ALTCHA is a privacy-first, self-hosted security solution that protects websites, APIs, and online services from spam and automated abuse using proof-of-work (PoW) and accessible code challenges instead of intrusive tracking or visual CAPTCHAs. It eliminates cookies, fingerprinting, and third-party dependencies, making it ideal for organizations requiring strict compliance with global privacy and accessibility regulations.
Built as a Web Component with native browser APIs, ALTCHA supports all modern browsers with Web Crypto support and integrates seamlessly with popular frameworks like React, Vue, Svelte, and Angular. It includes server libraries for TypeScript, PHP, Go, Python, Java, Ruby, and Elixir, and is complemented by ALTCHA Sentinel for adaptive bot protection and WordPress integration for form spam filtering.
What You Get
- Proof-of-Work (PoW) Verification - Replaces visual CAPTCHAs with computationally lightweight PoW challenges that verify human users without puzzles, cookies, or tracking.
- Accessible Code Challenges - Provides image and audio-based code entry for high-risk scenarios, fully compliant with WCAG 2.2 AA and EAA 2025 standards.
- Cookie-Free & Tracking-Free Design - No cookies, fingerprinting, or external data collection; fully compliant with GDPR, CCPA, HIPAA, PIPL, and other global privacy laws.
- 50+ Language Support with RTL - Built-in internationalization with automatic browser language detection and manual override for right-to-left languages like Arabic and Hebrew.
- Self-Hosted Server Libraries - Official libraries for TypeScript, PHP, Go, Python, Java, Ruby, and Elixir to verify PoW tokens on your own infrastructure.
- ALTCHA Sentinel Integration - Self-hosted adaptive bot protection system with machine learning, threat intelligence, and dynamic challenge escalation for APIs and high-traffic sites.
- Overlay and Floating UI Modes - Non-intrusive verification interfaces (overlay, floating) that appear only during form submission without disrupting user flow.
- Web Component Architecture - Deployable as a standalone <altcha-widget> element with no framework dependencies, compatible with any modern frontend stack.
- Data Obfuscation Plugin - Optional plugin to encrypt and obfuscate sensitive form data (emails, phone numbers) before transmission.
- File Upload Protection - Plugin to prevent spam uploads by requiring PoW verification before file submission.
Common Use Cases
- Running a GDPR-compliant contact form - A European e-commerce site uses ALTCHA to block bot submissions without collecting user data or violating cookie consent laws.
- Securing a healthcare portal API - A hospital system integrates ALTCHA Sentinel to protect patient registration endpoints from automated scraping while meeting HIPAA requirements.
- Protecting a multilingual news site from spam - A global publisher uses ALTCHA’s 50+ language support and audio code challenges to block spam comments while ensuring accessibility for visually impaired users.
- Preventing form abuse on a high-traffic SaaS dashboard - A fintech company deploys ALTCHA with floating UI to stop credential stuffing attacks without frustrating legitimate users.
Under The Hood
Architecture
- Modular design with clear separation between UI components, plugin system, and worker-based verification logic, enabling extensibility through a global plugin registry
- Dependency injection via PluginContext decouples configuration from implementation, promoting loose coupling and testability
- Component-based Svelte structure isolates concerns across UI, core widget, plugins, and background workers, with declarative CSS theming driven by data attributes
- Global polyfills and multi-format exports (UMD, ESM, I18n) ensure encapsulation while supporting diverse integration environments
Tech Stack
- Svelte 5 with Vite for efficient component rendering and fast development workflows, enhanced by TypeScript for strict type safety across all layers
- Vite-based multi-bundle build system supports modular distributions and internationalization with optimized production outputs
- CSS preprocessing and minification pipelines ensure lightweight, themable styles without runtime overhead
- Comprehensive test suite using Vitest and TestCafe validates cryptographic operations, challenge resolution, and browser behavior
- Privacy-first approach with no third-party dependencies, relying on client-side cryptographic primitives for secure verification
Code Quality
- Extensive test coverage for core functionality including edge cases and abort handling via AbortController
- Strong type safety enforced through comprehensive interfaces and enums, ensuring robust contracts between components and plugins
- Clean separation of concerns with minimal cross-cutting dependencies, promoting maintainability and scalability
- Consistent naming conventions and semantic CSS classes align with component structure and state-driven behavior
- State machines and event-driven feedback replace custom error classes, enabling predictable state transitions and user feedback
- Comprehensive type declarations enable type-safe usage in React, vanilla JS, and server environments without runtime checks
What Makes It Unique
- Self-contained Web Worker-based challenge solver operates entirely in-browser with no external dependencies, enabling offline CAPTCHA-like verification
- Plugin-driven architecture allows runtime extension for analytics, localization, and custom logic without modifying core code
- Dynamic theming via CSS custom properties enables deep visual customization without altering HTML structure
- Svelte’s compile-time optimizations deliver a lightweight, zero-runtime-framework widget with minimal page footprint
- Novel obfuscation layer for challenge tokens prevents automated scraping while preserving accessibility and usability
- Integrated audio/image challenge generation and verification in a single portable component, eliminating server-side rendering or CDN dependencies