Glossary

Action type An internal code that categorises an EU CAPTCHA event. Examples: ACC (accepted), VFC (challenge generated), BLK (blocked). Used in the Statistics API response.

Additional secret An extra secret key associated with a sitekey, in addition to the primary secret. Used for key rotation or multi-server setups. See Additional Secrets.

Bearer token A JSON Web Token (JWT) passed in the Authorization: Bearer <token> HTTP header to authenticate management API requests. Obtained by logging in via /login.

Block rate The percentage of total verification requests that were blocked. Calculated as blocked / (blocked + verified) × 100. Displayed as a percentage in the dashboard.

Bot An automated script or program that makes requests to a website, often to perform spam, credential stuffing, scraping, or fraud. EU CAPTCHA detects and blocks bot traffic.

CAPTCHA Completely Automated Public Turing test to tell Computers and Humans Apart. A challenge mechanism that distinguishes humans from automated bots. EU CAPTCHA uses invisible, cryptographic challenges — no image selection or text entry required.

EU CAPTCHA token A short-lived, single-use string generated by the EU CAPTCHA widget after a challenge passes. Submitted with a form and verified server-side. Also called a "response token".

Challenge The cryptographic computation performed by the EU CAPTCHA widget in the visitor's browser to prove they are human. Runs invisibly in the background.

Credential stuffing An attack where stolen username/password pairs are automatically tested against login forms. EU CAPTCHA's bot protection defends against this.

Dark mode An optional visual theme for the EU CAPTCHA widget that uses a dark colour scheme. Refer to the HTML integration guide for configuration details.

Domain A hostname (e.g. example.com) associated with a sitekey. The EU CAPTCHA service only accepts challenge requests from listed domains.

Fingerprinting Collecting characteristics of the visitor's browser and device environment (user agent, screen resolution, installed fonts, etc.) to identify bots. EU CAPTCHA uses advanced fingerprinting as part of its risk analysis.

Free plan The no-cost subscription tier. Includes a limited monthly verification quota.

GDPR General Data Protection Regulation — EU data protection law. EU CAPTCHA is designed to be compatible with GDPR requirements.

JWT (JSON Web Token) An encoded token used to authenticate API requests. Contains the user's identity and an expiry timestamp. See API Authentication.

Organisation A group of EU CAPTCHA user accounts managed together. Enterprise feature. See Organization Management.

Owner The highest permission level for a sitekey. The user who created the sitekey is always the owner. Owners can delete the sitekey and manage permissions. See Permissions.

Passkey A credential stored on the user's device (using the WebAuthn/FIDO2 standard) that enables passwordless login. See Passkeys.

Permission The level of access a user has to a sitekey: owner, write, read, or none. See Permissions.

postMessage A browser API for communication between a parent page and an embedded <iframe>. Used in EU CAPTCHA's Quick Setup iframe mode.

Quick Setup An embedded onboarding flow that runs inside an <iframe>, designed for CMS plugins and platform integrations. See Quick Setup.

Secret key A private key associated with a sitekey, used to verify EU CAPTCHA tokens server-side. Must not be exposed in frontend code. Found in the sitekey's Details tab.

Sitekey A configuration object that represents one website or integration point. Contains the public sitekey identifier, secret key, and permissions. The domain is set at creation and identifies which site the sitekey belongs to. See Sitekeys.

Sitekey identifier The public string used in the data-sitekey attribute of the widget. Safe to include in frontend HTML.

Spam Unwanted or automated form submissions, typically for advertising or phishing. EU CAPTCHA's challenge prevents bots from submitting forms.

Stripe The third-party payment processor used for EU CAPTCHA subscriptions. Card details are stored securely by Stripe, not by EU CAPTCHA.

TOTP (Time-based One-Time Password) A 6-digit code generated by an authenticator app, refreshed every 30 seconds. Used for two-factor authentication. See Two-Factor Authentication.

Token See EU CAPTCHA token.

Two-factor authentication (2FA) An additional login step requiring a code from an authenticator app after entering email and password. See Two-Factor Authentication.

Verification The server-side process of confirming that an EU CAPTCHA token is valid. Performed by sending the token and secret key to the EU CAPTCHA verification API.

WebAuthn A W3C standard (Web Authentication) that enables secure, passwordless authentication using hardware authenticators (fingerprint readers, Face ID, security keys). The foundation of passkeys. See Passkeys.

Widget The EU CAPTCHA UI element embedded on a webpage. Rendered as a <div class="eu-captcha" data-sitekey="...">. Runs the challenge automatically and displays a small Myra logo on completion.