The CAPTCHA that doesn’t spy on your users.

A 5-second mini-game your users will actually finish — no tracking, no “select all the buses”.

live demo

Loading widget

The same widget your users will see. Try it.

Get your site key See the 5-minute install →See the 5-minute install →

Free up to 5,000 verifications a month. No credit card.

Made to feel human
Privacy-first
Fast integration

Build01

See the install path

Jump straight to the page markup and the verify call instead of reading the whole pitch first.

Open integration →

Trade-off02

Compare it to reCAPTCHA

Check the UX, privacy, and bundle-weight differences without leaving the landing page.

Open comparison →

Proof03

See what we refuse to collect

Go straight to the privacy posture and the public verification story that supports it.

Open trust →

Plan04

Price the rollout fast

See the free-to-paid path, white-labeling, and support tiers before you commit time.

Open pricing →

Live, served by Playtcha across the public web in the last 30 days.

0 verifications0 rejected attempts

How it works

Three things happen, in this order.

You drop in two lines.

A <script> tag and a <div>. That's the integration.

Your user plays a tiny game.

They get one short game from the rotation, with no immediate repeats. It finishes in seconds and feels like part of your product instead of a punishment.

Your server verifies the token.

One POST to /v1/verify. We say yes or no. You decide what to do.

That’s it. No SDK required.

Why users actually finish it

The goal is not to win an arms race in public copy. The goal is to stop common abuse without making real people hate your form.

No image-grid punishment.

Users get a short game up front, not an invisible score that may suddenly turn into fire hydrants and buses.

Fast enough for signup flows.

The goal is a few seconds of friction, not a side quest. That matters on mobile, checkout, and auth screens.

Feels like part of your product.

Branding controls and a compact widget make it look deliberate instead of pasted in from a third party.

Honest about the trade.

We are not claiming magic or an unbeatable moat. The bet is better user experience, cleaner privacy posture, and enough verification for real-world abuse.

Pick the trade-off you actually want

If your real question is what feels better for customers, start with the direct comparisons instead of another long vendor checklist.

Experience guide

Turnstile vs Playtcha

Invisible giant-vendor flow versus a lighter, visible check that feels more human.

Read →

Experience guide

hCaptcha vs Playtcha

Classic image-grid replacement versus a shorter, less hostile verification moment.

Read →

Experience guide

Friendly Captcha vs Playtcha

Two privacy-first approaches: disappear entirely or show up briefly in a way that feels better.

Read →

Why not just use reCAPTCHA?

Because the best CAPTCHA is the one real users finish without resentment.

	Playtcha	reCAPTCHA v3
How it feels	A short game users can finish right away.	An invisible score until it turns into an image grid.
Tracks user behavior	No	Yes
Sends data to ad network	No	Yes
Bundle weight	~14 KB gzipped.	~250 KB+.
Works without third-party cookies	yes	Degraded.
GDPR / CCPA paperwork required	Minimal.	Yes — DPA + cookie consent.

We are not trying to out-Google Google on abuse telemetry. The product bet is better user experience, cleaner privacy posture, and enough layered verification for normal web flows.

Numbers from public sources, March 2026. We will keep this honest as both products evolve. If something here is wrong, tell us.

Integration

Two lines on the page. One POST on your server. That’s it.

On the page

index.html

<script src="https://playtcha.com/v1/widget.js" async defer></script>
<div class="playtcha" data-sitekey="YOUR_PUBLIC_SITE_KEY"></div>

On your server (Node example)

server.ts

const verifyRes = await fetch("https://playtcha.com/v1/verify", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    secret: process.env.PLAYTCHA_SECRET,
    token: req.body["playtcha-token"],
  }),
});

const result = await verifyRes.json();
if (!verifyRes.ok || !result.success) {
  return res.status(400).send("Verification failed");
}

Server-side check is the security guarantee — without it, an attacker can fake the front-end token. Want the full language versions? Open the quickstart →

Full quickstart — Node, Python, Go, Ruby, PHP →

Simple pricing. No surprises.

Start free. Upgrade when you need more volume, white-labeling, or the full game lineup.

