tkhq · ethankonk · Mar 6, 2026
diff --git a/package.json b/package.json
@@ -67,6 +67,7 @@
       "@confio/ics23@0.6.8>protobufjs": ">=7.2.5",
       "protobufjs@>=6.10.0 <7.2.5": ">=7.2.5",
       "@babel/traverse": ">=7.23.2",
+      "@types/react": "^18.3.24",
       "follow-redirects": ">=1.15.4",
       "web3": ">=4.2.1",
       "web3-core": ">=4.2.1",

diff --git a/packages/core/scripts/codegen.js b/packages/core/scripts/codegen.js
@@ -104,6 +104,13 @@ const METHODS_WITH_ONLY_OPTIONAL_PARAMETERS = [
   "listUserTags",
 ];
 
+const CAPTCHA_PROTECTED_METHODS = [
+  "proxyInitOtp",
+  "proxySignup",
+  "proxyInitOtpV2",
+  "proxySignupV2",
+];
+
 /**
  * @param {string} methodName
  * @returns {string}
@@ -397,6 +404,7 @@ const generateSDKClientFromSwagger = async (
     async authProxyRequest<TBodyType, TResponseType>(
         url: string,
         body: TBodyType,
+        captchaToken?: string
     ): Promise<TResponseType> {
         if (!this.config.authProxyUrl || !this.config.authProxyConfigId) {
         throw new TurnkeyError("Auth Proxy URL or ID is not configured.", TurnkeyErrorCodes.INVALID_CONFIGURATION);
@@ -408,6 +416,10 @@ const generateSDKClientFromSwagger = async (
         "X-Auth-Proxy-Config-ID": this.config.authProxyConfigId,
         }
 
+        if (captchaToken) {
+        headers["X-Captcha-Token"] = captchaToken;
+        }
+
         const response = await fetch(fullUrl, {
         method: "POST",
         headers: headers,
@@ -657,15 +669,27 @@ const generateSDKClientFromSwagger = async (
     const inputType = `ProxyT${operationNameWithoutNamespace}Body`;
     const responseType = `ProxyT${operationNameWithoutNamespace}Response`;
 
-    codeBuffer.push(
-      `\n\t${methodName} = async (input: SdkTypes.${inputType}${
-        METHODS_WITH_ONLY_OPTIONAL_PARAMETERS.includes(methodName)
-          ? " = {}"
-          : ""
-      }): Promise<SdkTypes.${responseType}> => {
+    if (CAPTCHA_PROTECTED_METHODS.includes(methodName)) {
+      codeBuffer.push(
+        `\n\t${methodName} = async (input: SdkTypes.${inputType}${
+          METHODS_WITH_ONLY_OPTIONAL_PARAMETERS.includes(methodName)
+            ? " = {}"
+            : ""
+        }, captchaToken?: string): Promise<SdkTypes.${responseType}> => {
+      return this.authProxyRequest("${endpointPath}", input, captchaToken);
+    }`,
+      );
+    } else {
+      codeBuffer.push(
+        `\n\t${methodName} = async (input: SdkTypes.${inputType}${
+          METHODS_WITH_ONLY_OPTIONAL_PARAMETERS.includes(methodName)
+            ? " = {}"
+            : ""
+        }): Promise<SdkTypes.${responseType}> => {
       return this.authProxyRequest("${endpointPath}", input);
     }`,
-    );
+      );
+    }
   }
 
   // End of the TurnkeySDKClient Class Definition

diff --git a/packages/core/src/__clients__/core.ts b/packages/core/src/__clients__/core.ts
@@ -24,6 +24,7 @@ import {
   TurnkeyError,
   TurnkeyErrorCodes,
   AuthAction,
+  ProxyTInitOtpBody,
 } from "@turnkey/sdk-types";
 import {
   DEFAULT_SESSION_EXPIRATION_IN_SECONDS,
@@ -530,6 +531,7 @@ export class TurnkeyClient {
    * @param params.createSubOrgParams - parameters for creating a sub-organization (e.g., authenticators, user metadata).
    * @param params.sessionKey - session key to use for storing the session (defaults to the default session key).
    * @param params.organizationId - organization ID to target (defaults to the session's organization ID or the parent organization ID).
+   * @param params.captchaToken - optional captcha token for bot prevention during OTP initialization (must be enabled in the auth proxy config to take effect).
    * @returns A promise that resolves to a {@link PasskeyAuthResult}, which includes:
    *          - `sessionToken`: the signed JWT session token.
    *          - `credentialId`: the credential ID associated with the passkey created.
@@ -545,6 +547,7 @@ export class TurnkeyClient {
       createSubOrgParams,
       sessionKey = SessionKey.DefaultSessionkey,
       organizationId,
+      captchaToken,
     } = params || {};
 
