reCAPTCHA validation will now follow orderForm configuration for all requests
PedroAntunesCosta
Published on 7/4/2023
Last update on 7/5/2023

reCAPTCHA is a security service used to determine if a given action is performed by a real user or malicious automation, protecting websites from fraud and abuse. By activating reCAPTCHA at checkout, you are following best practices against virtual attacks and reducing the risk that your store can be exploited for fraudulent purposes.

To further protect our customers, VTEX will now enforce the reCAPTCHA orderForm configuration set in each account for all Checkout API requests, regardless of the roles associated with the user or application key.

Merchants that use the Checkout API to place orders from mobile apps, headless storefronts and similar applications must review and adjust their integrations before September 1, 2023.

What is changing?

Previously, reCAPTCHA verification was not required for orders placed by users and application keys with the Shopping Cart Full Access resource in License Manager. This includes predefined roles such as Owner (Admin Super) and User Admin - RESTRICTED, as well as the Sponsor user.

Now, reCAPTCHA verification will follow orderForm configuration set in each account for all Checkout API requests, regardless of the roles associated with the user or application key.

Why are we making this change?

This action was necessary to reduce the chances of fraud and abuse, such as card testing, in our stores. While the best practices for using application keys indicate that stores should create individual keys for each integration and apply restrictive roles to them, some merchants were exposing themselves to risk by using application keys with administrative roles.

Because we understand that there may be a legitimate reason for some integrations to have access to more resources and information, our decision was to require merchants to implement reCAPTCHA in those integrations. If that is not possible, they have the alternative of disabling the reCAPTCHA validation in their account (recaptchaValidation="never") and implementing alternative protective measures against automated attacks on their own.

We know that these changes will have an impact on our customers’ operations, but adopting security best practices is always necessary and beneficial for our entire ecosystem.

What needs to be done?

Review your integrations

Ask your development team to review your integrations that use the Checkout API to place orders to your VTEX store, using the following endpoints:

They should be able to follow the diagram below to assess whether an integration needs to be adjusted, according to your store's reCAPTCHA orderForm configuration and how requests made to these endpoints are authenticated:

[Diagram: assessing whether an integration needs to be adjusted, based on the store's reCAPTCHA orderForm configuration and how requests to the Checkout API endpoints are authenticated. Image: https://raw.githubusercontent.com/vtexdocs/help-center-content/refs/heads/main/docs/en/announcements/2023-07-04-recaptcha-validation-will-now-follow-orderform-configuration-for-all-requests_1.png]

  • Case 1: No changes are required in the integration, but your store might be at risk.

    Your store does not use reCAPTCHA at Checkout and is therefore vulnerable to automated attacks, unless other protective measures are implemented in your integration.

  • Case 2: You need to adjust your integration, otherwise it might stop working.

    Your store uses reCAPTCHA at Checkout, but is not ready to display it correctly in the user interface. Your development team should adjust your integrations.

  • Case 3: No changes are required in the integration.

    Your store uses reCAPTCHA at Checkout and is ready to display it correctly in the user interface. Congratulations on following security best practices!

Adjust your integrations

If your development team identified that your integration requires attention, they must follow the instructions provided in the developer guide Implementing reCAPTCHA in integrations.

If you are implementing reCAPTCHA on a native mobile app, use reCAPTCHA v3. Otherwise, use reCAPTCHA v2.

Using the reCAPTCHA key returned by the Checkout, the reCAPTCHA widget should be rendered in the user interface of your mobile app/headless storefront (or similar) as described in the reCAPTCHA v2 or reCAPTCHA v3 documentation provided by Google.

After the shopper has completed the reCAPTCHA challenge, their response (recaptchaToken) should be sent to the Checkout API to complete the purchase, as described in the Final validation section of Implementing reCAPTCHA in integrations. The Checkout API will then verify the shopper's response using the provided token.
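The flow just described (Checkout returns a reCAPTCHA key, the storefront renders the widget, the shopper's recaptchaToken is sent back for final validation), as an added JavaScript example for a headless storefront; it is not VTEX's or Google's code. It assumes the challenge-required Checkout response carries the site key in a `recaptchaKey` field, that `grecaptcha` is Google's reCAPTCHA v2 client library loaded on the page, and that the endpoint URL and request body shape are placeholders for what the developer guide specifies.

```javascript
// Added example, not VTEX's own code. Assumed: the Checkout response that requires a challenge
// carries the site key as `recaptchaKey`; the endpoint URL and body shape are placeholders.

// Decide, from a parsed Checkout response body, whether the shopper must solve a challenge first.
function challengeRequired(checkoutResponse) {
  return checkoutResponse !== null && typeof checkoutResponse === "object"
    && typeof checkoutResponse.recaptchaKey === "string"
    && checkoutResponse.recaptchaKey.length > 0;
}

// Build the final-validation body: the original order payload plus the key and the widget's token.
// Refusing an empty token here keeps a broken widget from silently sending an unverifiable request.
function buildFinalValidationBody(originalPayload, recaptchaKey, recaptchaToken) {
  if (typeof recaptchaToken !== "string" || recaptchaToken.length === 0) {
    throw new Error("recaptchaToken missing: the shopper has not completed the challenge");
  }
  return { ...originalPayload, recaptchaKey, recaptchaToken };
}

// Render Google's v2 widget into the element `containerId` and resolve with the shopper's token.
// `grecaptcha.render` and its `callback` / `expired-callback` options are part of Google's v2 API.
function solveChallenge(siteKey, containerId) {
  return new Promise((resolve, reject) => {
    if (typeof grecaptcha === "undefined") {
      reject(new Error("grecaptcha not loaded: include Google's reCAPTCHA api.js script"));
      return;
    }
    grecaptcha.render(containerId, {
      sitekey: siteKey,
      callback: (token) => resolve(token),
      "expired-callback": () => reject(new Error("reCAPTCHA response expired; render again")),
    });
  });
}

// Full flow: send the order; if Checkout asks for a challenge, show the widget and resend with
// the token. `fetchFn` is injected so the same code runs in a browser or under a stub.
async function placeOrderWithRecaptcha(fetchFn, url, headers, payload, containerId) {
  const post = (body) => fetchFn(url, { method: "POST", headers, body: JSON.stringify(body) });
  const first = await (await post(payload)).json();
  if (!challengeRequired(first)) return first;           // store set to "never", or no challenge
  const token = await solveChallenge(first.recaptchaKey, containerId);
  const finalBody = buildFinalValidationBody(payload, first.recaptchaKey, token);
  return (await post(finalBody)).json();                   // Checkout verifies the token server-side
}
```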

All integrations using Checkout API to place orders must be reviewed and adjusted before September 1, 2023. Applications that fail to render the reCAPTCHA widget and verify the user's response will not be able to place orders after this date.

Learn more

Check out the following documentation to learn more about reCAPTCHA and best practices to ensure your store is protected:
