Authgear
Start BuildingHomePortalCommunity
  • Authgear Overview
  • Get Started
    • Start Building
    • 5-Minute Guide
    • Single-Page App
      • JavaScript (Web)
      • React
      • Angular
      • Vue
    • Native/Mobile App
      • iOS SDK
      • Android SDK
        • Android Kotlin coroutine support
        • Android OKHttp Interceptor Extension (Optional)
      • Flutter SDK
      • React Native SDK
      • Ionic SDK
      • Xamarin SDK
      • Using Authgear without SDK (Client side)
    • Regular Web App
      • Express
      • Next.js
      • Python Flask App
      • Java Spring Boot
      • ASP.NET Core MVC
      • Laravel
      • PHP
    • Backend/API Integration
      • Validate JWT in your application server
      • Forward Authentication to Authgear Resolver Endpoint
    • AI Coding tools
      • Cursor/Windsurf
  • How-To Guides
    • Authenticate
      • Add Passkeys Login
      • Add WhatsApp OTP Login
      • Add Email Magic Link Login
      • Add Biometric Login
      • Add Anonymous Users
      • Add authentication to any web page
      • Enable Two-Factor Authentication (2FA)
      • How to Use the OAuth 2.0 State Parameter
      • Reauthentication
      • How to Use Social/Enterprise Login Providers Without AuthUI
      • Passwordless Login for Apple App Store Review
      • Setup local development environment for Cookie-based authentication
      • Forgot/Reset Password settings
      • Phone number validation
      • Set Password Expiry
    • Single Sign-on
      • App2App Login
      • Pre-authenticated URLs
      • SSO between Mobile Apps / Websites
      • Force Authgear to Show Login Page
      • Single Sign-On with OIDC
      • Single Sign-On with SAML
        • Use Authgear as SAML Identity Provider for Salesforce
        • Use Authgear as SAML Identity Provider for Dropbox
        • SAML Attribute Mapping
    • Social Login / Enterprise Login Providers
      • Social Login Providers
        • Connect Apps to Apple
        • Connect Apps to Google
        • Connect Apps to Facebook
        • Connect Apps to GitHub
        • Connect Apps to LinkedIn
        • Connect Apps to WeChat
      • Enterprise Login Providers
        • Connect Apps to Azure Active Directory
        • Connect Apps to Microsoft AD FS
        • Connect Apps to Azure AD B2C
      • Force Social/Enterprise Login Providers to Show Login Screen
    • Built-in UI
      • Branding in Auth UI
      • User Settings
      • Privacy Policy & Terms of Service Links
      • Customer Support Link
      • Custom Text
    • Custom UI
      • Authentication Flow API
      • Implement Authentication Flow API using Express
      • Implement Authentication Flow API using PHP
      • Add Custom Login/Signup UI to Native Apps
      • Manually Link OAuth Provider using Account Management API
      • Implement a custom account recovery UI using Authentication Flow API
    • Integrate
      • Add custom fields to a JWT Access Token
      • User Analytics by Google Tag Manager
      • Track User Before and After Signup
      • Custom domain
      • Custom Email Provider
      • Custom SMS Provider
        • Twilio
        • Webhook/Custom Script
    • Monitor
      • Audit Log For Users Activities
      • Audit Log for Admin API and Portal
      • Analytics
    • User Management
      • Account Deletion
      • Import Users using User Import API
      • Export Users using the User Export API
      • Manage Users Roles and Groups
      • How to Handle Password While Creating Accounts for Users
    • User Profiles
      • What is User Profile
      • Access User Profiles
      • Update User Profiles
      • Profile Custom Attributes
      • Update user profile on sign-up using Hooks
    • Events and Hooks
      • Event List
      • Webhooks
      • JavaScript / TypeScript Hooks
      • Only Allow Signups from Inside the Corporate Network using Hooks
    • Mobile Apps
      • Use SDK to make authorized API calls to backend
      • Force authentication on app launch
      • Customize the Login Pop-up / Disable the login alert box
    • Languages and Localization
    • Custom Email and SMS Templates
    • Directly accessing Authgear Endpoint
    • Migration
      • Bulk migration
      • Rolling migration
      • Zero-downtime migration
    • Troubleshoot
      • How to Fix SubtleCrypto: digest() undefined Error in Authgear SDK
      • How to Fix CORS Error
  • Concepts
    • Identity Fundamentals
    • Authgear use cases
    • User, Identity and Authenticator
  • Security
    • Brute-force Protection
    • Bot Protection
    • Non-HTTP scheme redirect URI
    • Password Strength
  • Reference
    • APIs
      • Admin API
        • Authentication and Security
        • API Schema
        • Admin API Examples
        • Using global node IDs
        • Retrieving users using Admin API
        • User Management Examples
          • Search for users
          • Update user's standard attributes
          • Update user's picture
          • Generate OTP code
      • Authentication Flow API
      • OAuth 2.0 and OpenID Connect (OIDC)
        • UserInfo
        • Supported Scopes
      • User Import API
      • User Export API
    • Tokens
      • JWT Access Token
      • Refresh Token
    • Glossary
    • Billing FAQ
    • Rate Limits
      • Account Lockout
  • Client App SDKs
    • Javascript SDK Reference
    • iOS SDK Reference
    • Android SDK Reference
    • Flutter SDK Reference
    • Xamarin SDK Reference
  • Deploy on your Cloud
    • Running locally with Docker
    • Deploy with Helm chart
    • Authenticating HTTP request with Nginx
    • Configurations
      • Environment Variables
      • authgear.yaml
      • authgear.secrets.yaml
    • Reference Architecture Diagrams
      • Google Cloud Reference Architecture
      • Azure Reference Architecture
      • AWS Reference Architecture
      • Throughput Scaling Reference
Powered by GitBook
On this page
  • How to Enable Bot Protection
  • 1. Set a CAPTCHA Provider
  • 2. Set CAPTCHA Requirements
  • 3. Reset Password

