ALTCHA
A self-hosted, privacy-first CAPTCHA alternative that uses memory-hard proof-of-work to stop bots without cookies, tracking, or third-party APIs.
ALTCHA is a self-hosted, open-source security solution that replaces visual CAPTCHAs with cryptographic proof-of-work challenges, blocking bots and spam without tracking users or depending on third-party services. Unlike reCAPTCHA or hCaptcha, ALTCHA stores no fingerprints, sets no cookies, and sends no behavioral data to external servers, making it fully compliant with GDPR, HIPAA, CCPA, LGPD, DPDPA, PIPL, and PIPEDA.
With v3, ALTCHA added support for memory-bound algorithms including Argon2id and Scrypt that resist GPU and ASIC acceleration, raising the cost of attack for bot farms while keeping verification fast for legitimate users. Standard browser crypto via PBKDF2 and SHA variants remains available for lightweight deployments, and all algorithms run in Web Workers off the main thread to avoid blocking the UI.
ALTCHA ships as a Svelte-compiled Web Component that works in any framework including React, Vue, Angular, Solid, Svelte, or plain HTML. It publishes UMD and ESM bundles, per-language i18n splits for 73 locales, and a separate altcha/lib package for server-side challenge creation and verification in TypeScript, with ports for Go, PHP, Python, Java, Ruby, Elixir, Rust, and C++. The widget weighs roughly 34 kB gzipped, about 90 percent smaller than reCAPTCHA.
Beyond the core widget, ALTCHA includes a Human Interaction Signature collector that gathers passive behavioral telemetry such as pointer trajectories, touch events, scroll patterns, and focus sequences to supplement PoW with biometric signals. Multiple display modes including standard, floating, overlay, bar, and invisible, alongside seven built-in visual themes and full CSS custom property support, make it adaptable to any product design.
What You Get
- Proof-of-Work Verification - Browser-side cryptographic challenge solved in Web Workers using PBKDF2/SHA variants bundled by default, or Argon2id/Scrypt memory-hard algorithms loaded as separate workers to block GPU and ASIC bot farms.
- Human Interaction Signature (HIS) - Passive behavioral biometrics collector sampling pointer trajectories, touch events, scroll patterns, and focus sequences to generate a confidence signal that supplements cryptographic PoW.
- Five Display Modes - Standard checkbox, floating widget anchored near the submit button, full-screen overlay, horizontal bar at top or bottom of page, and fully invisible silent verification with zero UI elements.
- 73-Locale Internationalization - Per-language i18n bundle splits loaded on demand, with automatic RTL text direction for Arabic, Farsi, Hebrew, and Urdu without additional configuration.
- Server-Side Library (altcha/lib) - Standalone TypeScript package for creating HMAC-signed challenges and verifying PoW solutions on your backend, with official ports for nine additional languages.
- Plugin System - Abstract BasePlugin class registered in the global plugin set, with lifecycle hooks for challenge fetching, server verification, and completion events, enabling clean extension without touching core widget code.
- Seven Built-In Visual Themes - Standalone CSS theme files for aqua, caramel, cupcake, cyberpunk, lime, wireframe, and business styles, plus comprehensive CSS custom property support for arbitrary visual customization.
- CSP-Safe External Bundle - The altcha/external distribution excludes all inlined workers and styles, enabling strict Content Security Policy compliance when serving assets from a dedicated CDN path.
- Accessible Code Challenges - Image and audio fallback challenges with WCAG 2.2 AA compliance and European Accessibility Act 2025 conformance built in for visually impaired users.
- Runtime Algorithm Registry - Callers register named algorithm factory functions at runtime via the global API, enabling algorithm swapping or custom cryptographic implementations without rebuilding the widget.
Common Use Cases
- Replacing reCAPTCHA on GDPR-regulated forms - A European fintech company eliminates cookie consent requirements and third-party data transfers by switching to ALTCHA on its registration and contact forms, with no change to the user-facing interaction.
- Protecting healthcare APIs from credential stuffing - A hospital system deploys Argon2id challenges on patient portal endpoints, making each automated login attempt computationally expensive enough to deter large-scale bot campaigns while remaining fast for humans.
- Silent bot protection on e-commerce checkout - An online retailer enables invisible mode with auto-submit triggering to verify every checkout POST silently, eliminating cart-stuffing bots without adding any friction to the purchase flow.
- Accessible public-sector forms - A European government ministry uses ALTCHA with WCAG 2.2 AA-compliant audio code challenges and RTL language support to protect citizen-facing forms while meeting EAA 2025 mandatory accessibility requirements.
- API abuse prevention on free tiers - A developer tools startup gates its free-tier API with PoW challenges, requiring each client to prove compute expenditure before burst requests, effectively rate-limiting bots without blocking legitimate developers.
- Comment spam prevention with floating UI - An open-source project forum embeds the floating display mode anchored near submit buttons on issue and comment forms, adding verification without disrupting the markdown editor layout.
