Cap is a fast, lightweight, and modern open-source CAPTCHA alternative based on SHA-256 proof-of-work (PoW). It’s 250x smaller than hCaptcha, privacy-focused, fully customizable, and easy to self-host. Cap helps prevent spam and abuse without tracking users, making it ideal for privacy-conscious developers. Built for speed and simplicity, Cap is perfect for modern web apps, forms, and APIs that need secure, lightweight human verification.
Cap
Elisi : AI-powered Goal Management App
Love this approach! 💡 Using SHA-256 proof-of-work as a CAPTCHA alternative is such a smart, elegant solution — especially in an era where user privacy and page speed really matter. 🔒⚡️
Curious how it performs in real-world bot scenarios — any benchmarks or early adopter feedback?
Awesome work, and congrats on the launch! 🚀
Typeform Alternative By Buildform
@williamrobertscott would love to know more about this @tr3 !
Great work BTW 🔥
Cap
@williamrobertscott @chamaru hi there, you can read more about PoW here: https://capjs.js.org/guide/effectiveness.html
and run a benchmark here: https://capjs.js.org/guide/benchmark.html
i'm still running this benchmark on a bunch of devices
I'm a bit concerned about it's effectiveness. Prove me wrong, I'd be happy if this works as good as the others.
First, this does not verify if I'm a human, but if I have enough computational resources. A similar system was developed (Hashcash) which is not really used in popular email clients. In my opinion, it works for Bitcoin for the same reason it didn't work work email: it doesn't verify if you're a human, it just verifies your computational resources.
This raises some questions. What if someone is browsing my site from an old computer? The verification will take a lot longer and possibly use all the resources that device has for minutes.
What happens to botnets? While tracking-based captchas have a chance to combat them, it doesn't really matter if hacker guy has to do some PoW on the botnet computers.
Thanks to Bitcoin, we also have really efficient sha256 ASICs - computers that only solve sha256, but they do it really efficiently. If a verification take 2 seconds on a CPU, then it will take milliseconds on an ASIC. So with just one ASIC, I'm able to essentially break any website.
Right now I think this captcha is MUCH better than not using any captcha - but I don't think it is better that the tracking based captchas. I'd be the happiest if this could work, so please prove me wrong if I didn't get it right. I also think it is really important to have experiments like this, I really support the direction.
Cap
@dawe You should read more about PoW here: https://capjs.js.org/guide/effectiveness.html
botnets can't really solve the captcha in a reasonable amount of time since they're usually very low-powered devices such as security cameras or routers
it's not really that slow on old computers, you can test it yourself here: https://capjs.js.org/guide/benchmark.html
yes, the concern about sha256 ASICs is valid. i'm working on moving the captcha to blake3 or other algorithm
@tr3 Wow this is awesome, maybe RandomX could work too