hCaptcha integration missing required host parameter since #16171

[Tealk]

Describe the bug
Since updating to version 2025.8.1, Authentik no longer allows user registrations because the hCaptcha integration sends requests without the required "host" parameter. This causes hCaptcha to respond with a 403 Forbidden error, blocking the captcha verification and thus preventing registrations.

To Reproduce
Steps to reproduce the behavior:

1. Use Authentik version 2025.8.1 or later.
2. Attempt to register a new user through the registration flow that includes the hCaptcha captcha stage.
3. Observe the network requests sent to hCaptcha’s API (e.g., /checksiteconfig).
4. Notice that the "host" parameter in the request URL is empty or missing.
5. The hCaptcha API responds with HTTP 403 Forbidden, and the registration cannot be completed.

Expected behavior
The "host" parameter should be correctly set to the domain from which the registration request originates. This would allow hCaptcha to validate the request and permit user registrations to proceed normally.

Logs

Request URL
https://api.hcaptcha.com/checksiteconfig?v=XXX&host=&sitekey=XXX&sc=1&swa=1&spst=0
Request Method
POST
Status Code
403 Forbidden

[Tealk]

One more thing: if I turn off interactive mode the Captcha appears but then I get stuck in a loading loop and don't see any errors in the browser console.

[Tealk]

I think reCAPTCHA should also be integrated into hcaptcha:

authentik/web/src/flow/stages/captcha/CaptchaStage.ts

Line 565 in 62f0e67

if (captchaProvider === CaptchaProvider.reCAPTCHA) {

Change #16171 probably only considered reCAPTCHA and thus broke hCaptcha.

Maybe something like that?
if (captchaProvider === CaptchaProvider.reCAPTCHA || captchaProvider === CaptchaProvider.hCaptcha) {

[authentik-automation]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.