
Protected endpoints

If CAPTCHA or reCAPTCHA is enabled on pages requiring shopper input, then in most cases, the corresponding endpoints that send requests to the Adobe Commerce server must include an HTTP header that contains a value entered by the shopper (for CAPTCHA) or generated by the Google API (for reCAPTCHA). However, if you specify an integration authorization token in the header of the endpoint, then you do not supply a header specific to CAPTCHA or reCAPTCHA.

The HTTP X-Captcha and X-ReCaptcha headers:

  • Cannot be received by an automated script or a non-UI API call. They are captured and returned by the UI Web form only.
  • Are optional in protected mutation API calls that provide integration authorization tokens only. They cannot be skipped when you provide an Admin or Bearer token.


The following table lists the forms that can be configured to require CAPTCHA. Go to Stores > Configuration > Customers > Customer Configuration > CAPTCHA > Forms to enable or disable CAPTCHA on these forms.

The endpoint that corresponds to a CAPTCHA-enabled form must include the HTTP X-Captcha header, along with the text the shopper entered in response to the CAPTCHA challenge.

| Form name | REST endpoint |
| --- | --- |
| Add Gift Card Code | POST /V1/carts/mine/giftCards |
| | POST /V1/carts/guest-carts/:cartId/giftCards |
| Applying Coupon Code | PUT /V1/carts/:cartId/coupons/:couponCode |
| | PUT /V1/guest-carts/:cartId/coupons/:couponCode |
| Change password | PUT /V1/customers/me/password |
| Checkout/Placing Order | POST /V1/carts/mine/payment-information |
| | POST /V1/carts/mine/set-payment-information |
| | POST /V1/guest-carts/:cartId/payment-information |
| | POST /V1/guest-carts/:cartId/set-payment-information |
| Contact Us | Not applicable |
| Create company | POST /V1/company |
| Create user | POST /V1/customers |
| Forgot password | POST /V1/customers/resetPassword |
| | PUT /V1/customers/password |
| Login | POST /V1/integration/customer/token |
| Payflow Pro | Not applicable |
| Send to Friend Form | Not applicable |
| Share Wishlist Form | Not applicable |
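
As an added example (not Adobe Commerce code), this pre-flight check shows how a headless client or API test suite could decide whether a request to a CAPTCHA-protected endpoint is missing its X-Captcha header. It covers six forms from the table above; the `tokenType` labels, the `store.example` base URL and the skipping of any URL prefix before `/V1/` are assumptions of this example.

```javascript
// Added example, not Adobe Commerce code. Route templates are rows of the CAPTCHA table.
const CAPTCHA_FORMS = {
  'Add Gift Card Code': ['POST /V1/carts/mine/giftCards',
                         'POST /V1/carts/guest-carts/:cartId/giftCards'],
  'Applying Coupon Code': ['PUT /V1/carts/:cartId/coupons/:couponCode',
                           'PUT /V1/guest-carts/:cartId/coupons/:couponCode'],
  'Change password': ['PUT /V1/customers/me/password'],
  'Create user': ['POST /V1/customers'],
  'Forgot password': ['POST /V1/customers/resetPassword', 'PUT /V1/customers/password'],
  'Login': ['POST /V1/integration/customer/token'],
};

// ":param" matches exactly one path segment; literal segments are regex-escaped.
function templateToRegex(template) {
  const parts = template.split('/').map((seg) =>
    seg.startsWith(':') ? '[^/]+' : seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('/') + '$');
}

// Name of the enabled form that protects this request, or null.
function protectedForm(method, url, enabledForms) {
  const { pathname } = new URL(url, 'https://store.example'); // drops the query string
  const at = pathname.indexOf('/V1/'); // skip any prefix before /V1/ (assumption)
  if (at < 0) return null;
  const path = pathname.slice(at);
  for (const form of enabledForms) {
    for (const route of CAPTCHA_FORMS[form] || []) {
      const [verb, template] = route.split(' ');
      if (verb === method.toUpperCase() && templateToRegex(template).test(path)) return form;
    }
  }
  return null;
}

// req.tokenType is a label this example assumes: 'integration', 'admin', 'customer' or null.
// Returns null when the request is acceptable, else which form and header are unmet.
function missingChallenge(req, enabledForms) {
  const form = protectedForm(req.method, req.url, enabledForms);
  if (!form || req.tokenType === 'integration') return null; // integration tokens are exempt
  const hit = Object.entries(req.headers || {})
    .find(([name]) => name.toLowerCase() === 'x-captcha'); // header names are case-insensitive
  return hit && String(hit[1]).trim() ? null : { form, header: 'X-Captcha' };
}

// Constructed sample request: customer login with no CAPTCHA answer attached.
const enabled = ['Login', 'Create user', 'Applying Coupon Code'];
console.log(missingChallenge(
  { method: 'POST', url: '/rest/V1/integration/customer/token', headers: {}, tokenType: null },
  enabled));
```

The same check applies to the reCAPTCHA-protected endpoints by swapping the route table and the header name for X-ReCaptcha.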


The following table lists the forms that can be configured to require reCAPTCHA. Go to Stores > Configuration > Security > Google reCAPTCHA Storefront > Storefront to enable or disable reCAPTCHA on these forms. If reCAPTCHA is enabled, unless an integration token is provided, always specify the HTTP X-ReCaptcha header and the value generated by the Google API.

| Field name | Mutation |
| --- | --- |
| Enable for Customer Login | PUT /V1/integration/customer/token |
| Enable for Forgot Password | PUT /V1/customers/me/password |
| Enable for Create New Customer Account | POST /V1/customers |
| Enable for Edit Customer Account | PUT /V1/customers/me |
| Enable for Contact Us | Not applicable |
| Enable for Product Review | Not applicable |
| Enable for Newsletter Subscription | Not applicable |
| Enable for Send To Friend | Not applicable |
| Enable for PayPal PayflowPro payment form | Not applicable |
| Enable for Braintree payment form | Not applicable |
| Enable for Checkout/Placing Order | POST /V1/carts/mine/payment-information |
| | POST /V1/carts/mine/set-payment-information |
| | POST /V1/guest-carts/:cartId/payment-information |
| | POST /V1/guest-carts/:cartId/set-payment-information |
| Enable for Coupon Codes | PUT /V1/carts/:cartId/coupons/:couponCode |
| | PUT /V1/guest-carts/:cartId/coupons/:couponCode |

Related topics

Construct a request

Copyright © 2022 Adobe. All rights reserved.