Captcha Plugin

Bot protection with Cloudflare Turnstile

The captcha plugin adds bot protection to authentication flows using Cloudflare Turnstile.

Configuration

The plugin is automatically enabled when TURNSTILE_SECRET_KEY is set:

TURNSTILE_SECRET_KEY=your_secret_key
NEXT_PUBLIC_CAPTCHA_SITE_KEY=your_site_key

Setup

  1. Create a Turnstile widget at Cloudflare Dashboard
  2. Add environment variables:
    • TURNSTILE_SECRET_KEY - Server-side secret key
    • NEXT_PUBLIC_CAPTCHA_SITE_KEY - Client-side site key
  3. The plugin automatically protects auth endpoints when configured

Conditional Enablement

The plugin gracefully disables itself when no secret key is configured, allowing development without captcha while enabling it in production.

Next: OTP Plugin