Blockscout currently supports reCAPTCHA v2 in invisible mode. Previous frontend versions (v1.36.x) support v3, but moving forward we will only support v2.
reCAPTCHA from Google is a free service (with certain usage limits) designed to protect your site from spam and bots. It can be used in Blockscout to prevent bot activity related to CSV downloads and account validation. reCAPTCHA is turned on by default, but can be disabled by setting RE_CAPTCHA_DISABLED to true.

Obtain your keys

1) To use reCAPTCHA you will need a SITE KEY and SECRET KEY
  1. Go to https://www.google.com/recaptcha/admin/create, login to Google with an existing account, and fill in the following info: a. Label: Private label to identify the instance in your reCAPTCHA admin dashboard. b. reCAPTCHA type: Select Challenge (v2) and Invisible reCAPTCHA badge c. Domains: Enter your primary Blockscout domain, all associated subdomains will be covered. You can enter multiple domains, and also localhost for testing if needed. d. Submit
2) Copy your keys and use them with the following ENV variables to enable reCAPTCHA.
Backend ENV VariableGoogle reCAPTCHA key
RE_CAPTCHA_SECRET_KEYSECRET KEY
Frontend ENV VariableGoogle reCAPTCHA key
NEXT_PUBLIC_RE_CAPTCHA_APP_SITE_KEYSITE KEY
3) Add the keys to ENV variables to your .env file or at runtime for the backend and frontend containers. Backend container: 
$ export RE_CAPTCHA_SECRET_KEY=6Le...Qdo
Frontend container: 
$ export NEXT_PUBLIC_RE_CAPTCHA_APP_SITE_KEY=6L...IU
Once setup, you can view and update your reCAPTCHA settings on the Google admin dashboard at https://www.google.com/recaptcha/admin

Additional reCAPTCHA ENV info

  • Backend reCAPTCHA ENVs are located in the Backend ENVs: Common page in the CSV exports section.
  • Frontend reCAPTCHA ENVs are located on the Frontend ENVs: Common -> ENVs page in the External Services section.
  • Disable reCAPTCHA by setting RE_CAPTCHA_DISABLED to true
  • Disable checking reCAPTCHA domain names by setting RE_CAPTCHA_CHECK_HOSTNAME to false. This will bypass checking the hostname info added during reCAPTCHA setup in Google. ****More info on domains.