All docs
4 min read

Captcha

Captcha sits between honeypot (free, weak) and AI moderation (paid, smart). It's the right tool when you need a hard gate that survives sophisticated bots but you don't want to wait on a model.

Formspring supports hCaptcha and Google reCAPTCHA. Both are configured per form — there is no global toggle. You bring your own keys.

hCaptcha setup

  1. Sign up at hcaptcha.com and create a site.
  2. Copy the site key and secret key.
  3. On the form's edit page, enable hCaptcha and paste both values.
  4. Add the widget to your form.
<script src="https://js.hcaptcha.com/1/api.js" async defer></script>

<form action="https://formspring.io/f/your-form-id" method="POST">
  <input name="email" type="email" required>
  <textarea name="message" required></textarea>

  <div class="h-captcha" data-sitekey="YOUR_HCAPTCHA_SITE_KEY"></div>

  <button type="submit">Send</button>
</form>

When the user solves the challenge, hCaptcha injects a hidden input named h-captcha-response with the verification token. Formspring reads that field, verifies it against your secret, and rejects the submission if it's missing or invalid.

reCAPTCHA setup

Both v2 ("I'm not a robot" checkbox) and v3 (invisible score) are supported.

  1. Sign up at google.com/recaptcha and create a site.
  2. Copy the site key and secret key.
  3. On the form's edit page, enable reCAPTCHA, paste both values, and choose v2 or v3.

For v2:

<script src="https://www.google.com/recaptcha/api.js" async defer></script>

<form action="https://formspring.io/f/your-form-id" method="POST">
  <input name="email" type="email" required>
  <div class="g-recaptcha" data-sitekey="YOUR_RECAPTCHA_SITE_KEY"></div>
  <button type="submit">Send</button>
</form>

For v3, you mint the token in JavaScript before submission and inject it as a hidden field named g-recaptcha-response:

<script src="https://www.google.com/recaptcha/api.js?render=YOUR_RECAPTCHA_SITE_KEY"></script>
<script>
  grecaptcha.ready(() => {
    grecaptcha.execute('YOUR_RECAPTCHA_SITE_KEY', { action: 'submit' })
      .then((token) => {
        document.getElementById('recaptcha-token').value = token;
      });
  });
</script>

<form action="https://formspring.io/f/your-form-id" method="POST">
  <input name="email" type="email" required>
  <input type="hidden" id="recaptcha-token" name="g-recaptcha-response">
  <button type="submit">Send</button>
</form>

Where the token comes from

Both providers post a token (h-captcha-response or g-recaptcha-response) as a normal form field. Formspring picks it up server-side and verifies it with the provider before accepting the submission. You don't proxy anything yourself.

If the token is missing, expired, or fails verification, the submission is rejected with 400 Bad Request and a captcha_failed reason. It does not land in the spam folder — the request never makes it past validation.

When to use which

Need Pick
Privacy-friendly, no Google dependency hCaptcha
Best human bot detection in 2026 reCAPTCHA v3
Visible challenge, no JavaScript heuristics reCAPTCHA v2 or hCaptcha
Lowest user friction (invisible) reCAPTCHA v3
Compliance with EU data residency hCaptcha

If you don't have a strong opinion: hCaptcha v2-style for public contact forms, reCAPTCHA v3 for high-volume signup forms where you want the score-based fraud signal.

Accessibility tradeoffs

Captchas are inherently friction. v2-style checkbox challenges are usable by most assistive tech but the image puzzles that follow a failed challenge are not. v3-style invisible captchas are friction-free for humans but produce false positives that block users with no recourse.

For a public-facing form where reach matters more than spam prevention, lean on honeypot + rate limits + AI moderation and skip captcha entirely.

What's next

← Previous
Rate limits
Next →
AI moderation