DEV.co
Open-Source DevOps · mCaptcha

mCaptcha

mCaptcha is a privacy-focused CAPTCHA alternative that uses proof-of-work (SHA256 hashing) instead of image recognition to verify users. It offers a seamless one-click experience, no tracking, and can be self-hosted or used via public demo servers.

Source: GitHub — github.com/mCaptcha/mCaptcha
2.5k
GitHub stars
94
Forks
Rust
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositorymCaptcha/mCaptcha
OwnermCaptcha
Primary languageRust
LicenseAGPL-3.0 — OSI-approved
Stars2.5k
Forks94
Open issues54
Latest releasev0.1.0 (2024-03-15)
Last updated2025-10-07
Sourcehttps://github.com/mCaptcha/mCaptcha

What mCaptcha is

Written in Rust using Actix-web, mCaptcha implements SHA256-based proof-of-work rate limiting with configurable difficulty. Users solve PoW challenges client-side, receive single-use tokens valid for 30 seconds, and websites validate tokens server-side before processing requests.

Quickstart

Get the mCaptcha source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/mCaptcha/mCaptcha.gitcd mCaptcha# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Self-hosted spam/DDoS mitigation

Organizations requiring on-premises CAPTCHA without external dependencies or data leakage can deploy mCaptcha via Docker and control all infrastructure.

Privacy-sensitive applications

Platforms where user tracking must be minimized (privacy-first products, GDPR-heavy regions) benefit from cookie-free, IP-independent verification.

Rate limiting without user friction

Services needing silent bot mitigation where a 1-2 second computational delay is acceptable can offer better UX than traditional image CAPTCHAs.

Implementation considerations

  • Verify AGPL-3.0 compliance: any modifications or network use require disclosure of source code to users; consult legal if integrating into closed-source products.
  • Plan for PoW difficulty tuning: system must be configured to balance UX (user wait time) against security (attacker computational cost); requires monitoring and adjustment.
  • Token validation workflow: integrating website must implement server-side token validation endpoint calls to mCaptcha; design API contract carefully.
  • Infrastructure readiness: self-hosted deployment requires Docker, database, and persistent state management; review DEPLOYMENT.md for resource requirements.
  • Fallback strategy: define behavior if mCaptcha instance becomes unavailable; consider whether to block all requests or allow with degraded verification.

When to avoid it — and what to weigh

  • Requires accessibility compliance at scale — Proof-of-work CAPTCHAs may present barriers for users with limited computational resources (older devices, low-bandwidth networks). No mention of audio/alternative accessibility modes in provided data.
  • Need proven, battle-tested maturity — Project is in active development (v0.1.0 as of March 2024) with 54 open issues. Not recommended for mission-critical deployments requiring production-grade stability guarantees.
  • Requires commercial support/SLA — AGPL-3.0 license and community-driven development mean no commercial support contracts available. Enterprise users should verify internal policies on AGPL code.
  • Need low-latency verification on mobile — Proof-of-work computation may drain battery or incur noticeable delays on mobile devices under attack scenarios. No performance benchmarks provided for mobile clients.

License & commercial use

AGPL-3.0 (GNU Affero General Public License v3.0). This is a copyleft license requiring that any modifications or derivative works, as well as code distributed to users over a network, must disclose source code and grant the same license to recipients.

AGPL-3.0 permits commercial use, but with caveats: using mCaptcha as-is in a commercial product is allowed; however, any modifications, customizations, or network-delivered derivatives must open-source the changes under AGPL-3.0. Self-hosting avoids some obligations but does not eliminate source disclosure requirements for modifications. Consult legal counsel before integrating into proprietary systems. No commercial support entity or licensing exemptions mentioned.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Proof-of-work approach shifts attack cost to user devices rather than relying on image recognition; this is a design trade-off, not a guarantee of unbreakability. Token lifetime (30s) and single-use model mitigate replay attacks by design. No mention of vulnerability disclosure process, penetration testing, or security audit. AGPL license allows code review by community but does not mandate third-party security assessment. Rust memory safety reduces certain classes of bugs but does not eliminate logic or cryptographic implementation errors. Requires ongoing security monitoring during active development phase.

Alternatives to consider

Google reCAPTCHA

Mature, free, widely integrated, but collects user data and requires Google services; opposite privacy model from mCaptcha.

hCaptcha

Privacy-respecting alternative with image labeling; managed service with no self-host option; different PoW philosophy and established track record.

Friendly Captcha

Proof-of-work CAPTCHA as a service; similar UX to mCaptcha but proprietary and managed; no self-hosting but commercial support available.

Software development agency

Build on mCaptcha with DEV.co software developers

Assess fit with our evaluation framework. Consider proof-of-work trade-offs, AGPL license implications, and self-hosting requirements before integration.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

mCaptcha FAQ

Can I use mCaptcha without self-hosting?
Yes, public demo servers are available at demo.mcaptcha.org and demo2.mcaptcha.org; however, these are not production-grade and may be out of sync with master branch. For production use, self-hosting is the documented path.
Does mCaptcha work behind NAT or with shared IP addresses?
Yes. mCaptcha is IP-independent by design; it validates proof-of-work and tokens, not IP reputation, making it suitable for users behind corporate proxies or shared networks.
What happens if mCaptcha is compromised or the server goes down?
Not documented in provided data. Applications must define fallback logic; consider whether to block requests, retry, or allow with degraded verification during outages.
Is AGPL-3.0 compatible with my proprietary application?
AGPL-3.0 requires source disclosure for network-distributed derivatives. Using unmodified mCaptcha as a service is safer than modifying it. Consult legal counsel to confirm your use case is permissible.

Software developers & web developers for hire

From first prototype to production, DEV.co delivers software development services around tools like mCaptcha. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source devops and beyond.

Evaluate mCaptcha for Your Infrastructure

Assess fit with our evaluation framework. Consider proof-of-work trade-offs, AGPL license implications, and self-hosting requirements before integration.