diff --git a/backend/LexBoxApi/Controllers/LoginController.cs b/backend/LexBoxApi/Controllers/LoginController.cs
index a9f3defbd..20241a5bd 100644
--- a/backend/LexBoxApi/Controllers/LoginController.cs
+++ b/backend/LexBoxApi/Controllers/LoginController.cs
@@ -1,5 +1,7 @@
 using System.ComponentModel.DataAnnotations;
 using LexBoxApi.Auth;
+using LexBoxApi.Models;
+using LexBoxApi.Otel;
 using LexBoxApi.Services;
 using LexCore;
 using LexCore.Auth;
@@ -7,6 +9,7 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.ModelBinding;
 using Microsoft.EntityFrameworkCore;
 
 namespace LexBoxApi.Controllers;
@@ -20,18 +23,21 @@ public class LoginController : ControllerBase
     private readonly LoggedInContext _loggedInContext;
     private readonly EmailService _emailService;
     private readonly UserService _userService;
+    private readonly TurnstileService _turnstileService;
 
     public LoginController(LexAuthService lexAuthService,
         LexBoxDbContext lexBoxDbContext,
         LoggedInContext loggedInContext,
         EmailService emailService,
-        UserService userService)
+        UserService userService,
+        TurnstileService turnstileService)
     {
         _lexAuthService = lexAuthService;
         _lexBoxDbContext = lexBoxDbContext;
         _loggedInContext = loggedInContext;
         _emailService = emailService;
         _userService = userService;
+        _turnstileService = turnstileService;
     }
 
     [HttpGet("loginRedirect")]
@@ -101,9 +107,21 @@ public async Task<ActionResult> Logout()
 
     [HttpPost("forgotPassword")]
     [AllowAnonymous]
-    public async Task<ActionResult> ForgotPassword(string email)
+    [ProducesResponseType(StatusCodes.Status200OK)]
+    [ProducesErrorResponseType(typeof(Dictionary<string, string[]>))]
+    [ProducesDefaultResponseType]
+    public async Task<ActionResult> ForgotPassword(ForgotPasswordInput input)
     {
-        await _lexAuthService.ForgotPassword(email);
+        using var registerActivity = LexBoxActivitySource.Get().StartActivity("ForgotPassword");
+        var validToken = await _turnstileService.IsTokenValid(input.TurnstileToken, input.Email);
+        registerActivity?.AddTag("app.turnstile_token_valid", validToken);
+        if (!validToken)
+        {
+            ModelState.AddModelError<ForgotPasswordInput>(r => r.TurnstileToken, "token invalid");
+            return ValidationProblem(ModelState);
+        }
+
+        await _lexAuthService.ForgotPassword(input.Email);
         return Ok();
     }
 
diff --git a/backend/LexBoxApi/Models/ForgotPasswordInput.cs b/backend/LexBoxApi/Models/ForgotPasswordInput.cs
new file mode 100644
index 000000000..2da950b6c
--- /dev/null
+++ b/backend/LexBoxApi/Models/ForgotPasswordInput.cs
@@ -0,0 +1,7 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace LexBoxApi.Models;
+
+public record ForgotPasswordInput(
+    [EmailAddress] string Email,
+    string TurnstileToken);
diff --git a/frontend/src/lib/i18n/locales/en.json b/frontend/src/lib/i18n/locales/en.json
index 5f2928d91..745aa59e2 100644
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -244,7 +244,6 @@ the [Linguistics Institute at Payap University](https://li.payap.ac.th/) in Chia
     "label_name": "Name",
     "label_password": "Password",
     "name_missing": "Name missing",
-    "turnstile_error": "Captcha Error, try again"
   },
   "reset_password": {
     "title": "Reset Password",
@@ -326,5 +325,8 @@ the [Linguistics Institute at Payap University](https://li.payap.ac.th/) in Chia
   },
   "notifications": {
     "update_detected": "A new version of the application was detected. You may need to reload the page.",
+  },
+  "turnstile": {
+    "invalid": "Captcha Error, try again",
   }
 }
diff --git a/frontend/src/routes/(unauthenticated)/forgotPassword/+page.svelte b/frontend/src/routes/(unauthenticated)/forgotPassword/+page.svelte
index bcee7eb79..e9b42bf7b 100644
--- a/frontend/src/routes/(unauthenticated)/forgotPassword/+page.svelte
+++ b/frontend/src/routes/(unauthenticated)/forgotPassword/+page.svelte
@@ -1,19 +1,45 @@
 <script lang="ts">
   import { goto } from '$app/navigation';
-  import { Form, Input, lexSuperForm } from '$lib/forms';
+  import { ProtectedForm, Input, lexSuperForm, FormError } from '$lib/forms';
   import { SubmitButton } from '$lib/forms';
   import t from '$lib/i18n';
   import Page from '$lib/layout/Page.svelte';
-  import { toSearchParams } from '$lib/util/query-params';
   import { z } from 'zod';
 
+  type ForgotPasswordResponseErrors = {
+    errors: {
+      /* eslint-disable @typescript-eslint/naming-convention */
+      TurnstileToken?: unknown,
+      /* eslint-enable @typescript-eslint/naming-convention */
+    }
+  }
+
   const formSchema = z.object({
     email: z.string().email($t('register.email')),
   });
-  let { form, errors, enhance, submitting } = lexSuperForm(formSchema, async () => {
-    await fetch(`api/login/forgotPassword?${toSearchParams($form)}`, {
+
+  let turnstileToken = '';
+
+  let { form, errors, enhance, submitting, message } = lexSuperForm(formSchema, async () => {
+    const response = await fetch(`api/login/forgotPassword`, {
       method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+      },
+      body: JSON.stringify({
+        ...$form,
+        turnstileToken,
+      }),
     });
+
+    if (!response.ok) {
+      const { errors } = await response.json() as ForgotPasswordResponseErrors;
+      const turnstileError = !!errors.TurnstileToken;
+      if (!turnstileError) throw new Error('Unknown error', { cause: errors });
+      $message = $t('turnstile.invalid');
+      return;
+    }
+
     await goto('/forgotPassword/emailSent');
   }, {
     taintedMessage: null,
@@ -24,7 +50,8 @@
   <svelte:fragment slot="header">
     {$t('forgot_password.title')}
   </svelte:fragment>
-  <Form {enhance}>
+
+  <ProtectedForm {enhance} bind:turnstileToken>
     <Input
       id="email"
       label={$t('register.label_email')}
@@ -33,6 +60,7 @@
       bind:value={$form.email}
       error={$errors.email}
     />
+    <FormError error={$message} />
     <SubmitButton loading={$submitting}>{$t('forgot_password.send_email')}</SubmitButton>
-  </Form>
+  </ProtectedForm>
 </Page>
diff --git a/frontend/src/routes/(unauthenticated)/register/+page.svelte b/frontend/src/routes/(unauthenticated)/register/+page.svelte
index 6d4dde18c..99c1a800e 100644
--- a/frontend/src/routes/(unauthenticated)/register/+page.svelte
+++ b/frontend/src/routes/(unauthenticated)/register/+page.svelte
@@ -18,7 +18,7 @@
     const { user, error } = await register($form.password, $form.name, $form.email, turnstileToken);
     if (error) {
       if (error.turnstile) {
-        $message = $t('register.turnstile_error');
+        $message = $t('turnstile.invalid');
       }
       if (error.accountExists) {
         $errors.email = [$t('register.account_exists')];