Cap is a fast, lightweight, and modern open-source CAPTCHA alternative based on SHA-256 proof-of-work (PoW). It’s 250x smaller than hCaptcha, privacy-focused, fully customizable, and easy to self-host. Cap helps prevent spam and abuse without tracking users, making it ideal for privacy-conscious developers. Built for speed and simplicity, Cap is perfect for modern web apps, forms, and APIs that need secure, lightweight human verification.
I was very pessimistic about this product—at some point, I thought it wouldn’t help at all. Now I’m happy. It just stopped the spam (registration attempts and contact form submissions). Good job!
Love this approach! 💡 Using SHA-256 proof-of-work as a CAPTCHA alternative is such a smart, elegant solution — especially in an era where user privacy and page speed really matter. 🔒⚡️
Curious how it performs in real-world bot scenarios — any benchmarks or early adopter feedback?
250x smaller than hCaptcha is huge for web performance. Can we modify PoW parameters per use case, like stricter thresholds for login vs. comment forms?
@desmond_ren1 yes! you can fully adjust the difficulty
I'm a bit concerned about its effectiveness. Prove me wrong, I'd be happy if this works as well as the others.
First, this does not verify if I'm a human, but if I have enough computational resources. A similar system was developed (Hashcash) which is not really used in popular email clients. In my opinion, it works for Bitcoin for the same reason it didn't work for email: it doesn't verify if you're a human, it just verifies your computational resources.
This raises some questions. What if someone is browsing my site from an old computer? The verification will take a lot longer and possibly use all the resources that device has for minutes.
What happens to botnets? While tracking-based captchas have a chance to combat them, it doesn't really matter if hacker guy has to do some PoW on the botnet computers.
Thanks to Bitcoin, we also have really efficient sha256 ASICs - computers that only solve sha256, but they do it really efficiently. If a verification takes 2 seconds on a CPU, then it will take milliseconds on an ASIC. So with just one ASIC, I'm able to essentially break any website.
Right now I think this captcha is MUCH better than not using any captcha - but I don't think it is better than the tracking-based captchas. I'd be the happiest if this could work, so please prove me wrong if I didn't get it right. I also think it is really important to have experiments like this, I really support the direction.
botnets can't really solve the captcha in a reasonable amount of time since they're usually very low-powered devices such as security cameras or routers
One question remains. So the PoW algo makes it prohibitive for bots to cheat the captcha. How much cost does it penalize bots with? Is this CPU watts or? Like 0.1$ in computation?
And do you think this is the future of captcha? Mine some "bitcoins", to fight bots?
@tr3 It doesn't say anything about how much cost is incurred on the bots. Some transparency around this would be gold. Also, does it increase the difficulty of the challenge on repeated attempts? If not, may this be a future feature? The research paper you linked to describes a password cracking functionality. Is Cap used for this purpose? That raises an ethical dilemma, and end-user legal dilemmas. Also, how does it perform on mobile devices with limited computational resources and battery? Some transparency around this would also be great. Btw, I think this project is really cool! So that's why I'm curious. 😸 I also asked pplx regarding the research paper, and it echoed some of the questions: https://www.perplexity.ai/search/what-are-some-of-the-pros-and-uy_EbHZ1TsSlpMGSkFVTXw#0
Cap
thank you!
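The difficulty and cost questions raised in this thread (per-form difficulty, slow devices versus dedicated SHA-256 hardware), as an added example that is not Cap's code or protocol: a generic hashcash-style SHA-256 proof-of-work in Python. The challenge format, the `POLICY` bit counts and the hash rates in `RATES` are assumptions chosen for illustration, not measurements.

```python
import hashlib
import os

def leading_zero_bits(digest: bytes) -> int:
    """Count zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def verify(challenge: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Server side: one hash, regardless of how long the client searched."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty_bits

def solve(challenge: bytes, difficulty_bits: int) -> tuple[int, int]:
    """Client side: brute-force search. Returns (nonce, hashes computed)."""
    nonce = 0
    while not verify(challenge, nonce, difficulty_bits):
        nonce += 1
    return nonce, nonce + 1

def expected_seconds(difficulty_bits: int, hashes_per_second: float) -> float:
    """Mean solve time: a digest passes with probability 2**-difficulty_bits."""
    return 2 ** difficulty_bits / hashes_per_second

# Assumed per-form policy (hypothetical values): stricter for login.
POLICY = {"comment": 12, "login": 16}
# Assumed hash rates in hashes/second; placeholders, not benchmarks.
RATES = {"slow device": 5e4, "desktop": 1e6, "dedicated hardware": 1e12}

if __name__ == "__main__":
    for form, bits in POLICY.items():
        challenge = os.urandom(16)  # fresh random challenge per request
        nonce, tried = solve(challenge, bits)
        print(f"{form}: {bits} bits, solved after {tried} hashes, "
              f"valid={verify(challenge, nonce, bits)}")
        for client, rate in RATES.items():
            print(f"  {client}: ~{expected_seconds(bits, rate):.6f} s expected")
```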