One script tag. Zero tracking. Zero third-party data. Your visitor's browser solves a cryptographic challenge invisibly — no images, no checkboxes, no Google. Difficulty auto-scales to stop bots while remaining invisible to real visitors.
CAPTCHAs, tracking scripts, and rate limiters all extract a cost from legitimate visitors. BotShield extracts the cost from the attacker instead.
Google collects behavioral data across every site using reCAPTCHA. Your visitors are the product. GDPR liability every time the widget loads. A tracking pixel disguised as security.
Visual puzzles block screen readers, frustrate mobile users, and add 10–30 seconds of friction. Accessibility lawsuits are increasing year over year. Your conversion rate drops with every puzzle.
VPNs, corporate networks, and mobile carriers share IPs. Rate limiting blocks legitimate users while sophisticated bots rotate IPs freely. You're blocking the wrong people.
BotShield shifts the cost from the user to the attacker. Every visitor's browser solves a small math problem. At scale, bots can't afford it.
From a single script tag to full API control. BotShield works with any stack, any framework, any language.
<!-- Add before </head> -->
<script src="https://api.h33.ai/v1/botshield/script.js"></script>// Request challenge from H33
const challenge = await fetch('https://api.h33.ai/v1/botshield/challenge', {
method: 'POST',
headers: { 'X-API-Key': 'your_api_key' },
}).then(r => r.json());
// Solve proof of work in Web Worker
const solution = await solveChallenge(challenge.nonce, challenge.difficulty);
// Send solution + form data to your backend
await fetch('/api/submit', {
method: 'POST',
body: JSON.stringify({ solution, ...formData }),
});import requests
def verify_botshield(solution: str) -> bool:
"""Verify proof-of-work solution with H33 API."""
resp = requests.post(
"https://api.h33.ai/v1/botshield/verify",
json={"solution": solution},
headers={"X-API-Key": "your_api_key"},
)
return resp.json()["valid"]use h33_botshield::{BotShieldLayer, Difficulty};
let app = Router::new()
.route("/api/submit", post(handler))
.layer(
BotShieldLayer::new("your_api_key")
.difficulty(Difficulty::Adaptive)
.session_ttl(Duration::from_secs(3600))
);Every other solution trades your users' privacy or patience for bot protection. BotShield trades math.
| reCAPTCHA | hCaptcha | Turnstile | BotShield | |
|---|---|---|---|---|
| Tracking | Extensive behavioral tracking | Privacy-focused, some data | Cloudflare telemetry | Zero. No personal data. |
| User friction | Image puzzles, 10-30s | Image puzzles, 10-30s | Invisible, occasional fallback | Invisible. Always. 1-3s. |
| Accessibility | Screen reader hostile | Screen reader hostile | Mostly accessible | Fully accessible. No UI. |
| Third-party dependency | Google infrastructure | hCaptcha infrastructure | Cloudflare infrastructure | Self-contained. One API call. |
| GDPR compliant | Requires consent banner | Improved, still collects data | Cloudflare DPA required | By architecture. No PII. |
| Cost | Free (you pay with user data) | Free tier + paid | Free (Cloudflare lock-in) | 10K/mo free. $49/mo unlimited. |
BotShield monitors request patterns in real time. Normal visitors get a trivial challenge. Suspicious traffic faces exponentially harder proof of work. The cost is always on the attacker.
Default for all visitors. The browser finds a SHA-256 hash with 16 leading zero bits. Completely invisible. Runs in a Web Worker. The user never knows it happened.
Triggered by repeated requests from the same session or IP pattern. Slows scrapers and credential stuffing tools to a crawl. Human visitors in this bracket see a brief "verifying" message.
Reserved for confirmed bot signatures and volumetric attacks. Makes automated abuse economically unviable. A bot farm spending GPU cycles on proof of work is a bot farm not attacking you.
The "Secured by H33.ai" badge tells visitors your site uses cryptographic bot prevention instead of invasive tracking. It means no CAPTCHA, no behavioral profiling, no third-party data collection.
Start protecting your site today. No credit card required for the free tier. Upgrade when you need more.
BotShield uses cryptographic proof of work instead of visual puzzles. When a visitor loads your page, their browser receives a random nonce and difficulty level from the H33 API. The browser then uses the Web Crypto API to find a SHA-256 hash that meets the difficulty target. This takes 1–3 seconds for a normal browser and is completely invisible to the user. No images, no checkboxes, no puzzles. The server verifies the solution in microseconds and issues a session token valid for 1 hour.
No. BotShield processes zero personal data. No cookies are set for tracking purposes. No behavioral data is collected. No fingerprinting occurs. The only data transmitted is the cryptographic challenge and its solution. There is no user profile, no cross-site tracking, and no data shared with any third party including H33. Your visitors remain completely anonymous.
Yes, by architecture rather than by policy. BotShield does not process any personal data as defined by GDPR Article 4. No IP addresses are stored, no behavioral profiles are created, no cookies are used for tracking, and no data is shared with third parties. Because no personal data is processed, no consent banner is required for BotShield specifically. This is compliance through engineering, not through legal paperwork.
At the default difficulty level (16 bits), the challenge takes 1–3 seconds on a modern browser. The computation runs in a Web Worker so it does not block the main thread or affect page responsiveness. The user never sees any indication that a challenge is being solved. If elevated difficulty is triggered due to suspicious patterns, the challenge may take 10–30 seconds, which naturally rate-limits automated tools.
BotShield works on all modern browsers including iOS Safari, Chrome for Android, and Firefox Mobile. The Web Crypto API is supported on all major mobile browsers. Challenge difficulty automatically adjusts based on the client's reported capabilities, ensuring mobile users are not penalized for lower compute power. Typical solve times on mobile are 2–4 seconds at normal difficulty.
Yes, any computer can solve a SHA-256 proof-of-work challenge. That is by design. The protection comes from the cost: at scale, solving thousands of challenges per minute requires significant compute resources that cost real money. A single human visitor solves one challenge in 1–3 seconds and gets a 1-hour session token. A bot farm trying to generate 10,000 sessions faces exponentially harder challenges as BotShield's adaptive difficulty kicks in, making the attack economically unviable.
The "Secured by H33.ai" badge is displayed on the free tier as attribution. Upgrading to the Pro plan at $49 per month removes the badge requirement and gives you unlimited challenges, custom difficulty settings, webhooks, and analytics. You can upgrade at any time from the H33 dashboard.
Yes. Add the single script tag to your WordPress theme header (Appearance > Theme Editor > header.php) or use a plugin like Insert Headers and Footers. BotShield automatically protects all forms on the page. No WordPress-specific configuration is needed. It also works with WooCommerce checkout, Contact Form 7, Gravity Forms, and any other form plugin.
One line of HTML. No backend changes. No signup friction. Start protecting your site right now.