Headless Forms

Bot Protection

Headless Forms supports multiple bot protection providers. You can choose a provider per form and configure it independently of the honeypot layer.

Supported Providers

Cloudflare Turnstile

A privacy-focused CAPTCHA alternative from Cloudflare. It can run invisibly or show a visible widget.

  • Token field: cf-turnstile-response

Add the Turnstile widget to your form:

<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>

<div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY"></div>

The widget automatically injects a hidden cf-turnstile-response field into your form.

reCAPTCHA v2

Google's "I'm not a robot" checkbox challenge.

  • Token field: g-recaptcha-response

Add the reCAPTCHA widget:

<script src="https://www.google.com/recaptcha/api.js" async defer></script>

<div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>

reCAPTCHA v3

Google's invisible scoring system. No user interaction required — it scores requests based on behavior.

  • Token field: g-recaptcha-response
  • Submissions below the score threshold configured in the dashboard are rejected.

Execute reCAPTCHA v3 and include the token:

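<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>
<input type="hidden" name="g-recaptcha-response" id="recaptcha-token" />
<script>
  // Once the library has loaded, request a token and store it in the hidden field.
  // Tokens expire after two minutes, so request a fresh one if the form stays open longer.
  grecaptcha.ready(function() {
    grecaptcha.execute('YOUR_SITE_KEY', { action: 'submit' }).then(function(token) {
      document.getElementById('recaptcha-token').value = token;
    });
  });
</script>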

Combining with the Honeypot

Bot protection and the honeypot are independent layers. You can use:

  • Honeypot only — lightweight, no external dependencies
  • Bot protection only — Turnstile or reCAPTCHA for stronger verification
  • Both together — maximum protection with multiple layers

Token and honeypot fields are always removed from the submission data automatically.
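
To show how the layers above combine on the receiving side, here is an added sketch of the screening decision; it is not Headless Forms' own code. The token field names are the ones listed on this page and the URLs are the providers' public siteverify endpoints, while the honeypot field name `_honeypot`, the 0.5 default threshold and the function names are assumptions.

```javascript
// Added illustration, not Headless Forms source code.
// Token field names come from the page; HONEYPOT_FIELD and minScore are assumed.
const PROVIDERS = {
  turnstile:   { field: 'cf-turnstile-response', url: 'https://challenges.cloudflare.com/turnstile/v0/siteverify' },
  recaptchaV2: { field: 'g-recaptcha-response',  url: 'https://www.google.com/recaptcha/api/siteverify' },
  recaptchaV3: { field: 'g-recaptcha-response',  url: 'https://www.google.com/recaptcha/api/siteverify', scored: true },
};
const HONEYPOT_FIELD = '_honeypot'; // hypothetical field name

// Ask the provider whether the token is genuine. Needs network access and the
// secret key, so it is kept apart from the pure decision logic below.
async function siteverify(provider, secret, token) {
  const body = new URLSearchParams({ secret, response: token });
  const res = await fetch(PROVIDERS[provider].url, { method: 'POST', body });
  return res.json(); // { success, score?, action?, ... }
}

// Pure decision step. `verdict` is the parsed siteverify response, or null when
// no provider is configured. Returns the cleaned data or a rejection reason.
function screenSubmission(fields, { provider = null, honeypot = true, minScore = 0.5 } = {}, verdict = null) {
  const data = { ...fields };
  const trap = data[HONEYPOT_FIELD];
  // Honeypot and token fields never reach the stored submission.
  delete data[HONEYPOT_FIELD];
  for (const p of Object.values(PROVIDERS)) delete data[p.field];

  if (honeypot && trap) return { accepted: false, reason: 'honeypot' };
  if (provider) {
    const cfg = PROVIDERS[provider];
    if (!fields[cfg.field]) return { accepted: false, reason: 'missing-token' };
    if (!verdict || verdict.success !== true) return { accepted: false, reason: 'invalid-token' };
    // A missing score fails the comparison, so a v3 form rejects it (fail closed).
    if (cfg.scored && !(verdict.score >= minScore)) return { accepted: false, reason: 'low-score' };
  }
  return { accepted: true, data };
}

// Constructed sample submission and verdicts.
const human = { email: 'a@example.com', 'g-recaptcha-response': 'tok', [HONEYPOT_FIELD]: '' };
console.log(screenSubmission(human, { provider: 'recaptchaV3' }, { success: true, score: 0.9 }));
console.log(screenSubmission(human, { provider: 'recaptchaV3' }, { success: true, score: 0.1 }));
```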