Spam Protection
Formoar provides multiple layers of spam protection: honeypot fields (available on all plans), Cloudflare Turnstile, and Google reCAPTCHA v3 (both available on paid plans). These can be used together for maximum protection.
Honeypot fields
A honeypot is a hidden form field that legitimate users won't fill in, but spam bots will. If the honeypot field contains any value, the submission is flagged as spam.
Honeypot is enabled by default on all new forms. The default field name is _honeypot, but you can customize it in your form settings.
HTML with honeypot
<form action="https://formoar.com/api/f/your-form-id" method="POST">
<label for="name">Name</label>
<input type="text" id="name" name="name" required />
<label for="email">Email</label>
<input type="email" id="email" name="email" required />
<!-- Honeypot field — hidden from real users -->
<div style="display: none;">
<input type="text" name="_honeypot" tabindex="-1" autocomplete="off" />
</div>
<button type="submit">Send</button>
</form>
Use CSS display: none to hide the honeypot field. Using type="hidden" is
less effective because some bots specifically look for hidden inputs.
Cloudflare Turnstile
Cloudflare Turnstile is a privacy-friendly CAPTCHA alternative. It runs in the background and usually doesn't require any user interaction.
Setup
- Create a Turnstile widget in your Cloudflare dashboard
- Copy the Site Key and Secret Key
- In your Formoar form settings, enable Turnstile and paste the Secret Key
- Add the Turnstile widget to your form using the Site Key
HTML with Turnstile
<form action="https://formoar.com/api/f/your-form-id" method="POST">
<label for="name">Name</label>
<input type="text" id="name" name="name" required />
<label for="email">Email</label>
<input type="email" id="email" name="email" required />
<!-- Cloudflare Turnstile widget -->
<div class="cf-turnstile" data-sitekey="your-site-key"></div>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<button type="submit">Send</button>
</form>
The Turnstile widget automatically adds a cf-turnstile-response field to your form. Formoar reads this token and verifies it with Cloudflare's API before accepting the submission.
AJAX submissions with Turnstile
When using AJAX, include the Turnstile response token in your JSON payload as _turnstile:
JavaScript with Turnstile
const form = document.querySelector('form')
form.addEventListener('submit', async (e) => {
e.preventDefault()
const data = Object.fromEntries(new FormData(form))
// The Turnstile widget sets this field automatically
data._turnstile = data['cf-turnstile-response']
const response = await fetch('https://formoar.com/api/f/your-form-id', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(data),
})
const result = await response.json()
console.log(result)
})
Cloudflare Turnstile is available on Starter, Pro, and Business plans. The free plan uses honeypot fields only.
Google reCAPTCHA v3
Google reCAPTCHA v3 is a score-based spam detection system. It runs entirely in the background, requires no user interaction, and returns a score from 0.0 (very likely a bot) to 1.0 (very likely a human). Formoar compares this score against a configurable threshold to decide whether to accept or reject the submission.
Setup
- Go to the Google reCAPTCHA admin console and create a new site
- Select reCAPTCHA v3 as the type
- Add your website domain(s) and submit
- Copy the Site Key and Secret Key
- In your Formoar form settings, enable reCAPTCHA and paste the Secret Key
- Optionally adjust the score threshold (default is
0.5— submissions scoring below this are flagged as spam)
Adding reCAPTCHA v3 to your form
Unlike traditional CAPTCHAs, reCAPTCHA v3 does not render a widget. You load the script, request a token when the form is submitted, and include it as a hidden field.
HTML with reCAPTCHA v3
<form id="my-form" action="https://formoar.com/api/f/your-form-id" method="POST">
<label for="name">Name</label>
<input type="text" id="name" name="name" required />
<label for="email">Email</label>
<input type="email" id="email" name="email" required />
<!-- reCAPTCHA v3 token (populated by the script below) -->
<input type="hidden" name="g-recaptcha-response" id="recaptcha-token" />
<button type="submit">Send</button>
</form>
<script src="https://www.google.com/recaptcha/api.js?render=your-site-key"></script>
<script>
const form = document.getElementById('my-form')
form.addEventListener('submit', function (e) {
e.preventDefault()
grecaptcha.ready(function () {
grecaptcha.execute('your-site-key', { action: 'submit' }).then(function (token) {
document.getElementById('recaptcha-token').value = token
form.submit()
})
})
})
</script>
Formoar reads the g-recaptcha-response field, verifies the token with Google's API, and strips it from the stored submission data so it never appears in your submissions.
AJAX submissions with reCAPTCHA v3
When using AJAX, include the reCAPTCHA token in your JSON payload as g-recaptcha-response:
JavaScript with reCAPTCHA v3
const form = document.querySelector('form')
form.addEventListener('submit', async (e) => {
e.preventDefault()
// Request a reCAPTCHA v3 token
const token = await new Promise((resolve) => {
grecaptcha.ready(() => {
grecaptcha.execute('your-site-key', { action: 'submit' }).then(resolve)
})
})
const data = Object.fromEntries(new FormData(form))
data['g-recaptcha-response'] = token
const response = await fetch('https://formoar.com/api/f/your-form-id', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(data),
})
const result = await response.json()
console.log(result)
})
Score threshold
reCAPTCHA v3 returns a score between 0.0 and 1.0 for every request. Higher scores indicate more confidence that the user is human. The default threshold in Formoar is 0.5, meaning any submission with a score below 0.5 is flagged as spam.
You can adjust the threshold in your form settings:
- Lower threshold (e.g.
0.3) — more permissive, fewer false positives but more spam may get through - Higher threshold (e.g.
0.7) — more aggressive, blocks more spam but may flag some legitimate users
Google recommends monitoring your reCAPTCHA scores in the admin console and adjusting the threshold based on your traffic patterns.
Google reCAPTCHA v3 is available on Starter, Pro, and Business plans. If the reCAPTCHA API is temporarily unavailable, Formoar will allow the submission through rather than blocking legitimate users.