Cap Self-hosted CAPTCHA
for the modern web.
No Google. No telemetry. No visual puzzles.
Switch from reCAPTCHA in minutes.
Privacy-first. No tracking.
Zero telemetry. No third-party network. Your users' data stays between you and them.
250x smaller than hCaptcha.
~20kb, zero dependencies. Loads in milliseconds, not seconds.
No visual puzzles. Always invisible.
PoW, time-lock challenges and instrumentation run silently in the background.
Free & open-source
Apache 2.0 licensed. Audit it, fork it, self-host it. No vendor can pull the rug.
Built for privacy laws.
Designed to help you meet GDPR, CCPA, LGPD and more, with strict privacy and accessibility standards baked in.
Fully customizable
Colors, size, position, icons, all controllable via CSS variables. No iframe lock-in.
Compliant out of the box.
Open-source, self-hosted and privacy-first. We don't use cookies or tracking and no data leaves your servers.
See how Cap complies ↗
GDPR
CCPA / CPRAHIPAA
PIPEDA / CPPA
LGPD
DPDPA
PIPLEAA / EN 301 549Section 508Internationalization (i18n)RTL supportA fraction of the weight
Cap's widget is extremely lightweight and runs invisibly, shipping only about 20 kB of JavaScript with no third-party scripts.
How it compares
Cap is the free, open-source, self-hosted option, same detection tier as the big names, without shipping your users' data to a third party.
See the full comparison ↗Self-hosted
Runs entirely on your own server. reCAPTCHA, hCaptcha and Turnstile are cloud-only.
Open source
Apache 2.0. Read it, fork it, own it. The big three are closed source.
No visual puzzles
Invisible proof-of-work, no crosswalks. reCAPTCHA and hCaptcha still show puzzles.
Zero third-party telemetry
Your visitors' data never leaves your server. Google, Cloudflare and hCaptcha all phone home.
Free at scale
No quotas, no per-request fees. reCAPTCHA and hCaptcha meter or charge.
Layered defense
Proof-of-work layered with dynamic JavaScript instrumentation challenges
Two independent layers.
Bypass one, the other still holds.
Every challenge solves proof-of-work and runs browser instrumentation at the same time. Defeating one layer doesn't defeat the other.
PoW and time-locks
The client solves parallel SHA-256 hashes and time-lock challenges tuned against GPU acceleration in WASM.
JS instrumentation
A freshly-generated JS program runs complex JavaScript, DOM and browser checks.
dom- Is it GDPR-friendly?
- Yes. Cap doesn't phone home, doesn't set cookies, and doesn't fingerprint users. Your server sees the verification, no one else does.
- Can I migrate from reCAPTCHA / hCaptcha?
- Yes. Cap's siteverify API is compatible with reCAPTCHA and hCaptcha, but you'll need to swap your client-side code to use Cap's widget.
- How effective is it against real bots?
- Cap's instrumentation combined with proof-of-work is very effective at making abuse extremely difficult to automate at scale.
- What does it cost to self-host?
- Cap Standalone fits on a $5 VPS for most sites. There are no per-request fees, no egress to a third party, and no API quotas to hit.
- What is an open-source CAPTCHA?
- An open-source CAPTCHA is bot protection whose code you can read, audit, and self-host, rather than a closed third-party service. Cap is licensed under Apache 2.0 and runs entirely on your own infrastructure, so visitor data never reaches a vendor.
Ditch reCAPTCHA this afternoon.
Drop the widget into your site, point it at a $5 VPS, and stop paying anyone to see your users' traffic.