Skip to content
TrustComponent Docs

Echo CAPTCHA Integration

This recipe shows how to integrate TrustCaptcha into an Echo application. The frontend setup is the same as for any other Go application — this page focuses on the server-side validation.

The setup section gets you to a working integration in three small steps using a handler function directly. Below it, an optional refactor section shows the more reusable Echo-idiomatic approach (a custom middleware).

Preparation

Section titled “Preparation”

You should have already completed the following steps before you wire TrustCaptcha into your Echo application.

  1. Read Get-Started: Get a quick overview of the concepts behind TrustCaptcha and the integration process in get started.

  2. Existing CAPTCHA: If you don’t have a CAPTCHA yet, sign in or create a new user account. Then create a new CAPTCHA.

Setup

Section titled “Setup”

1. Embed the frontend widget

Section titled “1. Embed the frontend widget”

First, add the TrustCaptcha script to your page (see the JavaScript Guide for version pinning and self-hosting options).

Then place the <trustcaptcha-component> element inside your form. The widget appends a hidden tc-verification-token field on submit, which your Echo handler receives like any other form input.

<script type="module" src="https://cdn.trustcomponent.com/trustcaptcha/3.0.x/trustcaptcha.esm.min.js"></script>


<form method="post" action="/contact">
    <label>Email</label>
    <input type="email" name="email" required>


    <trustcaptcha-component sitekey="<your_site_key>"></trustcaptcha-component>


    <button type="submit">Send</button>
</form>

See the Widget Overview for the full property reference.

2. Install the Go SDK

Section titled “2. Install the Go SDK”
Terminal window
go get github.com/labstack/echo/v4
go get github.com/trustcomponent/trustcaptcha-go/v3@v3.0.0

3. Validate the token in your handler

Section titled “3. Validate the token in your handler”
main.go
package main


import (
    "net/http"


    "github.com/labstack/echo/v4"
    "github.com/trustcomponent/trustcaptcha-go/v3"
)


func main() {
    e := echo.New()


    e.POST("/contact", func(c echo.Context) error {
        // In production, load from env: os.Getenv("TRUSTCAPTCHA_API_KEY")
        apiKey := "<your_api_key>"
        token := c.FormValue("tc-verification-token")


        result, err := trustcaptcha.GetVerificationResult(apiKey, token)
        if err != nil {
            return c.String(http.StatusBadRequest, "CAPTCHA verification failed.")
        }


        if !result.VerificationPassed || result.Score > 0.5 {
            return c.String(http.StatusBadRequest, "CAPTCHA verification failed.")
        }


        // CAPTCHA passed — request data is safe to use.
        // ... your business logic ...


        return c.String(http.StatusOK, "Thanks!")
    })


    e.Logger.Fatal(e.Start(":8080"))
}

That’s it — the form is now protected. For real deployments, move the API key out of the source code (see the comment) and consider explicit failover handling — see Failover Behavior for the reasoning and a code template.

Refactor: extract to a middleware

Section titled “Refactor: extract to a middleware”

If you protect more than one route, the most idiomatic Echo approach is a custom middleware function. The verification call then runs automatically before any handler that opts in — either per route or per route group.

Configure the API key and share the SDK

Section titled “Configure the API key and share the SDK”

Build the *TrustCaptcha once at startup and reuse it across requests:

main.go
package main


import (
    "log"
    "os"


    "github.com/labstack/echo/v4"
    "github.com/trustcomponent/trustcaptcha-go/v3"
)


var trustCaptcha *trustcaptcha.TrustCaptcha


func main() {
    var err error
    trustCaptcha, err = trustcaptcha.New(os.Getenv("TRUSTCAPTCHA_API_KEY"))
    if err != nil {
        log.Fatalf("trustcaptcha init: %v", err)
    }


    e := echo.New()
    // routes wired below
    e.Logger.Fatal(e.Start(":8080"))
}

Create the middleware

Section titled “Create the middleware”
middleware/trust_captcha.go
package middleware


import (
    "net/http"


    "github.com/labstack/echo/v4"
    "github.com/trustcomponent/trustcaptcha-go/v3"
)


func VerifyTrustCaptcha(tc *trustcaptcha.TrustCaptcha) echo.MiddlewareFunc {
    return func(next echo.HandlerFunc) echo.HandlerFunc {
        return func(c echo.Context) error {
            token := c.FormValue("tc-verification-token")


            result, err := tc.GetVerificationResult(token)
            if err != nil {
                return c.String(http.StatusBadRequest, "CAPTCHA verification failed.")
            }


            if !result.VerificationPassed || result.Score > 0.5 {
                return c.String(http.StatusBadRequest, "CAPTCHA verification failed.")
            }


            return next(c)
        }
    }
}

Apply the middleware to your routes

Section titled “Apply the middleware to your routes”

Per route:

e.POST("/contact", contactHandler, middleware.VerifyTrustCaptcha(trustCaptcha))

Or to a whole route group:

protected := e.Group("/forms", middleware.VerifyTrustCaptcha(trustCaptcha))
protected.POST("/contact",   contactHandler)
protected.POST("/newsletter", newsletterHandler)

Notes

Section titled “Notes”

Form vs JSON body. c.FormValue(...) reads from application/x-www-form-urlencoded. For JSON endpoints, bind into a struct (c.Bind(&body)) and read the token from there.

Sharing the SDK. A constructed *TrustCaptcha is immutable and safe for concurrent use — build it once at startup, reuse it across goroutines and requests. Don’t rebuild it per request. For configured usage (custom timeouts, proxy, custom API host), pass them as functional options: trustcaptcha.New(apiKey, trustcaptcha.WithApiHost(...), trustcaptcha.WithProxy(...)). See the Go Guide for the full options reference.

Next steps

Section titled “Next steps”

Once you have wired TrustCaptcha into your Echo application, you can use TrustCaptcha to its full extent. However, we still recommend the following additional technical and organizational measures:

  • Security rules: You can find many security settings for your CAPTCHA in the CAPTCHA settings. These include, for example, authorized websites, CAPTCHA bypass for specific IP addresses, bypass keys, IP based blocking, geoblocking, individual difficulty and duration of the CAPTCHA, and much more. Learn more about the security rules.

  • Privacy & GDPR compliance: Include a passage in your privacy policy that refers to the use of TrustCaptcha. We also recommend that you enter into a data processing agreement with us to stay GDPR-compliant. Learn more about data protection.

  • Accessibility & UX: Customize TrustCaptcha to your website so that your website is as accessible as possible and offers the best possible user experience. More about accessibility.

  • Failover behavior: Decide how your backend should behave when our service is temporarily unreachable. This is particularly important for high-availability flows where blocking real users during an outage is worse than letting through a small amount of unverified traffic. Learn more about failover behavior.

  • Testing: If you use automated testing, make sure that the CAPTCHA does not block it. Learn more about testing.