diff --git a/.test/setup-env.js b/.test/setup-env.js
index bdf31b2524..69c2b8ebdf 100644
--- a/.test/setup-env.js
+++ b/.test/setup-env.js
@@ -17,6 +17,7 @@ process.env.ALGOLIA_ID = 'ooo';
 process.env.ALGOLIA_KEY = 'ooo';
 process.env.ALGOLIA_SEARCH_KEY = 'ooo';
 process.env.JWT_SIGNING_SECRET = 'shhhhhh';
+process.env.BYPASS_CAPTCHA = 'true';
 process.env.FIREBASE_TEST_DB_URL = 'http://localhost:9875?ns=pubpub-v6';
 process.env.ZOTERO_CLIENT_KEY = 'abc';
 process.env.ZOTERO_CLIENT_SECRET = 'def';
diff --git a/client/components/Altcha/Altcha.tsx b/client/components/Altcha/Altcha.tsx
new file mode 100644
index 0000000000..1289a6c381
--- /dev/null
+++ b/client/components/Altcha/Altcha.tsx
@@ -0,0 +1,199 @@
+import React, { forwardRef, useEffect, useImperativeHandle, useRef, useState } from 'react';
+
+import { usePageContext } from 'utils/hooks';
+
+export type AltchaRef = {
+	value: string | null;
+	verify: () => Promise<string>;
+};
+
+type AltchaProps = {
+	challengeurl?: string;
+	auto?: 'off' | 'onfocus' | 'onload' | 'onsubmit';
+	onStateChange?: (ev: Event | CustomEvent<{ payload?: string; state: string }>) => void;
+	style?: React.CSSProperties & Record<string, string>;
+};
+
+const DEFAULT_CHALLENGE_URL = '/api/captcha/challenge';
+
+type WidgetElement = HTMLElement & AltchaWidgetMethods;
+
+const Altcha = forwardRef<AltchaRef, AltchaProps>((props, ref) => {
+	const { challengeurl = DEFAULT_CHALLENGE_URL, auto, onStateChange, style } = props;
+	const { locationData } = usePageContext();
+	const devMode = !locationData.isProd;
+	const widgetRef = useRef<WidgetElement | null>(null);
+	const [value, setValue] = useState<string | null>(null);
+	const [loaded, setLoaded] = useState(false);
+	const [simulateFailure, setSimulateFailure] = useState(false);
+	const [widgetKey, setWidgetKey] = useState(0);
+	const valueRef = useRef<string | null>(null);
+	valueRef.current = value;
+
+	useEffect(() => {
+		import('altcha').then(() => setLoaded(true));
+	}, []);
+
+	const [altchaVisible, setAltchaVisible] = useState<boolean>(false);
+	// biome-ignore lint/correctness/useExhaustiveDependencies: widgetKey triggers re-attach after remount
+	useEffect(() => {
+		if (!loaded) return;
+		const w = widgetRef.current;
+		if (!w) return;
+		const handleStateChange = (ev: Event) => {
+			const e = ev as CustomEvent<{ payload?: string; state: string }>;
+			console.log('state changed', e.detail);
+
+			switch (e.detail.state) {
+				case 'error':
+				case 'code':
+				case 'unverified':
+					setAltchaVisible(true);
+					break;
+				case 'verifying':
+					if (devMode) {
+						setAltchaVisible(true);
+					}
+					break;
+				case 'verified':
+					if (e.detail.payload) {
+						setValue(e.detail.payload);
+						setAltchaVisible(false);
+					}
+					break;
+				default:
+					break;
+			}
+
+			onStateChange?.(e);
+		};
+		w.addEventListener('statechange', handleStateChange);
+		return () => w.removeEventListener('statechange', handleStateChange);
+	}, [loaded, onStateChange, widgetKey]);
+
+	// biome-ignore lint/correctness/useExhaustiveDependencies: widgetKey triggers re-bind after remount
+	useImperativeHandle(
+		ref,
+		() => ({
+			get value() {
+				return valueRef.current;
+			},
+			verify(): Promise<string> {
+				const w = widgetRef.current;
+				if (!w) return Promise.reject(new Error('Altcha widget not mounted'));
+				const current = valueRef.current;
+				if (current) return Promise.resolve(current);
+				return new Promise((resolve, reject) => {
+					const handler = (ev: Event) => {
+						const e = ev as CustomEvent<{ payload?: string; state: string }>;
+						const state = e.detail?.state;
+						if (state === 'verified' && e.detail?.payload) {
+							w.removeEventListener('statechange', handler);
+							resolve(e.detail.payload);
+							return;
+						}
+						if (state === 'error' || state === 'expired') {
+							w.removeEventListener('statechange', handler);
+							reject(new Error('Captcha verification failed'));
+						}
+					};
+					w.addEventListener('statechange', handler);
+					w.verify();
+				});
+			},
+		}),
+		[widgetKey],
+	);
+
+	const handleToggleFailure = () => {
+		setSimulateFailure((prev) => !prev);
+		setValue(null);
+		setWidgetKey((k) => k + 1);
+	};
+
+	const handleReset = () => {
+		setValue(null);
+		widgetRef.current?.reset();
+	};
+
+	if (!loaded) return null;
+
+	const devAttrs = devMode ? { debug: true, floatingpersist: 'focus' as const } : {};
+
+	const widget = (
+		<React.Fragment key={widgetKey}>
+			<altcha-widget
+				delay={500}
+				ref={widgetRef as any}
+				challengeurl={challengeurl}
+				{...(auto ? { auto } : {})}
+				floating="auto"
+				{...devAttrs}
+				{...(simulateFailure ? { mockerror: true } : {})}
+				style={{
+					display: altchaVisible ? 'block' : 'none',
+					zIndex: 1000,
+					...(style ? ({ style } as any) : {}),
+				}}
+				// disable very annoying wait alert
+				strings="{&quot;waitAlert&quot;:&quot;&quot;}"
+			/>
+		</React.Fragment>
+	);
+
+	if (!devMode) return widget;
+
+	return (
+		<div
+			style={{
+				display: 'flex',
+				alignItems: 'center',
+				gap: 6,
+				fontSize: 11,
+				color: '#5c7080',
+				padding: '2px 6px',
+				border: '1px dashed #5c7080',
+				borderRadius: 3,
+			}}
+		>
+			{widget}
+			<span style={{ fontWeight: 600 }}>Captcha</span>
+			<label
+				style={{
+					cursor: 'pointer',
+					display: 'inline-flex',
+					alignItems: 'center',
+					gap: 3,
+					color: simulateFailure ? '#db3737' : undefined,
+				}}
+			>
+				<input
+					type="checkbox"
+					checked={simulateFailure}
+					onChange={handleToggleFailure}
+					style={{ margin: 0 }}
+				/>
+				fail
+			</label>
+			<button
+				type="button"
+				onClick={handleReset}
+				style={{
+					fontSize: 11,
+					padding: '1px 6px',
+					cursor: 'pointer',
+					border: '1px solid #ced9e0',
+					borderRadius: 3,
+					background: 'white',
+					lineHeight: '16px',
+				}}
+			>
+				reset
+			</button>
+		</div>
+	);
+});
+
+Altcha.displayName = 'Altcha';
+
+export default Altcha;
diff --git a/client/components/Altcha/index.ts b/client/components/Altcha/index.ts
new file mode 100644
index 0000000000..236dd78b2e
--- /dev/null
+++ b/client/components/Altcha/index.ts
@@ -0,0 +1 @@
+export { type AltchaRef, default } from './Altcha';
diff --git a/client/components/GlobalControls/CreatePubButton.tsx b/client/components/GlobalControls/CreatePubButton.tsx
index aea3c48b5e..0329167eca 100644
--- a/client/components/GlobalControls/CreatePubButton.tsx
+++ b/client/components/GlobalControls/CreatePubButton.tsx
@@ -1,35 +1,72 @@
-import React, { useState } from 'react';
+import type * as types from 'types';
+
+import React, { useCallback, useRef, useState } from 'react';
 
 import { apiFetch } from 'client/utils/apiFetch';
+import { Altcha, Honeypot } from 'components';
 import { usePageContext } from 'utils/hooks';
 
 import GlobalControlsButton from './GlobalControlsButton';
 
 const CreatePubButton = () => {
 	const [isLoading, setIsLoading] = useState(false);
+	const altchaRef = useRef<import('components').AltchaRef>(null);
 	const { communityData } = usePageContext();
 
-	const handleCreatePub = () => {
-		setIsLoading(true);
-		return apiFetch
-			.post('/api/pubs', { communityId: communityData.id })
-			.then((newPub) => {
+	const handleCreatePub = useCallback(
+		async (evt: React.FormEvent<HTMLFormElement>) => {
+			evt.preventDefault();
+			const formData = new FormData(evt.currentTarget);
+			const honeypot = (formData.get('description') as string) ?? '';
+			setIsLoading(true);
+			try {
+				const altchaPayload = await altchaRef.current?.verify();
+				if (!altchaPayload) return;
+				const newPub = await apiFetch.post<types.Pub>('/api/pubs/fromForm', {
+					communityId: communityData.id,
+					altcha: altchaPayload,
+					_honeypot: honeypot,
+				});
 				window.location.href = `/pub/${newPub.slug}`;
-			})
-			.catch((err) => {
-				console.error(err);
+			} catch (error) {
+				console.error('Error in handleCreatePub', error);
+			} finally {
 				setIsLoading(false);
-			});
-	};
+			}
+		},
+		[communityData.id],
+	);
+
+	const formRef = useRef<HTMLFormElement>(null);
 
 	return (
-		<GlobalControlsButton
-			loading={isLoading}
-			aria-label="Create Pub"
-			onClick={handleCreatePub}
-			desktop={{ text: 'Create Pub' }}
-			mobile={{ icon: 'pubDocNew' }}
-		/>
+		<form
+			onSubmit={handleCreatePub}
+			ref={formRef}
+			// only relevant in dev
+			style={{ display: 'flex', alignItems: 'center', gap: '10px' }}
+		>
+			<Altcha
+				ref={altchaRef}
+				onStateChange={(state) => {
+					if (!isLoading) {
+						setIsLoading(true);
+					}
+					// 	@ts-ignore
+					if (state.detail.state === 'verified') {
+						setIsLoading(false);
+					}
+				}}
+			/>
+			<Honeypot name="description" />
+			<GlobalControlsButton
+				loading={isLoading}
+				aria-label="Create Pub"
+				type="submit"
+				desktop={{ text: 'Create Pub' }}
+				mobile={{ icon: 'pubDocNew' }}
+			/>
+		</form>
 	);
 };
 
diff --git a/client/components/Honeypot/Honeypot.tsx b/client/components/Honeypot/Honeypot.tsx
new file mode 100644
index 0000000000..88be37c7ab
--- /dev/null
+++ b/client/components/Honeypot/Honeypot.tsx
@@ -0,0 +1,54 @@
+import React from 'react';
+
+import { usePageContext } from 'utils/hooks';
+
+import './honeypot.scss';
+
+type HoneypotProps = {
+	name: string;
+};
+
+const Honeypot = (props: HoneypotProps) => {
+	const { name } = props;
+	const { locationData } = usePageContext();
+	const devMode = !locationData.isProd;
+
+	if (devMode) {
+		return (
+			<label
+				style={{
+					display: 'inline-flex',
+					alignItems: 'center',
+					gap: 4,
+					fontSize: 11,
+					color: 'orange',
+					fontWeight: 600,
+					padding: '2px 6px',
+					border: '1px dashed orange',
+					borderRadius: 3,
+				}}
+			>
+				Honeypot
+				<input
+					type="text"
+					name={name}
+					autoComplete="off"
+					style={{ width: 80, fontSize: 11, padding: '1px 4px' }}
+				/>
+			</label>
+		);
+	}
+
+	return (
+		<input
+			type="text"
+			className="honeypot-input"
+			name={name}
+			tabIndex={-1}
+			autoComplete="off"
+			aria-hidden="true"
+		/>
+	);
+};
+
+export default Honeypot;
diff --git a/client/components/Honeypot/honeypot.scss b/client/components/Honeypot/honeypot.scss
new file mode 100644
index 0000000000..a35b7dc422
--- /dev/null
+++ b/client/components/Honeypot/honeypot.scss
@@ -0,0 +1,8 @@
+.honeypot-input {
+	position: absolute;
+	left: -9999px;
+	width: 1px;
+	height: 1px;
+	opacity: 0;
+	pointer-events: none;
+}
diff --git a/client/components/Honeypot/index.ts b/client/components/Honeypot/index.ts
new file mode 100644
index 0000000000..e8624180f0
--- /dev/null
+++ b/client/components/Honeypot/index.ts
@@ -0,0 +1 @@
+export { default } from './Honeypot';
diff --git a/client/components/Layout/LayoutBanner.tsx b/client/components/Layout/LayoutBanner.tsx
index 5ae562b5aa..30689b18d0 100644
--- a/client/components/Layout/LayoutBanner.tsx
+++ b/client/components/Layout/LayoutBanner.tsx
@@ -1,9 +1,10 @@
-import React, { Component } from 'react';
+import React, { Component, createRef } from 'react';
 
-import { AnchorButton, Classes, Tooltip } from '@blueprintjs/core';
+import { AnchorButton, Button, Classes, Tooltip } from '@blueprintjs/core';
 import Color from 'color';
 
 import { apiFetch } from 'client/utils/apiFetch';
+import { Altcha, Honeypot } from 'components';
 import { getResizedUrl } from 'utils/images';
 
 import './layoutBanner.scss';
@@ -34,6 +35,8 @@ const createPubFailureText =
 	'Error creating a new Pub. You may want to refresh the page and try again.';
 
 class LayoutBanner extends Component<Props, State> {
+	altchaRef = createRef<import('components').AltchaRef>();
+
 	constructor(props: Props) {
 		super(props);
 		this.state = {
@@ -43,16 +46,25 @@ class LayoutBanner extends Component<Props, State> {
 		this.createPub = this.createPub.bind(this);
 	}
 
-	createPub() {
+	createPub(evt: React.FormEvent<HTMLFormElement>) {
+		evt.preventDefault();
+		const formData = new FormData(evt.currentTarget);
+		const honeypot = (formData.get('description') as string) ?? '';
 		const { communityData, content } = this.props;
 		this.setState({ isLoading: true, buttonError: null });
-		return apiFetch('/api/pubs', {
-			method: 'POST',
-			body: JSON.stringify({
-				communityId: communityData.id,
-				createPubToken: content.createPubToken,
-			}),
-		})
+		this.altchaRef.current
+			?.verify()
+			.then((altchaPayload) =>
+				apiFetch('/api/pubs/fromForm', {
+					method: 'POST',
+					body: JSON.stringify({
+						communityId: communityData.id,
+						createPubToken: content.createPubToken,
+						altcha: altchaPayload,
+						_honeypot: honeypot,
+					}),
+				}),
+			)
 			.then((newPub) => {
 				window.location.href = `/pub/${newPub.slug}`;
 				this.setState({ isLoading: false });
@@ -85,18 +97,37 @@ class LayoutBanner extends Component<Props, State> {
 			buttonUrl = 'signup';
 		}
 
-		const onButtonClick =
-			(isLoggedIn && buttonType === 'create-pub' && this.createPub) || undefined;
-
-		const button = (
-			<AnchorButton
-				className={Classes.LARGE}
-				onClick={onButtonClick}
-				loading={this.state.isLoading}
-				text={buttonText}
-				href={buttonUrl}
-			/>
-		);
+		// const onButtonClick =
+		// 	(isLoggedIn && buttonType === 'create-pub' && this.createPub) || undefined;
+
+		let button: React.ReactNode;
+
+		if (isLoggedIn && buttonType === 'create-pub') {
+			button = (
+				<form
+					onSubmit={this.createPub}
+					style={{ display: 'flex', alignItems: 'center', gap: '10px' }}
+				>
+					<Altcha ref={this.altchaRef} />
+					<Honeypot name="description" />
+					<Button
+						type="submit"
+						className={Classes.LARGE}
+						text="Create Pub"
+						loading={this.state.isLoading}
+					/>
+				</form>
+			);
+		} else {
+			button = (
+				<AnchorButton
+					className={Classes.LARGE}
+					href={buttonUrl}
+					loading={this.state.isLoading}
+					text={buttonText}
+				/>
+			);
+		}
 
