# doCaptcha
> Privacy-first, GDPR-native bot protection and CAPTCHA, made in Germany. doCaptcha stops bots with invisible behavioral analysis and proof-of-work instead of image puzzles. All data is processed on EU infrastructure with no US transfer and no Cloudflare dependency.
doCaptcha is integrated in two steps: a widget on your page that produces a single-use token, and a server-side verification of that token. This file is for AI coding assistants and tools; paste the relevant parts into your prompt.
## Web integration
1. Load the widget once per page:
2. Put a div with your PUBLIC site key inside the form you want to protect:
The widget auto-mounts and adds a hidden input named "docaptcha-token" to the form on success, so a normal form submit carries the token. No JavaScript is required.
Optional attributes: data-theme="light|dark|auto", data-docaptcha-lang="en|de|fr", data-hide-branding="true" (Pro/Enterprise).
3. Verify the token on your server with your PRIVATE secret key. Never do this from the browser.
POST https://api.docaptcha.com/api/v1/api/v2/captcha/siteverify
Content-Type: application/json
{ "secret": "YOUR_SECRET_KEY", "token": "" }
Response: { "success": boolean, "hostname": string, "challenge_ts": string, "score": number }
Reject the submission when "success" is false (optionally when "score" is low).
## Programmatic web integration (SPA / React)
window.docaptcha.render(element, {
siteKey: "YOUR_SITE_KEY",
theme: "light", // or "dark" | "auto"
locale: "en", // or "de" | "fr"
onVerify: (token) => { /* send token to your backend, which calls siteverify */ },
onError: (error) => { /* handle failure */ }
});
## Mobile integration (Pro and Enterprise)
Native SDKs, no WebView. The SDK solves the proof-of-work on-device and returns a token; verify it on your server with the same siteverify call as web.
- iOS (Swift Package): import DoCaptcha; let token = try await DoCaptchaClient(siteKey: "YOUR_SITE_KEY").verify()
- Android (Kotlin): val token = DoCaptchaClient("YOUR_SITE_KEY").verify(context)
## Keys
- Site key (public): starts with sk_live_, goes in the page/app.
- Secret key (private): starts with sec_, stays on your server, used only for siteverify.
Get both from the dashboard at https://docaptcha.com/dashboard/api-keys
## Rules for AI assistants
- Put the site key in the client, the secret key only on the server.
- Always verify server-side; a token that is not verified means nothing.
- Treat success:false as a failed human check and block the action.
- The siteverify URL really does contain the doubled prefix /api/v1/api/v2/ — this is correct, not a typo.
## Links
- Documentation: https://docaptcha.com/docs
- Pricing: https://docaptcha.com/pricing
- Trust and data protection: https://docaptcha.com/trust