Backend Implementation
The following explains how to retrieve the verification result on the server side and determine the next steps based on it.
Supported Technologies
You can use Trustcaptcha with any programming language and framework of your choice and customize it entirely to your needs. Below you will find detailed documentation of the backend process and the corresponding API interface.
Library Support
To make using Trustcaptcha as easy as possible, libraries are provided for commonly used programming languages and frameworks. These simplify a large part of the subsequent process. However, we still recommend reading this tutorial first. This will give you a good understanding of the underlying process.
Below you will find a current list of libraries provided:
The Verification Token
When a captcha is successfully solved, the Trustcaptcha component returns a verification token. This must be transmitted to the backend and can be further processed there. Below, the structure of the verification token is explained.
Base64 Encoded
The verification token returned by the Trustcaptcha component is encoded in Base64.
Base64 Decoded
When you decode the verification token, you get back a JSON object. This contains the verification ID and the encrypted access token named encryptedAccessToken.
Key | Value | Description |
|---|---|---|
verificationId | UUID | Unique identifier (ID) of the verification. |
encryptedAccessToken | Text | Encrypted access token for retrieving the verification result. |
Decrypting the Access Token
The access token named encryptedAccessToken in the verification result is encrypted with AES. This ensures that only you are able to retrieve the verification result. First, the encryptedAccessToken needs to be decoded from base64 and converted into a binary format. Then decrypt it using your secret-keyue. Use AES-265 in CBC mode. Use a PKCS5Padding and a 16-byte initialization vector (IV).
Implementation Example
Below you will find some implementation examples for AES decryption.
The Verification Result
Below you will be explained how to retrieve the verification result, what information it contains, and how you can work with it.
Retrieving the Result
You can retrieve the verification result from our servers using the following URL.
Parameter | Type | Description |
|---|---|---|
verificationId | Path | Unique identifier (ID) of the verification. |
decryptedAccessToken | Query | Decrypted access token to retrieve the verification result. |
Please note that the verification token becomes invalid after 30 minutes and the verification result can only be received once.
Processing the Result
The returned verification result looks like this:
Parameter | Value | Description |
|---|---|---|
captchaId | UUID | Unique identifier (ID) of the respective CAPTCHA. |
verificationId | UUID | Unique identifier (ID) of the verification. |
verificationPassed | Boolean | Statement on whether the CAPTCHA was fundamentally passed or not. |
score | Number | Probability level that the client is a bot. |
reason | Text | Rationale for calculating verificationPassed and score. |
mode | Text | Selected captcha mode. |
origin | Text | The page where the captcha was solved. |
ipAddress | Text | IP address (IPv4 or IPv6) of the client. |
deviceFamily | Text | Name of the device family used by the client. |
operatingSystem | Text | Name and version of the operating system used by the client. |
browser | Text | Name and version of the browser used by the client. |
creationTimestamp | Timestamp (UTC) | The moment when the verification process (the CAPTCHA) was started by the client. |
releaseTimestamp | Timestamp (UTC) | The moment when the verification process (the CAPTCHA) was completed by the client. |
retrievalTimestamp | Timestamp (UTC) | The moment when the verification result was called up by the website operator. |
The Bot Score
The Bot Score returns a decimal value between 0 and 1. It provides information on the likelihood that the requesting client is a bot. The lower the value, the more likely the user is human. The higher the value, the more likely it is a machine user.
The Bot Score allows you to define a simple threshold at which you either allow or deny the request. Our recommendation is to set the threshold at 0.5. However, based on the Bot Score, you can also establish different security measures for various probabilities, such as additional two-factor authentication or email confirmation.
The Reason
The reason provides insight into why the bot score and the statement about VerificationPassed were made accordingly.
Reason | VerificationPassed | Score | Description |
|---|---|---|---|
BYPASS_KEY | 0 | The captcha was solved using a bypass token. | |
CUSTOM_ALLOW_LIST | 0 | The client's IP address is on the custom allow list. | |
CUSTOM_BLOCK_LIST | 1 | The client's IP address is on the custom block list. | |
GLOBAL_ALLOW_LIST | 0 | The client's IP address is on Trustcaptcha's global allow list. | |
GLOBAL_BLOCK_LIST | 1 | The client's IP address is on Trustcaptcha's global block list. | |
GEOBLOCKING | 1 | The client's region is blocked on the country list. | |
REQUEST_REJECTED | 1 | The verification attempt was rejected by Trustcaptcha. | |
ONLY_PROOF_OF_WORK | 0 | Verification passed without bot-score (e.g. minimal data mode). | |
CALCULATED | Individual | The bot score was calculated based on data analysis. | |
CHALLENGES_NOT_SOLVED_CORRECTLY | 1 | The client did not correctly calculate the Proof-of-Work challenges. | |
CHALLENGES_NOT_SOLVED_IN_SPECIFIED_TIME | 1 | The client did not submit the Proof-of-Work challenges within the specified time. |
Error Handling
Errors can occur when retrieving the verification result. Below you will find an overview of all status codes along with a description of what went wrong and what you should consider.
Status Code | Status Name | Description |
|---|---|---|
400 | Bad Request | The request was made under false assumptions. Possibly the verification ID (verificationId) is not a UUID or the access token (accessToken) does not match the specified format. |
403 | Forbidden | The access token (accessToken) is not valid. Please check the access token. |
404 | Not Found | The verification does not exist. Please check the verification ID. It is also possible that the verification has already been retrieved and is now deleted. |
410 | Gone | The verification result has either already been retrieved or is no longer provided, as the verification attempt is too old. Remember that you can only retrieve the verification result once, shortly after the verification. |
423 | Locked | The verification result has not yet been released. Please wait until the verification is complete. |
422 | Unprocessable Content | The set captcha mode of the Trustcaptcha component does not match the set mode in the captcha settings. |
500 | Internal Server Error | An internal server error has occurred. If this happens repeatedly and persists over time, please contact support. |