
CAPTCHA & bot protection (Turnstile, reCAPTCHA, hCaptcha)

Every form includes a honeypot field you hide in your HTML. On Pro, you can add Cloudflare Turnstile, Google reCAPTCHA v3, or hCaptcha so the server verifies a token on each submission.

Honeypot (all plans)

When you create a form you choose a honeypot field name. Add a normal text input with that name, hide it with CSS, and do not autofocus it. Humans leave it empty; many bots fill it in and we reject the submission.

Turn on CAPTCHA (Pro)

  1. Open the form → Settings.
  2. Under Security, choose CAPTCHA Provider: Cloudflare Turnstile, Google reCAPTCHA v3, or hCaptcha—or None for honeypot only.
  3. Paste the provider's secret key from their dashboard (server-side secret, not the site key shown in widgets).
  4. Save settings.

What to add on your website

CAPTCHA only works if the visitor's browser runs the provider's widget or script and the token is submitted with the form. Field names we read on the server:

  • Turnstile: token in cf-turnstile-response (or cf_turnstile_response).
  • reCAPTCHA v3: token in g-recaptcha-response.
  • hCaptcha: token in h-captcha-response.

Use each vendor's docs to add the widget and site key to your page. The Integration tab shows an HTML snippet for Turnstile when your form has a Turnstile secret saved.

JSON / AJAX submissions

If you POST JSON, include the same token field in the JSON body using the names above so our server can verify the CAPTCHA before storing the submission.
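
An added example (not Forms.fyi's own code) of a JSON submission that carries the token under the field names listed above and fails early when the token is absent. The function names, the endpoint argument and the sample values are assumptions; in the browser, `entries` would come from `Object.fromEntries(new FormData(form))` after the provider's widget has run.

```javascript
// Token field names per provider, as listed in this article.
const TOKEN_FIELDS = {
  turnstile: ["cf-turnstile-response", "cf_turnstile_response"],
  recaptcha: ["g-recaptcha-response"],
  hcaptcha: ["h-captcha-response"],
};

// Build the JSON body from the form's entries (hypothetical helper).
// provider: "turnstile" | "recaptcha" | "hcaptcha" | "none" (honeypot only).
// The honeypot field is passed through untouched, exactly as the form holds it.
function buildJsonBody(provider, entries) {
  const body = { ...entries };
  if (provider === "none") return body;
  const names = TOKEN_FIELDS[provider];
  if (!names) throw new Error(`unknown CAPTCHA provider: ${provider}`);
  // The token must be a non-empty string under one of the accepted names.
  const present = names.some(
    (n) => typeof body[n] === "string" && body[n].trim() !== ""
  );
  if (!present) {
    // Client-side counterpart of the server's "Token is required" error.
    throw new Error(
      `missing ${names.join(" / ")}: widget not loaded or challenge not completed`
    );
  }
  return body;
}

// POST the body as JSON (hypothetical helper). endpoint is your form's
// submission URL (placeholder, not given in this article); fetchImpl is
// injectable so the function can be exercised without a network.
async function submitJson(endpoint, body, fetchImpl = fetch) {
  const res = await fetchImpl(endpoint, {
    method: "POST",
    headers: { "Content-Type": "application/json", Accept: "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`submission rejected: HTTP ${res.status}`);
  return res;
}
```
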

Troubleshooting

  • "Token is required" / verification errors usually mean the widget is missing, the wrong site key is on the page, or the secret in Forms.fyi does not match that site key's project.
  • Free accounts cannot enable Turnstile, reCAPTCHA, or hCaptcha in settings.