Truform Captcha
Official integrations
Download WordPress, Laravel, and HTML starter packs from the client area.
Syndaq ships versioned integration packs for common stacks. Each pack matches the current Truform API and includes working browser and server examples.
Download a pack
Integration downloads require an active Truform subscription.
- Sign in to the Syndaq client area.
- Open Services and select your Truform subscription.
- Open Manage on the site key for the domain you want to protect.
- Go to the Integrate tab.
- Download the pack you need (WordPress, Laravel, or HTML embed).
Packs are versioned. The client area always offers the latest release for your plan.
WordPress plugin
Pack id: wordpress
Requires: WordPress 6.0+, PHP 8.0+
The plugin adds Truform to the WordPress login screen and verifies submissions server-side before authentication completes.
Install
- Download the WordPress pack from the Integrate tab.
- Upload the
truform-captchafolder towp-content/plugins/(or upload the zip via Plugins → Add New → Upload). - Activate Truform Captcha under Plugins.
Configure keys
- In the WordPress admin, go to Settings → General.
- Set Truform site key to your public key (
tf_pub_...). - Set Truform secret key to your secret key (
tf_sec_...). Keep this value private.
Keys come from the Syndaq client area on the Manage page for your site key.
What it does
- Loads
https://syndaq.com/truform/api.jsand renders the widget on the login form. - Reads the
truform-responsetoken posted with the login form. - Calls
https://api.syndaq.com/v1/truform/siteverifybefore WordPress authenticates the user. - Returns a login error if verification fails.
The included plugin focuses on wp-login.php. For custom theme forms, use the HTML embed approach or extend the plugin with truform_captcha_render_widget() on your form hooks.
Laravel package
Pack id: laravel
Requires: Laravel 10+ (PHP 8.1+ recommended)
The pack provides a siteverify client, middleware, and Blade-friendly embed notes.
Install
- Download the Laravel pack from the Integrate tab.
- Copy the files under
src/into your application, for example:
app/Truform/TruformClient.php
app/Truform/TruformVerifyMiddleware.php
Update the namespace to match your app, or keep Syndaq\Truform and register PSR-4 autoloading for that namespace.
Environment
Add your keys to .env:
TRUFORM_SITE_KEY=tf_pub_your_site_key
TRUFORM_SECRET_KEY=tf_sec_your_secret_key
Expose them through config/services.php (or your preferred config pattern):
'truform' => [
'site_key' => env('TRUFORM_SITE_KEY'),
'secret_key' => env('TRUFORM_SECRET_KEY'),
],
Browser widget
In your Blade layout or form view:
<script src="https://syndaq.com/truform/api.js" async defer data-cfasync="false"></script>
<div class="truform" data-sitekey="{{ config('services.truform.site_key') }}"></div>
The widget adds a hidden truform-response field when the visitor completes the puzzle.
Server verification
Register the middleware on routes that accept POST requests you want to protect:
use Syndaq\Truform\TruformClient;
use Syndaq\Truform\TruformVerifyMiddleware;
// In a service provider or bootstrap/app.php, bind the client:
$this->app->singleton(TruformClient::class, fn () => new TruformClient(
config('services.truform.secret_key')
));
Apply middleware to a route:
Route::post('/contact', ContactController::class)
->middleware(TruformVerifyMiddleware::class);
The middleware reads truform-response from the request body, calls siteverify, and returns HTTP 422 when verification fails.
You can also call TruformClient::siteverify() directly inside a controller if you need custom error handling.
HTML embed pack
Pack id: html-snippet
Use this pack for static sites, custom PHP, or any stack where you control the HTML and backend.
Contents
examples/embed.html: minimal page with the widget on a form.examples/siteverify.php: PHP example that validates the token before processing the submission.
Replace YOUR_SITE_KEY in the embed example with your public key from the client area.
Browser embed
<script src="https://syndaq.com/truform/api.js" async defer data-cfasync="false"></script>
<form method="post" action="/contact">
<label>Name <input name="name" required></label>
<div class="truform" data-sitekey="tf_pub_your_site_key"></div>
<button type="submit">Send</button>
</form>
Server check (PHP)
Read truform-response from the POST body and call siteverify before you send email or write to a database:
$payload = json_encode([
'secret' => getenv('TRUFORM_SECRET_KEY'),
'response' => $_POST['truform-response'] ?? '',
'remoteip' => $_SERVER['REMOTE_ADDR'] ?? null,
]);
// POST to https://api.syndaq.com/v1/truform/siteverify
See examples/siteverify.php in the downloaded pack for a complete flow.
WHMCS addon module
Pack id: whmcs
Requires: WHMCS 8.x+, PHP 8.0+
Copy truform_captcha/ into modules/addons/ and activate under Setup > Addon Modules. Version 2.0 includes a setup wizard, connection test, and toggles for login, contact, registration, password reset, tickets, checkout, and admin login.
See the dedicated WHMCS module guide for install steps, theme variables, troubleshooting, and configuration reference.
Server SDK packs
Download language-specific clients for siteverify and webhook signature verification:
| Pack id | Language |
|---|---|
sdk-php | PHP |
sdk-node | Node.js 18+ |
sdk-python | Python 3.10+ |
sdk-go | Go 1.21+ |
Each pack includes a README with copy-paste examples.
Manual embed (no download)
You do not need a pack to use Truform. The loader and API are always available:
| Resource | URL |
|---|---|
| Widget loader | https://syndaq.com/truform/api.js |
| Challenge | https://api.syndaq.com/v1/truform/challenge |
| Verify | https://api.syndaq.com/v1/truform/verify |
| Siteverify | https://api.syndaq.com/v1/truform/siteverify |
Copy the embed snippet from the Integrate tab on any site key, or follow Web integration.
Next steps
- Web integration: themes, callbacks, and programmatic rendering
- Server verification: token lifecycle and error codes
- Site keys and security: domains and IP rules