captchaapi.eu Proof-of-Work CAPTCHA

By rajtik

captchaapi.eu stops form spam without making your visitors click traffic lights. The work happens in the background: the visitor’s browser solves a small proof-of-work puzzle while they fill in the form, and a signed token rides along with the submission. There is nothing to solve and nothing to see.

Your server checks that token locally with your secret key. No request is sent back to captchaapi.eu when a form is submitted, so the check adds no network latency and keeps working even if our service is briefly unreachable.

The service runs on hardware in the EU (Nuremberg, Germany). It sets no cookies and writes no per-visitor record to a database; the visitor’s IP address is used only transiently for rate limiting and abuse detection.

What it protects

  • Login (wp-login.php)
  • Registration
  • Lost password
  • Comments
  • Contact Form 7

Each surface can be turned on or off from the settings screen. Contact Form 7 support appears only when that plugin is active.

How it works

  1. The widget loads on the pages with a protected form and solves a proof-of-work puzzle in a Web Worker.
  2. On submit, it attaches a short-lived, signed attestation to the form.
  3. The plugin verifies the attestation with your secret key (an HMAC check) and rejects the submission if it is missing, forged, expired, or reused.

Reuse is blocked with a single-use record per token. If your site has a persistent object cache (Redis or Memcached), that record lives there. Otherwise the plugin keeps a small table and clears expired rows on a schedule.
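The verification order described above (HMAC check, then expiry, then single-use), sketched as an added example that is not the plugin's own code. The token layout (a base64url JSON payload with `jti` and `exp` fields, a dot, and a base64url HMAC-SHA256), the function names, and the in-memory `$seen` array standing in for the object cache or table are all assumptions made for illustration; the page does not document the real format.

```php
<?php
// Added example; token layout is hypothetical, not captchaapi.eu's real format:
//   base64url(JSON {"jti": ..., "exp": ...}) "." base64url(HMAC-SHA256 of the first part)

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Returns 'ok', 'missing', 'forged', 'expired' or 'reused'.
// $seen stands in for the single-use store (object cache or table).
function verify_attestation(?string $token, string $secret, int $now, array &$seen): string {
    if ($token === null || $token === '') {
        return 'missing';
    }
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return 'forged';
    }
    [$body, $sig] = $parts;
    $expected = b64url_encode(hash_hmac('sha256', $body, $secret, true));
    // Constant-time comparison, done before the payload is parsed or trusted.
    if (!hash_equals($expected, $sig)) {
        return 'forged';
    }
    $claims = json_decode((string) base64_decode(strtr($body, '-_', '+/'), true), true);
    if (!is_array($claims) || !is_string($claims['jti'] ?? null) || !is_int($claims['exp'] ?? null)) {
        return 'forged';
    }
    if ($now >= $claims['exp']) {
        return 'expired';
    }
    // Remember the token id until it expires; a second sighting is a replay.
    if (isset($seen[$claims['jti']])) {
        return 'reused';
    }
    $seen[$claims['jti']] = $claims['exp'];
    return 'ok';
}

// Constructed sample data.
$secret = 'constructed-secret-key';
$now    = 1700000000;
$body   = b64url_encode(json_encode(['jti' => 'constructed-id-1', 'exp' => $now + 120]));
$token  = $body . '.' . b64url_encode(hash_hmac('sha256', $body, $secret, true));
$seen   = [];
foreach ([[$token, $now], [$token, $now], [$token . 'x', $now], [$token, $now + 300], [null, $now]] as [$t, $at]) {
    echo verify_attestation($t, $secret, $at, $seen), "\n";
}
```

In a real deployment the check-and-record step on the single-use store has to be atomic (for example an add-if-absent operation), otherwise two concurrent submissions of the same token can both pass.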

You need an account

This plugin connects to the captchaapi.eu service. Create a project at https://captchaapi.eu to get a site key and a secret key. A free tier is available.

External services

This plugin connects to captchaapi.eu, a third-party CAPTCHA service, to protect your forms from spam. It is required for the plugin to function.

On any public page that contains a protected form, the plugin loads the service’s widget script (captcha.js) from your configured captchaapi.eu endpoint. The visitor’s browser then communicates with the captchaapi.eu API to perform a proof-of-work challenge and obtain a signed attestation that is attached to the form on submit. This happens for every visitor who loads a protected form.

To issue and validate an attestation the service receives your public site key, the proof-of-work result, and – as with any HTTP request – the visitor’s IP address. The IP address is used for rate limiting and abuse/bot detection (including a coarse, IP-derived country) and is processed transiently: a hashed form and aggregate counters are held briefly in a cache. No raw IP address and no per-visitor record are written to a database. The service sets no cookies. Data is processed on servers in the EU (Nuremberg, Germany).

Verification of the attestation on submit is performed locally on your server with your secret key; no request is sent back to captchaapi.eu at that point.

  • Service provider: captchaapi.eu
  • Terms of Service: https://captchaapi.eu/legal/terms
  • Privacy Policy: https://captchaapi.eu/legal/privacy

Details

  • Plugin code: captchaapi
  • Plugin version: 1.0.1
  • Author:
  • Outdated: No
  • WP version: 6.0 or higher
  • PHP version: 7.4 or higher
  • Test up to WP version: 7.0
  • Total installations: 0
  • Last updated: 2026-06-04
  • Rating:
  • Times rated: 0
  • Tags: antispam, captcha, comments, login, spam