TrustCaptcha – Bot protection

Next.js CAPTCHA Integration

Wire TrustCaptcha into a Next.js Route Handler or Server Action in just a few lines of TypeScript. Stop bot-driven spam on logins, signups and contact forms — using our React widget on the client and verifying server-side. EU-hosted, GDPR-ready, no image puzzles.

Quickstart

How the integration works

1. Create a CAPTCHA

Create a user account or log in with an existing one. Then create a new CAPTCHA or select an existing one. If you’re unsure whether TrustCaptcha is right for you, try our CAPTCHA service risk-free for 14 days at no cost.

On the CAPTCHA overview page, you will find all the important information, such as the site key and licence key, and you can also create your API key. Allow your websites to access your CAPTCHA by simply adding them to the access authorised domain list in the CAPTCHA security rules.

CAPTCHA security rules of a demo CAPTCHA.

2. Add the CAPTCHA widget to your form component

Use our React wrapper inside the client component that renders your form. The widget runs the CAPTCHA in the background and adds a hidden tc-verification-token field on submit, which Server Actions and Route Handlers receive as form data.

First, install our TrustCaptcha React package:

Install

bash

npm i @trustcomponent/trustcaptcha-react

Then add the <TrustcaptchaComponent> to the client component that renders your form:

app/contact/contact-form.tsx

TypeScript

"use client";

import { TrustcaptchaComponent } from "@trustcomponent/trustcaptcha-react";

export function ContactForm() {
  return (
    <form method="post" action="/api/contact">
      <input type="email" name="email" required />
      <TrustcaptchaComponent sitekey="<your_site_key>" />
      <button type="submit">Send</button>
    </form>
  );
}

The CAPTCHA widget will then be displayed inside your form:

Need detailed information about the CAPTCHA React widget integration?
For the full reference — including themes, languages, custom design and more — please read our documentation.

Read the documentation

3. Validate the token in a Route Handler or Server Action

In a Next.js Route Handler (or Server Action), take the verification token from the form data, look up the result via our Node.js library, and decide whether to accept the request.

First, install our TrustCaptcha Node.js library:

Install

bash

npm i @trustcomponent/trustcaptcha-nodejs

Then validate the token inside your Route Handler and act on the result:

app/api/contact/route.ts

TypeScript

import { NextResponse } from "next/server";
import { TrustCaptcha } from "@trustcomponent/trustcaptcha-nodejs";

export async function POST(request: Request) {
  const formData = await request.formData();
  const token = String(formData.get("tc-verification-token") ?? "");

  try {
    const result = await TrustCaptcha.getVerificationResult(process.env.TRUSTCAPTCHA_API_KEY!, token);
    if (!result.verificationPassed || result.score > 0.5) {
      return NextResponse.json({ error: "CAPTCHA verification failed." }, { status: 400 });
    }
  } catch {
    return NextResponse.json({ error: "CAPTCHA verification failed." }, { status: 400 });
  }

  // CAPTCHA passed — process the request
  return NextResponse.json({ status: "ok" });
}

Need detailed information about the Next.js CAPTCHA integration?
For full step-by-step instructions — including a Server Action variant and a reusable verifier utility — please read our documentation.

Read the documentation

Other backend framework instead of Next.js?
If you use a different framework, pick the matching recipe here. If your framework isn’t listed, your software developers can integrate the verification themselves using our documentation or ask our support team for a pre-built integration.

4. Congratulations 🎉

You are now protected by TrustCaptcha - congratulations!

FAQs

Does TrustCaptcha work with the App Router and the Pages Router?

Yes, both. In the App Router you typically validate the token inside a Route Handler (app/api/.../route.ts) or a Server Action. In the Pages Router you do the same inside an API route (pages/api/...) — the SDK call is identical.

Can I verify the CAPTCHA from a Server Action?

Yes — and it's a clean fit. Read the token from the FormData passed into your "use server" action, call our Node.js library, and return an error if it fails. The CAPTCHA stays fully server-side and your client component never touches the API key.

Does the React widget work inside a server component?

The widget itself runs in the browser, so render it from a client component ("use client"). The form can still be submitted to a Server Action or Route Handler — the verification happens entirely on the server.

Can I run the CAPTCHA verification on the Edge runtime?

No. Our Node.js library uses Node-only APIs (axios), so set the runtime to "nodejs" on routes that verify CAPTCHA tokens. The default runtime in Next.js is already "nodejs", so you only need to act if you've explicitly set runtime = "edge".

Where do I store the CAPTCHA API key in a Next.js project?

In .env.local during development and in your hosting provider's environment variables (Vercel, Netlify, …) for production. Read it via process.env.TRUSTCAPTCHA_API_KEY inside server-only code — never expose it through NEXT_PUBLIC_*.

How do I keep the CAPTCHA verification utility out of the client bundle?

Add import "server-only" at the top of the file that imports the Node.js library. This makes Next.js fail the build if the file is ever pulled into a client component, which prevents accidentally shipping the API key to the browser.

Losing leads to CAPTCHAs?

TrustCaptcha blocks spam and bots, not customers. No puzzles, GDPR-ready, EU-hosted.

Puzzle-free UX

Runs in the background while visitors type — so more people finish your forms and fewer drop off.

GDPR-ready

EU-hosted and privacy-first: no cookies, encrypted transmission, automatic cleanup — with ready-to-use legal resources.

Multi-layer Security

Adaptive protection plus intelligent risk scoring stops abuse early — even when attack traffic spikes.

Full Control

Fine-tune sensitivity, set allow/block lists, and use geoblocking — you decide how strict verification should be.

Protect your Next.js application with TrustCaptcha in just a few steps!

EU-hosted & GDPR-ready
No puzzles
Try free for 14 days

Get started Contact sales