captchaapi/laravel
Official Laravel SDK for captchaapi.eu (EU-hosted, GDPR-friendly proof-of-work CAPTCHA). Includes Blade widget/component, server-side verification + validation rule, and optional Livewire 4 support. PHP 8.2+, Laravel 12/13.
Adds FakeCaptchaapi::enforceSingleUse(), an opt-in test helper that makes the fake honour the server's single-use token contract. A response verifies once, the per-request memo still covers Fortify's double validation, and a replay in a later request is rejected — so a missing memoization fails the test instead of passing silently. The default fake is unchanged and still accepts any value.
Also documents Octane safety and adds a regression test proving the per-request memo does not leak across requests when the manager singleton survives.
Renames the secret env var to CAPTCHAAPI_SECRET_KEY (was CAPTCHAAPI_SECRET), the config key to secret_key, and the accessor to Captchaapi::secretKey(), to match the existing CAPTCHAAPI_SITE_KEY. Update your .env: CAPTCHAAPI_SECRET=... becomes CAPTCHAAPI_SECRET_KEY=....
Fixes Fortify login and registration failing under 3.0.
Fortify runs the captcha validator twice per request. Because server-side verification is single-use, the second pass hit an already-consumed token and returned invalid_token, rejecting a visitor who had already passed. ValidCaptcha now memoizes a success per request and skips the repeat verify call. Upgrade with composer update captchaapi/laravel.
Breaking release. Verification moved from a local HMAC check to a server-side call to /verify, matching how every hosted CAPTCHA works and keeping the secret off the browser.
ValidCaptcha now verifies server-side: it posts the response to /verify with your secret as a Bearer token and accepts the submission only when the server returns success. One call per submit, never retried (the response is single-use).
captchaapi_response (was captcha_attestation) — update your validation keys and any hand-written markup. The Blade components and WithCaptcha trait are updated.
CAPTCHAAPI_SECRET_KEYS (a list) is replaced by a single CAPTCHAAPI_SECRET. Rotate from the dashboard, which accepts both keys during the overlap.
replay_protection, cache_prefix, and clock_skew_leeway — the server owns single-use now.
fail_open (default true) decides what happens when the verify call can't reach a verdict. Set false for login or payment forms.
timeout for the verify call.
See CHANGELOG.md for the full migration steps.
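The single-use verify model and the Fortify double-validation fix described above, as an added example that is not the SDK's own code: a token is verified twice in one request, replayed in a later request, and then checked with fail_open set to false while the verifier is unreachable. SingleUseVerifier and MemoizingCaptchaRule are hypothetical names, the token values are constructed, and one rule instance stands in for one request.

```php
<?php
declare(strict_types=1);

// Hypothetical in-process stand-in for the hosted /verify endpoint.
final class SingleUseVerifier
{
    private array $unused = ['tok-constructed-1' => true]; // constructed sample token
    public bool $reachable = true;
    public int $calls = 0;

    // true/false is a verdict; null means no verdict could be reached.
    public function verify(string $response): ?bool
    {
        $this->calls++;
        if (!$this->reachable) {
            return null;
        }
        $ok = $this->unused[$response] ?? false;
        unset($this->unused[$response]); // consumed: a repeat call is rejected
        return $ok;
    }
}

// Hypothetical rule: remembers a success only for the lifetime of one instance (one request).
final class MemoizingCaptchaRule
{
    private array $passed = [];

    public function __construct(private SingleUseVerifier $server, private bool $failOpen = true) {}

    public function passes(string $response): bool
    {
        if (isset($this->passed[$response])) {
            return true; // repeat validator pass in this request: no second verify call
        }
        $verdict = $this->server->verify($response);
        if ($verdict === null) {
            return $this->failOpen; // no verdict: the fail_open setting decides
        }
        return $verdict && ($this->passed[$response] = true);
    }
}

$server = new SingleUseVerifier();
$first = new MemoizingCaptchaRule($server); // request 1, validated twice as Fortify does
var_dump($first->passes('tok-constructed-1'), $first->passes('tok-constructed-1'), $server->calls);
var_dump((new MemoizingCaptchaRule($server))->passes('tok-constructed-1')); // request 2 replays the token
$server->reachable = false;
var_dump((new MemoizingCaptchaRule($server, false))->passes('tok-constructed-2')); // fail_open = false
```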
README.md - fix Hetzner server location
Full Changelog: https://github.com/captchaapi/laravel/compare/v2.1.3...v2.1.4
README.md - add PHP + Laravel badges, update captchaapi.eu URL.
Full Changelog: https://github.com/captchaapi/laravel/compare/v2.1.2...v2.1.3
Full Changelog: https://github.com/captchaapi/laravel/compare/v2.1.1...v2.1.2
Full Changelog: https://github.com/captchaapi/laravel/compare/v2.1.0...v2.1.1
Add CAPTCHAAPI_ENABLED to turn off/on captcha package (default is true)
Full Changelog: https://github.com/captchaapi/laravel/compare/v2.0.1...v2.1.0
Add Blade captcha error helper
Full Changelog: https://github.com/captchaapi/laravel/compare/v2.0.0...v2.0.1
Major fixes BC
Full Changelog: https://github.com/captchaapi/laravel/compare/v1.0.2...v2.0.0
Fixed memoization issue + update licence badge in README.md
Full Changelog: https://github.com/captchaapi/laravel/compare/v1.0.1...v1.0.2
Official Laravel SDK for captchaapi.eu — EU-hosted, GDPR-compliant proof-of-work CAPTCHA. Drop-in Blade component, validation rule, and Livewire trait. No cookies, no tracking, no Google.
composer require captchaapi/laravel
php artisan vendor:publish --tag=captchaapi-config