 		return buttonError ? (
 			<Tooltip content={buttonError} defaultIsOpen={true}>
diff --git a/client/components/SpamStatusMenu/SpamStatusMenu.tsx b/client/components/SpamStatusMenu/SpamStatusMenu.tsx
new file mode 100644
index 0000000000..ea02c2f90c
--- /dev/null
+++ b/client/components/SpamStatusMenu/SpamStatusMenu.tsx
@@ -0,0 +1,78 @@
+import type { SpamStatus } from 'types';
+
+import React, { useCallback, useState } from 'react';
+
+import { apiFetch } from 'client/utils/apiFetch';
+import { Icon } from 'components';
+import { MenuButton, MenuItem, MenuItemDivider } from 'components/Menu';
+
+type Props = {
+	userId: string;
+	currentStatus?: SpamStatus | null;
+	onStatusChanged?: (status: SpamStatus | null) => void;
+	small?: boolean;
+};
+
+const statusLabels: Record<SpamStatus, { label: string; icon: string }> = {
+	'confirmed-spam': { label: 'Mark as spam', icon: 'cross' },
+	'confirmed-not-spam': { label: 'Mark as not spam', icon: 'tick' },
+	unreviewed: { label: 'Mark as unreviewed', icon: 'undo' },
+};
+
+const SpamStatusMenu = (props: Props) => {
+	const { userId, currentStatus = null, onStatusChanged, small = true } = props;
+	const [isLoading, setIsLoading] = useState(false);
+
+	const handleSetStatus = useCallback(
+		async (status: SpamStatus) => {
+			setIsLoading(true);
+			try {
+				await apiFetch.put('/api/spamTags/user', { status, userId });
+				onStatusChanged?.(status);
+			} finally {
+				setIsLoading(false);
+			}
+		},
+		[userId, onStatusChanged],
+	);
+
+	const handleRemoveTag = useCallback(async () => {
+		setIsLoading(true);
+		try {
+			await apiFetch.delete('/api/spamTags/user', { userId });
+			onStatusChanged?.(null);
+		} finally {
+			setIsLoading(false);
+		}
+	}, [userId, onStatusChanged]);
+
+	return (
+		<MenuButton
+			aria-label="Spam actions"
+			buttonContent="Spam"
+			buttonProps={{
+				icon: <Icon icon="flag" iconSize={small ? 12 : 14} />,
+				minimal: true,
+				small,
+				loading: isLoading,
+			}}
+		>
+			{(Object.keys(statusLabels) as SpamStatus[]).map((status) => (
+				<MenuItem
+					key={status}
+					text={statusLabels[status].label}
+					icon={status === currentStatus ? 'tick' : 'blank'}
+					onClick={() => handleSetStatus(status)}
+				/>
+			))}
+			{currentStatus && (
+				<>
+					<MenuItemDivider />
+					<MenuItem text="Remove spam tag" icon="trash" onClick={handleRemoveTag} />
+				</>
+			)}
+		</MenuButton>
+	);
+};
+
+export default SpamStatusMenu;
diff --git a/client/components/SpamStatusMenu/index.ts b/client/components/SpamStatusMenu/index.ts
new file mode 100644
index 0000000000..fdf93533b8
--- /dev/null
+++ b/client/components/SpamStatusMenu/index.ts
@@ -0,0 +1 @@
+export { default } from './SpamStatusMenu';
diff --git a/client/components/index.ts b/client/components/index.ts
index 23b957915c..5a79c48567 100644
--- a/client/components/index.ts
+++ b/client/components/index.ts
@@ -1,4 +1,5 @@
 export { default as AccentStyle } from './AccentStyle/AccentStyle';
+export { type AltchaRef, default as Altcha } from './Altcha';
 export { default as AssignDoi } from './AssignDoi/AssignDoi';
 export { default as AttributionEditor } from './AttributionEditor/AttributionEditor';
 export { default as Avatar } from './Avatar/Avatar';
@@ -43,6 +44,7 @@ export { default as FormattingBar } from './FormattingBar/FormattingBar';
 export { default as GlobalControls } from './GlobalControls';
 export { default as GridWrapper } from './GridWrapper/GridWrapper';
 export { default as Header } from './Header/Header';
+export { default as Honeypot } from './Honeypot';
 export { default as Icon, type IconName } from './Icon/Icon';
 export { default as ImageCropper } from './ImageCropper/ImageCropper';
 export { default as ImageUpload } from './ImageUpload/ImageUpload';
@@ -101,6 +103,7 @@ export { default as SharingCard } from './SharingCard/SharingCard';
 export { default as SimpleEditor } from './SimpleEditor/SimpleEditor';
 export { default as SkipLink } from './SkipLink/SkipLink';
 export { default as SliderInput } from './SliderInput/SliderInput';
+export { default as SpamStatusMenu } from './SpamStatusMenu';
 export { default as SubmissionEmail } from './SubmissionEmail/SubmissionEmail';
 export { default as SubscriptionButton } from './SubscriptionButton/SubscriptionButton';
 export { default as TabToShow } from './TabToShow/TabToShow';
diff --git a/client/containers/App/Breadcrumbs/Breadcrumbs.tsx b/client/containers/App/Breadcrumbs/Breadcrumbs.tsx
index 43149a495b..1a46f9c3fd 100644
--- a/client/containers/App/Breadcrumbs/Breadcrumbs.tsx
+++ b/client/containers/App/Breadcrumbs/Breadcrumbs.tsx
@@ -1,10 +1,10 @@
-import React, { useState } from 'react';
+import React, { useRef, useState } from 'react';
 
 import { AnchorButton, Button, Intent } from '@blueprintjs/core';
 import classNames from 'classnames';
 
 import { apiFetch } from 'client/utils/apiFetch';
-import { Avatar, Icon } from 'components';
+import { Altcha, Avatar, Honeypot, Icon } from 'components';
 import { getDashUrl } from 'utils/dashboard';
 import { usePageContext } from 'utils/hooks';
 
@@ -26,6 +26,7 @@ const Breadcrumbs = (props: Props) => {
 	const { mode, subMode } = dashboardMenu.activeMode!;
 	const [newPubIsLoading, setNewPubIsLoading] = useState(false);
 	const [newCollectionIsOpen, setNewCollectionIsOpen] = useState(false);
+	const createPubAltchaRef = useRef<import('components').AltchaRef>(null);
 
 	// console.log(locationData.path.split('/'), locationData.path.split('/').slice(-1))
 	// const modesWithSubmodes = ['discussions', 'reviews', 'pages'];
@@ -44,20 +45,24 @@ const Breadcrumbs = (props: Props) => {
 		avatar = activePub.avatar;
 	}
 
-	const handleCreatePub = () => {
+	const handleCreatePub = async (evt: React.FormEvent<HTMLFormElement>) => {
+		evt.preventDefault();
+		const formData = new FormData(evt.currentTarget);
+		const honeypot = (formData.get('description') as string) ?? '';
 		setNewPubIsLoading(true);
-		return apiFetch
-			.post('/api/pubs', {
+		try {
+			const altchaPayload = await createPubAltchaRef.current?.verify();
+			if (!altchaPayload) return;
+			const newPub = await apiFetch.post('/api/pubs/fromForm', {
 				communityId: communityData.id,
 				collectionId: activeCollection && activeCollection.id,
-			})
-			.then((newPub) => {
-				window.location.href = `/pub/${newPub.slug}`;
-			})
-			.catch((err) => {
-				console.error(err);
-				setNewPubIsLoading(false);
+				altcha: altchaPayload,
+				_honeypot: honeypot,
 			});
+			window.location.href = `/pub/${newPub.slug}`;
+		} finally {
+			setNewPubIsLoading(false);
+		}
 	};
 
 	const actions = {
@@ -71,14 +76,14 @@ const Breadcrumbs = (props: Props) => {
 			},
 			{
 				text: 'Create Pub',
-				onClick: handleCreatePub,
+				// onClick: handleCreatePub,
 				minPermissions: 'manage',
 			},
 		],
 		collection: [
 			{
 				text: 'Create Pub',
-				onClick: handleCreatePub,
+				// onClick: handleCreatePub,
 				minPermissions: 'manage',
 			},
 			activeCollection && {
@@ -202,6 +207,25 @@ const Breadcrumbs = (props: Props) => {
 								disabled: action.text !== 'Create Pub' && newPubIsLoading,
 								outlined: true,
 							};
+							if (action.text === 'Create Pub') {
+								const { onClick: _, ...buttonProps } = buttonsProps;
+								return (
+									<form
+										key={action.text}
+										onSubmit={handleCreatePub}
+										style={{
+											display: 'flex',
+											alignItems: 'center',
+											gap: '10px',
+										}}
+									>
+										<Altcha ref={createPubAltchaRef} />
+										<Honeypot name="description" />
+										<Button {...buttonProps} type="submit" />
+									</form>
+								);
+							}
+
 							return buttonsProps.href ? (
 								<AnchorButton {...buttonsProps} />
 							) : (
diff --git a/client/containers/CommunityCreate/CommunityCreate.tsx b/client/containers/CommunityCreate/CommunityCreate.tsx
index 73e4cc610d..ee1099dc32 100644
--- a/client/containers/CommunityCreate/CommunityCreate.tsx
+++ b/client/containers/CommunityCreate/CommunityCreate.tsx
@@ -3,7 +3,7 @@ import React, { useEffect, useRef, useState } from 'react';
 import { Button, Checkbox, Classes, NonIdealState } from '@blueprintjs/core';
 
 import { apiFetch } from 'client/utils/apiFetch';
-import { ColorInput, GridWrapper, ImageUpload, InputField } from 'components';
+import { Altcha, ColorInput, GridWrapper, Honeypot, ImageUpload, InputField } from 'components';
 import { usePageContext } from 'utils/hooks';
 import { slugifyString } from 'utils/strings';
 
@@ -75,6 +75,7 @@ const CommunityCreatedView = ({ subdomain }: { subdomain: string }) => {
 
 const CommunityCreate = () => {
 	const { loginData } = usePageContext();
+	const altchaRef = useRef<import('components').AltchaRef>(null);
 	const [subdomain, setSubdomain] = useState('');
 	const [title, setTitle] = useState('');
 	const [description, setDescription] = useState('');
@@ -86,31 +87,40 @@ const CommunityCreate = () => {
 	const [createError, setCreateError] = useState<string | undefined>(undefined);
 	const [isCreated, setIsCreated] = useState(false);
 
-	const onCreateSubmit = (evt) => {
+	const onCreateSubmit = async (evt: React.FormEvent<HTMLFormElement>) => {
 		evt.preventDefault();
 		setCreateIsLoading(true);
 		if (!acceptTerms) return false;
-		return apiFetch('/api/communities', {
-			method: 'POST',
-			body: JSON.stringify({
-				subdomain,
-				title,
-				description,
-				headerLogo: heroLogo,
-				heroLogo,
-				accentColorLight,
-				accentColorDark,
-			}),
-		})
-			.then(() => {
-				setCreateIsLoading(false);
-				setCreateError(undefined);
-				setIsCreated(true);
-			})
-			.catch((err) => {
-				setCreateIsLoading(false);
-				setCreateError(err);
+		const formData = new FormData(evt.currentTarget);
+		const honeypot = (formData.get('website') as string) ?? '';
+		const payload = {
+			subdomain,
+			title,
+			description,
+			headerLogo: heroLogo,
+			heroLogo,
+			accentColorLight,
+			accentColorDark,
+			_honeypot: honeypot,
+		};
+		const altchaPayload = await altchaRef.current?.verify();
+		if (!altchaPayload) {
+			setCreateIsLoading(false);
+			return;
+		}
+		try {
+			const newCommunity = await apiFetch.post<string>('/api/communities', {
+				...payload,
+				altcha: altchaPayload,
 			});
+			window.location.href = newCommunity;
+			setCreateIsLoading(false);
+			setIsCreated(true);
+		} catch (error) {
+			setCreateIsLoading(false);
+			setCreateError((error as Error).message);
+			return;
+		}
 	};
 	const onSubdomainChange = (evt) => {
 		setSubdomain(slugifyString(evt.target.value));
@@ -156,6 +166,7 @@ const CommunityCreate = () => {
 							will be able to view the community.
 						</p>
 						<form onSubmit={onCreateSubmit}>
+							<Honeypot name="website" />
 							<InputField
 								label="URL"
 								isRequired={true}
@@ -219,6 +230,7 @@ const CommunityCreate = () => {
 									.
 								</Checkbox>
 							</InputField>
+							<Altcha ref={altchaRef} auto="onload" />
 							<InputField
 								error={
 									createError
@@ -232,7 +244,6 @@ const CommunityCreate = () => {
 									name="create"
 									type="submit"
 									className={`${Classes.BUTTON} ${Classes.INTENT_PRIMARY} create-account-button`}
-									onClick={onCreateSubmit}
 									text="Create Community"
 									disabled={!subdomain || !title || !acceptTerms}
 									loading={createIsLoading}
diff --git a/client/containers/Login/Login.tsx b/client/containers/Login/Login.tsx
index 31860aaf71..b4c1c5aae1 100644
--- a/client/containers/Login/Login.tsx
+++ b/client/containers/Login/Login.tsx
@@ -1,3 +1,5 @@
+import type { AltchaRef } from 'components';
+
 import React, { useRef, useState } from 'react';
 
 import { AnchorButton, Button, Classes, NonIdealState } from '@blueprintjs/core';
@@ -5,7 +7,7 @@ import encHex from 'crypto-js/enc-hex';
 import SHA3 from 'crypto-js/sha3';
 
 import { apiFetch } from 'client/utils/apiFetch';
-import { Avatar, GridWrapper, InputField } from 'components';
+import { Altcha, Avatar, GridWrapper, InputField } from 'components';
 import { usePageContext } from 'utils/hooks';
 
 import './login.scss';
@@ -16,6 +18,7 @@ const Login = () => {
 	const [logoutLoading, setLogoutLoading] = useState(false);
 	const emailRef = useRef(null);
 	const passwordRef = useRef(null);
+	const altchaRef = useRef<AltchaRef>(null);
 	const { locationData, loginData, communityData } = usePageContext();
 	const onLoginSubmit = (evt) => {
 		evt.preventDefault();
@@ -34,30 +37,38 @@ const Login = () => {
 		}
 		setLoginLoading(true);
 		setLoginError(undefined);
-		return apiFetch('/api/login', {
-			method: 'POST',
-			body: JSON.stringify({
-				// @ts-expect-error ts-migrate(2531) FIXME: Object is possibly 'null'.
-				email: emailRef.current.value.toLowerCase(),
-				// @ts-expect-error ts-migrate(2531) FIXME: Object is possibly 'null'.
-				password: SHA3(passwordRef.current.value).toString(encHex),
-			}),
-		})
-			.then(() => {
-				const cacheBreaker = Math.round(new Date().getTime() / 1000);
-				window.location.href = locationData.query.redirect
-					? `/${locationData.query.redirect.replace(
-							/^\/+/,
-							'',
-						)}?breakCache=${cacheBreaker}`
-					: `/?breakCache=${cacheBreaker}`;
-				// window.location.href =
-				// 	`/${trimStart(`${locationData.query.redirect}`, '/')}` || '/';
+		const doLogin = (altchaPayload: string) =>
+			apiFetch('/api/login/fromForm', {
+				method: 'POST',
+				body: JSON.stringify({
+					// @ts-expect-error ts-migrate(2531) FIXME: Object is possibly 'null'.
+					email: emailRef.current.value.toLowerCase(),
+					// @ts-expect-error ts-migrate(2531) FIXME: Object is possibly 'null'.
+					password: SHA3(passwordRef.current.value).toString(encHex),
+					altcha: altchaPayload,
+				}),
 			})
+				.then(() => {
+					const cacheBreaker = Math.round(new Date().getTime() / 1000);
+					window.location.href = locationData.query.redirect
+						? `/${locationData.query.redirect.replace(
+								/^\/+/,
+								'',
+							)}?breakCache=${cacheBreaker}`
+						: `/?breakCache=${cacheBreaker}`;
+				})
+				.catch(() => {
+					setLoginLoading(false);
+					// @ts-expect-error ts-migrate(2345) FIXME: Argument of type '"Invalid Email or Password"' is ... Remove this comment to see the full error message
+					setLoginError('Invalid Email or Password');
+				});
+		return altchaRef.current
+			?.verify()
+			.then(doLogin)
 			.catch(() => {
 				setLoginLoading(false);
-				// @ts-expect-error ts-migrate(2345) FIXME: Argument of type '"Invalid Email or Password"' is ... Remove this comment to see the full error message
-				setLoginError('Invalid Email or Password');
+				// @ts-expect-error ts-migrate(2345) FIXME: Argument of type '"Verification failed..."' is ... Remove this comment to see the full error message
+				setLoginError('Verification failed. Please try again.');
 			});
 	};
 	const onLogoutSubmit = () => {
@@ -93,12 +104,12 @@ const Login = () => {
 								helperText={<a href="/password-reset">Forgot Password</a>}
 								inputRef={passwordRef}
 							/>
+							<Altcha ref={altchaRef} auto="onload" />
 							<InputField error={loginError}>
 								<Button
 									name="login"
 									type="submit"
 									className={`${Classes.BUTTON} ${Classes.INTENT_PRIMARY}`}
-									onClick={onLoginSubmit}
 									text="Login"
 									loading={loginLoading}
 								/>
diff --git a/client/containers/Pub/PubDocument/PubDiscussions/Discussion/Discussion.tsx b/client/containers/Pub/PubDocument/PubDiscussions/Discussion/Discussion.tsx
index aec5c27d6c..d7a4632791 100644
--- a/client/containers/Pub/PubDocument/PubDiscussions/Discussion/Discussion.tsx
+++ b/client/containers/Pub/PubDocument/PubDiscussions/Discussion/Discussion.tsx
@@ -1,6 +1,6 @@
-import type { PubPageData, PubPageDiscussion } from 'types';
+import type { PubPageData, PubPageDiscussion, SpamStatus } from 'types';
 
-import React, { useEffect, useState } from 'react';
+import React, { useCallback, useEffect, useState } from 'react';
 
 import { Button } from '@blueprintjs/core';
 import classNames from 'classnames';
@@ -111,6 +111,32 @@ const Discussion = (props: Props) => {
 		return elements;
 	};
 
+	const handleSpamStatusChanged = useCallback(
+		(status: SpamStatus | null) => {
+			const isNowSpam = status === 'confirmed-spam';
+			const authorUserId = discussionData.userId;
+			updateLocalData('pub', {
+				discussions: pubData.discussions.map((discussion) => {
+					const authorMatch = discussion.userId === authorUserId;
+					return {
+						...discussion,
+						...(authorMatch && { isAuthorSpam: isNowSpam || undefined }),
+						thread: {
+							...discussion.thread,
+							comments: discussion.thread.comments.map((comment) => {
+								if (comment.userId === authorUserId) {
+									return { ...comment, isAuthorSpam: isNowSpam || undefined };
+								}
+								return comment;
+							}),
+						},
+					};
+				}),
+			});
+		},
+		[discussionData.userId, pubData.discussions, updateLocalData],
+	);
+
 	const handleUpdateDiscussion = (discussionUpdates) => {
 		return apiFetch('/api/discussions', {
 			method: 'PUT',
@@ -221,7 +247,8 @@ const Discussion = (props: Props) => {
 				/>
 			)}
 			<LabelList pubData={pubData} discussionData={discussionData} />
-			{!isPreview && isAuthorSpam && (
+			{isAuthorSpam && isPreview && <span className="spam-badge">Spam</span>}
+			{isAuthorSpam && !isPreview && (
 				<div className="discussion-spam-banner">
 					This user has been banned. Only you and other admins of this community can see
 					this discussion. You can safely remove it.
@@ -236,6 +263,7 @@ const Discussion = (props: Props) => {
 							onUpdateDiscussion={handleUpdateDiscussion}
 							sortType={sortType}
 							setSortType={setSortType}
+							onSpamStatusChanged={handleSpamStatusChanged}
 						/>
 					)}
 					{renderAnchorText()}
diff --git a/client/containers/Pub/PubDocument/PubDiscussions/Discussion/DiscussionInput.tsx b/client/containers/Pub/PubDocument/PubDiscussions/Discussion/DiscussionInput.tsx
index 8593f7fac1..580bd21025 100644
--- a/client/containers/Pub/PubDocument/PubDiscussions/Discussion/DiscussionInput.tsx
+++ b/client/containers/Pub/PubDocument/PubDiscussions/Discussion/DiscussionInput.tsx
@@ -1,9 +1,11 @@
-import React, { useCallback, useEffect, useState } from 'react';
+import type { AltchaRef } from 'components';
+
+import React, { useCallback, useEffect, useRef, useState } from 'react';
 
 import { AnchorButton, Button, InputGroup, Intent } from '@blueprintjs/core';
 
 import { apiFetch } from 'client/utils/apiFetch';
-import { Avatar } from 'components';
+import { Altcha, Avatar, Honeypot } from 'components';
 import Editor, {
 	convertLocalHighlightToDiscussion,
 	getJSON,
@@ -51,6 +53,7 @@ const DiscussionInput = (props: Props) => {
 	const [didFocus, setDidFocus] = useState(false);
 	const [editorKey, setEditorKey] = useState(Date.now());
 	const [commenterName, setCommenterName] = useState('');
+	const altchaRef = useRef<AltchaRef>(null);
 	const isNewThread = !discussionData.number;
 	const inputView = changeObject?.view;
 
