Has anyone integrated FriendlyCaptcha in Adaptive forms? | Community
Skip to main content
Vishal_Anand
Vishal_Anand
Level 5
February 19, 2026
Solved

Has anyone integrated FriendlyCaptcha in Adaptive forms?

  • February 19, 2026
  • 1 reply
  • 29 views

Hi,

We are working on integrating FriendlyCaptcha in our Adaptive forms and wanted to understand if anyone already tried it before? Also, if there are any best practices around its integration especially from server side validation.

 

Thanks,

Vishal

Best answer by AmitVishwakarma

@Vishal_Anand No out-of-the-box (OOTB) FriendlyCaptcha integration exists in Adaptive Forms. AEM Forms supports Google reCAPTCHA and (in newer/EA paths) also hCaptcha / Cloudflare Turnstile, but FriendlyCaptcha would be a custom captcha provider integration. See: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/release-notes/release-notes/2024/release-notes-2024-6-0

 

Best-practice integration pattern:

  1. Client side (form UI)
    • Render FriendlyCaptcha widget (their JS) in the form (usually via a custom component or injecting JS).
    • When the challenge completes, capture the token/solution and store it in:
      • a hidden field, or
      • the submission metadata (implementation-dependent).
  2. Server-side validation (mandatory)
  3. Security/gov best practices
    • Keep FriendlyCaptcha secret key server-side only (OSGi config/secret manager), never in clientlibs.
    • Treat missing token as failure (don’t “skip captcha if token missing”).
    • Log only minimal debug info (no tokens), and consider rate limiting.

AEM Forms version matter:

Thanks,
Amit

 

 

1 reply

AmitVishwakarma
Community Advisor
AmitVishwakarmaCommunity AdvisorAccepted solution
Community Advisor
February 20, 2026

@Vishal_Anand No out-of-the-box (OOTB) FriendlyCaptcha integration exists in Adaptive Forms. AEM Forms supports Google reCAPTCHA and (in newer/EA paths) also hCaptcha / Cloudflare Turnstile, but FriendlyCaptcha would be a custom captcha provider integration. See: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/release-notes/release-notes/2024/release-notes-2024-6-0

 

Best-practice integration pattern:

  1. Client side (form UI)
    • Render FriendlyCaptcha widget (their JS) in the form (usually via a custom component or injecting JS).
    • When the challenge completes, capture the token/solution and store it in:
      • a hidden field, or
      • the submission metadata (implementation-dependent).
  2. Server-side validation (mandatory)
  3. Security/gov best practices
    • Keep FriendlyCaptcha secret key server-side only (OSGi config/secret manager), never in clientlibs.
    • Treat missing token as failure (don’t “skip captcha if token missing”).
    • Log only minimal debug info (no tokens), and consider rate limiting.

AEM Forms version matter:

Thanks,
Amit

 

 

Amit Vishwakarma - Adobe Commerce Champion 2025 | 16x Adobe certified | 4x Adobe SME
    Vishal_Anand
    Vishal_AnandAuthor
    Level 5
    March 10, 2026

    Thank you for capturing detailed approach.

    Quick note for server side validation: Custom form components other than AF form component data is not sent to server via afFormData.

     

    Above issue is resolved by adding an AF form hidden field on the form and retrieving the token into the form field. As the hidden field is an OOTB AF field able to retrieve the value through a JSP and sent to server side for additional validation to siteverify API ("/api/v2/captcha/siteverify") as mentioned in FriendlyCaptcha API documentation.

      Terms & ConditionsAccessibility statement

      Loading footer...