One script tag. Zero tracking. Zero third-party data. Your visitor's browser solves a cryptographic challenge invisibly — no images, no checkboxes, no Google. Difficulty auto-scales to stop bots while remaining invisible to real visitors.
CAPTCHAs, tracking scripts, and rate limiters all extract a cost from legitimate visitors. BotShield extracts the cost from the attacker instead.
Google collects behavioral data across every site using reCAPTCHA. Your visitors are the product. GDPR liability every time the widget loads. A tracking pixel disguised as security.
Visual puzzles block screen readers, frustrate mobile users, and add 10–30 seconds of friction. Accessibility lawsuits are increasing year over year. Your conversion rate drops with every puzzle.
VPNs, corporate networks, and mobile carriers share IPs. Rate limiting blocks legitimate users while sophisticated bots rotate IPs freely. You're blocking the wrong people.
BotShield shifts the cost from the user to the attacker. Every visitor's browser solves a small math problem. At scale, bots can't afford it.
Click the button to run a real SHA-256 proof-of-work challenge in your browser. Watch the hash counter, see how fast your device solves it, and understand what your visitors never see.
This runs real SHA-256 hashing in your browser using the Web Crypto API. No server calls in this demo — production BotShield verifies server-side.
Drop this widget anywhere BotShield runs. It turns a loading delay into a trust moment — your visitors watch the math happen in real time.
<div data-botshield></div>
<script src="https://h33.ai/assets/botshield-widget.js"></script>
From a single script tag to full API control. BotShield works with any stack, any framework, any language.
<!-- Add before </head> -->
<script src="https://api.h33.ai/v1/botshield/script.js"></script>// Request challenge from H33
const challenge = await fetch('https://api.h33.ai/v1/botshield/challenge', {
method: 'POST',
headers: { 'X-API-Key': 'your_api_key' },
}).then(r => r.json());
// Solve proof of work in Web Worker
const solution = await solveChallenge(challenge.nonce, challenge.difficulty);
// Send solution + form data to your backend
await fetch('/api/submit', {
method: 'POST',
body: JSON.stringify({ solution, ...formData }),
});import requests
def verify_botshield(solution: str) -> bool:
"""Verify proof-of-work solution with H33 API."""
resp = requests.post(
"https://api.h33.ai/v1/botshield/verify",
json={"solution": solution},
headers={"X-API-Key": "your_api_key"},
)
return resp.json()["valid"]use h33_botshield::{BotShieldLayer, Difficulty};
let app = Router::new()
.route("/api/submit", post(handler))
.layer(
BotShieldLayer::new("your_api_key")
.difficulty(Difficulty::Adaptive)
.session_ttl(Duration::from_secs(3600))
);Every other solution trades your users' privacy or patience for bot protection. BotShield trades math.
| reCAPTCHA | hCaptcha | Turnstile | BotShield | |
|---|---|---|---|---|
| Tracking | Extensive behavioral tracking | Privacy-focused, some data | Cloudflare telemetry | Zero. No personal data. |
| User friction | Image puzzles, 10-30s | Image puzzles, 10-30s | Invisible, occasional fallback | Invisible. Always. 1-3s. |
| Accessibility | Screen reader hostile | Screen reader hostile | Mostly accessible | Fully accessible. No UI. |
| Third-party dependency | Google infrastructure | hCaptcha infrastructure | Cloudflare infrastructure | Self-contained. One API call. |
| GDPR compliant | Requires consent banner | Improved, still collects data | Cloudflare DPA required | By architecture. No PII. |
| Open algorithm | Proprietary | Proprietary | Proprietary | Yes. SHA-256. Auditable. |
| Cost | Free (you pay with user data) | Free tier + paid | Free (Cloudflare lock-in) | 2.5K/mo free. Plans from $29.99/mo. |
BotShield monitors request patterns in real time. Normal visitors get a trivial challenge. Suspicious traffic faces exponentially harder proof of work. The cost is always on the attacker.
Default for all visitors. The browser finds a SHA-256 hash with 16 leading zero bits. Completely invisible. Runs in a Web Worker. The user never knows it happened.
Triggered by repeated requests from the same session or IP pattern. Slows scrapers and credential stuffing tools to a crawl. Human visitors in this bracket see a brief "verifying" message.
Reserved for confirmed bot signatures and volumetric attacks. Makes automated abuse economically unviable. A bot farm spending GPU cycles on proof of work is a bot farm not attacking you.
