243 applications
mCaptcha screenshot thumbnail

mCaptcha

The CAPTCHA bargain - annoy your users and feed their behavior to Google - gets replaced with economics by mCaptcha. Instead of image puzzles, it uses SHA256 proof-of-work: every visitor's browser silently solves a small computational challenge (via a WebAssembly library) before submitting a form. Humans never notice the milliseconds; bots hammering your site must burn more compute sending requests than your server spends answering them, which makes attacks more expensive than defense - the property that also makes mCaptcha genuine DoS protection, not just bot filtering. Written in Rust, the system is fully automated: difficulty scales with traffic, so challenges stay trivial in normal conditions and harden under attack. The privacy and accessibility wins are structural rather than promised: no tracking, no profiling, no user-pattern data collection, and no visual puzzles that exclude users with visual or cognitive impairments - the design was published in Communications of the ACM. Rate limiting is IP-independent, so users behind NATs, VPNs, or Tor get the same experience instead of endless challenge loops, and proofs resist replay attacks, neutering captcha farms. Migration is deliberately easy: the API is compatible with reCAPTCHA and hCaptcha, making it a drop-in replacement. AGPL-licensed core with proprietary-friendly client libraries.

Deploy
Supertokens Core screenshot thumbnail

Supertokens Core

Authentication that lives inside your application rather than behind a redirect to an external identity provider - SuperTokens takes a fundamentally different architecture from Auth0 and AWS Cognito. Three tiers make that work - frontend SDKs (React, Angular, Vue, vanilla JS, React Native) render overridable login UI and manage tokens; backend SDKs (Node.js, Python, Go) expose auth endpoints on your own API domain; and SuperTokens Core, the piece you host here, is the stateless HTTP service handling core auth logic, password hashing, token signing, and database operations against PostgreSQL. The recipe system keeps features decoupled: use email/password, social login, passwordless (magic links, OTP), phone-password, multi-factor authentication (TOTP, WebAuthn), user roles, and microservice auth - individually or combined; you can even use SuperTokens purely for session management alongside another login provider. Sessions are where it shines: rotating refresh tokens with theft detection, automatic access-token refresh, CSRF protection, and secure cookie handling out of the box - the details that become vulnerabilities when hand-rolled. Verification happens locally in your backend via cached JWT signing keys, so the Core stays off the hot path. Self-hosted means no user limits, free forever, with all user data in your database. Apache-licensed.

Deploy
WBO screenshot thumbnail

WBO

A Node.js server, a large shared canvas, and a URL - WBO (Whiteboard Ophir) is collaborative whiteboarding reduced to its essence. There are no accounts and no setup - to collaborate, you send someone the board's link, and every stroke appears for all connected users in real time over WebSockets, with cursor positions shared so you can see where collaborators are working. Board state persists automatically and continuously, so a diagram drawn in today's lesson is still there next week at the same URL. Boards come in three flavors: a public free-for-all, private boards with random unguessable names, and named boards with custom URLs shared by anyone who knows the name. The tools cover teaching and brainstorming needs - pencil, straight lines, rectangles, ellipses, text annotations, eraser, a full color palette with brush sizes - and boards export as SVG or PNG. Despite the simplicity, the server is production-minded: JWT authentication gates board access with granular capabilities (open, edit, and clear as separate permissions), rate limiting caps per-client message volume, reverse-proxy and subpath deployment are supported, and OpenTelemetry provides metrics, logs, and traces. It works on tablets and touch devices, speaks multiple languages, and consumes minimal resources. AGPL-licensed.

Deploy
Upvote RSS screenshot thumbnail

Upvote RSS

The antidote to doomscrolling: Upvote RSS turns Reddit, Hacker News, Lemmy, Lobsters, PieFed, Mbin, and trending GitHub repositories into calm, filtered RSS feeds. The MIT-licensed PHP app's killer feature is intelligent filtering: beyond simple score thresholds, the "posts per day" filter analyzes a community's recent history and computes the score cutoff that yields your target volume - say, exactly three r/technology posts daily - while a percentage-based threshold mode stays consistent as communities grow. Feeds are rich, not bare links: parsed full-article content via Readability (with optional Readability.js, Mercury, or Browserless for JavaScript-heavy pages), embedded videos and image galleries, top-voted comments with pinned-moderator filtering, scores, reading-time estimates, and optional AI summaries through Ollama, OpenAI, Gemini, Anthropic, Mistral, DeepSeek, or any OpenAI-compatible endpoint - with automatic provider fallback. A web UI builds the feed URL interactively with live preview; paste the result into any RSS reader. Reddit support includes custom domains like old.reddit.com plus NSFW filtering and blurring. Caching via filesystem, Redis, or APCu keeps repeated fetches cheap and avoids re-running paid summarizations.

