Edit in GitHubLog an issue

Protected mutations

If CAPTCHA or reCAPTCHA is enabled on pages requiring shopper input, then in most cases, the corresponding mutations that send requests to the application server must include an HTTP header that contains a value entered by the shopper (for CAPTCHA) or generated by the Google API (for reCAPTCHA). These headers are generated by UI Web form widgets during interactions with the shopper. However, if you specify an integration authorization token in the header of the mutation, then you do not supply a header specific to CAPTCHA or reCAPTCHA.

Even when Adobe Commerce is used in a headless way, like with PWA, the merchant must have their own Web UI that renders the correct Captcha or reCAPTCHA web form widget, captures the proper X-Captcha or X-ReCaptcha HTTP header, and sends it in the API request in the background only.

The HTTP X-Captcha and X-ReCaptcha headers:

  • Cannot be received by an automated script or a non-UI API call. They are captured and returned by the UI Web form only.
  • Are optional in protected mutation API calls that provide integration authorization tokens only. They cannot be skipped when you provide an Admin or Bearer token.

CAPTCHA

The following table lists the forms that can be configured to require CAPTCHA. Go to Stores > Configuration > Customers > Customer Configuration > CAPTCHA > Forms to enable or disable CAPTCHA on these forms.

The mutation that corresponds to a CAPTCHA-enabled form must include the HTTP X-Captcha header, along with the text the shopper entered in response to the CAPTCHA challenge.

Form nameMutation
Add Gift Card Code
applyGiftCardToCart
Applying Coupon Code
applyCouponToCart
Change password
changeCustomerPassword
Checkout/Placing Order
setPaymentMethodOnCart, setPaymentMethodAndPlaceOrder
Contact Us
Not applicable
Create company
Not applicable
Create user
createCustomer
Forgot password
Not applicable
Login
generateCustomerToken
Payflow Pro
setPaymentMethodOnCart, setPaymentMethodAndPlaceOrder
Send to Friend Form
sendEmailToFriend
Share Wishlist Form
Not applicable

reCAPTCHA

The following table lists the forms and mutations that can be configured to require reCAPTCHA. Go to Stores > Configuration > Security > Google reCAPTCHA Storefront > Storefront to enable or disable reCAPTCHA on these forms and mutations. If reCAPTCHA is enabled, unless an integration token is provided, always specify the HTTP X-ReCaptcha header and the value generated by the Google API.

Field nameMutation
Enable for Customer Login
generateCustomerToken
Enable for Forgot Password
changeCustomerPassword
Enable for Create New Customer Account
createCustomer, createCustomerV2
Enable for Edit Customer Account
updateCustomer, updateCustomerV2
Enable for Contact Us
Not applicable
Enable for Product Review
createProductReview
Enable for Newsletter Subscription
subscribeEmailToNewsletter
Enable for Send To Friend
sendEmailToFriend
Enable for PayPal PayflowPro payment form
createPayflowProToken
Enable for Braintree payment form
Not applicable
Enable for Checkout/Placing Order
setPaymentMethodOnCart, setPaymentMethodAndPlaceOrder
Enable for Coupon Codes
applyCouponToCart
Enable for Resend Confirmation Email
resendConfirmationEmail

Construct a request

  • Privacy
  • Terms of Use
  • Do not sell or share my personal information
  • AdChoices
Copyright © 2024 Adobe. All rights reserved.