To install POWER CAPTCHA, you first need to select a license. With your license, you will automatically receive an API key to access our interfaces. You can integrate POWER CAPTCHA in WordPress, Typo3, OXID eShop, or with JavaScript, among others. Follow our integration instructions for more information.
We are currently working on an external documentation platform that will replace this page. If you are missing important information until then, please contact us.
WordPress quick guide
To install the WordPress plugin for POWER CAPTCHA, go to your WordPress website’s administration area/dashboard and click on the menu item “Plugins > Add New Plugin”. Enter “POWER CAPTCHA’ in the search field (Search Plugins) and scroll through the search results to the POWER CAPTCHA plugin. Click on the “Install now” button. After successful installation, the button changes to ‘Activate’. Click the button to activate the POWER CAPTCHA plugin.
First download the plugin as a ZIP file from the WordPress Plugin Directory. Then go to your WordPress website’s administration area/dashboard and click on the menu item “Plugins > Install”. Click on the “Upload Plugin” button and select the ZIP archive you downloaded beforehand (e.g. power-captcha.1.2.3.zip). Then click on “Install now”. After the upload and installation, a page will open where you can activate our POWER CAPTCHA plugin. Then click on “Install now”. After the upload and installation, a page will open where you can activate our POWER CAPTCHA plugin.
Please make sure to enter your domain in the settings in the customer area (“My Account”) on the POWER CAPTCHA website so that you can use POWER CAPTCHA. To do this, go to the “API-Keys” section and click on “Edit API-Key”, then you can enter your domain in the “Domain / Hostname” field.
After you have activated the plugin, you can configure it. To do this, go to “Settings > POWER CAPTCHA” in the administration area of your WordPress website and enter your API and secret key in the corresponding fields under “General settings”. You can get both keys in the customer area of our website. Under “Integration settings”, you can select the plugin or page area for which you want to activate POWER CAPTCHA.
Under “Captcha settings“ you can customize POWER CAPTCHA according to your wishes if you do not want to start with the default settings. Here you can change the behavior of the security check, the display of the widget, and the policy for API errors.
The “On-premises settings” item is only relevant if you have an Enterprise license and are not using the application as a cloud solution (default) but are running a local POWER CAPTCHA instance. In this case, you have the option to enter the URLs to your locally hosted instance and your local JavaScript. Then all requests will go to your own instance instead of our server. If you are not running your own instance, all fields under “On-premises settings” must remain empty. When all settings are edited, click on “Save changes”. POWER CAPTCHA now protects the plugins / areas you have selected.
Status: April 2025, subject to change.
TYPO3 quick guide
You can download the POWER CAPTCHA extension for your TYPO3 installation directly from TYPO3. Alternatively, you can also find the extension in the GitHub repository. The TYPO3 plugin protects forms of the extensions “Form” and “Powermail” and is compatible with TYPO3 versions 11.5 LTS and 12.4 LTS.
The TYPO3 plugin for POWER CAPTCHA is installed via a Composer command. To do this, follow the steps below:
1. Establish an SSH connection to the server on which your TYPO3 installation is hosted.
2. Navigate to the main directory of TYPO3. There, you will find the file composer.json.
3. Execute the following command to install the extension:
composer require power-captcha/integration-typo3
4. Composer loads and installs the extension automatically.
5. Log in to your TYPO3 backend to configure POWER CAPTCHA.
6. Navigate to “Page management → Websites”, select your website and click on “Edit page configuration” (pencil icon)
7. Switch to the “POWER CAPTCHA” tab and enter your API key and secret key in the corresponding fields. You can get both keys in the customer area of our website.
8. Integrate the POWER CAPTCHA field into the desired form to protect it.
9. Under “Captcha settings,” you can then customize POWER CAPTCHA according to your wishes if you do not want to start with the default settings. Here, you can change the behavior of the security check, the display of the widget, and the policy for API errors.
10. The item “On-premises settings” is only relevant if you are not using POWER CAPTCHA as a cloud solution (standard) but are operating a local instance. In this case, you can enter the URLs for your locally hosted instance and your local JavaScript. If you are not running your own instance, all fields under “On-premises settings” must remain empty. When all settings are edited, click on “Save changes”. POWER CAPTCHA now protects the plugins / areas you have selected.
Please make sure to enter your domain in the settings in the customer area (“My Account”) on the POWER CAPTCHA website so that you can use POWER CAPTCHA. To do this, go to the “API-Keys” section and click on “Edit API-Key”, then you can enter your domain in the “Domain / Hostname” field. After you have activated the plugin, you can configure it.
Frontend integration with HTML
To integrate POWER CAPTCHA in the frontend with HTML, first include our JavaScript in the <head> element:
<script src="https://cdn.power-captcha.com/v1/power-captcha-1.2.5.min.js" type="text/javascript"></script>
Add a div element to the form you want to protect; the widget is displayed within this element. The div element must contain at least the attributes data-pc-api-key=”yourApiKey” and data-pc-client-uid=”uniqueClientId”. The unique client ID can be based on the client’s IP address, for example. It is important that the client can be uniquely identified via the ID and that the same client ID is passed for token verification. Example:
<form method="post" action="submit.php">
...
<div data-pc-api-key="5gVoymQWRcyRQyJUxEqSdodfsK9vJJJs"
data-pc-client-uid="<?php echo hash('sha256', $_SERVER['REMOTE_ADDR']); ?>">
</div>
...
