reCAPTCHA setup

Your project supports Google reCAPTCHA v3 (invisible) to protect authentication endpoints from bots. When enabled, it guards: sign up, sign in, password reset, email verification.

What happens without reCAPTCHA configured?

If RECAPTCHA_SECRET_KEY or RECAPTCHA_SITE_KEY is not set, reCAPTCHA is disabled and every auth form works normally without bot verification. That is fine for development and internal tools, but note that the guard fails open: a deployment missing either variable gets no bot protection and no error, so confirm both are present before exposing the auth endpoints publicly.

Environment variables

Add these to packages/backend/.env:

RECAPTCHA_SITE_KEY=6Lxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
RECAPTCHA_SECRET_KEY=6Lxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • Site key — public key used by the frontend to render reCAPTCHA.
  • Secret key — server-side key used to verify tokens with Google. It must stay on the server: never ship it in the frontend bundle or commit it to version control.

Getting your keys

  1. Go to the Google reCAPTCHA admin console.
  2. Click Create (the + button).
  3. Choose reCAPTCHA v3 (score-based).
  4. Add your domains (e.g., localhost, yourdomain.com).
  5. Submit and copy the site key and secret key.

Tip: For local development, add localhost to the domain list. Once it is listed, reCAPTCHA v3 works on localhost without any extra setup.

How it works

  1. The frontend loads the reCAPTCHA script using the site key (only when configured).
  2. On form submission, reCAPTCHA generates an invisible token in the background — no user interaction needed.
  3. The token is sent to the backend via the x-captcha-response header.
  4. The backend verifies the token with Google using the secret key.
  5. If verification fails, the request is rejected.
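The flow above, end to end, as an added example that is not the project's own code: the browser side obtains a v3 token and attaches it in the x-captcha-response header; the backend posts the token and the secret key to Google's siteverify endpoint and decides. The endpoint URL, the grecaptcha.execute call and the siteverify response fields (success, score, action, hostname, error-codes) are Google's documented API; the function names, the 0.5 score threshold, the action and hostname checks, the sample replies and the fake fetch used so the code runs offline are assumptions of this example, not something the page states the project does.

```javascript
// Added example, not the project's own code. Shows both halves of the
// documented flow: token in x-captcha-response on the way in, siteverify
// on the way out. Names, thresholds and sample data are assumptions.

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Mirrors the documented behaviour: if either key is missing the guard is off.
function isCaptchaEnabled(env) {
  return Boolean(env.RECAPTCHA_SITE_KEY && env.RECAPTCHA_SECRET_KEY);
}

// Browser side. `grecaptcha` is the global loaded by
// https://www.google.com/recaptcha/api.js?render=<site key>; it is passed in
// so this helper can run outside a browser. `action` is a label the v3 API
// binds into the token (e.g. 'signin'); the backend checks it below.
async function buildAuthRequest(grecaptcha, siteKey, action, payload) {
  const token = siteKey ? await grecaptcha.execute(siteKey, { action }) : '';
  const headers = { 'Content-Type': 'application/json' };
  if (token) headers['x-captcha-response'] = token;
  return { method: 'POST', headers, body: JSON.stringify(payload) };
}

// Pure decision over Google's siteverify JSON. Every path that is not an
// explicit pass is a reject, so a malformed or partial reply fails closed.
function evaluateSiteverify(data, { expectedAction, minScore = 0.5, allowedHostnames } = {}) {
  if (!data || data.success !== true) {
    return { ok: false, reason: 'not-valid', errors: (data && data['error-codes']) || [] };
  }
  if (expectedAction && data.action !== expectedAction) {
    return { ok: false, reason: 'action-mismatch', score: data.score };
  }
  if (allowedHostnames && !allowedHostnames.includes(data.hostname)) {
    return { ok: false, reason: 'hostname-mismatch', score: data.score };
  }
  if (typeof data.score !== 'number' || data.score < minScore) {
    return { ok: false, reason: 'low-score', score: data.score };
  }
  return { ok: true, score: data.score };
}

// Backend side. Posts secret + token to siteverify and applies the decision.
// A missing token or an unreachable verifier is a reject, never a pass.
async function verifyCaptcha(token, secretKey, opts = {}) {
  if (typeof token !== 'string' || token === '') {
    return { ok: false, reason: 'missing-token' };
  }
  const fetchImpl = opts.fetchImpl || globalThis.fetch;
  let data;
  try {
    const res = await fetchImpl(SITEVERIFY_URL, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({ secret: secretKey, response: token }).toString(),
    });
    data = await res.json();
  } catch (err) {
    return { ok: false, reason: 'verify-unreachable' };
  }
  return evaluateSiteverify(data, opts);
}

// Constructed siteverify replies (not real Google output) so the example
// runs offline; the token strings are made up.
const sampleReplies = {
  'good-token':   { success: true, score: 0.9, action: 'signin', hostname: 'yourdomain.com' },
  'bot-token':    { success: true, score: 0.1, action: 'signin', hostname: 'yourdomain.com' },
  'signup-token': { success: true, score: 0.9, action: 'signup', hostname: 'yourdomain.com' },
  'other-site':   { success: true, score: 0.9, action: 'signin', hostname: 'evil.example' },
  'expired':      { success: false, 'error-codes': ['timeout-or-duplicate'] },
};

// Stand-ins for Google's endpoint and for the browser `grecaptcha` global.
async function fakeFetch(_url, init) {
  const token = new URLSearchParams(init.body).get('response');
  const reply = sampleReplies[token] || { success: false, 'error-codes': ['invalid-input-response'] };
  return { json: async () => reply };
}
const fakeGrecaptcha = { execute: async () => 'good-token' };

// Whole flow for one sign-in: build the request, then verify its header.
async function demo() {
  const env = { RECAPTCHA_SITE_KEY: '6Lxxxx', RECAPTCHA_SECRET_KEY: '6Lyyyy' };
  const req = await buildAuthRequest(fakeGrecaptcha, env.RECAPTCHA_SITE_KEY, 'signin', { email: 'a@b.c' });
  if (!isCaptchaEnabled(env)) return { ok: true, reason: 'captcha-disabled' };
  return verifyCaptcha(req.headers['x-captcha-response'], env.RECAPTCHA_SECRET_KEY, {
    expectedAction: 'signin',
    allowedHostnames: ['yourdomain.com'],
    fetchImpl: fakeFetch,
  });
}

demo().then((result) => console.log(result));
```

The action and hostname checks are what keep a token minted for one form, or for another site using the same keys, from being replayed against sign-in; the score threshold is per endpoint and should be tuned from real traffic rather than copied.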