@@ -60,72 +63,92 @@ const DiscussionInput = (props: Props) => {
 		}
 	}, [isNewThread, inputView, didFocus, isPubBottomInput]);
 
-	const handlePostThreadComment = async () => {
+	const postThreadCommentBody = () => ({
+		accessHash: locationData.query.access,
+		parentId: discussionData.id,
+		threadId: discussionData.thread.id,
+		pubId: pubData.id,
+		communityId: communityData.id,
+		content: getJSON(changeObject?.view),
+		text: getText(changeObject?.view) || '',
+		commentAccessHash: pubData.commentHash,
+		commenterName,
+	});
+
+	const postDiscussionBody = () => {
+		const initAnchorData = getLocalHighlightText(pubView, discussionData.id);
+		return {
+			accessHash: locationData.query.access,
+			discussionId: discussionData.id,
+			pubId: pubData.id,
+			historyKey: historyData.currentKey,
+			communityId: communityData.id,
+			content: getJSON(changeObject?.view),
+			text: getText(changeObject?.view) || '',
+			initAnchorData,
+			visibilityAccess: pubData.isRelease ? 'public' : 'members',
+			commentAccessHash: pubData.commentHash,
+			commenterName,
+		};
+	};
+
+	const handlePostThreadComment = async (evt: React.FormEvent<HTMLFormElement>) => {
+		evt.preventDefault();
+		const formData = new FormData(evt.currentTarget);
+		const honeypot = (formData.get('title') as string) ?? '';
 		setIsLoading(true);
-		const outputData = await apiFetch('/api/threadComment', {
-			method: 'POST',
-			body: JSON.stringify({
-				accessHash: locationData.query.access,
-				parentId: discussionData.id,
-				threadId: discussionData.thread.id,
-				pubId: pubData.id,
-				communityId: communityData.id,
-				content: getJSON(changeObject?.view),
-				text: getText(changeObject?.view) || '',
-				commentAccessHash: pubData.commentHash,
-				commenterName,
-			}),
-		});
-
-		updateLocalData('pub', {
-			discussions: pubData.discussions.map((disc) => {
-				if (disc.thread!.id === outputData.threadId) {
-					return {
-						...disc,
-						thread: {
-							...disc.thread,
-							comments: [...disc.thread!.comments, outputData],
-						},
-					};
-				}
-				return disc;
-			}),
-		});
-
-		if (isPubBottomInput) {
+		try {
+			const altchaPayload = await altchaRef.current?.verify();
+			const outputData = await apiFetch('/api/threadComment/fromForm', {
+				method: 'POST',
+				body: JSON.stringify({
+					...postThreadCommentBody(),
+					_honeypot: honeypot,
+					altcha: altchaPayload,
+				}),
+			});
+			updateLocalData('pub', {
+				discussions: pubData.discussions.map((disc) => {
+					if (disc.thread!.id === outputData.threadId) {
+						return {
+							...disc,
+							thread: {
+								...disc.thread,
+								comments: [...disc.thread!.comments, outputData],
+							},
+						};
+					}
+					return disc;
+				}),
+			});
+		} finally {
 			setIsLoading(false);
-			setEditorKey(Date.now());
+			if (isPubBottomInput) setEditorKey(Date.now());
 		}
 	};
 
-	const handlePostDiscussion = async () => {
+	const handlePostDiscussion = async (evt: React.FormEvent<HTMLFormElement>) => {
+		evt.preventDefault();
+		const formData = new FormData(evt.currentTarget);
+		const honeypot = (formData.get('title') as string) ?? '';
 		setIsLoading(true);
-		const initAnchorData = getLocalHighlightText(pubView, discussionData.id);
-		const outputData = await apiFetch('/api/discussions', {
-			method: 'POST',
-			body: JSON.stringify({
-				accessHash: locationData.query.access,
-				discussionId: discussionData.id,
-				pubId: pubData.id,
-				historyKey: historyData.currentKey,
-				communityId: communityData.id,
-				content: getJSON(changeObject?.view),
-				text: getText(changeObject?.view) || '',
-				initAnchorData,
-				visibilityAccess: pubData.isRelease ? 'public' : 'members',
-				commentAccessHash: pubData.commentHash,
-				commenterName,
-			}),
-		});
-		updateLocalData('pub', {
-			discussions: [...pubData.discussions, outputData],
-		});
-
-		if (isPubBottomInput) {
+		try {
+			const altchaPayload = await altchaRef.current?.verify();
+			const outputData = await apiFetch('/api/discussions/fromForm', {
+				method: 'POST',
+				body: JSON.stringify({
+					...postDiscussionBody(),
+					_honeypot: honeypot,
+					altcha: altchaPayload,
+				}),
+			});
+			updateLocalData('pub', {
+				discussions: [...pubData.discussions, outputData],
+			});
+			if (!isPubBottomInput) convertLocalHighlightToDiscussion(pubView, outputData.id);
+		} finally {
 			setIsLoading(false);
-			setEditorKey(Date.now());
-		} else {
-			convertLocalHighlightToDiscussion(pubView, outputData.id);
+			if (isPubBottomInput) setEditorKey(Date.now());
 		}
 	};
 
@@ -142,12 +165,9 @@ const DiscussionInput = (props: Props) => {
 			evt.currentTarget.blur();
 		}
 	};
-	const handleInputChange = useCallback(
-		(e) => {
-			setCommenterName(e.target.value);
-		},
-		[setCommenterName],
-	);
+	const handleInputChange = useCallback((e) => {
+		setCommenterName(e.target.value);
+	}, []);
 	const renderUserNameInput = () => {
 		return (
 			!isUser &&
@@ -203,7 +223,11 @@ const DiscussionInput = (props: Props) => {
 				</>
 			)}
 			{canComment && (isNewThread || didFocus) && (
-				<div className="content-wrapper">
+				<form
+					onSubmit={isNewThread ? handlePostDiscussion : handlePostThreadComment}
+					className="content-wrapper"
+				>
+					<Honeypot name="title" />
 					<div className="discussion-body-wrapper editable">
 						<FormattingBar
 							editorChangeObject={changeObject}
@@ -219,29 +243,32 @@ const DiscussionInput = (props: Props) => {
 						/>
 						{renderUserNameInput()}
 					</div>
+
+					<Altcha ref={altchaRef} />
 					<Button
 						className="discussion-primary-button"
 						intent={Intent.PRIMARY}
+						type="submit"
 						text={isNewThread ? 'Post Discussion' : 'Post Reply'}
 						loading={isLoading}
 						disabled={
 							!getText(changeObject?.view) &&
 							!getTopLevelImages(changeObject?.view).length
 						}
-						onClick={isNewThread ? handlePostDiscussion : handlePostThreadComment}
 						small={true}
 					/>
 					{isNewThread && !isPubBottomInput && (
 						<Button
 							className="discussion-cancel-button"
 							text="Cancel"
+							type="button"
 							small={true}
 							onClick={() => {
 								removeLocalHighlight(pubView, discussionData.id);
 							}}
 						/>
 					)}
-				</div>
+				</form>
 			)}
 		</div>
 	);
diff --git a/client/containers/Pub/PubDocument/PubDiscussions/Discussion/ManageTools.tsx b/client/containers/Pub/PubDocument/PubDiscussions/Discussion/ManageTools.tsx
index 0de5acc71a..0fd7c9dcdb 100644
--- a/client/containers/Pub/PubDocument/PubDiscussions/Discussion/ManageTools.tsx
+++ b/client/containers/Pub/PubDocument/PubDiscussions/Discussion/ManageTools.tsx
@@ -2,7 +2,7 @@ import React, { useState } from 'react';
 
 import { Button } from '@blueprintjs/core';
 
-import { ConfirmDialog, Icon } from 'components';
+import { ConfirmDialog, Icon, SpamStatusMenu } from 'components';
 import { MenuButton, MenuItem } from 'components/Menu';
 import { usePageContext } from 'utils/hooks';
 
@@ -29,10 +29,18 @@ type Props = {
 	setSortType: (s: SortType) => any;
 	sortType: SortType;
 	onUpdateDiscussion: (...args: any[]) => any;
+	onSpamStatusChanged?: (status: import('types').SpamStatus | null) => void;
 };
 
 const ManageTools = (props: Props) => {
-	const { pubData, discussionData, onUpdateDiscussion, sortType, setSortType } = props;
+	const {
+		pubData,
+		discussionData,
+		onUpdateDiscussion,
+		sortType,
+		setSortType,
+		onSpamStatusChanged,
+	} = props;
 	const { scopeData } = usePageContext();
 	const { canAdmin, isSuperAdmin } = scopeData.activePermissions;
 	const { isClosed } = discussionData;
@@ -107,6 +115,12 @@ const ManageTools = (props: Props) => {
 			{renderArchiveButton()}
 			{renderSortMenu()}
 			{isSuperAdmin && <DiscussionReanchor discussionData={discussionData} />}
+			{isSuperAdmin && discussionData.userId && (
+				<SpamStatusMenu
+					userId={discussionData.userId}
+					onStatusChanged={onSpamStatusChanged}
+				/>
+			)}
 		</div>
 	);
 };
diff --git a/client/containers/Pub/PubDocument/PubDiscussions/Discussion/ThreadComment.tsx b/client/containers/Pub/PubDocument/PubDiscussions/Discussion/ThreadComment.tsx
index 573441dd75..cd21b75076 100644
--- a/client/containers/Pub/PubDocument/PubDiscussions/Discussion/ThreadComment.tsx
+++ b/client/containers/Pub/PubDocument/PubDiscussions/Discussion/ThreadComment.tsx
@@ -1,13 +1,13 @@
-import type { Callback } from 'types';
+import type { Callback, SpamStatus } from 'types';
 
-import React, { useState } from 'react';
+import React, { useCallback, useState } from 'react';
 
 import { Button, Intent } from '@blueprintjs/core';
 import classNames from 'classnames';
 import TimeAgo from 'react-timeago';
 
 import { apiFetch } from 'client/utils/apiFetch';
-import { Avatar, Icon } from 'components';
+import { Avatar, Icon, SpamStatusMenu } from 'components';
 import Editor, { type EditorChangeObject, getJSON, getText, viewIsEmpty } from 'components/Editor';
 import { buttons, FormattingBar } from 'components/FormattingBar';
 import { usePageContext } from 'utils/hooks';
@@ -31,7 +31,8 @@ const ThreadComment = (props: Props) => {
 		updateLocalData,
 		isPreview = false,
 	} = props;
-	const { loginData, communityData, locationData } = usePageContext();
+	const { loginData, communityData, locationData, scopeData } = usePageContext();
+	const { isSuperAdmin } = scopeData.activePermissions;
 	const [isEditing, setIsEditing] = useState(false);
 	const [changeObject, setChangeObject] = useState<null | EditorChangeObject>(null);
 	const [isLoadingEdit, setIsLoadingEdit] = useState(false);
@@ -70,6 +71,31 @@ const ThreadComment = (props: Props) => {
 		});
 	};
 
+	const handleSpamStatusChanged = useCallback(
+		(status: SpamStatus | null) => {
+			const isNowSpam = status === 'confirmed-spam';
+			const targetUserId = threadCommentData.userId;
+			updateLocalData('pub', {
+				discussions: pubData.discussions.map((discussion) => ({
+					...discussion,
+					...(discussion.userId === targetUserId && {
+						isAuthorSpam: isNowSpam || undefined,
+					}),
+					thread: {
+						...discussion.thread,
+						comments: discussion.thread.comments.map((comment) => {
+							if (comment.userId === targetUserId) {
+								return { ...comment, isAuthorSpam: isNowSpam || undefined };
+							}
+							return comment;
+						}),
+					},
+				})),
+			});
+		},
+		[threadCommentData.userId, pubData.discussions, updateLocalData],
+	);
+
 	const isAuthor = loginData.id === threadCommentData.userId;
 	const renderText = (
 		key: string,
@@ -114,6 +140,7 @@ const ThreadComment = (props: Props) => {
 						{threadCommentData.author
 							? threadCommentData.author.fullName
 							: (commenterName ?? 'anonymous')}
+						{isAuthorSpam && isPreview && <span className="spam-badge">Spam</span>}
 						{isPreview ? ': ' : ''}
 					</span>
 
@@ -155,6 +182,12 @@ const ThreadComment = (props: Props) => {
 								}}
 							/>
 						)}
+						{!isPreview && isSuperAdmin && threadCommentData.userId && (
+							<SpamStatusMenu
+								userId={threadCommentData.userId}
+								onStatusChanged={handleSpamStatusChanged}
+							/>
+						)}
 					</span>
 				</div>
 				{!isPreview && isAuthorSpam && (
diff --git a/client/containers/Pub/PubDocument/PubDiscussions/Discussion/discussion.scss b/client/containers/Pub/PubDocument/PubDiscussions/Discussion/discussion.scss
index 9cd916f21f..82af59b299 100644
--- a/client/containers/Pub/PubDocument/PubDiscussions/Discussion/discussion.scss
+++ b/client/containers/Pub/PubDocument/PubDiscussions/Discussion/discussion.scss
@@ -12,6 +12,23 @@ $bp: vendor.$bp-namespace;
 	text-align: left;
 	&.is-author-spam {
 		opacity: 0.9;
+		border-left: 3px solid #d9534f;
+		padding-left: calc(1em - 3px);
+		background: rgba(217, 83, 79, 0.03);
+	}
+	.spam-badge {
+		display: inline-block;
+		font-size: 10px;
+		font-weight: 600;
+		line-height: 1;
+		padding: 2px 5px;
+		margin-left: 6px;
+		background: #d9534f;
+		color: white;
+		border-radius: 2px;
+		vertical-align: middle;
+		text-transform: uppercase;
+		letter-spacing: 0.5px;
 	}
 	.discussion-spam-banner {
 		margin-bottom: 0.75em;
diff --git a/client/containers/Pub/PubDocument/PubDiscussions/Discussion/threadComment.scss b/client/containers/Pub/PubDocument/PubDiscussions/Discussion/threadComment.scss
index 66165dfb3d..f25ff63fb1 100644
--- a/client/containers/Pub/PubDocument/PubDiscussions/Discussion/threadComment.scss
+++ b/client/containers/Pub/PubDocument/PubDiscussions/Discussion/threadComment.scss
@@ -12,6 +12,23 @@
 		.discussion-body-wrapper {
 			opacity: 0.85;
 		}
+		border-left: 3px solid #d9534f;
+		padding-left: 0.5em;
+		background: rgba(217, 83, 79, 0.03);
+	}
+	.spam-badge {
+		display: inline-block;
+		font-size: 10px;
+		font-weight: 600;
+		line-height: 1;
+		padding: 2px 5px;
+		margin-left: 4px;
+		background: #d9534f;
+		color: white;
+		border-radius: 2px;
+		vertical-align: middle;
+		text-transform: uppercase;
+		letter-spacing: 0.5px;
 	}
 	.thread-comment-spam-banner {
 		width: 100%;
diff --git a/client/containers/Signup/Signup.tsx b/client/containers/Signup/Signup.tsx
index 8492ed58a8..96ff4bff61 100644
--- a/client/containers/Signup/Signup.tsx
+++ b/client/containers/Signup/Signup.tsx
@@ -1,9 +1,11 @@
-import React, { useState } from 'react';
+import type { AltchaRef } from 'components';
+
+import React, { useRef, useState } from 'react';
 
 import { Button, Classes, NonIdealState } from '@blueprintjs/core';
 
 import { apiFetch } from 'client/utils/apiFetch';
-import { GridWrapper, InputField } from 'components';
+import { Altcha, GridWrapper, Honeypot, InputField } from 'components';
 import { usePageContext } from 'utils/hooks';
 
 import './signup.scss';
@@ -13,32 +15,64 @@ const Signup = () => {
 	const [email, setEmail] = useState('');
 	const [isSuccessful, setIsSuccessful] = useState(false);
 	const [postSignupIsLoading, setPostSignupIsLoading] = useState(false);
-	const [postSignupError, setPostSignupError] = useState(undefined);
-	const [confirmEmail, setConfirmEmail] = useState('');
-	const onSignupSubmit = (evt) => {
+	const [postSignupError, setPostSignupError] = useState<string | undefined>(undefined);
+	const altchaRef = useRef<AltchaRef>(null);
+
+	const onSignupSubmit = async (evt: React.FormEvent<HTMLFormElement>) => {
+		evt.preventDefault();
+		// grab form data synchronously; currentTarget is nulled after the sync frame in react 16
+		const formData = new FormData(evt.currentTarget);
+		const confirmEmail = (formData.get('confirmEmail') as string | undefined) ?? '';
+		setPostSignupIsLoading(true);
+		setPostSignupError(undefined);
+		try {
+			const altchaPayload = await altchaRef.current?.verify();
+			if (!altchaPayload) {
+				throw new Error('Verification failed. Please try again.');
+			}
+			await apiFetch('/api/signup', {
+				method: 'POST',
+				body: JSON.stringify({
+					_honeypot: confirmEmail,
+					email: email.toLowerCase(),
+					communityId: communityData.id,
+					altcha: altchaPayload,
+				}),
+			});
+			setPostSignupIsLoading(false);
+			setIsSuccessful(true);
+		} catch (err) {
+			setPostSignupIsLoading(false);
+			setPostSignupError(
+				err instanceof Error ? err.message : 'Verification failed. Please try again.',
+			);
+		}
+	};
+	const handleResendEmail = async (evt: React.FormEvent<HTMLFormElement>) => {
 		evt.preventDefault();
 		setPostSignupIsLoading(true);
 		setPostSignupError(undefined);
-		return apiFetch('/api/signup', {
-			method: 'POST',
-			body: JSON.stringify({
-				email: email.toLowerCase(),
-				communityId: communityData.id,
-				confirmEmail,
-			}),
-		})
-			.then(() => {
-				setPostSignupIsLoading(false);
-				setIsSuccessful(true);
-			})
-			.catch((err) => {
-				setPostSignupIsLoading(false);
-				setPostSignupError(err);
+		try {
+			await apiFetch('/api/signup', {
+				method: 'POST',
+				body: JSON.stringify({
+					email: email.toLowerCase(),
+					communityId: communityData.id,
+					_honeypot: '',
+					altcha: '',
+				}),
 			});
+		} catch {
+			// resend is best-effort
+		} finally {
+			setPostSignupIsLoading(false);
+		}
 	};
+
 	const onEmailChange = (evt) => {
 		setEmail(evt.target.value);
 	};
+
 	return (
 		<div id="signup-container">
 			<GridWrapper containerClassName="small">
@@ -60,20 +94,12 @@ const Signup = () => {
 								onChange={onEmailChange}
 								error={postSignupError}
 							/>
-							<input
-								type="search"
-								className="confirm-email"
-								name="confirmEmail"
-								// @ts-expect-error ts-migrate(2322) FIXME: Type 'string' is not assignable to type 'number | ... Remove this comment to see the full error message
-								tabIndex="-1"
-								autoComplete="new-user-street-address"
-								onChange={(evt) => setConfirmEmail(evt.target.value)}
-							/>
+							<Honeypot name="confirmEmail" />
+							<Altcha ref={altchaRef} auto="onload" />
 							<Button
 								name="signup"
 								type="submit"
 								className={`${Classes.BUTTON} ${Classes.INTENT_PRIMARY}`}
-								onClick={onSignupSubmit}
 								text="Signup"
 								disabled={!email}
 								loading={postSignupIsLoading}
@@ -99,14 +125,17 @@ const Signup = () => {
 						// @ts-expect-error ts-migrate(2322) FIXME: Type '{ title: string; description: Element; visua... Remove this comment to see the full error message
 						visual="tick-circle"
 						action={
-							<Button
-								name="resendEmail"
-								type="button"
-								className={Classes.BUTTON}
-								onClick={onSignupSubmit}
-								text="Resend Email"
-								loading={postSignupIsLoading}
-							/>
+							<form onSubmit={handleResendEmail}>
+								<Button
+									name="resendEmail"
+									disabled={!altchaRef.current?.value}
+									type="submit"
+									className={Classes.BUTTON}
+									text="Resend Email"
+									loading={!altchaRef.current?.value || postSignupIsLoading}
+								/>
+								<Altcha ref={altchaRef} auto="onload" />
+							</form>
 						}
 					/>
 				)}
diff --git a/client/containers/SuperAdminDashboard/UserSpam/UserSpamEntry.tsx b/client/containers/SuperAdminDashboard/UserSpam/UserSpamEntry.tsx
index 72f9acd717..c9b52d2236 100644
--- a/client/containers/SuperAdminDashboard/UserSpam/UserSpamEntry.tsx
+++ b/client/containers/SuperAdminDashboard/UserSpam/UserSpamEntry.tsx
@@ -1,4 +1,4 @@
-import type { SpamStatus } from 'types';
+import type { SpamStatus, UserSpamTagFields } from 'types';
 
 import React, { useCallback, useMemo, useState } from 'react';
 
