Quick description (copy-paste):

HighLevel’s built-in reCAPTCHA is served with a site key registered to a generic HighLevel domain, not to the custom domain the page is actually on. Browsers log “ERROR: domain mismatch for site-key”; Lighthouse and security scanners flag it. Functionality still works, but the warning clutters audits and undermines trust.

Why it matters

Clean console → easier debugging and higher perceived quality.

Stops false-positive warnings in SEO / security tools.

Allows strict Content-Security-Policy setups (no wildcard domains).

Requested fix

Domain-aware provisioning – when a custom domain is connected, automatically register that domain to the default reCAPTCHA key.

Custom key option – add fields in Site Settings → Security to paste our own reCAPTCHA v2/v3 keys (or hCaptcha key) per workspace.

Toggle off – let power users disable the built-in reCAPTCHA and embed their own script if they prefer.

One update removes the console noise, keeps security teams happy, and gives agencies full control over CAPTCHA branding.