Keycloak Captcha Plugin

An open-source identity and access-management system providing single sign-on, user federation and secure token services.Strengthen Keycloak logins with privacy-friendly multi-layered security—proof-of-work plus bot scoring—for seamless yet safer SSO.

Contact Sales

TrustCaptcha is the privacy friendly and user focused CAPTCHA for Keycloak

Security & Bot-ScoreTrustCaptcha combines a proof-of-work with a bot score — similar to the reCAPTCHA score — and custom security configurations for maximum security. Learn more about the CAPTCHA security concept

Privacy Friendly & GDPR-CompliantTrustCaptcha is a privacy-first CAPTCHA solution with a clear focus on data protection and GDPR compliance. Learn more about the GDPR-compliant CAPTCHA

CustomizationAll features of the CAPTCHA widget are fully customizable such as translations or design. The branding or the entire widget can also be hidden. Learn more about the customization

AccessibilityThe CAPTCHA completely dispenses with puzzles or image marking tasks. The CAPTCHA works fully automated and complies with international accessibility standards. Learn more about the accessibility

Contact Sales

Integrate TrustCaptcha in Keycloak

Integrate TrustCaptcha with Keycloak quickly and easily into your website, application or platform in just a few steps and effectively protect your online presence and services from bot abuse.

1 – Sign in or sign up
The first thing you need to do is sign in to your Trustcomponent account. If you do not yet have a Trustcomponent account, you can register with us quickly and easily in just a few steps. After that, go to your dashboard. Here you will see all existing CAPTCHAs and can create new CAPTCHAs.
2 – Choose existing CAPTCHA or create a new CAPTCHA
If you already have a CAPTCHA that you want to use, skip this step. If you don't have a CAPTCHA yet, create a new CAPTCHA now.Create a new CAPTCHADuring the creation process, select the “TrustCaptcha” product category and choose your preferred pricing plan. If you are not yet sure which pricing plan to choose, no problem! The plan can be extended at any time. Then decide whether you want to start with the 30-day trial version or go straight to a paid subscription. If you want to start directly with a paid CAPTCHA, all you have to do is add your billing details and optionally a payment method and you're ready to go.30-day trail periodIf you opt for the 30-day trial period, you can test CAPTCHA for 30 days risk-free. At the end of the 30-day trial period, CAPTCHA locks itself. During the 30-day trial period or up to 30 days after the end of the trial period, you can unsubscribe from CAPTCHA at any time for a fee or delete it with immediate effect. If you neither subscribe to the CAPTCHA for a fee nor delete it within 30 days of the end of the free trial period, it will be deleted automatically.Non-Commercial PlanIn addition to our standard plans, we also offer a permanently free “Non Commercial“ plan with 1 website and up to 500 free verifications for non-commercial websites and projects.
3 – Add your websites and check your credentials
On the dashboard of your CAPTCHA you will find all the important information, statistics and setting options. Here you will also find your site-key, the secret-key and, if available, the license-key. You will need these later on when integrating your CAPTCHA.Add your websitesYour CAPTCHA may only be accessed by websites that you explicitly authorise. To allow websites to access the CAPTCHA, enter all the websites on which you want to integrate the CAPTCHA in the settings.
4 – Install the Keycloak CAPTCHA plugin
Download the latest version of our plugin trustcaptcha_keycloak_1-8-0.jar here. and copy the file trustcaptcha_keycloak_1-8-0.jar to the providers directory of your Keycloak installation. You can find more information about the installation in our documentation.Our CAPTCHA for Keycloak currently supports the following Keycloak flows:
- Registration
- Login
- Forgot Password
5 – Configure the Keycloak CAPTCHA plugin
You can find all the important information and installation instructions for registration, login and forgotten password in our documentation.
6 – Congratulations 🎉
You are now protected by TrustCaptcha - congratulations!

Do you need more information about the Angular integration?

Frequently Asked Questions

What is a Keycloak CAPTCHA?

A Keycloak CAPTCHA is a challenge-response test integrated into Keycloak’s authentication flows to block automated bots while allowing legitimate users to sign in. It appears on login, registration, or forgotten-password forms and asks the browser to perform a small task to prove it is not a script. TrustCaptcha for Keycloak combines lightweight proof-of-work with behavioural signals and a bot probability score to deliver stronger protection than pure proof-of-work widgets. Because the challenge runs automatically in the background, most users never have to solve a puzzle.

What is the best Keycloak CAPTCHA?

The best Keycloak CAPTCHA balances security, user experience, and data protection. TrustCaptcha stands out by layering proof-of-work with real-time bot scoring and configurable security levels, achieving higher detection rates than tools that rely on proof-of-work alone. It is fully hosted in the EU, ships with GDPR documentation and ready-to-sign DPA/SLA, and offers extensive theming so it blends perfectly with any Keycloak realm. These advantages make it a strong, future-proof choice for European organisations.

How does a Keycloak CAPTCHA work?

When a user reaches a Keycloak form, the TrustCaptcha script starts instantly and runs a short, CPU-bound proof-of-work in the browser. Simultaneously, it collects non-invasive behavioural and network signals to calculate a bot probability score. The result is sent to Keycloak, where the TrustCaptcha authenticator decides whether to allow the flow, show an optional visual challenge, or block the request. This multi-layer approach keeps interaction friction low while stopping sophisticated bots.

Do I need a Keycloak CAPTCHA?

If your Keycloak realm faces credential stuffing, fake account creation, or DDoS-style signup attacks, adding a CAPTCHA is one of the quickest ways to harden the perimeter. TrustCaptcha is especially valuable for EU businesses that require GDPR-compliant processing and want fine-grained control over security levels. Its automatic, puzzle-free mode keeps conversion rates high, so genuine users seldom notice it’s there. That balance of compliance, usability, and security makes a Keycloak CAPTCHA a smart default in 2025.

How do I integrate TrustCaptcha into Keycloak?

Installation takes about five minutes. You upload the TrustCaptcha authenticator JAR to Keycloak, enable it in the browser flow, and copy the site-key and secret from your TrustCaptcha dashboard. No code changes to your application are required. Detailed step-by-step instructions are provided in the Keycloak plugin guide.

Can I customise the CAPTCHA’s look and feel?

Yes. TrustCaptcha supports multiple themes, dark or light modes, custom colours, and whitelabel branding so the widget matches your Keycloak login page. You can also localise all texts in more than 25 languages or hide the badge entirely for a minimalist layout. These options ensure your security layer never clashes with your design guidelines.

Will TrustCaptcha slow down my Keycloak login?

The widget starts automatically and finishes its proof-of-work in a fraction of a second on modern browsers. Because most visitors pass the background check silently, the perceived login time remains virtually unchanged. For high-traffic sites you can set an adaptive difficulty threshold so the workload never exceeds your performance targets. The enterprise plan even offers SLA-backed latency guarantees.

Is TrustCaptcha GDPR compliant?

Absolutely. All TrustCaptcha endpoints are hosted in EU data centres and process only the minimum technical data needed to score the request. No personal profiling or cross-site tracking occurs, and a Data Processing Agreement is available out-of-the-box in your dashboard. This allows controllers to prove compliance during audits without additional paperwork.