Additional Spam Protection

Use reCAPTCHA v2, reCAPTCHA v3, hCaptcha, or Cloudflare Turnstile with SpamBlock Forms.

SpamBlock Forms supports optional CAPTCHA verification so you can require a valid token on each submission. You can choose one type per form: reCAPTCHA v2 (custom key), reCAPTCHA v3, hCaptcha, or Cloudflare Turnstile.

  1. In the dashboard, open your form and go to Settings.
  2. Find the Additional Spam Protection card and click the settings (gear) button.
  3. Select the protection type and paste your secret key (and for reCAPTCHA v2, your site key).
  4. Add the provider’s widget or script to your form HTML and send the token with the expected field name in the request body.

SpamBlock verifies the token server-side. If CAPTCHA is enabled and the token is missing or invalid, the submission is stored but marked as spam.

reCAPTCHA v2 (custom key)

Use your own reCAPTCHA v2 keys so the widget lives on your site.

  1. Go to the reCAPTCHA admin console, create a key, and select reCAPTCHA v2 (e.g. “I’m not a robot” checkbox).
  2. Add your domain and copy the Site key and Secret key.
  3. In SpamBlock form settings → Additional Spam Protection, choose reCAPTCHA v2 (custom key) and paste both keys.
  4. On your form page, load the reCAPTCHA script and add the widget. The token must be sent in the request under the field name g-recaptcha-response.

Example (widget in form, token submitted with field name g-recaptcha-response):

<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<form action="https://api.spamblock.io/f/YOUR_FORM_ID" method="POST">
  <input name="email" type="email" required />
  <div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>
  <button type="submit">Submit</button>
</form>

When the form is submitted, the reCAPTCHA widget automatically adds a hidden field named g-recaptcha-response. SpamBlock reads this field and verifies it with your secret key.

reCAPTCHA v3

reCAPTCHA v3 runs in the background and returns a score; no checkbox is required.

  1. In the reCAPTCHA admin console, create a key and select reCAPTCHA v3.
  2. Add your domain and copy the Secret key (and keep the Site key for your front end).
  3. In SpamBlock form settings → Additional Spam Protection, choose reCAPTCHA v3 and paste the Secret key.
  4. On your form, load the reCAPTCHA v3 script, execute it on submit, and send the token in the request under the field name g-recaptcha-response.

Example (execute on submit and send token as g-recaptcha-response):

<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>
<form id="myform" action="https://api.spamblock.io/f/YOUR_FORM_ID" method="POST">
  <input name="email" type="email" required />
  <button type="submit">Submit</button>
</form>
<script>
  document.getElementById("myform").addEventListener("submit", function (e) {
    e.preventDefault();
    var form = this;
    grecaptcha.ready(function () {
      grecaptcha.execute("YOUR_SITE_KEY", { action: "submit" }).then(function (token) {
        var input = document.createElement("input");
        input.type = "hidden";
        input.name = "g-recaptcha-response";
        input.value = token;
        form.appendChild(input);
        form.submit();
      });
    });
  });
</script>

SpamBlock expects the token in the field g-recaptcha-response and verifies it with your secret key.

hCaptcha

hCaptcha is a privacy-focused alternative to reCAPTCHA.

  1. In the hCaptcha dashboard, add a site and copy the Site key. From account settings, copy your Secret key.
  2. In SpamBlock form settings → Additional Spam Protection, choose hCaptcha and paste the Secret key.
  3. On your form, load the hCaptcha script and add the widget. Send the token in the request under the field name h-captcha-response.

Example:

<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
<form action="https://api.spamblock.io/f/YOUR_FORM_ID" method="POST">
  <input name="email" type="email" required />
  <div class="h-captcha" data-sitekey="YOUR_SITE_KEY"></div>
  <button type="submit">Submit</button>
</form>

The hCaptcha widget adds a response token. SpamBlock expects it in the field h-captcha-response and verifies it with your secret key.

Cloudflare Turnstile

Cloudflare Turnstile is a CAPTCHA alternative that can run without user challenges.

  1. In the Cloudflare Turnstile dashboard, add a widget and copy the Site key and Secret key.
  2. In SpamBlock form settings → Additional Spam Protection, choose Cloudflare Turnstile and paste the Secret key.
  3. On your form, load the Turnstile script and add the widget. Send the token in the request under the field name cf-turnstile-response.

Example:

<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<form action="https://api.spamblock.io/f/YOUR_FORM_ID" method="POST">
  <input name="email" type="email" required />
  <div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY"></div>
  <button type="submit">Submit</button>
</form>

SpamBlock expects the token in the field cf-turnstile-response and verifies it with your secret key.

Field names summary

Provider Field name in request
reCAPTCHA v2 / v3 g-recaptcha-response
hCaptcha h-captcha-response
Cloudflare Turnstile cf-turnstile-response

Verification is always done server-side by SpamBlock using your secret key. Do not expose the secret key in your front end.