feat: add captcha byo mode doc (#2463)

pcaillaudm · web-flow · commit 06e7608d67b3 · 2026-03-13T14:26:46.000+01:00
diff --git a/docs/kratos/concepts/security.mdx b/docs/kratos/concepts/security.mdx
@@ -73,13 +73,13 @@ Ory OAuth2 and OpenID Connect is a certified OAuth2 and OpenID Connect provider.
 
 ## CAPTCHAs
 
-Ory Identities supports protecting the registration and login endpoints with CAPTCHA challenges. This is useful to prevent
-credential stuffing, brute force and other automated attacks.
+Ory Identities supports protecting self-service flows with CAPTCHA challenges. This is useful to prevent credential stuffing,
+brute force and other automated attacks.
 
-#### Prerequisites
+### Prerequisites
 
-Before proceeding, ensure you are on a plan that supports this feature. If you need CAPTCHA support, please
-[reach out](https://www.ory.com/contact).
+Before proceeding, ensure you are on a plan that supports this feature. If you need CAPTCHA support,
+[contact us](https://www.ory.com/contact).
 
 Supported CAPTCHA providers are:
 
@@ -92,25 +92,41 @@ Supported CAPTCHA providers are:
 
 1. Go to <ConsoleLink route="project.authentication" />.
 2. Toggle **CAPTCHA protection**.
-3. (optional) Add or remove domains from the **Allowed domains** list.
-
-- You must define at least one valid domain.
-- You can list up to 10 domains in total.
-
+3. Choose your preferred configuration mode:
+   - **Managed**: Our standard, zero-setup integrated Cloudflare Turnstile widget.
+     - Add or remove domains from the **Allowed domains** list.
+     - You must define at least one valid domain.
+     - You can list up to 10 domains in total.
+   - **Bring Your Own Keys**: Connect your existing Cloudflare Turnstile account to view detailed security analytics directly
+     within your own Cloudflare dashboard.
+     - Enter your Turnstile **Site Key** and **Secret Key**.
 4. Click **Save**.
-5. Navigate to your registration or login screen to test the CAPTCHA protection.
+5. Navigate to any protected self-service screen, for example the registration or login page, to test the CAPTCHA protection.
 
 ```mdx-code-block
 </TabItem>
 <TabItem value="cli" label="Ory CLI">
 ```
 
+Configure Managed Mode:
+
 ```shell
 ory patch identity-config --project <project-id> --workspace <workspace-id> \
-  --replace '/selfservice/mehods/captcha/enabled=true' \
+  --replace '/selfservice/methods/captcha/enabled=true' \
+  --replace '/selfservice/methods/captcha/config/byo=false' \
   --replace '/selfservice/methods/captcha/config/allowed_domains=["example.org", "foo.bar.dev"]'
 ```
 
+Configure BYO Mode:
+
+```shell
+ory patch identity-config --project <project-id> --workspace <workspace-id> \
+  --replace '/selfservice/methods/captcha/enabled=true' \
+  --replace '/selfservice/methods/captcha/config/byo=true' \
+  --replace '/selfservice/methods/captcha/config/cf_turnstile/sitekey=your-site-key' \
+  --replace '/selfservice/methods/captcha/config/cf_turnstile/secret=your-secret-key'
+```
+
 ```mdx-code-block
 </TabItem>
 </Tabs>