Free

Best for side projects and first integrations

€0

Enough volume to test the full verification loop in production without a card.

Verifications/mo: 5,000
Domains per project: 1
Games included: 4 rotating games
Widget branding: Powered by Playtcha
Email support: Community

Get your site key

Starter

Best for production signup and auth flows

€4.99 /mo

The clean upgrade when the widget is already part of your product and you want white-labeling.

Verifications/mo: 50,000
Domains per project: 5
Games included: All 8 games
Widget branding: White-label
Email support: 48h

Start Starter

Business

Best for teams shipping at real volume

€9.99 /mo

For customer-facing products that want the full game pool.

Verifications/mo: 500,000
Domains per project: 25
Games included: All 8 games
Widget branding: White-label
Email support: 24h

Start Business

No credit card for Free. Stay on it forever if it fits.

If you exceed your tier we warn you at 80% and 100%. We never break your site silently.

Paid tiers can disable the powered-by chip per project from the dashboard, so white-label branding is a real product feature today, not a sales promise.

EU consumers: subscribing to a paid plan is a distance contract. You have a 14-day right of withdrawal. See the refund & withdrawal policy for how to cancel and the model withdrawal form.

Availability without an SLA number

Four-nines numbers are easy to print and hard to verify. We’d rather tell you exactly how our outages affect your form, and give you the code that makes the promise true.

Designed to fail open.

When our verifier is unavailable, the documented server-side pattern treats the user as human instead of rejecting them. See failure handling for the exact code.

Your signup form never breaks because of us.

A Playtcha outage shouldn’t become your downtime. Our contract with you is the snippet, not a four-nines number we can’t verify from outside.

Project-owner email at Sev-1 (coming soon).

Project owners will get an email when a Sev-1 incident is declared and when it resolves. The alerting pipeline is in progress; the trust page will list the trigger criteria once it’s live.

Honest framing on bot tolerance during outages.

Fail-open means we accept a small amount of bot traffic during our own outages so your form keeps working. For high-stakes flows that can’t tolerate that, opt into fail-closed with PLAYTCHA_FAIL_CLOSED=1.

What we refuse to collect

The experience gets better when verification doesn’t double as surveillance. This is the short list. The long list is in our privacy policy.

No behavioral tracking.

We don't measure mouse paths, scroll, or time-on-page.

No third-party cookies.

Nothing on your site loads from an ad network because of us.

No data sold or shared.

Telemetry stays in our database. We have nothing to sell.

No fingerprinting.

We don't compute device identifiers. We don't need them.

Public metrics and the backend rules we actually enforce →

Questions developers actually ask

Are you claiming stronger security than the giants?

No. Google and Cloudflare have larger abuse teams and more telemetry than we do. Playtcha's bet is different: better user experience, better privacy posture, and enough layered verification for normal signup, auth, and contact-form abuse. Pair it with rate limits and sane app-level defenses.

Can a bot still beat the games?

A determined attacker can spend money on human solvers or build for the exact widget, just like with any other CAPTCHA. We rotate games, randomize the challenge, and bind each run to short-lived single-use tokens so trivial automation is much harder, but we do not market this as unbeatable.

What happens if Playtcha goes down?

Your form keeps working. Playtcha is designed to fail open: when our verifier is unavailable, the documented server-side pattern treats the user as human instead of breaking the form. High-stakes flows can opt into fail-closed with an env var. The full contract is in our failure-handling guide at /learn/failure-handling.

Can I self-host?

Not at the moment. We host both the widget and the verification backend. If you have hard data-residency requirements, email support@playtcha.com and we'll talk through what's possible.

Is the user's audio / camera ever used?

No camera or microphone. The shipped widget is mouse, keyboard, or touch only.

What about screen-reader users?

The widget has better focus management, keyboard support, and larger mobile touch targets than traditional image CAPTCHAs, but it is still a visual minigame product. We do not ship a non-visual completion path today.

How is this priced compared to reCAPTCHA Enterprise?

reCAPTCHA Enterprise is roughly €0.92 per 1,000 assessments ($1 USD) past its 10,000/month free tier. Our Business plan is roughly €0.02 per 1,000. Numbers as of May 2026.