Cap

Cap is an open-source CAPTCHA alternative that protects web forms and APIs from automated bots using proof-of-work computation instead of visual puzzles. Built as a privacy-first replacement for services like Google reCAPTCHA, hCaptcha, and Cloudflare Turnstile, Cap runs a silent SHA-256 challenge in WebAssembly directly in the user's browser. Real users solve the challenge in milliseconds without noticing it; bots face a computational cost that makes mass submissions economically infeasible. No cookies are set, no behavioral data is tracked, and all verification happens on your own infrastructure.

Common Use Cases

Developers protecting user registration and login forms replace reCAPTCHA with Cap to eliminate the privacy concerns and third-party dependency that come with Google's service. Contact forms and comment sections on self-hosted websites use Cap to block spam submissions without degrading the user experience with image puzzles or accessibility barriers. API endpoints that accept public input — feedback forms, voting endpoints, public data submissions — add Cap token verification to prevent scripted abuse at no additional cost per request. Organizations under GDPR or other privacy regulations use Cap because it requires no user consent banner: there is no behavioral data to collect or consent to obtain. SaaS developers building multi-tenant products embed Cap across multiple client sites using separate site keys, each with independent analytics. Teams building internal tools self-host Cap on a VPS alongside their applications, keeping all bot-protection infrastructure within their own network perimeter and away from external audit.

Key Features

• Proof-of-work challenges: SHA-256 computation runs in WebAssembly inside the browser, invisible to real users and costly enough to deter bots without blocking them outright.
• Zero cookies and tracking: No cookies are set, no fingerprinting occurs, and no data is sent to any external server — GDPR-compliant with no consent prompt required.
• 20KB client widget: The embeddable JavaScript widget is lightweight and has no external dependencies, adding minimal overhead to any page.
• REST verification API: A single HTTP POST to your Cap instance verifies a challenge token from any backend language or framework.
• Admin dashboard: View per-site challenge pass rates, failure metrics, and usage analytics; manage site keys and rotate secrets without restarting the service.
• Valkey persistence: Challenge state is stored in a Valkey instance with disk persistence, so issued tokens survive container restarts.
• Multi-site support: Create separate site keys for multiple domains or projects, each with independent challenge analytics and usage statistics tracked in the admin panel.

Why deploy Cap on Hostinger VPS

Running Cap on a Hostinger VPS means your bot protection never depends on Google, Cloudflare, or any other third-party service that could change its pricing or terms. Verification latency is determined by your VPS location rather than an external API, keeping response times predictable for users and your backend alike. There are no per-verification charges — a single fixed VPS cost covers unlimited challenges across all your sites and applications. Because Cap is stateless except for its Valkey store, it runs efficiently on the smallest VPS plans and can protect dozens of sites simultaneously without noticeable resource usage.