Changelog

What shipped

The running record of what actually changed in production, newest first. Not a roadmap of intentions.

Changelog

What has shipped, newest first. This page is the running record of what actually changed in production, not a roadmap of intentions.

2026-06-21

  • Dashboard - The Monthly Challenges card now shows how many challenges were confirmed server-side via /verify this billing period, right under the usage count. It's the quickest way to tell that your backend integration is actually verifying: the number stays at zero until a /verify call succeeds. Available on every plan, including Free. Like the rest of the meter it updates on page load with a short delay.

2026-06-10

  • Verification - Verification moved to a server-to-server call. Your backend reads the captchaapi_response field and confirms it with one POST to the /verify endpoint, authenticated with your secret key as a Bearer token. Single-use is now enforced on our side, so a given response verifies exactly once and there is no local replay cache to run yourself.
  • Protection - Added signals that flag automated and suspicious traffic alongside the proof-of-work check, surfaced to your backend at verification time. No change to how the widget works for real visitors.
  • Integrations - The Laravel package (3.0) and the WordPress plugin (2.0) both moved to server-side verification; the WordPress plugin no longer keeps a local replay table, and upgrades remove it automatically.

2026-06-06

  • Site - New "For agencies" page at /agencies (and /de/agencies): the case for making captchaapi the default across every client site you build, with free small sites, no cookie banner, EU hosting, and an exit that costs an afternoon.
  • Plans - The Free tier's monthly limit is now 5,000 challenges (previously 10,000). Commercial use stays allowed, and paid tiers are unchanged.

2026-06-04

  • Integrations - The WordPress plugin is now live in the official WordPress.org plugin directory at https://wordpress.org/plugins/captchaapi/, installable straight from any site's Plugins screen.
  • Site - New comparison page at /compare (and /de/compare): a head-to-head against reCAPTCHA, hCaptcha, Cloudflare Turnstile and Friendly Captcha across privacy, EU hosting, cookies and price, with every claim cross-referenced to each provider's own documentation.
  • Blog - New German article on the WordPress plugin: DSGVO-compliant, cookie-banner-free spam protection for the WordPress login, registration, password-reset and comment forms plus Contact Form 7, installed from the plugin directory without code.
  • Blog - New German article on picking a DSGVO-compliant reCAPTCHA alternative, covering the US-transfer, cookie-banner and controller-responsibility issues that fall on the integrator.
  • Blog - New German Friendly Captcha comparison: same EU proof-of-work approach, but 20× the requests at the Starter price, commercial use on the free tier, and EU-only hosting from the first request (Friendly gates its EU endpoint to the €200 plan).
  • Blog - The German articles now have their own German-language home at /de/blog, with German navigation, layout and reading experience; the English /blog stays English-only.
  • Blog - Code blocks in posts now have a one-click copy button.

2026-06-02

  • Site - German is now available across the marketing pages (home, demo, Why EU, Trust Center) at /de, with a language switcher in the header.
  • Integrations - Official WordPress plugin: drop-in proof-of-work CAPTCHA for the login, registration, lost-password, and comment forms plus Contact Form 7, with no code or markup. Verification runs locally with your secret key.

2026-06-01

  • Plans - The Free tier now allows commercial use (previously non-commercial) and its monthly limit rose to 10,000 challenges.
  • Plans - Repeatedly hitting the Free cap deactivates the account. Upgrading restores it instantly - otherwise the account and its data are removed after a retention period. Paid plans are unchanged: they keep serving over the limit and just get an upgrade reminder.
  • Trust - Added a Key Timelines table consolidating every due-diligence deadline (breach 48h, DSAR, sub-processor notice, deletion) in one place.

2026-05-31

  • API - Per-project in-quota rate cap to keep a single noisy project from burning an account's whole monthly allowance.
  • Trust - Added a Business Continuity section (low switching cost, 90-day wind-down notice, protocol published on shutdown).

2026-05-20

  • Privacy - Switched the marketing site to first-party, server-side, cookieless analytics (no IP stored, no third party).

2026-05-15

  • Account - Registration now records versioned legal consent with an audit trail.

2026-05-12

  • Protection - Adaptive attack detection: per-sitekey PoW difficulty now scales up automatically under coordinated abuse, including cross-sitekey IP reputation and offline GeoIP signals - visitors are never hard-blocked.
  • Protection - Flattened the tier difficulty multiplier so a paid sitekey is never a cheaper attack target than a Free one.

2026-05-11

  • Reliability - Production exception monitoring with alerting.

2026-05-08

  • Widget - Per-project configurable attestation TTL, surfaced in the dashboard, debug console, and demo.

2026-05-05

  • Dashboard - Chart-preview upgrade view for Free users.

2026-05-04

  • Site - New /why-eu positioning page; added the ML-vs-PoW trade-off disclosure to the comparison table.

2026-05-03

  • Widget - Added 'event' submit mode for Livewire / SPA integrations and automatic re-init on wire:navigate.
  • Billing - Exposed the Lemon Squeezy customer portal for consumers.
  • Admin - Internal /admin users panel; SEO metadata + JSON-LD across public pages.

2026-04-30

  • Widget - Debug mode for client-side timing visibility (data-captcha-debug).
  • Blog - Launched the engineering blog at /blog.

At launch (April 2026)

  • Widget - Drop-in script with data-captcha, HMAC-signed captcha_attestation verified locally with a per-project secret key; lazy/eager load control; rotating secret keys.
  • Protection - Proof-of-Work challenge with soft-serve over-limit on paid plans (visitors never blocked) and a cap on Free.
  • Billing - Paid plans live: Stripe for CZ + EU B2B (reverse charge with live VIES validation), Lemon Squeezy as Merchant of Record for consumers and ROW; self-service downgrade; invoice list + PDF download.
  • Dashboard - Usage tracking, limit banners (80% / 100%), project key management, transactional emails for limits and payments.
  • Legal - Trust center, DPA, sub-processors, privacy with full data disclosure, ePrivacy notice, controller/processor split.
  • Docs - Documentation and live demo pages.