Skip to main content
Spike offers multiple layers of spam protection to keep your forms secure.

Honeypot Field

The simplest spam protection. Add a hidden field that bots will fill out: 
<form action="https://spike.ac/api/f/YOUR_FORM_SLUG" method="POST">
  <input type="email" name="email" required>
  <textarea name="message" required></textarea>
  
  <!-- Honeypot - bots will fill this, humans won't see it -->
  <input 
    type="text" 
    name="_gotcha" 
    style="display:none" 
    tabindex="-1" 
    autocomplete="off"
  >
  
  <button type="submit">Send</button>
</form>
You can also configure a custom honeypot field name in your form settings.

reCAPTCHA

reCAPTCHA v2 (Checkbox)

  1. Get keys at google.com/recaptcha
  2. Enable reCAPTCHA in your form settings
  3. Add the widget to your form:
<script src="https://www.google.com/recaptcha/api.js" async defer></script>

<form action="https://spike.ac/api/f/YOUR_FORM_SLUG" method="POST">
  <input type="email" name="email" required>
  <textarea name="message" required></textarea>
  
  <div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>
  
  <button type="submit">Send</button>
</form>

reCAPTCHA v3 (Invisible)

For invisible protection: 
<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>

<form id="contact-form" action="https://spike.ac/api/f/YOUR_FORM_SLUG" method="POST">
  <input type="email" name="email" required>
  <textarea name="message" required></textarea>
  <input type="hidden" name="g-recaptcha-response" id="recaptcha-token">
  <button type="submit">Send</button>
</form>

<script>
document.getElementById('contact-form').addEventListener('submit', async (e) => {
  e.preventDefault();
  
  const token = await grecaptcha.execute('YOUR_SITE_KEY', { action: 'submit' });
  document.getElementById('recaptcha-token').value = token;
  
  e.target.submit();
});
</script>

hCaptcha

Privacy-focused alternative to reCAPTCHA: 
<script src="https://js.hcaptcha.com/1/api.js" async defer></script>

<form action="https://spike.ac/api/f/YOUR_FORM_SLUG" method="POST">
  <input type="email" name="email" required>
  <textarea name="message" required></textarea>
  
  <div class="h-captcha" data-sitekey="YOUR_SITE_KEY"></div>
  
  <button type="submit">Send</button>
</form>

Cloudflare Turnstile

Cloudflare’s privacy-preserving CAPTCHA alternative: 
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>

<form action="https://spike.ac/api/f/YOUR_FORM_SLUG" method="POST">
  <input type="email" name="email" required>
  <textarea name="message" required></textarea>
  
  <div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY"></div>
  
  <button type="submit">Send</button>
</form>

Blocklists

Block specific emails, domains, IPs, or words in your form settings:
TypeExampleDescription
Emails[email protected]Block specific email addresses
Domainsspammer.comBlock all emails from a domain
IPs1.2.3.4Block submissions from an IP
Wordscrypto, viagraBlock submissions containing words

Work Email Validation

Require business email addresses by enabling “Require Work Email” in settings. This blocks common free email providers:
  • gmail.com
  • yahoo.com
  • hotmail.com
  • outlook.com
  • And 100+ more

ML Spam Filtering

Enable ML-based spam detection for advanced filtering. This analyzes:
  • Content patterns (crypto spam, phishing, etc.)
  • Email address patterns
  • Submission metadata
  • Link density
Configure the spam threshold (0-1) in your form settings. Higher values are more strict.

Rate Limiting

Prevent abuse with rate limiting:
SettingDefaultDescription
EnabledYesEnable/disable rate limiting
Count100Max submissions per window
Window3600Time window in seconds (1 hour)
When rate limited, submissions return a 429 Too Many Requests error.