mCaptcha
mCaptcha is a privacy-focused CAPTCHA alternative that uses proof-of-work (SHA256 hashing) instead of image recognition to verify users. It offers a seamless one-click experience, no tracking, and can be self-hosted or used via public demo servers.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | mCaptcha/mCaptcha |
| Owner | mCaptcha |
| Primary language | Rust |
| License | AGPL-3.0 — OSI-approved |
| Stars | 2.5k |
| Forks | 94 |
| Open issues | 54 |
| Latest release | v0.1.0 (2024-03-15) |
| Last updated | 2025-10-07 |
| Source | https://github.com/mCaptcha/mCaptcha |
What mCaptcha is
Written in Rust using Actix-web, mCaptcha implements SHA256-based proof-of-work rate limiting with configurable difficulty. Users solve PoW challenges client-side, receive single-use tokens valid for 30 seconds, and websites validate tokens server-side before processing requests.
Get the mCaptcha source
Clone the repository and explore it locally.
git clone https://github.com/mCaptcha/mCaptcha.gitcd mCaptcha# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Verify AGPL-3.0 compliance: any modifications or network use require disclosure of source code to users; consult legal if integrating into closed-source products.
- Plan for PoW difficulty tuning: system must be configured to balance UX (user wait time) against security (attacker computational cost); requires monitoring and adjustment.
- Token validation workflow: integrating website must implement server-side token validation endpoint calls to mCaptcha; design API contract carefully.
- Infrastructure readiness: self-hosted deployment requires Docker, database, and persistent state management; review DEPLOYMENT.md for resource requirements.
- Fallback strategy: define behavior if mCaptcha instance becomes unavailable; consider whether to block all requests or allow with degraded verification.
When to avoid it — and what to weigh
- Requires accessibility compliance at scale — Proof-of-work CAPTCHAs may present barriers for users with limited computational resources (older devices, low-bandwidth networks). No mention of audio/alternative accessibility modes in provided data.
- Need proven, battle-tested maturity — Project is in active development (v0.1.0 as of March 2024) with 54 open issues. Not recommended for mission-critical deployments requiring production-grade stability guarantees.
- Requires commercial support/SLA — AGPL-3.0 license and community-driven development mean no commercial support contracts available. Enterprise users should verify internal policies on AGPL code.
- Need low-latency verification on mobile — Proof-of-work computation may drain battery or incur noticeable delays on mobile devices under attack scenarios. No performance benchmarks provided for mobile clients.
License & commercial use
AGPL-3.0 (GNU Affero General Public License v3.0). This is a copyleft license requiring that any modifications or derivative works, as well as code distributed to users over a network, must disclose source code and grant the same license to recipients.
AGPL-3.0 permits commercial use, but with caveats: using mCaptcha as-is in a commercial product is allowed; however, any modifications, customizations, or network-delivered derivatives must open-source the changes under AGPL-3.0. Self-hosting avoids some obligations but does not eliminate source disclosure requirements for modifications. Consult legal counsel before integrating into proprietary systems. No commercial support entity or licensing exemptions mentioned.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Proof-of-work approach shifts attack cost to user devices rather than relying on image recognition; this is a design trade-off, not a guarantee of unbreakability. Token lifetime (30s) and single-use model mitigate replay attacks by design. No mention of vulnerability disclosure process, penetration testing, or security audit. AGPL license allows code review by community but does not mandate third-party security assessment. Rust memory safety reduces certain classes of bugs but does not eliminate logic or cryptographic implementation errors. Requires ongoing security monitoring during active development phase.
Alternatives to consider
Google reCAPTCHA
Mature, free, widely integrated, but collects user data and requires Google services; opposite privacy model from mCaptcha.
hCaptcha
Privacy-respecting alternative with image labeling; managed service with no self-host option; different PoW philosophy and established track record.
Friendly Captcha
Proof-of-work CAPTCHA as a service; similar UX to mCaptcha but proprietary and managed; no self-hosting but commercial support available.
Build on mCaptcha with DEV.co software developers
Assess fit with our evaluation framework. Consider proof-of-work trade-offs, AGPL license implications, and self-hosting requirements before integration.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
mCaptcha FAQ
Can I use mCaptcha without self-hosting?
Does mCaptcha work behind NAT or with shared IP addresses?
What happens if mCaptcha is compromised or the server goes down?
Is AGPL-3.0 compatible with my proprietary application?
Software developers & web developers for hire
From first prototype to production, DEV.co delivers software development services around tools like mCaptcha. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source devops and beyond.
Evaluate mCaptcha for Your Infrastructure
Assess fit with our evaluation framework. Consider proof-of-work trade-offs, AGPL license implications, and self-hosting requirements before integration.