@@ -31,7 +31,9 @@ const UserSpamEntry = (props: Props) => {
 	const initialStatus = hasTag ? spamTag.status : null;
 	const [status, setUpdatedStatus] = useState<null | SpamStatus>(initialStatus);
 
-	const fields = hasTag ? (spamTag.fields ?? {}) : {};
+	const fields = hasTag
+		? ((spamTag.fields ?? {}) as UserSpamTagFields)
+		: ({} as UserSpamTagFields);
 	const fieldsJsonString = useMemo(() => JSON.stringify(fields, null, 2), [fields]);
 
 	const renderFieldsReport = () => {
@@ -196,6 +198,27 @@ const UserSpamEntry = (props: Props) => {
 		);
 	};
 
+	const renderHoneypotTriggers = () => {
+		const triggers = fields?.honeypotTriggers;
+		if (!triggers?.length) return null;
+		return (
+			<div className="honeypot-triggers">
+				<h3>Honeypot triggers</h3>
+				<ul>
+					{triggers.map((trigger, index) => (
+						// biome-ignore lint/suspicious/noArrayIndexKey: stable list
+						<li key={index}>
+							<Tag intent="danger" minimal>
+								{trigger.honeypot}
+							</Tag>{' '}
+							<code>{trigger.value}</code>
+						</li>
+					))}
+				</ul>
+			</div>
+		);
+	};
+
 	const renderAffiliation = () => {
 		if (!affiliation) return null;
 		const { communitySubdomains, pubCount, discussionCount } = affiliation;
@@ -251,6 +274,7 @@ const UserSpamEntry = (props: Props) => {
 			{renderFieldsReport()}
 			{renderSuspiciousFiles()}
 			{renderSuspiciousComments()}
+			{renderHoneypotTriggers()}
 			<div className="details">
 				<div className="tags">
 					{renderStatusTag()}
diff --git a/client/containers/User/UserEdit.tsx b/client/containers/User/UserEdit.tsx
index 10654ddb08..76da37c30e 100644
--- a/client/containers/User/UserEdit.tsx
+++ b/client/containers/User/UserEdit.tsx
@@ -3,7 +3,7 @@ import React, { useState } from 'react';
 import { Button, Callout, Intent } from '@blueprintjs/core';
 
 import { apiFetch } from 'client/utils/apiFetch';
-import { GridWrapper } from 'components';
+import { GridWrapper, Honeypot } from 'components';
 import ImageUpload from 'components/ImageUpload/ImageUpload';
 import InputField from 'components/InputField/InputField';
 import { ORCID_PATTERN } from 'utils/orcid';
@@ -65,8 +65,10 @@ const UserEdit = (props: Props) => {
 		setAvatar(val);
 	};
 
-	const handleSaveDetails = (evt) => {
+	const handleSaveDetails = (evt: React.FormEvent<HTMLFormElement>) => {
 		evt.preventDefault();
+		const formData = new FormData(evt.currentTarget);
+		const honeypot = (formData.get('phone') as string) ?? '';
 		const newUserObject = {
 			userId: userData.id,
 			firstName,
@@ -85,11 +87,12 @@ const UserEdit = (props: Props) => {
 			mastodon,
 			bluesky,
 			googleScholar,
+			_honeypot: honeypot,
 		};
 
 		setPutUserIsLoading(true);
 		setPutUserError('');
-		return apiFetch('/api/users', {
+		return apiFetch('/api/users/fromForm', {
 			method: 'PUT',
 			body: JSON.stringify(newUserObject),
 		})
@@ -234,6 +237,7 @@ const UserEdit = (props: Props) => {
 			<GridWrapper containerClassName="narrow nav">
 				<h1>Edit User Details</h1>
 				<form onSubmit={handleSaveDetails}>
+					<Honeypot name="phone" />
 					<InputField
 						label="First Name"
 						isRequired={true}
@@ -310,7 +314,7 @@ const UserEdit = (props: Props) => {
 								type="submit"
 								intent={Intent.PRIMARY}
 								text="Save Details"
-								onClick={handleSaveDetails}
+								// onClick={handleSaveDetails}
 								disabled={!firstName || !lastName || !hasChanged || isOrcidInvalid}
 								loading={putUserIsLoading}
 							/>
diff --git a/client/containers/User/UserHeader.tsx b/client/containers/User/UserHeader.tsx
index ae1c836065..30f71586ff 100644
--- a/client/containers/User/UserHeader.tsx
+++ b/client/containers/User/UserHeader.tsx
@@ -1,12 +1,15 @@
 import type { SocialItem } from 'client/utils/navigation';
+import type { SpamStatus } from 'types';
 
-import React from 'react';
+import React, { useCallback, useState } from 'react';
 
-import { Classes } from '@blueprintjs/core';
+import { Callout, Classes, Tag } from '@blueprintjs/core';
 import PropTypes from 'prop-types';
 
 import Avatar from 'components/Avatar/Avatar';
 import Icon from 'components/Icon/Icon';
+import SpamStatusMenu from 'components/SpamStatusMenu';
+import { usePageContext } from 'utils/hooks';
 
 import './userHeader.scss';
 
@@ -19,7 +22,25 @@ const defaultProps = {
 	isUser: false,
 };
 
+const spamStatusDisplay: Record<
+	SpamStatus,
+	{ label: string; intent: 'danger' | 'warning' | 'success' }
+> = {
+	'confirmed-spam': { label: 'Confirmed spam', intent: 'danger' },
+	unreviewed: { label: 'Unreviewed', intent: 'warning' },
+	'confirmed-not-spam': { label: 'Not spam', intent: 'success' },
+};
+
 const UserHeader = function (props) {
+	const { loginData } = usePageContext();
+	const isSuperAdmin = !!loginData.isSuperAdmin;
+	const spamTag = props.userData.spamTag;
+	const [spamStatus, setSpamStatus] = useState<SpamStatus | null>(spamTag?.status ?? null);
+
+	const handleSpamStatusChanged = useCallback((status: SpamStatus | null) => {
+		setSpamStatus(status);
+	}, []);
+
 	const links = [
 		{ value: props.userData.location, icon: 'map-marker' as const, url: '' },
 		{
@@ -96,9 +117,40 @@ const UserHeader = function (props) {
 				)}
 			</div>
 			<div className="details">
-				<h1>{props.userData.fullName}</h1>
+				<h1>
+					{props.userData.fullName}
+					{isSuperAdmin && spamStatus && (
+						<Tag
+							intent={spamStatusDisplay[spamStatus].intent}
+							minimal
+							style={{ marginLeft: 10, verticalAlign: 'middle', fontSize: 12 }}
+						>
+							{spamStatusDisplay[spamStatus].label}
+						</Tag>
+					)}
+				</h1>
 				{props.userData.title && <div className="title">{props.userData.title}</div>}
 				{props.userData.bio && <div className="bio">{props.userData.bio}</div>}
+				{isSuperAdmin && (
+					<Callout
+						intent={spamStatus === 'confirmed-spam' ? 'danger' : 'none'}
+						icon="shield"
+						style={{ marginTop: 12, marginBottom: 12 }}
+					>
+						<div style={{ display: 'flex', alignItems: 'center', gap: 8 }}>
+							<span style={{ fontWeight: 500 }}>
+								Spam status:{' '}
+								{spamStatus ? spamStatusDisplay[spamStatus].label : 'None'}
+							</span>
+							<SpamStatusMenu
+								userId={props.userData.id}
+								currentStatus={spamStatus}
+								onStatusChanged={handleSpamStatusChanged}
+								small={false}
+							/>
+						</div>
+					</Callout>
+				)}
 				<div className="links">
 					{links
 						.filter((link) => {
diff --git a/client/containers/UserCreate/UserCreate.tsx b/client/containers/UserCreate/UserCreate.tsx
index b288d627b4..b536de7a85 100644
--- a/client/containers/UserCreate/UserCreate.tsx
+++ b/client/containers/UserCreate/UserCreate.tsx
@@ -1,4 +1,4 @@
-import React, { useState } from 'react';
+import React, { useRef, useState } from 'react';
 
 import { Button, Checkbox, Classes, NonIdealState } from '@blueprintjs/core';
 import encHex from 'crypto-js/enc-hex';
@@ -6,7 +6,7 @@ import SHA3 from 'crypto-js/sha3';
 
 import { apiFetch } from 'client/utils/apiFetch';
 import { gdprCookiePersistsSignup, getGdprConsentElection } from 'client/utils/legal/gdprConsent';
-import { GridWrapper, Icon, ImageUpload, InputField } from 'components';
+import { Altcha, GridWrapper, Honeypot, Icon, ImageUpload, InputField } from 'components';
 
 import './userCreate.scss';
 
@@ -16,8 +16,9 @@ type Props = {
 
 const UserCreate = (props: Props) => {
 	const { signupData } = props;
+	const altchaRef = useRef<import('components').AltchaRef>(null);
 	const [postUserIsLoading, setPostUserIsLoading] = useState(false);
-	const [postUserError, setPostUserError] = useState(undefined);
+	const [postUserError, setPostUserError] = useState<string | undefined>(undefined);
 	const [subscribed, setSubscribed] = useState(false);
 	const [firstName, setFirstName] = useState('');
 	const [lastName, setLastName] = useState('');
@@ -39,16 +40,19 @@ const UserCreate = (props: Props) => {
 	const [showTwitter, setShowTwitter] = useState(false);
 	const [showFacebook, setShowFacebook] = useState(false);
 	const [showGoogleScholar, setShowGoogleScholar] = useState(false);
-	const [confirmPassword, setConfirmPasword] = useState('');
 	const [acceptTerms, setAcceptTerms] = useState(false);
-	const onCreateSubmit = (evt) => {
+
+	const onCreateSubmit = async (evt: React.FormEvent<HTMLFormElement>) => {
 		evt.preventDefault();
+		if (!acceptTerms) return;
+		const formData = new FormData(evt.currentTarget);
+		const honeypot = (formData.get('confirmPassword') as string) ?? '';
 		setPostUserIsLoading(true);
 		setPostUserError(undefined);
-		if (!acceptTerms) return false;
-		return apiFetch('/api/users', {
-			method: 'POST',
-			body: JSON.stringify({
+		try {
+			const altchaPayload = await altchaRef.current?.verify();
+			console.log('altchaPayload', altchaPayload);
+			const body = {
 				email: signupData.email,
 				hash: signupData.hash,
 				subscribed,
@@ -65,18 +69,20 @@ const UserCreate = (props: Props) => {
 				twitter,
 				facebook,
 				googleScholar,
-				confirmPassword,
+				_honeypot: honeypot,
+				altcha: altchaPayload,
 				gdprConsent: gdprCookiePersistsSignup() ? getGdprConsentElection() : null,
-			}),
-		})
-			.then(() => {
-				const cacheBreaker = Math.round(new Date().getTime() / 1000);
-				window.location.href = `/?breakCache=${cacheBreaker}`;
-			})
-			.catch((err) => {
-				setPostUserIsLoading(false);
-				setPostUserError(err);
+			};
+			await apiFetch('/api/users', {
+				method: 'POST',
+				body: JSON.stringify(body),
 			});
+			const cacheBreaker = Math.round(new Date().getTime() / 1000);
+			window.location.href = `/?breakCache=${cacheBreaker}`;
+		} catch (err) {
+			setPostUserIsLoading(false);
+			setPostUserError(err instanceof Error ? err.message : 'Error Creating User');
+		}
 	};
 	const onSubscribedChange = () => {
 		setSubscribed(!subscribed);
@@ -243,15 +249,7 @@ const UserCreate = (props: Props) => {
 							value={password}
 							onChange={onPasswordChange}
 						/>
-						<input
-							type="password"
-							name="confirmPassword"
-							className="confirm-password"
-							// @ts-expect-error ts-migrate(2322) FIXME: Type 'string' is not assignable to type 'number | ... Remove this comment to see the full error message
-							tabIndex="-1"
-							autoComplete="new-user-street-address"
-							onChange={(evt) => setConfirmPasword(evt.target.value)}
-						/>
+						<Honeypot name="confirmPassword" />
 						<ImageUpload
 							htmlFor="avatar-upload"
 							label="Avatar Image"
@@ -344,12 +342,12 @@ const UserCreate = (props: Props) => {
 								.
 							</Checkbox>
 						</InputField>
+						<Altcha ref={altchaRef} auto="onload" />
 						<InputField error={postUserError && 'Error Creating User'}>
 							<Button
 								name="create"
 								type="submit"
 								className={`${Classes.BUTTON} ${Classes.INTENT_PRIMARY} create-account-button`}
-								onClick={onCreateSubmit}
 								text="Create Account"
 								disabled={!firstName || !lastName || !password || !acceptTerms}
 								loading={postUserIsLoading}
diff --git a/client/utils/apiFetch.ts b/client/utils/apiFetch.ts
index 1cca1d404a..d3de7f8e95 100644
--- a/client/utils/apiFetch.ts
+++ b/client/utils/apiFetch.ts
@@ -2,11 +2,11 @@
 type JSON = Record<string, any> | any[] | any;
 type ApiFetchFn = (path: string, opts?: RequestInit) => Promise<JSON>;
 
-type HttpMethodApiFetchWrapper = (
+type HttpMethodApiFetchWrapper = <T extends JSON = JSON>(
 	path: string,
 	body?: JSON | string,
 	opts?: RequestInit,
-) => Promise<JSON>;
+) => Promise<T>;
 
 const httpMethods = [
 	'get',
@@ -45,12 +45,12 @@ export const apiFetch = ((path, opts) => {
 }) as ApiFetch;
 
 const createMethodWrapper = (method: HttpMethod): HttpMethodApiFetchWrapper => {
-	return (path, body, opts) =>
+	return ((path, body, opts) =>
 		apiFetch(path, {
 			...opts,
 			method: method.toUpperCase(),
 			body: typeof body === 'string' ? body : JSON.stringify(body),
-		});
+		})) as HttpMethodApiFetchWrapper;
 };
 
 // Create apiFetch.get, apiFetch.post, etc.
diff --git a/client/webpack/webpackConfig.dev.js b/client/webpack/webpackConfig.dev.js
index 35a6c4efed..d24c1cd4f7 100644
--- a/client/webpack/webpackConfig.dev.js
+++ b/client/webpack/webpackConfig.dev.js
@@ -56,9 +56,9 @@ module.exports = {
 	module: {
 		rules: [
 			{
-				test: /\.(mjs|cjs)$/,
+				test: /\.(m|c)?js$/,
 				// this module includes nullish coalescing and optional chaining, which are not supported by webpack 4
-				include: /node_modules\/@marsidev\/react-turnstile/,
+				include: /node_modules\/@marsidev\/react-turnstile|node_modules\/(.pnpm\/)?altcha.*/,
 				type: 'javascript/auto',
 				loader: 'esbuild-loader',
 				/** @type {import('esbuild-loader').LoaderOptions} */
diff --git a/client/webpack/webpackConfig.prod.js b/client/webpack/webpackConfig.prod.js
index a39d2b50b3..424f6444c9 100644
--- a/client/webpack/webpackConfig.prod.js
+++ b/client/webpack/webpackConfig.prod.js
@@ -46,9 +46,9 @@ module.exports = {
 	module: {
 		rules: [
 			{
-				test: /\.(mjs|cjs)$/,
+				test: /\.(m|c)?js$/,
 				// this module includes nullish coalescing and optional chaining, which are not supported by webpack 4
-				include: /node_modules\/@marsidev\/react-turnstile/,
+				include: /node_modules\/@marsidev\/react-turnstile|node_modules\/(.pnpm\/)?altcha.*/,
 				type: 'javascript/auto',
 				loader: 'esbuild-loader',
 				/** @type {import('esbuild-loader').LoaderOptions} */
diff --git a/infra/docker-compose.dev.yml b/infra/docker-compose.dev.yml
index 1994d3ee0e..c6ee5fc451 100644
--- a/infra/docker-compose.dev.yml
+++ b/infra/docker-compose.dev.yml
@@ -12,6 +12,8 @@ services:
         environment:
             NODE_ENV: development
             PORT: 3000
+            # disable this
+            IS_DUQDUQ: ""
             DATABASE_URL: postgres://appuser:apppassword@db:5432/appdb
             CLOUDAMQP_URL: amqp://appuser:apppassword@rabbitmq:5672/appvhost
         depends_on:
@@ -39,6 +41,7 @@ services:
         depends_on:
             - db
             - rabbitmq
+            - app
         networks: [appnet]
         volumes:
             - ..:/app
diff --git a/package.json b/package.json
index b73f213aeb..25cc7a8c7e 100644
--- a/package.json
+++ b/package.json
@@ -116,6 +116,8 @@
 		"@types/styled-components": "^5.1.12",
 		"@types/website-scraper": "^1.2.10",
 		"algoliasearch": "^4.2.0",
+		"altcha": "^2.3.0",
+		"altcha-lib": "^1.4.0",
 		"amqplib": "^0.10.9",
 		"archiver": "^7.0.1",
 		"big-json": "^2.0.2",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index ee91926ea6..f5ca32a22c 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -200,6 +200,12 @@ importers:
       algoliasearch:
         specifier: ^4.2.0
         version: 4.26.0
+      altcha:
+        specifier: ^2.3.0
+        version: 2.3.0
+      altcha-lib:
+        specifier: ^1.4.0
+        version: 1.4.1
       amqplib:
         specifier: ^0.10.9
         version: 0.10.9
@@ -942,6 +948,9 @@ packages:
   '@algolia/transporter@4.26.0':
     resolution: {integrity: sha512-KILPkXm6ofiYS4hXmEVCmsBgWgCopjm/Zuz7lyWgaliSIQbd1HaZFDIONxnCSVSfmvu0z6xHvaMF5yEYSZTv6g==}
 
