About

What reForge Captcha is, why we built it, and how it works under the hood.

Bot protection that respects everyone

reForge Captcha is a free, privacy-first CAPTCHA and bot detection platform built by CodeForgeX Studio. We believe protecting your forms and APIs from bots shouldn't require selling your users' data to an ad network, locking yourself into a CDN, or paying per verification.

Why we built this

The existing CAPTCHA landscape has problems. Google reCAPTCHA harvests behavioural data from your visitors to train its own ML models and serve better ads. Cloudflare Turnstile is only truly frictionless if you're already on Cloudflare. hCaptcha requires you to pay at scale. Every option asks you to trust a third party with your users' data and your uptime.

We wanted a captcha we'd actually be comfortable embedding on our own projects — one that scores risk signals without profiling people, stores only what's necessary, and never charges for it. So we built reForge Captcha and decided to make it free for everyone.

How the risk engine works

Every widget submission is scored in real-time on a scale of 0.0 (definitely a bot) to 1.0 (definitely human). The score is computed from a combination of client-side and server-side signals:

Behaviour Signals

Mouse movement count and timing, interaction latency, time spent on page before submission, and click naturalness patterns.

Browser Fingerprint

User agent analysis, headless browser detection (Puppeteer, Playwright, Selenium, PhantomJS), and automation framework signatures.

Network Signals

IP reputation checks, suspicious request patterns, and request timing analysis to catch automated scripts.

Your Threshold

You decide the minimum score per site. Set 0.3 for lenient forms, 0.9 for high-security login endpoints. The engine adapts to your requirements.

Privacy by design

We score signals — not people. Here's what that means in practice:

  • No cookies are placed on your visitors' browsers
  • No visitor data is ever sold or shared with third parties
  • Visitor behaviour signals are processed transiently and not stored permanently
  • Verification logs store only: IP address, result, score, timestamp — nothing more
  • Tokens are single-use and expire after 2 minutes
  • GDPR and CCPA compliant by default — no consent banner required for the widget

Technical stack

reForge Captcha is built with a simple, fast, dependency-light stack so it stays reliable and easy to maintain.

Backend

  • PHP 8.2+
  • PDO / MySQL 8
  • No frameworks
  • REST JSON API

Widget

  • Vanilla JS (ES5+)
  • Zero dependencies
  • ~8 KB minified
  • CORS-enabled

Storage

  • MySQL 8
  • Indexed queries
  • Daily stat rollups
  • Token TTL logic

Auth

  • CodeForgeX SSO
  • SHA-256 tokens
  • Session expiry
  • Scoped API keys

About CodeForgeX Studio

CodeForgeX Studio is an independent software studio that builds developer tools and open infrastructure. reForge Captcha is one of several free tools we maintain alongside CodeLockr (code encryption) and other projects in the CodeForgeX ecosystem.

We're funded entirely by our commercial projects and keep our free tools free because we think good infrastructure shouldn't be paywalled. If you'd like to get in touch, reach us at hello@codeforgex.studio.

Ready to protect your site?

Sign up for free and have your first widget live in under 2 minutes.

Get Started Free