     let generatedPublicKey: string | undefined = undefined;
@@ -589,7 +592,7 @@ export class TurnkeyClient {
           },
         });
 
-        const res = await this.httpClient.proxySignup(signUpBody);
+        const res = await this.httpClient.proxySignup(signUpBody, captchaToken);
 
         if (!res) {
           throw new TurnkeyError(
@@ -1108,6 +1111,7 @@ export class TurnkeyClient {
    * @param params.sessionKey - session key to use for storing the session (defaults to the default session key).
    * @param params.expirationSeconds - session expiration time in seconds (defaults to the configured default).
    * @param params.organizationId - organization ID to target (defaults to the session's organization ID or the parent organization ID).
+   * @param params.captchaToken - optional captcha token for bot prevention during OTP initialization (must be enabled in the auth proxy config to take effect).
    * @returns A promise that resolves to an object containing:
    *          - `sessionToken`: the signed JWT session token.
    *          - `address`: the authenticated wallet address.
@@ -1121,6 +1125,7 @@ export class TurnkeyClient {
       walletProvider,
       createSubOrgParams,
       sessionKey = SessionKey.DefaultSessionkey,
+      captchaToken,
     } = params;
 
     return withTurnkeyErrorHandling(
@@ -1161,7 +1166,10 @@ export class TurnkeyClient {
             },
           });
 
-          signupRes = await this.httpClient.proxySignup(signUpBody);
+          signupRes = await this.httpClient.proxySignup(
+            signUpBody,
+            captchaToken,
+          );
 
           if (!signupRes) {
             throw new TurnkeyError(
@@ -1218,13 +1226,22 @@ export class TurnkeyClient {
    * @param params.otpType - type of OTP to initialize (OtpType.Email or OtpType.Sms).
    * @param params.contact - contact information for the user (e.g., email address or phone number).
    * @param params.organizationId - optional organization ID to target (defaults to the session's organization ID or the parent organization ID).
+   * @param params.captchaToken - optional captcha token for bot prevention during OTP initialization (must be enabled in the auth proxy config to take effect).
    * @returns A promise that resolves to the OTP ID required for verification.
    * @throws {TurnkeyError} If there is an error during the OTP initialization process or if the maximum number of OTPs has been reached.
    */
   initOtp = async (params: InitOtpParams): Promise<string> => {
     return withTurnkeyErrorHandling(
       async () => {
-        const initOtpRes = await this.httpClient.proxyInitOtp(params);
+        const initOtpInput: ProxyTInitOtpBody = {
+          otpType: params.otpType,
+          contact: params.contact,
+        };
+
+        const initOtpRes = await this.httpClient.proxyInitOtp(
+          initOtpInput,
+          params.captchaToken,
+        );
 
         if (!initOtpRes || !initOtpRes.otpId) {
           throw new TurnkeyError(
@@ -1448,6 +1465,7 @@ export class TurnkeyClient {
    * @param params.createSubOrgParams - parameters for creating a sub-organization (e.g., authenticators, user metadata).
    * @param params.invalidateExisting - flag to invalidate existing session for the user.
    * @param params.sessionKey - session key to use for session creation (defaults to the default session key).
+   * @param params.captchaToken - optional captcha token for bot prevention during OTP initialization (must be enabled in the auth proxy config to take effect).
    * @returns A promise that resolves to a {@link BaseAuthResult}, which includes:
    *          - `sessionToken`: the signed JWT session token.
    * @throws {TurnkeyError} If there is an error during the OTP sign-up process or session storage.
@@ -1463,6 +1481,7 @@ export class TurnkeyClient {
       invalidateExisting,
       sessionKey,
       publicKey = await this.apiKeyStamper?.createKeyPair(),
+      captchaToken,
     } = params;
 
