Tenant Signup Protection
Overview
We protect the platform tenant/customer signup flow with Cloudflare Turnstile, a privacy-friendly CAPTCHA alternative that prevents automated bot signups without requiring users to solve visual puzzles.
This protection applies only to the tenant signup flow (when publishers create their accounts on the platform), not to end-user signups in tenant storefronts.
Configuration
Two environment variables are required:
CLOUDFLARE_TURNSTILE_SITE_KEY
CLOUDFLARE_TURNSTILE_SECRET_KEY
Both keys are available in the Cloudflare dashboard under Turnstile settings.
Challenge verification requires an outbound internet connection and API access to Cloudflare from the application servers.
Implementation
The validation is handled by App\Rules\CloudflareTurnstilePasses, which verifies the challenge response with Cloudflare's API during signup form submission.
We use managed challenge mode with the visible widget. The hidden/invisible version produces more false positives.
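As an added illustration of the server-side step described above (not the project's actual App\Rules\CloudflareTurnstilePasses code), this is what a Laravel validation rule that verifies the widget token against Cloudflare's siteverify endpoint could look like. The config key `services.turnstile.secret_key` (mapped from CLOUDFLARE_TURNSTILE_SECRET_KEY) and the error messages are assumptions.

```php
<?php

namespace App\Rules;

use Closure;
use Illuminate\Contracts\Validation\ValidationRule;
use Illuminate\Http\Client\ConnectionException;
use Illuminate\Support\Facades\Http;

// Hypothetical version of the rule described above. Assumes config/services.php
// maps 'turnstile.secret_key' to the CLOUDFLARE_TURNSTILE_SECRET_KEY variable.
class CloudflareTurnstilePasses implements ValidationRule
{
    // Cloudflare's server-side verification endpoint.
    private const VERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

    public function validate(string $attribute, mixed $value, Closure $fail): void
    {
        // The widget posts its token as `cf-turnstile-response`; reject anything
        // that is not a non-empty string before calling out to Cloudflare.
        if (! is_string($value) || $value === '') {
            $fail('The Turnstile challenge was not completed.');
            return;
        }
        try {
            $response = Http::asForm()->timeout(5)->post(self::VERIFY_URL, [
                'secret'   => config('services.turnstile.secret_key'),
                'response' => $value,
            ]);
        } catch (ConnectionException) {
            // Fail closed: an unreachable verifier must not let signups through.
            $fail('The Turnstile challenge could not be verified. Please try again.');
            return;
        }
        $result = $response->json() ?? [];
        // Cloudflare answers {"success": bool, "error-codes": [...], "hostname": ...};
        // tokens are single-use, so a replayed one fails with "timeout-or-duplicate".
        if (! $response->successful() || ($result['success'] ?? false) !== true) {
            logger()->warning('Turnstile verification failed', [
                'error-codes' => $result['error-codes'] ?? [],
            ]);
            $fail('The Turnstile challenge failed. Please try again.');
            return;
        }
        // The token records the host the widget ran on; require it to match the
        // host serving the signup form rather than another site using the key.
        if (($result['hostname'] ?? null) !== request()->getHost()) {
            $fail('The Turnstile challenge was issued for a different site.');
        }
    }
}
```

Attach the rule to the `cf-turnstile-response` field in the signup form request's validation rules so the check runs before the account is created.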
Future Considerations
We might extend this protection to end-user signups in tenant storefronts. However, this presents an additional challenge: each tenant operates on its own domain (either a subdomain of publica.la, or a fully custom branded domain), which would require per-tenant Turnstile configuration or a different implementation approach.