captcha — dev

Try it

Click once. Behind that click runs Argon2id PoW, mouse-trajectory analysis, env fingerprint, headless heuristics, server-side TLS fingerprint (JA3 + JA4), and header order — all fused into a single decision.

Keep moving the cursor before clicking; otherwise mouse signal scores low and may force escalation. Try opening DevTools and running navigator.webdriver = true via redefining the property to see how the system reacts to a self-confessed bot.

Debug

Last attempt

No attempt yet — click the widget.

Decision waterfall

TLS / HTTP fingerprint (server-observed)

Score breakdown

Raw bundle (JSON)

Defense tests

All of these should fail. Each click reuses the most-recent bundle / token unless noted.

Trusted devices

Whitelist this machine so future clicks force-pass regardless of the behavioural score. Matched on (math_fp_hash, http/2 fingerprint). Click once to capture both; the button is disabled until the most recent attempt has both available.

Bot-mode toggle

Spoof bot signals on next click

Forces navigator_webdriver=true, marks mouse "absent", zero plugins, missing chrome object. The headless gate should fire and the verdict drop into escalate/reject territory.

Escalation kind

If the next click lands in the escalate band, which kind of inline puzzle to issue. Defaults to drag on desktop, tilt on touch devices.

Auto Drag Tilt (mobile) Keyboard (a11y)

Privacy Pass / VOPRF demo

Runs the full unlinkable-token protocol entirely in the browser: blind a random token, send to server, verify the DLEQ proof, unblind locally, then redeem. The server sees two completely uncorrelated byte strings — proving it cannot link issuance to redemption.

Tunable scoring

Edit the JSON config below and re-score the last bundle to see how thresholds and weights move the verdict. Doesn't issue a token.

Live server events (SSE)