{"section":"announcements","requestedLocale":"en","requestedSlug":"2023-07-04-recaptcha-validation-will-now-follow-orderform-configuration-for-all-requests","locale":"en","slug":"2023-07-04-recaptcha-validation-will-now-follow-orderform-configuration-for-all-requests","path":"docs/en/announcements/2023/july/2023-07-04-recaptcha-validation-will-now-follow-orderform-configuration-for-all-requests.md","branch":"main","content":"[reCAPTCHA](https://developers.vtex.com/docs/guides/recaptcha) is a security service used to determine if a given action is performed by a real user or malicious automation, protecting websites from fraud and abuse. By activating [reCAPTCHA at checkout](/en/docs/tutorials/using-recaptcha-at-checkout), you are following best practices against virtual attacks and reducing the risk that your store can be exploited for fraudulent purposes.\n\nTo further protect our customers, VTEX will now enforce the reCAPTCHA orderForm configuration set in each account for all Checkout API requests, regardless of the roles associated with the user or application key.\n\nMerchants that use the Checkout API to place orders from mobile apps, headless storefronts and similar applications must [review](#review-your-integrations) and [adjust](#adjust-your-integrations) their integrations before __September 1, 2023__.\n\n## What is changing?\n\nBefore, reCAPTCHA verification was not required for orders placed by users and application keys with the `Shopping Cart Full Access` [resource in License Manager](/en/docs/tutorials/license-manager-resources). 
This includes [predefined roles](/en/docs/tutorials/predefined-roles) such as `Owner (Admin Super)` and `User Admin - RESTRICTED`, as well as the [Sponsor user](/en/docs/tutorials/what-is-the-sponsor-user).\n\nNow, reCAPTCHA verification will follow the orderForm configuration set in each account for all Checkout API requests, regardless of the roles associated with the user or application key.\n\n## Why are we making this change?\n\nThis action was necessary to reduce the chances of fraud and abuse, such as card testing, in our stores. While the best practices for using application keys indicate that stores should create individual keys for each integration and apply restrictive roles to them, some merchants were exposing themselves to risk by using application keys with administrative roles. \n\nBecause we understand that there may be a legitimate reason for some integrations to have access to more resources and information, our decision was to require merchants to implement reCAPTCHA in those integrations. 
If that is not possible, they have the alternative of disabling the reCAPTCHA validation in their account (`recaptchaValidation=\"never\"`) and implementing alternative protective measures against automated attacks on their own.\n\nWe know that these changes will have an impact on our customers’ operations, but adopting security best practices is always necessary and beneficial for our entire ecosystem.\n\n## What needs to be done?\n\n### Review your integrations\n\nAsk your development team to review your integrations that use the Checkout API to place orders to your VTEX store, using the following endpoints:\n\n- [Place order from an existing cart](https://developers.vtex.com/docs/api-reference/checkout-api#post-/api/checkout/pub/orderForm/-orderFormId-/transaction)\n- [Place order](https://developers.vtex.com/docs/api-reference/checkout-api#put-/api/checkout/pub/orders)\n\nThey should be able to follow the diagram below to assess whether an integration needs to be adjusted, according to your store's [reCAPTCHA orderForm configuration](https://developers.vtex.com/docs/api-reference/checkout-api#post-/api/checkout/pvt/configuration/orderForm) and how requests made to these endpoints are [authenticated](https://developers.vtex.com/docs/guides/authentication-overview):\n\n![reCAPTCHA diagram](https://cdn.statically.io/gh/vtexdocs/help-center-content/refs/heads/main/docs/en/announcements/2023/july/2023-07-04-recaptcha-validation-will-now-follow-orderform-configuration-for-all-requests_1.png)\n\n- __Case 1__: *No changes are required in the integration, but your store might be at risk.*\n\n  Your store does not use reCAPTCHA at Checkout and is therefore vulnerable to automated attacks, unless other protective measures are implemented in your integration.\n\n- __Case 2__: *You need to adjust your integration, otherwise it might stop working.*\n\n  Your store uses reCAPTCHA at Checkout, but is not ready to display it correctly in the user interface. 
Your development team should [adjust your integrations](#adjust-your-integrations).\n\n- __Case 3__: *No changes are required in the integration.*\n\n  Your store uses reCAPTCHA at Checkout and is ready to display it correctly in the user interface. Congratulations on following best practices in security!\n\n### Adjust your integrations\n\nIf your development team identified that your integration requires attention, they must follow the instructions provided in the developer guide [Implementing reCAPTCHA in integrations](https://developers.vtex.com/docs/guides/implementing-recaptcha-in-integrations).\n\n> ⚠️ If you are implementing reCAPTCHA on a native mobile app, use reCAPTCHA v3. Otherwise, use reCAPTCHA v2.\n\nUsing the reCAPTCHA key returned by the Checkout, the reCAPTCHA widget should be rendered in the user interface of your mobile app/headless storefront (or similar) as described in the [reCAPTCHA v2](https://developers.google.com/recaptcha/docs/display) or [reCAPTCHA v3](https://developers.google.com/recaptcha/docs/v3) documentation provided by Google.\n\nAfter the shopper has completed the reCAPTCHA challenge, their response (`recaptchaToken`) should be sent to the Checkout API to complete the purchase, as described in the *Final validation* section of [Implementing reCAPTCHA in integrations](https://developers.vtex.com/docs/guides/implementing-recaptcha-in-integrations#final-validation). The Checkout API will then [verify the user's response](https://developers.google.com/recaptcha/docs/verify) using the provided token.\n\n> ❗ All integrations using Checkout API to place orders must be reviewed and adjusted before September 1, 2023. 
Applications that fail to render the reCAPTCHA widget and verify the user's response will not be able to place orders after this date.\n\n## Learn more\n\nCheck out the following documentation to learn more about reCAPTCHA and best practices to ensure your store is protected:\n\n- [Using reCAPTCHA at Checkout](/en/docs/tutorials/using-recaptcha-at-checkout)\n- [Best practices against virtual attacks](/en/docs/tutorials/best-practices-against-virtual-attacks)\n- [Best practices for using application keys](/en/docs/tutorials/best-practices-api-keys)\n- [License Manager resources](/en/docs/tutorials/license-manager-resources)"}