Deploy
Isso screenshot thumbnail

Isso

Named from the German "Ich schrei sonst" - roughly "or I'll scream" - Isso is a lightweight Python/JavaScript commenting server, a drop-in Disqus replacement for people who noticed what Disqus does to reader privacy and page load times. The design premise is printed right in the docs: comments are not Big Data. So the backend is a single SQLite file rather than a database cluster, and the entire client is one embeddable JavaScript file - 65 kB, 20 kB gzipped - that you drop into any static site, blog, or CMS. Commenters write in Markdown, need no account, and can edit or delete their own comments within a configurable window (15 minutes by default). Spam control comes from an optional moderation queue: held comments stay invisible until you activate them via an admin interface or email notification links. Migration is a first-class feature, with importers for Disqus and WordPress exports, so years of existing threads move over intact. Because everything is server-rendered from your own instance, no third party tracks your readers, and real-world switchers report smaller pages and faster loads than the Disqus embed. MIT-licensed, running since 2012.

Deploy
Hasura screenshot thumbnail

Hasura

A PostgreSQL database becomes a production-grade GraphQL API the moment Hasura GraphQL Engine points at it: track tables and relationships - existing schemas included - and full query, mutation, and subscription types appear with where, order_by, limit, offset, and on_conflict arguments, no resolvers or boilerplate written. Its Haskell core compiles GraphQL to efficient SQL, and any query becomes a real-time live query with a single keyword, powering dashboards and collaborative UIs over standard GraphQL subscriptions. Authorization is where Hasura earns its enterprise reputation: role-based access control with row- and column-level permission policies driven by session variables from JWTs, auth webhooks, or headers - each role effectively sees its own GraphQL schema containing only what it may touch, integrating cleanly with Auth0, Firebase, or homegrown auth. Event triggers fire webhooks on inserts, updates, and deletes for asynchronous business logic; Actions extend the schema with custom REST handlers; remote schema stitching merges external GraphQL services into one endpoint; and auto-generated REST endpoints serve clients that skip GraphQL. A browser console handles data modeling and API exploration, the CLI manages migrations and metadata as code, and deployment is a single stateless Docker container beside Postgres.

Deploy
Documize screenshot thumbnail

Documize

Enterprise documentation discipline without enterprise infrastructure: Documize Community is the Confluence alternative built on exactly that trade. The entire platform - Go backend, Ember.js frontend - compiles to a single executable binary for Linux, Windows, and macOS with zero runtime dependencies: no Elasticsearch, no Redis, no JVM. Point it at PostgreSQL, MySQL, MariaDB, Percona, or Microsoft SQL Server (rare in open source, decisive in Microsoft shops), and schema migrations run on launch with native full-text search on whichever engine you chose. Content organization rejects nested-folder sprawl for Spaces, categories, and labels, and the section-based composable editor mixes rich text, Markdown, code blocks, PDFs, diagrams, and embedded Jira or Trello content in one document, with reusable blocks and templates so teams start from standards rather than blank pages. It deliberately unifies internal team docs and customer-facing documentation in one system with granular space-, document-, and action-level permissions deciding who sees what. Where wikis stop, Documize continues: content approval workflows (draft, review, approve, publish), version management, lifecycle control, feedback capture, PDF export, analytics showing what gets read and ignored, activity streams, and audit logs. Keycloak, LDAP, and SSO integrate for enterprise auth. AGPL-licensed.

