Recent Changes

This page lists notable additions and improvements to the EU CAPTCHA platform. It covers both the widget and integration libraries, the management dashboard, and account features. Changes appear here when they affect how you use or integrate EU CAPTCHA — not every internal fix is listed.

Widget and integration

  • New: Caddy HTTP middleware — Caddy module (http.handlers.eu_captcha) that gates any route behind EU CAPTCHA without a CrowdSec dependency. Visitors who have not yet passed the challenge are redirected to a built-in challenge page; a signed session cookie grants access for the configured grace period (default 1 hour). Configured via a eu_captcha Caddyfile block or JSON. Build with xcaddy --with github.com/Myra-Security-GmbH/eu-captcha-caddy.

  • New: Traefik plugin — EU CAPTCHA support in the crowdsec-bouncer-traefik-plugin Traefik middleware. Set captchaProvider: eucaptcha to serve the EU CAPTCHA challenge for IPs with a CrowdSec captcha decision; ban decisions return 403. Supports Traefik v2.9+ and v3; configured via static/dynamic YAML or Docker labels.

  • New: CrowdSec Bouncer — standalone Go reverse proxy that integrates CrowdSec with EU CAPTCHA. IPs flagged with a captcha decision are challenged with the EU CAPTCHA widget before access is granted; ban decisions receive a 403. Sessions are tracked with HMAC-signed cookies. Available for Linux, macOS, and Windows; build from source or download a pre-built binary.

  • New: Android SDK — native Android library (eu.eucaptcha.android:eu-captcha-android) for integrating EU CAPTCHA into Android apps. Supports Android 4.1+, Kotlin and Java, Jetpack Compose, light/dark/auto themes, and device language detection.

  • New: iOS SDK — native iOS library for integrating EU CAPTCHA into iOS apps. Available via Swift Package Manager. Supports iOS 13+, light/dark/auto themes, and device language detection.

  • New: Flutter — cross-platform Flutter widget for Android and iOS. Integrates via a git dependency and provides a StatefulWidget API with onComplete, onExpire, and onError callbacks.

  • New: data-height attribute and height prop — control the height of the widget iframe in pixels. Use data-height on the HTML element for the vanilla JS integration. The height prop is available on the React (@myrasec/eu-captcha), Vue (@myrasec/eu-captcha-vue), and Angular (@myrasec/eu-captcha-angular19 / angular20 / angular21) components. Defaults to 100.

  • Revamped: Documentation — the documentation site has been fully revamped with new structure, guides, and examples.

  • New: @myrasec/eu-captcha-angular19, @myrasec/eu-captcha-angular20, @myrasec/eu-captcha-angular21 — version-specific Angular packages replacing the former @myrasec/eu-captcha-angular. Install the package matching your Angular version. All three share the same API: supports standalone components and NgModule-based apps; provides sitekey, theme, width, widgetId, and autostart inputs, and completed, expired, and error outputs. See Angular.

  • New: @myrasec/eu-captcha-svelte — official Svelte component for EU CAPTCHA. Supports Svelte and SvelteKit; provides sitekey, theme, width, height, widgetId, and autostart props, and onComplete, onExpired, and onError callbacks. See Svelte.

  • Updated: @myrasec/eu-captcha-vue — adds widgetId, autostart, onComplete, onExpired, and onError props to the Vue component. See Vue 3 / Nuxt.

  • Updated: @myrasec/eu-captcha — adds widgetId, autostart, onComplete, onExpired, and onError props to the React component. See React.

  • New: Other SPA frameworks — loadEuCaptcha() from @myrasec/eu-captcha enables programmatic widget loading for frameworks without a dedicated package (SolidJS, etc.). Includes isEuCaptchaDone() for submit-gate checks and a euCaptchaDone window message for reactive state updates.

  • New: data-autostart attribute — set to "false" to suppress the automatic challenge and trigger it manually with euCaptcha.execute(widgetId). Useful for forms where you want to delay verification until the user clicks a button, or when the widget is not immediately visible. See JavaScript API.

  • New: data-widgetid attribute — assign a stable, custom ID to a widget instance instead of relying on the auto-generated eucaptcha-0, eucaptcha-1, … names. Makes euCaptcha.execute() calls predictable across page renders. See JavaScript API.

  • New: euCaptcha.execute(widgetId) — programmatic API to start the challenge on a specific widget. Intended for use with data-autostart="false". See JavaScript API.

  • New: callback attributes — data-callback, data-expired-callback, and data-error-callback let you register global function names directly on the widget element. The completion callback receives the encoded token as its argument. The expiry callback fires 60 minutes after a successful verification. See JavaScript API.

  • New: WordPress plugin — official plugin with Quick Setup integration; installs in under a minute. Supports WordPress Login, Registration, Comments, Contact Form 7, Ninja Forms, WooCommerce Checkout, and WPForms. See WordPress Plugin.

  • New: Joomla! plugin — official plugin package (pkg_eucaptcha) with Quick Setup integration for Joomla! 4, 5, and 6. Hooks into Joomla's standard captcha API so any form with a captcha field is protected automatically. Supports User Registration, Password Reset, Contact Component, and any third-party component that renders a standard captcha field. See Joomla! Plugin.

  • New: Drupal module — official module with Quick Setup integration for Drupal 10 and 11. Supports User Login, Registration, Password Reset, Comments, core Contact Forms, Webform submissions, and Node forms. See Drupal Module.

  • New: PHP module — myra-security-gmbh/eu-captcha Composer package for server-side token verification. Supports PHP 5+; provides a result object that separates network failures from token failures. Includes Symfony and Laravel examples.

  • New: Python module — myra-eucaptcha PyPI package for server-side token verification. Offers both synchronous and async (avalidate) APIs, configurable timeouts, and fail-open/fail-closed fault tolerance. Works with FastAPI, Flask, and any Python framework.

  • New: Django module — myra-eucaptcha-django package that adds EU CAPTCHA as a native Django form field and widget. Credentials are managed through the Django admin or settings.py; server-side verification runs automatically on form.is_valid(). Supports multiple named configurations and per-form overrides.

  • New: Ruby gem — eu_captcha RubyGems package for server-side token verification. No runtime dependencies (uses Ruby's built-in net/http); provides a result object that separates network failures from token failures with success?, success_network?, and success_token?. Supports automatic IP and User-Agent resolution from Rack environments. Includes Rails and Sinatra integration examples.

  • Updated: Java client — all three variants are now published to Maven Central (com.myrasec) and can be added as a standard dependency without building from source. Variants renamed to eu-captcha-java-resttemplate, eu-captcha-java-webflux-boot2, and eu-captcha-java-webflux-boot3. The java-resttemplate variant now targets Spring Framework 6 / Java 17. A new isTrainingMode() helper on VerifyResponse makes it easier to detect misconfigured credentials. The webflux variants return Mono<VerifyResponse> for reactive composition.

  • New: OpenAPI generator guide — the EU CAPTCHA verification API is described by an OpenAPI 3.1 spec at https://docs-api.eu-captcha.eu/openapi.yaml. Use openapi-generator-cli to generate a native client in any supported language (TypeScript, Go, Ruby, C#, Kotlin, and more).

  • New: Quick Setup iframe mode — embed the EU CAPTCHA registration and sitekey creation flow in an <iframe> for CMS plugins and control panels. On completion the iframe sends a eu-captcha-quicksetup postMessage to the parent page containing the new sitekey and secret.

  • New: widget language support — the challenge iframe now detects the visitor's browser locale and displays status text in the matching language. Over 100 languages are supported.
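
The Quick Setup iframe mode item above delivers a sitekey and a secret to the parent page via postMessage, so the receiving handler has to check who sent the message before using it. The following is an added example, not code from the EU CAPTCHA project: the payload shape { type, sitekey, secret }, the placeholder origin, and the saveCredentials callback are assumptions; only the eu-captcha-quicksetup message name comes from this page.

```javascript
// Added example: receiving the Quick Setup result in the parent page.
// Assumptions (not from the EU CAPTCHA docs): the payload is an object shaped
// { type, sitekey, secret }, and QUICKSETUP_ORIGIN is a placeholder value.
const QUICKSETUP_ORIGIN = 'https://quicksetup.example'; // placeholder origin
const MESSAGE_TYPE = 'eu-captcha-quicksetup';           // name given on this page

// Returns { sitekey, secret } for a trusted, well-formed message, otherwise null.
function readQuickSetupMessage(event, iframeWindow, allowedOrigin = QUICKSETUP_ORIGIN) {
  // 1. Origin must match exactly; prefix or substring checks can be bypassed.
  if (event.origin !== allowedOrigin) return null;
  // 2. The sender must be the iframe we embedded, not another frame or popup.
  if (event.source !== iframeWindow) return null;
  // 3. Accept only the expected message type carrying bounded string fields.
  const data = event.data;
  if (data === null || typeof data !== 'object' || data.type !== MESSAGE_TYPE) return null;
  const { sitekey, secret } = data;
  const isToken = (v) => typeof v === 'string' && v.length > 0 && v.length <= 512;
  if (!isToken(sitekey) || !isToken(secret)) return null;
  return { sitekey, secret };
}

// Browser wiring. saveCredentials is a hypothetical callback that should send
// the values to the server; the secret is never written to the DOM,
// localStorage, or the console.
function attachQuickSetupListener(iframe, saveCredentials) {
  const handler = (event) => {
    const creds = readQuickSetupMessage(event, iframe.contentWindow);
    if (!creds) return; // ignore unrelated or untrusted messages
    window.removeEventListener('message', handler); // accept one result only
    saveCredentials(creds);
  };
  window.addEventListener('message', handler);
  return handler;
}
```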

Platform and dashboard

Account and security

  • New: two-factor authentication (TOTP) — secure your account with a TOTP authenticator app. Passkeys can be used as a bypass method. See Two-Factor Authentication.

  • New: Passkey login (WebAuthn) — log in with a passkey instead of a password. See Passkeys.

  • New: social and SSO login — GitHub, Google, Apple, SAML, and Okta OIDC authentication are supported. See Social Login Providers.

  • New: email verification via one-time code — new accounts and new email addresses are verified with a one-time code rather than a confirmation link.

  • New: sign-in location notifications — an email notification is sent when a sign-in occurs from a new location.

  • New: Country, Location, and AS columns in login history — the login history table (Account → Logins) now shows geographic location and autonomous system data for each sign-in.

  • New: user locale detection — account locale is pre-filled from Google and Okta profile data on first login.

Organisation management

  • New: Organisation Admin role — a dedicated admin role for managing members and settings within an organisation. See Organisation Management.

  • New: Organisation invites — invite users to an organisation by email. See Organisation Management.

  • New: SAML configuration for Organisations — organisations can configure a SAML identity provider for single sign-on. See Organisation Management.

  • New: sitekey permissions — grant access to a sitekey to multiple accounts with configurable permission levels. See Permissions.