https://www.google.com/recaptcha/api2/pat 401 (Unauthorized) #561

Open
arebelof opened this issue Sep 25, 2024 · 20 comments

Comments

@arebelof

Hi,

When I have Chrome's Device Toolbar active (CTRL + SHIFT + M), I'm getting this error in the console when loading the page:

recaptcha__pt.js:805
POST https://www.google.com/recaptcha/api2/pat?k= 401 (Unauthorized)

If I disable the device toolbar, there's no error.

Thank you.

@mchamma

mchamma commented Oct 2, 2024

Same

@borisb13

borisb13 commented Oct 5, 2024

same here

@guncv

guncv commented Oct 7, 2024

same here how to solve it

@andrewhood

Same

@Berman59

Same!

@TomerSH17

Same :(

@notKamui

Please stop saying "Same" like parrots. You're polluting the issue thread. Instead, upvote the initial comment, and subscribe to the issue

@cududa

cududa commented Oct 21, 2024

Additionally, I've noticed that when I use Safari dev tools to remotely connect to my iPhone and pull up dev tools in Safari, it seems this error occurs on every load

@jeremy-hunter

cududa - thank you for sharing, that totally cleared everything up for me

Overriding the user agent without enabling device mode will still exhibit the same behavior

This user agent value does NOT exhibit this behavior in chrome's dev tools
Mozilla/5.0 (iPhone; CPU iPhone OS 13_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/129.0.0.0 Mobile/15E148 Safari/604.1

This user agent value DOES exhibit this behavior in chrome's dev tools
Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1

@cududa

cududa commented Oct 30, 2024

@jeremy-hunter

Yes, different user agents change the in dev tools - but in prod, testing on a real device I still get a 401.

I'm hoping Google doesn't close this issue, as it appears recaptcha just won't load on recent iOS versions and there's no guidance or documentation on the issue.

@NareshRoka

Seems like the problem starts when the user agent has iPhone OS 16_0 and above. It's working fine till version iPhone OS 15_8.

@dbrisson-passat

Has anyone solved this issue, please?

@Rick-EESCOC

Rick-EESCOC commented Nov 4, 2024

I see this issue on Safari Version 17.5 (19618.2.12.11.6)
Is this because of CORS?

Cross-Origin-Opener-Policy-Report-Only: same-origin;

Also noticing other CSS and JS is returning a 401 response.
Request
Accept: */*
Cache-Control: no-cache
Pragma: no-cache
Referer: https://www.google.com/
Sec-Fetch-Dest: script
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15


Working on Chrome 130.0.6723.92 (Official Build) (x86_64)

Working on Chrome Canary 132.0.6817.0
Request URL: https://www.gstatic.com/recaptcha/releases/-ZG7BC9TxCVEbzIO2m429usb/recaptcha__en.js
Request Method: GET
Status Code: 200 OK
Remote Address: 142.251.215.227:443
Referrer Policy: strict-origin-when-cross-origin

Response Headers
accept-ranges: bytes
access-control-allow-origin: *
age: 924
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
cache-control: public, max-age=31536000
content-encoding: gzip
content-length: 220347
content-security-policy-report-only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/recaptcha
content-type: text/javascript
cross-origin-opener-policy: same-origin-allow-popups; report-to="recaptcha"
cross-origin-resource-policy: cross-origin
date: Mon, 04 Nov 2024 18:58:56 GMT
expires: Tue, 04 Nov 2025 18:58:56 GMT
last-modified: Tue, 22 Oct 2024 00:01:33 GMT
report-to: {"group":"recaptcha","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/recaptcha"}]}
server: sffe
vary: Accept-Encoding
x-content-type-options: nosniff
x-xss-protection: 0

Request Headers:
:authority: www.gstatic.com
:method: GET
:path: /recaptcha/releases/-ZG7BC9TxCVEbzIO2m429usb/recaptcha__en.js
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cache-control: no-cache
origin: https://.com
pragma: no-cache
referer: https://.com/
sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"
sec-ch-ua-mobile: ?1
sec-ch-ua-platform: "Android"
sec-fetch-dest: script
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36

Working on Firefox latest build. 132.0

Not checking other Chromium browsers.

@nstiac

nstiac commented Dec 8, 2024

Same here .. confirmed it happens only with iphone user agent .. but still happening.

@kemalkastrataj

> Same here .. confirmed it happens only with iphone user agent .. but still happening.

I can confirm this; it is the same issue on my sites.

@dbrisson-passat

anyone have a solution for this issue or no?

@jasminmistry

Is there any temporary solution for this?

@geanfarias

geanfarias commented Jan 8, 2025

is there some update?

@elielson-anjos

elielson-anjos commented Jan 10, 2025

Peas as always breaking everything and the developers have to fix their s*****. Any fix on this? This is a super bad bug... Gonna have to disable App Check while this isn't fixed.

@tommag21

I wouldn't expect an answer in this repository. I opened a discussion in the Google Cloud Security forums, if anyone wants to contribute: https://www.googlecloudcommunity.com/gc/reCAPTCHA/reCAPTCHA-initialization-error-on-Safari-iOS-16/td-p/859376