+  '@altcha/crypto@0.0.1':
+    resolution: {integrity: sha512-qZMdnoD3lAyvfSUMNtC2adRi666Pxdcw9zqfMU5qBOaJWqpN9K+eqQGWqeiKDMqL0SF+EytNG4kR/Pr/99GJ6g==}
+
   '@analytics/core@0.12.17':
     resolution: {integrity: sha512-GMxRm5Dp3Wam/w5NNvqNKMO6zWecozbVv21Kn4WhftCx6OjJI7zMlVtiLpjGjxa0RRZfVG80YhupF0Qh9XL2gw==}
 
@@ -2906,6 +2915,11 @@ packages:
     cpu: [s390x]
     os: [linux]
 
+  '@rollup/rollup-linux-x64-gnu@4.18.0':
+    resolution: {integrity: sha512-xuglR2rBVHA5UsI8h8UbX4VJ470PtGCf5Vpswh7p2ukaqBGFTnsfzxUBetoWBWymHMxbIG0Cmx7Y9qDZzr648w==}
+    cpu: [x64]
+    os: [linux]
+
   '@rollup/rollup-linux-x64-gnu@4.57.1':
     resolution: {integrity: sha512-ABca4ceT4N+Tv/GtotnWAeXZUZuM/9AQyCyKYyKnpk4yoA7QIAuBt6Hkgpw8kActYlew2mvckXkvx0FfoInnLg==}
     cpu: [x64]
@@ -4332,6 +4346,12 @@ packages:
   algoliasearch@4.26.0:
     resolution: {integrity: sha512-08+G9TsokR3622ik5je/uXLaYIJ21K6p8Lg+mVGoaGnYvV3Lwj/mErZkZLEZFGPpTsLi3i1cicDZ27V7uZhnCQ==}
 
+  altcha-lib@1.4.1:
+    resolution: {integrity: sha512-MAXP9tkQOA2SE9Gwoe3LAcZbcDpp3XzYc5GDVej/y3eMNaFG/eVnRY1/7SGFW0RPsViEjPf+hi5eANjuZrH1xA==}
+
+  altcha@2.3.0:
+    resolution: {integrity: sha512-vl8I0dQvSQB7/Mx09XuWZ1+LdSP7vEda6OLbg9kUQ2ZO2LT7MzgUyLK7Iips+GAV6c0ntVcS1XWOqhEPpwbDhQ==}
+
   amqplib@0.10.9:
     resolution: {integrity: sha512-jwSftI4QjS3mizvnSnOrPGYiUnm1vI2OP1iXeOUz5pb74Ua0nbf6nPyyTzuiCLEE3fMpaJORXh2K/TQ08H5xGA==}
     engines: {node: '>=10'}
@@ -11767,6 +11787,8 @@ snapshots:
       '@algolia/logger-common': 4.26.0
       '@algolia/requester-common': 4.26.0
 
+  '@altcha/crypto@0.0.1': {}
+
   '@analytics/core@0.12.17(@types/dlv@1.1.5)':
     dependencies:
       '@analytics/global-storage-utils': 0.1.9
@@ -14548,6 +14570,9 @@ snapshots:
   '@rollup/rollup-linux-s390x-gnu@4.57.1':
     optional: true
 
+  '@rollup/rollup-linux-x64-gnu@4.18.0':
+    optional: true
+
   '@rollup/rollup-linux-x64-gnu@4.57.1':
     optional: true
 
@@ -16676,6 +16701,14 @@ snapshots:
       '@algolia/requester-node-http': 4.26.0
       '@algolia/transporter': 4.26.0
 
+  altcha-lib@1.4.1: {}
+
+  altcha@2.3.0:
+    dependencies:
+      '@altcha/crypto': 0.0.1
+    optionalDependencies:
+      '@rollup/rollup-linux-x64-gnu': 4.18.0
+
   amqplib@0.10.9:
     dependencies:
       buffer-more-ints: 1.0.0
diff --git a/server/apiRoutes.ts b/server/apiRoutes.ts
index fa205c0f51..ce67080f9e 100644
--- a/server/apiRoutes.ts
+++ b/server/apiRoutes.ts
@@ -4,6 +4,7 @@ import { isProd } from 'utils/environment';
 
 import { activityItemRouter } from './activityItem/api';
 import { router as apiDocsRouter } from './apiDocs/api';
+import { router as captchaRouter } from './captcha/api';
 import { router as citationRouter } from './citation/api';
 import { router as communityServicesRouter } from './communityServices/api';
 import { router as customScriptRouter } from './customScript/api';
@@ -37,6 +38,7 @@ import { router as zoteroIntegrationRouter } from './zoteroIntegration/api';
 
 const apiRouter = Router()
 	.use(activityItemRouter)
+	.use(captchaRouter)
 	.use(citationRouter)
 	.use(communityServicesRouter)
 	.use(customScriptRouter)
diff --git a/server/captcha/api.ts b/server/captcha/api.ts
new file mode 100644
index 0000000000..c08e7f1f92
--- /dev/null
+++ b/server/captcha/api.ts
@@ -0,0 +1,17 @@
+import { createChallenge } from 'altcha-lib';
+import { Router } from 'express';
+
+import { getAltchaHmacKey } from 'server/utils/captcha';
+
+export const router = Router();
+
+const MAX_NUMBER = 100000;
+
+router.get('/api/captcha/challenge', async (_req, res) => {
+	const hmacKey = getAltchaHmacKey();
+	const challenge = await createChallenge({
+		hmacKey,
+		maxNumber: MAX_NUMBER,
+	});
+	return res.json(challenge);
+});
diff --git a/server/community/api.ts b/server/community/api.ts
index fdc2bf9ea4..3446921e89 100644
--- a/server/community/api.ts
+++ b/server/community/api.ts
@@ -4,7 +4,9 @@ import { Op } from 'sequelize';
 import { setSubdomain } from 'server/dev/api';
 import { WorkerTask } from 'server/models';
 import { updateDiscussionCreationAccess } from 'server/publicPermissions/queries';
-import { ForbiddenError, NotFoundError } from 'server/utils/errors';
+import { verifyCaptchaPayload } from 'server/utils/captcha';
+import { BadRequestError, ForbiddenError, NotFoundError } from 'server/utils/errors';
+import { handleHoneypotTriggered, isHoneypotFilled } from 'server/utils/honeypot';
 import { addWorkerTask } from 'server/utils/workers';
 import { getWorkerTask } from 'server/workerTask/queries';
 import { contract } from 'utils/api/contract';
@@ -143,8 +145,31 @@ export const communityServer = s.router(contract.community, {
 		if (!req.user) {
 			throw new ForbiddenError();
 		}
+		if (isHoneypotFilled(req.body._honeypot)) {
+			await handleHoneypotTriggered(
+				expect(req.user).id,
+				'create-community',
+				String(req.body._honeypot),
+				{
+					content: req.body.title
+						? `title: ${req.body.title}, subdomain: ${req.body.subdomain}`
+						: undefined,
+				},
+			);
+			const subdomain = req.body.subdomain ?? 'community';
+			return {
+				body: `https://${subdomain}.pubpub.org`,
+				status: 201,
+			};
+		}
+		if (!(await verifyCaptchaPayload(req.body.altcha))) {
+			throw new BadRequestError(new Error('Please complete the verification and try again.'));
+		}
+		const body = { ...req.body };
+		delete body.altcha;
+		delete body._honeypot;
 		try {
-			const newCommunity = await createCommunity(req.body, req.user);
+			const newCommunity = await createCommunity(body, req.user);
 
 			if (isDevelopment()) {
 				await setSubdomain(newCommunity.subdomain);
@@ -168,7 +193,6 @@ export const communityServer = s.router(contract.community, {
 				};
 			}
 			console.error(e);
-
 			throw new Error('Failed to create community');
 		}
 	},
diff --git a/server/community/hooks.ts b/server/community/hooks.ts
index a9dace46a5..28c43321fd 100644
--- a/server/community/hooks.ts
+++ b/server/community/hooks.ts
@@ -3,7 +3,7 @@ import {
 	createCommunityUpdatedActivityItem,
 } from 'server/activityItem/queries';
 import { Community } from 'server/models';
-import { addSpamTagToCommunity } from 'server/spamTag/queries';
+import { addSpamTagToCommunity } from 'server/spamTag/communityQueries';
 import { createActivityHooks } from 'server/utils/activityHooks';
 import { defer } from 'server/utils/deferred';
 
diff --git a/server/community/queries.ts b/server/community/queries.ts
index 3d6b8bf50d..402bc209d8 100644
--- a/server/community/queries.ts
+++ b/server/community/queries.ts
@@ -16,7 +16,7 @@ import {
 	type User,
 	WorkerTask,
 } from 'server/models';
-import { getSpamTagForCommunity } from 'server/spamTag/queries';
+import { getSpamTagForCommunity } from 'server/spamTag/communityQueries';
 import { defer } from 'server/utils/deferred';
 import { sendCommunityAwaitingApprovalEmail } from 'server/utils/email/communitySpam';
 import { subscribeUser } from 'server/utils/mailchimp';
@@ -84,8 +84,8 @@ export const createCommunity = async (
 			heroTitle: inputValues.heroLogo ? '' : inputValues.title,
 			hideHeaderLogo: true,
 			heroText: description,
-			accentColorLight: inputValues.accentColorLight,
-			accentColorDark: inputValues.accentColorDark,
+			accentColorLight: inputValues.accentColorLight ?? '#ffffff',
+			accentColorDark: inputValues.accentColorDark ?? '#000000',
 			navigation: [{ type: 'page', id: homePageId }],
 			hideCreatePubButton: true,
 		},
diff --git a/server/discussion/api.ts b/server/discussion/api.ts
index fd780c7f82..5aea913c92 100644
--- a/server/discussion/api.ts
+++ b/server/discussion/api.ts
@@ -1,6 +1,8 @@
 import { Router } from 'express';
 
-import { ForbiddenError } from 'server/utils/errors';
+import { verifyCaptchaPayload } from 'server/utils/captcha';
+import { BadRequestError, ForbiddenError } from 'server/utils/errors';
+import { handleHoneypotTriggered, isHoneypotFilled } from 'server/utils/honeypot';
 import { wrap } from 'server/wrap';
 
 import { canReleaseDiscussions, getCreatePermission, getUpdatePermissions } from './permissions';
@@ -21,6 +23,7 @@ const getRequestIds = (req) => {
 		commentAccessHash: req.body.commentAccessHash,
 	};
 };
+
 router.post(
 	'/api/discussions',
 	wrap(async (req, res) => {
@@ -36,6 +39,43 @@ router.post(
 	}),
 );
 
+router.post(
+	'/api/discussions/fromForm',
+	wrap(async (req, res) => {
+		const requestIds = getRequestIds(req);
+		const canCreate = await getCreatePermission(requestIds);
+		if (!canCreate) {
+			throw new ForbiddenError();
+		}
+		if (isHoneypotFilled(req.body._honeypot)) {
+			if (req.user?.id)
+				await handleHoneypotTriggered(
+					req.user.id,
+					'create-discussion',
+					req.body._honeypot,
+					{
+						communityId: req.body.communityId,
+						pubId: req.body.pubId,
+						content:
+							typeof req.body.text === 'string'
+								? req.body.text.slice(0, 500)
+								: undefined,
+					},
+				);
+			throw new BadRequestError(new Error('Invalid submission.'));
+		}
+		const ok = await verifyCaptchaPayload(req.body.altcha);
+		if (!ok) {
+			throw new BadRequestError(new Error('Please complete the verification and try again.'));
+		}
+		const userId = (req.user?.id as string) || null;
+		const { altcha: _altcha, _honeypot, ...rest } = req.body;
+		const options = { ...rest, userId };
+		const newDiscussion = await createDiscussion(options);
+		return res.status(201).json(newDiscussion);
+	}),
+);
+
 router.put(
 	'/api/discussions',
 	wrap(async (req, res) => {
diff --git a/server/login/api.ts b/server/login/api.ts
index 1feec1ed24..8496119f2a 100644
--- a/server/login/api.ts
+++ b/server/login/api.ts
@@ -9,6 +9,7 @@ import { promisify } from 'util';
 
 import { User } from 'server/models';
 import { getSpamTagForUser } from 'server/spamTag/userQueries';
+import { verifyCaptchaPayload } from 'server/utils/captcha';
 import { assert } from 'utils/assert';
 import { getHashedUserId } from 'utils/caching/getHashedUserId';
 import { isDuqDuq, isProd } from 'utils/environment';
@@ -18,10 +19,13 @@ type Step1Result = [types.UserWithPrivateFields, null] | [null, types.UserWithPr
 type Step2Result = [types.UserWithPrivateFields, null] | [null, SetPasswordData];
 type Step3Result = [types.UserWithPrivateFields, null] | [null, types.UserWithPrivateFields[][]];
 
-export const loginRouteImplementation: AppRouteImplementation<typeof contract.auth.login> = async ({
-	req,
-	res,
-}) => {
+type LoginResult =
+	| { status: 201; body: 'success' }
+	| { status: 401; body: 'Login attempt failed' }
+	| { status: 403; body: string }
+	| { status: 500; body: string };
+
+const performLogin = (req: any, res: any): Promise<LoginResult> => {
 	const authenticate = new Promise<types.UserWithPrivateFields | null>((resolve, reject) => {
 		passport.authenticate('local', (authErr: Error, user: types.UserWithPrivateFields) => {
 			if (authErr) {
@@ -32,36 +36,24 @@ export const loginRouteImplementation: AppRouteImplementation<typeof contract.au
 	});
 	return authenticate
 		.then((user) => {
-			/* If authentication succeeded, we have a user */
 			if (user) {
 				return [user, null] as Step1Result;
 			}
-
-			/* If authentication did not succeed, we need to check if a legacy hash is valid */
 			const findUser = User.findOne({
 				where: { email: req.body.email },
 			});
-
 			return Promise.all([null, findUser]) as Promise<Step1Result>;
 		})
 		.then(([user, userData]) => {
 			if (user) {
 				return [user, null] as Step2Result;
 			}
-
-			/* If the login failed, and there is no
-			userData, then the email doesn't exist */
 			if (!userData) {
 				throw new Error('Invalid email');
 			}
-			/* If the login failed, but the email exists, and the
-			digest is already sha512, it's simply a wrong password */
 			if (userData.passwordDigest === 'sha512') {
 				throw new Error('Invalid password');
 			}
-
-			/* If the login failed, but the email exists, and the digest
-			is not sha512, we need to check for valid legacy hashes */
 			const pubpubSha1HashRaw = crypto.pbkdf2Sync(
 				req.body.password,
 				userData.salt,
@@ -88,8 +80,6 @@ export const loginRouteImplementation: AppRouteImplementation<typeof contract.au
 			if (!isLegacyValid) {
 				throw new Error('Invalid password');
 			}
-
-			/* If isLegacyValid, we need to update user to sha512 */
 			const setPassword = promisify((userData as any).setPassword.bind(userData));
 			return Promise.all([null, setPassword(req.body.password)]) as Promise<Step2Result>;
 		})
@@ -130,12 +120,9 @@ export const loginRouteImplementation: AppRouteImplementation<typeof contract.au
 					req.hostname.indexOf('pubpub.org') > -1 && { domain: '.pubpub.org' }),
 				...(isDuqDuq() &&
 					req.hostname.indexOf('pubpub.org') > -1 && { domain: '.duqduq.org' }),
-				maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days to match login cookies
+				maxAge: 30 * 24 * 60 * 60 * 1000,
 			});
-			return {
-				status: 201,
-				body: 'success',
-			} as const;
+			return { status: 201, body: 'success' } as const;
 		})
 		.catch((err) => {
 			if (err.message === 'ACCOUNT_RESTRICTED') {
@@ -151,3 +138,18 @@ export const loginRouteImplementation: AppRouteImplementation<typeof contract.au
 			return { status: 500, body: err.message } as const;
 		});
 };
+
+export const loginRouteImplementation: AppRouteImplementation<typeof contract.auth.login> = async ({
+	req,
+	res,
+}) => performLogin(req, res);
+
+export const loginFromFormRouteImplementation: AppRouteImplementation<
+	typeof contract.auth.loginFromForm
+> = async ({ req, res }) => {
+	const ok = await verifyCaptchaPayload(req.body.altcha);
+	if (!ok) {
+		return { status: 400, body: 'Please complete the verification and try again.' } as const;
+	}
+	return performLogin(req, res);
+};
diff --git a/server/pub/api.ts b/server/pub/api.ts
index 4f8c07679b..edaecb8e2c 100644
--- a/server/pub/api.ts
+++ b/server/pub/api.ts
@@ -10,9 +10,11 @@ import { prepareResource, submitResource } from 'deposit/datacite/deposit';
 import { transformPubToResource } from 'deposit/transform/pub';
 import { assertValidResource } from 'deposit/validate';
 import { generateDoi } from 'server/doi/queries';
-import { ForbiddenError, NotFoundError } from 'server/utils/errors';
+import { verifyCaptchaPayload } from 'server/utils/captcha';
+import { BadRequestError, ForbiddenError, NotFoundError } from 'server/utils/errors';
 import { getPubDraftDoc } from 'server/utils/firebaseAdmin';
 import { writeDocumentToPubDraft } from 'server/utils/firebaseTools';
+import { handleHoneypotTriggered, isHoneypotFilled } from 'server/utils/honeypot';
 import { getInitialData } from 'server/utils/initData';
 import { contract } from 'utils/api/contract';
 import { indexByProperty } from 'utils/arrays';
@@ -106,11 +108,35 @@ export const pubServer = s.router(contract.pub, {
 			{ communityId: ids.communityId, collectionIds, ...createParams },
 			ids.userId,
 		);
-		const jsonedPub = newPub.toJSON();
-		return {
-			status: 201,
-			body: jsonedPub,
-		};
+		return { status: 201, body: newPub.toJSON() };
+	},
+	createFromForm: async ({ body, req }) => {
+		if (isHoneypotFilled(body._honeypot)) {
+			if (req.user?.id)
+				await handleHoneypotTriggered(req.user.id, 'create-pub', body._honeypot as string, {
+					communityId: body.communityId as string | undefined,
+				});
+			throw new BadRequestError(new Error('Invalid submission.'));
+		}
+		if (!(await verifyCaptchaPayload(body.altcha))) {
+			throw new BadRequestError(new Error('Please complete the verification and try again.'));
+		}
+		const { altcha: _altcha, _honeypot, ...bodyStripped } = body;
+		const ids = getRequestIds(bodyStripped, req.user);
+		const { create, collectionIds } = await canCreatePub(ids);
+		if (!create) {
+			throw new ForbiddenError();
+		}
+		const createParams = omitKeys(bodyStripped, [
+			'communityId',
+			'collectionId',
+			'createPubToken',
+		]);
+		const newPub = await createPub(
+			{ communityId: ids.communityId, collectionIds, ...createParams },
+			ids.userId,
+		);
+		return { status: 201, body: newPub.toJSON() };
 	},
 	update: async ({ body, req }) => {
 		const { userId, pubId } = getRequestIds(body, req.user);
diff --git a/server/routes/superAdminDashboard.tsx b/server/routes/superAdminDashboard.tsx
index 59512adbf6..c4e8976c25 100644
--- a/server/routes/superAdminDashboard.tsx
+++ b/server/routes/superAdminDashboard.tsx
@@ -8,8 +8,8 @@ import { filtersById as spamFiltersById } from 'client/containers/SuperAdminDash
 import { filtersById as spamUsersFiltersById } from 'client/containers/SuperAdminDashboard/UserSpam/filters';
 import Html from 'server/Html';
 import { getLandingPageFeatures } from 'server/landingPageFeature/queries';
-import { queryCommunitiesForSpamManagement } from 'server/spamTag/communities';
-import { queryUsersForSpamManagement } from 'server/spamTag/users';
+import { queryCommunitiesForSpamManagement } from 'server/spamTag/communityDashboard';
+import { queryUsersForSpamManagement } from 'server/spamTag/userDashboard';
 import { ForbiddenError, handleErrors, NotFoundError } from 'server/utils/errors';
 import { getInitialData } from 'server/utils/initData';
 import { generateMetaComponents, renderToNodeStream } from 'server/utils/ssr';
diff --git a/server/routes/user.tsx b/server/routes/user.tsx
index b827738f40..adbb309dcd 100644
--- a/server/routes/user.tsx
+++ b/server/routes/user.tsx
@@ -7,6 +7,7 @@ import { Router } from 'express';
 import { isUserAffiliatedWithCommunity } from 'server/community/queries';
 import { getCustomScriptsForCommunity } from 'server/customScript/queries';
 import Html from 'server/Html';
+import { getSpamTagForUser } from 'server/spamTag/userQueries';
 import { handleErrors } from 'server/utils/errors';
 import { getInitialData } from 'server/utils/initData';
 import { getUser } from 'server/utils/queryHelpers';
@@ -61,6 +62,15 @@ router.get(['/user/:slug', '/user/:slug/:mode'], async (req, res, next) => {
 			? await getCustomScriptsForCommunity(initialData.communityData.id)
 			: undefined;
 		const userData = expect(await getUser(req.params.slug, initialData));
+		const isSuperAdmin = !!initialData.loginData?.isSuperAdmin;
+
+		if (!isSuperAdmin) {
+			const spamTag = await getSpamTagForUser(userData.id);
+			if (spamTag?.status === 'confirmed-spam') {
+				throw new Error('User Not Found');
+			}
+		}
+
 		const isNewishUser = Date.now() - Number(userData.createdAt.valueOf()) < 1000 * 86400 * 30;
 
