To safeguard registration against bots, Keycloak has integration with Google Recaptcha. To enable this you need to first go to Google Recaptcha and create an API key so that you can get your recaptcha site key and secret. (FYI, localhost works by default so you don't have to specify a domain). Next, go to the Keycloak Admin Console. Go to Authentication->Flows page. Select the 'registration' flow. Set the 'Recaptcha' requirement to 'Required'. Click on the 'Configure' button and enter in the Recaptcha site key and secret. Finally, you have to change Keycloak's default security headers. In the Admin Console, go to Settings->Security Defenses of your realm. Add a space and https://www.google.com to the values of both the X-Frame-Options and Content-Security-Policy headers. i.e. frame-src 'self' https://www.google.com That's it! You may want to edit register.ftl in your login theme to muck around with the placement and styling of the recaptcha button. Up to you.