Open-Source CAPTCHA

F***Captcha

Detect bots, vision AI agents, and headless browsers through 50+ behavioral signals, keystroke cadence biometrics, and SHA-256 proof of work. Self-hosted, privacy-first, and fully open source.

View on GitHub Opens in a new tab Try Demo
Quick Integration
<!-- Add FCaptcha to your form -->
<div id="captcha"></div>

<script src="/fcaptcha.js"></script>
<script>
  FCaptcha.render('captcha', {
    siteKey: 'your-site-key',
    mode: 'checkbox', // or 'invisible'
    callback: (token) => {
      // Verify on your backend
      fetch('/api/verify', {
        method: 'POST',
        body: JSON.stringify({ token })
      });
    }
  });
</script>

How FCaptcha Works

Choose between visible checkbox verification or invisible background analysis based on your UX requirements.

Checkbox Mode

User clicks "I'm not a robot" checkbox. FCaptcha analyzes behavioral signals during the click event and preceding page interaction.

  • Visible verification provides clear feedback
  • Instant pass for most users, challenge for suspicious patterns
  • Best for forms where explicit verification is expected

Invisible Mode

Runs behavioral analysis passively in the background. No user interaction unless suspicious activity is detected.

  • Zero friction for legitimate users
  • Challenge only appears for high-risk signals
  • Ideal for checkout flows and premium experiences

50+ Detection Signals Across 4 Categories

FCaptcha analyzes behavioral, environmental, temporal, and keystroke signals to distinguish humans from bots with high accuracy.

Behavioral

35%
  • Mouse trajectory analysis
  • Micro-tremor detection (3-25Hz)
  • Click precision patterns
  • Zero-movement bypass detection

Environmental

30%
  • Playwright & WebDriver detection
  • Headless browser indicators
  • Canvas/WebGL fingerprinting
  • CDP artifact inspection

Temporal

15%
  • Server-side PoW timing validation
  • Interaction timing patterns
  • Event sequence analysis
  • Page load timing

Form & Keystroke

20%
  • Keystroke cadence biometrics (7 metrics)
  • Dwell variance & rollover detection
  • Shannon entropy of intervals
  • Programmatic submit detection
Advanced Detection

Vision AI Agent Detection

FCaptcha detects vision AI agents like Claude Computer Use and OpenAI Operator that use screenshots and computer vision to solve CAPTCHAs, making them invisible to traditional detection.

Screenshot Loop Timing

Detects 1-5 second delays when agents wait for vision API responses

Pixel-Perfect Click Detection

Vision agents click exact center coordinates; humans have natural offset

Movement Gap Analysis

Humans have micro-movements; agents show stillness during thinking

Zero-Movement Click Detection

AI agents clicking without mouse movement are flagged; touch and keyboard users are exempt

Prompt Injection Honeypots

Hidden instructions in ARIA labels that only vision models follow

Vision AI Detection
// FCaptcha v1.3 behavioral analysis
{
  "signals": {
    "timing_consistency": 0.18,
    "api_latency_pattern": 0.73,
    "zero_movement_click": true,
    "playwright_detected": true,
    "keystroke_cadence_bot": 0.82,
    "honeypot_interaction": true
  },
  "score": 0.96,
  "classification": "vision_ai",
  "verdict": "BLOCK"
}

// Human baseline
{
  "signals": {
    "timing_consistency": 0.64,
    "api_latency_pattern": 0.0,
    "zero_movement_click": false,
    "playwright_detected": false,
    "keystroke_cadence_bot": 0.12,
    "honeypot_interaction": false
  },
  "score": 0.08,
  "classification": "likely_human",
  "verdict": "ALLOW"
}

Key Features

Vision AI Detection

Detect screenshot-to-API automation patterns used by GPT-4V, Claude Computer Use, and OpenAI Operator. Catches zero-movement click bypasses.

Single-Click or Invisible

Choose checkbox mode for visible verification or invisible background analysis with zero user friction.

Proof of Work Challenges

SHA-256 cryptographic puzzles with server-side timing validation that force compute cost on bots while remaining imperceptible to humans.

