ALTCHA is a self-hosted security solution designed to replace traditional CAPTCHAs like reCAPTCHA and hCaptcha with a privacy-respecting proof-of-work (PoW) mechanism. It protects websites, APIs, and online services from spam, bots, and DDoS attacks without relying on cookies, fingerprinting, or third-party services. Built with accessibility and compliance in mind, ALTCHA meets GDPR, WCAG 2.2 AA, and the European Accessibility Act (EAA) standards, making it ideal for organizations handling sensitive user data or operating in regulated industries. The solution is lightweight, fast, and integrates seamlessly with modern web frameworks through a Web Component interface.
ALTCHA v2 introduces enhanced accessibility features, including accessible code challenges with audio and image options, built-in internationalization for 50+ languages, and a new self-hosted anti-spam backend called ALTCHA Sentinel. By eliminating third-party dependencies, it gives organizations full control over their security infrastructure while reducing page load times and improving compliance posture. The widget is distributed as a minimal 30kB bundle—90% smaller than reCAPTCHA—and supports all modern browsers with Web Crypto API and Web Components support.
What You Get
- Proof-of-Work (PoW) Mechanism - Replaces visual CAPTCHAs with computational challenges that require minimal user effort but deter bots by consuming server-side resources, making large-scale spam attacks economically unfeasible.
- Cookie-Free & GDPR-Compliant Design - No cookies, trackers, or user fingerprinting; fully compliant with GDPR, CCPA, HIPAA, and other global privacy regulations by default.
- WCAG 2.2 AA & EAA Accessibility - Fully accessible code challenges with both image and audio options, keyboard navigation support, and screen reader compatibility for users with visual impairments.
- Self-Hosted Architecture - No external API calls to Google, hCaptcha, or Cloudflare; all verification logic runs on your infrastructure with full data sovereignty.
- Lightweight Web Component - Only 30kB GZIPed (vs. 300+ kB for reCAPTCHA), with support for modern frameworks via npm, CDN, or direct script inclusion.
- Built-in Internationalization (i18n) - Supports 50+ languages out of the box with automatic browser language detection and manual override via
language attribute.
- Code Challenge Support - Requires users to enter a code from an image or audio clip, providing an accessible alternative to visual puzzles when used with ALTCHA Sentinel.
- Plugin System - Extend functionality with optional plugins like
obfuscation (for securing emails/phone numbers) and upload (for file uploads), installed separately from the core package.
- Programmatic Configuration - Dynamically configure widgets using JavaScript via the
configure() method, enabling server-side challenge generation and custom validation flows.
Common Use Cases
- Building a GDPR-compliant contact form - A European SaaS company needs to block bot submissions without collecting user data; ALTCHA provides spam protection with zero cookies and full privacy compliance.
- Securing a public API endpoint - A healthcare app exposes an API for patient signups; ALTCHA’s PoW mechanism prevents automated scraping and credential stuffing without violating HIPAA or PIPL.
- Protecting a multilingual e-commerce checkout - A global retailer with users in 30+ countries uses ALTCHA’s built-in i18n to deliver accessible, localized CAPTCHA challenges in French, German, Japanese, and Arabic without third-party scripts.
- DevOps teams managing high-traffic sites - Teams running infrastructure on private clouds use ALTCHA to replace reCAPTCHA, reducing dependency risks, improving load times by 90%, and avoiding CSP violations from external domains.
- Accessibility-focused web applications - Government portals or educational platforms require WCAG 2.2 AA compliance; ALTCHA’s audio code challenges and keyboard navigation ensure accessibility for users with disabilities.
- Problem → Solution flow: Replacing reCAPTCHA on a landing page - Problem: reCAPTCHA blocks users with disabilities, violates GDPR, and slows down page load. Solution: ALTCHA replaces it with a 30kB PoW widget that works offline, respects privacy, and passes accessibility audits.
Under The Hood
ALTCHA is a privacy-centric CAPTCHA solution designed to minimize server-side dependencies and maximize client-side computation. It provides a modular, extensible framework for CAPTCHA implementations with strong support for internationalization and accessibility.
Architecture
The system adopts a component-based architecture centered around Svelte for UI rendering, ensuring reactive and efficient updates. It emphasizes modularity through plugin extensions and clear separation between core logic and presentation layers.
- Modular design enables flexible integration of analytics, obfuscation, and upload features
- Component-based structure supports reusability across different web environments
- Extensible plugin system allows customization without modifying core modules
Tech Stack
The project leverages modern web technologies to ensure performance, security, and maintainability. It combines TypeScript for type safety with Svelte for UI development and Vite for streamlined builds.
- Built with JavaScript and TypeScript, using Svelte 5 and Vite for UI and build processes
- Integrates @altcha/crypto for cryptographic operations and csso for CSS optimization
- Employs Vitest and Playwright for unit and end-to-end testing, ensuring reliability
- Development and deployment pipelines support internationalized builds and multiple output formats
Code Quality
The codebase maintains a moderate level of quality with an emphasis on test coverage and cross-platform compatibility. It demonstrates consistent patterns in error handling and internationalization.
- Extensive test suite includes unit and end-to-end testing for robust functionality
- Consistent error handling and logging practices improve maintainability
- Well-organized directory structure supports long-term scalability and clarity
- Strong type safety through TypeScript reduces runtime errors and improves developer experience
What Makes It Unique
ALTCHA distinguishes itself through its client-first approach to CAPTCHA challenges and its support for modular extensibility. Its design prioritizes privacy, accessibility, and seamless integration in diverse web contexts.
- Plugin architecture enables non-intrusive extensions for analytics, obfuscation, and upload capabilities
- Client-side challenge solving reduces reliance on external services or complex server logic
- Comprehensive i18n support with language-specific builds enhances global accessibility
- Shadow DOM-free custom elements ensure compatibility across varying web environments