Backend contract
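Your backend should treat HumanProof as a gate: read the submitted token, call siteverify with the backend secret, and continue only when the JSON response contains success: true. Treat every other outcome (a missing token, a failed or timed-out request, an unparseable response) as a failed verification, and keep the secret on the server only.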
Node / Express
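/**
 * Contact-form endpoint gated on HumanProof verification.
 *
 * The handler fails closed: the request only proceeds when siteverify answers
 * with a JSON body whose `success` is exactly `true`. A missing token, a
 * network error, a timeout or a non-JSON reply all end the request with an
 * error status instead of falling through to the protected action.
 *
 * HUMANPROOF_SECRET is read from the server environment and must never be
 * shipped to the browser.
 */
app.post('/contact', async (req, res) => {
  // req.body is only populated when a body parser is registered; the optional
  // chain turns a missing body into a clean verification failure.
  const token = req.body?.['humanproof-token'];
  if (typeof token !== 'string' || token === '') {
    // Nothing to verify: reject without spending a siteverify call.
    return res.status(422).send('Verification failed');
  }

  let result;
  try {
    const verify = await fetch('https://humanproof.eu/api/siteverify', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        secret: process.env.HUMANPROOF_SECRET,
        response: token,
      }),
      // Bound the wait so a stalled verifier cannot pin request handlers.
      signal: AbortSignal.timeout(5000),
    });
    result = await verify.json();
  } catch (err) {
    // Without this catch a rejected fetch()/json() escapes the async handler;
    // depending on the Express version the request may then never be answered.
    console.error('HumanProof verification request failed:', err);
    return res.status(503).send('Verification unavailable');
  }

  // Strict comparison: a truthy non-boolean such as the string "false" must not pass.
  if (result?.success !== true) {
    return res.status(422).send('Verification failed');
  }
  res.send('OK');
});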
Next.js route handler
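/**
 * Next.js route handler gated on HumanProof verification.
 *
 * Fails closed: the request is accepted only when siteverify returns a JSON
 * body whose `success` is exactly `true`.
 *
 * @param {Request} request - Incoming form submission carrying a `humanproof-token` field.
 * @returns {Promise<Response>} 200 `{ ok: true }` when verified, 422 when the
 *   token is missing or rejected, 503 when the verifier cannot be reached or
 *   returns an unreadable reply.
 */
export async function POST(request) {
  const formData = await request.formData();

  // formData.get() yields null for a missing field and a File for an upload;
  // only a non-empty string is a candidate token.
  const token = formData.get('humanproof-token');
  if (typeof token !== 'string' || token === '') {
    return Response.json({ error: 'Verification failed' }, { status: 422 });
  }

  let result;
  try {
    const verify = await fetch('https://humanproof.eu/api/siteverify', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        // Server-side secret; never expose it to client code.
        secret: process.env.HUMANPROOF_SECRET,
        response: token,
      }),
      // Bound the wait so a stalled verifier cannot hold the route open.
      signal: AbortSignal.timeout(5000),
    });
    result = await verify.json();
  } catch (err) {
    // Network failure, timeout or non-JSON reply: refuse rather than let the request through.
    console.error('HumanProof verification request failed:', err);
    return Response.json({ error: 'Verification unavailable' }, { status: 503 });
  }

  // Strict comparison: a truthy non-boolean such as the string "false" must not pass.
  if (result?.success !== true) {
    return Response.json({ error: 'Verification failed' }, { status: 422 });
  }
  return Response.json({ ok: true });
}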
Laravel
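// Gate the request on HumanProof: proceed only when siteverify reports success === true.
// The secret comes from server-side config and must never reach the client.

// input() can return an array when the field is submitted as `humanproof-token[]`;
// accept only a non-empty string and reject everything else before calling out.
$token = $request->input('humanproof-token');
abort_unless(is_string($token) && $token !== '', 422, 'Verification failed.');

// Bound the wait so a stalled verifier cannot tie up workers.
// NOTE(review): a connection failure or timeout throws from the HTTP client here,
// which also stops the request (fail closed) – confirm how your exception handler renders it.
$verified = Http::timeout(5)->post('https://humanproof.eu/api/siteverify', [
    'secret' => config('services.humanproof.secret'),
    'response' => $token,
])->json('success');

// Strict comparison: null (missing key, non-JSON body) and truthy non-booleans must not pass.
abort_unless($verified === true, 422, 'Verification failed.');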
PHP / WordPress
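// Gate the request on HumanProof: proceed only when siteverify reports success === true.
// The secret is read from the server environment and must never reach the client.

// Accept only a string token (a `humanproof-token[]` submission arrives as an array)
// and undo the slashes WordPress adds to $_POST before forwarding it.
$token = isset($_POST['humanproof-token']) && is_string($_POST['humanproof-token'])
    ? wp_unslash($_POST['humanproof-token'])
    : '';
if ($token === '') {
    // Nothing to verify: reject without spending a siteverify call.
    wp_die('Verification failed.', 422);
}

$response = wp_remote_post('https://humanproof.eu/api/siteverify', [
    'headers' => ['Content-Type' => 'application/json'],
    'body' => wp_json_encode([
        'secret' => getenv('HUMANPROOF_SECRET'),
        'response' => $token,
    ]),
]);

// A transport failure yields a WP_Error; treat it like any other unverifiable reply.
$body = is_wp_error($response)
    ? null
    : json_decode(wp_remote_retrieve_body($response), true);

// Fail closed: anything other than a decoded array with success === true is rejected,
// including non-JSON bodies and truthy non-boolean values.
if (!is_array($body) || ($body['success'] ?? null) !== true) {
    wp_die('Verification failed.', 422);
}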