At a Glance:
ALTCHA is a self-hosted, privacy-first CAPTCHA alternative that uses proof-of-work and memory-bound algorithms like Argon2 and Scrypt to protect websites and APIs from spam without collecting user data, using cookies, or fingerprinting.
Overview:
ALTCHA is an open-source security solution designed to protect websites, APIs, and online services from spam and abuse. It replaces traditional CAPTCHAs, which often rely on tracking, cookies, or visual puzzles, with a background proof-of-work mechanism. The project is built to be self-hosted, giving operators full control over their deployment infrastructure without depending on third-party API availability. It uses memory-bound algorithms to resist bot farms and hardware acceleration while remaining compliant with privacy regulations and accessibility standards. Developers can integrate the widget into forms, configure it extensively through HTML attributes or a JavaScript API, and extend its behavior with plugins for tasks like data obfuscation.
Key Decision Points:
Self-hosted infrastructure: Runs entirely on your own servers with no reliance on external API services or third-party availability.
Privacy-focused mechanism: Verifies users through background computation rather than tracking, cookies, or fingerprinting, and does not collect personal data.
Algorithm selection for security posture: Uses bundled SHA-256 and PBKDF2 algorithms by default, with optional support for memory-bound Argon2 and Scrypt to resist hardware-accelerated attacks.
Web Crypto API dependency: Requires browsers with crypto.subtle support (Chrome 67+, Firefox 63+, Safari 11+), which means Internet Explorer is not supported.
Form and API protection scope: Designed specifically for protecting web forms and API endpoints, providing widget integration methods and a verification API rather than broader network-level or application-level security.
Core Features:
Proof-of-Work verification: Challenges clients to solve a computational puzzle in the background, replacing visual tests with a frictionless process.
Memory-bound algorithm support: Implements Argon2 and Scrypt alongside standard SHA and PBKDF2 algorithms to neutralize the advantage of GPU and ASIC-based bot farms.
Accessible fallback challenges: Provides image-based code challenges with built-in audio support as an alternative verification path for users with visual impairments.
Internationalization: Ships with support for over 50 languages, with automatic browser language detection and the ability to manually override translations through the global configuration registry.
Pluggable data obfuscation: Includes an official plugin that obfuscates sensitive data such as email addresses, keeping them hidden from scrapers until a challenge is completed.
Widget display modes: Supports multiple visual configurations including standard, floating, overlay, bar, and invisible modes, with options for automatic verification triggers and custom validation messages.
Use Cases:
Developers protecting public-facing web forms from automated spam submissions without adding friction for legitimate users.
Self-hosters and privacy-conscious organizations seeking a CAPTCHA system that does not use cookies, track users, or rely on external third-party services.
API providers implementing a proof-of-work challenge layer to prevent abuse from automated scripts while maintaining stateless verification workflows.
Open-Source Alternative Value:
ALTCHA provides a self-hosted alternative to services like reCAPTCHA, hCaptcha, and Cloudflare Turnstile with a significantly smaller client-side footprint. Its server integrations are available across multiple languages including TypeScript, PHP, Go, Python, Java, and Rust, allowing developers to implement the verification endpoint within their own infrastructure. The plugin model enables extensions like data obfuscation to be loaded alongside the widget without modifying the core library. Because the project uses memory-bound algorithms and works through Web Workers, it can raise the computational cost for attackers without degrading the experience for normal browser users.




