
ASP.NET Core CAPTCHA Integration

Wire TrustCaptcha into an ASP.NET Core controller in just a few lines of C#. Stop bot-driven spam on logins, signups and contact forms — without breaking anti-forgery tokens or your existing model binding. EU-hosted, GDPR-ready, no image puzzles.

Quickstart

How the integration works

1. Create a CAPTCHA

Create a user account or log in with an existing one. Then create a new CAPTCHA or select an existing one. If you’re unsure whether TrustCaptcha is right for you, try our CAPTCHA service risk-free for 14 days at no cost.

On the CAPTCHA overview page, you will find all the important information, such as the site key and licence key, and you can also create your API key. Allow your websites to access your CAPTCHA by adding them to the list of authorised domains in the CAPTCHA security rules.

Start of the CAPTCHA creation form.
CAPTCHA security rules of a demo CAPTCHA.

2. Add the CAPTCHA widget to your Razor view

Drop the TrustCaptcha widget into the Razor view that renders your form. The widget runs the CAPTCHA in the background and adds a hidden tc-verification-token field on submit, which ASP.NET Core’s model binder hands to your controller.

Views/Contact/Index.cshtml
HTML
<script type="module" src="https://cdn.trustcomponent.com/trustcaptcha/3.0.x/trustcaptcha.esm.min.js"></script>

<form asp-action="Submit" method="post">
    @Html.AntiForgeryToken()
    <input type="email" name="email" required />
    <trustcaptcha-component sitekey="<your_site_key>"></trustcaptcha-component>
    <button type="submit">Send</button>
</form>

The CAPTCHA widget will then be displayed inside your form:

CAPTCHA done

Need detailed information about the CAPTCHA widget integration?
For the full widget reference — including themes, languages, custom design and more — please read our documentation.


3. Validate the token in your ASP.NET Core controller

In your ASP.NET Core controller, take the verification token from the form, look up the result via our .NET library, and decide whether to accept the request.

First, install our TrustCaptcha .NET library:

Install
bash
dotnet add package TrustComponent.TrustCaptcha --version 3.0.0

Then validate the token inside your controller and act on the result:

ContactController.cs
C#
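using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
// Also import the namespace exposed by the TrustComponent.TrustCaptcha package.

public class ContactController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken] // checks the token emitted by @Html.AntiForgeryToken() in the view
    public async Task<IActionResult> Submit(
        [FromForm] string email,
        [FromForm(Name = "tc-verification-token")] string tcVerificationToken)
    {
        try
        {
            // Look up the verification result for the token the widget added to the form.
            var result = await TrustCaptcha.GetVerificationResultAsync("<your_api_key>", tcVerificationToken);

            // Reject when verification did not pass or the score is above the 0.5 threshold.
            if (!result.VerificationPassed || result.Score > 0.5)
            {
                ModelState.AddModelError("captcha", "CAPTCHA verification failed.");
                return View("Index");
            }
        }
        catch (Exception)
        {
            // Fail closed: an error during the lookup is treated as a failed CAPTCHA.
            ModelState.AddModelError("captcha", "CAPTCHA verification failed.");
            return View("Index");
        }

        // CAPTCHA passed — process the request
        return RedirectToAction("ThankYou");
    }
}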

Need detailed information about the ASP.NET Core CAPTCHA integration?
For full step-by-step instructions — including a reusable action filter and a Minimal-APIs variant — please read our documentation.


Other backend framework instead of ASP.NET Core?
If you use a different framework, pick the matching recipe here. If your framework isn’t listed, your software developers can integrate the verification themselves using our documentation or ask our support team for a pre-built integration.

Actix Web
ASP.NET Core
Axum
Django
Echo
Express
FastAPI
Fastify
Fiber
Flask
Gin
Hapi
Laravel
Micronaut
NestJS
Next.js
Quarkus
Ruby on Rails
Sinatra
Spring Boot
Symfony

4. Congratulations 🎉

You are now protected by TrustCaptcha - congratulations!


FAQs

Where in an ASP.NET Core app does the CAPTCHA verification go?
Inside the controller action that receives the form submission, before you persist data or send any email. The CAPTCHA token comes in as a regular form field — read it via [FromForm(Name = "tc-verification-token")] on a string parameter.
Can I run the CAPTCHA verification as an action filter?
Yes — and it's the cleanest way once you protect more than one action. Build a TrustCaptchaActionFilter implementing IAsyncActionFilter, register it as a service, and wrap it in a [TrustCaptcha] attribute via ServiceFilterAttribute. A single attribute then opts any action into CAPTCHA verification.
Does TrustCaptcha replace ASP.NET Core's anti-forgery token?
No. Anti-forgery (@Html.AntiForgeryToken() / [ValidateAntiForgeryToken]) and TrustCaptcha are independent layers — both should stay enabled. The CAPTCHA token only confirms that a human submitted the form; it does not prevent CSRF.
Does TrustCaptcha work with Minimal APIs?
Yes. Replace the action filter with an endpoint filter (IEndpointFilter) — the verification call (TrustCaptcha.GetVerificationResultAsync) stays exactly the same, only the wrapping changes.
How should I share the SDK in DI?
Register a single TrustCaptcha instance in your DI container (built via TrustCaptcha.NewBuilder(apiKey).Build()) as a singleton, and inject it into the action filter or controller. The SDK is immutable and thread-safe, so one instance per app is the right granularity.
Where should I store the CAPTCHA API key?
In appsettings.json (e.g. "Trustcaptcha:ApiKey") or, even better, an environment variable / Azure Key Vault. Read it from IConfiguration inside the filter or controller — never commit the key to source control.
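
The action-filter and API-key answers above, combined in one sketch. This is an added example, not code from the TrustCaptcha documentation: it reuses the static TrustCaptcha.GetVerificationResultAsync call and the 0.5 score threshold from step 3 and the "Trustcaptcha:ApiKey" configuration key from the FAQ. The scoped registration and the 400 response are assumptions made here.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Configuration;
// Also import the namespace exposed by the TrustComponent.TrustCaptcha package.

// Register once in Program.cs: builder.Services.AddScoped<TrustCaptchaActionFilter>();
public class TrustCaptchaActionFilter : IAsyncActionFilter
{
    private const double MaxScore = 0.5; // assumption: same threshold as the controller example
    private readonly string _apiKey;

    // Refuse to run without a key instead of silently skipping verification.
    public TrustCaptchaActionFilter(IConfiguration config) =>
        _apiKey = config["Trustcaptcha:ApiKey"]
            ?? throw new InvalidOperationException("Trustcaptcha:ApiKey is not configured.");

    public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
    {
        var request = context.HttpContext.Request;
        string? token = request.HasFormContentType
            ? (await request.ReadFormAsync())["tc-verification-token"].ToString()
            : null;

        var passed = false; // fail closed: missing token, failed check or SDK error all reject
        if (!string.IsNullOrWhiteSpace(token))
        {
            try
            {
                var result = await TrustCaptcha.GetVerificationResultAsync(_apiKey, token);
                passed = result.VerificationPassed && result.Score <= MaxScore;
            }
            catch (Exception) { /* lookup failed: passed stays false */ }
        }

        if (!passed)
        {
            context.ModelState.AddModelError("captcha", "CAPTCHA verification failed.");
            context.Result = new BadRequestObjectResult(context.ModelState);
            return; // short-circuit: the action never runs
        }
        await next();
    }
}

// Usage: put [TrustCaptcha] next to [ValidateAntiForgeryToken] on each protected POST action.
public sealed class TrustCaptchaAttribute : ServiceFilterAttribute
{
    public TrustCaptchaAttribute() : base(typeof(TrustCaptchaActionFilter)) { }
}
```
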
Losing leads to CAPTCHAs?

TrustCaptcha blocks spam and bots, not customers. No puzzles, GDPR-ready, EU-hosted.

Puzzle-free UX
Runs in the background while visitors type — so more people finish your forms and fewer drop off.
GDPR-ready
EU-hosted and privacy-first: no cookies, encrypted transmission, automatic cleanup — with ready-to-use legal resources.
Multi-layer Security
Adaptive protection plus intelligent risk scoring stops abuse early — even when attack traffic spikes.
Full Control
Fine-tune sensitivity, set allow/block lists, and use geoblocking — you decide how strict verification should be.

Protect your ASP.NET Core application with TrustCaptcha in just a few steps!

  • EU-hosted & GDPR-ready
  • No puzzles
  • Try free for 14 days