 		if (!initialData.locationData.isBasePubPub) {
diff --git a/server/signup/api.ts b/server/signup/api.ts
index 0d0e6180a3..2dfa7e1e42 100644
--- a/server/signup/api.ts
+++ b/server/signup/api.ts
@@ -1,14 +1,23 @@
 import { Router } from 'express';
 
+import { verifyCaptchaPayload } from 'server/utils/captcha';
+import { isHoneypotFilled } from 'server/utils/honeypot';
+
 import { createSignup, DuplicateEmailError } from './queries';
 
 export const router = Router();
 
-router.post('/api/signup', (req, res) => {
-	return createSignup(req.body, req.hostname)
-		.then(() => {
-			return res.status(201).json(true);
-		})
+router.post('/api/signup', async (req, res) => {
+	if (isHoneypotFilled(req.body._honeypot)) {
+		return res.status(201).json(true);
+	}
+	const ok = await verifyCaptchaPayload(req.body.altcha);
+	if (!ok) {
+		return res.status(400).json('Please complete the verification and try again.');
+	}
+	const { _honeypot, altcha: _altcha, ...body } = req.body;
+	return createSignup(body, req.hostname)
+		.then(() => res.status(201).json(true))
 		.catch((err) => {
 			if (err instanceof DuplicateEmailError) {
 				return res.status(409).json(err.message);
diff --git a/server/spamTag/__tests__/api.test.ts b/server/spamTag/__tests__/api.test.ts
index 85b785559a..38cd144d9a 100644
--- a/server/spamTag/__tests__/api.test.ts
+++ b/server/spamTag/__tests__/api.test.ts
@@ -3,7 +3,7 @@ import { vi } from 'vitest';
 import { SpamTag } from 'server/models';
 import { login, modelize, setup, teardown } from 'stubstub';
 
-import { addSpamTagToCommunity } from '../queries';
+import { addSpamTagToCommunity } from '../communityQueries';
 
 const {
 	sendCommunityApprovedEmail,
diff --git a/server/spamTag/__tests__/userQueries.test.ts b/server/spamTag/__tests__/userQueries.test.ts
new file mode 100644
index 0000000000..d0e020c67c
--- /dev/null
+++ b/server/spamTag/__tests__/userQueries.test.ts
@@ -0,0 +1,107 @@
+import { SpamTag } from 'server/models';
+import { modelize, setup, teardown } from 'stubstub';
+
+import {
+	addSpamTagToUser,
+	getSpamTagForUser,
+	removeSpamTagFromUser,
+	updateSpamTagForUser,
+} from '../userQueries';
+
+const models = modelize`
+	User userA {}
+	User userB {}
+	User userC {}
+`;
+
+setup(beforeAll, models.resolve);
+teardown(afterAll);
+
+describe('addSpamTagToUser', () => {
+	it('creates a spam tag for a user that has none', async () => {
+		const { userA } = models;
+		const tag = await addSpamTagToUser(userA.id);
+		expect(tag).toBeTruthy();
+		expect(tag.status).toBe('unreviewed');
+		expect(tag.spamScore).toBeGreaterThanOrEqual(0);
+	});
+
+	it('merges fields when a spam tag already exists', async () => {
+		const { userA } = models;
+		await addSpamTagToUser(userA.id, { suspiciousFiles: ['/file-a.html'] });
+		await addSpamTagToUser(userA.id, { suspiciousFiles: ['/file-b.html'] });
+		const tag = await getSpamTagForUser(userA.id);
+		expect(tag).toBeTruthy();
+		expect(tag!.fields.suspiciousFiles).toEqual(
+			expect.arrayContaining(['/file-a.html', '/file-b.html']),
+		);
+	});
+
+	it('accumulates honeypot triggers', async () => {
+		const { userB } = models;
+		await addSpamTagToUser(userB.id, {
+			honeypotTriggers: [{ honeypot: 'create-community', value: 'bot-website.com' }],
+		});
+		await addSpamTagToUser(userB.id, {
+			honeypotTriggers: [{ honeypot: 'create-pub', value: 'spam-description' }],
+		});
+		const tag = await getSpamTagForUser(userB.id);
+		expect(tag!.fields.honeypotTriggers).toHaveLength(2);
+		expect(tag!.fields.honeypotTriggers).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({ honeypot: 'create-community' }),
+				expect.objectContaining({ honeypot: 'create-pub' }),
+			]),
+		);
+	});
+});
+
+describe('updateSpamTagForUser', () => {
+	it('updates the status of an existing spam tag', async () => {
+		const { userA } = models;
+		await updateSpamTagForUser({ userId: userA.id, status: 'confirmed-spam' });
+		const tag = await getSpamTagForUser(userA.id);
+		expect(tag!.status).toBe('confirmed-spam');
+		expect(tag!.statusUpdatedAt).toBeTruthy();
+	});
+
+	it('throws when the user has no spam tag', async () => {
+		const { userC } = models;
+		await expect(
+			updateSpamTagForUser({ userId: userC.id, status: 'confirmed-spam' }),
+		).rejects.toThrow('User is missing a SpamTag');
+	});
+});
+
+describe('getSpamTagForUser', () => {
+	it('returns null for a user with no spam tag', async () => {
+		const { userC } = models;
+		const tag = await getSpamTagForUser(userC.id);
+		expect(tag).toBeNull();
+	});
+
+	it('returns the spam tag for a user that has one', async () => {
+		const { userA } = models;
+		const tag = await getSpamTagForUser(userA.id);
+		expect(tag).toBeTruthy();
+		expect(tag!.id).toBeTruthy();
+	});
+});
+
+describe('removeSpamTagFromUser', () => {
+	it('removes the spam tag from a user', async () => {
+		const { userB } = models;
+		const tagBefore = await getSpamTagForUser(userB.id);
+		expect(tagBefore).toBeTruthy();
+		await removeSpamTagFromUser(userB.id);
+		const tagAfter = await getSpamTagForUser(userB.id);
+		expect(tagAfter).toBeNull();
+		const dbTag = await SpamTag.findByPk(tagBefore!.id);
+		expect(dbTag).toBeNull();
+	});
+
+	it('does nothing if the user has no spam tag', async () => {
+		const { userC } = models;
+		await expect(removeSpamTagFromUser(userC.id)).resolves.toBeUndefined();
+	});
+});
diff --git a/server/spamTag/api.ts b/server/spamTag/api.ts
index edb16172c6..914dd986e9 100644
--- a/server/spamTag/api.ts
+++ b/server/spamTag/api.ts
@@ -1,22 +1,19 @@
 import { Router } from 'express';
 
-import { SpamTag, User } from 'server/models';
-import { sendSpamBanEmail, sendSpamLiftedEmail } from 'server/utils/email';
 import { ForbiddenError } from 'server/utils/errors';
-import { deleteSessionsForUser } from 'server/utils/session';
 import { wrap } from 'server/wrap';
 import { expect } from 'utils/assert';
 
-import { queryCommunitiesForSpamManagement } from './communities';
+import { queryCommunitiesForSpamManagement } from './communityDashboard';
+import { updateSpamTagForCommunity } from './communityQueries';
 import { canManipulateSpamTags } from './permissions';
-import { updateSpamTagForCommunity } from './queries';
+import { queryUsersForSpamManagement } from './userDashboard';
 import {
 	addSpamTagToUser,
 	getSpamTagForUser,
 	removeSpamTagFromUser,
 	updateSpamTagForUser,
 } from './userQueries';
-import { queryUsersForSpamManagement } from './users';
 
 export const router = Router();
 
@@ -41,39 +38,24 @@ router.put(
 		if (!canUpdate) {
 			throw new ForbiddenError();
 		}
+		const actorId = req.user?.id;
+		const actorName = (req.user as any)?.fullName ?? 'Unknown';
 		const existingTag = await getSpamTagForUser(userId);
 		if (!existingTag) {
 			await addSpamTagToUser(userId);
 		}
-		await updateSpamTagForUser({ userId, status });
-		const user = await User.findOne({
-			where: { id: userId },
-			attributes: ['email', 'fullName'],
-		});
-
-		if (user?.email) {
-			try {
-				if (status === 'confirmed-spam') {
-					try {
-						await deleteSessionsForUser(user?.email ?? '');
-					} catch (err) {
-						console.error('Failed to delete sessions for banned user', userId, err);
-					}
-
-					await sendSpamBanEmail({
-						toEmail: user.email,
-						userName: user.fullName ?? '',
-					});
-				} else if (status === 'confirmed-not-spam') {
-					await sendSpamLiftedEmail({
-						toEmail: user.email,
-						userName: user.fullName ?? '',
-					});
-				}
-			} catch (err) {
-				console.error('Failed to send spam status email', err);
-			}
+		if (status === 'confirmed-spam' && actorId) {
+			await addSpamTagToUser(userId, {
+				manuallyMarkedBy: [
+					{
+						userId: actorId,
+						userName: actorName,
+						at: new Date().toISOString(),
+					},
+				],
+			});
 		}
+		await updateSpamTagForUser({ userId, status, actorId, actorName });
 		return res.status(200).send({});
 	}),
 );
diff --git a/server/spamTag/communities.ts b/server/spamTag/communityDashboard.ts
similarity index 100%
rename from server/spamTag/communities.ts
rename to server/spamTag/communityDashboard.ts
diff --git a/server/spamTag/queries.ts b/server/spamTag/communityQueries.ts
similarity index 97%
rename from server/spamTag/queries.ts
rename to server/spamTag/communityQueries.ts
index ad25e8db5a..bcb630bf77 100644
--- a/server/spamTag/queries.ts
+++ b/server/spamTag/communityQueries.ts
@@ -9,7 +9,7 @@ import {
 import { postToSlackAboutCommunityStatusChange } from 'server/utils/slack';
 import { expect } from 'utils/assert';
 
-import { getSuspectedCommunitySpamVerdict } from './score';
+import { getSuspectedCommunitySpamVerdict } from './communityScore';
 
 // Adding a spam tag doesn't imply that the Community _is_ spam, only that we have a score for it.
 export const addSpamTagToCommunity = async (communityId: string) => {
diff --git a/server/spamTag/score.ts b/server/spamTag/communityScore.ts
similarity index 100%
rename from server/spamTag/score.ts
rename to server/spamTag/communityScore.ts
diff --git a/server/spamTag/users.ts b/server/spamTag/userDashboard.ts
similarity index 100%
rename from server/spamTag/users.ts
rename to server/spamTag/userDashboard.ts
diff --git a/server/spamTag/userQueries.ts b/server/spamTag/userQueries.ts
index 92a029932b..8714a07f5e 100644
--- a/server/spamTag/userQueries.ts
+++ b/server/spamTag/userQueries.ts
@@ -1,19 +1,24 @@
 import type * as types from 'types';
-import type { SpamStatus } from 'types';
+import type { SpamStatus, UserSpamTagFields } from 'types';
 
 import mergeWith from 'lodash.mergewith';
 
 import { SpamTag, User } from 'server/models';
+import { sendNewSpamTagDevEmail, sendSpamBanEmail, sendSpamLiftedEmail } from 'server/utils/email';
+import { deleteSessionsForUser } from 'server/utils/session';
+import {
+	postToSlackAboutNewUserSpamTag,
+	postToSlackAboutUserBan,
+	postToSlackAboutUserLifted,
+} from 'server/utils/slack';
 import { expect } from 'utils/assert';
 
 import { getSuspectedUserSpamVerdict } from './userScore';
 
-type SpamTagFields = {
-	suspiciousFiles?: string[];
-	suspiciousComments?: string[];
-};
-
-const mergeSpamTagFields = (spamTag: Pick<SpamTag, 'fields'>, fields?: SpamTagFields) => {
+const mergeSpamTagFields = (
+	spamTag: Pick<SpamTag, 'fields'> | { fields: UserSpamTagFields },
+	fields?: UserSpamTagFields,
+) => {
 	if (!fields) {
 		return spamTag;
 	}
@@ -32,7 +37,7 @@ const mergeSpamTagFields = (spamTag: Pick<SpamTag, 'fields'>, fields?: SpamTagFi
 	};
 };
 
-export const addSpamTagToUser = async (userId: string, fields?: SpamTagFields) => {
+export const addSpamTagToUser = async (userId: string, fields?: UserSpamTagFields) => {
 	const user = expect(
 		await User.findOne({
 			where: { id: userId },
@@ -42,9 +47,11 @@ export const addSpamTagToUser = async (userId: string, fields?: SpamTagFields) =
 	const verdict = getSuspectedUserSpamVerdict(user);
 	const { spamTag } = user;
 	if (spamTag) {
-		const mergedSpamTag = mergeSpamTagFields(verdict, fields);
+		// preserve existing fields, then layer on the new ones
+		const withExisting = mergeSpamTagFields(verdict, spamTag.fields as UserSpamTagFields);
+		const merged = mergeSpamTagFields(withExisting, fields);
 
-		await spamTag.update(mergedSpamTag as types.SpamVerdict<SpamTag>);
+		await spamTag.update(merged as types.SpamVerdict<SpamTag>);
 		return spamTag;
 	}
 	const newMergedSpamTag = mergeSpamTagFields(verdict, fields);
@@ -57,12 +64,31 @@ export const addSpamTagToUser = async (userId: string, fields?: SpamTagFields) =
 			individualHooks: false,
 		},
 	);
+	notifyNewSpamTag(userId, user, newSpamTag).catch((err) =>
+		console.error('Failed to send new spam tag notifications', err),
+	);
 	return newSpamTag;
 };
 
+const notifyNewSpamTag = async (userId: string, user: User, spamTag: SpamTag) => {
+	const email = user.email ?? '';
+	const name = user.fullName ?? '';
+	const slug = user.slug ?? '';
+	if (!email) return;
+	await postToSlackAboutNewUserSpamTag({
+		userId,
+		userName: name,
+		userSlug: slug,
+		spamScore: spamTag.spamScore,
+	});
+	await sendNewSpamTagDevEmail({ userEmail: email, userName: name });
+};
+
 type UpdateSpamTagForUserOptions = {
 	userId: string;
 	status: SpamStatus;
+	actorId?: string;
+	actorName?: string;
 };
 
 export const getSpamTagForUser = async (userId: string) => {
@@ -76,13 +102,60 @@ export const getSpamTagForUser = async (userId: string) => {
 };
 
 export const updateSpamTagForUser = async (options: UpdateSpamTagForUserOptions) => {
-	const { userId, status } = options;
+	const { userId, status, actorId, actorName } = options;
 	const spamTag = await getSpamTagForUser(userId);
-	if (spamTag) {
-		await spamTag.update({ status, statusUpdatedAt: new Date() });
-	} else {
+	if (!spamTag) {
 		throw new Error('User is missing a SpamTag');
 	}
+	await spamTag.update({ status, statusUpdatedAt: new Date() });
+	await applySpamStatusSideEffects(userId, status, spamTag, actorId, actorName);
+};
+
+const applySpamStatusSideEffects = async (
+	userId: string,
+	status: SpamStatus,
+	spamTag: SpamTag,
+	actorId?: string,
+	actorName?: string,
+) => {
+	const user = await User.findOne({
+		where: { id: userId },
+		attributes: ['email', 'fullName', 'slug', 'avatar'],
+	});
+	if (!user?.email) return;
+	const userName = user.fullName ?? '';
+	try {
+		if (status === 'confirmed-spam') {
+			try {
+				await deleteSessionsForUser(user.email);
+			} catch (err) {
+				console.error('Failed to delete sessions for banned user', userId, err);
+			}
+			if (process.env.NODE_ENV === 'production') {
+				await sendSpamBanEmail({ toEmail: user.email, userName });
+			}
+			await postToSlackAboutUserBan({
+				userId,
+				userName,
+				userSlug: user.slug,
+				userAvatar: user.avatar,
+				reason: spamTag.fields as UserSpamTagFields,
+				actorName,
+			});
+		} else if (status === 'confirmed-not-spam') {
+			if (process.env.NODE_ENV === 'production') {
+				await sendSpamLiftedEmail({ toEmail: user.email, userName });
+			}
+			await postToSlackAboutUserLifted({
+				userId,
+				userName,
+				userSlug: user.slug,
+				actorName,
+			});
+		}
+	} catch (err) {
+		console.error('Failed to send spam status email', err);
+	}
 };
 
 export const removeSpamTagFromUser = async (userId: string) => {
diff --git a/server/threadComment/api.ts b/server/threadComment/api.ts
index 36980f2aac..4eee1e9b58 100644
--- a/server/threadComment/api.ts
+++ b/server/threadComment/api.ts
@@ -1,6 +1,8 @@
 import { Router } from 'express';
 