50+ Behavioral Signals

Mouse micro-tremor, velocity curves, keystroke cadence biometrics, and environmental fingerprints for high accuracy.

Keystroke Cadence Analysis

7 biometric metrics analyze typing patterns: dwell variance, log-normal fit, entropy, autocorrelation, and rollover detection.

Multi-Language Servers

Server implementations in Go, Python, and Node.js. Self-hosted or WebDecoy managed cloud deployment.

Playwright & Headless Detection

Detects Playwright, Puppeteer, Selenium, and other automation frameworks through global variable inspection and CDP artifacts.

Privacy-First Design

No cookies, no cross-site tracking, no PII collection. Open-source scoring algorithm. Full GDPR/CCPA compliance.

Where to Use FCaptcha

Protect any form, login, or high-value action from automated abuse.

Account Registration

Block automated account farms while real users register instantly.

Login Protection

Stop credential stuffing without endless CAPTCHA challenges.

Contact Forms

Eliminate spam submissions and phishing attempts from bots.

Checkout Protection

Prevent checkout bots and inventory hoarding on e-commerce.

Comment Systems

Block spam bots and AI-generated comments on your content.

Event Ticketing

Stop scalper bots from purchasing tickets ahead of fans.

Learn More About CAPTCHA and Bot Detection

Technical deep-dives and implementation guides.

Detecting Vision-Based AI Agents

How to catch Claude Computer Use and OpenAI Operator with behavioral analysis.

Honeypot vs CAPTCHA: Complete Guide

Compare effectiveness and user experience of different bot detection methods.

Headless Browser Detection

Detect Playwright, Puppeteer, and Selenium with fingerprinting techniques.

See also: Bot Scanner for client-side detection, Decoy Links for honeypot traps, and Threat Scoring for automated responses.

Frequently Asked Questions

Common questions about FCaptcha and Vision AI detection.

What is FCaptcha and how does it detect bots?

FCaptcha is an open source CAPTCHA system that detects bots through multiple verification layers: vision AI detection that identifies screenshot-to-API automation, SHA-256 proof of work with server-side timing validation, keystroke cadence biometrics that analyze 7 typing metrics, and 50+ behavioral signals including mouse micro-tremor analysis and Playwright detection. Unlike traditional CAPTCHAs, FCaptcha catches modern AI agents like GPT-4V and Claude that use vision APIs to solve challenges programmatically.

How is FCaptcha different from reCAPTCHA or Cloudflare Turnstile?

FCaptcha differs in three key ways: it is fully open source with auditable scoring algorithms, it runs self-hosted with no external dependencies or data sharing, and it specifically detects vision-based AI agents that can solve traditional CAPTCHAs. While reCAPTCHA sends behavioral data to Google and Turnstile relies on Cloudflare's infrastructure, FCaptcha keeps all data on your servers with no persistent fingerprinting or cross-site tracking.

What is vision AI detection and why does it matter?

Vision AI detection identifies bots that take screenshots of CAPTCHA challenges, send them to vision APIs like GPT-4V or Claude, and use the returned coordinates to click. FCaptcha detects this pattern by analyzing timing signatures, interaction entropy, and behavioral inconsistencies that distinguish human solving from API-driven automation. This matters because traditional CAPTCHAs are increasingly solved by AI services.

Can I self-host FCaptcha without external API calls?

Yes. FCaptcha is designed for complete self-hosting with no external dependencies. Choose from server implementations in Go, Python, or Node.js. All verification happens on your infrastructure with no data sent to third parties. The open algorithm means you can audit exactly how threat scores are calculated, modify detection thresholds, and integrate with your existing security stack without vendor lock-in.

What does proof of work mean for CAPTCHA security?

Proof of work requires visitors to complete SHA-256 cryptographic challenges before submission. This forces bots to spend real compute resources on each request, making large-scale attacks economically unfeasible. A human user experiences a brief delay (typically under 500ms), while a botnet attempting thousands of requests faces significant CPU costs. Combined with behavioral analysis, proof of work creates defense-in-depth.

Ready to deploy FCaptcha?

Start with open-source self-hosting or try our managed cloud service with enterprise support.

Get Started