You can easily add TrustKit to your website instantly. Just add this:
<script src="https://trustkit.matriigo.com/trustkit.js" trustkit-dropin="true" trustkit-sitekey="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"></script>
trustkit-dropin: Set to "true" to automatically inject the TrustKit widget
trustkit-sitekey: Your public site key from the TrustKit dashboard
trustkit-language: Optional language code (defaults to browser language)

TrustKit supports 25+ languages. You can manually set the language using trustkit-language="no" (Norwegian Bokmål for example) or remove the attribute to allow it to auto detect based on the user's browser. There is also support for right-to-left (RTL) languages.
There are two ways to use it to gatekeep a protected system (e.g. a dashboard or forum):
Option 1: Allow it to inject into an HTML form. If you place the script tag within a form tag, it will inject a hidden field when the user is verified.
<form action="/submit">
  <label for="firstname">First name:</label><br />
  <input type="text" id="firstname" name="firstname" value="John" />
  <label for="lastname">Last name:</label>
  <input type="text" id="lastname" name="lname" value="Doe" />
  <label for="email">Email:</label>
  <input type="email" id="email" name="email" value="[email protected]" />
  <input type="submit" value="Submit" />
  <!-- Hidden field injected by TrustKit once the user is verified -->
  <input
    type="text"
    hidden="true"
    name="trustkit_token"
    value="zTqI5KkEsDtcEkkj2t8gq"
  />
  <script
    src="https://trustkit.matriigo.com/trustkit.js"
    trustkit-dropin="true"
    trustkit-sitekey="trustkit_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  ></script>
</form>
Option 2: Get the completed token using the window.TrustKit.getToken() API:
window.TrustKit.getToken() // Returns undefined if not completed or a string if completed.
In the admin dashboard, you can enable "under attack mode". This treats every user like an attacker, making it take 15-30 seconds to confirm they are not a robot.
This endpoint is used to validate a challenge token after a user completes the TrustKit widget. It verifies the token and returns whether it is valid.
POST https://trustkit.matriigo.com/api/v1/validate_challenge
secret (string, required): Your site's secret key (from dashboard)
response (string, required): The challenge token received from the widget
remoteip (string, optional): The user's IP address (optional, for extra validation)

Example request body:
{
  "secret": "trustkit_secret_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "response": "challenge_token_from_widget",
  "remoteip": "203.0.113.42"
}
Example success response:
{
  "success": true,
  "ip_match": true,
  "challenge_ts": "2024-06-01T12:34:56.789Z"
}

Example error responses:
{
  "success": false,
  "error-codes": ["invalid-input-secret"]
}
{
  "success": false,
  "error-codes": ["timeout-or-duplicate"]
}
ip_match will be true if the request IP matches remoteip (if provided).
challenge_ts is the timestamp when the challenge was created.
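
A server-side check of the submitted trustkit_token against the validate_challenge endpoint described above, as an added example that is not TrustKit's own code. The function names, the JSON Content-Type header and the five-minute MAX_AGE_MS freshness policy are assumptions; the endpoint, field names and error codes are the ones shown on this page.

```javascript
// Added example, not TrustKit's own code. Endpoint, fields and error codes are
// from the page; function names and MAX_AGE_MS are assumptions.
const VALIDATE_URL = "https://trustkit.matriigo.com/api/v1/validate_challenge";
const MAX_AGE_MS = 5 * 60 * 1000; // assumed local policy: challenge at most 5 minutes old

// Build the request body; returns null when no token was submitted
// (window.TrustKit.getToken() returns undefined until the widget completes).
function buildValidationBody(secret, token, remoteip) {
  if (typeof token !== "string" || token.length === 0) return null;
  const body = { secret, response: token };
  if (remoteip) body.remoteip = remoteip;
  return body;
}

// Decide whether to admit the request. Anything unexpected fails closed.
function evaluateValidation(result, { sentRemoteIp = false, now = Date.now() } = {}) {
  if (!result || result.success !== true) {
    const codes = (result && result["error-codes"]) || ["malformed-response"];
    return { ok: false, reason: codes.join(",") };
  }
  if (sentRemoteIp && result.ip_match !== true) return { ok: false, reason: "ip-mismatch" };
  const age = now - Date.parse(result.challenge_ts); // NaN if the field is missing
  if (Number.isNaN(age) || age > MAX_AGE_MS) return { ok: false, reason: "stale-challenge" };
  return { ok: true, reason: null };
}

// Call from the form handler with the posted trustkit_token (Node 18+ global fetch).
// The secret key stays on the server and is never sent to the browser.
async function verifyTrustKitToken(secret, token, remoteip) {
  const body = buildValidationBody(secret, token, remoteip);
  if (body === null) return { ok: false, reason: "missing-token" };
  try {
    const res = await fetch(VALIDATE_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json" }, // assumed: the page shows a JSON body
      body: JSON.stringify(body),
    });
    if (!res.ok) return { ok: false, reason: "http-" + res.status };
    return evaluateValidation(await res.json(), { sentRemoteIp: Boolean(remoteip) });
  } catch (err) {
    return { ok: false, reason: "validation-unreachable" }; // do not admit on outage
  }
}
```

Only proceed with the protected action when the returned ok is true; a "timeout-or-duplicate" reason means the token was already used or has expired and the user must complete the widget again.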