Open-Source CAPTCHA

F***Captcha

Detect bots, vision AI agents, and headless browsers through 40+ behavioral signals and SHA-256 proof of work. Self-hosted, privacy-first, and fully open source.

View on GitHub Opens in a new tab Try Demo
Quick Integration
<!-- Add FCaptcha to your form -->
<div id="captcha"></div>

<script src="/fcaptcha.js"></script>
<script>
  FCaptcha.render('captcha', {
    siteKey: 'your-site-key',
    mode: 'checkbox', // or 'invisible'
    callback: (token) => {
      // Verify on your backend
      fetch('/api/verify', {
        method: 'POST',
        body: JSON.stringify({ token })
      });
    }
  });
</script>

How FCaptcha Works

Choose between visible checkbox verification or invisible background analysis based on your UX requirements.

Checkbox Mode

User clicks "I'm not a robot" checkbox. FCaptcha analyzes behavioral signals during the click event and preceding page interaction.

  • Visible verification provides clear feedback
  • Instant pass for most users, challenge for suspicious patterns
  • Best for forms where explicit verification is expected

Invisible Mode

Runs behavioral analysis passively in the background. No user interaction unless suspicious activity is detected.

  • Zero friction for legitimate users
  • Challenge only appears for high-risk signals
  • Ideal for checkout flows and premium experiences

40+ Detection Signals Across 4 Categories

FCaptcha analyzes behavioral, environmental, temporal, and form signals to distinguish humans from bots with high accuracy.

Behavioral

40%
  • Mouse trajectory analysis
  • Micro-tremor detection (3-25Hz)
  • Click precision patterns
  • Velocity and acceleration curves

Environmental

35%
  • WebDriver detection
  • Headless browser indicators
  • Canvas/WebGL fingerprinting
  • Browser feature checks

Temporal

15%
  • PoW timing analysis
  • Interaction timing patterns
  • Event sequence analysis
  • Page load timing

Form Signals

10%
  • Programmatic submit detection
  • Typing speed and rhythm
  • Paste detection
  • Field completion order
Advanced Detection

Vision AI Agent Detection

FCaptcha detects vision AI agents like Claude Computer Use and OpenAI Operator that use screenshots and computer vision to solve CAPTCHAs, making them invisible to traditional detection.

Screenshot Loop Timing

Detects 1-5 second delays when agents wait for vision API responses

Pixel-Perfect Click Detection

Vision agents click exact center coordinates; humans have natural offset

Movement Gap Analysis

Humans have micro-movements; agents show stillness during thinking

Prompt Injection Honeypots

Hidden instructions in ARIA labels that only vision models follow

Vision AI Detection
// FCaptcha behavioral analysis
{
  "signals": {
    "timing_consistency": 0.18,
    "api_latency_pattern": 0.73,
    "perfect_center_clicks": 0.82,
    "movement_gaps": 6,
    "cursor_curvature": 0.03,
    "honeypot_interaction": true
  },
  "score": 0.94,
  "classification": "vision_ai",
  "verdict": "BLOCK"
}

// Human baseline
{
  "signals": {
    "timing_consistency": 0.64,
    "api_latency_pattern": 0.0,
    "perfect_center_clicks": 0.12,
    "movement_gaps": 0,
    "cursor_curvature": 0.38,
    "honeypot_interaction": false
  },
  "score": 0.08,
  "classification": "likely_human",
  "verdict": "ALLOW"
}

Key Features

Vision AI Detection

Detect screenshot-to-API automation patterns used by GPT-4V, Claude Computer Use, and OpenAI Operator.

Single-Click or Invisible

Choose checkbox mode for visible verification or invisible background analysis with zero user friction.

Proof of Work Challenges

SHA-256 cryptographic puzzles that force compute cost on bots while remaining imperceptible to humans.

40+ Behavioral Signals

Mouse micro-tremor, velocity curves, timing analysis, and environmental fingerprints for high accuracy.

Multi-Language Servers

Server implementations in Go, Python, and Node.js. Self-hosted or WebDecoy managed cloud deployment.

Privacy-First Design

No cookies, no cross-site tracking, no PII collection. Open-source scoring algorithm. Full GDPR/CCPA compliance.

Where to Use FCaptcha

Protect any form, login, or high-value action from automated abuse.

Account Registration

Block automated account farms while real users register instantly.

Login Protection

Stop credential stuffing without endless CAPTCHA challenges.

Contact Forms

Eliminate spam submissions and phishing attempts from bots.

Checkout Protection

Prevent checkout bots and inventory hoarding on e-commerce.

Comment Systems

Block spam bots and AI-generated comments on your content.

Event Ticketing

Stop scalper bots from purchasing tickets ahead of fans.

Learn More About CAPTCHA and Bot Detection

Technical deep-dives and implementation guides.

Detecting Vision-Based AI Agents

How to catch Claude Computer Use and OpenAI Operator with behavioral analysis.

Honeypot vs CAPTCHA: Complete Guide

Compare effectiveness and user experience of different bot detection methods.

Headless Browser Detection

Detect Playwright, Puppeteer, and Selenium with fingerprinting techniques.

See also: Bot Scanner for client-side detection, Decoy Links for honeypot traps, and Threat Scoring for automated responses.

Frequently Asked Questions

Common questions about FCaptcha and Vision AI detection.

What is FCaptcha and how does it detect bots?

FCaptcha is an open source CAPTCHA system that detects bots through three layers of verification: vision AI detection that identifies screenshot-to-API automation patterns, SHA-256 proof of work challenges that force computational cost on attackers, and 40+ behavioral signals including mouse micro-tremor analysis. Unlike traditional CAPTCHAs that rely solely on image recognition, FCaptcha catches modern AI agents like GPT-4V and Claude that use vision APIs to solve challenges programmatically.

How is FCaptcha different from reCAPTCHA or Cloudflare Turnstile?

FCaptcha differs in three key ways: it is fully open source with auditable scoring algorithms, it runs self-hosted with no external dependencies or data sharing, and it specifically detects vision-based AI agents that can solve traditional CAPTCHAs. While reCAPTCHA sends behavioral data to Google and Turnstile relies on Cloudflare's infrastructure, FCaptcha keeps all data on your servers with no persistent fingerprinting or cross-site tracking.

What is vision AI detection and why does it matter?

Vision AI detection identifies bots that take screenshots of CAPTCHA challenges, send them to vision APIs like GPT-4V or Claude, and use the returned coordinates to click. FCaptcha detects this pattern by analyzing timing signatures, interaction entropy, and behavioral inconsistencies that distinguish human solving from API-driven automation. This matters because traditional CAPTCHAs are increasingly solved by AI services.

Can I self-host FCaptcha without external API calls?

Yes. FCaptcha is designed for complete self-hosting with no external dependencies. Choose from server implementations in Go, Python, or Node.js. All verification happens on your infrastructure with no data sent to third parties. The open algorithm means you can audit exactly how threat scores are calculated, modify detection thresholds, and integrate with your existing security stack without vendor lock-in.

What does proof of work mean for CAPTCHA security?

Proof of work requires visitors to complete SHA-256 cryptographic challenges before submission. This forces bots to spend real compute resources on each request, making large-scale attacks economically unfeasible. A human user experiences a brief delay (typically under 500ms), while a botnet attempting thousands of requests faces significant CPU costs. Combined with behavioral analysis, proof of work creates defense-in-depth.

Ready to deploy FCaptcha?

Start with open-source self-hosting or try our managed cloud service with enterprise support.

Get Started