Was this helpful?

Edit on GitHub
  1. Security

Bot Protection

Use bot protection tools to block automated attackers

PreviousBrute-force ProtectionNextNon-HTTP scheme redirect URI

Last updated 8 months ago

Was this helpful?

Bot protection detects and blocks attacks from automation tools. This secures your application by using CAPTCHA challenges to stop bots.

With bot protection enabled, Authgear may require your users to complete a CAPTCHA challenge before proceeding with specific authentication flows or actions. You can select the CAPTCHA provider you prefer in the Authgear portal.

The following screenshot shows a Bot Protection CAPTCHA in AuthUI:

How to Enable Bot Protection

You can turn on bot protection for your project in the Authgear Portal. To do that, first, navigate to the Bot Protection section in the portal then toggle the Enable Bot Protection radio button on.

Once you've toggled Enable Bot Protection, you can access more options for setting up a CAPTCHA provider and configuring how bot protection will work in your project.

1. Set a CAPTCHA Provider

Scroll to the CAPTCHA Challenge Provider sub-section, and select one of the supported CAPTCHA providers.

Authgear currently supports these providers:

  • reCAPTCHA

  • Cloudflare Turnstile

Then, enter your Site Key and Secret Key for the CAPTCHA provider.

reCAPTCHA

Only reCAPTCHA Challenge (v2) is supported.

Cloudflare Turnstile

Only the Managed Widget Mode is supported.

Once you're done adding your site, Cloudflare will provide you with the Site Key and Secret Key for your new site.

2. Set CAPTCHA Requirements

Scroll to the CAPTCHA Requirement sub-section to set the condition for showing CAPTCHA. The following are CAPTCHA requirements you can set:

Flows

Use the flow option to configure when your project shows CAPTCHA based on the type of authentication flow or when a user is using a specific authenticator.

The values you can set for Flows are:

All signup & login flows: If you select the All signup & login flows option, and select Always in the dropdown, your users will see a CAPTCHA when they log in or sign up for all authenticators.

When specific authenticator is used: Selecting this option will only show CAPTCHA to your users for specific authenticators. If you select the When specific authenticator is used option, you can continue to specify the authenticator you want users to see CAPTCHA for.

Password: This option will be available when you set Flows to When specific authenticator is used. Set it to Always to enable CAPTCHA when users log in using a password.

Passwordless via SMS: Set this option to Always to enable CAPTCHA when users log in using SMS OTP. It is only available when you set Flows to When specific authenticator is used.

Passwordless via Email: You can use this option to enable CAPTCHA for passwordless authentication using email. The option is only available when you set Flows to When specific authenticator is used.

3. Reset Password

You can use this option to set whether to always or never show CAPTCHA when a user is performing a password reset.

To get a Site Key and Secret Key for reCAPTCHA go to the official website of and register a new site. Add your under Domains.

For Cloudflare Turnstile, also visit the official page and add a new site. Enter your in the Domain field.

reCAPTCHA
Authgear project domain
Cloudflare Turnstile
Authgear project domain