Changelog
What has shipped, newest first. This page is the running record of what actually changed in production, not a roadmap of intentions.
2026-06-21
- Dashboard - The Monthly Challenges card now shows how many challenges were
confirmed server-side via
/verifythis billing period, right under the usage count. It's the quickest way to tell that your backend integration is actually verifying: the number stays at zero until a/verifycall succeeds. Available on every plan, including Free. Like the rest of the meter it updates on page load with a short delay.
2026-06-10
- Verification - Verification moved to a server-to-server call. Your backend
reads the
captchaapi_responsefield and confirms it with one POST to the/verifyendpoint, authenticated with your secret key as a Bearer token. Single-use is now enforced on our side, so a given response verifies exactly once and there is no local replay cache to run yourself. - Protection - Added signals that flag automated and suspicious traffic alongside the proof-of-work check, surfaced to your backend at verification time. No change to how the widget works for real visitors.
- Integrations - The Laravel package (3.0) and the WordPress plugin (2.0) both moved to server-side verification; the WordPress plugin no longer keeps a local replay table, and upgrades remove it automatically.
2026-06-06
- Site - New "For agencies" page at
/agencies(and/de/agencies): the case for making captchaapi the default across every client site you build, with free small sites, no cookie banner, EU hosting, and an exit that costs an afternoon. - Plans - The Free tier's monthly limit is now 5,000 challenges (previously 10,000). Commercial use stays allowed, and paid tiers are unchanged.
2026-06-04
- Integrations - The WordPress plugin is now live in the official WordPress.org plugin directory at https://wordpress.org/plugins/captchaapi/, installable straight from any site's Plugins screen.
- Site - New comparison page at
/compare(and/de/compare): a head-to-head against reCAPTCHA, hCaptcha, Cloudflare Turnstile and Friendly Captcha across privacy, EU hosting, cookies and price, with every claim cross-referenced to each provider's own documentation. - Blog - New German article on the WordPress plugin: DSGVO-compliant, cookie-banner-free spam protection for the WordPress login, registration, password-reset and comment forms plus Contact Form 7, installed from the plugin directory without code.
- Blog - New German article on picking a DSGVO-compliant reCAPTCHA alternative, covering the US-transfer, cookie-banner and controller-responsibility issues that fall on the integrator.
- Blog - New German Friendly Captcha comparison: same EU proof-of-work approach, but 20× the requests at the Starter price, commercial use on the free tier, and EU-only hosting from the first request (Friendly gates its EU endpoint to the €200 plan).
- Blog - The German articles now have their own German-language home at
/de/blog, with German navigation, layout and reading experience; the English/blogstays English-only. - Blog - Code blocks in posts now have a one-click copy button.
2026-06-02
- Site - German is now available across the marketing pages (home, demo,
Why EU, Trust Center) at
/de, with a language switcher in the header. - Integrations - Official WordPress plugin: drop-in proof-of-work CAPTCHA for the login, registration, lost-password, and comment forms plus Contact Form 7, with no code or markup. Verification runs locally with your secret key.
2026-06-01
- Plans - The Free tier now allows commercial use (previously non-commercial) and its monthly limit rose to 10,000 challenges.
- Plans - Repeatedly hitting the Free cap deactivates the account. Upgrading restores it instantly - otherwise the account and its data are removed after a retention period. Paid plans are unchanged: they keep serving over the limit and just get an upgrade reminder.
- Trust - Added a Key Timelines table consolidating every due-diligence deadline (breach 48h, DSAR, sub-processor notice, deletion) in one place.
2026-05-31
- API - Per-project in-quota rate cap to keep a single noisy project from burning an account's whole monthly allowance.
- Trust - Added a Business Continuity section (low switching cost, 90-day wind-down notice, protocol published on shutdown).
2026-05-20
- Privacy - Switched the marketing site to first-party, server-side, cookieless analytics (no IP stored, no third party).
2026-05-15
- Account - Registration now records versioned legal consent with an audit trail.
2026-05-12
- Protection - Adaptive attack detection: per-sitekey PoW difficulty now scales up automatically under coordinated abuse, including cross-sitekey IP reputation and offline GeoIP signals - visitors are never hard-blocked.
- Protection - Flattened the tier difficulty multiplier so a paid sitekey is never a cheaper attack target than a Free one.
2026-05-11
- Reliability - Production exception monitoring with alerting.
2026-05-08
- Widget - Per-project configurable attestation TTL, surfaced in the dashboard, debug console, and demo.
2026-05-05
- Dashboard - Chart-preview upgrade view for Free users.
2026-05-04
- Site - New /why-eu positioning page; added the ML-vs-PoW trade-off disclosure to the comparison table.
2026-05-03
- Widget - Added 'event' submit mode for Livewire / SPA integrations and
automatic re-init on
wire:navigate. - Billing - Exposed the Lemon Squeezy customer portal for consumers.
- Admin - Internal /admin users panel; SEO metadata + JSON-LD across public pages.
2026-04-30
- Widget - Debug mode for client-side timing visibility
(
data-captcha-debug). - Blog - Launched the engineering blog at /blog.
At launch (April 2026)
- Widget - Drop-in script with
data-captcha, HMAC-signedcaptcha_attestationverified locally with a per-project secret key; lazy/eager load control; rotating secret keys. - Protection - Proof-of-Work challenge with soft-serve over-limit on paid plans (visitors never blocked) and a cap on Free.
- Billing - Paid plans live: Stripe for CZ + EU B2B (reverse charge with live VIES validation), Lemon Squeezy as Merchant of Record for consumers and ROW; self-service downgrade; invoice list + PDF download.
- Dashboard - Usage tracking, limit banners (80% / 100%), project key management, transactional emails for limits and payments.
- Legal - Trust center, DPA, sub-processors, privacy with full data disclosure, ePrivacy notice, controller/processor split.
- Docs - Documentation and live demo pages.