CAPTCHA Widget Release Notes

Here you can see all the modifications and changes of the TrustCaptcha CAPTCHA widget.

• Fixed: full-width now reliably stretches the widget to 100% in flex/grid parent layouts (e.g. Keycloak forms) where a plain block child does not auto-expand
• Fixed: Invisible-hint can no longer be hidden behind other page elements — the z-index now applies to the positioned wrapper instead of an unpositioned inner element
• Fixed: With white-label enabled and no custom privacy URL, the invisible-hint no longer widens slightly on hover (the empty hover container is now omitted entirely)

A major release that overhauls how the widget detects bots, what data it collects, how it integrates into modern frontend stacks, and how it behaves when our servers are temporarily unreachable.

Bot detection & verification quality

• Improved: Sharper signal collection for the bot score — more precise detection means fewer false positives for real users and harder bypasses for automated traffic
• Improved: Stronger honeypot system — multiple decoy fields with different concealment techniques and timing analysis, while leaving the host form’s submission payload untouched
• Improved: Faster, more accurate proof-of-work — workers are reused across challenges instead of being spawned per task, reducing time-to-verify especially on lower-end devices
• Improved: Headless / automation tooling detection covers current browser-automation frameworks

Privacy & data minimization

• Removed: A range of legacy event and DOM properties that no longer contributed to bot detection — less data collected in the first place
• Improved: Stricter handling of minimal-data mode — when enabled, no user-interaction events are tracked or transmitted, end-to-end
• Improved: Honeypot fields are no longer part of the host form’s natural submission and never leak honeypot values into the application’s form data

Failover behavior

• Added: Optional failover-enabled mode. When activated and the captcha API is unreachable, the widget issues a clearly marked failover token so the user can still complete the form. The backend then decides — based on its own risk policy — whether to accept, soft-challenge, or reject the request

Customization & design

• Added: Spinner color, success-icon color, failure background / border / text color, and box / checkbox border-width are now part of the custom design schema
• Improved: Refined default light and dark themes (subtle border, spacing, and rounding adjustments)
• Improved: Trustcaptcha branding restyled and moved to the bottom-right corner; cleaner alignment with custom privacy links
• Updated: New error icon — a clearly recognizable warning triangle in place of the previous symbol
• Fixed: The widget text is now always left-aligned, regardless of the surrounding page or CMS context

Accessibility (targeting WCAG 2.2 AAA)

• Improved: Reworked screen-reader announcements for start, running, completed, failed and expired states — translated into all 38 supported languages
• Improved: Proper role="checkbox" semantics with aria-checked, aria-busy, aria-disabled and a focus-visible outline
• Improved: Keyboard handling — both Space and Enter activate the widget, and clicks on interactive children (links, buttons, custom privacy URL) are no longer absorbed by the widget
• Improved: Honors prefers-reduced-motion (no spinner animation)
• Improved: Failure reason is now announced in addition to the generic “verification failed” message

Events

• Added: New captchaExpired event — fires when the verification token approaches its expiry and the widget auto-resets
• Changed: captchaFailed now emits a structured object ({ errorCode, message }) instead of a plain string, making programmatic error handling easier

Properties (renames & type changes) The widget API was tightened up for consistency. Existing integrations need to migrate the following attributes:

A new failover-enabled attribute has been added (see above).

Error codes

• Removed: UNAUTHORIZED, MODES_NOT_MATCHING, SITE_KEY_NOT_VALID, OPTION_NOT_AVAILABLE
• Added: SITE_KEY_FORMAT_INVALID, CAPTCHA_NOT_FOUND, MINIMAL_DATA_MODE_MISMATCH, LICENSE_FORMAT_INVALID, LICENSE_SITE_KEY_MISMATCH, LICENSE_FEATURE_MISSING_WHITE_LABEL, LICENSE_FEATURE_MISSING_INVISIBILITY, LICENSE_FEATURE_MISSING_CUSTOMIZABILITY
• The single OPTION_NOT_AVAILABLE code has been split into three license-feature-specific codes so integrators can react to the exact missing entitlement
• The error model’s errorCode field is now a typed enum value rather than a numeric index

Verification token

• Changed: The token is now produced fully server-side and includes the verification’s expiresAt — the previously deprecated apiEndpoint and encryptedAccessToken fields are no longer part of the payload. Existing backend SDKs continue to work; the simplified format is opaque to most integrations

License system

• Added: whiteLabel is now its own license feature, separate from customizability. Hiding the Trustcaptcha branding and customizing privacy/design can be licensed independently

Bug fixes

• Fixed: data-autostart="false" is now also honored when the user types into a marked field, not just on focus
• Fixed: Auto-reset timer and theme/language listeners are properly cleaned up when the widget is removed from the DOM
• Fixed: Audio-fingerprint deprecation warning in current browsers no longer appears in the console

Frameworks & ecosystem

• Updated: Angular wrapper requires Angular 17+, ships standalone components only
• Updated: React wrapper supports React 18 and 19
• Updated: Vue wrapper supports Vue 3.3+
• Updated: Stencil 4.43 with current output targets

Performance & footprint

• Improved: External JWT library replaced with the browser’s native crypto.subtle — fewer runtime dependencies, smaller bundle
• Improved: Faster proof-of-work startup through worker reuse and inline worker code (no extra HTTP request)

For step-by-step migration help see the Upgrade to v3 guide. The previous documentation set is preserved under Legacy v1 / v2.

