Configuring CAPTCHA
To configure CAPTCHA for use in MetalSoft a series of configurations are required on both the MetalSoft side and also on the CAPTCHA provider side.
The below example is using Cloudflare Turnstile as the CAPTCHA provider. The steps on the Cloudflare side may change without notice.
Overview
This guide walks you through:
- Creating a Turnstile widget in Cloudflare dashboard
- Configuring CAPTCHA in your MetalSoft application
- Verify the process works
Step 1. Creating a Turnstile widget in Cloudflare dashboard
Section titled “Step 1. Creating a Turnstile widget in Cloudflare dashboard”Log in to the Cloudflare Dashboard
Section titled “Log in to the Cloudflare Dashboard”- Go to https://dash.cloudflare.com and log in to your account
Navigate to Turnstile
Section titled “Navigate to Turnstile”- In the left sidebar, under Protect & Connect > Application security, click Turnstile.
- On the Turnstile overview page, click Add widget
Fill in the Widget Details
Section titled “Fill in the Widget Details”On the Add Widget page:
- Widget name — Enter a recognizable name, e.g. metalsoft-app
- Widget Mode — Leave as Managed (Recommended)
Add Your Hostname
Section titled “Add Your Hostname”- Click + Add Hostnames. A side panel opens.
- Type the MetalSoft Global Controllers hostname (e.g. yourmetalsofthostname.io) in the custom hostname field and click Add.
Note: The hostname must match the domain where your MetalSoft app is hosted. - Your hostname appears under Selected hostnames. Click Save to close the panel.
Create the Widget & Copy Your Keys
Section titled “Create the Widget & Copy Your Keys”Click Create at the bottom of the page. Cloudflare will generate two keys:
- Site key — Used in your frontend (public)
- Secret key — Used by your backend to verify tokens (keep private)
Note: Copy both keys now. While you can view them again later, it’s good practice to save them somewhere safe.
Step 2. Configure CAPTCHA in MetalSoft
Section titled “Step 2. Configure CAPTCHA in MetalSoft”Open Global Configurations
Section titled “Open Global Configurations”- In your MetalSoft app, navigate to Global configurations > Authentication section. Scroll down to the CAPTCHA section.
Enable CAPTCHA and Enter Your Keys
Section titled “Enable CAPTCHA and Enter Your Keys”Fill in the following fields:
- Enable CAPTCHA — Check this box to activate CAPTCHA globally
- CAPTCHA verify URL — Leave as default: https://challenges.cloudflare.com/turnstile/v0/siteverify
- Password reset site key — Paste your Site key
- Password reset secret key — Paste your Secret key
- Sign-up site key — Paste your Site key
- Sign-up secret key — Paste your Secret key
Click Save.
Note: You can use the same widget keys for both the sign-up and password reset forms, or create separate widgets for each.
Step 3. Verify It Works
Section titled “Step 3. Verify It Works”Open your app’s sign-up or password reset page. You should see a Cloudflare Turnstile widget that automatically verifies the visitor.
A “Success!” badge confirms CAPTCHA is working correctly.
Note: If the widget does not appear, double-check that your hostname in Cloudflare exactly matches the domain of your app, and that CAPTCHA is enabled in Global configurations