iOS versions and there's no guidance or documentation on the issue.
Seems like the problem starts when the user agent has iPhone OS 16_0 and above. It's working fine till version iPhone OS 15_8.
Has anyone solved this issue, please?
I see this issue on Safari Version 17.5 (19618.2.12.11.6). Is this because of CORS?
Cross-Origin-Opener-Policy-Report-Only: same-origin;
Also noticing other CSS and JS is returning a 401 response.
Request
Accept: /
Cache-Control: no-cache
Pragma: no-cache
Referer: https://www.google.com/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15
Working on Chrome 130.0.6723.92 (Official Build) (x86_64)
Working on Chrome Canary 132.0.6817.0
Request URL: https://www.gstatic.com/recaptcha/releases/-ZG7BC9TxCVEbzIO2m429usb/recaptcha__en.js
Request Method: GET
Status Code: 200 OK
Remote Address: 142.251.215.227:443
Referrer Policy: strict-origin-when-cross-origin
Working on Firefox latest build. 132.0
Not checking other Chromium browsers.
Same here .. confirmed it happens only with iphone user agent .. but still happening.
I can confirm this; it is the same issue on my sites.
anyone have a solution for this issue or no?
Is there any temporary solution for this?
is there some update?
Peas as always breaking everything and the developers have to fix their s*****. Any fix on this? This is a super bad bug... Gonna have to disable App Check while this isn't fixed.
I wouldn't expect an answer in this repository. I opened a discussion in the Google Cloud Security forums, if anyone wants to contribute: https://www.googlecloudcommunity.com/gc/reCAPTCHA/reCAPTCHA-initialization-error-on-Safari-iOS-16/td-p/859376
It looks like this is a red herring error. I was getting the same error on safari and upon investigating the error more on safari on my macbook it turned out once I actually submitted the form I was getting an error about my query string being too long so IIS was rejecting my request. Basically for some reason in safari the getRecatpchaResponse function I had to determine if the user was a bot or not was about 2500 characters long. No idea why it was working in every browser but safari. Anyways I updated the max length of my query string to 3000 in IIS from 2048 and boom it started working again! Hope this can help someone else out but yeah most likely recaptcha is not working in safari due to another reason. Hit that submit button and see what error you get!
Are there any updates?
I do not know if this helps but I found this thread:
https://www.googlecloudcommunity.com/gc/reCAPTCHA/reCAPTCHA-initialization-error-on-Safari-iOS-16/td-p/859376
So TL;DR
Google are ducking clowns, and you can "safely ignore" the error, and they don't even plan on fixing it.
This is absolutely insane.
Wasted too much time on this.
TL;DR: in the Chrome DevTools for iOS devices (iPhone, iPad...) we get a 401 on this URL:
https://www.google.com/recaptcha/api2/pat?k=‹google recaptcha client key›
It's annoying and polluting the console log. Does not prevent recaptcha from working. Does not occur on non-iOS in my experience.
EDIT:
- I also sometimes got the error for non-iOS devices.
same
I ran into this issue while developing the SMS authentication part of Firebase. Is this by any chance a configuration issue in the Firebase console?
Same
same issue, safari 18.3.1 (20620.2.4.11.6)
For anyone still running into this:
This error seems to be related to Apple’s Private Access Tokens (PAT) feature on iOS/macOS devices, triggering a 401 on api2/pat.
Google staff confirmed here that it’s safe to ignore, as it doesn’t affect reCAPTCHA functionality. They're probably not gonna fix it.
Just one of those things—ignore it and carry on.
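The comments above separate the 401 on api2/pat, reported as safe to ignore, from failures that do need attention (401s on other resources, the over-long query string rejected by IIS). As an added example, not code from this thread or from Google, the sketch below triages captured request failures along those lines; the entry shape, the sample entries and the example.test hosts are constructed, and 2048 is the IIS query-string limit quoted above.

```javascript
// Added example: triage of captured request failures on a page using reCAPTCHA.
const PAT_HOST = "www.google.com";
const PAT_PATH = "/recaptcha/api2/pat";
const QUERY_LIMIT = 2048; // IIS query-string limit quoted in the thread

function classifyFailure({ method, url, status }) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return { verdict: "investigate", reason: "unparseable URL" };
  }
  // Exact scheme, host and path match: a substring test would also silence
  // look-alike hosts or URLs that merely carry the path in a parameter.
  const isPatEndpoint =
    u.protocol === "https:" && u.hostname === PAT_HOST && u.pathname === PAT_PATH;
  if (isPatEndpoint && method === "POST" && status === 401) {
    return { verdict: "ignore", reason: "401 on api2/pat" };
  }
  // u.search includes the leading "?", so subtract it before comparing.
  if (u.search.length - 1 > QUERY_LIMIT) {
    return { verdict: "investigate", reason: "query string over " + QUERY_LIMIT };
  }
  return { verdict: "investigate", reason: "HTTP " + status + " " + u.hostname + u.pathname };
}

// Returns only the entries that still need a look, with the reason attached.
function triage(entries) {
  return entries
    .map((e) => ({ ...e, ...classifyFailure(e) }))
    .filter((e) => e.verdict !== "ignore");
}

// Constructed sample entries (placeholders, not real keys or hosts).
const sample = [
  { method: "POST", url: "https://www.google.com/recaptcha/api2/pat?k=SITE_KEY_PLACEHOLDER", status: 401 },
  { method: "POST", url: "https://www.google.com.example.test/recaptcha/api2/pat?k=x", status: 401 },
  { method: "GET", url: "https://www.gstatic.com/recaptcha/releases/PLACEHOLDER/recaptcha__en.js", status: 401 },
  { method: "GET", url: "https://app.example.test/verify?token=" + "a".repeat(2500), status: 404 },
];

console.log(triage(sample).map((e) => e.reason));
```

Only the first sample entry is dropped; the look-alike host, the 401 on the script and the long query string all stay in the output.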