Mode

BOT_DETECTION_MODE: live
HMAC key: Configured (64 chars)

ALTCHA is a self-hosted proof-of-work captcha. The browser solves a SHA-256-based proof-of-work puzzle (cost 100,000), and the server verifies the answer and an HMAC signature. No third-party service, no tracking.

Configuration

Algorithm: PBKDF2/SHA-256
Cost: 100,000
Challenge expiry: 300 s
Replay store: Upstash Redis
Replay key prefix: altcha:nonce:
Replay TTL: 10 min
Challenge rate limit: 30 per 60 s (per client IP)

Live demo

Solve the captcha below. The widget fetches a challenge from /api/captcha/challenge, runs the proof-of-work in your browser, and surfaces the signed payload that would normally accompany an auth request.

Protected surfaces

  • POST /api/auth/sign-in/magic-link — magic-link send
  • POST /api/auth/email-otp/send-verification-otp — email OTP send

Enforcement happens in authCaptchaGate (a SvelteKit handler in hooks.server.ts) before the request reaches Better Auth.
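
The checks a gate such as authCaptchaGate has to make, in order (signature, expiry, proof of work, replay), as an added example that is neither this site's code nor ALTCHA's wire format. The field names, the puzzle shape, the function names and the in-memory Map standing in for Redis are assumptions; the constants come from the configuration above.

```javascript
const { createHmac, pbkdf2Sync, randomBytes, randomInt, timingSafeEqual } = require("node:crypto");

// Values from the configuration listed on this page.
const COST = 100_000, EXPIRY_S = 300, REPLAY_TTL_S = 600, PREFIX = "altcha:nonce:";

// HMAC over a type-preserving encoding of every server-chosen field (assumed layout).
const sign = (key, c) => createHmac("sha256", key)
  .update(JSON.stringify([c.nonce, c.salt, c.cost, c.expires, c.target])).digest("hex");
// Assumed puzzle: PBKDF2(nonce + counter, salt, cost) must equal the published target.
const derive = (c, counter) =>
  pbkdf2Sync(`${c.nonce}${counter}`, c.salt, c.cost, 32, "sha256").toString("hex");
const safeEqual = (a, b) => {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
};

// Server side of the challenge endpoint. The counter is returned only so the
// demo can skip the brute-force search a browser would run; a server discards it.
function issueChallenge(key, now, maxCounter = 1000) {
  const c = { nonce: randomBytes(16).toString("hex"), salt: randomBytes(16).toString("hex"),
              cost: COST, expires: now + EXPIRY_S };
  const counter = randomInt(maxCounter);
  c.target = derive(c, counter);
  return { challenge: { ...c, signature: sign(key, c) }, counter };
}

// Gate check. `store` is a Map standing in for the Redis replay store
// (key -> expiry, seconds). Returns "ok" or the reason for rejection.
function verifyPayload(key, store, payload, now) {
  const { signature, counter, ...c } = payload;
  // 1. Signature first: nothing in the payload is trusted (cost included) until it passes.
  if (!safeEqual(signature, sign(key, c))) return "bad-signature";
  // 2. Expiry, using the signed timestamp.
  if (now > c.expires) return "expired";
  // 3. Proof of work: one PBKDF2 run, far cheaper than the client's search.
  if (!Number.isInteger(counter) || !safeEqual(derive(c, counter), c.target)) return "bad-solution";
  // 4. Single use. The 10 min TTL outlives the 300 s expiry, so a nonce evicted
  //    from the store is already rejected by step 2. In Redis: SET key 1 NX EX 600.
  const k = PREFIX + c.nonce;
  if ((store.get(k) ?? 0) > now) return "replayed";
  store.set(k, now + REPLAY_TTL_S);
  return "ok";
}
```

With a real Redis store, step 4 has to be a single atomic set-if-absent so that two concurrent requests carrying the same nonce cannot both pass.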