Logo
Deploy Now

Stars

2472

Forks

94

Watchers

13

Developer links

mCaptcha

The CAPTCHA bargain - annoy your users and feed their behavior to Google - gets replaced with economics by mCaptcha. Instead of image puzzles, it uses SHA256 proof-of-work: every visitor's browser silently solves a small computational challenge (via a WebAssembly library) before submitting a form. Humans never notice the milliseconds; bots hammering your site must burn more compute sending requests than your server spends answering them, which makes attacks more expensive than defense - the property that also makes mCaptcha genuine DoS protection, not just bot filtering. Written in Rust, the system is fully automated: difficulty scales with traffic, so challenges stay trivial in normal conditions and harden under attack. The privacy and accessibility wins are structural rather than promised: no tracking, no profiling, no user-pattern data collection, and no visual puzzles that exclude users with visual or cognitive impairments - the design was published in Communications of the ACM. Rate limiting is IP-independent, so users behind NATs, VPNs, or Tor get the same experience instead of endless challenge loops, and proofs resist replay attacks, neutering captcha farms. Migration is deliberately easy: the API is compatible with reCAPTCHA and hCaptcha, making it a drop-in replacement. AGPL-licensed core with proprietary-friendly client libraries.

mCaptcha
mCaptcha
mCaptcha

Benefits

  • Users Never See It
  • Proof-of-work runs silently in milliseconds - no image grids, no checkbox, no friction.
  • Attacks Cost More Than Defense
  • Bots must burn more compute per request than your server spends responding.
  • Privacy by Architecture
  • No tracking, profiling, or behavioral data - nothing to hand to an ad company.
  • Accessible by Design
  • No visual puzzles means no exclusion of users with visual or cognitive impairments.

Features

  • SHA256 Proof-of-Work
  • WASM-computed challenges with difficulty that scales automatically under attack.
  • Drop-In Compatibility
  • API compatible with reCAPTCHA and hCaptcha for painless migration.
  • IP-Independent Rate Limiting
  • Users behind NATs, VPNs, and Tor get the same experience as everyone else.
  • Replay Resistance
  • Proofs can't be reused, defeating captcha-farm economics.
  • DoS Throttling
  • Automatic bot throttling doubles as denial-of-service protection.
  • Rust Core
  • Fast, memory-safe server with a published, peer-reviewed design.