To further protect our customers, VTEX will now enforce the reCAPTCHA orderForm configuration set in each account for all Checkout API requests, regardless of the roles associated with the user or application key.
Review your integrations
First you should review your integrations that use the Checkout API to place orders to your VTEX store, using the following endpoints:
The diagram below can help you assess whether an integration needs to be adjusted, according to your store's reCAPTCHA orderForm configuration and how requests made to these endpoints are authenticated:
Case 1: No changes are required in the integration, but your store might be at risk.
Your store does not use reCAPTCHA at Checkout and is therefore vulnerable to automated attacks, unless other protective measures are implemented in your integration.
Case 2: You need to adjust your integration, otherwise it might stop working.
Your store uses reCAPTCHA at Checkout, but is not ready to display it correctly in the user interface. Your development team should adjust your integrations.
Case 3: No changes are required in the integration.
Your store uses reCAPTCHA at Checkout and is ready to display it correctly in the user interface. Congratulations for following best practices in security!
You must make sure that the application key used to make the requests to the Place order from an existing cart ("Transaction") / Place order ("PlaceOrder") endpoints of the Checkout API has one of these License Manager resources in their roles:
- Checkout > CheckoutResources > Shopping Cart Full Access
- Catalog > Telesales > Assisted Sales
This includes predefined roles like Owner (Super Admin), Call center operator, and Checkout Admin, as well as custom roles including either of those specific resources.
Adjust your integrations
If your team identified that your integration requires attention, you must follow the instructions provided in the developer guide Implementing reCAPTCHA in integrations.
If you are implementing reCAPTCHA on a native mobile app, use reCAPTCHA v3. Otherwise, reCAPTCHA use v2.
Using the reCAPTCHA key returned by the Checkout, the reCAPTCHA widget should be rendered in the user interface of your mobile app/headless storefront (or similar) as described in the reCAPTCHA v2 or reCAPTCHA v3 documentation provided by Google.
After the shopper has completed the reCAPTCHA challenge, their response (
recaptchaToken) should be sent to the Checkout API to complete the purchase, as described in the Final validation section of Implementing reCAPTCHA in integrations. Checkout API will then verify the user's response using the provided token.
All integrations using Checkout API to place orders must be reviewed and adjusted before September 1, 2023. Applications that fail to render the reCAPTCHA widget and verify the user's response will not be able to place orders after this date.