CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge-response test used to determine whether a form submission comes from a human or an automated bot.
CAPTCHAs protect web forms from automated abuse by presenting challenges that are easy for humans but difficult for bots. The concept dates back to the early 2000s when distorted text images were used — users had to type the letters they saw to prove they weren't robots.
Modern CAPTCHAs have evolved significantly. Google's reCAPTCHA v3 runs invisibly in the background, scoring each user's behavior without requiring any interaction. Cloudflare Turnstile uses browser challenges that complete silently. hCaptcha presents image selection tasks while respecting user privacy.
The tradeoff with CAPTCHAs is always between security and user experience. Visible CAPTCHAs (image puzzles, checkboxes) add friction that can reduce form completion rates. Invisible CAPTCHAs (reCAPTCHA v3, Turnstile) have no UX impact but may occasionally misclassify legitimate users as bots.
For form backends like FormsList, CAPTCHA integration typically works in two parts: a client-side widget generates a token when the user completes the challenge, and the server-side backend verifies that token with the CAPTCHA provider before accepting the submission. FormsList supports reCAPTCHA, Cloudflare Turnstile, and hCaptcha on Pro and Business plans.
The classic 'I'm not a robot' checkbox. Users click it, and Google's risk analysis either passes them through or presents an image challenge.
No visible widget. reCAPTCHA monitors user behavior and assigns a score from 0.0 (likely bot) to 1.0 (likely human). The server decides the threshold.
A privacy-focused alternative that runs non-interactive browser challenges. No puzzles, no tracking cookies, and no user data sold.
Set up your form backend in under a minute. No server required, no complex configuration — just a simple endpoint for your forms.