Friendly Captcha vs ALTCHA
Both proof-of-work, both no-cookie. One is EU-hosted and paid, the other is MIT-licensed and self-hosted. Pick by trust model.
Both Friendly Captcha and ALTCHA use proof-of-work in the visitor's browser to defeat automation, neither sets cookies, neither fingerprints, and both work invisibly. The choice between them comes down to one thing: do you want to outsource trust or own it?
Friendly Captcha: outsource trust to a German company
Friendly Captcha GmbH is based in Munich, runs its servers in the EU, and gives you a managed dashboard with abuse signals, analytics, and rate-limit visibility. You integrate a widget, drop in an API key, and they handle everything else. Pricing starts at €9/mo for 10,000 solves and scales up through €39 (50k) and €240 (Business, with self-host option).
The trust model: you trust Friendly Captcha not to be hacked, not to lose data, and not to change pricing dramatically. Their privacy story is excellent (no cookies, no tracking, full DPA), and they've been around since 2020 with no incidents. For most regulated industries this is the easiest "we use a CAPTCHA" story.
ALTCHA: own trust entirely
ALTCHA is an MIT-licensed library written by Daniel Regeci and a small community. There's no central service. You run a JavaScript widget on the client and a small verifier in your server language (Node, Go, Python, PHP, Ruby, Rust, etc.). It generates and verifies hash puzzles using only your own infrastructure.
The trust model: you trust yourself to deploy it correctly and your hosting provider not to lose data. There's no vendor that can change pricing, terms, or operations. The code is small enough to read in an afternoon.
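The checks a self-hosted verifier has to get right, shown as an added example (not ALTCHA's own code or wire format, and not from the original page). It is a simplified hash puzzle in Node.js; HMAC_KEY, MAX_NUMBER, TTL_MS, the function names and the in-memory replay cache are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Assumed values for this sketch, not ALTCHA defaults.
const HMAC_KEY = nodeCrypto.randomBytes(32); // server-side secret, never sent to the client
const MAX_NUMBER = 50000;                    // puzzle difficulty: size of the search space
const TTL_MS = 5 * 60 * 1000;                // challenges expire after five minutes
const seen = new Set();                      // replay cache; use a shared store with expiry in production

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');
const sign = (s) => nodeCrypto.createHmac('sha256', HMAC_KEY).update(s).digest('hex');

// Server: issue a puzzle. The secret number is discarded; only its hash is sent.
function createChallenge(now = Date.now()) {
  const salt = `${nodeCrypto.randomBytes(12).toString('hex')}.${now + TTL_MS}`;
  const challenge = sha256(salt + nodeCrypto.randomInt(MAX_NUMBER + 1));
  return { salt, challenge, signature: sign(`${salt}:${challenge}`) };
}

// Client (the widget's job): brute-force the number whose hash matches.
function solve({ salt, challenge }) {
  for (let n = 0; n <= MAX_NUMBER; n++) {
    if (sha256(salt + n) === challenge) return n;
  }
  return null;
}

// Server: verify a submission without storing per-challenge state.
function verify({ salt, challenge, signature, number }, now = Date.now()) {
  if (![salt, challenge, signature].every((v) => typeof v === 'string')) return false;
  if (!Number.isInteger(number) || number < 0 || number > MAX_NUMBER) return false;
  // 1. The challenge must be one this server issued (constant-time compare).
  const expected = Buffer.from(sign(`${salt}:${challenge}`));
  const given = Buffer.from(signature);
  if (given.length !== expected.length) return false;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return false;
  // 2. It must not be expired (expiry is part of the signed salt).
  const expires = Number(salt.split('.')[1]);
  if (!(now <= expires)) return false;
  // 3. The work must actually have been done.
  if (sha256(salt + number) !== challenge) return false;
  // 4. A solved challenge is accepted once only.
  if (seen.has(challenge)) return false;
  seen.add(challenge);
  return true;
}
```

Dropping any one of the four checks leaves a gap: without the signature a client can submit puzzles it made up, without expiry or the replay cache one solved puzzle can be reused indefinitely.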
When to pick which
Pick Friendly Captcha if: you want a dashboard, you need an SLA for compliance, you're already paying for security tooling and a CAPTCHA line item fits, or EU data residency is procurement-mandated.
Pick ALTCHA if: you want zero ongoing vendor dependencies, your team is comfortable owning a small JavaScript widget, the form being protected is internal or low-volume, or you specifically want to audit the code.
For high-traffic public forms with no compliance pressure, both work. The deciding factor is usually your team's preference for managed services vs. self-owned code.