Snaptcha

Invisible CAPTCHA to prevent spam form submissions.

Invisible and completely unobtrusive form spam prevention.

Prevents spam bots from submitting to your site.

Works automatically with any form and any plugin.

Snaptcha (Simple Non-obtrusive Automated Public Turing test to tell Computers and Humans Apart) will validate all POST requests to the front-end of your site, meaning that it will work with any form and any plugin. 


Note that since this will affect all POST requests, you must add the required template tag before enabling validation (see usage instructions).

To get Snaptcha v1 for Craft CMS 2, please purchase a license through the Craft 3 Plugin Store and send your receipt to [email protected]putyourlightson.net. We will then email you the legacy plugin.

License

This plugin requires a commercial license purchasable through the Craft Plugin Store. The license fee is $29 plus $14 per subsequent year for updates (optional).

Requirements

Craft CMS 3.0.0 or later.

Usage

Installation

To install the plugin, search for “Snaptcha” in the Craft Plugin Store, or install manually using composer.

composer require putyourlightson/craft-snaptcha

Getting Started

After installing the plugin, go to the plugin settings page. Snaptcha validation is disabled by default so that you can first add the required template tag to your forms. Once you have done this you can enable Snaptcha validation.

Add the following template tag to every form that submits a POST request to your site. This will output a hidden input field along with some JavaScript code.

{# Outputs a hidden input field #}
{{ craft.snaptcha.field }}

If you want to be more fine-grained then you can get the field name and value as follows.

{# Outputs the name of the field #}
{{ craft.snaptcha.fieldName }}

{# Outputs a field value #}
{{ craft.snaptcha.fieldValue }}

{# Sample usage #}
<input type="hidden" id="my-snaptcha-field"
    name="{{ craft.snaptcha.fieldName }}" 
    value="{{ craft.snaptcha.fieldValue }}">

You can optionally use the getField and getFieldValue methods to pass in configuration values that will override the default values in the plugin settings.

{% set config = {expirationTime: 60, minimumSubmitTime: 3} %}

{# Outputs a hidden input field with the config values #}
{{ craft.snaptcha.getField(config) }}

{# Outputs a field value with the config values #}
{{ craft.snaptcha.getFieldValue(config) }}

Settings

Validation Enabled

With this setting enabled, Snaptcha will validate all forms submitted through POST requests. Ensure that all of your forms that submit via POST requests have the necessary tags in place before enabling this.

One Time Key

Enabling this will restrict the number of times that a form can be submitted to one time per page refresh. This is a strong security measure and is recommended for low to medium traffic sites. For high traffic sites, disabling this will prevent the database table that the plugin uses from getting too big. 

Log Rejected

Whether rejected form submissions should be logged (log will be written to storage/logs/snaptcha.log).

Field Name

The name of the hidden Snaptcha input field.

Error Message

The error message that will be displayed if Snaptcha identifies a submission as spam.

Expiration Time

The expiration time for form submissions in minutes.

Minimum Submit Time

The minimum time for form submission in seconds (increase this to harden spam blocking).
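How the One Time Key, Expiration Time and Minimum Submit Time settings interact can be seen in a small model. This is an added illustration, not Snaptcha's own code: the in-memory key store, the record shape and the function names are assumptions, and the timeline is constructed.

```javascript
// Added illustration, not Snaptcha's implementation. The key store, record
// shape and function names are assumptions made for this sketch.
// expirationTime is in minutes and minimumSubmitTime in seconds, as in the
// settings above; 60 and 3 are the sample values from the config example.
const SAMPLE_CONFIG = { expirationTime: 60, minimumSubmitTime: 3, oneTimeKey: true };

// Form render: record when the hidden field value was issued.
function issueKey(store, key, nowMs) {
  store.set(key, { issuedAt: nowMs, used: false });
}

// POST handling: decide whether the submitted field value is acceptable.
function validateKey(store, key, nowMs, overrides = {}) {
  const cfg = { ...SAMPLE_CONFIG, ...overrides };
  if (!key) return { ok: false, reason: 'missing field' };
  const record = store.get(key);
  if (!record) return { ok: false, reason: 'unknown key' };

  const ageSeconds = (nowMs - record.issuedAt) / 1000;
  if (ageSeconds < cfg.minimumSubmitTime) {
    return { ok: false, reason: 'submitted too quickly' };
  }
  if (ageSeconds > cfg.expirationTime * 60) {
    return { ok: false, reason: 'expired' };
  }
  if (cfg.oneTimeKey && record.used) {
    return { ok: false, reason: 'key already used' };
  }
  record.used = true;
  return { ok: true, reason: null };
}

// Constructed timeline: one key issued at t=0 and submitted four times.
function demo() {
  const store = new Map();
  issueKey(store, 'abcdefg1234567', 0);
  return [1000, 5000, 6000, 61 * 60 * 1000].map(
    (t) => validateKey(store, 'abcdefg1234567', t).reason
  );
}
console.log(demo());
```

With One Time Key disabled in this model, the third submission would pass, which is the trade-off the setting describes for high traffic sites.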

Excluded URI Patterns

The URI patterns to exclude from validation.

URI patterns use PCRE regular expressions. Below are some common use cases. You can reference the full syntax here.

  • . Matches any character
  • .* Matches any character 0 or more times
  • .+ Matches any character 1 or more times
  • \d{4} Matches any four digits
  • \w Matches any word character
  • entries Matches anything containing “entries”
  • ^entries Matches anything beginning with “entries”
  • ^entries/entry$ Matches exact URI
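Because every excluded URI skips validation, it is worth checking which URIs a pattern really matches before saving it. The following is an added example, not part of the plugin: it uses JavaScript's RegExp as a stand-in for PCRE (the constructs listed above behave the same in both), assumes patterns are tested unanchored against the URI without a leading slash as the list implies, and runs over constructed URIs.

```javascript
// Added example, not part of the plugin. JavaScript's RegExp stands in for
// PCRE here; the constructs used behave the same in both. Assumes patterns
// are tested unanchored against the URI without a leading slash.
function excludedUris(patterns, uris) {
  const regexes = patterns.map((p) => new RegExp(p));
  return uris.filter((uri) => regexes.some((re) => re.test(uri)));
}

// URIs that lose validation although they were not meant to be excluded.
function unintendedExclusions(patterns, uris, intended) {
  return excludedUris(patterns, uris).filter((uri) => !intended.includes(uri));
}

// Constructed URIs for a site where only entries/entry should be excluded.
const SAMPLE_URIS = [
  'entries', 'entries/entry', 'entries/entry/edit', 'blog/entries',
  'webhooks/2024/payment', 'contact',
];

function demoExclusions() {
  const intended = ['entries/entry'];
  return {
    loose: unintendedExclusions(['entries'], SAMPLE_URIS, intended),
    prefix: unintendedExclusions(['^entries'], SAMPLE_URIS, intended),
    exact: unintendedExclusions(['^entries/entry$'], SAMPLE_URIS, intended),
    year: excludedUris(['^webhooks/\\d{4}/'], SAMPLE_URIS),
  };
}
console.log(demoExclusions());
```

Only the fully anchored pattern excludes the intended URI and nothing else; the unanchored and prefix forms also switch off validation for neighbouring URIs.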

Blacklist

IP addresses to blacklist from all form submissions.

Config Settings

Snaptcha comes with a config file for a multi-environment way to set the plugin settings. To use it, copy the config.php to your project’s main config directory as snaptcha.php and uncomment any settings you wish to change.

AJAX Requests

If you are working with AJAX requests then you can get the field name and a value using a GET request.

// Gets the name of the field
fetch('/actions/snaptcha/field/get-field-name')
    .then(result => { return result.text(); })
    .then(result => { console.log(result); });
    // snaptcha

// Gets a field value
fetch('/actions/snaptcha/field/get-field-value')
    .then(result => { return result.text(); })
    .then(result => { console.log(result); });
    // abcdefg1234567

// Gets a raw input field
fetch('/actions/snaptcha/field/get-field')
    .then(result => { return result.text(); })
    .then(result => { console.log(result); });
    // <input type="hidden" name="snaptcha" value="abcdefg1234567">

// Gets a field in JSON format
fetch('/actions/snaptcha/field/get-field', {
    headers: {
        Accept: 'application/json'
    }
})
    .then(result => { return result.json(); })
    .then(result => { console.log(result); });
    // {name: "snaptcha", value: "abcdefg1234567"}

For security reasons, passing in configuration values is not allowed using controller actions. 

If you are using Blitz to statically cache your pages then you can use its getUri tag together with the get-field controller action to dynamically inject the input field into your forms.

{# Dynamically fetches and outputs a hidden input field #}
{{ craft.blitz.getUri('/actions/snaptcha/field/get-field') }}

You can validate a field value using an AJAX request as follows.

// Validates a field value
fetch('/actions/snaptcha/field/validate-field-value?value=abcdefg1234567')
    .then(result => { return result.text(); })
    .then(result => { console.log(result); });
    // `success` or an error message

// Validates a field value with a result in JSON format
fetch('/actions/snaptcha/field/validate-field-value?value=abcdefg1234567', {
    headers: {
        Accept: 'application/json'
    }
})
    .then(result => { return result.json(); })
    .then(result => { console.log(result); });
    // `{success: true}` or `{error: "The error message."}`

Disabling Validation

Validation can be disabled by specifying URI patterns to exclude. Adding a property called $enableSnaptchaValidation to any controller class and setting it to false will disable validation when the actions in that class are called.

class WebhookController extends Controller
{
    /** @var bool Disable Snaptcha validation */
    public $enableSnaptchaValidation = false;
}

Testing Snaptcha

If you want to test or see how Snaptcha works on your site then navigate to one of your forms, open your browser’s inspector and delete the input field that Snaptcha inserted. It will usually be inside your form’s markup and will have an ID that begins with the prefix in your extension settings (snaptcha by default). After deleting the input field, submit the form and the error message from your plugin settings should appear.