     // build sign up body without client signature first
@@ -1510,10 +1529,13 @@ export class TurnkeyClient {
           signature: signature,
         };
 
-        const signupRes = await this.httpClient.proxySignup({
-          ...signUpBody,
-          clientSignature,
-        });
+        const signupRes = await this.httpClient.proxySignup(
+          {
+            ...signUpBody,
+            clientSignature,
+          },
+          captchaToken,
+        );
 
         if (!signupRes) {
           throw new TurnkeyError(
@@ -1577,6 +1599,7 @@ export class TurnkeyClient {
    * @param params.invalidateExisting - flag to invalidate existing sessions for the user.
    * @param params.sessionKey - session key to use for session creation (defaults to the default session key).
    * @param params.createSubOrgParams - parameters for sub-organization creation (e.g., authenticators, user metadata).
+   * @param params.captchaToken - optional captcha token for bot prevention during OTP initialization (must be enabled in the auth proxy config to take effect).
    * @returns A promise that resolves to an object containing:
    *          - `sessionToken`: the signed JWT session token.
    *          - `verificationToken`: the OTP verification token.
@@ -1597,6 +1620,7 @@ export class TurnkeyClient {
       invalidateExisting = false,
       sessionKey,
       createSubOrgParams,
+      captchaToken,
     } = params;
 
     return withTurnkeyErrorHandling(
@@ -1625,6 +1649,7 @@ export class TurnkeyClient {
             ...(invalidateExisting && { invalidateExisting }),
             ...(sessionKey && { sessionKey }),
             publicKey: publicKey!,
+            ...(captchaToken && { captchaToken }),
           });
 
           return {
@@ -1669,6 +1694,7 @@ export class TurnkeyClient {
    * @param params.createSubOrgParams - parameters for sub-organization creation (e.g., authenticators, user metadata).
    * @param params.invalidateExisting - flag to invalidate existing sessions for the user.
    * @param params.sessionKey - session key to use for session creation (defaults to the default session key).
+   * @param params.captchaToken - optional captcha token for bot prevention during OAuth completion (must be enabled in the auth proxy config to take effect).
    *
    * @returns A promise that resolves to an object containing:
    *          - `sessionToken`: the signed JWT session token.
@@ -1685,6 +1711,7 @@ export class TurnkeyClient {
       createSubOrgParams,
       invalidateExisting,
       sessionKey,
+      captchaToken,
     } = params;
 
     return withTurnkeyErrorHandling(
@@ -1726,6 +1753,7 @@ export class TurnkeyClient {
             }),
             ...(invalidateExisting && { invalidateExisting }),
             ...(sessionKey && { sessionKey }),
+            ...(captchaToken && { captchaToken }),
           });
 
           return {
@@ -1849,6 +1877,7 @@ export class TurnkeyClient {
    * @param params.providerName - name of the OAuth provider (e.g., "Google", "Apple").
    * @param params.createSubOrgParams - parameters for sub-organization creation (e.g., authenticators, user metadata).
    * @param params.sessionKey - session key to use for session creation (defaults to the default session key).
+   * @param params.captchaToken - optional captcha token for bot prevention during OTP initialization (must be enabled in the auth proxy config to take effect).
    * @returns A promise that resolves to a {@link BaseAuthResult}, which includes:
    *          - `sessionToken`: the signed JWT session token.
    * @throws {TurnkeyError} If there is an error during the OAuth sign-up or login process.
@@ -1862,6 +1891,7 @@ export class TurnkeyClient {
       providerName = "OpenID Connect Provider" + " " + Date.now(),
       createSubOrgParams,
       sessionKey,
+      captchaToken,
     } = params;
 
     return withTurnkeyErrorHandling(
@@ -1878,7 +1908,10 @@ export class TurnkeyClient {
           },
         });
 
-        const signupRes = await this.httpClient.proxySignup(signUpBody);
+        const signupRes = await this.httpClient.proxySignup(
+          signUpBody,
+          captchaToken,
+        );
 
         if (!signupRes) {
           throw new TurnkeyError(