Captcha
Protect server actions and forms with captcha verification.
What It Does
@kit/auth ships captcha helpers for both client token generation and server-side verification.
When To Use
- Public forms (contact, signup, demo requests).
- Sensitive endpoints exposed to abuse.
Prerequisites
- Captcha site key and secret configured.
Operational Note
Validate credentials, secrets, and runtime environment values before promoting changes to production.
How To Use
Env vars
NEXT_PUBLIC_CAPTCHA_SITE_KEY=your_site_key
CAPTCHA_SECRET_KEY=your_secret_key
Client provider and token hook
import { CaptchaProvider, useCaptchaToken } from '@kit/auth/www/captcha/client';
Server action protection
import { captchaActionClient, verifyCaptcha } from '@kit/auth/www/captcha/server';
Use captchaActionClient for validated actions or call verifyCaptcha(token) manually.
MCP Context
capability: captcha_protection
entrypoints:
- @kit/auth/www/captcha/client
- @kit/auth/www/captcha/server
inputs:
- captcha_token
outputs:
- allow_or_block_action
constraints:
- server-side secret must be configured
side_effects:
- rejected requests when captcha verification fails
Agent Recipe
- Add client provider and capture token.
- Pass token to server action input.
- Protect action with captchaActionClient.
Troubleshooting
- Empty token usually means provider is not mounted.
- Server verification failures usually mean secret mismatch.
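A pre-deployment check for the two variables from the Env vars section, added here as an example and not part of @kit/auth. It flags unset values, the template placeholders, stray whitespace or quotes, and any NEXT_PUBLIC_ variable carrying the secret, since Next.js inlines NEXT_PUBLIC_ values into the client bundle. The function names and the sample values are assumptions.

```javascript
// Added example: pre-deployment check for the captcha variables on this page.
const SITE_KEY = 'NEXT_PUBLIC_CAPTCHA_SITE_KEY';
const SECRET_KEY = 'CAPTCHA_SECRET_KEY';
// Placeholder values from the page's env template.
const PLACEHOLDERS = new Set(['your_site_key', 'your_secret_key']);

// Problems with a single variable's value.
function checkValue(name, value) {
  if (value === undefined || value === '') return [`${name} is not set`];
  const problems = [];
  const trimmed = value.trim();
  // Whitespace or quotes pasted with the value make it differ from the issued key.
  if (trimmed !== value) problems.push(`${name} has leading or trailing whitespace`);
  if (/^["'].*["']$/.test(trimmed)) problems.push(`${name} is wrapped in quotes`);
  if (PLACEHOLDERS.has(trimmed)) problems.push(`${name} still holds the template placeholder`);
  return problems;
}

// Returns a list of problems; an empty list means the configuration passed.
function checkCaptchaEnv(env) {
  const problems = [
    ...checkValue(SITE_KEY, env[SITE_KEY]),
    ...checkValue(SECRET_KEY, env[SECRET_KEY]),
  ];
  const secret = (env[SECRET_KEY] || '').trim();
  if (!secret) return problems;
  // Next.js inlines NEXT_PUBLIC_ values into the browser bundle, so the
  // secret must not appear under any variable with that prefix.
  for (const [name, value] of Object.entries(env)) {
    if (name.startsWith('NEXT_PUBLIC_') && value && value.trim() === secret) {
      problems.push(`${name} exposes the value of ${SECRET_KEY} to the client`);
    }
  }
  return problems;
}

// Constructed sample: the secret was also copied under a public name.
const sampleEnv = {
  NEXT_PUBLIC_CAPTCHA_SITE_KEY: 'site-abc',
  CAPTCHA_SECRET_KEY: 'secret-xyz',
  NEXT_PUBLIC_CAPTCHA_SECRET_KEY: 'secret-xyz',
};
for (const problem of checkCaptchaEnv(sampleEnv)) console.log(problem);
```

In a build or deploy script, call checkCaptchaEnv(process.env) and exit non-zero when the returned list is not empty.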
Last updated on 3/23/2026