-import { ForbiddenError } from 'server/utils/errors';
+import { verifyCaptchaPayload } from 'server/utils/captcha';
+import { BadRequestError, ForbiddenError } from 'server/utils/errors';
+import { handleHoneypotTriggered, isHoneypotFilled } from 'server/utils/honeypot';
 import { wrap } from 'server/wrap';
 
 import { getPermissions } from './permissions';
@@ -37,6 +39,43 @@ router.post(
 	}),
 );
 
+router.post(
+	'/api/threadComment/fromForm',
+	wrap(async (req, res) => {
+		const requestIds = getRequestIds(req);
+		const permissions = await getPermissions(requestIds);
+		if (!permissions.create) {
+			throw new ForbiddenError();
+		}
+		if (isHoneypotFilled(req.body._honeypot)) {
+			if (req.user?.id)
+				await handleHoneypotTriggered(
+					req.user.id,
+					'create-thread-comment',
+					req.body._honeypot,
+					{
+						communityId: req.body.communityId,
+						pubId: req.body.pubId,
+						content:
+							typeof req.body.text === 'string'
+								? req.body.text.slice(0, 500)
+								: undefined,
+					},
+				);
+			throw new BadRequestError(new Error('Invalid submission.'));
+		}
+		const ok = await verifyCaptchaPayload(req.body.altcha);
+		if (!ok) {
+			throw new BadRequestError(new Error('Please complete the verification and try again.'));
+		}
+		const userId = (req.user?.id as string) || null;
+		const { altcha: _altcha, _honeypot, ...rest } = req.body;
+		const options = { ...rest, userId };
+		const newThreadComment = await createThreadComment(options);
+		return res.status(201).json(newThreadComment);
+	}),
+);
+
 router.put(
 	'/api/threadComment',
 	wrap(async (req, res) => {
diff --git a/server/user/api.ts b/server/user/api.ts
index 71b675e950..59b6bb58ac 100644
--- a/server/user/api.ts
+++ b/server/user/api.ts
@@ -2,7 +2,9 @@ import { Router } from 'express';
 import passport from 'passport';
 import { z } from 'zod';
 
+import { verifyCaptchaPayload } from 'server/utils/captcha';
 import { BadRequestError, NotFoundError } from 'server/utils/errors';
+import { handleHoneypotTriggered, isHoneypotFilled } from 'server/utils/honeypot';
 import { wrap } from 'server/wrap';
 import { getHashedUserId } from 'utils/caching/getHashedUserId';
 import { isDuqDuq, isProd } from 'utils/environment';
@@ -22,33 +24,41 @@ const getRequestIds = (req) => {
 	};
 };
 
-router.post('/api/users', (req, res) => {
+router.post('/api/users', async (req, res) => {
 	const requestIds = getRequestIds(req);
-	getPermissions(requestIds)
-		.then((permissions) => {
-			if (!permissions.create) {
-				throw new Error('Not Authorized');
-			}
-			return createUser(req.body);
-		})
-		.then((newUser) => {
-			passport.authenticate('local')(req, res, () => {
-				const hashedUserId = getHashedUserId(newUser);
-
-				res.cookie('pp-lic', `pp-li-${hashedUserId}`, {
-					...(isProd() &&
-						req.hostname.indexOf('pubpub.org') > -1 && { domain: '.pubpub.org' }),
-					...(isDuqDuq() &&
-						req.hostname.indexOf('pubpub.org') > -1 && { domain: '.duqduq.org' }),
-					maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days to match login cookies
-				});
-				return res.status(201).json(newUser);
+	try {
+		const permissions = await getPermissions(requestIds);
+		if (!permissions.create) {
+			throw new Error('Not Authorized');
+		}
+		const ok = await verifyCaptchaPayload(req.body.altcha);
+		if (!ok) {
+			return res.status(400).json('Please complete the verification and try again.');
+		}
+		const body = { ...req.body };
+		delete body.altcha;
+		delete body._honeypot;
+		const newUser = await createUser(body);
+		if (isHoneypotFilled(req.body._honeypot)) {
+			await handleHoneypotTriggered(newUser.id, 'create-user', req.body._honeypot, {
+				content: req.body.fullName ? `name: ${req.body.fullName}` : undefined,
 			});
-		})
-		.catch((err) => {
-			console.error('Error in postUser: ', err);
-			return res.status(500).json(err.message);
+		}
+		passport.authenticate('local')(req, res, () => {
+			const hashedUserId = getHashedUserId(newUser);
+			res.cookie('pp-lic', `pp-li-${hashedUserId}`, {
+				...(isProd() &&
+					req.hostname.indexOf('pubpub.org') > -1 && { domain: '.pubpub.org' }),
+				...(isDuqDuq() &&
+					req.hostname.indexOf('pubpub.org') > -1 && { domain: '.duqduq.org' }),
+				maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days to match login cookies
+			});
+			return res.status(201).json(newUser);
 		});
+	} catch (err) {
+		console.error('Error in postUser: ', err);
+		return res.status(500).json(err instanceof Error ? err.message : 'Error');
+	}
 });
 
 const uuidParser = z.string().uuid();
@@ -78,11 +88,31 @@ router.put('/api/users', (req, res) => {
 			}
 			return updateUser(req.body, permissions.update, req);
 		})
-		.then((updatedValues) => {
-			return res.status(201).json(updatedValues);
-		})
+		.then((updatedValues) => res.status(201).json(updatedValues))
 		.catch((err) => {
 			console.error('Error in putUser: ', err);
-			return res.status(500).json(err.message);
+			return res.status(500).json(err instanceof Error ? err.message : 'Error');
 		});
 });
+
+router.put('/api/users/fromForm', async (req, res) => {
+	try {
+		const permissions = await getPermissions(getRequestIds(req));
+		if (!permissions.update) {
+			throw new Error('Not Authorized');
+		}
+		if (isHoneypotFilled(req.body._honeypot)) {
+			if (req.user?.id)
+				await handleHoneypotTriggered(req.user.id, 'edit-user', req.body._honeypot, {
+					content: req.body.fullName ? `name: ${req.body.fullName}` : undefined,
+				});
+		}
+		const body = { ...req.body };
+		delete body._honeypot;
+		const updatedValues = await updateUser(body, permissions.update, req);
+		return res.status(201).json(updatedValues);
+	} catch (err) {
+		console.error('Error in putUser fromForm: ', err);
+		return res.status(500).json(err instanceof Error ? err.message : 'Error');
+	}
+});
diff --git a/server/utils/__tests__/captcha.test.ts b/server/utils/__tests__/captcha.test.ts
new file mode 100644
index 0000000000..16c0b7acc5
--- /dev/null
+++ b/server/utils/__tests__/captcha.test.ts
@@ -0,0 +1,73 @@
+import { createChallenge, solveChallenge } from 'altcha-lib';
+
+import { getAltchaHmacKey, verifyCaptchaPayload } from '../captcha';
+
+const createValidPayload = async (): Promise<string> => {
+	const hmacKey = getAltchaHmacKey();
+	const challenge = await createChallenge({ hmacKey, maxNumber: 1000 });
+	const { promise } = solveChallenge(
+		challenge.challenge,
+		challenge.salt,
+		challenge.algorithm,
+		challenge.maxnumber,
+	);
+	const solution = await promise;
+	if (!solution) throw new Error('failed to solve challenge');
+	return btoa(
+		JSON.stringify({
+			algorithm: challenge.algorithm,
+			challenge: challenge.challenge,
+			number: solution.number,
+			salt: challenge.salt,
+			signature: challenge.signature,
+		}),
+	);
+};
+
+beforeAll(() => {
+	process.env.BYPASS_CAPTCHA = undefined;
+});
+
+afterAll(() => {
+	process.env.BYPASS_CAPTCHA = 'true';
+});
+
+describe('verifyCaptchaPayload', () => {
+	it('returns false for empty or missing payload', async () => {
+		expect(await verifyCaptchaPayload('')).toBe(false);
+		expect(await verifyCaptchaPayload(null)).toBe(false);
+		expect(await verifyCaptchaPayload(undefined)).toBe(false);
+	});
+
+	it('returns false for an invalid payload string', async () => {
+		expect(await verifyCaptchaPayload('not-a-valid-payload')).toBe(false);
+	});
+
+	it('returns true for a correctly solved challenge', async () => {
+		const payload = await createValidPayload();
+		expect(await verifyCaptchaPayload(payload)).toBe(true);
+	});
+
+	it('returns false for a payload with a wrong solution number', async () => {
+		const hmacKey = getAltchaHmacKey();
+		const challenge = await createChallenge({ hmacKey, maxNumber: 1000 });
+		const tampered = btoa(
+			JSON.stringify({
+				algorithm: challenge.algorithm,
+				challenge: challenge.challenge,
+				number: 999999,
+				salt: challenge.salt,
+				signature: challenge.signature,
+			}),
+		);
+		expect(await verifyCaptchaPayload(tampered)).toBe(false);
+	});
+});
+
+describe('getAltchaHmacKey', () => {
+	it('returns the dev key in non-production mode', () => {
+		const key = getAltchaHmacKey();
+		expect(typeof key).toBe('string');
+		expect(key.length).toBeGreaterThan(0);
+	});
+});
diff --git a/server/utils/__tests__/honeypot.test.ts b/server/utils/__tests__/honeypot.test.ts
new file mode 100644
index 0000000000..6c4be5fa53
--- /dev/null
+++ b/server/utils/__tests__/honeypot.test.ts
@@ -0,0 +1,28 @@
+import { isHoneypotFilled } from '../honeypot';
+
+describe('isHoneypotFilled', () => {
+	it('returns false for null and undefined', () => {
+		expect(isHoneypotFilled(null)).toBe(false);
+		expect(isHoneypotFilled(undefined)).toBe(false);
+	});
+
+	it('returns false for an empty string', () => {
+		expect(isHoneypotFilled('')).toBe(false);
+	});
+
+	it('returns false for a whitespace-only string', () => {
+		expect(isHoneypotFilled('   ')).toBe(false);
+		expect(isHoneypotFilled('\t\n')).toBe(false);
+	});
+
+	it('returns true for a non-empty string', () => {
+		expect(isHoneypotFilled('bot-value')).toBe(true);
+		expect(isHoneypotFilled('a')).toBe(true);
+	});
+
+	it('returns true for non-string truthy values', () => {
+		expect(isHoneypotFilled(42)).toBe(true);
+		expect(isHoneypotFilled(true)).toBe(true);
+		expect(isHoneypotFilled({})).toBe(true);
+	});
+});
diff --git a/server/utils/__tests__/honeypotIntegration.test.ts b/server/utils/__tests__/honeypotIntegration.test.ts
new file mode 100644
index 0000000000..ab261f655d
--- /dev/null
+++ b/server/utils/__tests__/honeypotIntegration.test.ts
@@ -0,0 +1,56 @@
+import { getSpamTagForUser } from 'server/spamTag/userQueries';
+import { modelize, setup, teardown } from 'stubstub';
+
+import { handleHoneypotTriggered, isHoneypotFilled } from '../honeypot';
+
+const models = modelize`
+	User userA {}
+	User userB {}
+`;
+
+setup(beforeAll, models.resolve);
+teardown(afterAll);
+
+describe('handleHoneypotTriggered', () => {
+	it('does nothing if userId is null', async () => {
+		await expect(
+			handleHoneypotTriggered(null, 'create-community', 'spam'),
+		).resolves.toBeUndefined();
+	});
+
+	it('creates a spam tag with confirmed-spam status and records the trigger', async () => {
+		const { userA } = models;
+		await handleHoneypotTriggered(userA.id, 'create-community', 'bot-website.com');
+		const tag = await getSpamTagForUser(userA.id);
+		expect(tag).toBeTruthy();
+		expect(tag!.status).toBe('confirmed-spam');
+		expect(tag!.fields.honeypotTriggers).toEqual(
+			expect.arrayContaining([
+				expect.objectContaining({
+					honeypot: 'create-community',
+					value: 'bot-website.com',
+				}),
+			]),
+		);
+	});
+
+	it('appends a second trigger to an existing spam tag', async () => {
+		const { userA } = models;
+		await handleHoneypotTriggered(userA.id, 'create-pub', 'spammy-description');
+		const tag = await getSpamTagForUser(userA.id);
+		expect(tag!.fields.honeypotTriggers).toHaveLength(2);
+	});
+});
+
+describe('isHoneypotFilled + handleHoneypotTriggered integration', () => {
+	it('correctly identifies a filled honeypot and marks the user', async () => {
+		const { userB } = models;
+		const honeypotValue = 'i-am-a-bot';
+		if (isHoneypotFilled(honeypotValue)) {
+			await handleHoneypotTriggered(userB.id, 'edit-user', honeypotValue);
+		}
+		const tag = await getSpamTagForUser(userB.id);
+		expect(tag).toBeTruthy();
+		expect(tag!.status).toBe('confirmed-spam');
+	});
+});
diff --git a/server/utils/captcha.ts b/server/utils/captcha.ts
new file mode 100644
index 0000000000..0947e190d3
--- /dev/null
+++ b/server/utils/captcha.ts
@@ -0,0 +1,39 @@
+import { verifySolution } from 'altcha-lib';
+
+import { isProd } from 'utils/environment';
+
+/**
+ * captcha + honeypot system
+ *
+ * captcha (altcha):
+ *   proof-of-work challenge verified server-side via HMAC. in prod, ALTCHA_HMAC_KEY
+ *   must be set. in dev/test the fallback key is used automatically.
+ *   set BYPASS_CAPTCHA=true to skip verification entirely (useful in tests).
+ *   to test captcha behavior specifically, unset BYPASS_CAPTCHA and use altcha-lib
+ *   to generate a valid payload with getAltchaHmacKey().
+ *
+ * honeypot:
+ *   hidden form fields with natural-looking names (e.g. "title", "description").
+ *   the client maps the value to `_honeypot` in the request body.
+ *   if filled, the user is tagged as confirmed-spam via handleHoneypotTriggered.
+ *   see server/utils/honeypot.ts.
+ */
+
+const DEV_HMAC_KEY = 'dev-altcha-hmac-key-do-not-use-in-production';
+
+export const getAltchaHmacKey = (): string => {
+	const key = process.env.ALTCHA_HMAC_KEY;
+	if (isProd() && !key) {
+		throw new Error('ALTCHA_HMAC_KEY must be set in production');
+	}
+	return key ?? DEV_HMAC_KEY;
+};
+
+export const isCaptchaBypassed = (): boolean => process.env.BYPASS_CAPTCHA === 'true';
+
+export const verifyCaptchaPayload = async (payload: unknown): Promise<boolean> => {
+	if (isCaptchaBypassed()) return true;
+	if (!payload || typeof payload !== 'string') return false;
+	const hmacKey = getAltchaHmacKey();
+	return verifySolution(payload, hmacKey);
+};
diff --git a/server/utils/email/reset.ts b/server/utils/email/reset.ts
index 6d809a4a39..8c3d0b2ac6 100644
--- a/server/utils/email/reset.ts
+++ b/server/utils/email/reset.ts
@@ -14,6 +14,7 @@ type SendEmailOptions = {
 	replyTo?: string;
 	to: string[];
 	cc?: string[];
+	bcc?: string[];
 	subject: string;
 } & Body;
 
@@ -31,6 +32,7 @@ export const sendEmail = (options: SendEmailOptions) => {
 		subject,
 		...('replyTo' in options && { 'h:Reply-To': options.replyTo }),
 		...('cc' in options && { cc: options.cc }),
+		...('bcc' in options && { bcc: options.bcc }),
 		...body,
 	});
 };
diff --git a/server/utils/email/spam.ts b/server/utils/email/spam.ts
index f2de76ff9c..6712c324a9 100644
--- a/server/utils/email/spam.ts
+++ b/server/utils/email/spam.ts
@@ -1,13 +1,15 @@
 import stripIndent from 'strip-indent';
 
+import { getSuperAdminTabUrl } from 'utils/superAdmin';
+
 import { sendEmail } from './reset';
 
