Human Verification Modal for Anonymous Drupal Routes Using AJAX and Tokens

Staff Reporter

Drupal Commerce Streamlines Payment Setup with New Stripe Connect Integration

In a step-by-step tutorial, Andres Torres shows how to gate anonymous Drupal 10 routes behind a “verify you’re human” modal using Drupal’s AJAX API, expirable one-time tokens, and optional reCAPTCHA—offering a lightweight way to keep bots from hammering public endpoints.

The approach adds a custom access check that requires a single-use token, issues that token via an AJAX-loaded dialog form, and consumes it on success before the protected controller runs—no user accounts or heavy firewall rules required.

Route + access check: Validates a verify_token query parameter via a custom service using KeyValueExpirable.
AJAX modal form: Captures minimal data (e.g., email), optionally adds reCAPTCHA, and returns a one-time access link.
Controller guard: Confirms and consumes the token, then executes the protected functionality.
Theme-agnostic: Works with any theme; includes an optional JS behavior to close the dialog smoothly.

Ideal for public URLs where role-based access, throttling, or simple text CAPTCHAs aren’t enough, this pattern provides a clean UX while sharply reducing automated abuse.

Reference: Stop Bots in Their Tracks: Human Verification for Drupal Routes by Andres Torres (9 September 2025)

Drupal 10

Custom module

Disclosure: This content is produced with the assistance of AI.

Disclaimer: The opinions expressed in this story do not necessarily represent that of TheDropTimes. We regularly share third-party blog posts that feature Drupal in good faith. TDT recommends Reader's discretion while consuming such content, as the veracity/authenticity of the story depends on the blogger and their motives.

Note: The vision of this web portal is to help promote news and stories around the Drupal community and promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on these content policy. If you see any omission/variation on this please reach out to us at #thedroptimes channel on Drupal Slack and we will try to address the issue as best we can.