The "Secured by H33.ai" badge tells visitors your site uses cryptographic bot prevention instead of invasive tracking. It means no CAPTCHA, no behavioral profiling, no third-party data collection.
Every other fraud tool analyzes behavior after the fact. BotShield prevents fraud by making it economically impossible — before the first fake account, before the first stolen credential, before the first fraudulent transaction.
Bots mass-create fake accounts to exploit free tiers and send spam. BotShield makes each signup cost real CPU time. At scale, 10,000 fake accounts require 650,000,000 SHA-256 hashes — economically unviable.
Attackers test stolen passwords at scale. PoW before each login attempt means 100,000 credential tests require 100,000 solutions. At elevated difficulty, that's 100 billion hashes.
Fraudsters test stolen card numbers with small transactions. PoW on payment forms makes rapid-fire testing impossible. Difficulty auto-scales at 50+ attempts per minute.
Bots trigger OTP sends to premium-rate numbers, costing you per SMS. BotShield before "send code" means each OTP request costs computation first.
Bots buy limited inventory faster than humans. 1-3 second solve is invisible for one purchase but devastating for 500 simultaneous bot purchases.
Bots hammer public APIs to scrape data or cause denial of service. Every API call must carry a valid PoW token. Server-side verification rejects calls without one.
Post-quantum signed challenges. Each BotShield challenge is signed with CRYSTALS-Dilithium (FIPS 204). Challenges can't be forged, pre-computed, or replayed. The session token is cryptographic proof that a device performed real computation — admissible evidence for TCPA defense, chargeback disputes, and fraud investigations.
Start protecting your site today. No credit card required for the free tier. Upgrade when you need more.
BotShield uses cryptographic proof of work instead of visual puzzles. When a visitor loads your page, their browser receives a random nonce and difficulty level from the H33 API. The browser then uses the Web Crypto API to find a SHA-256 hash that meets the difficulty target. This takes 1–3 seconds for a normal browser and is completely invisible to the user. No images, no checkboxes, no puzzles. The server verifies the solution in microseconds and issues a session token valid for 1 hour.
No. BotShield processes zero personal data. No cookies are set for tracking purposes. No behavioral data is collected. No fingerprinting occurs. The only data transmitted is the cryptographic challenge and its solution. There is no user profile, no cross-site tracking, and no data shared with any third party including H33. Your visitors remain completely anonymous.
Yes, by architecture rather than by policy. BotShield does not process any personal data as defined by GDPR Article 4. No IP addresses are stored, no behavioral profiles are created, no cookies are used for tracking, and no data is shared with third parties. Because no personal data is processed, no consent banner is required for BotShield specifically. This is compliance through engineering, not through legal paperwork.
At the default difficulty level (16 bits), the challenge takes 1–3 seconds on a modern browser. The computation runs in a Web Worker so it does not block the main thread or affect page responsiveness. The user never sees any indication that a challenge is being solved. If elevated difficulty is triggered due to suspicious patterns, the challenge may take 10–30 seconds, which naturally rate-limits automated tools.
BotShield works on all modern browsers including iOS Safari, Chrome for Android, and Firefox Mobile. The Web Crypto API is supported on all major mobile browsers. Challenge difficulty automatically adjusts based on the client's reported capabilities, ensuring mobile users are not penalized for lower compute power. Typical solve times on mobile are 2–4 seconds at normal difficulty.
Yes, any computer can solve a SHA-256 proof-of-work challenge. That is by design. The protection comes from the cost: at scale, solving thousands of challenges per minute requires significant compute resources that cost real money. A single human visitor solves one challenge in 1–3 seconds and gets a 1-hour session token. A bot farm trying to generate 10,000 sessions faces exponentially harder challenges as BotShield's adaptive difficulty kicks in, making the attack economically unviable.
The "Secured by H33.ai" badge is displayed on the free tier as attribution. Any paid plan ($29.99/mo Starter and above) removes the badge. Starter gives you 10,000 challenges/mo, Pro gives you 100,000, and Business gives you 1,000,000. You can upgrade at any time from the H33 dashboard.
Yes. Add the single script tag to your WordPress theme header (Appearance > Theme Editor > header.php) or use a plugin like Insert Headers and Footers. BotShield automatically protects all forms on the page. No WordPress-specific configuration is needed. It also works with WooCommerce checkout, Contact Form 7, Gravity Forms, and any other form plugin.
One line of HTML. No backend changes. No signup friction. Start protecting your site right now.
