CAPTCHA challenge
Ory Identities supports protecting self-service flows with CAPTCHA challenges. This helps prevent credential stuffing, brute-force, and other automated attacks.
Prerequisites
Before proceeding, ensure you are on a plan that supports this feature. If you need CAPTCHA support, contact us.
Supported CAPTCHA providers are:
Ory Console
- Go to Authentication → General in the Ory Console.
- Toggle CAPTCHA protection.
- Choose your preferred configuration mode:
  - Managed: Our standard, zero-setup integrated Cloudflare Turnstile widget.
    - Add or remove domains from the Allowed domains list.
    - You must define at least one valid domain.
    - You can list up to 10 domains in total.
  - Bring Your Own Keys: Connect your existing Cloudflare Turnstile account to view detailed security analytics directly within your own Cloudflare dashboard.
    - Enter your Turnstile Site Key and Secret Key.
- Click Save.
- Navigate to any protected self-service screen, for example the registration or login page, to test the CAPTCHA protection.
Ory CLI
Configure Managed Mode:
ory patch identity-config --project <project-id> --workspace <workspace-id> \
--replace '/selfservice/methods/captcha/enabled=true' \
--replace '/selfservice/methods/captcha/config/byo=false' \
--replace '/selfservice/methods/captcha/config/allowed_domains=["example.org", "foo.bar.dev"]'
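A pre-flight check for the Managed-mode allow-list, added here as an example (it is not part of the Ory documentation or tooling). It assumes the Console limits of 1 to 10 domains also apply to the CLI value and that a valid domain is a bare hostname; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the Managed-mode allowed_domains value.
# Assumptions (not from the Ory docs): the Console limits (1 to 10 domains)
# also apply to the CLI value, and "valid" means a bare hostname.

# Succeeds if $1 is a bare hostname: no scheme, port, path or wildcard.
is_bare_domain() {
  case $1 in
    '' | *[!A-Za-z0-9.-]*) return 1 ;;   # rejects ':', '/', '*', whitespace
  esac
  [ "${#1}" -le 253 ] || return 1
  printf '%s\n' "$1" |
    grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Prints the JSON array for the given domains, or fails with a reason on stderr.
allowed_domains_json() {
  if [ "$#" -lt 1 ] || [ "$#" -gt 10 ]; then
    echo "expected 1 to 10 domains, got $#" >&2
    return 1
  fi
  json='' seen=' '
  for d in "$@"; do
    if ! is_bare_domain "$d"; then
      echo "not a bare domain: $d" >&2
      return 1
    fi
    case $seen in
      *" $d "*) echo "duplicate domain: $d" >&2; return 1 ;;
    esac
    seen="$seen$d "
    json="${json:+$json, }\"$d\""
  done
  printf '[%s]\n' "$json"
}

# Prints the value to pass to --replace for the Managed-mode allow-list.
managed_replace_arg() {
  arr=$(allowed_domains_json "$@") || return 1
  printf '%s\n' "/selfservice/methods/captcha/config/allowed_domains=$arr"
}

# Constructed sample input: the two domains used in the Managed-mode command.
managed_replace_arg example.org foo.bar.dev
```

Pass the printed value to `--replace` only when the function exits with status 0; a rejected list prints the reason on stderr instead.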
Configure BYO Mode:
ory patch identity-config --project <project-id> --workspace <workspace-id> \
--replace '/selfservice/methods/captcha/enabled=true' \
--replace '/selfservice/methods/captcha/config/byo=true' \
--replace '/selfservice/methods/captcha/config/cf_turnstile/sitekey=your-site-key' \
--replace '/selfservice/methods/captcha/config/cf_turnstile/secret=your-secret-key'