ALTCHA vs CAPTCHA.eu: Open Source or Managed CAPTCHA?

ALTCHA and CAPTCHA.eu solve the same problem: bot protection without cookies or reCAPTCHA’s privacy overhead, but they do it in fundamentally different ways. ALTCHA is open-source and self-hosted. CAPTCHA.eu is a managed, EU-hosted service. The right choice depends on how much infrastructure your team wants to own and what your compliance situation actually requires.

Estimated reading time: 12 minutes

---

---

What both solutions actually are

Both ALTCHA and CAPTCHA.eu use proof-of-work verification to protect websites from automated bots. Neither sets cookies for the CAPTCHA function, neither shows users image puzzles, and both position themselves as privacy-compliant alternatives to reCAPTCHA. The underlying approach is similar. The delivery model is not.

ALTCHA is an open-source project licensed under MIT. The core widget is free. For production-grade protection, teams deploy ALTCHA Sentinel: a self-hosted backend that adds adaptive CAPTCHA, threat intelligence, machine learning classification, and rate limiting. Sentinel runs on your own Docker or Kubernetes infrastructure. You own the deployment, the data, and the uptime.

CAPTCHA.eu is a managed SaaS service. You integrate a JavaScript widget, and CAPTCHA.eu handles verification, infrastructure, threat intelligence, and uptime from data centres in Austria. No server to deploy, no backend to maintain, no ops work beyond the initial integration.

---

Side-by-side comparison

FEATURE	ALTCHA (self-hosted)	CAPTCHA.EU (managed)
Verification approach	Proof-of-work (core); adaptive PoW + ML classification (Sentinel). Widget v3 uses memory-bound Argon2 and Scrypt algorithms that neutralise GPU/ASIC acceleration by bot farms	Proof-of-work + contextual signal analysis per request
Hosting model	Self-hosted on your infrastructure (Docker, Kubernetes, AWS, Azure)	Fully managed, hosted in Austria (EU)
Data location	Wherever you deploy: you control it	Austria on all commercial plans, by default
Cookies	None in default mode. An optional cookie configuration exists in the widget API but is not enabled by default	None for CAPTCHA function
Open source	Yes: widget and core under MIT license	No: closed source SaaS
Setup complexity	Docker or Kubernetes deployment required for Sentinel	JavaScript snippet + API key, no server required
Maintenance	You manage updates, security patches, and uptime	Fully managed, no maintenance on your side
WordPress plugin	Official plugin (V2, released 2026)	Official plugin
TYPO3 plugin	Not available	Official plugin (EXT:form + PowerMail)
Keycloak plugin	Community JAR (registration flow only)	Official JAR (login, registration, and password reset)
WCAG 2.2 AA	Self-declared compliant	Independently certified by TÜV Austria
GDPR DPA	Not applicable (you host it)	Standard DPA available
Pricing model	Free core; Sentinel Professional €99/month, Enterprise €799/month (April 2026, excl. infrastructure). 30-day free trial available	Usage-based; free tier available, paid plans from captcha.eu/pricing
Reference customers	Government agencies and enterprises (not publicly named)	ÖBB, OeNB, DGUV, A1, MG (publicly named)

---

Hosting and data location

This is the most consequential difference for European teams, and it cuts in both directions depending on your situation.

With ALTCHA, you control where verification data lives entirely. If your organisation has strict data residency requirements (for example, a government agency that cannot process any data on third-party infrastructure), ALTCHA’s self-hosted model is structurally the right answer. No third-party receives any request data because there is no third party.

With CAPTCHA.eu, verification requests are processed in Austria on all commercial plans. Austria is an EU member state, so GDPR applies, there are no US data transfers, and the processing location is fixed and documentable. For most European website operators, this is the simpler path: you point your DPO at a known Austrian data centre rather than at your own deployment.

---

Security model and threat response

Both solutions use proof-of-work at the base layer, which means neither relies on cookies, cross-site behavioral profiling, or user fingerprinting. That is the shared starting point. Where they diverge is in how threat intelligence gets updated when bot patterns change.

ALTCHA Sentinel includes threat intelligence: IP reputation databases, ML classification, and human interaction signature analysis. However, keeping those defences current requires you to update Sentinel on your own infrastructure. When ALTCHA releases a new version with improved bot detection, you deploy it. When a new threat pattern emerges, response time depends on your team’s patching cadence.

CAPTCHA.eu updates threat intelligence and signal analysis centrally. All protected sites benefit from improvements simultaneously without any action required from individual customers. This is the classic managed-vs-self-hosted trade-off in security: self-hosted gives you control; managed gives you speed of response.

