Truform Captcha

Official integrations

Download WordPress, Laravel, and HTML starter packs from the client area.

Syndaq ships versioned integration packs for common stacks. Each pack matches the current Truform API and includes working browser and server examples.

Download a pack

Integration downloads require an active Truform subscription.

  1. Sign in to the Syndaq client area.
  2. Open Services and select your Truform subscription.
  3. Open Manage on the site key for the domain you want to protect.
  4. Go to the Integrate tab.
  5. Download the pack you need (WordPress, Laravel, or HTML embed).

Packs are versioned. The client area always offers the latest release for your plan.

WordPress plugin

Pack id: wordpress

Requires: WordPress 6.0+, PHP 8.0+

The plugin adds Truform to the WordPress login screen and verifies submissions server-side before authentication completes.

Install

  1. Download the WordPress pack from the Integrate tab.
  2. Upload the truform-captcha folder to wp-content/plugins/ (or upload the zip via Plugins → Add New → Upload).
  3. Activate Truform Captcha under Plugins.

Configure keys

  1. In the WordPress admin, go to Settings → General.
  2. Set Truform site key to your public key (tf_pub_...).
  3. Set Truform secret key to your secret key (tf_sec_...). Keep this value private.

Keys come from the Syndaq client area on the Manage page for your site key.

What it does

  • Loads https://syndaq.com/truform/api.js and renders the widget on the login form.
  • Reads the truform-response token posted with the login form.
  • Calls https://api.syndaq.com/v1/truform/siteverify before WordPress authenticates the user.
  • Returns a login error if verification fails.

The included plugin focuses on wp-login.php. For custom theme forms, use the HTML embed approach or extend the plugin with truform_captcha_render_widget() on your form hooks.

Laravel package

Pack id: laravel

Requires: Laravel 10+ (PHP 8.1+ recommended)

The pack provides a siteverify client, middleware, and Blade-friendly embed notes.

Install

  1. Download the Laravel pack from the Integrate tab.
  2. Copy the files under src/ into your application, for example:
app/Truform/TruformClient.php
app/Truform/TruformVerifyMiddleware.php

Update the namespace to match your app, or keep Syndaq\Truform and register PSR-4 autoloading for that namespace.

Environment

Add your keys to .env:

TRUFORM_SITE_KEY=tf_pub_your_site_key
TRUFORM_SECRET_KEY=tf_sec_your_secret_key

Expose them through config/services.php (or your preferred config pattern):

'truform' => [
    'site_key' => env('TRUFORM_SITE_KEY'),
    'secret_key' => env('TRUFORM_SECRET_KEY'),
],

Browser widget

In your Blade layout or form view:

<script src="https://syndaq.com/truform/api.js" async defer data-cfasync="false"></script>
<div class="truform" data-sitekey="{{ config('services.truform.site_key') }}"></div>

The widget adds a hidden truform-response field when the visitor completes the puzzle.

Server verification

Register the middleware on routes that accept POST requests you want to protect:

use Syndaq\Truform\TruformClient;
use Syndaq\Truform\TruformVerifyMiddleware;

// In a service provider or bootstrap/app.php, bind the client:
$this->app->singleton(TruformClient::class, fn () => new TruformClient(
    config('services.truform.secret_key')
));

Apply middleware to a route:

Route::post('/contact', ContactController::class)
    ->middleware(TruformVerifyMiddleware::class);

The middleware reads truform-response from the request body, calls siteverify, and returns HTTP 422 when verification fails.

You can also call TruformClient::siteverify() directly inside a controller if you need custom error handling.

HTML embed pack

Pack id: html-snippet

Use this pack for static sites, custom PHP, or any stack where you control the HTML and backend.

Contents

  • examples/embed.html: minimal page with the widget on a form.
  • examples/siteverify.php: PHP example that validates the token before processing the submission.

Replace YOUR_SITE_KEY in the embed example with your public key from the client area.

Browser embed

<script src="https://syndaq.com/truform/api.js" async defer data-cfasync="false"></script>

<form method="post" action="/contact">
  <label>Name <input name="name" required></label>
  <div class="truform" data-sitekey="tf_pub_your_site_key"></div>
  <button type="submit">Send</button>
</form>

Server check (PHP)

Read truform-response from the POST body and call siteverify before you send email or write to a database:

$payload = json_encode([
    'secret' => getenv('TRUFORM_SECRET_KEY'),
    'response' => $_POST['truform-response'] ?? '',
    'remoteip' => $_SERVER['REMOTE_ADDR'] ?? null,
]);
// POST to https://api.syndaq.com/v1/truform/siteverify

See examples/siteverify.php in the downloaded pack for a complete flow.

WHMCS addon module

Pack id: whmcs

Requires: WHMCS 8.x+, PHP 8.0+

Copy truform_captcha/ into modules/addons/ and activate under Setup > Addon Modules. Version 2.0 includes a setup wizard, connection test, and toggles for login, contact, registration, password reset, tickets, checkout, and admin login.

See the dedicated WHMCS module guide for install steps, theme variables, troubleshooting, and configuration reference.

Server SDK packs

Download language-specific clients for siteverify and webhook signature verification:

Pack idLanguage
sdk-phpPHP
sdk-nodeNode.js 18+
sdk-pythonPython 3.10+
sdk-goGo 1.21+

Each pack includes a README with copy-paste examples.

Manual embed (no download)

You do not need a pack to use Truform. The loader and API are always available:

ResourceURL
Widget loaderhttps://syndaq.com/truform/api.js
Challengehttps://api.syndaq.com/v1/truform/challenge
Verifyhttps://api.syndaq.com/v1/truform/verify
Siteverifyhttps://api.syndaq.com/v1/truform/siteverify

Copy the embed snippet from the Integrate tab on any site key, or follow Web integration.

Next steps