-const CC_DEV = ['dev@pubpub.org'];
+export const DEV_TEAM_EMAIL = 'dev@pubpub.org';
 
 export const sendSpamBanEmail = ({ toEmail, userName }: { toEmail: string; userName: string }) => {
 	return sendEmail({
 		to: [toEmail],
-		cc: CC_DEV,
+		bcc: [DEV_TEAM_EMAIL],
 		subject: 'PubPub account restriction',
 		text: stripIndent(`
 			Hello${userName ? ` ${userName}` : ''},
@@ -31,7 +33,7 @@ export const sendSpamLiftedEmail = ({
 }) => {
 	return sendEmail({
 		to: [toEmail],
-		cc: CC_DEV,
+		bcc: [DEV_TEAM_EMAIL],
 		subject: 'PubPub account restriction lifted',
 		text: stripIndent(`
 			Hello${userName ? ` ${userName}` : ''},
@@ -43,3 +45,24 @@ export const sendSpamLiftedEmail = ({
 		`),
 	});
 };
+
+export const sendNewSpamTagDevEmail = ({
+	userEmail,
+	userName,
+}: {
+	userEmail: string;
+	userName: string;
+}) => {
+	const reviewUrl = `https://pubpub.org${getSuperAdminTabUrl('spamUsers')}?q=${encodeURIComponent(userEmail)}`;
+	return sendEmail({
+		to: [DEV_TEAM_EMAIL],
+		subject: `New spam tag: ${userName} (${userEmail})`,
+		text: stripIndent(`
+			A new spam tag has been created for ${userName} (${userEmail}).
+
+			Review: ${reviewUrl}
+
+			-- PubPub Spam System
+		`),
+	});
+};
diff --git a/server/utils/honeypot.ts b/server/utils/honeypot.ts
new file mode 100644
index 0000000000..338f7663bc
--- /dev/null
+++ b/server/utils/honeypot.ts
@@ -0,0 +1,44 @@
+import type { HoneypotContext, HoneypotTrigger } from 'types';
+
+import { Community, Pub } from 'server/models';
+import { addSpamTagToUser, updateSpamTagForUser } from 'server/spamTag/userQueries';
+
+export const isHoneypotFilled = (value: unknown): boolean => {
+	if (value == null) return false;
+	if (typeof value === 'string') return value.trim().length > 0;
+	return true;
+};
+
+const resolveHoneypotContext = async (
+	ctx?: HoneypotContext,
+): Promise<HoneypotContext | undefined> => {
+	if (!ctx) return undefined;
+	const resolved = { ...ctx };
+	if (ctx.communityId && !ctx.communitySubdomain) {
+		const community = await Community.findByPk(ctx.communityId, { attributes: ['subdomain'] });
+		if (community) resolved.communitySubdomain = community.subdomain;
+	}
+	if (ctx.pubId && !ctx.pubSlug) {
+		const pub = await Pub.findByPk(ctx.pubId, { attributes: ['slug'] });
+		if (pub) resolved.pubSlug = pub.slug;
+	}
+	delete resolved.communityId;
+	delete resolved.pubId;
+	return resolved;
+};
+
+export const handleHoneypotTriggered = async (
+	userId: string | null,
+	honeypot: HoneypotTrigger,
+	value: string,
+	context?: HoneypotContext,
+): Promise<void> => {
+	if (!userId) return;
+	const resolved = await resolveHoneypotContext(context);
+	await addSpamTagToUser(userId, {
+		honeypotTriggers: [
+			{ honeypot, value, context: resolved, triggeredAt: new Date().toISOString() },
+		],
+	});
+	await updateSpamTagForUser({ userId, status: 'confirmed-spam' });
+};
diff --git a/server/utils/queryHelpers/userGet.ts b/server/utils/queryHelpers/userGet.ts
index bed4c701b2..05ed06e014 100644
--- a/server/utils/queryHelpers/userGet.ts
+++ b/server/utils/queryHelpers/userGet.ts
@@ -1,10 +1,11 @@
-import { Pub, PubAttribution, User } from 'server/models';
+import { Pub, PubAttribution, SpamTag, User } from 'server/models';
 
 import buildPubOptions from './pubOptions';
 import sanitizePub from './pubSanitize';
 
 export default async (slug, initialData) => {
 	const sanitizedSlug = slug.toLowerCase();
+	const isSuperAdmin = !!initialData.loginData?.isSuperAdmin;
 	const userData = await User.findOne({
 		where: {
 			slug: sanitizedSlug,
@@ -30,6 +31,7 @@ export default async (slug, initialData) => {
 					},
 				],
 			},
+			...(isSuperAdmin ? [{ model: SpamTag, as: 'spamTag', required: false }] : []),
 		],
 	});
 
diff --git a/server/utils/slack.ts b/server/utils/slack.ts
index dfb45706a1..255c3fa00a 100644
--- a/server/utils/slack.ts
+++ b/server/utils/slack.ts
@@ -1,8 +1,8 @@
-import type { SpamStatus } from 'types';
+import type { SpamStatus, UserSpamTagFields } from 'types';
 
 import fetch from 'node-fetch';
 
-import { isDangerousSpamScore } from 'server/spamTag/score';
+import { isDangerousSpamScore } from 'server/spamTag/communityScore';
 import { isProd } from 'utils/environment';
 import { getSuperAdminTabUrl } from 'utils/superAdmin';
 
@@ -176,7 +176,6 @@ export const postToSlackAboutNewCommunity = async (opts: NewCommunitySlackOption
 	const isDangerous = typeof spamScore === 'number' && isDangerousSpamScore(spamScore);
 
 	const envSuffix = isProd() ? '' : ' _(dev, ignore)_';
-	// top-level text is what shows in phone/desktop notifications
 	const notificationText = `New Community: ${title} by ${adminName} (${adminEmail})${envSuffix}`;
 
 	const sidebarColor = isDangerous ? '#d9534f' : accentColorDark || '#2D2E2F';
@@ -200,28 +199,217 @@ export const postToSlackAboutSuspiciousUpload = async (
 	userName: string,
 	key: string,
 ) => {
-	if (isProd()) {
-		const spamUsersUrl = `https://pubpub.org${getSuperAdminTabUrl('spamUsers')}?q=${encodeURIComponent(userEmail)}`;
-		await postToSlack({
-			icon_emoji: ':warning:',
-			attachments: [
-				{
-					fallback: `Suspicious upload by ${userName} (${userEmail}): ${key}`,
-					pretext: 'Suspicious upload detected (scam keywords in filename)',
-					color: 'warning',
-					fields: [
-						{ title: 'User', value: `${userName} (${userEmail})` },
-						{ title: 'Object key', value: key },
-					],
-					actions: [
-						{
-							type: 'button',
-							text: 'View in Spam Users Dashboard',
-							url: spamUsersUrl,
-						},
-					],
-				},
-			],
+	if (process.env.NODE_ENV === 'test') return;
+	const dashUrl = getSpamDashUrl(userName);
+	await postToSlack({
+		icon_emoji: ':warning:',
+		attachments: [
+			{
+				fallback: `Suspicious upload by ${userName}: ${key}`,
+				pretext: 'Suspicious upload detected (scam keywords in filename)',
+				color: 'warning',
+				fields: [
+					{ title: 'User', value: userName },
+					{ title: 'Object key', value: key },
+				],
+				actions: [
+					{
+						type: 'button',
+						text: 'View in Spam Users Dashboard',
+						url: dashUrl,
+					},
+				],
+			},
+		],
+	});
+};
+
+const getUserProfileUrl = (userSlug: string) => `https://www.pubpub.org/user/${userSlug}`;
+
+const getSpamDashUrl = (userName: string) =>
+	`https://pubpub.org${getSuperAdminTabUrl('spamUsers')}?q=${encodeURIComponent(userName)}`;
+
+const buildReasonText = (reason?: UserSpamTagFields): string => {
+	if (!reason) return '';
+	if (reason.manuallyMarkedBy?.length) {
+		const last = reason.manuallyMarkedBy[reason.manuallyMarkedBy.length - 1];
+		return `Manually marked by ${last.userName}`;
+	}
+	if (reason.suspiciousFiles?.length) return 'Uploading suspicious files';
+	if (reason.suspiciousComments?.length) return 'Posting suspicious comments';
+	if (reason.honeypotTriggers?.length) {
+		const last = reason.honeypotTriggers[reason.honeypotTriggers.length - 1];
+		const parts: string[] = [last.honeypot];
+		if (last.context?.communitySubdomain)
+			parts.push(`community: ${last.context.communitySubdomain}`);
+		if (last.context?.pubSlug) parts.push(`pub: ${last.context.pubSlug}`);
+		return `Honeypot triggered (${parts.join(', ')})`;
+	}
+	return '';
+};
+
+const buildHoneypotContextLine = (reason?: UserSpamTagFields): string | null => {
+	if (!reason?.honeypotTriggers?.length) return null;
+	const last = reason.honeypotTriggers[reason.honeypotTriggers.length - 1];
+	if (!last.context) return null;
+	const parts: string[] = [];
+	if (last.context.communitySubdomain) {
+		const communityUrl = `https://${last.context.communitySubdomain}.pubpub.org`;
+		parts.push(`Community: <${communityUrl}|${last.context.communitySubdomain}>`);
+	}
+	if (last.context.pubSlug && last.context.communitySubdomain) {
+		const pubUrl = `https://${last.context.communitySubdomain}.pubpub.org/pub/${last.context.pubSlug}`;
+		parts.push(`Pub: <${pubUrl}|${last.context.pubSlug}>`);
+	} else if (last.context.pubSlug) {
+		parts.push(`Pub: ${last.context.pubSlug}`);
+	}
+	if (last.context.content) {
+		const truncated =
+			last.context.content.length > 200
+				? last.context.content.slice(0, 200) + '...'
+				: last.context.content;
+		parts.push(`Content: ${truncated}`);
+	}
+	return parts.length > 0 ? parts.join('  |  ') : null;
+};
+
+type UserBanSlackOptions = {
+	userId: string;
+	userName: string;
+	userSlug: string;
+	userAvatar?: string | null;
+	reason?: UserSpamTagFields;
+	actorName?: string;
+};
+
+export const postToSlackAboutUserBan = async (opts: UserBanSlackOptions) => {
+	if (process.env.NODE_ENV === 'test') return;
+	const { userName, userSlug, userAvatar, reason, actorName } = opts;
+	const profileUrl = getUserProfileUrl(userSlug);
+	const dashUrl = getSpamDashUrl(userName);
+	const reasonText = buildReasonText(reason);
+	const byText = actorName ? ` by ${actorName}` : '';
+	const reasonSuffix = reasonText ? ` -- ${reasonText}` : '';
+	const headline = `*<${profileUrl}|${userName}>* banned${byText}${reasonSuffix}`;
+	const fallback = `${userName} banned${byText}${reasonSuffix}`;
+
+	const headerSection: Record<string, any> = {
+		type: 'section',
+		text: { type: 'mrkdwn', text: headline },
+	};
+	if (userAvatar) {
+		headerSection.accessory = {
+			type: 'image',
+			image_url: userAvatar,
+			alt_text: userName,
+		};
+	}
+
+	const blocks: Record<string, any>[] = [headerSection];
+
+	const honeypotLine = buildHoneypotContextLine(reason);
+	if (honeypotLine) {
+		blocks.push({
+			type: 'context',
+			elements: [{ type: 'mrkdwn', text: honeypotLine }],
 		});
 	}
+
+	blocks.push({
+		type: 'actions',
+		elements: [
+			{ type: 'button', text: { type: 'plain_text', text: 'Profile' }, url: profileUrl },
+			{ type: 'button', text: { type: 'plain_text', text: 'Spam Dashboard' }, url: dashUrl },
+		],
+	});
+
+	await postToSlack({
+		icon_emoji: ':no_entry:',
+		text: fallback,
+		attachments: [{ fallback, color: 'danger', blocks }],
+	});
+};
+
+type UserLiftedSlackOptions = {
+	userId: string;
+	userName: string;
+	userSlug: string;
+	actorName?: string;
+};
+
+export const postToSlackAboutUserLifted = async (opts: UserLiftedSlackOptions) => {
+	if (process.env.NODE_ENV === 'test') return;
+	const { userName, userSlug, actorName } = opts;
+	const profileUrl = getUserProfileUrl(userSlug);
+	const byText = actorName ? ` by ${actorName}` : '';
+	const headline = `*<${profileUrl}|${userName}>* restriction lifted${byText}`;
+	const fallback = `${userName} restriction lifted${byText}`;
+	await postToSlack({
+		icon_emoji: ':white_check_mark:',
+		text: fallback,
+		attachments: [
+			{
+				fallback,
+				color: '#5cb85c',
+				blocks: [
+					{ type: 'section', text: { type: 'mrkdwn', text: headline } },
+					{
+						type: 'actions',
+						elements: [
+							{
+								type: 'button',
+								text: { type: 'plain_text', text: 'Profile' },
+								url: profileUrl,
+							},
+						],
+					},
+				],
+			},
+		],
+	});
+};
+
+type NewSpamTagSlackOptions = {
+	userId: string;
+	userName: string;
+	userSlug: string;
+	spamScore: number | null;
+};
+
+export const postToSlackAboutNewUserSpamTag = async (opts: NewSpamTagSlackOptions) => {
+	if (process.env.NODE_ENV === 'test') return;
+	const { userName, userSlug, spamScore } = opts;
+	const profileUrl = getUserProfileUrl(userSlug);
+	const dashUrl = getSpamDashUrl(userName);
+	const scorePart = spamScore != null ? ` (score: ${spamScore})` : '';
+	const headline = `New spam tag for *<${profileUrl}|${userName}>*${scorePart}`;
+	const fallback = `New spam tag: ${userName}${scorePart}`;
+	await postToSlack({
+		icon_emoji: ':mag:',
+		text: fallback,
+		attachments: [
+			{
+				fallback,
+				color: '#f0ad4e',
+				blocks: [
+					{ type: 'section', text: { type: 'mrkdwn', text: headline } },
+					{
+						type: 'actions',
+						elements: [
+							{
+								type: 'button',
+								text: { type: 'plain_text', text: 'Profile' },
+								url: profileUrl,
+							},
+							{
+								type: 'button',
+								text: { type: 'plain_text', text: 'Review in Dashboard' },
+								url: dashUrl,
+							},
+						],
+					},
+				],
+			},
+		],
+	});
 };
diff --git a/tools/migrations/data/2022_11_29_addSpamTags.js b/tools/migrations/data/2022_11_29_addSpamTags.js
index e493db5940..7784dc8745 100644
--- a/tools/migrations/data/2022_11_29_addSpamTags.js
+++ b/tools/migrations/data/2022_11_29_addSpamTags.js
@@ -1,5 +1,5 @@
 import { Community } from 'server/models';
-import { addSpamTagToCommunity } from 'server/spamTag/queries';
+import { addSpamTagToCommunity } from 'server/spamTag/communityQueries';
 
 import { forEachInstance } from '../util';
 
diff --git a/types/spam.ts b/types/spam.ts
index 187a9b773a..eea7a61421 100644
--- a/types/spam.ts
+++ b/types/spam.ts
@@ -53,3 +53,35 @@ export type SpamUserQuery = {
 	ordering: SpamUserQueryOrdering;
 	includeAffiliation?: boolean;
 };
+
+export type HoneypotTrigger =
+	| 'create-community'
+	| 'create-pub'
+	| 'create-user'
+	| 'edit-user'
+	| 'create-discussion'
+	| 'create-thread-comment';
+
+export type HoneypotContext = {
+	communityId?: string;
+	communitySubdomain?: string;
+	pubId?: string;
+	pubSlug?: string;
+	content?: string;
+};
+
+export type UserSpamTagFields = {
+	suspiciousFiles?: string[];
+	suspiciousComments?: string[];
+	honeypotTriggers?: {
+		honeypot: HoneypotTrigger;
+		value: string;
+		context?: HoneypotContext;
+		triggeredAt?: string;
+	}[];
+	manuallyMarkedBy?: {
+		userId: string;
+		userName: string;
+		at: string;
+	}[];
+};
diff --git a/utils/api/contracts/auth.ts b/utils/api/contracts/auth.ts
index e37d34705b..684a0d2f8f 100644
--- a/utils/api/contracts/auth.ts
+++ b/utils/api/contracts/auth.ts
@@ -44,6 +44,30 @@ export const authRouter = {
 		},
 	},
 
+	/**
+	 * `POST /api/login/fromForm`
+	 *
+	 * Login from a browser form, with captcha verification
+	 */
+	loginFromForm: {
+		path: '/api/login/fromForm',
+		method: 'POST',
+		summary: 'Login from form',
+		description: 'Login from a browser form with captcha verification',
+		body: z.object({
+			email: z.string().email(),
+			password: z.string(),
+			altcha: z.string(),
+		}),
+		responses: {
+			201: z.literal('success'),
+			400: z.string(),
+			401: z.literal('Login attempt failed'),
+			403: z.string(),
+			500: z.string(),
+		},
+	},
+
 	/**
 	 * `GET /api/logout`
 	 *
diff --git a/utils/api/contracts/pub.ts b/utils/api/contracts/pub.ts
index c4e77f8cc2..f33a3ae66c 100644
--- a/utils/api/contracts/pub.ts
+++ b/utils/api/contracts/pub.ts
@@ -317,6 +317,23 @@ export const pubRouter = {
 			201: pubSchema,
 		},
 	},
+	/**
+	 * `POST /api/pubs/fromForm`
+	 *
+	 * Create a Pub from the web form (requires captcha and honeypot verification).
+	 */
+	createFromForm: {
+		path: '/api/pubs/fromForm',
+		method: 'POST',
+		summary: 'Create a Pub from form',
+		description: 'Create a Pub with captcha and honeypot verification',
+		body: pubCreateSchema.and(
+			z.object({ altcha: z.string(), _honeypot: z.string().optional() }),
+		),
+		responses: {
+			201: pubSchema,
+		},
+	},
 	/**
 	 * `PUT /api/pubs`
 	 *
diff --git a/utils/api/schemas/community.ts b/utils/api/schemas/community.ts
index c59b9ea3f1..57861ebb02 100644
--- a/utils/api/schemas/community.ts
+++ b/utils/api/schemas/community.ts
@@ -118,6 +118,12 @@ export const communityCreateSchema = communitySchema
 		heroLogo: true,
 		heroTitle: true,
 		description: true,
+		accentColorLight: true,
+		accentColorDark: true,
+	})
+	.extend({
+		altcha: z.string().optional(),
+		_honeypot: z.string().optional(),
 	});
 
 export const communityUpdateSchema = communitySchema
diff --git a/utils/api/schemas/pub.ts b/utils/api/schemas/pub.ts
index 33b2a7f1f0..00ea29f907 100644
--- a/utils/api/schemas/pub.ts
+++ b/utils/api/schemas/pub.ts
@@ -124,7 +124,7 @@ export const pubCreateSchema = optionalPubCreateParamSchema
 				collectionId: z.undefined(),
 			}),
 		]),
-	) satisfies z.ZodType<types.CanCreatePub>;
+	);
 
 export const getManyQuerySchema = z.object({
 	query: z
diff --git a/utils/api/server.ts b/utils/api/server.ts
index f2a4052d7b..9b25a6d8d0 100644
--- a/utils/api/server.ts
+++ b/utils/api/server.ts
@@ -7,7 +7,7 @@ import { collectionAttributionServer } from 'server/collectionAttribution/api';
 import { collectionPubServer } from 'server/collectionPub/api';
 import { communityServer } from 'server/community/api';
 import { facetsServer } from 'server/facets/api';
-import { loginRouteImplementation } from 'server/login/api';
+import { loginFromFormRouteImplementation, loginRouteImplementation } from 'server/login/api';
 import { logoutRouteImplementation } from 'server/logout/api';
 import { memberServer } from 'server/member/api';
 import { pageServer } from 'server/page/api';
@@ -32,6 +32,7 @@ export const server = s.router(contractWithScriptsAndCommunity, {
 	analytics: analyticsServer,
 	auth: {
 		login: loginRouteImplementation,
+		loginFromForm: loginFromFormRouteImplementation,
 		logout: logoutRouteImplementation,
 	},
 	authToken: authTokenServer,