Best Practices · 5 min read · 20 May 2026

How to Protect Your Signup Forms from Bots and Automated Abuse

Bot signups pollute your data, inflate your costs, and can trigger billing abuse. Here is how CAPTCHA works, why traditional approaches fell short, and why Cloudflare Turnstile is the modern standard.

Any form on the public internet that accepts input will eventually be targeted by bots. Signup forms are among the most attractive targets — they create accounts, generate email traffic, and in the case of SaaS applications, can trigger trial activations, consume free-tier resources, or inflate user counts in ways that affect billing.

Bot signups are not a problem reserved for large platforms. Any web application with a public registration form is a target. The question is not whether bots will find it, but how much damage they will do before you have a control in place.

What bot signups actually cost

The direct costs are straightforward: confirmation emails sent to fake addresses, free plan resources consumed, support tickets from legitimate users whose experience is degraded, and time spent cleaning up junk accounts from your database.

The indirect costs are subtler. Polluted user data makes it harder to understand your actual customer base. Welcome email sequences triggered by fake signups can damage your sending reputation with email providers, affecting deliverability to real users. And if your application has any metered component — storage, API calls, compute — bots consuming it shifts costs onto your infrastructure bill.

How CAPTCHA works

CAPTCHA — Completely Automated Public Turing test to tell Computers and Humans Apart — is a challenge designed to be easy for a human to pass and difficult for an automated script to solve. The goal is to add a verification step between the form submission and the backend action, so that only genuine users can complete the flow.

In practice, CAPTCHA works by presenting a challenge that requires human perception, behaviour, or context to pass. The classic version — distorted text — was cracked years ago by machine learning models. Modern CAPTCHA systems rely on behavioural signals and risk scoring rather than visual puzzles.

Why traditional CAPTCHAs fell short

The image-based CAPTCHAs that dominated the 2010s — identify the traffic lights, select all squares with a bicycle — created significant friction for legitimate users without reliably stopping determined bots. Automated solving services, often powered by low-cost human labour farms, emerged to defeat them at scale. The result was the worst of both worlds: real users frustrated, bots still getting through.

reCAPTCHA v2 improved things but introduced its own issues: reliance on Google's tracking infrastructure, inconsistent behaviour for users with VPNs or privacy tools, and an experience that felt like a test rather than a natural part of signing up.

  • Text-based CAPTCHAs — defeated by OCR and machine learning years ago
  • Image grid CAPTCHAs — labour-intensive solving services handle them at scale; frustrating for users with accessibility needs
  • reCAPTCHA v2 — Google-dependent, fingerprints users, inconsistent results for privacy-conscious users
  • hCaptcha — similar approach to reCAPTCHA; free tier was discontinued, requiring a paid plan for most use cases

Cloudflare Turnstile: the modern approach

Cloudflare Turnstile takes a fundamentally different approach. Instead of asking users to solve a visual puzzle, it analyses a range of non-invasive signals — browser behaviour, device characteristics, interaction patterns — and makes a risk assessment in the background. The vast majority of legitimate users see nothing more than a brief "Verifying..." message followed by a green tick. No puzzles, no image grids, no friction.

Turnstile is free with no paid plan required. It does not rely on advertising tracking or cross-site fingerprinting, making it compatible with privacy-focused browsers and users who run ad blockers. And because it integrates directly with Supabase Auth, the verification happens server-side before an account is created — meaning bots cannot bypass it by calling the API directly.

The key advantage of server-side CAPTCHA verification is that it cannot be bypassed by simply removing the widget from the frontend. The Supabase Auth API rejects any signup, login, or password reset request that does not include a valid CAPTCHA token — regardless of how the request was made.
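To make the server-side rule concrete, here is an added example (not Supabase's or Cloudflare's code) of what a signup handler that verifies the token before creating an account looks like. The siteverify endpoint and the fields it returns (success, error-codes, hostname) are Cloudflare's documented API; the handler shape, the injectable fetch and the offline stub that stands in for Cloudflare are assumptions made for this illustration.

```javascript
// Added example, not the project's code: server-side CAPTCHA verification in
// front of account creation. The endpoint URL and response fields are
// Cloudflare's; everything else here is an assumed illustration.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// Pure decision over a siteverify response: success must be true and, when we
// know our own hostname, the token must have been issued for it.
function interpretSiteverify(data, expectedHostname) {
  if (!data || data.success !== true) {
    const codes = (data && data["error-codes"]) || ["unknown"];
    return { ok: false, reason: codes.join(",") };
  }
  if (expectedHostname && data.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  return { ok: true, hostname: data.hostname };
}

// Ask Cloudflare whether the token the client handed us is genuine. fetchImpl
// is injectable so the function can be exercised offline with a stub.
async function verifyTurnstileToken({ token, secret, remoteIp, expectedHostname }, fetchImpl = globalThis.fetch) {
  // Reject missing or absurd input before spending a network round trip.
  if (typeof token !== "string" || token.length === 0 || token.length > 2048) {
    return { ok: false, reason: "missing-or-malformed-token" };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body });
  if (!res.ok) return { ok: false, reason: `siteverify-http-${res.status}` };
  return interpretSiteverify(await res.json(), expectedHostname);
}

// Signup handler (assumed shape): the token is checked before any account is
// created, so removing the widget from the page or posting straight to the
// API does not get a request past this point.
async function handleSignup(req, deps) {
  const { email, password, captchaToken } = req.body || {};
  const verdict = await verifyTurnstileToken(
    { token: captchaToken, secret: deps.secret, remoteIp: req.ip, expectedHostname: deps.hostname },
    deps.fetchImpl,
  );
  if (!verdict.ok) {
    return { status: 400, body: { error: "captcha verification failed", reason: verdict.reason } };
  }
  const user = await deps.createUser(email, password);
  return { status: 200, body: { userId: user.id } };
}

// Offline stand-in for siteverify (constructed): accepts one known token, once.
// A replayed token gets timeout-or-duplicate, as tokens are single-use.
function makeFakeSiteverify(validToken, hostname = "app.example.test") {
  const seen = new Set();
  return async (_url, init) => {
    const token = init.body.get("response"); // body is the URLSearchParams built above
    let payload;
    if (token === validToken && !seen.has(token)) {
      seen.add(token);
      payload = { success: true, hostname };
    } else {
      payload = { success: false, "error-codes": ["timeout-or-duplicate"] };
    }
    return { ok: true, status: 200, json: async () => payload };
  };
}
```

The hostname check is the part most often skipped: a token is only valid for the site it was issued to, so comparing the returned hostname against your own catches tokens harvested from an unrelated Turnstile deployment. With Supabase Auth this whole check runs inside the Auth service; the example only shows the rule it enforces.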

Implementing Turnstile with Supabase Auth

Supabase has native CAPTCHA support built into its Auth system. When enabled, it validates the Turnstile token server-side before completing any auth operation — signups, logins, and password reset requests are all covered.

The setup involves three steps: create a site in the Cloudflare Turnstile dashboard to get a site key and secret key; enable CAPTCHA protection in Supabase Auth settings and paste the secret key; then add the Turnstile widget to your frontend using the React package and pass the token to your Supabase auth calls.

  • Install @marsidev/react-turnstile — the maintained React wrapper for the Turnstile widget
  • Add NEXT_PUBLIC_TURNSTILE_SITE_KEY to your environment variables
  • Render the Turnstile widget in your form and capture the token via the onSuccess callback
  • Pass the token to supabase.auth.signUp(), signInWithPassword(), and resetPasswordForEmail() via the captchaToken option
  • Supabase verifies the token with Cloudflare before processing the request — no valid token means no account creation

Which forms need CAPTCHA protection

Once you enable CAPTCHA in Supabase Auth, it applies to all auth API calls — not just signup. This means your login and password reset forms also need the widget, otherwise legitimate users will be blocked when they try to sign in.

It is easy to add the widget to the signup form and forget that the same requirement applies to login and forgot-password flows. Cover all three before deploying to production.

  • Signup / registration form — prevents fake account creation
  • Login form — protects against credential stuffing and brute-force attacks
  • Forgot password / password reset form — prevents automated password reset abuse
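The following added example (not IT Trackr's code) shows the client-side wiring for the three flows listed above and in the setup steps: one token from the widget, passed to signUp, signInWithPassword and resetPasswordForEmail. The argument shapes follow the supabase-js API (options.captchaToken for the first two, a { captchaToken } second argument for the reset call); the token holder, the helper names and the fake client that lets this run offline are assumptions. In the React form, the holder's onSuccess and onExpire are what you hand to the Turnstile widget's callbacks.

```javascript
// Added example, not the project's code. Holds the latest token from the
// widget's onSuccess callback. A Turnstile token is single-use, so it is
// handed out exactly once; after a failed attempt the widget has to be reset
// (re-run) before the user can try again.
function createCaptchaTokenHolder() {
  let token = null;
  return {
    onSuccess: (t) => { token = t; },   // wire to the widget's onSuccess
    onExpire: () => { token = null; },  // wire to the widget's onExpire
    take() {
      const t = token;
      token = null;
      return t;
    },
  };
}

// Each helper refuses to call Supabase without a token. The server rejects
// such a request anyway; failing locally keeps the error path short and
// avoids burning a rate-limit slot on a request that cannot succeed.
async function signUpWithCaptcha(supabase, holder, { email, password }) {
  const captchaToken = holder.take();
  if (!captchaToken) return { data: null, error: { message: "complete the CAPTCHA first" } };
  return supabase.auth.signUp({ email, password, options: { captchaToken } });
}

async function signInWithCaptcha(supabase, holder, { email, password }) {
  const captchaToken = holder.take();
  if (!captchaToken) return { data: null, error: { message: "complete the CAPTCHA first" } };
  return supabase.auth.signInWithPassword({ email, password, options: { captchaToken } });
}

async function resetPasswordWithCaptcha(supabase, holder, email) {
  const captchaToken = holder.take();
  if (!captchaToken) return { data: null, error: { message: "complete the CAPTCHA first" } };
  return supabase.auth.resetPasswordForEmail(email, { captchaToken });
}

// Constructed stand-in for the Supabase client that mirrors the server-side
// rule (no valid captchaToken, no auth operation) and records what it was asked.
function makeFakeSupabase(validTokens) {
  const calls = [];
  const check = (name, token) => {
    calls.push({ name, token });
    return validTokens.has(token)
      ? { data: { user: { id: "user-1" } }, error: null }
      : { data: null, error: { message: "captcha verification process failed" } };
  };
  return {
    calls,
    auth: {
      signUp: async (a) => check("signUp", a.options && a.options.captchaToken),
      signInWithPassword: async (a) => check("signInWithPassword", a.options && a.options.captchaToken),
      resetPasswordForEmail: async (_email, o) => check("resetPasswordForEmail", o && o.captchaToken),
    },
  };
}
```

Because the holder empties itself on take(), a second submit after a failed login cannot silently reuse the old token; the form should call the widget's reset method and wait for a fresh onSuccess, which is the behaviour users otherwise report as "the login button does nothing the second time".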

Beyond CAPTCHA: layered bot protection

CAPTCHA is an important layer, but it works best as part of a broader approach. Rate limiting at the API level prevents high-volume automated requests even if a CAPTCHA token is somehow obtained. Email confirmation before account activation prevents bots from becoming active users even if they pass the CAPTCHA. And periodic review of new account data — looking for patterns like random name strings, unrecognised email domains, or accounts that never log in after creation — helps you identify and remove bot accounts that slip through.
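As an added example of the periodic review described above (not IT Trackr's code), here is a small pass over new-account records that flags the three patterns named: random-looking names, unrecognised email domains, and accounts that never log in after creation, plus unconfirmed email as a fourth signal. The record fields, the thresholds, the allow-list of recognised domains and the sample accounts are all assumptions constructed for the illustration.

```javascript
// Added example, not the project's code. Assumed allow-list of domains that
// count as recognised; a real deployment would build this from its own data.
const RECOGNISED_DOMAINS = new Set(["gmail.com", "outlook.com", "example.com"]);

// Heuristic: a display name with almost no vowels, a long consonant run, or
// digits mixed into letters reads as machine-generated. True means suspicious.
function looksRandom(name) {
  const s = String(name || "").trim();
  if (s.length < 3) return false; // too short to judge either way
  const letters = s.replace(/[^a-z]/gi, "");
  if (letters.length === 0) return true;
  const vowelRatio = (letters.match(/[aeiou]/gi) || []).length / letters.length;
  const longConsonantRun = /[^aeiou\s\d]{5,}/i.test(s);
  const digitsInsideWord = /[a-z]\d|\d[a-z]/i.test(s);
  return vowelRatio < 0.2 || longConsonantRun || digitsInsideWord;
}

function emailDomain(email) {
  const at = String(email).lastIndexOf("@");
  return at < 0 ? "" : String(email).slice(at + 1).toLowerCase();
}

// Score one account. `now` (ms since epoch) is injected so a review run is
// reproducible; dormantDays is the assumed grace period before "never logged
// in" counts against an account.
function reviewAccount(account, now, { dormantDays = 7 } = {}) {
  const flags = [];
  if (looksRandom(account.name)) flags.push("random-name");
  if (!RECOGNISED_DOMAINS.has(emailDomain(account.email))) flags.push("unrecognised-domain");
  const ageDays = (now - Date.parse(account.createdAt)) / 86_400_000;
  if (!account.lastLoginAt && ageDays >= dormantDays) flags.push("never-logged-in");
  if (!account.emailConfirmed) flags.push("unconfirmed-email");
  // One flag alone is common for real users; two or more is worth a look.
  return { id: account.id, flags, suspicious: flags.length >= 2 };
}

// Review a batch and return only the accounts queued for manual removal.
function reviewNewAccounts(accounts, now) {
  return accounts.map((a) => reviewAccount(a, now)).filter((r) => r.suspicious);
}

// Constructed sample records: one real user, one bot-like account, one real
// user on an unfamiliar domain who signed up yesterday.
const SAMPLE_ACCOUNTS = [
  { id: 1, name: "Alice Chen", email: "alice@example.com",
    createdAt: "2026-05-01T10:00:00Z", lastLoginAt: "2026-05-10T09:00:00Z", emailConfirmed: true },
  { id: 2, name: "xkqzvbtr9p", email: "u8s7d@mail-drop.test",
    createdAt: "2026-05-02T03:14:00Z", lastLoginAt: null, emailConfirmed: false },
  { id: 3, name: "Bob Lee", email: "bob@mail-drop.test",
    createdAt: "2026-05-19T12:00:00Z", lastLoginAt: null, emailConfirmed: true },
];
```

Run against the sample with now set to 2026-05-20, only account 2 is returned: account 3 collects a single flag for its domain, which is exactly why the threshold is two signals rather than one. Treat the output as a review queue, not an automatic delete list; the heuristics are deliberately crude and a legitimate user with an unusual name on a small mail provider will hit one of them.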

The goal is not to make bot signups impossible — determined attackers will always find creative approaches. The goal is to make automated abuse expensive enough that it is not worth targeting your platform.

IT Trackr uses Cloudflare Turnstile on all auth forms — signup, login, and password reset — with server-side verification via Supabase Auth. Every verified signup also triggers a new user notification so unusual registration patterns are visible immediately.