One genuine technical strength of ALTCHA worth noting: Widget v3, released in April 2026, makes automated attacks more expensive by forcing attackers to spend more memory and computing power per verification attempt. Technically, this works through memory-bound algorithms called Argon2 and Scrypt, which neutralise GPU and ASIC hardware acceleration, the tools bot farms use to process challenges cheaply at scale. It is a thoughtful design choice that goes beyond basic proof-of-work. CAPTCHA.eu uses a different approach (contextual signal analysis per request rather than client-side computational hardening), but the ALTCHA v3 architecture is a genuine advancement that anyone seriously evaluating the two should understand.

For most website operators, bot patterns evolve faster than internal patching cycles can match. For security-focused teams with dedicated DevOps capacity, the control that comes with self-hosting may outweigh the convenience of managed updates.

---

Setup, maintenance, and ops overhead

This is where the practical difference becomes most visible for smaller teams.

The ALTCHA open-source widget is genuinely easy to integrate: a JavaScript snippet, a backend verification call, and you are done. The challenge starts with Sentinel. Production-grade ALTCHA protection requires deploying and operating a Docker or Kubernetes container, configuring PostgreSQL or Redis for persistence and clustering, managing TLS, setting up monitoring, and handling updates when new versions ship. For a team with existing DevOps infrastructure, this is manageable. For a two-person development team or a public-sector web team without dedicated ops, it is a real ongoing commitment.

CAPTCHA.eu requires no server deployment. You add a JavaScript snippet, configure your API keys, and the integration is complete. WordPress and TYPO3 administrators can install an official plugin without writing any code. Updates, infrastructure scaling, and uptime are handled by CAPTCHA.eu.

---

GDPR and compliance documentation

Both solutions are designed for GDPR compliance, but the compliance documentation process looks different for each.

With ALTCHA, because you self-host, there is no data processor relationship to document. ALTCHA processes no data on your behalf. This simplifies your Article 30 records: the CAPTCHA component is internal infrastructure, not a third-party processor. For DPOs who prefer minimal third-party relationships, this is a genuine advantage.

With CAPTCHA.eu, you enter into a Data Processing Agreement (DPA) that names Austria as the processing location and bot protection as the purpose. This adds one line to your processor list, but it gives your DPO a documented, verifiable processor relationship rather than an internal self-hosted system they need to audit themselves.

On accessibility, both solutions claim WCAG 2.2 AA compliance. CAPTCHA.eu has this independently certified by TÜV Austria. ALTCHA self-declares compliance. For procurement in public sector, healthcare, or regulated financial contexts, the difference between an independently certified certification and a self-declaration is material. Many procurement frameworks specifically require third-party certification rather than self-attestation.

---

Platform integrations

Integration availability is one of the clearest practical differences between the two solutions, particularly for TYPO3 and Keycloak users.

WordPress: Both have official plugins. ALTCHA launched WordPress V2 in 2026. CAPTCHA.eu has had an official WordPress plugin since earlier in the platform’s history. Both work.

TYPO3: CAPTCHA.eu has official extensions for both EXT:form and PowerMail. ALTCHA has no TYPO3 extension. For TYPO3 sites (common in DACH public sector and enterprise environments), CAPTCHA.eu is the only option of the two.

Keycloak: CAPTCHA.eu has an official JAR that covers all three authentication flows: login, registration, and password reset, supporting Keycloak 22.0.3 and later. ALTCHA has a community-maintained JAR that covers registration only, and requires a self-hosted Sentinel backend. For IAM teams running Keycloak in production, CAPTCHA.eu’s broader flow coverage and lower version requirements are a meaningful difference. See our full Keycloak integration guide for setup details.

Other platforms: CAPTCHA.eu provides official integrations for a range of additional platforms including Shopware, Symfony, and others. ALTCHA’s integration ecosystem is primarily community-driven outside of WordPress.

---

Cost comparison

Cost comparison between a self-hosted and a managed solution is more complex than it first appears, because the infrastructure and DevOps costs of self-hosting are real even when the license is free.

The ALTCHA open-source widget is free. ALTCHA Sentinel, which provides the production-grade adaptive protection, requires a paid license. Sentinel pricing starts at €99/month for the Professional plan and €799/month for Enterprise (monthly billing, as of April 2026; check altcha.org/docs/v2/sentinel/pricing/ for current rates). A 30-day free trial is available. Infrastructure costs are not included in the license fee.

Separately, you pay for the infrastructure on which Sentinel runs: a server or container runtime, persistent storage, and any redundancy you configure. For high-availability deployments, this typically means clustering with PostgreSQL, which adds infrastructure complexity and cost. For a team already running Kubernetes, marginal infrastructure cost is low. For a team that has to provision new infrastructure for Sentinel specifically, the cost comparison shifts.

CAPTCHA.eu pricing is usage-based, with a free tier available and paid plans scaling by verified request volume. Infrastructure is included in the price. There are no separate hosting costs, no ops time required, and no version management overhead.

---

Which one should you choose?

---

---

Frequently Asked Questions

---

Related reading

---