GotCHA Implementation Checklist

We wrote this section to help with any troubleshooting. Check if you've performed all steps correctly

Setup Requirements

Client-side integration steps

Log into your GotCHA dashboard
Go to your application's "API Keys" tab
Copy your Site Key
Add the GotCHA widget div inside your HTML form
Replace YOUR_ACTUAL_SITE_KEY_HERE with your real site key from the dashboard
Add JavaScript to handle form submission and capture the CAPTCHA token
Ensure your form data includes the gotcha-response field when submitting to your server

Server-side verification steps

Copy your Secret Key from the GotCHA dashboard (different from your Site Key)
Set up an endpoint on your server to receive form submissions
Extract the CAPTCHA token from the gotcha-response field in your form data
Create a verification function that:
- Makes a POST request to http://api.gotcha.land/api/siteverify
- Sends your secret key and the token as form parameters
- Checks if the response shows "success": true
Only process the form submission if CAPTCHA verification passes
Handle verification failures gracefully (show error message, reject submission)

Testing procedures

Test that the CAPTCHA widget appears on your form
Test successful form submission with completed CAPTCHA
Test that form submission fails without completing CAPTCHA
Test that direct API calls to your server (bypassing frontend) are rejected without valid tokens
Verify that expired or invalid tokens are properly rejected

Completion checklist

Security best practices

Never put your secret key in frontend code - it should only exist on your server
Always verify every CAPTCHA token on your server before processing forms
Store your secret key securely (environment variables, secure config)
Handle API errors gracefully (decide whether to allow or block if verification API is down)

Last updated 4 months ago