Self-hosted CAPTCHA for the modern web.
No Google. No telemetry. No visual puzzles.
Switch from reCAPTCHA in minutes.

Privacy-first. No tracking.
Zero telemetry. No third-party network. Your users' data stays between you and them.
250x smaller than hCaptcha.
~20kb, zero dependencies. Loads in milliseconds, not seconds.
No visual puzzles. Always invisible.
PoW, time-lock challenges and instrumentation run silently in the background.
Apache 2.0 licensed
Free forever. Audit it, fork it, own it. No vendor can pull the rug.
Comply with privacy laws.
Fully compliant with GDPR, CCPA, LGPD and more, meeting strict privacy and accessibility standards.
Fully customizable
Colors, size, position, icons, all controllable via CSS variables. No iframe lock-in.
How it compares
Cap sits in the same detection tier as the big names, without shipping your users' data to a third party.
| | Cap | reCAPTCHA | Turnstile | hCaptcha | Friendly |
|---|---|---|---|---|---|
| Self-hosted | Yes | - | - | - | - |
| Open source | Apache 2.0 | No | No | No | No |
| No visual puzzles | Yes | Frequent | Yes | Frequent | Yes |
| No 3rd-party telemetry | Yes | | Cloudflare | hCaptcha | Limited |
| Bundle size | ~20 kb | 500 kb+ | 110 kb+ | 600 kb+ | 80 kb+ |
| Free at scale | Yes | Quota | Yes | Quota | Paid |
| Instrumentation layer | Yes | Yes | Yes | Yes | No |
Compliant out of the box.
Self-hosted and privacy-first, so the hard regulatory questions answer themselves. No cookies, no tracking, no data leaving your servers.*
Two independent layers.
Bypass one, the other still holds.
Every challenge solves proof-of-work and runs browser instrumentation at the same time. Defeating one layer doesn't defeat the other.
PoW and time-locks
The client solves parallel SHA-256 hashes and time-lock challenges tuned against GPU acceleration in WASM.
JS instrumentation
A freshly-generated JS program runs complex JavaScript, DOM and browser checks.
- Is it GDPR-friendly?
- Yes. Cap doesn't phone home, doesn't set cookies, and doesn't fingerprint users. Your server sees the verification, no one else does.
- Can I migrate from reCAPTCHA / hCaptcha?
- Yes. Cap's siteverify API is compatible with reCAPTCHA and hCaptcha, but you'll need to swap your client-side code to use Cap's widget.
- How effective is it against real bots?
- Cap's instrumentation combined with proof-of-work is very effective at making abuse extremely difficult to automate at scale.
- What does it cost to self-host?
- Cap Standalone fits on a $5 VPS for most sites. There are no per-request fees, no egress to a third party, and no API quotas to hit.
- What is an open-source CAPTCHA?
- An open-source CAPTCHA is bot protection whose code you can read, audit, and self-host, rather than a closed third-party service. Cap is licensed under Apache 2.0 and runs entirely on your own infrastructure, so visitor data never reaches a vendor.
- What is the best open-source alternative to reCAPTCHA?
- Cap is a privacy-first, self-hosted alternative to Google reCAPTCHA that uses proof-of-work and instrumentation instead of visual puzzles or tracking. Compare it against reCAPTCHA, hCaptcha, and Turnstile to find what fits your stack.
- How does proof-of-work CAPTCHA work?
- Instead of asking users to solve a puzzle, a proof-of-work CAPTCHA makes the browser compute a small cryptographic challenge before it submits. Cap solves SHA-256 challenges in WebAssembly in well under a second for real users, while making large-scale abuse computationally expensive. See how Cap works.
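The proof-of-work step described in the answer above and under "PoW and time-locks", as an added Node.js illustration that is not Cap's code or wire format. The challenge layout, the function names and the difficulty value are assumptions; time-lock challenges, WASM and the instrumentation layer are not modelled. It shows the cost asymmetry (many hashes to solve, one to verify) and the server-side checks a self-hoster needs: signature, expiry and single use.

```javascript
// Added example: hashcash-style SHA-256 proof-of-work. Hypothetical format, not Cap's.
const { createHash, createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

const SERVER_KEY = randomBytes(32); // per-deployment secret (constructed for this example)
const spent = new Set();            // challenges already redeemed (replay guard)

const sha256hex = (s) => createHash("sha256").update(s).digest("hex");
const sign = (p) => createHmac("sha256", SERVER_KEY).update(p).digest("hex");

// Server: issue a signed challenge "salt.difficulty.expiry"; no state is stored yet.
function issueChallenge(difficulty, ttlMs, now = Date.now()) {
  const payload = `${randomBytes(16).toString("hex")}.${difficulty}.${now + ttlMs}`;
  return { payload, tag: sign(payload) };
}

// Client: search for a nonce whose hash starts with `difficulty` zero hex digits.
// Expected work is about 16^difficulty hashes.
function solve(payload) {
  const prefix = "0".repeat(Number(payload.split(".")[1]));
  for (let nonce = 0; ; nonce++) {
    if (sha256hex(`${payload}:${nonce}`).startsWith(prefix)) return nonce;
  }
}

// Server: one HMAC and one hash, regardless of how long the client worked.
function verify(token, nonce, now = Date.now()) {
  const payload = String(token.payload);
  const expected = Buffer.from(sign(payload), "hex");
  const got = Buffer.from(String(token.tag), "hex");
  // Reject tampered difficulty or expiry before trusting any field.
  if (got.length !== expected.length || !timingSafeEqual(got, expected)) return "bad-signature";
  const [, difficulty, expires] = payload.split(".");
  if (now > Number(expires)) return "expired";
  if (spent.has(payload)) return "replayed";
  const hash = sha256hex(`${payload}:${nonce}`);
  if (!hash.startsWith("0".repeat(Number(difficulty)))) return "bad-solution";
  spent.add(payload); // a solved challenge is accepted exactly once
  return "ok";
}
```

In a real deployment the `spent` set needs to be shared across server instances and pruned once challenges expire.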
Ditch reCAPTCHA this afternoon.
Drop the widget into your site, point it at a $5 VPS, and stop paying anyone to see your users' traffic.