</form>
If you have an Enterprise license, you can add the data-pc-user attribute to the input field with the user name / email address for additional protection. Example:
<input name="username" type="text" required="required" data-pc-user="" />
A login form protected with POWER CAPTCHA might look like this:
<form method="post" action="submit.php">
<label for="username">Username:</label><br />
<input type="text" id="username" name="username" data-pc-user /><br />
<label for="password">Password:</label><br />
<input type="password" id="password" name="password" />
<div data-pc-api-key="5gVoymQWRcyRQyJUxEqSdodfsK9vJJJs"
data-pc-client-uid="<?php echo hash('sha256', $_SERVER['REMOTE_ADDR']); ?>">
</div>
<input type="submit" value="submit" />
</form>
After the security check by the POWER CAPTCHA API, a field with a token is added to the form. Afterwards, check this token in the backend (see “Token verification”).
By default, the POWER CAPTCHA widget is always displayed and the security check starts automatically as soon as the form is filled out (focus event). If you add the attribute data-pc-user to a field, the check only starts after the field has been filled in.
However, you can configure the display and check behaviour individually. You can choose between three check modes, e.g. to switch off the automatic security check or only display the widget when it is necessary. You can configure the check mode using the data-pc-check-mode attribute. You can choose between the values ‘auto’, ‘hidden’ or ‘manu’. Each value stands for a specific check mode:
| Check mode | Description |
|---|---|
|
auto |
The widget is displayed by default. The security check starts as soon as the form is filled in or after the field (e.g. user name or e-mail address) has been filled in. A manual click on the widget is only necessary if a captcha also needs to be solved. |
|
hidden |
The widget is not initially displayed. The security check starts as soon as the form is filled in or after the field (e.g. user name or e-mail address) has been filled in. If the check returns that a captcha must be solved, the widget is displayed. |
|
manu |
The widget is always displayed. POWER CAPTCHA only starts the security check after a manual click on the widget. |
Here is an example of showing how to hide the widget (check mode hidden):
<form method="post" action="submit.php">
...
<div data-pc-api-key="5gVoymQWRcyRQyJUxEqSdodfsK9vJJJs"
data-pc-client-uid="<?php echo hash('sha256', $_SERVER['REMOTE_ADDR']); ?>"
data-pc-check-mode="hidden">
</div>
<input type="submit" value="submit" />
</form>
How to verify the POWER CAPTCHA token on the server
Before you evaluate or save the content of your form in the backend, you should verify the POWER CAPTCHA token.
To do this, the token from the form ($_POST[“pc-token”]) and your secret key must be passed to our interface https://api.power-captcha.com/pcu/v1/verify as JSON, and in the header your API Key must be present in the X-API-Key field.
The interface will return a JSON and the “success” field will say if the token was successfully verified. Afterwards you can evaluate your form as usual.
Here is a sample code how you can verify a token with PHP:
<?php
if(isset($_POST['pc-token']) && !empty($_POST['pc-token'])) {
$curl = curl_init('https://api.power-captcha.com/pcu/v1/verify');
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl, CURLOPT_POST, TRUE);
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
'X-API-Key: 5gVoymQWRcyRQyJUxEqSdodfsK9vJJJs', // your api key
'Content-Type: application/json'
));
curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode(array(
'secret' => 'q5jBZojDfaQFzPGyhmAEFgz6C5j3NsjJ', // your secret key
'token' => $_POST['pc-token'],
'clientUid' => hash('sha256', $_SERVER['REMOTE_ADDR']), // unique client id (same value as in the data-client-uid attribute)
'name' => $_POST['username'] // field which was marked by 'data-pc-user' (optional)
)));
$response = json_decode(curl_exec($curl));
curl_close($curl);
if($response->success) {
echo "Token was successfully verified.";
// add your form logic
} else {
echo "Error: Token verfification failed.";
}
} else {
echo "Error: Token was missing in POST request.";
}
?>
API interface for token verification
After you submit your form, the token needs to be verified in your backend. To do this, you pass the token and some additional parameters via JSON to our Verifiy interface so that we can check if the captcha was solved correctly or if the alternative email authentication had a positive result. The Verifiy interface is called via the following URL: https://api.power-captcha.com/pcu/v1/verifiy.
In the header, the X-API-Key value must be set with your API key when called, and in the request body, the token and additional parameters must be POSTed to our interface as JSON.
{
"secret": "{secret-key}",
"token": "{token}",
"clientUid": "{client-uid}",
"name": "{username}"
}
Add your secret key in the parameter “secret”. You can find your secret key in your account. The parameter “token” contains the token which was generated by our JavaScript. The token can be found in the POST/GET field “pc-token”. The “clientUid” parameter must contain the same unique client ID that has been assigned in the form. It is used to check whether the token was originally created for this client ID. If you have marked a field with “data-pc-user” in the frontend, you have to pass the value of this field in the parameter “name” to our verifiy interface to protect a username / email address.
{
"success": true,
"errors": []
}
If the “success” field is set to “true”, then the verification was successful (token is valid) and you can continue with the evaluation of your form. If the “success” field is set to “false”, then the token is either invalid or the request is structured incorrectly. In this case the evaluation of the form should be stopped immediately, because the token could not be verified by POWER CAPTCHA. If the request is structured incorrectly, a list with the following error codes appears in the “errors” field:
| Error Code | Description |
|---|---|
|
missing_token |
No token or an empty token was provided with the request. |
|
missing_secret |
No secret key was supplied with the request. |
|
invalid_secret |
The secret key is invalid or does not match the API key. |
|
invalid_token |
The token is invalid. |
Get started with POWER CAPTCHA
You want to use POWER CAPTCHA on your website? Then get your license here and follow our step-by-step instructions.
POWER CAPTCHA
About Us
Contact
© 2025 POWER CAPTCHA by Uniique AG – All Rights Reserved