Security boundary
The browser receives only a public site key and a short-lived challenge token. Backend secrets are used only server-side for verification. Protected actions should continue only after your backend validates the submitted token with HumanProof.
Challenge and verification flow
HumanProof maps public site keys to internal challenge-engine credentials, checks project state, allowed domains, billing status, plan limits, widget capability, and risk mode before issuing or redeeming challenges.
Secrets and keys
Site keys are public and may be embedded in browser code. Backend secrets must stay on your server. HumanProof never requires your backend secret to be present in HTML, JavaScript, or client-side configuration.
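The two passages above (the browser receiving only a public site key and a challenge token, and the backend secret staying server-side) combine into one server-side check. The following is an added Python example written for this page, not HumanProof's own code or SDK: it assumes a siteverify endpoint URL, a form field named "humanproof-token", a JSON reply containing a boolean "success", and a HUMANPROOF_SECRET environment variable, none of which this page documents. The HTTP transport is injectable so the handler can be exercised offline with a fake reply.

```python
"""Added example (not HumanProof's own code): verify a challenge token server-side
before a protected action runs. Endpoint URL, field name, reply shape and the
environment variable name are assumptions for illustration only."""
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Mapping, Optional

# Hypothetical endpoint placeholder; take the real one from HumanProof's API docs.
SITEVERIFY_URL = "https://api.humanproof.example/siteverify"

Transport = Callable[[str, Mapping[str, str]], dict]


def _default_post(url: str, fields: Mapping[str, str]) -> dict:
    """Real transport: form-encoded POST, JSON reply. Replaced by a fake in tests."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def verify_challenge_token(token: Optional[str],
                           post: Transport = _default_post,
                           secret: Optional[str] = None) -> bool:
    """Return True only when HumanProof confirms the submitted token.

    The backend secret comes from the server environment (or an explicit
    argument for testing), never from the request, so it cannot leak into
    HTML or client-side configuration. Every failure path (missing token,
    missing secret, transport error, malformed reply) returns False so the
    protected action fails closed.
    """
    if not token:
        return False
    secret = secret or os.environ.get("HUMANPROOF_SECRET")
    if not secret:
        # Server misconfiguration: refuse the action rather than skip the check.
        return False
    try:
        reply = post(SITEVERIFY_URL, {"secret": secret, "response": token})
    except Exception:
        # Verification service unreachable or reply not JSON: do not proceed.
        return False
    return isinstance(reply, dict) and reply.get("success") is True


def handle_protected_form(form: Mapping[str, str],
                          post: Transport = _default_post,
                          secret: Optional[str] = None) -> str:
    """Minimal handler: the protected action runs only after verification succeeds."""
    if not verify_challenge_token(form.get("humanproof-token"), post, secret):
        return "403 challenge not verified"
    return "200 action performed"


if __name__ == "__main__":
    # Offline demonstration with a constructed fake transport.
    def fake_post(url: str, fields: Mapping[str, str]) -> dict:
        return {"success": fields["response"] == "valid-token"}

    print(handle_protected_form({"humanproof-token": "valid-token"}, fake_post, "demo-secret"))
    print(handle_protected_form({"humanproof-token": "forged"}, fake_post, "demo-secret"))
```

The design choice worth noting is that the handler treats an unreachable verification service the same as a failed verification: a token that cannot be confirmed is not accepted, which keeps the outage from silently disabling the protection.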
Domain enforcement
Challenge requests are checked against configured production and testing domains. Requests from unconfigured origins are rejected before the protected attempt is completed.
Account access
Organization access is scoped by membership and role. Agency workspaces can group protected sites by client, while platform operator tools are separated from normal customer workspaces.
Telemetry and auditability
HumanProof records operational events such as challenge outcomes, verification status, risk reasons, billing state changes, project changes, and selected security settings so teams can investigate abuse and configuration changes.
Billing and plan gates
Public challenge traffic can be blocked when a monthly protected-attempt limit is reached, when a plan does not allow a requested widget capability, or when billing status requires action after the configured grace period.
Operational safeguards
HumanProof is hosted on Hetzner infrastructure and does not use Cloudflare for CDN or hosting. Public challenge, redeem, siteverify, contact, and billing actions use rate limits. Production readiness checks validate required challenge-engine, billing, webhook, and retention configuration before launch.
Incident contact
Report suspected security issues to security@humanproof.eu.