Download the PHP package captchaapi/laravel without Composer

On this page you can find all versions of the php package captchaapi/laravel. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Example code of captchaapi/laravel

Informations about the package laravel

captchaapi/laravel

Latest Version on Packagist Total Downloads Tests

Official Laravel SDK for captchaapi.eu — EU-hosted, GDPR-compliant proof-of-work CAPTCHA. Drop-in Blade component, validation rule, and Livewire trait. No cookies, no tracking, no Google.

Why captchaapi.eu

Requirements

Installation

Publish the config file:

Set the credentials in .env:

Get your keys from the project dashboard.

Usage

Plain HTML form

In your layout's <head> (renders the widget script and pushes config to window.CAPTCHA_*):

In your form, add data-captcha:

In your validation:

Or via the string alias:

Livewire

In your layout (same as above):

In your Livewire component:

validateWithCaptcha() is sugar for $this->validate(array_merge($rules, $this->rulesForCaptcha())). If you need to compose validateOnly() flows yourself, rulesForCaptcha() is still public.

In the component view, use the Livewire-aware form wrapper:

The wrapper sets data-captcha-mode="event", includes the hidden attestation input, and dispatches to your Livewire register method once the attestation arrives.

Status element styling

Place a <div data-captcha-status></div> anywhere inside (or near) your form to show the widget's current state to your users. Six states exist (waiting, idle, solving, ready, error, rate_limited), each rendered as an icon + a localised message. The widget sets data-captcha-state="…" on the element so you can target each state with CSS.

The status element is opt-in. A form without a [data-captcha-status] child runs silently — submission still works, only the visible signal is absent. There is no auto-injection.

Default colors

The widget injects a low-specificity stylesheet on first use that applies sensible default colors per state:

State Default color
waiting #6b7280 grey
idle #6b7280 grey
solving #6b7280 grey
ready #059669 emerald
error #dc2626 red
rate_limited #d97706 amber

You don't have to write any CSS to get those colors. They appear automatically on every [data-captcha-status] element the widget finds.

Override one state

Write a higher-specificity rule (two attribute selectors instead of one). The customer rule wins regardless of cascade order — no !important needed:

Take over completely (Tailwind / design system)

Add data-captcha-no-color to suppress the widget's default stylesheet entirely. Your own classes / CSS apply cleanly:

Note that waiting and ready share the shield icon and would be visually identical without color. If you opt out of the widget defaults, supply per-state colors in your own CSS so the two stay distinguishable.

Configuration reference

Config key ENV variable Default Purpose
site_key CAPTCHAAPI_SITE_KEY null Public site key from the dashboard. Required for widget rendering.
secret_keys CAPTCHAAPI_SECRET_KEYS [] Comma-separated HMAC secrets. Multi-value enables zero-downtime rotation.
base_url CAPTCHAAPI_BASE_URL null Override the API origin. Use only when self-hosting / proxying.
locale CAPTCHAAPI_LOCALE null Force widget language (en, de, cs, …). Falls back to <html lang> then en.
preload CAPTCHAAPI_PRELOAD lazy lazy waits for first form interaction; eager fires the challenge on page load.
debug CAPTCHAAPI_DEBUG false Log timing breakdown in the browser console.
mode CAPTCHAAPI_MODE null submit (native form POST) or event (CustomEvent for Livewire/SPA).
replay_protection CAPTCHAAPI_REPLAY_PROTECTION true Cache each attestation jti and reject duplicates within its TTL window.
cache_prefix captchaapi:jti: Prefix for cached jtis. Change only on collision with another package.
clock_skew_leeway CAPTCHAAPI_CLOCK_SKEW_LEEWAY 60 Seconds an attestation's iat may sit in the future before it is rejected.

Secret key rotation

The package accepts any matching secret in CAPTCHAAPI_SECRET_KEYS (a comma-separated list). Rotation has four steps:

  1. In the dashboard, click Rotate secret key — generates a new key in the pending state. Your backend keeps signing with the current key.

  2. Add the pending key alongside the current one in your .env:

    Deploy.

  3. In the dashboard, click Activate pending key. The backend now signs with the new key; your app accepts both during the handover.
  4. Drop the old key on the next deploy.

For suspected-compromise scenarios, use the dashboard's Revoke immediately — replaces the key in one step and skips the pending phase. Briefly accepts no attestations until you deploy the new key.

Replay protection

By default the validation rule caches each accepted attestation's jti (unique identifier in the payload) for the remainder of its TTL. A captured-in-transit attestation can therefore be submitted only once, even within its 5-minute validity window.

This requires a working cache driver (the application's default cache via Cache::store()). Disable in config/captchaapi.php if your cache is unreliable or unavailable:

Use Redis, Memcached, or the database cache driver in production. The file and array drivers don't have an atomic Cache::add(), so concurrent submissions can race past the replay check.

Testing

In feature tests, enable fake mode so ValidCaptcha accepts any input without requiring you to mint real attestations:

The fake state is stored on the Captchaapi singleton — it does not persist across requests in production code.

Security

If you discover a security vulnerability, please do not open a public GitHub issue. Use GitHub's private vulnerability reporting so we can coordinate a fix before details become public.

Contributing

Bug reports and feature requests welcome at github.com/captchaapi/laravel/issues.

For development:

License

MIT — see LICENSE.

All versions of laravel with dependencies

PHP Build Version
Package Version
Requires php Version ^8.2
illuminate/cache Version ^11.0|^12.0|^13.0
illuminate/contracts Version ^11.0|^12.0|^13.0
illuminate/support Version ^11.0|^12.0|^13.0
illuminate/validation Version ^11.0|^12.0|^13.0
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package captchaapi/laravel contains the following files

Loading the files please wait ...