Login
Free Trial

CAPTCHA Plugin for Keycloak – GDPR-compliant, no cookies, EU-hosted

Powerful spam protection and easy integration.

Stop unwanted bot traffic in a few simple steps

Keep your Keycloak application safe from spam and bot traffic with our powerful, easy-to-integrate captcha solution: Fully configurable, GDPR-compliant and focused on ensuring the best possible user experience, puzzle-solving and box-ticking are a thing of the past. Get the captcha plugin for Keycloak now!

Get the Plugin

Unlike Keycloak’s built-in reCAPTCHA, captcha.eu transfers no data to the US, sets no cookies, and requires no consent banner on your login or registration pages. Keycloak is the identity and access management platform of choice for European enterprises, public authorities, and organisations that need fine-grained control over authentication flows. It is open-source, self-hostable, and precisely for that reason widely deployed by teams for whom GDPR compliance is non-negotiable. The problem is that Keycloak’s native CAPTCHA integration relies on Google reCAPTCHA, a US-based service that sets tracking cookies, transfers behavioural data to Google servers, and requires a cookie consent mechanism on every protected flow. captcha.eu replaces reCAPTCHA inside Keycloak without any of that overhead. It is hosted entirely in Austria, processes no data outside the EU, runs invisibly in the background for legitimate users, and holds WACA Silver certification from TÜV Austria for independently verified WCAG 2.2 AA accessibility compliance. It protects browser login, registration and reset credential flows, which are the three authentication entry points most targeted by credential stuffing and bot-driven account takeover.

How to add a captcha to Keycloak

Maximum protection, maximum privacy: With the captcha.eu plugin, safeguarding your Keycloak application against spam bots and unwanted traffic has never been easier. Our sleek and powerful captcha solution ensures a high level of security across logins, registration and reset credentials – and is fully compliant with all EU data privacy rules and regulations. Here’s how to set up captcha.eu plugin in a few simple steps:

1

Download the Keycloak captcha extension and add target/keycloak-captcha.jar into the extension folder. Restart Keycloak.

2

Next, configure the authentication flows. Captcha.eu supports the following parts/flows:

  • Browser (login)
  • Registration
  • Reset Credentials


How to enable captcha for Keycloak Browser Login

1

Go to Authentication and select “browser“. Then make a duplicate by clicking Action > Duplicate.

2

Delete the execution “Username Password Form”.

3

Click “Add New Step” in “browser forms”. Browse and select “captcha.eu: Username Password Form“.

4

To configure the plugin, click settings and copy-paste the Rest Key and Public Key from your captcha.eu Dashboard into the relevant fields. Click “Save” when you’re done. Then bind the flow to the prod one by clicking “Action” and selecting “Bind flow” from the dropdown menu.

4

Now all that’s left to do is to enable the frontend code. You can do this by adding the snippet below to your existing login.ftl right after the </form> closing tag. Alternatively, you can use the theme that comes with the captcha.eu extension source code, located in /theme/captcha.

<#if captchaEnabled ??>
    <script
        var CaptchaDOMReady = function (callback) {
          document.readyState === "interactive" || document.readyState === "complete"
            ? callback()
            : document.addEventListener("DOMContentLoaded", callback);
        };
        CaptchaDOMReady(function() {
            KROT.setup("${captchaEUPublicKey}");
            var f = document.getElementById("kc-form-login");
            KROT.interceptForm(f);
        });
    </script>
</#if>

How to enable captcha for Keycloak Registration & Sign-ups

1

Go to Authentication and select “registration“. Make a duplicate by clicking Action > Duplicate.

2

Delete the “Recaptcha” element and click “Add New Step“. Browse and select “captcha.eu: Registration“. Then change the value to “required“.

3

To configure the plugin, click settings and copy-paste the Rest Key and Public Key from your captcha.eu Dashboard into the relevant fields. Click “Save” when you’re done. Then bind the flow to the prod one by clicking “Action” and selecting “Bind flow” from the dropdown menu.

4

Now all that’s left to do is to enable the frontend code. You can do this by adding the snippet below to your existing register.ftl right after the </form> closing tag. Alternatively, you can use the theme that comes with the captcha.eu extension source code, located in /theme/captcha.

<#if captchaEnabled ??>
    <script>
        var CaptchaDOMReady = function (callback) {
            document.readyState === "interactive" || document.readyState === "complete"
                ? callback()
                : document.addEventListener("DOMContentLoaded", callback);
        };
        CaptchaDOMReady(function() {
            KROT.setup("${captchaEUPublicKey}");
            var f = document.getElementById("kc-register-form");
            KROT.interceptForm(f);
        });
    </script>
</#if>

How to enable captcha for Reset Credentials

1

Go to Authentication and select “reset credentials“. Make a duplicate by clicking Action > Duplicate.

2

Delete the “Choose User” element and click “Add New Step“. Browse and select “captcha.eu: Choose User“.

3

To configure the plugin, click settings and copy-paste the Rest Key and Public Key from your captcha.eu Dashboard into the relevant fields. Click “Save” when you’re done. Then bind the flow to the prod one by clicking “Action” and selecting “Bind flow” from the dropdown menu.

4

Now all that’s left to do is to enable the frontend code. You can do this by adding the snippet below to your existing login-reset-password.ftl right after the </form> closing tag. Alternatively, you can use the theme that comes with the captcha.eu extension source code, located in /theme/captcha.

<#if captchaEnabled ??>
    <script>
        var CaptchaDOMReady = function (callback) {
            document.readyState === "interactive" || document.readyState === "complete"
                ? callback()
                : document.addEventListener("DOMContentLoaded", callback);
        };
        CaptchaDOMReady(function() {
            KROT.setup("${captchaEUPublicKey}");
            var f = document.getElementById("kc-reset-password-form");
            KROT.interceptForm(f);
        });
    </script>
</#if>

That’s it! Your Keycloak captcha plugin is all set up and ready to use. Got any questions or issues setting up the plugin? Our detailed documentation is right at hand to guide you through the installation process. Or get in touch directly with us via our contact form for added support.

Enjoy maximum protection for your authentication flows without compromising on user experience: Our sleek and powerful captcha plugin for Keycloak is the ultimate solution for effectively safeguarding your browser login, reset credentials and registration forms against unwanted traffic and spam – no box-ticking and puzzle-solving required. Plus: it’s fully GDPR compliant, too!

Get the Plugin
en_USEnglish
de_DEGerman fr_FRFrench es_ESSpanish nl_NLDutch it_ITItalian en_USEnglish