Private Captcha is an open-source, EU-built CAPTCHA service that replaces traditional user-interaction-based challenges with adaptive Proof-of-Work (PoW) mechanisms to combat bots, AI scrapers, and spam without tracking user behavior. Designed for privacy-conscious organizations, it eliminates the need for third-party services like Google reCAPTCHA or hCaptcha by offering full control over data and infrastructure. The system is optimized for low resource usage, supports invisible deployments, and provides detailed usage statistics—all while remaining compliant with GDPR. It’s ideal for developers and DevOps teams seeking a sustainable, self-hosted anti-abuse solution that doesn’t compromise user privacy.
Built with Go for the backend and JavaScript/WASM for the client widget, Private Captcha uses PostgreSQL for account data and ClickHouse for operational metrics. It’s designed to be deployed on-premises or in private clouds, with official documentation and a dedicated self-hosting repository to simplify setup. Unlike commercial alternatives that rely on behavioral tracking, Private Captcha authenticates clients through computational work, making it resilient against modern AI-based automation while remaining unobtrusive to legitimate users.
What You Get
- Adaptive Proof-of-Work Challenges - Adjusts difficulty dynamically based on bot detection signals, ensuring high-security without frustrating users; configurable via API and dashboard.
- Invisible CAPTCHA Widget - Lightweight JavaScript widget that operates in the background without UI elements, reducing user friction while maintaining bot protection.
- Privacy-First Design - No PII collection, no behavioral tracking, and no external data sharing—fully compliant with GDPR and privacy regulations.
- Self-Hostable Architecture - Complete control over deployment; official Docker-based development setup and separate self-hosting repository for production environments.
- Usage Statistics & Monitoring - Built-in backend dashboard provides real-time metrics on challenge attempts, difficulty scaling, and bot detection rates.
- High-Throughput Backend - Optimized Go-based API with low-latency response times, avoiding JavaScript execution on the server side for scalability.
Common Use Cases
- Building a GDPR-compliant e-commerce platform - Replacing reCAPTCHA with Private Captcha to avoid user tracking while blocking automated cart abuse and ticket scalpers without intrusive challenges.
- Protecting a SaaS dashboard from AI scraping - Using adaptive PoW to prevent competitors from harvesting pricing or user data via headless browsers, without collecting IP addresses or cookies.
- Problem: Third-party CAPTCHAs leak user data → Solution: Self-hosted PoW - Organizations subject to strict data governance (e.g., healthcare, finance) use Private Captcha to eliminate tracking by Google/hCaptcha while maintaining bot resistance.
- DevOps teams managing multi-cloud infrastructure - Deploying Private Captcha across Kubernetes clusters in EU regions to ensure data sovereignty and reduce dependency on US-based SaaS providers.
Under The Hood
The project is a Go-based backend system that integrates a web frontend and widget component to deliver a comprehensive captcha and anti-abuse solution. It combines server-side logic with client-side interactivity to provide a modular, extensible platform for handling user verification challenges.
Architecture
The system adopts a monolithic structure with well-defined module boundaries, supporting multiple entry points and layered concerns.
- The codebase is organized into distinct components such as CLI tools, a web server, and widget interfaces that manage different aspects of the application lifecycle
- UI rendering is handled through HTML templates and JavaScript, with modular widget components for enhanced reusability and styling
- Design patterns such as component-based rendering and strategy-like challenge handling are employed to decouple state and behavior
- Inter-module communication is managed through clearly defined interfaces, especially in the widget and web layers where performance and responsiveness are prioritized
Tech Stack
The project leverages a blend of backend and frontend technologies to support its core functionality.
- Built primarily in Go for the backend services, complemented by a web UI using HTML, CSS, and JavaScript
- Utilizes Tailwind CSS for styling and esbuild for efficient JavaScript bundling and development workflows
- Integrates Node.js packages such as base64-arraybuffer and blakejs for cryptographic operations and data handling
- Employs esbuild, Makefiles, and various testing tools like happy-dom and node:test to support build and test automation
Code Quality
The codebase reflects a balanced approach to quality with strengths in testing and error handling, though some structural complexity exists.
- A comprehensive test suite covers various scenarios with consistent error handling and validation across modules
- Code linting and type safety are enforced using TypeScript and ESLint to maintain code consistency and reduce bugs
- While most modules follow clean practices, some areas show increased complexity that can raise the learning curve for new contributors
- The project demonstrates good modularity and separation of concerns despite minor technical debt in certain areas
What Makes It Unique
The project introduces innovative client-side and server-side integration patterns that distinguish it from typical captcha systems.
- Implements Web Workers for client-side CAPTCHA solving, ensuring non-blocking UI interactions and improved user experience
- Features a puzzle-based CAPTCHA system with visual progress tracking, offering an engaging and accessible alternative to traditional challenges
- Provides a flexible widget architecture that supports multiple UI layouts and customization, enhancing extensibility and adaptability
- Seamlessly connects frontend templates (HTML/CSS/JS) with Go-based backend services to create a unified and scalable verification layer