Skip to content


This chapter will guide you through the steps required to configure the captcha module in Onegini IdP. A “CAPTCHA” is a test to tell humans and bots apart. It is easy for humans to solve but hard for “bots” and other malicious software to figure out. Captcha prevents accounts from getting blocked by an automated script. The captcha needs to be solved during the last password try for an account. Onegini IdP supports two types of captcha.


reCAPTCHA is a free service from Google that helps protect websites from spam and abuse. successfully complete this topic make sure you have access to an Google account. Next visit reCAPTCHA Admin and Register a new site by filling the form.

Configure reCAPTCHA when javascript disabled

reCAPTCHA can only provide the optimal experience in terms of security and usability with JavaScript enabled.

If JavaScript has been disabled reCAPTCHA provides alternative verification challenge. Navigate to reCAPTCHA sites and choose your site. Open the site settings and move the security preference slider to easiest for users. Keep in mind that with this setting reCAPTCHA won't be able to use all of its security features.

Keep in mind that with this setting reCAPTCHA won't be able to use all of its security features.


To test reCaptcha module please try login to Onegini IdP given invalid credentials at least five times. Then you will should see reCAPTCHA module under password field. Now you should only be able to login once reCAPTCHA is confirmed.

For test purposes you may use reCAPTCHE keys generated by Google. With the following test keys, you will always get No CAPTCHA and all verification requests will pass.

  • site key: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
  • secret key: 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe

The reCAPTCHA widget will show a warning message to claim that it's only for testing purpose. Please do NOT use these keys in production environment.

Friendly Captcha

Friendly Captcha was introduced as a GDPR-compliant alternative to reCAPTCHA. Thus you will need to purchase the Advanced or Enterprise plan. Once you get the account, follow this guide to generate a sitekey. After this, you will have to obtain the secret key. To do that, log in to Friendly Captcha, select your organization, navigate to API Keys, and Create an API key.

Configure captcha in Onegini IdP

Once you have the keys, log in to Onegini IdP admin console. Select Smart security menu option and navigate to Captcha configuration tab. Fill in the form as follows:

  • Captcha integration - choose integration type
  • Secret key - paste generated secret key
  • Site key - paste generated site key
  • Enabled - mark reCaptcha functionality as enabled

Save your settings. If the default CSP settings were modified, you might need to add these domains to ensure the captcha is working.