Some endpoints may require captchas to proceed, in order to slow down automated malicious traffic. Legitimate users might also be affected, based on the frequency of write requests or due to certain endpoints being particularly sensitive to malicious use, such as user signup.
Once an endpoint decides that a captcha needs to be solved, a 403 Forbidden response will be returned, with the error code
The sitekey needed for reCAPTCHA to function is provided both in the X-Captcha-Sitekey header field and in the error context, specified as
The captcha result of the client can either be passed into the repeated original request with the X-Captcha-Result header or alternatively to the POST /captcha/solve endpoint.
The time a solved captcha is remembered varies across different endpoints and can also be influenced by individual client behavior.
Authentication is not required for the POST /captcha/solve endpoint; captchas are tracked both by client IP and by logged-in user ID.
If you are logged in, send the session token along so that the captcha is validated for your client IP and your user ID at the same time. This is recommended but not required.
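The retry path described above (repeat the original request with X-Captcha-Result) can be handled in one place in a client. The following is an added example, not code from the API's own project. The Request and Response types, the send and solve callables, and the use of an Authorization header to carry the session token are assumptions for illustration. It recognises a challenge by the 403 status together with the X-Captcha-Sitekey header, so a plain 403 is not mistaken for a captcha.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Request:  # hypothetical minimal request type
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[bytes] = None


@dataclass
class Response:  # hypothetical minimal response type
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def captcha_sitekey(resp: Response) -> Optional[str]:
    """Return the sitekey if resp is a captcha challenge, else None."""
    if resp.status != 403:
        return None
    # HTTP header names are case-insensitive.
    for name, value in resp.headers.items():
        if name.lower() == "x-captcha-sitekey" and value:
            return value
    return None  # a 403 without a sitekey is an ordinary refusal


def send_with_captcha(
    send: Callable[[Request], Response],
    request: Request,
    solve: Callable[[str], Optional[str]],
) -> Response:
    """Send request; on a captcha challenge, repeat it once with the result.

    solve(sitekey) shows the captcha to the user and returns the result,
    or None if the user gave up.
    """
    first = send(request)
    sitekey = captcha_sitekey(first)
    if sitekey is None:
        return first
    result = solve(sitekey)
    if not result:
        return first
    # Copy the original headers so a session token (assumed to travel in
    # Authorization) is resent: the solve then counts for IP and user id.
    headers = dict(request.headers)
    headers["X-Captcha-Result"] = result
    # Retry exactly once; a second 403 is returned to the caller as-is.
    return send(Request(request.method, request.path, headers, request.body))
```
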