Deploy
Cusdis screenshot thumbnail

Cusdis

Comments for small sites without Disqus's baggage: Cusdis is a lightweight, privacy-first, open-source comment system for embedding under blog posts and articles. The embedded JavaScript SDK is about 5 KB gzipped (Disqus is roughly 24 KB), sets no cookies, runs no tracking, and does not require readers to create an account or sign in before commenting. Integration is two lines: a container div with your app ID and an async script tag, with ready-made adapters for common frameworks and static site generators. Moderation is approval-based - new comments stay hidden until you approve them from the dashboard, and email notifications include a Quick Approve link that approves or replies to a comment from your phone without logging in. A webhook fires on every new comment for integrations like Telegram notifications. The widget ships with built-in i18n and dark mode. The stack is TypeScript and Next.js with a Prisma data layer, deployable via Docker with PostgreSQL. Deliberately minimalist: no ads, no reader profiling, and your comment data lives in your own database.

Deploy
BeaverHabits screenshot thumbnail

BeaverHabits

No targets, no gamification spiral, no motivational nagging: Beaver Habit Tracker is a self-hosted habit tracker deliberately built without "Goals". The core loop is honest: add habits, check them off each day, watch streaks accumulate on a calendar view. Its design follows behavioral-science basics - make it obvious (visual streak cues), make it attractive (progress is the motivator), make it satisfying (tracking becomes its own reward). Beyond the daily checklist it supports per-day notes intelligently grouped per habit, periodic habits, habit categories and tags, drag-to-reorder (manual or automatic), dark mode, and detailed streak and frequency views. Data lives where you choose: a single SQLite database or flat JSON files on a mounted volume, with JSON export and import for full portability. A REST API opens automation - community integrations already cover Stream Deck buttons, Home Assistant triggers, and CalDAV. The Python app ships as one Docker container with no external dependencies; environment variables tune everything from first day of week and index-page columns to iOS standalone PWA mode, and single-user setups can bypass the login entirely with TRUSTED_LOCAL_EMAIL. BSD-3-Clause licensed with no commercial restrictions - a well-executed single-purpose tool whose mobile PWA works anywhere a browser does.

Deploy
Cockpit screenshot thumbnail

Cockpit

Built by an agency in 2011 and refined by real client work since, Cockpit is a headless CMS whose pragmatism is earned. It's a pure content backend: model your data, let editors manage it, and fetch it over REST or GraphQL from any frontend - React, Vue, Flutter, a static site generator, or an IoT dashboard. Content modeling covers three shapes: Collections for repeatable items (posts, products, events), Singletons for one-off content (settings, about pages), and Trees for hierarchies (navigation, categories), all assembled from 20+ field types including relationships. The API layer is unusually capable: MongoDB-style query filtering, field selection to trim payloads, automatic image optimization through the assets API, and built-in caching. Localization is first-class with per-field multi-language content and fallback support; user management includes roles, granular permissions, two-factor authentication, and API tokens; and webhooks push changes into external workflows. Agencies get multi-tenant Spaces - several sites or clients from one installation. The operational footprint is refreshingly small: PHP plus either SQLite or MongoDB, no build steps, no toolchain, extensible through hooks, events, and addons (pages/SEO, forms, full-text search, layout components). Where enterprise headless platforms bill per seat and per locale, Cockpit is MIT-licensed and simply yours.

Deploy
Aptabase screenshot thumbnail

Aptabase

Web analytics tools ignore native mobile, desktop, and game apps; Aptabase was built for exactly those. If Firebase Analytics would force a privacy-policy footnote you don't want to write, this is the alternative - session-based metrics with no cookies, no IDFA or GAID, no device fingerprinting, and a daily-rotated salt that makes cross-day re-identification mathematically impossible. That design means GDPR, CCPA, and PECR compliance out of the box and "Data Not Collected" App Store privacy labels without ATT prompts. The SDK coverage is the widest in its category: eleven first-party libraries spanning Swift, Kotlin, Flutter, React Native, Tauri, Electron, .NET MAUI, NativeScript, Unity, Unreal Engine, and JavaScript for web - each MIT-licensed, following platform conventions, and accepting a custom host parameter that points at your instance. Integration is minutes: initialize with an app key, call trackEvent with optional properties, and the dashboard shows sessions, events, app versions, OS breakdowns, and country-level geography. The self-hosted stack is a .NET server over PostgreSQL for metadata and ClickHouse for high-volume event ingestion, giving cloud-parity features under an AGPL license. For indie iOS/Android apps, Electron and Tauri tools, and Unity or Unreal games, it replaces Firebase without the Google entanglement.

