mCaptcha
The CAPTCHA bargain - annoy your users and feed their behavior to Google - gets replaced with
economics by mCaptcha. Instead of image puzzles, it uses SHA256 proof-of-work: every visitor's
browser silently solves a small computational challenge (via a WebAssembly library) before
submitting a form. Humans never notice the milliseconds; bots hammering your site must burn
more compute sending requests than your server spends answering them, which makes attacks more
expensive than defense - the property that also makes mCaptcha genuine DoS protection, not
just bot filtering. Written in Rust, the system is fully automated: difficulty scales with
traffic, so challenges stay trivial in normal conditions and harden under attack. The privacy
and accessibility wins are structural rather than promised: no tracking, no profiling, no
user-pattern data collection, and no visual puzzles that exclude users with visual or
cognitive impairments - the design was published in Communications of the ACM. Rate limiting
is IP-independent, so users behind NATs, VPNs, or Tor get the same experience instead of
endless challenge loops, and proofs resist replay attacks, neutering captcha farms. Migration
is deliberately easy: the API is compatible with reCAPTCHA and hCaptcha, making it a drop-in
replacement. AGPL-licensed core with proprietary-friendly client libraries.
Deploy