Protected endpoints
If CAPTCHA or reCAPTCHA is enabled on pages requiring shopper input, then in most cases, the corresponding endpoints that send requests to the Adobe Commerce server must include an HTTP header that contains a value entered by the shopper (for CAPTCHA) or generated by the Google API (for reCAPTCHA). These headers are generated by UI Web form widgets during interactions with the shopper. However, if you specify an integration authorization token in the header of the endpoint, then you do not supply a header specific to CAPTCHA or reCAPTCHA.
Even when Adobe Commerce is used in a headless way, like with PWA, the merchant must have their own Web UI that renders the correct CAPTCHA or reCAPTCHA web form widget, captures the proper `X-Captcha` or `X-ReCaptcha` HTTP header, and sends it in the API request in the background only.
The HTTP `X-Captcha` and `X-ReCaptcha` headers:
- Cannot be received by an automated script or a non-UI API call. They are captured and returned by the UI Web form only.
- Are optional in protected mutation API calls that provide integration authorization tokens only. They cannot be skipped when you provide an Admin or Bearer token.
CAPTCHA
The following table lists the forms that can be configured to require CAPTCHA. Go to Stores > Configuration > Customers > Customer Configuration > CAPTCHA > Forms to enable or disable CAPTCHA on these forms.
The endpoint that corresponds to a CAPTCHA-enabled form must include the HTTP `X-Captcha` header, along with the text the shopper entered in response to the CAPTCHA challenge.
| Form name | REST endpoint |
|---|---|
| Add Gift Card Code | `POST /V1/carts/mine/giftCards`<br>`POST /V1/carts/guest-carts/:cartId/giftCards` |
| Applying Coupon Code | `PUT /V1/carts/:cartId/coupons/:couponCode`<br>`PUT /V1/guest-carts/:cartId/coupons/:couponCode` |
| Change password | `PUT /V1/customers/me/password` |
| Checkout/Placing Order | `POST /V1/carts/mine/payment-information`<br>`POST /V1/carts/mine/set-payment-information`<br>`POST /V1/guest-carts/:cartId/payment-information`<br>`POST /V1/guest-carts/:cartId/set-payment-information` |
| Contact Us | Not applicable |
| Create company | `POST /V1/company` |
| Create user | `POST /V1/customers` |
| Forgot password | `POST /V1/customers/resetPassword`<br>`PUT /V1/customers/password` |
| Login | `POST /V1/integration/customer/token` |
| Payflow Pro | Not applicable |
| Send to Friend Form | Not applicable |
| Share Wishlist Form | Not applicable |
reCAPTCHA
The following table lists the forms that can be configured to require reCAPTCHA. Go to Stores > Configuration > Security > Google reCAPTCHA Storefront > Storefront to enable or disable reCAPTCHA on these forms. If reCAPTCHA is enabled, unless an integration token is provided, always specify the HTTP `X-ReCaptcha` header and the value generated by the Google API.
| Field name | REST endpoint |
|---|---|
| Enable for Customer Login | `PUT /V1/integration/customer/token` |
| Enable for Forgot Password | `PUT /V1/customers/me/password` |
| Enable for Create New Customer Account | `POST /V1/customers` |
| Enable for Edit Customer Account | `PUT /V1/customers/me` |
| Enable for Contact Us | Not applicable |
| Enable for Product Review | Not applicable |
| Enable for Newsletter Subscription | Not applicable |
| Enable for Send To Friend | Not applicable |
| Enable for PayPal PayflowPro payment form | Not applicable |
| Enable for Braintree payment form | Not applicable |
| Enable for Checkout/Placing Order | `POST /V1/carts/mine/payment-information`<br>`POST /V1/carts/mine/set-payment-information`<br>`POST /V1/guest-carts/:cartId/payment-information`<br>`POST /V1/guest-carts/:cartId/set-payment-information` |
| Enable for Coupon Codes | `PUT /V1/carts/:cartId/coupons/:couponCode`<br>`PUT /V1/guest-carts/:cartId/coupons/:couponCode` |
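The header rules above and the two endpoint tables, combined into one helper for a headless storefront backend that forwards the widget-captured value to Commerce. This is an added example, not Adobe Commerce code; `auth_kind`, `build_headers` and `is_protected` are names assumed here, and the backend is assumed to know which kind of token it holds.

```python
# Protected endpoints taken from the two tables on this page. A ":name" segment
# matches any single path segment (cart IDs, coupon codes).
PROTECTED = [
    ("POST", "/V1/customers"),
    ("POST", "/V1/integration/customer/token"),
    ("PUT", "/V1/integration/customer/token"),
    ("PUT", "/V1/customers/me"),
    ("PUT", "/V1/customers/me/password"),
    ("POST", "/V1/customers/resetPassword"),
    ("PUT", "/V1/customers/password"),
    ("POST", "/V1/company"),
    ("POST", "/V1/carts/mine/giftCards"),
    ("POST", "/V1/carts/guest-carts/:cartId/giftCards"),
    ("PUT", "/V1/carts/:cartId/coupons/:couponCode"),
    ("PUT", "/V1/guest-carts/:cartId/coupons/:couponCode"),
    ("POST", "/V1/carts/mine/payment-information"),
    ("POST", "/V1/carts/mine/set-payment-information"),
    ("POST", "/V1/guest-carts/:cartId/payment-information"),
    ("POST", "/V1/guest-carts/:cartId/set-payment-information"),
]

def _matches(template, path):
    t, p = template.strip("/").split("/"), path.strip("/").split("/")
    return len(t) == len(p) and all(a.startswith(":") or a == b for a, b in zip(t, p))

def is_protected(method, path):
    """True if this call may require X-Captcha / X-ReCaptcha."""
    return any(m == method.upper() and _matches(tpl, path) for m, tpl in PROTECTED)

def build_headers(method, path, *, auth_kind=None, token=None,
                  captcha=None, recaptcha=None):
    """Headers for one Commerce REST call; refuses a protected call that lacks the
    widget-captured value. auth_kind is a label the backend assigns (assumption):
    None for guests, "integration", "customer" or "admin" for Bearer tokens."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if captcha:
        headers["X-Captcha"] = captcha        # text the shopper typed into the widget
    if recaptcha:
        headers["X-ReCaptcha"] = recaptcha    # value the Google API widget produced
    # Only an integration token makes the header optional; admin and customer
    # Bearer tokens still need it, and guests always do.
    needs_header = is_protected(method, path) and auth_kind != "integration"
    if needs_header and not (captcha or recaptcha):
        raise PermissionError(f"{method} {path}: X-Captcha or X-ReCaptcha required")
    return headers
```

The backend never generates the CAPTCHA value itself; it only passes on what its own storefront widget captured, so a caller that arrives without one is rejected before Commerce is contacted.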