Under The Hood
Architecture ALTCHA follows a layered Web Component architecture where a single custom element compiled with Svelte 5 encapsulates all verification state and UI, while a global service registry connects the widget to algorithms, plugins, and i18n stores via reactive stores. The algorithm registry maps named identifiers to factory functions returning Web Workers on demand, enabling runtime extensibility without coupling the widget to specific cryptographic implementations. Plugins hook into the verification lifecycle through an abstract base class registered globally, intercepting challenge fetching, server verification, and completion events in a predictable sequence. The separation between the widget UI layer, the cryptographic core handling PoW challenge creation and solution, the server-signature verification utilities, and the behavioral biometrics collector is clean and independently testable.
Tech Stack ALTCHA is built with Svelte 5 compiled to a framework-agnostic Web Component, with TypeScript in strict mode providing typed interfaces for all widget configuration, challenge payloads, and plugin contracts including React-specific and Svelte-specific type exports. Memory-bound algorithms leverage hash-wasm, a WebAssembly wrapper over optimized C implementations of Argon2id and Scrypt, keeping intensive computation within the browser sandbox without native binaries. The build system uses multiple Vite configurations producing modular outputs including a standard bundle with inlined workers and styles, a CSP-safe external bundle, per-language i18n splits, a server library build, and standalone theme CSS files. Vitest with Playwright browser integration handles both unit testing of cryptographic primitives and end-to-end behavioral tests across widget interaction scenarios.
Code Quality The codebase has comprehensive unit tests covering cryptographic operations, buffer manipulation, challenge creation, solution verification, and server signature parsing, with tests organized to mirror the module structure. TypeScript strict mode is applied throughout, with a dedicated types directory exporting framework-specific definitions for React, Svelte, and generic environments. Error handling uses typed result objects and explicit state enumerations rather than exception propagation, producing predictable state transitions across the widget lifecycle. The project restricts external contributions, concentrating quality control within the core team, while Husky pre-commit hooks and Prettier formatting with svelte and tailwind plugins enforce consistency automatically. End-to-end tests organized by behavioral scenario validate widget initialization, PoW flow, code challenges, internationalization, and auto-trigger modes.
What Makes It Unique The most technically distinctive contribution is integrating Argon2id and Scrypt into a browser CAPTCHA widget via WebAssembly, specifically to counteract GPU and ASIC parallelization that makes SHA-based PoW trivially cheap for bot farms with specialized hardware. The Human Interaction Signature collector adds a passive behavioral biometrics layer sampling pointer trajectories, touch geometry, scroll patterns, and focus sequences, positioning ALTCHA closer to a self-hosted Cloudflare Turnstile than a traditional CAPTCHA. Publishing both a compiled Web Component and a cryptographic server library from the same repository with HMAC-signed challenge tokens tying client-side work to server-side verification enforces the security contract without any third-party API dependency. The invisible display mode with silent auto-verification on submit delivers genuine zero-friction protection that is completely transparent to end users.
Self-Hosting
ALTCHA is released under the MIT License, one of the most permissive open-source licenses available. You are free to use it commercially, modify the source code, redistribute it in products, and integrate it into proprietary applications without any copyleft obligations. The only requirement is preserving the copyright notice. There are no license checks, feature flags, or gated enterprise tiers within the repository.
Running ALTCHA yourself means serving the widget bundle from your CDN or server and integrating one of the server-side libraries into your backend to generate HMAC-signed challenges and verify submitted solutions. The widget contacts only your own challenge endpoint at runtime, so there is no external infrastructure dependency. The main operational responsibility is HMAC key management, since rotating the secret invalidates in-flight challenges. For deployments using the Human Interaction Signature collector or adaptive Sentinel protection, additional storage and analysis infrastructure is required on your side to process behavioral telemetry.
Compared to managed alternatives like hCaptcha or reCAPTCHA, self-hosting ALTCHA gives you full data sovereignty and removes third-party cookie consent requirements entirely, but you absorb all operational responsibility: uptime of your challenge endpoint, keeping the widget updated as new algorithm versions and security patches release, and monitoring for evolving abuse patterns. The project does not accept external pull requests, so all updates come exclusively from the core team, making it important to track the GitHub releases feed closely. There is no paid enterprise tier or commercial SLA offered by the project, though ALTCHA Sentinel is available as a separate managed service for organizations needing adaptive bot protection without running their own analysis pipeline.
Related Apps
Caddy
Devops · Security
The only web server that obtains and renews TLS certificates automatically, with HTTP/1-2-3 support and zero dependency on external runtimes.
Caddy
Apache 2.0Traefik
Devops · Automation · Security
A cloud-native reverse proxy and load balancer that auto-configures itself from Docker, Kubernetes, and other orchestrators — zero manual routing required.
Traefik
MITVaultwarden
Password Manager · Security
Unofficial Bitwarden-compatible server in Rust — run the full Bitwarden ecosystem on a Raspberry Pi using every official client you already have, without the multi-container overhead.