Add Redeyed Sentinel bot protection to your Shopify storefront forms — contact, newsletter, customer login, and customer registration.
Free to install. Rendering the widget is theme-only and costs nothing. Verification (actually checking the token) requires a server/app and your site's Redeyed Secret Key.
| Path | What it is |
|---|---|
snippets/redeyed-sentinel.liquid |
Liquid snippet that renders the Sentinel widget inside a form. |
config/settings_schema.json |
Settings fragment ("Redeyed Sentinel" group) to merge into your theme settings so the Site Key + Base URL are editable in the Theme Editor. |
INSTALL-liquid.md |
Step-by-step: add the snippet, merge settings, drop it into contact/login/register/newsletter forms. |
app-proxy-verify/ |
Minimal Node (Express) example that verifies the sentinel-token server-side, with patterns for App Proxy / headless / Functions. |
LICENSE |
MIT. |
-
Render (theme only). The snippet loads
sentinel.jsonce and drops a<div class="sentinel-captcha" data-sitekey="...">into your form. The widget injects a hiddensentinel-tokeninput on solve. The Site Key is public and safe to keep in the theme. -
Verify (server only). A server you control receives the submitted
sentinel-tokenand POSTs it to{base_url}/sentinel/siteverifywith your site's Secret Key in the request body (reCAPTCHA/Turnstile-style — no developer API key). The Secret Key must never be in the theme.
POST {base_url}/sentinel/siteverify
{ "secret": "<secret key>", "response": "<sentinel-token>", "remoteip": "<client ip>" }
response { "success": true|false, "outcome": "...", "score": N }
success when success === true
Shopify storefronts are Liquid themes — you cannot run arbitrary server code in
the storefront request path, and native forms (contact, customer_login,
create_customer, newsletter) post directly to Shopify. That means:
- The theme snippet can show the CAPTCHA but cannot block a submission on its own.
- True blocking requires a place you control the server: a Shopify App Proxy, a headless storefront (e.g. Hydrogen / custom frontend), or Shopify Functions / webhooks for after-the-fact moderation.
See app-proxy-verify/README.md for the recommended patterns. If you run a
standard theme with no app, treat verification as detection/moderation rather
than a hard block.
Both keys come from Redeyed Lab → Sentinel → Sites:
- Site Key (public) — paste into Theme Editor → Theme settings → Redeyed Sentinel. Still the key that renders the widget.
- Secret Key — set as
SENTINEL_SECRET_KEYon your server only. It is shown only once when you create the site, so store it safely.
- Follow
INSTALL-liquid.mdto render the widget on your forms. - (For enforcement) deploy
app-proxy-verify/and wire it into an App Proxy or headless handler.
MIT © 2026 Redeyed. See LICENSE.