Merge remote-tracking branch 'origin/main' into rok/2025-11-20-update-localization-docs

 Conflicts:
	docs/guides/localization.md

Author: rokostik

docs/getting-started/install.md

@@ -16,15 +16,17 @@ To create widgets from Javascript code, [see **Option B** below](#option-b-progr
 
 Add the following to your website's HTML:
 ```html
-<script type="module" src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.23/site.min.js" async defer></script>
-<script nomodule src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.23/site.compat.min.js" async defer></script>
+<script type="module" src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.31/site.min.js" async defer></script>
+<script nomodule src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.31/site.compat.min.js" async defer></script>
 ```
 
 ::::tip
-#### Using the scripts without a CDN
+#### Using the scripts without a CDN (i.e. self-hosting)
 
-You can [download the latest release files](https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.23/) and serve them from your own server.
+Using `cdn.jsdelivr.net` is optional. If preferred, you can self-host the scripts. [Download the latest release files](https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.31/) and serve them from your own server.
 Remember to update these scripts regularly.
+
+`cdn.jsdelivr.net` is blocked in some jurisdictions, like some parts of China. If your website needs to be reachable from these jurisdictions, we recommend that you self-host the scripts.
 ::::
 
 
@@ -54,7 +56,7 @@ You can install our NPM package to create widgets programmatically.
 npm install @friendlycaptcha/sdk
 
