PrivateCaptcha

Privacy-first, self-hostable Proof-of-Work CAPTCHA for GDPR-compliant bot protection.

181stars
6forks
Custom / Unknown
Go

PrivateCaptcha is an independent, EU-built CAPTCHA service that replaces traditional image puzzles with background Proof-of-Work challenges. Instead of asking users to identify fire hydrants or traffic lights, it silently runs cryptographic hash computations in the browser — blocking bots and AI scrapers without collecting any Personally Identifiable Information or disrupting the user experience.

The system is designed from the ground up for privacy compliance. No behavior tracking, no third-party cookies, no PII processing. All infrastructure — servers, CDN, email — runs exclusively on EU-based providers, making it a natural fit for organizations that need to satisfy GDPR, data sovereignty, or security audit requirements that forbid third-party data processing.

Self-hosting is a first-class use case. The source code is publicly available, Docker-based deployment is documented, and an OpenAPI specification covers the full public API. Difficulty adapts automatically based on traffic patterns, scaling the computational burden on clients as bot activity increases while keeping the experience smooth for legitimate users.

PrivateCaptcha is built for sustainability: a managed SaaS offering funds continued development, while the community edition lets organizations run everything on their own infrastructure under a noncommercial license.

What You Get

  • Proof-of-Work CAPTCHA engine - Cryptographic hash challenges run silently in the browser using parallel Web Workers and optional WASM acceleration, verifying humans without any user interaction or visual puzzle.
  • Invisible widget - A lightweight JavaScript widget embeds into any HTML form with a single class attribute, triggering verification in the background during normal form interaction.
  • Adaptive difficulty scaling - A dual leaky-bucket algorithm tracks traffic per site and per user fingerprint, automatically raising computational difficulty when bot-like patterns emerge and relaxing it for normal users.
  • GDPR-compliant by design - No PII is collected, no behavior is tracked, and an optional Data Processing Agreement is available; all infrastructure runs on EU-based providers only.
  • Audit logs and usage statistics - The management portal provides real-time dashboards showing bot attempt rates, challenge difficulty levels, and API key usage, with full audit trails for compliance.
  • Enterprise feature gating via build tags - Go compile-time build tags produce community and enterprise binaries from a single codebase, with the enterprise edition unlocking API-based bulk property management, advanced rules, and organization-level controls.
  • Stable, versioned public API - A published OpenAPI 3.x specification documents all endpoints, with backward-compatible guarantees so integrations survive upgrades without modification.
  • Multi-language integrations - Official integrations cover Java, Ruby, and standard HTTP, with a reCAPTCHA compatibility mode that lets existing g-recaptcha widget deployments switch with minimal code changes.
  • Self-hosting deployment guide - A dedicated self-hosting repository provides Docker Compose configurations and environment setup documentation for running PrivateCaptcha on your own infrastructure.

Common Use Cases

  • GDPR-blocked reCAPTCHA replacement - A German SaaS company cannot legally embed Google reCAPTCHA after a DPA ruling; they replace it with PrivateCaptcha to keep forms protected without touching EU user data.
  • Healthcare portal bot protection - A medical appointment booking system needs invisible form protection that does not compromise patient privacy or trigger HIPAA/GDPR data minimization requirements.
  • E-commerce API scraping defense - An online retailer deploys PrivateCaptcha on product and pricing endpoints to raise the computational cost for AI-powered competitor scrapers without impacting legitimate customers.
  • Government agency self-hosting requirement - A public sector organization must host all security tooling internally with no third-party data flows; PrivateCaptcha’s self-hosted edition satisfies the requirement.
  • High-throughput registration forms - A newsletter or event platform processing hundreds of signups per minute uses adaptive difficulty to stay frictionless for humans while automatically throttling automated bulk registrations.
  • Developer API key protection - A developer tool platform gates API key issuance behind PrivateCaptcha to prevent automated mass account creation without requiring email verification delays.

Under The Hood

Architecture PrivateCaptcha follows a layered monolith where domain packages are cleanly separated: the puzzle package owns the full cryptographic challenge lifecycle (generation, HMAC signing, expiry, verification), the api package assembles HTTP handlers via composable middleware chains, the difficulty package encapsulates the adaptive algorithm using dual leaky-bucket modeling (one per site, one per user fingerprint), and the portal package handles the management plane independently. Go build tags (enterprise/!enterprise) at the package level produce two distinct binaries from one codebase without runtime conditionals polluting hot paths — an architectural decision that keeps community and enterprise feature sets cleanly separated at compile time. The browser widget runs entirely outside the Go boundary: a JavaScript WorkersPool spawns four parallel Web Workers that each attempt Blake2b hash preimage solutions, with results serialized as a binary metadata frame plus concatenated solution bytes before submission to the verify endpoint.

Tech Stack Go 1.26 powers the backend with vendored dependencies and SQLC-generated type-safe queries over PostgreSQL via pgx/v5. ClickHouse handles time-series storage for per-property difficulty data and usage analytics. The HTTP layer is composed with justinas/alice middleware chains providing CORS, request tracing, rate limiting, authentication, and Prometheus metrics emission. The client widget is bundled with ESBuild using a custom inline-worker plugin that packages Web Workers and WASM binaries as base64 strings to avoid separate network fetches. SonarCloud provides continuous maintainability, reliability, and security ratings. Tailwind CSS with a dedicated build pipeline powers the Portal frontend. Development orchestration runs via Docker Compose with separate ClickHouse and PostgreSQL test containers.

Code Quality The core puzzle package has comprehensive Go test coverage across puzzle generation, HMAC signing, solution verification, and solver correctness, all running with t.Parallel() for speed. The CI pipeline is unusually thorough: unit tests, race-condition detection, golangci-lint, JavaScript widget linting, OpenAPI specification validation, Dockerfile security scanning via zizmor, govulncheck, and SQLC migration validation all run on every push. Error handling uses typed sentinel errors with a centralized HTTP status mapper, providing consistent responses without scattered http.Error calls. JavaScript widget code validates solution binary formats and worker message structures explicitly, compensating for the absence of TypeScript. Coverage tracking through SonarCloud shows publicly reported metrics, reflecting a team that treats code quality as an observable property.

What Makes It Unique The most distinctive technical decision is the bidimensional adaptive difficulty system: leaky buckets track traffic pressure separately per site and per masked user fingerprint, allowing the algorithm to punish suspicious users individually without penalizing all visitors on a busy site. Combined with a WASM-accelerated browser solver that runs four Web Workers in parallel, the system can absorb high-throughput legitimate traffic while making automated attacks computationally expensive without any server-side decision per request. The reCAPTCHA compatibility mode — responding to .g-recaptcha CSS selectors and emitting reCAPTCHA v2-shaped JSON responses — lets existing deployments migrate without touching backend verification code, a pragmatic choice that removes the largest migration friction point for teams evaluating a switch.

Self-Hosting

PrivateCaptcha is distributed under the PolyForm Noncommercial License 1.0.0. In plain terms: you can self-host, study, modify, and redistribute the software freely for any noncommercial purpose — including use by nonprofits, educational institutions, public research organizations, and government agencies regardless of their funding source. However, any commercial use requires a separate commercial license, which the team offers for the enterprise edition. This is a strong copyleft-adjacent restriction for commercial operators: if your organization earns revenue and deploys PrivateCaptcha to protect commercial services, you need to contact the team at hello@privatecaptcha.com before going to production.

Running PrivateCaptcha yourself means operating a Go backend server, a PostgreSQL instance for account and property data, and a ClickHouse cluster for time-series difficulty metrics and usage analytics. The Docker Compose setup in the companion self-hosting repository handles local development, but a production deployment requires you to own uptime, backups, database maintenance, and schema migrations across version upgrades. The team publishes migration scripts as SQL files and maintains backward-compatible API guarantees, which reduces upgrade risk, but you are responsible for running them. The backend is designed to be low-resource under normal load, and the adaptive difficulty system is built to handle high-throughput scenarios without becoming a bottleneck.

Compared to using PrivateCaptcha’s managed SaaS offering, self-hosting means you give up automatic upgrades, managed database infrastructure, and direct support from the team. The SaaS tier funds continued development and provides the enterprise edition features — bulk API-based property management, organization-level controls, audit log retention, and advanced traffic rules — that are not compiled into the community binary. If your compliance requirements permit using a hosted EU service (the SaaS runs exclusively on EU infrastructure), the managed option significantly reduces operational burden while still avoiding the privacy problems of Google reCAPTCHA or hCaptcha.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search