We’ve migrated our documentation to a new site, which means some URLs have changed.
Subscriptions

Should I enable reCAPTCHA?

Identity Management supports two captcha providers: Cloudflare Turnstile and Google reCAPTCHA (v2 and v3). Both help protect your site from spam and abuse, including bot-driven registration and login attacks.

Cloudflare Turnstile is a privacy-friendly, mostly invisible alternative to traditional CAPTCHA that verifies users without requiring them to solve puzzles. For full setup details, see the Cloudflare Turnstile article.

For Google reCAPTCHA, Piano recommends v3. reCAPTCHA v3 detects abusive traffic without any user friction by returning a score based on interactions with your website, giving Piano the flexibility to block fraudulent bots from spamming account creation. If you are using Identity Management, this feature is built into the platform and can be enabled almost immediately. More information is available here.

We recommend enabling captcha protection as soon as you configure Piano, as there is little to no impact on the user experience for legitimate registrations and logins. Without it, your site is at risk of being flooded with bot-driven registration requests, which can take logins and registrations offline and directly impact revenue from new users.

Piano may automatically enable CAPTCHA protection on your application in response to fraud or a high number of failed authentication attempts. In such cases, Cloudflare Turnstile will be used by default, relying on Piano’s keys if no client keys are configured. The only exception applies to white-labeled applications, which must provide their own Cloudflare keys before Turnstile can be activated.

Note: Captcha is only supported for Identity Management.

Last updated: