Ciphera Captcha

Stop bots without compromising privacy.

Adaptive proof-of-work, puzzle challenges, and behavioral analysis — all without tracking your users. Fully stateless, self-hosted, and GDPR compliant by design.

Adaptive PoWNo trackingStateless5-signal risk scoring

01 · Bot defense

Invisible to humans. Expensive for bots.

Ciphera's proof-of-work runs silently in a Web Worker — users see nothing while their browser solves a SHA-256 challenge in the background. Difficulty adapts per-IP based on request rate, scaling from easy to hard as suspicious activity increases.

  • Zero friction — runs invisibly in a background thread
  • Adaptive difficulty (4-6 leading zeros) based on request rate
  • Web Worker keeps the UI fully responsive
  • Graceful fallback to main thread on older browsers
I am human
Secured byCiphera
Ciphera

Recent verifications

192.168.1.***
login12ms
10.0.0.***
signup34ms
45.33.32.***
upload8ms
172.16.0.***
login21ms

Integration

// Add to any form
import { Captcha } from '@ciphera/captcha'
<Captcha siteKey="sk_..." onVerify={fn} />
No cookies. No cross-site tracking.
All systems operational

02 · Features

Everything in Ciphera Captcha.

Human challenge

When stronger proof is needed, a drag-to-fit SVG puzzle resists ML and OCR, verifies statelessly via HMAC-signed positions, and ships an audio fallback (WCAG 2.1 AAA).

Risk scoring

Every check returns a 0–100 score from solve time, behavioral entropy, IP activity, and request patterns — your backend sets the threshold, strict or lenient.

Client requests challenge

POST /challenge?type=pow

HMAC-signed challenge
Browser solves + submits

POST /verify { nonce, signature }

JWT token issued
Your backend validates

POST /validate { token, action, ip }

No database. No sessions. Just HMAC signatures.

03 · Stateless

No database. No sessions. No state.

Challenges are HMAC-signed instead of stored — the server verifies its own signature, not a database record. This means zero state to manage, horizontal scaling without session affinity, and no cleanup jobs. JWT tokens bind to IP, action scope, and unique ID for replay prevention.

  • HMAC-signed challenges — no database lookups
  • Horizontal scaling with no session affinity
  • JWT tokens scoped to action (login vs upload)
  • IP-bound tokens prevent cross-origin reuse
  • Zero-downtime key rotation via comma-separated HMAC keys
Zurich, Switzerland — where Ciphera data is hosted

Data residency

Switzerland (FADP protected)

Token lifetime

15 minutes, single-use

Privacy

No tracking, IPs hashed with SHA-256

04 · Swiss privacy

Swiss infrastructure. Zero telemetry.

Ciphera Captcha runs entirely on Swiss infrastructure with no external dependencies. No telemetry sent to Google, Cloudflare, or any third party. Client IPs are SHA-256 hashed before embedding in tokens — we verify without storing identities.

  • Self-contained — no external API calls
  • IP addresses hashed, never stored in plaintext
  • Behavioral signals are optional and session-scoped
  • Tokens auto-expire with JTI replay prevention
  • Audio samples embedded in binary — no TTS API

05 · Compare

How Ciphera Captcha compares.

Most captcha services track your users and send telemetry to third parties. Ciphera Captcha is self-contained.

Ciphera Captcha

Ciphera Captcha

Privacy-first bot protection

  • Invisible adaptive proof-of-work
  • No user tracking or fingerprinting
  • Self-hosted — your infrastructure
  • Fully stateless (HMAC-signed)
  • 5-signal behavioral risk scoring
  • Action-scoped JWT tokens
  • Zero-downtime key rotation
  • Audio + puzzle + PoW challenges
  • Swiss infrastructure

Traditional Captchas

reCAPTCHA, hCaptcha, Turnstile

  • Visible challenges or limited PoW
  • Sends telemetry to third parties
  • SaaS-only — vendor infrastructure
  • Session-based state
  • Proprietary risk scoring
  • Global tokens (no action scope)
  • Manual key rotation
  • Multiple challenge types
  • US/EU infrastructure

06 · Get started

Interested in Ciphera Captcha?

Ciphera Captcha is currently an internal service protecting the Ciphera ecosystem. Reach out if you're interested in the technology for your platform.