Cap

Cap is an open-source CAPTCHA alternative that helps protect web forms and APIs from automated bots by using proof-of-work computation instead of visual puzzles. Developed as a privacy-first replacement for services such as Google reCAPTCHA, hCaptcha, and Cloudflare Turnstile, Cap runs a silent SHA-256 challenge in WebAssembly directly within the user's browser. Real users can solve the challenge in milliseconds without even noticing it; bots, however, face a computational cost that makes mass submissions economically infeasible. No cookies are set, no behavioural data is tracked, and all verification happens right on your own infrastructure.

Common Use Cases

Developers looking to protect user registration and login forms replace reCAPTCHA with Cap to eliminate the privacy concerns and third-party dependency that typically come with Google's service. Contact forms and comment sections on self-hosted websites utilise Cap to block spam submissions without degrading the user experience with image puzzles or accessibility barriers. API endpoints that accept public input — such as feedback forms, voting endpoints, or public data submissions — can add Cap token verification to prevent scripted abuse at no additional cost per request. Organisations under GDPR or other privacy regulations use Cap because it requires no user consent banner: there is no behavioural data to collect or consent to obtain. SaaS developers building multi-tenant products embed Cap across multiple client sites, using separate site keys, each with independent analytics. Teams building internal tools can self-host Cap on a VPS alongside their applications, keeping all bot-protection infrastructure within their own network perimeter and away from external audit.

Key Features

• Proof-of-work challenges: SHA-256 computation runs in WebAssembly inside the browser, making it invisible to real users and costly enough to deter bots without blocking them outright.
• Zero cookies and tracking: No cookies are set, no fingerprinting occurs, and no data is sent to any external server — making it GDPR-compliant with no consent prompt required.
• 20KB client widget: The embeddable JavaScript widget is lightweight and has no external dependencies, thus adding minimal overhead to any page.
• REST verification API: A single HTTP POST to your Cap instance can verify a challenge token from any backend language or framework.
• Admin dashboard: View per-site challenge pass rates, failure metrics, and usage analytics; manage site keys and rotate secrets without needing to restart the service.
• Valkey persistence: Challenge state is stored in a Valkey instance with disk persistence, ensuring issued tokens survive container restarts.
• Multi-site support: Create separate site keys for multiple domains or projects, each with independent challenge analytics and usage statistics, all tracked in the admin panel.

Why deploy Cap on Hostinger VPS

Running Cap on a Hostinger VPS means your bot protection never depends on Google, Cloudflare, or any other third-party service that could change its pricing or terms. Verification latency is determined by your VPS location rather than an external API, keeping response times predictable for users and your backend alike. There are no per-verification charges — a single fixed VPS cost covers unlimited challenges across all your sites and applications. Because Cap is stateless except for its Valkey store, it runs efficiently on the smallest VPS plans and can protect dozens of sites simultaneously without noticeable resource usage.