 # using yarn
-yan add @friendlycaptcha/sdk
+yarn add @friendlycaptcha/sdk
 ```
 
 

docs/getting-started/verify.md

@@ -59,7 +59,7 @@ The response body is a JSON object which has a `success` field that tells you wh
   "success": false,
   "error": {
     "error_code": "bad_request", // Error code, see the table below for possible values
-    "detail": "..." // A textual description of what went wrong.
+    "detail": "..." // Extra details (this is mainly intended for Friendly Captcha staff)
   },
 }
 

docs/guides/automated-testing.md

@@ -13,8 +13,9 @@ With this approach you can keep all other code in your application the same.
 
 ### IP or password-based gating
 If you perform automated end-to-end tests in production you may want to conditionally disable the captcha check for your test-runner.
-* If you know the IPs of the machines that run these tests you could whitelist those and skip the captcha check for those (or use the mocking approach above).
-* If you do not know the IP beforehand, you could have your test-runner put a secret in the form submission that you check for. In other words, you can specify a password that bypasses the captcha.
+
+* If you know the IPs of the machines that run these tests you could skip [CAPTCHA verification](../getting-started/verify) by adding the IPs to an allowlist in your code or infrastructure.
+* If you do not know the IP beforehand, you could have your test-runner put a secret in the form submission that you check for. In other words, you can specify a password that your backend will accept for bypassing [CAPTCHA verification](../getting-started/verify).
 
 ### Dynamic button enabling
 Many websites that have a form protected using Friendly Captcha will only enable the submit button after the captcha widget is finished to prevent users from submitting without a valid captcha solution. When you are using a browser automation tool you may want to enable the button despite the captcha not being completed, we advice you achieve this by executing a snippet of Javascript (which is something you can do in all browser testing automation tools).

docs/guides/migrating-from-hcaptcha.md

@@ -33,9 +33,9 @@ Instead you would replace the hCaptcha plugin and install a plugin that supports
     ```
     with the hCAPTCHA-compatible Friendly Captcha scripts.
     ```html
-    <script type="module" src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.23/contrib/hcaptcha-site.min.js"
+    <script type="module" src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.31/contrib/hcaptcha-site.min.js"
             async defer></script>
-    <script nomodule src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.23/contrib/hcaptcha-site.compat.min.js"
+    <script nomodule src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.31/contrib/hcaptcha-site.compat.min.js"
           async defer></script>
     ```
 

docs/guides/migrating-from-recaptcha.md

@@ -32,9 +32,9 @@ Instead you would replace the reCAPTCHA plugin and install a plugin that support
     ```
     with the reCAPTCHA-compatible Friendly Captcha scripts.
     ```html
-    <script type="module" src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.23/contrib/recaptcha-site.min.js"
+    <script type="module" src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.31/contrib/recaptcha-site.min.js"
             async defer></script>
-    <script nomodule src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.23/contrib/recaptcha-site.compat.min.js"
+    <script nomodule src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.31/contrib/recaptcha-site.compat.min.js"
           async defer></script>
     ```
 

docs/guides/self-hosted-endpoint.md

@@ -0,0 +1,146 @@
+# Self-Hosted Endpoint
+
+:::info
+
+The Self-Hosted Endpoint feature is only available for Friendly Captcha v2.
+
+:::
+
+When a customer website or application loads a Friendly Captcha widget, the widget makes a number of requests to the Friendly Captcha API. The API endpoint is `global.frcapi.com`, or `eu.frcapi.com` for customers who use [the EU Endpoint](./eu-endpoint). Friendly Captcha offers the **Self-Hosted Endpoint** feature for customers who prefer to route all end-user traffic through their own infrastructure.
+
+To use a Self-Hosted Endpoint, customers operate a proxy server that forwards widget requests to the Friendly Captcha API. Because the Friendly Captcha service depends on data sent by the widget, it is important to ensure that a Self-Hosted Endpoint correctly forwards that data.
+
+## Setup
+
+There are 3 steps to setting up a Self-Hosted Endpoint, explained in detail below.
+
+1. [Generate a proxy key in the Friendly Captcha dashboard.](#1-generate-a-proxy-key)
+2. [Configure your web server to proxy widget requests to the Friendly Captcha API.](#2-configure-your-web-server)
+3. [Configure your widget to use your Self-Hosted Endpoint.](#3-configure-your-site-or-apps-widget)
+
+### 1. Generate a proxy key
+
+To verify that proxied widget requests come from your infrastructure, you must set a header that contains a proxy key. You can generate a key in the [Friendly Captcha dashboard](https://app.friendlycaptcha.eu/dashboard/accounts/-/keys/proxy). Make sure to generate a **Proxy Key**; API keys are not accepted. Store the generated key somewhere safe and retrievable—Friendly Captcha doesn't keep a copy of the key, so you will have to regenerate it if you lose it. You will use this proxy key in the next step.
+
+### 2. Configure your web server
+
+You need to configure your web server to forward the following requests to the Friendly Captcha API:
+
+```
+GET  /api/v2/captcha/agent
+GET  /api/v2/captcha/widget
+GET  /api/v2/captcha/ping
+POST /api/v2/captcha/activate
+POST /api/v2/captcha/quote
+POST /api/v2/captcha/redeem
+```
+
+For these requests, your server should forward the request in its entirety, including all headers. Additionally, the forwarded requests should include two ***extra*** headers:
+
+1. `X-Frc-Proxy-Key`: The proxy key you generated in the Friendly Captcha dashboard.
+2. `X-Frc-Proxy-Client-IP`: The original (source) IP address of the end user.
+
+Forward the requests to this endpoint (i.e., the upstream server):
+
+```
+https://global.proxy.frcapi.com
+```
+
+If you have access to [the EU Endpoint](./eu-endpoint.md), you may alternatively forward the requests to this endpoint:
+
+```
+https://eu.proxy.frcapi.com
+```
+
+[See below](#example-routing-configurations) for examples of how to configure a server to correctly proxy the widget requests.
+
+:::warning Note
+
+If you don't forward the entire request and its headers, the widget may still be functional, but the service will operate in a degraded state. If you forget either of the additional proxy headers (`X-Frc-Proxy-Key` and `X-Frc-Proxy-Client-IP`), the widget will display an error message. 
+
+:::
+
+### 3. Configure your site or app's widget
+
+The final step is to configure your server's URL as the API endpoint for your widget. This will ensure that the widget sends its requests to your server (which will then forward them to the upstream Friendly Captcha API). If your server's URL is `https://example.com` and you configure the widget using HTML `data-` attributes, your markup will look something like this:
+
+```html
+<div class="frc-captcha" data-sitekey="<my sitekey>" data-api-endpoint="https://example.com"></div>
+```
+
+If you configure the widget using the JavaScript SDK, your code will look something like this:
+
+```js
+import { FriendlyCaptchaSDK } from "@friendlycaptcha/sdk"
+const sdk = new FriendlyCaptchaSDK();
+
+const mount = document.querySelector(".my-widget");
+const widget = sdk.createWidget({
+    element: mount,
+    sitekey: "<my sitekey>",
+    apiEndpoint: "https://example.com",
+});
+```
+
+For more documentation, see the page on [configuring the Friendly Captcha widget](../sdk/configuration.md).
+
+## Example Routing Configurations
+
+Provided below are some example Self-Hosted Endpoints configurations for popular web server technologies. If you copy and paste the configuration, make sure to replace `<% PROXY KEY %>` with your real proxy key, and verify that you're using the correct upstream Friendly Captcha API endpoint.
+
+### Apache
+
+```
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule headers_module modules/mod_headers.so
+
+<LocationMatch "^/api/v2/captcha/(agent|widget|ping|activate|quote|redeem)(/.*)?$">
+    RequestHeader set X-Frc-Proxy-Key "<% PROXY KEY %>"
+    RequestHeader set X-Frc-Proxy-Client-IP expr=%{REMOTE_ADDR}
+
+    ProxyPass https://global.proxy.frcapi.com
+    ProxyPassReverse https://global.proxy.frcapi.com
+</LocationMatch>
+```
+
+### Caddy
+
+```
+@captcha_paths path_regexp ^/api/v2/captcha/(agent|widget|ping|activate|quote|redeem)(/.*)?$
+
+reverse_proxy  @captcha_paths https://global.proxy.frcapi.com {
+    header_up X-Frc-Proxy-Key "<% PROXY KEY %>"
+    header_up X-Frc-Proxy-Client-IP {remote_host}
+}
+```
+
+### HAProxy
+
+```
+frontend http-in
+    # other frontend configuration...
+
+    acl is_captcha_path path_reg ^/api/v2/captcha/(agent|widget|ping|activate|quote|redeem)(/.*)?$
+    use_backend captcha_paths if is_captcha_path
+
+backend captcha_paths
+    mode http
+
+    http-request set-header X-Frc-Proxy-Key "<% PROXY KEY %>"
+    http-request set-header X-Frc-Proxy-Client-IP %[src]
+
+    # Note: the path to the certificates file may be different for your OS.
+    server frc_api global.proxy.frcapi.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
+```
+
+### NGINX
+
+```
+location ~ ^/api/v2/captcha/(agent|widget|ping|activate|quote|redeem)(/.*)?$ {
+    proxy_set_header X-Frc-Proxy-Key <% PROXY KEY %>;
+    proxy_set_header X-Frc-Proxy-Client-IP $remote_addr;
+
+    proxy_pass https://global.proxy.frcapi.com;
+}
+```

docs/guides/upgrading-from-v1/script.md

@@ -13,9 +13,9 @@ Replace the `friendly-challenge` scripts
   ```
   with the new `@friendlycaptcha/sdk` scripts
   ```html
-  <script type="module" src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.23/site.min.js"
+  <script type="module" src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.31/site.min.js"
           async defer></script>
-  <script nomodule src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.23/site.compat.min.js"
+  <script nomodule src="https://cdn.jsdelivr.net/npm/@friendlycaptcha/sdk@0.1.31/site.compat.min.js"
         async defer></script>
   ```
 ## 2. 🇪🇺 Update custom API endpoints

