Every CAPTCHA you have ever solved was a confession. You were confessing that you could not prove you were human through any means other than identifying crosswalks in a grid of images. The website could not verify you. The browser could not verify you. A third-party surveillance company had to verify you, and it tracked you across the internet while doing it.
We built something different. H33-BotShield replaces CAPTCHA with a cryptographic proof of work. Your browser solves a mathematical challenge. The server verifies the solution. No images. No checkboxes. No tracking. No third party. The proof is mathematical, and it happens in the background before the page finishes loading.
| Solution | Problem | BotShield |
|---|---|---|
| reCAPTCHA | Google tracks your users across the web. GDPR liability. Accessibility nightmare for screen readers. | Zero tracking. Zero third-party data. |
| hCaptcha | Still visual puzzles. Still friction. Still blocks visually impaired users. | Invisible. No user interaction. |
| Cloudflare Turnstile | Proprietary black box. You trust Cloudflare's classification algorithm. | Open math. Verifiable proof. |
| Rate limiting | Blocks legitimate users behind shared IPs. VPNs, corporate networks, mobile carriers all affected. | Per-request proof. Each request earns access individually. |
The fundamental issue is that every existing bot prevention tool either tracks your users (reCAPTCHA, hCaptcha), trusts a third party's judgment (Turnstile), or punishes legitimate users (rate limiting). BotShield does none of these things. It asks each client to perform a small amount of computational work — enough to be trivial for a human's device but prohibitively expensive for a bot operating at scale.
When a client connects, BotShield issues a cryptographic challenge: a random nonce and a difficulty level. The difficulty determines how many leading zero bits the hash must have. At the default difficulty of 16 bits, a modern laptop solves the challenge in one to three seconds. A phone takes slightly longer. The user never sees this happening.
The client's browser uses the Web Crypto API to compute SHA-256 hashes, searching for a value that satisfies the difficulty requirement. This runs asynchronously — it does not block the main thread, does not freeze the page, and does not affect scrolling or interaction. The browser is simply doing math in the background.
The client submits the solution. The server verifies it in microseconds — checking that SHA-256 of the nonce concatenated with the solution has the required leading zeros. If valid, the server issues a session token. Every subsequent request from that client carries the token and passes through without another challenge.
The session token is valid for a configurable duration — one hour by default. During that window, the verified client has unrestricted access to protected endpoints. When the session expires, a new challenge is issued automatically. The user never notices.
A single human solving a single challenge is trivial. But a bot farm attempting to solve thousands of challenges per minute faces an economic wall. At difficulty 16, each challenge requires approximately 65,000 SHA-256 hashes. At difficulty 20, it requires approximately one million. At difficulty 24 — which BotShield escalates to when it detects high-velocity requests from the same source — it requires approximately 16 million hashes per challenge.
This is the critical insight: proof of work scales defensively. The cost to the attacker grows exponentially with difficulty, while the cost to the defender stays constant (verification is always microseconds). A bot farm that could previously send 10,000 requests per second to an unprotected endpoint now needs 10,000 CPU cores running continuously just to solve the challenges — and each core produces only one verified session, not unlimited requests.
BotShield does not use a fixed difficulty for all clients. It observes request velocity per client fingerprint and adjusts automatically:
The difficulty adjustment happens server-side. The client receives a harder challenge and has no way to negotiate a lower one. The challenge nonce is signed with a CRYSTALS-Dilithium post-quantum signature, which means a bot cannot forge a pre-solved challenge — every nonce is cryptographically bound to the server that issued it.
For websites, BotShield is a single script tag:
The script runs automatically on page load. It requests a challenge, solves it in the background, and stores the session token in a cookie. Every subsequent fetch request from that page includes the token. No code changes. No event handlers. No configuration.
For API protection, BotShield provides an Axum middleware layer that drops into any Rust web server:
Any route behind this layer requires a valid BotShield session token. Requests without one receive a 429 response containing the challenge. The client SDK solves it and retries automatically.
For server-side verification, any backend can check a token:
BotShield does not fingerprint your users. It does not track them across sites. It does not send their data to a third party. It does not use cookies for tracking — only for storing the session token on that domain. It does not require JavaScript frameworks, browser extensions, or specific browser versions. It does not block screen readers, keyboard navigation, or assistive technology. It does not display visual puzzles, audio challenges, or interactive elements.
It computes hashes. That is all it does.
BotShield is built on the same privacy-first principles as the rest of the H33 platform. The challenge nonce is random — it contains no information about the client. The solution is a number — it contains no information about the client. The session token is a cryptographic hash — it identifies the session, not the person. The server stores challenge records for 30 seconds and session records for the token lifetime, then deletes them.
Under GDPR, there is no personal data processed. Under CCPA, there is no personal information collected. Under ePrivacy, the session cookie is strictly necessary for the service requested by the user. The legal analysis is simple because the technical architecture eliminates the data before the legal question arises.
BotShield is free for the first 10,000 challenges per month. No credit card required. No usage limits on the session tokens those challenges produce.
We made it free because bot prevention is infrastructure, not a feature. Every website using BotShield is already integrated with the H33 API. They already have an account. They already understand the platform. When they need encrypted authentication, fraud detection, healthcare record protection, or AI compliance — the integration is already done. BotShield is not the product we monetize. It is the product that brings developers to the platform where the monetized products live.
The economics work because challenge issuance and verification are computationally trivial. The SHA-256 verification on the server takes microseconds. The challenge storage is a DashMap entry that expires in 30 seconds. At 10,000 challenges per month, the server-side cost is negligible. The value of having that developer on the platform vastly exceeds the cost of serving their bot prevention.
The current implementation uses SHA-256 for the proof of work because it matches the browser's Web Crypto API — no additional libraries needed. The next version will offer Poseidon as an alternative hash function. Poseidon is a ZK-native hash designed for arithmetic circuits, and a Poseidon-based proof of work doubles as a zero-knowledge proof input. This means the bot challenge and the device attestation from H33-DeviceProof can become the same operation — proving you are not a bot AND proving your device is legitimate in a single computation.
Adaptive difficulty will also gain machine learning integration, using the same native Rust threat agents that power H33's authentication pipeline. The Harvest Detection agent already monitors for patterns consistent with automated data collection. Applying that same behavioral analysis to BotShield challenge patterns will enable difficulty escalation based on behavioral signals, not just velocity — catching sophisticated bots that throttle their request rate to stay below velocity thresholds.
One script tag. No account required for the first 10,000 challenges. No CAPTCHA. No tracking. Just math.
Get Started Free