The strongest bot mitigation setup combines several controls. You can start in the Privy dashboard and then add sitewide protections.

1. Enable invisible CAPTCHA

Privy supports invisible CAPTCHA with Cloudflare Turnstile and hCaptcha. Enable CAPTCHA in App settings > Advanced. When using hCaptcha, configure the risk tolerance setting to define how strictly suspicious attempts are blocked.
If a strict CSP is enabled, add the CAPTCHA provider's domains to the directives that govern its script, frame, and network requests (such as script-src and frame-src), or the widget will fail to load. See the CSP guide.
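The following is an added example, not code from Privy or its CSP guide. It merges the sources a CAPTCHA provider needs into an existing strict policy rather than hand-editing the header. The per-provider source lists are taken from the Cloudflare Turnstile and hCaptcha documentation as understood at the time of writing and are an assumption to verify against the current provider docs before shipping.

```javascript
// Added example (not Privy's code): merge CAPTCHA provider sources into a CSP.
// Provider source lists below are assumed from Turnstile/hCaptcha docs; verify them.
const CAPTCHA_SOURCES = {
  turnstile: {
    'script-src': ['https://challenges.cloudflare.com'],
    'frame-src': ['https://challenges.cloudflare.com'],
  },
  hcaptcha: {
    'script-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
    'frame-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
    'style-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
    'connect-src': ['https://hcaptcha.com', 'https://*.hcaptcha.com'],
  },
};

// Parse "directive src src; directive src" into a Map of directive -> Set of sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), new Set(sources));
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy.entries()].map(([d, s]) => [d, ...s].join(' ')).join('; ');
}

// Add the provider's sources to the policy. A directive the base policy does not
// define inherits from default-src in the browser, so it is seeded from default-src
// before appending; 'none' is dropped because it cannot coexist with other sources.
function addCaptchaSources(header, provider) {
  const extra = CAPTCHA_SOURCES[provider];
  if (!extra) throw new Error(`unknown CAPTCHA provider: ${provider}`);
  const policy = parseCsp(header);
  const fallback = policy.get('default-src') || new Set();
  for (const [directive, sources] of Object.entries(extra)) {
    const current = policy.get(directive) || new Set(fallback);
    current.delete("'none'");
    for (const src of sources) current.add(src);
    policy.set(directive, current);
  }
  return serializeCsp(policy);
}

// Usage: constructed strict policy with a nonce and no frames allowed.
const STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-src 'none'";
console.log(addCaptchaSources(STRICT_CSP, 'turnstile'));
```

Running the usage line keeps the nonce on script-src, replaces the frame-src 'none' with the Turnstile origin, and leaves default-src untouched, which is the minimal widening a strict policy needs. Applying the function twice is harmless because sources are stored in a Set.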

2. Block low-quality email signups

On the Authentication page, enable email restrictions that reduce throwaway account creation:
  • Block temporary email domains
  • Disable plus-aliases in email addresses (for example user+tag@example.com), which otherwise let one mailbox register many accounts
Privy uses mailchecker to identify temporary email domains.
Blocking + aliases increases friction for abuse, but may also impact legitimate alias usage. Choose this setting based on your app’s risk profile.

3. Block VOIP numbers for phone login

On the Authentication page, enable VOIP blocking for phone login. If SMS or WhatsApp login is enabled, block VOIP numbers to reduce disposable phone signups and OTP abuse.

4. Use the denylist for repeat offenders

Use the denylist to block known bad users from logging in or creating new accounts. Supported denylist entries include:
  • Email addresses
  • Email domains
  • Phone numbers
  • EVM wallet addresses
  • Solana wallet addresses
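The dashboard toggles in sections 2 through 4 are server-side decisions; the block below is an added example, not Privy's code, showing the same checks implemented as a pre-signup gate so they can be unit-tested and logged. The disposable-domain list and denylist entries are constructed sample data; a real deployment would load the disposable list from mailchecker and the denylist from your own store. The normalization rules (lowercase email, E.164 phone, case-insensitive EVM hex, base58 Solana key) are the author's assumptions about sensible matching, not a description of how Privy matches entries.

```javascript
// Added example (not Privy's code): a pre-signup gate mirroring the plus-alias,
// disposable-domain and denylist controls. All lists are constructed sample data.
const DISPOSABLE_DOMAINS = new Set(['mailinator.com', 'tempmail.example']);

const DENYLIST = {
  emails: new Set(['abuser@example.com']),
  emailDomains: new Set(['badactor.example']),
  phones: new Set(['+15555550123']),
  // EVM addresses are stored lowercase; EIP-55 checksums only vary letter case.
  evmWallets: new Set(['0x000000000000000000000000000000000000dead']),
  solanaWallets: new Set(['11111111111111111111111111111111']),
};

// Split on the last '@' so a quoted local part containing '@' cannot smuggle a domain.
function parseEmail(raw) {
  const email = String(raw).trim().toLowerCase();
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return null;
  const local = email.slice(0, at);
  const domain = email.slice(at + 1);
  return { local, domain, hasPlusAlias: local.includes('+') };
}

// E.164: leading '+', 7-15 digits, no leading zero; formatting characters stripped first.
function normalizePhone(raw) {
  const digits = String(raw).replace(/[\s().-]/g, '');
  return /^\+[1-9]\d{6,14}$/.test(digits) ? digits : null;
}

function normalizeEvm(raw) {
  const addr = String(raw).trim();
  return /^0x[0-9a-fA-F]{40}$/.test(addr) ? addr.toLowerCase() : null;
}

// Base58 alphabet (no 0, O, I, l); a 32-byte public key encodes to 32-44 characters.
function normalizeSolana(raw) {
  const addr = String(raw).trim();
  return /^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(addr) ? addr : null;
}

// Returns { allowed, reason }. `opts` mirrors the dashboard toggles; checks are
// ordered so invalid input is rejected before any list is consulted.
function gateSignup({ email, phone, evmWallet, solanaWallet }, opts = {}) {
  const { blockPlusAliases = true, blockDisposable = true } = opts;
  const deny = (reason) => ({ allowed: false, reason });

  if (email !== undefined) {
    const e = parseEmail(email);
    if (!e) return deny('invalid_email');
    if (blockPlusAliases && e.hasPlusAlias) return deny('plus_alias');
    if (blockDisposable && DISPOSABLE_DOMAINS.has(e.domain)) return deny('disposable_domain');
    if (DENYLIST.emails.has(`${e.local}@${e.domain}`)) return deny('denylist_email');
    if (DENYLIST.emailDomains.has(e.domain)) return deny('denylist_domain');
  }
  if (phone !== undefined) {
    const p = normalizePhone(phone);
    if (!p) return deny('invalid_phone');
    if (DENYLIST.phones.has(p)) return deny('denylist_phone');
  }
  if (evmWallet !== undefined) {
    const w = normalizeEvm(evmWallet);
    if (!w) return deny('invalid_evm_address');
    if (DENYLIST.evmWallets.has(w)) return deny('denylist_evm');
  }
  if (solanaWallet !== undefined) {
    const w = normalizeSolana(solanaWallet);
    if (!w) return deny('invalid_solana_address');
    if (DENYLIST.solanaWallets.has(w)) return deny('denylist_solana');
  }
  return { allowed: true, reason: null };
}

// Usage with constructed inputs.
console.log(gateSignup({ email: 'Alice+promo@Example.com' }));
console.log(gateSignup({ phone: '+1 (555) 555-0123' }));
```

The normalization step is the part worth getting right: without it, a denylisted EVM address re-submitted with different checksum casing, or a phone number with spaces and dashes, would slip past an exact-match list. The `reason` codes are what you would feed into the signup-quality review the page recommends.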

5. Add sitewide Cloudflare protections

Privy controls are strongest when paired with edge protection in front of your app. A practical Cloudflare setup usually includes:
  • Bot management or Super Bot Fight Mode
  • Managed Challenge on high-risk pages like sign up and login
  • Blocking or challenging high-risk traffic segments for your app’s threat model

6. Add supporting controls

For stronger defense in depth, also configure:
  • Allowed domains to prevent unauthorized client usage of your app ID
  • Allowed OAuth redirects to reduce OAuth abuse risk
  • MFA for sensitive or high-value actions
  • Only the login methods your app actually needs, to reduce attack surface
Anti-bot strategy should evolve with traffic patterns. Review signup quality, OTP volume, and conversion rates on a regular cadence.

FAQ

CAPTCHA providers do not share specific details about why an individual attempt is classified as bot-like traffic. As a workaround, users can try:
  • Disabling VPN, proxy, or traffic filtering tools
  • Trying an incognito/private window to identify browser extension interference
  • Trying a different browser or device
  • Switching networks (for example, from public Wi-Fi to mobile data)
  • Retrying after a short wait

Privy does not recommend deleting users unless absolutely necessary. Blocking future access with the denylist is usually a better first step, since a deleted user can simply sign up again. If deletion is required, follow Deleting users.

Where Twilio delivers your SMS OTPs, enable Twilio Verify Fraud Guard, which detects and blocks SMS pumping, and review Twilio Verify geo-permissions to limit risky destination regions.