• Added: Support for Angular 21
• Added: Translatable runtime error messages for users
• Improve: Default text translations for many languages
• Improve: Textual and visual accessibility

• Added: Support for Angular 20

• Bugfix: Automatic reset of the CAPTCHA widget shortly before the verification token expires

• Added: Automatic reset of the CAPTCHA widget shortly before the verification token expires

• Update: Improving accessibility

• TrustCaptcha is now part of TrustComponent
• Changed: Scopes, namespaces and some packages combined under TrustComponent
• Changed: JavaScript files are no longer provided under https://resources.trustcaptcha.com/. All TrustCaptcha JavaScript files from version 2.0.0 are now available at https://cdn.trustcomponent.com/trustcaptcha/

• Added: Changeable rounding of CAPTCHA box corners
• Updated: TrustCaptcha branding link from trustcaptcha.com to trustcomponent.com
• Updated: API endpoint changed from api.captcha.trustcaptcha.com to api.trustcomponent.com
• Updated: Privacy link now only visible if a custom privacy url is set
• Updated: Added screen reader translations for fr, es, it and lb
• Fixed: TrustCaptcha branding when theme uses auto detection
• Improved: Data privacy
• Removed: Slider

• Added: Option to hide the privacy link
• Updated: Translations
• Updated: Accessibility improvements

• Changed: Angular TrustCaptcha component now standalone (requires Angular 14+)
• Updated: StencilJS upgrade to 4.26
• Updated: Internal dependencies

• Refactor: Technical improvements

• Fixed: Error in older browsers like Safari 15

• Added: Override translations and add additional languages
• Added: Customizable captcha-box design
• Added: Option to set a custom privacy link
• Added: Hint for running CAPTCHA if the CAPTCHA is invisible
• Updated: Angular version to v19

• Added: Provide static UMD JavaScript bundles from version 1.7
• Added: Cache rules for static assets
• Changed: Improved proof-of-work and privacy measures

• Updated: Links in README.md files

• Added: Provide static CJS JavaScript bundles from version 1.7
• Added: Measures to optimize the captcha box in the future
• Changed: Replace company website with privacy url

• Added: New captcha box slider security measure
• Added: Public JavaScript event captchaReset()
• Changed: Improved cache methods to improve loading performance of static JS bundles
• Changed: Improved text minification and compression to improve loading performance
• Changed: Reduced code size
• Changed: Improved privacy measures
• Removed: Language support for: Armenian (hy), Azerbaijani (az), Bengali (bn), Hebrew (he), Indonesian (id), Japanese (ja), Kazakh (kk), Malay (ms), Persian (fa), Swahili (sw), Tagalog (tl), Tamil (ta), Thai (th), Urdu (ur), Vietnamese (vi)
• Updated: Internal dependencies

• Added: Public JS function startVerification() to trigger the captcha box manually
• Fixed: StencilJS downgraded to 4.17.2 to fix Vue issues

• Added: Hide branding option
• Added: Invisible option
• Added: Public JS event captchaStarted()
• Removed: Old button shaped design
• Updated: StencilJS to 4.20.0

• Added: Error message if captcha is locked
• Added: Error message if captcha is temporarily locked because of payment issues

• Added: Language support for Albanian (sq), Armenian (hy), Azerbaijani (az), Bosnian (bs), Bulgarian (bg), Catalan (ca), Estonian (et), Hebrew (he), Kazakh (kk), Macedonian (mk), Malay (ms), Persian (fa), Serbian (sr), Slovene (sl), Tamil (ta), Ukrainian (uk)
• Changed: Improve compatibility for screen readers

• Fixed: Issue with provided static ESM JS bundle files

• Added: New checkbox shaped design
• Added: Captcha box width option full and fixed
• Added: Language support for: Arabic (ar), Bengali (bn), Chinese (zh), Hindi (hi), Indonesian (id), Japanese (ja), Korean (ko), Swahili (sw), Tagalog (tl), Thai (th), Urdu (ur), Vietnamese (vi)
• Added: Provide static ESM JS bundles for v1.2, v1.3 and v1.4
• Changed: Improve error display message on error COMMUNICATION_FAILURE
• Deprecated: Current button shaped design will be removed in v1.6.0

• Changed: Improve captcha box design
• Fixed: Bug in auto language detection

• Fixed: Issue in the build process

• Added: Auto language detection
• Added: Minimal data mode option
• Added: Bypass keys for testing purposes
• Fixed: Wrong display error on HTTP 422 server response

• Added: Dynamic names for honeypot field
• Fixed: Move proof-of-work calculation to Web Workers (performance & efficiency)
• Fixed: Privacy and performance issues while data collection and analysis
• Fixed: Cursor design on disabled buttons
• Updated: StencilJS to 4.13.0
• Updated: Internal dependencies

• Updated: Privacy link in the captcha-box
• Updated: Links in README.md files

• Added: Language support for: Belarusian (be), Croatian (hr), Czech (cs), Danish (da), Dutch (nl), Finnish (fi), French (fr), Greek (el), Hungarian (hu), Italian (it), Latvian (lv), Lithuanian (lt), Luxembourgish (lb), Norwegian (no), Polish (pl), Portuguese (pt), Romanian (ro), Russian (ru), Slovak (sk), Spanish (es), Swedish (sv), Turkish (tr)
• Added: Make verification token field name changeable
• Added: Switch off the autostart for certain input fields
• Changed: Loading spinner animation (design & behaviour)
• Updated: StencilJS to 4.12.4

• Refactor: Proof-of-work calculation
• Refactor: Remove unnecessary code
• Updated: StencilJS to 4.11.0

• Release version

• Open-Beta

• Open-Beta

• Open-Beta

• Closed-Beta