Public Beta — all plans are free while we scale infrastructure

Stop bots.
Respect humans.

Captxa is an invisible, Proof-of-Work CAPTCHA built in pure C on the H2O HTTP server. With puzzle solving for suspicious requests. No cookies, no tracking pixels. Built for privacy and

Start for free → Try the Demo

NOBLOCKING

NO BLOCKING BY IP

~16KB

Client script size

0 cookies

No tracking, ever

EU-hosted

GDPR compliant by design

Frugal & Fair Pricing

Because C and H2O run on almost nothing, our server costs are a fraction of traditional CAPTCHA services.

All plans are completely free during the Beta — original prices crossed out for transparency.

Hobbyist

Free

Always free

Personal projects, portfolios, and open source apps.

50,000 verifications/mo
Invisible PoW + puzzle fallback
Community support

Get started

Starter

$0 /mo $9

Free during beta

Small commercial sites and early-stage startups.

100,000 verifications/mo
Analytics dashboard
Email support

Get started

How Captxa Works

We believe security systems should be fully transparent. Below is an exact, honest description of every step our server executes when verifying a user — no black boxes.

Normal Path — Invisible to Users

TLS JA4 Fingerprint

At the TLS handshake level, the server computes a JA4 fingerprint of the client's cipher suite, extensions, and TLS version. This fingerprint is bound to the session and re-verified on every request to detect fingerprint spoofing.

Browser Environment Check

A small JS snippet collects browser signals: WebGL renderer, screen dimensions, hardware concurrency, timezone, device memory, and checks for WebDriver presence, missing Chrome runtime, and error stack tripwires that reveal headless environments.

Encrypted PoW Challenge (18-bit)

The server generates a random 16-byte nonce and encrypts a token SIMP|ip|ja4|timestamp|pow_hex using ChaCha20-Poly1305. The browser must find a nonce such that SHA256(challenge + nonce) has 18 leading zero bits.

Token Binding & Replay Prevention

On submission, the server decrypts the challenge token, verifies the PoW solution, confirms IP match and JA4 match, and checks a Bloom filter to prevent replay attacks. Valid sessions receive a signed Ed25519 pass token in the response header.

Suspicious Path — Sliding Puzzle

Triggers

Complex mode is triggered when: the IP is on the suspicious Bloom filter, the JA4 fingerprint mismatches the User-Agent, the browser environment check reveals automation, or the rate limiter is exceeded.

Puzzle Generation

The server generates a randomized sliding puzzle image. The target solution coordinates are embedded inside a COMP|ip|ja4|ts|pow_hex|sol_x|sol_y token, encrypted with ChaCha20-Poly1305. Solution tolerance is ±7 pixels.

Mouse Movement Analysis

The full drag trajectory is recorded as [x, y, timestamp_ms] points and sent to the server. The trajectory passes through a multi-stage ML pipeline: integrity filters, burstiness analysis, sample entropy + jerk calculation, Fitts' law validation, and velocity coefficient-of-variation check.

Harder PoW (19-bit) + Final Token

Simultaneously with the puzzle, the browser must solve a slightly harder 19-bit PoW. A combined bot score must stay below 0.50 (vs 0.30 for the simple path). On success, a signed Ed25519 token is issued.

Infrastructure — Honest Status

Currently, Captxa runs on a single server located in Nuremberg, Germany (EU). This means latency may be slightly higher for users in Asia or the Americas. This is a known limitation and expanding to additional regions is on the roadmap. We will update this page as new nodes come online. We don't display uptime numbers yet — we'd rather earn that claim over time.

Developer Integration

Integrate Captxa in minutes. Add one script tag, call one function on your form, validate one token on your server.

index.html

<!-- Add before </body> — ~16 KB, zero external dependencies -->
<script src="https://cdn.jsdelivr.net/gh/HelloCaptxa/PublicJS@latest/script.js"></script>

<!-- Add a mount-point for the widget inside your form -->
<div id="captcha-widget"></div>

form integration (JavaScript)

// 1. Render the widget — call once after the DOM is ready.
//    It silently runs PoW; suspicious users see the slider.
Captxa.render('captcha-widget', {
  serverUrl:      'https://api.captxa.com',
  form:           '#my-form',        // CSS selector — # prefix required
  tokenFieldName: 'captchatoken',    // name of the injected hidden <input>
  onVerify: () => {
    // Fires when PoW (or puzzle) passes — enable your submit button
    document.getElementById('submit-btn').disabled = false;
  },
  onError: () => { /* ask user to refresh */ }
});

// 2. On submit the token is already in the hidden field — just read it.
const form = document.getElementById('my-form');
form.addEventListener('submit', async (e) => {
  e.preventDefault();
  const token = form.querySelector('input[name="captchatoken"]')?.value;
  await fetch('/api/my-action', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ captchatoken: token, /* ...other fields */ })
  });
});

server-side validation (Node.js example)

// POST /api/validate on api.captxa.com
// Call this from YOUR backend — never from the browser.
// OR SELF VERIFY IT with public key.

const res = await fetch('https://api.captxa.com/api/validate', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    captcha_token: req.body.captchatoken,  // hidden field injected by the widget
    secret_key:   process.env.CAPTXA_SECRET_KEY
  })
});

const data = await res.json();

if (!data.Is_Correct) {
  return res.status(403).json({ error: 'Bot detected' });
}

API response reference

// ✅ Valid token — human verified
{
  "Is_Correct": true,
  "RequestLimit": false,
  "requests": 1
}

// ❌ Invalid or tampered token
{
  "Is_Correct": false,
  "reason": "invalid_token"
}

// ⚠️ Token reused too many times (HTTP 429)
{
  "Is_Correct": true,
  "RequestLimit": true,
  "requests": 12
}

Full API reference & SDKs →

How We Compare

Captxa was built from scratch to fix what's broken in every existing CAPTCHA solution.

Feature	Captxa	reCAPTCHA v3	hCaptcha
Invisible to users	✓ Always	Mostly	Sometimes
Tracking & fingerprinting	✓ None	Extensive	Some
GDPR / privacy-first	✓ By design	Problematic	Partial
Token Self Verifyable	✓ Yes	NO	NO
Open, auditable logic	✓ Fully	Black box	Black box
Script weight	~16 KB	~500 KB	~300 KB
Free tier	✓ 50K/mo	✓ 10K/mo	✓ 100K/mo NON private

Frequently Asked Questions

Ready to drop the checkbox?

Get started free → Talk to us

Stop bots. Respect humans.