Stop bots without compromising privacy.

Adaptive proof-of-work, puzzle challenges, and behavioral analysis — all without tracking your users. Fully stateless, self-hosted, and GDPR compliant by design.

Adaptive PoW | No tracking | Stateless | 5-signal risk scoring

Invisible to humans. Expensive for bots.

Ciphera's proof-of-work runs silently in a Web Worker — users see nothing while their browser solves a SHA-256 challenge in the background. Difficulty adapts per-IP based on request rate, scaling from easy to hard as suspicious activity increases.

  • Zero friction — runs invisibly in a background thread
  • Adaptive difficulty (4-6 leading zeros) based on request rate
  • Web Worker keeps the UI fully responsive
  • Graceful fallback to main thread on older browsers

Integration

// Add to any form
import { Captcha } from '@ciphera/captcha'
<Captcha siteKey="sk_..." onVerify={fn} />
No cookies. No cross-site tracking.

A puzzle only humans can solve.

When stronger verification is needed, users drag a puzzle piece into position on an SVG background. It's spatial recognition — harder for computer vision than image labeling, and verified statelessly via HMAC-signed positions. No server-side session storage needed.

  • SVG-native puzzles — crisp at any resolution
  • Spatial positioning resists ML/OCR attacks
  • Stateless verification via HMAC signatures
  • ±5px tolerance for natural human imprecision
  • Audio fallback for full accessibility (WCAG 2.1 AAA)

Five signals. One confidence score.

Every verification produces a 0-100 risk score combining solve time, challenge difficulty, behavioral analysis, IP activity, and request patterns. Your backend decides the threshold — strict for payments, lenient for page views.

  • Solve time analysis — instant solutions flag bots
  • Behavioral signals: mouse entropy, typing patterns, scroll events
  • IP activity tracking with automatic rate scaling
  • Success/failure ratio over time detects brute-force
  • Classify as low, medium, or high risk

Risk Assessment: 87/100 (Low Risk)

  • Solve Time: 90
  • Method Difficulty: 80
  • Behavioral Analysis: 85
  • IP Activity: 80
  • Request Pattern: 95

Method: Proof-of-Work. Duration: 2.3s

  1. Client requests challenge: POST /challenge?type=pow → HMAC-signed challenge
  2. Browser solves + submits: POST /verify { nonce, signature } → JWT token issued
  3. Your backend validates: POST /validate { token, action, ip }

No database. No sessions. Just HMAC signatures.

No database. No sessions. No state.

Challenges are HMAC-signed instead of stored — the server verifies its own signature, not a database record. This means zero state to manage, horizontal scaling without session affinity, and no cleanup jobs. JWT tokens bind to IP, action scope, and unique ID for replay prevention.

  • HMAC-signed challenges — no database lookups
  • Horizontal scaling with no session affinity
  • JWT tokens scoped to action (login vs upload)
  • IP-bound tokens prevent cross-origin reuse
  • Zero-downtime key rotation via comma-separated HMAC keys
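
The stateless proof-of-work check described above, as an added sketch that is not Ciphera's own code. The payload fields, the key values, the 120-second lifetime, and the reading of "leading zeros" as hex digits of the SHA-256 digest are all assumptions made for illustration.

```python
import hashlib, hmac, json, os, time

# Assumption: active keys, newest first, as one comma-separated setting.
# Constructed demo values, not real keys.
HMAC_KEYS = "k2-constructed-demo,k1-constructed-old".split(",")
TTL = 120  # assumed challenge lifetime in seconds

def _sign(key, payload):
    return hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()

def _ip_hash(ip):
    return hashlib.sha256(ip.encode()).hexdigest()

def issue_challenge(ip, difficulty, now=None, key=None):
    """Return (payload, signature). Nothing is stored server-side."""
    body = {"salt": os.urandom(8).hex(), "d": difficulty,
            "exp": int(now or time.time()) + TTL, "ip": _ip_hash(ip)}
    payload = json.dumps(body, sort_keys=True)  # hypothetical wire format
    return payload, _sign(key or HMAC_KEYS[0], payload)

def _work_ok(payload, nonce, difficulty):
    # Assumption: "leading zeros" means hex digits of the SHA-256 digest.
    digest = hashlib.sha256(f"{payload}{nonce}".encode()).hexdigest()
    return digest.startswith("0" * difficulty)

def solve(payload):
    """Client side: brute-force the smallest nonce that meets the target."""
    difficulty, nonce = json.loads(payload)["d"], 0
    while not _work_ok(payload, nonce, difficulty):
        nonce += 1
    return nonce

def verify(payload, signature, nonce, ip, now=None):
    """Server side: recompute the MAC instead of looking up a record."""
    sig = signature.encode()
    if not any(hmac.compare_digest(_sign(k, payload).encode(), sig)
               for k in HMAC_KEYS):  # old keys still verify during rotation
        return "bad-signature"
    body = json.loads(payload)  # parsed only after the MAC checks out
    if (now or time.time()) > body["exp"]:
        return "expired"
    if body["ip"] != _ip_hash(ip):
        return "ip-mismatch"
    return "ok" if _work_ok(payload, nonce, body["d"]) else "bad-work"
```

A solved challenge stays valid until `exp` in this sketch, so the expiry is the only bound on resubmission here; single-use enforcement is outside what it shows.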

How Ciphera Captcha compares.

Most captcha services track your users and send telemetry to third parties. Ciphera Captcha is self-contained.

Ciphera Captcha

Privacy-first bot protection

  • Invisible adaptive proof-of-work
  • No user tracking or fingerprinting
  • Self-hosted — your infrastructure
  • Fully stateless (HMAC-signed)
  • 5-signal behavioral risk scoring
  • Action-scoped JWT tokens
  • Zero-downtime key rotation
  • Audio + puzzle + PoW challenges
  • Swiss infrastructure

Traditional Captchas

reCAPTCHA, hCaptcha, Turnstile

  • Visible challenges or limited PoW
  • Sends telemetry to third parties
  • SaaS-only — vendor infrastructure
  • Session-based state
  • Proprietary risk scoring
  • Global tokens (no action scope)
  • Manual key rotation
  • Multiple challenge types
  • US/EU infrastructure

Zurich, Switzerland

  • Data residency: Switzerland (FADP protected)
  • Token lifetime: 15 minutes, single-use
  • Privacy: No tracking, IPs hashed with SHA-256

Swiss infrastructure. Zero telemetry.

Ciphera Captcha runs entirely on Swiss infrastructure with no external dependencies. No telemetry sent to Google, Cloudflare, or any third party. Client IPs are SHA-256 hashed before embedding in tokens — we verify without storing identities.

  • Self-contained — no external API calls
  • IP addresses hashed, never stored in plaintext
  • Behavioral signals are optional and session-scoped
  • Tokens auto-expire with JTI replay prevention
  • Audio samples embedded in binary — no TTS API

Interested in Ciphera Captcha?

Ciphera Captcha is currently an internal service protecting the Ciphera ecosystem. Reach out if you're interested in the technology for your platform.