# Testing Forms with Captcha

The whole point of Captcha (e.g. [Recaptcha](https://www.google.com/recaptcha/intro/v3.html)) to ensure the forms filled out by a human. So we cannot simply bypass it with automating tests. However we can still test the forms if we persuade the application under test that we are a trusted source. For example, the application uses a token-based authentication. From Puppetry side by using `page.runjs` command we can login under a test account and provide to the application the received token as certificate. The application checks if the token valid and disable Captcha for the session (obviously not on the production environment). Let's say we feed to `page.runjs` the following function:

```javascript
const rsp = await fetch( "https://rest-api-sandbox.local/api/v1/login", {
    method: 'POST',         
    body: JSON.stringify({
      email: process.env.QA_EMAIL
      password: process.env.QA_PASSWORD
    })
});
ENV.SESSION_TOKEN = rsp.json().token;
```

{% hint style="info" %}
As you can see define a dynamic template variable  as `ENV.<VARIABLE NAME>`. The same way template variables can be accessed in the code .&#x20;
{% endhint %}

Next we can use `page.setCookie` command to pass the retrieved token to the app server:

![](https://3461068122-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LdyKJ-zzeS2hB7DF04J%2F-LhFtckY-SEU0gzUvrXq%2F-LhG7dAUYg2IS86LxIEP%2FP2-captcha-setCookie.png?alt=media\&token=c8eb655c-42b1-42e8-b3e9-9b09914e7250)

The application server validates the token if any available in TRUSTED\_CLIENT\_TOKEN cookie and disables the captcha for the session.