altcha

GDPR, WCAG 2.2 AA, and EAA compliant, self-hosted CAPTCHA alternative with PoW mechanism and advanced anti-spam filter.

ALTCHA: A Privacy-First Alternative to Spam Protection

ALTCHA is a self-hosted tool that protects websites and apps from spam and bot attacks without invading user privacy. Instead of relying on tracking cookies, fingerprinting, or those annoying visual puzzles you've probably encountered on forms, ALTCHA uses a "proof-of-work" system—basically asking the user's device to do a small math puzzle in the background. The process is fast and invisible to most users, making forms feel frictionless while still blocking bad actors.

The core appeal is privacy. ALTCHA collects no personal data, doesn't set cookies, and meets strict compliance standards like GDPR, CCPA, and the European Accessibility Act. Unlike popular third-party CAPTCHAs that track users across the web, this one runs entirely on your own server, so you're in complete control. It's also genuinely accessible—it supports screen readers, keyboard navigation, and audio alternatives for image-based code challenges, meeting WCAG 2.2 AA standards.

How It Works

When you add an ALTCHA widget to your form (it's a simple code snippet), your server generates a challenge: a cryptographic puzzle unique to that session. The widget hands the puzzle to a worker process in the user's browser, which tries different numbers until it finds one that produces the right hash. The solution is then sent back to your server, which verifies that it's legitimate. The whole thing happens quietly and quickly; the user just submits their form as normal.
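The challenge, solve and verify round trip described above, as an added sketch in Node.js. It is not ALTCHA's code or wire format: the SHA-256 target hash, the HMAC signature, the field names, the key and the difficulty bound are all assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');

// Assumptions for this sketch: key, difficulty bound and field names are illustrative.
const HMAC_KEY = 'constructed-demo-key'; // server-side secret, never sent to the client
const MAX_NUMBER = 50000;                // size of the search space, i.e. the difficulty

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const mac = (s) => crypto.createHmac('sha256', HMAC_KEY).update(s).digest('hex');

// Server: choose a secret number, publish only salt, expiry, target hash and a MAC.
function createChallenge(ttlSeconds = 300) {
  const salt = crypto.randomBytes(12).toString('hex');
  const expires = Math.floor(Date.now() / 1000) + ttlSeconds;
  const challenge = sha256(`${salt}:${crypto.randomInt(0, MAX_NUMBER + 1)}`);
  // The MAC covers salt and expiry too, so a client cannot extend or re-salt a challenge.
  const signature = mac(`${salt}.${expires}.${challenge}`);
  return { salt, expires, challenge, maxNumber: MAX_NUMBER, signature };
}

// Client (the widget's worker): try numbers until one reproduces the target hash.
function solveChallenge({ salt, challenge, maxNumber }) {
  for (let n = 0; n <= maxNumber; n++) {
    if (sha256(`${salt}:${n}`) === challenge) return n;
  }
  return null;
}

const spent = new Set(); // replay cache; in-memory here, a shared store with TTL in production

// Server: accept a solution only if it is authentic, unexpired, correct and unused.
function verifySolution({ salt, expires, challenge, signature, number }) {
  const expected = Buffer.from(mac(`${salt}.${expires}.${challenge}`), 'hex');
  const given = Buffer.from(String(signature), 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  if (!Number.isInteger(expires) || expires < Date.now() / 1000) return false;
  if (!Number.isInteger(number) || sha256(`${salt}:${number}`) !== challenge) return false;
  if (spent.has(challenge)) return false; // each solved challenge is good for one submission
  spent.add(challenge);
  return true;
}
```

The server's checks are the part worth reading closely: without the MAC over the expiry and the replay cache, one solved puzzle could be resubmitted indefinitely.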

The system also supports optional "code challenges", the type where someone enters a code from an image (with audio playback as an accessible alternative). If you use ALTCHA Sentinel, the project's companion anti-spam tool, you get adaptive verification that learns which requests are spam and which aren't.

Who Uses This and Why

This is built for anyone running a website, API, or service that needs spam protection but cares about privacy and accessibility. A small blog, a SaaS startup, a nonprofit collecting donations, or even a major corporation with privacy obligations—any of them could drop this in. It's lightweight too, clocking in at about 29 kilobytes (compressed), roughly 90% smaller than reCAPTCHA, so it won't slow down your pages. If you're using React, Vue, Svelte, Angular, or similar frameworks, there are starter templates ready to go. For the backend, there are libraries for TypeScript, Python, PHP, Go, Java, Ruby, and Elixir, so you're not locked into any particular tech stack.