How to Implement Google reCAPTCHA v3 in a NetSuite Online Customer Form

Spam submissions on NetSuite online customer forms aren’t just an inconvenience, they create security risks, waste internal resources, and compromise data quality. As bots become more advanced, native NetSuite form protections are no longer enough. Implementing Google reCAPTCHA v3 in a NetSuite online form provides a modern, invisible layer of security that blocks automated submissions without disrupting legitimate users. In this guide, we walk through a production-ready approach to NetSuite reCAPTCHA implementation, combining client-side scripts with secure, server-side Suitelet validation.

Purpose

The purpose of this article is to provide a clear, real-world framework for implementing Google reCAPTCHA v3 in NetSuite online customer forms using best practices. You’ll learn how to silently generate and validate reCAPTCHA tokens, prevent bot-driven spam submissions, and maintain full control over form validation logic within NetSuite. Whether you’re focused on NetSuite spam prevention, improving form security, or protecting public-facing data entry points, this guide delivers a scalable and secure solution that works seamlessly within the NetSuite ecosystem.

For official documentation, refer to Google’s reCAPTCHA v3 guide: https://developers.google.com/recaptcha/docs/v3

Why reCAPTCHA v3 for NetSuite Online Forms?

Unlike reCAPTCHA v2, v3 works silently in the background and assigns a risk score to each submission.

Benefits:

• No user interaction
• Better UX
• Blocks automated spam
• Fully customizable validation logic in NetSuite

High-Level Flow (What We’re Building)

1. Load reCAPTCHA script in the Online Form Template
2. Generate a reCAPTCHA token on page load
3. Validate the token during form submission (saveRecord)
4. Send the token to a Suitelet
5. Suitelet verifies it with Google and returns a score
6. Allow or block submission based on score

Step 1: Open the Online Customer Form

1. Go to Customization → Forms → Online Customer Forms (or your relevant online form)
2. Open the form you want to protect
3. Click Customize

Step 2: Load reCAPTCHA Script in the Form Template

Open the Template associated with the online form and add the Google reCAPTCHA script.

<script src=”https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY”></script>

Why this is required

• This loads Google’s reCAPTCHA v3 library
• Without this, grecaptcha.execute() will never work

Step 3: Add Client-Side reCAPTCHA Logic to the Form

Go back to the Online Form and add the following Custom Script.

Client Script (reCAPTCHA Token Generation + Validation)

var RECAPTCHA_TOKEN = null;
var SITE_KEY = ‘YOUR_SITE_KEY’;
var url = ‘SUITELET_URL’;
var minimum_score = 0.5;
var script_id = ‘2634’;
var comp_id = ‘3331694_SB1’;
var TOKEN_TIME = null;

What these variables do

• RECAPTCHA_TOKEN → Stores the generated token
• SITE_KEY → Google reCAPTCHA site key
• url → Suitelet URL for verification
• minimum_score → Threshold to allow submission (0.0–1.0)
• TOKEN_TIME → Tracks token expiry (tokens are short-lived)

Generate reCAPTCHA Token

What’s happening here:

• grecaptcha.execute() runs silently
• Google returns a token
• Token is stored for form submission

Page Load Hook

This ensures:

• reCAPTCHA loads properly
• Token is generated as soon as the form opens

Token Expiry Check

Why these matters

• reCAPTCHA tokens expire quickly
• Prevents invalid token reuse
• Improves security

Validate Before Form Submission (saveRecord)

Key Points (Important)

• async: false is required for NetSuite saveRecord
• Submission is blocked unless Google confirms the request is legit
• Score-based validation gives you full control

Error Message Helpers

These functions display clean, user-friendly error messages without breaking the form UI.

Step 4: Create the Suitelet for Server-Side Verification

Client-side validation alone is not secure. The real verification must happen on the server.

Suitelet Script (reCAPTCHA Verification)

Step 5: What the Suitelet Does

• Receives the reCAPTCHA token from the form
• Sends it to Google’s verification API
• Returns:
  • success → true / false
  • score → confidence score
  • action → action name (optional)

This keeps your secret key fully secure on the server.

Final Thoughts

This setup gives you:

• Silent bot protection
• Full control over validation logic
• Secure server-side verification

If you’re running public-facing NetSuite forms, this isn’t optional anymore, it’s baseline security.

Public-facing NetSuite forms are often the first entry point into your ERP and they deserve enterprise-grade protection. By implementing Google reCAPTCHA v3 with Suitelet-based server-side validation, you can significantly reduce spam, protect sensitive data, and improve overall system reliability without sacrificing user experience. If you’re ready to strengthen your NetSuite online form security or want expert guidance implementing reCAPTCHA the right way, contact GIR Software Services today to start securing your NetSuite environment.

Why GIR Software Services

GIR Software Services specializes exclusively in NetSuite, delivering secure, scalable solutions tailored to real-world business needs. Our team brings deep expertise in NetSuite Suitelet development, form customization, and security-focused implementations, ensuring your solutions are not only functional, but future-proof. From NetSuite reCAPTCHA validation to full ERP optimization, GIR partners with you to protect your data, streamline processes, and get the most out of your NetSuite investment.

• Our Services
• Our NetSuite ERP Services
• Our NetSuite SuiteCommerce Services
• About GIR Software Services