This simple flutter plugin allows using the SafetyNet API on Android devices to verify that the user is human.

Using the plugin


First, include the plugin in your project's dependencies by including it in the relevant section of your pubspec.yaml:

  grecaptcha: ^0.0.5

Next, you wil need to register your app in the reCAPTCHA admin console. Go to and register by filling out the form. Be sure to select "reCAPTCHA-Android" as the type. A form field asking for your Android package name will appear. You can copy it from the manifest file located under android/app/src/main/AndroidManifest.xml in your project directory. It is the value of the package attribute of the root XML-tag. You can also visit the instructions page from the android documentation for a more detailed guide, only the section "Adding a SafetyNet API dependency" is relevant, the plugin will do the rest.

Verifying users

After having your app registered with the reCAPTCHA API, you can invoke the following method anywhere in your dart code, most commonly after a button has been pressed. Replace SITE_KEY with the site key the admin interface shows after registering your app.

 Grecaptcha.verifyWithRecaptcha(SITE_KEY).then((result) {
    // You can send the result token, along with some form fields, to your
    // server, which can verify the token using an endpoint proved by the
    // reCAPTCHA API for servers, see
    }, onError: (e, s) {
    // An error doesn't have to mean that the user is not a human. Errors
    // can also occur when the sitekey is invalid or does not match your
    // application, when the device is not supported or when a network
    // error occurs.
    // You should inform the user of errors, explaining why they can't
    // proceed. As the plugin is not available for iOS, you might consider
    // skipping the reCAPTCHA step when FGrecaptcha.isAvailable is false.
    print("Could not verify:\n $e at $s");

Server-side verification

Simply checking that Grecaptcha.verifyWithRecaptcha returned a value is not enough to be sure that the user is a human. Instead, you would have to verify the token returned in your applications backend server. You can accomplish that by following the instructions at