docs/introduction/v1-and-v2.md

@@ -26,15 +26,11 @@ v1 will keep working! We will maintain it moving forward for multiple years.
 
 At some point down the road we will not allow newly created apps to use v1, but existing apps will still continue to work.
 
-## When can I upgrade?
-
-You may already be eligible—accounts created after May 1, 2024 automatically have access to v2. You can find out if you do by navigating to the [Create New App](https://app.friendlycaptcha.eu/dashboard/accounts/-/apps/create) page. In the **Friendly Captcha Version** step, if you can select v2, you're all set.
-
-Over the next 6 months, we will be rolling out v2 access to the rest of our customers. If you're ready to upgrade now, feel free to reach out using [**this form**](https://tally.so/r/n0MGDA) and a member of our team will help you get access.
-
 ## How do I upgrade?
 
-After v2 is enabled for your account, you can [follow the upgrade guide](./guides/upgrading-from-v1).
+v2 is available to all customers and we highly recommend it. Please [follow the upgrade guide](/docs/v2/guides/upgrading-from-v1).
+
+If you're an **Enterprise** customer, please [contact support](https://friendlycaptcha.com/support/) so that we can help you upgrade to v2!
 
 ## How can I tell if I'm using v1 or v2?
 

docs/sdk/events.md

@@ -28,7 +28,7 @@ You can listen to events using `HTMLElement.addEventListener` or `widget.addEven
 
   myWidget.addEventListener("frc:widget.error", function(event) {
       console.error("Widget ran into an error:", event.detail.error);
-      myButton.disabled = true;
+      myButton.disabled = false;
   });
 
   myWidget.addEventListener("frc:widget.expire", function(event) {

docs/sdk/lifecycle.md

@@ -4,7 +4,7 @@ The widget has a fixed set of states it can be in.
 
 Usually the only states you have to care about are the following:
 * `completed`: the captcha has been completed, you can enable the button to submit and verification should pass.
-* `error`: something went wrong. You should disable the submit button.
+* `error`: something went wrong. Enable the button to submit so that the error can be investigated.
 * `expired`: the user waited too long and needs to restart. You should disable the submit button.
 * `destroyed`: You called `destroy()` on the widget which cleans it up entirely, it can no longer be used.