Server-Side Verification

Always verify the SilentShield nonce on your server. Client-side checks alone can be bypassed by bots.

Why Server-Side?

The widget runs in the browser and injects a nonce into forms. A bot could skip the widget and submit the form directly. Server-side verification ensures the nonce was legitimately issued and verified by SilentShield.

API Endpoint

Method: POST
URL: https://api.silentshield.io/api/v1/captcha/verify-nonce
Headers:
  X-Api-Key: YOUR_API_KEY
  Content-Type: application/json
Body:
  { "nonce": "the-nonce-from-the-form" }

Response Format

Response (JSON):
{
  "verdict": "human",
  "score": 0.92,
  "difficulty": "pass",
  "challenge_required": false
}

human — User is very likely human. Process the form.
suspicious — User may be a bot. Consider additional checks.
bot — High confidence this is a bot. Reject the form.

Recommended Logic

In most cases, check the verdict field:

Server-Side Logic (JavaScript):
if (verdict === "bot") {
    // reject the submission (403)
} else if (verdict === "suspicious") {
    // optionally require additional verification
} else {
    // process the form normally
}

Error Handling

If the SilentShield API is unreachable (timeout, 5xx error), decide on your strategy:

Fail open — Accept the form (better UX, less secure)
Fail closed — Reject the form (more secure, worse UX)

For most applications, we recommend fail open with logging. Critical forms (login, payment) should fail closed.
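
The verdict handling under Recommended Logic and the fail-open/fail-closed choice under Error Handling, combined into one Node.js function. This is an added example, not SilentShield's own code; `verifyNonce`, `decide`, the option names, the action labels, and the handling of a 4xx reply or an unrecognized verdict are assumptions.

```javascript
// Added example. Endpoint, header and response fields come from the page;
// function names, option names and action labels are assumptions.
const VERIFY_URL = "https://api.silentshield.io/api/v1/captcha/verify-nonce";
const ACTIONS = new Map([["human", "accept"], ["suspicious", "challenge"], ["bot", "reject"]]);

// Turn an API outcome into an action. `body` is the parsed response, or null
// when the API was unreachable (timeout, 5xx error).
function decide(body, failClosed) {
  const action = body ? ACTIONS.get(body.verdict) : undefined;
  if (action) return action;
  // No usable verdict: apply the outage policy rather than defaulting to accept.
  return failClosed ? "reject" : "accept";
}

async function verifyNonce(nonce, { apiKey, failClosed = false, timeoutMs = 3000,
                                    fetchImpl = fetch, log = console.warn } = {}) {
  // A bot that posts the form directly, skipping the widget, sends no nonce.
  if (typeof nonce !== "string" || nonce === "") return "reject";
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  let body = null;
  let failure = "";
  try {
    const res = await fetchImpl(VERIFY_URL, {
      method: "POST",
      headers: { "X-Api-Key": apiKey, "Content-Type": "application/json" },
      body: JSON.stringify({ nonce }),
      signal: ctrl.signal,
    });
    // Assumption: a 4xx means the request or nonce was refused, not an outage.
    if (res.status >= 400 && res.status < 500) return "reject";
    if (res.ok) body = await res.json();
    else failure = `HTTP ${res.status}`;
  } catch (err) {
    failure = (err && err.name) || "error"; // AbortError on timeout, TypeError on network failure
  } finally {
    clearTimeout(timer);
  }
  const action = decide(body, failClosed);
  if (failure) log(`SilentShield unreachable (${failure}), fail ${failClosed ? "closed" : "open"}: ${action}`);
  return action;
}
```

Call it with `failClosed: true` on login and payment handlers, and leave the default on other forms so an outage is logged but does not block submissions.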