Captcha

Add the plugin to your auth config

import { betterAuth } from "better-auth";
import { captcha } from "better-auth/plugins";
 
export const auth = betterAuth({
    plugins: [ 
        captcha({ 
            provider: "cloudflare-turnstile", // or "google-recaptcha"
            secretKey: process.env.TURNSTILE_SECRET_KEY!, 
        }), 
    ], 
});

Add the captcha token to your request headers

Add the captcha token to your request headers for all protected endpoints. This example shows how to include it in a signIn request:

await authClient.signIn.email({
    email: "user@example.com",
    password: "secure-password",
    fetchOptions: { 
        headers: { 
            "x-captcha-response": turnstileToken, 
        }, 
    },
});

• To implement Cloudflare Turnstile on the client side, see the official Cloudflare Turnstile documentation or use a library like react-turnstile.
• To implement Google reCAPTCHA on the client side, see the official Google reCAPTCHA documentation or use a library like react-google-recaptcha.

The plugin acts as a middleware: it intercepts all POST requests to configured endpoints (see endpoints in the Plugin Options section).

it validates the captcha token on the server, by calling the captcha provider's /siteverify.

• if the token is missing, gets rejected by the captcha provider, or if the /siteverify endpoint is unavailable, the plugin returns an error and interrupts the request.
• if the token is accepted by the captcha provider, the middleware returns undefined, meaning the request is allowed to proceed.