Google has rolled out reCAPTCHA v3. It does away with all the user friction. I wish to use it to secure my site. However, I am unsure about how this is going to protect my site. What if a hacker spams the URLs on my site with an external tool without using the interface I provide? How is reCAPTCHA v3 going to stop that?
How is reCAPTCHA v3 going to stop [Spam] ?
There are various heuristics which can be used to detect automated systems, such as the number of requests coming from a certain IP, browser fingerprinting, Google account cookies, among many others. Google seems to use some of them. If uncertain, a challenge gets shown.
What if a hacker spams the URLs on my site with an external tool without using the interface I provide?
Google generates a token for the client when they pass the checks which you have to validate on the serverside. If someone doesn't pass the CAPTCHA (a robot), they do not have a token.