Deploy
Ackee screenshot thumbnail

Ackee

Page views, referrers, browsers, and screen sizes - Ackee delivers the analytics developers actually check, from a deliberately minimal Node.js and MongoDB stack that skips both Matomo's weight and Google Analytics' cloud dependency. Its defining constraint is anonymization: no cookies, no unique user tracking, and a multi-step anonymization process that keeps visitors unidentifiable while the aggregate numbers stay useful. In its default anonymous mode Ackee collects no personally identifiable information at all, which means GDPR and CCPA compliance out of the box and no cookie consent banner on your sites. A detailed mode adds screen size, language, and per-visit referrers - still without cookies or fingerprinting. Integration mirrors the Google Analytics pattern: create a domain in settings, drop the generated ackee-tracker snippet into your pages, and data appears in a clean single-page dashboard. One instance tracks multiple domains, and custom events capture button clicks, signups, and conversions. The distinctive engineering choice is the fully documented GraphQL API: everything the dashboard shows comes from that API, so you can query active visitors, average duration, and view statistics programmatically, feed data in from apps and services beyond websites, or build an entirely custom interface on top. If you want bare-minimum analytics with a real API and zero privacy anxiety, this is the tool.

Deploy
Journiv screenshot thumbnail

Journiv

A Day One alternative that keeps your most personal writing on your own server: Journiv is journaling purpose-built for self-hosters. The FastAPI backend runs on SQLite by default with optional PostgreSQL, Redis, and Celery for background work, behind a clean, minimal web UI. Unlike general note-taking apps, it ships the features journaling actually needs: customizable moods and mood groups, activity tracking, goals with automated progress from logged activities, and daily writing prompts filterable by category and difficulty so a blank page never stalls you. Quick Log captures a moment in seconds and expands into a full entry later; "On This Day" resurfaces entries from past weeks, months, and years. Multiple journals separate work, gratitude, and personal writing, with tags and full-text search across everything, plus media uploads with automatic thumbnails and an Immich integration for linking photo-library memories. Analytics chart mood trends and writing patterns over time. Data portability is taken seriously: native import of Day One exports, JSON/Markdown/HTML export, and a standalone HTML viewer that opens your archive in any browser with no server running. OIDC single sign-on works with Authentik or Keycloak, and multi-arch images cover amd64 and arm64.

Deploy
Muse screenshot thumbnail

Muse

"A highly-opinionated midwestern self-hosted Discord music bot that doesn't suck," per its own README - Muse is built for servers the size of you, your friends, and your friends' friends. It exists because the big public music bots kept getting shut down or paywalled, and self-hosting yours means nobody can take it away. Written in TypeScript on discord.js, it joins voice channels and plays audio resolved from YouTube via yt-dlp, and given optional Spotify API credentials it auto-converts Spotify tracks, albums, artists, and entire playlists to playable equivalents. The playback details show real care: seeking within songs and videos, livestream support, local caching so repeated plays start instantly, volume normalization across tracks, and configurable volume controls including optional ducking that lowers music when people speak. SponsorBlock integration can skip non-music segments automatically. Users save favorite queries as reusable shortcuts, and one Muse instance serves multiple guilds simultaneously - one deployment for all your communities. Configuration is three environment variables (Discord token, YouTube API key, optional Spotify pair) and the personality is free: there is no vote-to-skip, because "this is anarchy, not a democracy," and the bot remains a loyal Green Bay Packers fan. MIT-licensed and easily extendable.

Deploy
Papercups screenshot thumbnail

Papercups

Companies with privacy and security concerns about piping customer conversations through Intercom or Zendesk run Papercups - open-source live customer chat. The stack is a deliberate strength: an Elixir/Phoenix API over PostgreSQL, with real-time messaging powered by Phoenix Channels and Presence - the same BEAM foundation trusted by Discord and PagerDuty for fault-tolerant, low-latency messaging. Customers see a customizable chat widget that embeds in any site as an HTML snippet, a React component, or even inside React Native apps, with configurable colors, greetings, and away messages. Your team sees a dashboard for managing conversations - close, assign, and prioritize - with Markdown and emoji in replies. The killer workflow is the reply-channel integration: connect Slack or Mattermost and every customer conversation becomes a synced thread your team answers without leaving the tool they already live in, with two-way message syncing handled by webhooks. Email and SMS channels extend intake beyond the widget, an analytics dashboard tracks communication patterns, and the Storytime feature adds real-time screen sharing to watch users navigate while you help them. A documented API supports fully custom chat UIs in Svelte, Flutter, or Vue. MIT-licensed and GDPR-conscious - customer data stays in your PostgreSQL.

