Overview
Human-friendly protection for real forms.
HumanProof combines a lightweight widget, proof-of-work challenge solving, domain enforcement, short-lived response tokens, and optional risk scoring. The browser receives a token only after the challenge flow succeeds. Your server then verifies that token before accepting the action.
How it works
Render
Load widget.js and render human-proof on the protected form.
Challenge
HumanProof starts solving on click, form interaction, load, or an explicit solve() call.
Token
A hidden humanproof-token field is filled after a successful solve.
Verify
Your backend posts the token and backend secret to siteverify.
Core concepts
| Project | A project represents one protected production domain and its testing domains. |
|---|---|
| Site key | A public key used in the browser challenge endpoint. It is safe to expose. |
| Backend secret | A private server-side secret used for siteverify. Never expose it in HTML or JavaScript. |
| Protected attempt | A challenge attempt that reaches HumanProof and is counted for usage, including blocked risk attempts and failed solves. |