Client Server REST API captcha implementation

All we need is an easy explanation of the problem, so here it is.

I’m building client server REST application.
Client side is based on Angular while server is PHP (not that it matters much anyhow).

What I am wondering if there are any best practices, good examples of captcha implementation in this case? Captcha would be used for user registration etc.

I’m not limited to any specific libraries, only requirement is that there cannot be any calls to 3rd party servers on client side (js libraries hosted on 3rd party servers or req api key etc).


How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

When google captcha approves one user, it provides you a token.

So imagine this scenario. A User is about to save, and uses the captcha, the captcha does its business and gives you a token, it is all that matters.

If you want to see a "tentative" flow of requests for this.

  1. The User should pass the captcha before registering and retrieve the token that it provides in the front end.
  2. User clicks save, you receive the captcha token in the backend as form data. You validate the token with Google via an API. If Google verifies the token as valid, you can save the user or reject if Google returns an error.
  3. The frontend listens for success or error and what kind of error. IF error is captcha, force a retry, get a new token.
  4. Backend receives a new token in form data and repeats step 2.

Method 2

You can have a look on google-recaptcha. Its angular implementation is here


Method 3

Google’s new-ish reCaptcha is pretty slick. They have several easy to understand examples and usage scenarios.

Edit: To address your specific question of how to implement this in a RESTful application, I’d make two files. One would be a public-facing file like index.php and the other would be a back-end file that would hold the private information.

I could copy/paste my previously-written how-to here, or I could just link you to the article I wrote 2 months ago.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply