Tymeslot integrates Google reCAPTCHA v3 to protect the signup and booking forms from automated submissions. Unlike reCAPTCHA v2 — which presents a checkbox or image challenge — v3 runs entirely in the background and returns a score between 0.0 and 1.0 that represents how likely the submission is to be human. No interaction is required from your users. reCAPTCHA sits as the third layer in a defence-in-depth pipeline alongside a honeypot hidden field and a per-email/per-IP rate limiter.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Tymeslot/tymeslot/llms.txt
Use this file to discover all available pages before exploring further.
reCAPTCHA v3 is invisible — there is no checkbox, image grid, or visible challenge. Users on your signup and booking pages will not see any reCAPTCHA widget. The score is computed silently by Google’s risk engine based on browser behaviour and interaction signals.
How scoring works
Google’s reCAPTCHA v3 service assigns every form submission a score from0.0 (very likely a bot) to 1.0 (very likely a human). Tymeslot compares the returned score against a configurable minimum threshold and rejects the submission if the score falls below it.
Tymeslot defaults both thresholds to 0.3, which is intentionally permissive. This reduces false positives for legitimate users on VPNs, mobile networks, or privacy-focused browsers that reduce the signals available to Google’s scoring engine. Combined with the honeypot and rate limiter, even a permissive reCAPTCHA threshold provides meaningful protection.
Setup
Register your site at the reCAPTCHA Admin Console
Go to https://www.google.com/recaptcha/admin and sign in with a Google account.Click + (Create) and fill in the form:
- Label:
Tymeslot(or any descriptive name) - reCAPTCHA type: Score based (v3)
- Domains: add your Tymeslot hostname (e.g.
tymeslot.yourdomain.com). Addlocalhostas well if you want to test locally.
Copy your site and secret keys
After registration, the console displays two keys:
- Site key — embedded in the browser page (public).
- Secret key — used server-side for verification (keep this private).
Set the key environment variables
Add both keys to your The keys are shared across both the signup and booking integrations — you do not need separate keys per form.
.env:Enable protection per form
reCAPTCHA is opt-in per form. Enable whichever forms you want to protect:You can enable one without the other. Both default to
false.Tune score thresholds (optional)
The default minimum score is Start with the defaults and monitor your logs before tightening. A threshold of
0.3 for both forms. Raise it to block more borderline traffic; lower it to reduce false positives:0.5 is Google’s general recommendation, but 0.3 works well when combined with the other security layers Tymeslot already applies.Environment variables reference
The public site key from the reCAPTCHA Admin Console. Embedded in the browser page to load the reCAPTCHA script. Required when
RECAPTCHA_SIGNUP_ENABLED=true or RECAPTCHA_BOOKING_ENABLED=true.The private secret key used server-side to verify reCAPTCHA tokens with Google’s API. Never expose this in client-side code or public logs.
Enable reCAPTCHA verification on the account registration form. Requires
RECAPTCHA_SITE_KEY and RECAPTCHA_SECRET_KEY to be set. If keys are missing when this is true, reCAPTCHA is automatically disabled (logged as a warning) so legitimate signups are not blocked.Enable reCAPTCHA verification on the booking submission form. Same key requirements and graceful-degradation behaviour as
RECAPTCHA_SIGNUP_ENABLED.Minimum reCAPTCHA score required to accept a signup submission. Values range from
0.0 (bot) to 1.0 (human). Submissions scoring below this threshold are rejected.Minimum reCAPTCHA score required to accept a booking submission. Follows the same
0.0–1.0 scale as the signup threshold.The reCAPTCHA action name sent with signup verifications. Google’s dashboard uses action names to segment your score analytics. Override this only if you need custom analytics groupings.
The reCAPTCHA action name sent with booking verifications. Same purpose as
RECAPTCHA_SIGNUP_ACTION.Comma-separated list of hostnames that are expected in reCAPTCHA verification responses (e.g.
tymeslot.yourdomain.com). When set, Tymeslot will reject tokens whose response hostname does not match. Leave unset to skip hostname validation — useful when running behind a reverse proxy or in environments where the hostname seen by Google may differ from PHX_HOST.Graceful degradation
IfRECAPTCHA_SIGNUP_ENABLED=true or RECAPTCHA_BOOKING_ENABLED=true is set but the corresponding keys are missing or blank, Tymeslot does not crash or block legitimate submissions. Instead, it logs a warning (rate-limited to once per minute to avoid log spam) and allows the form through. This ensures that a misconfiguration does not lock users out of your instance.
Adjusting thresholds after launch
The reCAPTCHA Admin Console (at https://www.google.com/recaptcha/admin) shows a score distribution graph for your site after traffic starts flowing. Use this to calibrate your thresholds:- If the distribution shows most legitimate traffic scoring above
0.7, you can safely raise the threshold closer to0.5. - If you are seeing false positive rejections from real users, lower the threshold or check whether a browser extension or Content Security Policy is interfering with the reCAPTCHA script.
If a user’s browser blocks the reCAPTCHA script (ad blocker, strict CSP, or JavaScript disabled), no score token is sent with the form submission. Make sure your Content Security Policy allows
https://www.google.com and https://www.gstatic.com if you serve a custom CSP header.