Deploy
Carbone screenshot thumbnail

Carbone

Document-generation code is the worst kind of code in your backlog - Carbone kills it. Its insight is separating design from data - templates are ordinary office documents (DOCX, ODT, XLSX, PPTX, HTML, even custom XML) built in LibreOffice, Microsoft Office, or Google Docs, with mustache-like markers such as {d.companyName} typed directly into the text. Send a template plus JSON from your existing APIs to the HTTP API, and Carbone returns the finished document - exported as-is or converted to PDF, XLSX, CSV, HTML, PNG, EPUB, and more via its integrated LibreOffice converter (Chromium and OnlyOffice engines are also supported for HTML-fidelity and office-format conversions). The template language goes well beyond substitution: loops over arrays render dynamic table rows, filters and aggregations run inside the document, and built-in formatters handle dates, numbers, currencies, timezones, and locales, with custom JavaScript formatters when needed. One template serves multiple languages through translation markers with auto-maintained translation files. The XML-agnostic engine means anything your document editor can design - pagination, headers, footers, nested tables, charts - survives generation intact, and Carbone guarantees no breaking changes in template syntax. Node.js-based, fast via multi-threaded LibreOffice conversion. The invoices, contracts, and reports your product owes its users become template edits, not sprints.

Deploy
Tautulli screenshot thumbnail

Tautulli

Plex's own dashboard shows current streams and forgets everything else - which is why every Plex server admin eventually installs Tautulli, the analytics layer. This Python web application (descended from PlexWatch and Headphones) logs complete watch history - what was watched, who watched it, when, where, from which device and IP, and whether it played directly or transcoded - and turns it into clean Highcharts graphs of daily plays, concurrent streams, bandwidth, and platform breakdowns. The home page surfaces top statistics over configurable windows: most-watched content, most active users, stream type ratios. For running a server shared with family and friends, this is operational truth: spot the user forcing 4K transcodes on a phone, see which libraries earn their disk space, and track sync activity across users. The notification engine triggers on server events - playback starts, transcode decision changes, recently added media, server down - through dozens of agents (Discord, Telegram, Slack, email, webhooks) with fully customizable text and conditions, plus arbitrary script execution. Scheduled newsletters email your users a styled digest of recently added content. A comprehensive API exposes every statistic for dashboards like Homarr, and an official mobile app monitors activity on the go. Themed to match Plex/Web. GPL-licensed.

Deploy
HedgeDoc screenshot thumbnail

HedgeDoc

Real-time collaborative Markdown behind your own firewall: HedgeDoc (formerly CodiMD, descended from HackMD's open-source edition) keeps team notes on team infrastructure. Share a note's URL and collaborators are editing together instantly - live cursors, changes appearing keystroke by keystroke - in a three-mode interface that toggles between raw Markdown, rendered preview, and side-by-side split. The Markdown dialect is extended where engineers need it: Mermaid, Graphviz, and Vega-Lite diagrams, MathJax for equations, syntax-highlighted code blocks, embedded content, and a presentation mode that turns a note into reveal.js slides with a single YAML header. A dropdown permission system controls each note - freely editable, limited to signed-in users, or locked read-only - and published notes become clean read-only pages for wider distribution. Revisions track every change with the ability to revert to any earlier version. The AGPL-3.0 codebase is light enough to run on a Raspberry Pi and deploys via Docker with PostgreSQL, MySQL, or SQLite. Authentication covers LDAP, SAML, OAuth2, and email. It deliberately stays a focused document editor - no page trees or kanban - and does that one job with excellent keyboard-first ergonomics for meeting notes, RFCs, runbooks, and shared scratchpads.

Deploy