I Built a CAPTCHA Killer Using Behavioral Micro-Signals — Here's the Math Behind It

Aswin S — Tue, 24 Feb 2026 14:01:35 +0000

The Problem
CAPTCHAs are the worst UX on the internet. And now they don't even work.
GPT-4V solves image CAPTCHAs with >99% accuracy. Google's reCAPTCHA is essentially a surveillance tool that tracks users across the web in exchange for "free" bot detection. And the $4.1B CAPTCHA industry has no answer.
I decided to build something fundamentally different.
The Insight
When you interact with a device, your body produces involuntary micro-signals. Your hand trembles slightly (3-12Hz physiological tremor). Your scroll speed varies with attention. Your typing rhythm reflects cognitive load. And critically — these signals are correlated because they share physiological drivers.
Your heartbeat creates micro-vibrations in your hand. Your breathing modulates your grip. Your neural oscillations affect your motor planning. This interconnection creates a coherence signature unique to living biological systems.
The 5 Signal Channels

Pointer Dynamics typescriptfunction pointerJitter(samples: {x: number, y: number, t: number}[]): number { const displacements = samples.map((s, i) => i > 0 ? Math.sqrt((s.x - samples[i-1].x)2 + (s.y - samples[i-1].y)2) : 0 ).filter(d => d > 0); const mean = displacements.reduce((a, b) => a + b, 0) / displacements.length; const variance = displacements.reduce((a, d) => a + (d - mean)**2, 0) / displacements.length; return Math.min(Math.sqrt(variance) / 5, 1); }
Scroll Entropy — Shannon entropy of scroll velocity distribution
Keystroke Rhythm — Coefficient of variation of inter-key intervals
Micro-Tremor — Power spectral density in the 3-12Hz band
Cross-Channel Coherence — Pearson correlation across all channel pairs Why Bots Can't Beat It A bot can fake one channel. For 5 channels, an attacker must satisfy:

10 pairwise coherence constraints
5 marginal distributions
All evolving naturally over time

This is equivalent to real-time neuromuscular simulation.
Try It
bashnpm install @areyouhuman/sdk
jsximport { AreYouHuman } from '@areyouhuman/sdk/react';

siteKey="your_key"
onVerify={(token) => console.log('Human!', token)}
/>
Demo: areyouhuman-io.vercel.app
Full SDK docs: areyouhuman-io.vercel.app/sdk
Technical whitepaper available on request.

Your app makes 47 API calls on page load. You just don't know it yet.

Aswin S — Sat, 21 Feb 2026 10:32:53 +0000

Open DevTools on your app. Go to Network tab. Filter by XHR. Refresh.

Count the requests.

Now look closer:

That /api/user endpoint? Called 4 times — once by Header, once by Sidebar, once by ProfileCard, once by NotificationBell. Same data. Four round-trips.
Those 25 product cards? Each one fires its own GET /api/products/:id. That's 25 requests instead of 1 batch call.
That status indicator? Polling every 2 seconds. The data changes once a minute. 95% of those polls are wasted.

Lighthouse doesn't see any of this. It scores your HTML, your images, your CSS. Your API layer? Invisible.

So I built a tool that sees it.

One command

npx flux-scan https://your-app.com

That's it. Opens headless Chrome. Watches every API call for 30 seconds. Runs 13 rules. Gives you a score.

Here's what the output looks like:

╔════════════════════════════════════════════════════╗
║  FluxAPI Report — Score: 38/100 (poor)            ║
╚════════════════════════════════════════════════════╝

⚡ Efficiency   ██████░░░░░░░░░░░░░░ 30%
💾 Caching      ████████████░░░░░░░░ 55%
🔄 Patterns     ██████████████░░░░░░ 70%

Issues Found:
  🔴 5 critical  🟡 5 warnings  ℹ️  3 info

Top Fixes:
  E2: GET /api/user called 4x from 4 components
     ⚡ 600ms faster  📉 3 fewer requests
  E3: N+1: 25 individual GET /products/:id
     ⚡ 2.1s faster  📉 24 fewer requests

📛 Add to your README:
  ![FluxAPI Score](https://img.shields.io/badge/FluxAPI_Score-38%2F100-red)

No config. No API key. No signup.

The 13 things it catches

I didn't invent these patterns. Every senior dev has debugged them at 2am. I just automated the detection.

The ones that hurt:

Request Waterfalls — A → B → C → D running sequentially when they have no data dependency. On WiFi, costs 200ms. On Jio 4G? 600ms.
Duplicate Fetches — Same endpoint called from multiple components because nobody made a shared hook. The most common bug I've seen in React/Vue apps.
N+1 Pattern — The backend dev's nightmare, happening in the frontend. List page doing individual fetches instead of one batch.
No Cache Strategy — Zero Cache-Control, zero staleTime. Every single component mount hits the network. Every. Single. One.

The ones that waste:

Over-fetching — API returns 50 fields. Component reads 6. That's 88% wasted bytes on every request.
Polling Waste — Polling every 2s when data changes every 60s. 95% of polls return identical data.
Missing Compression — JSON responses without gzip. On a 87KB product list, that's 52KB wasted per load.

The ones you forget:

Missing Revalidation — Has ETag but never sends If-None-Match
Over-Caching — Cache TTL of 1 hour but data changes every 5 minutes
No Error Recovery — 500s with no retry strategy

Each violation comes with copy-paste fix code that matches your stack. Using TanStack Query? It generates useQuery with the right staleTime. Using SWR? useSWR with dedupingInterval. Not using a data library? Plain Promise.all.

Here's what made me build this

I work at a company in Kerala building tax software. Our app is Laravel + Vue. Users are accountants across India — many on Jio 4G, some on BSNL connections that would make your WiFi cry.

One day I opened Network tab and counted. 43 API calls on the dashboard. Twelve were duplicates. Eight were sequential waterfalls. The app scored 85 on Lighthouse.

Lighthouse said we were fine. Our users in Patna said the app took 8 seconds to load.

That's when I realized: the same API patterns cost 3x more on a mobile network. A waterfall that's 200ms on WiFi is 600ms on Jio 4G. An N+1 that's 1 second on broadband is 4 seconds on Airtel 3G.

So FluxAPI has network-adjusted scoring:

npx flux-scan https://myapp.com --network jio-4g

Same code. Same API calls. Different score. Because your Tier 2 users aren't on WiFi.

Network	Score Impact
WiFi	Baseline
Jio 4G	~20% harder
Airtel 3G	~40% harder
BSNL 2G	~70% harder

Live monitoring during dev

The CLI gives you a snapshot. But what about catching issues as you write code?

npm install @fluxiapi/vue   # or @fluxiapi/react

<template>
  <RouterView />
  <FluxDevTools />
</template>

One component. A floating badge in the corner with your live score. Click it and a panel expands showing every violation, every request, real-time. Change code, refresh, score updates.

It integrates with TanStack Query, SWR, and Vue Query — so it knows your cache configuration and can suggest better values.

What I want you to do right now

Open your terminal. Run this:

npx flux-scan https://your-app.com -o report.html

Open the report. Look at the score. Look at the top issues. I bet you'll find at least one duplicate fetch you didn't know about.

Then open the report and try the "Copy Badge" button. Add it to your README. Show your team what your API health looks like.

GitHub: github.com/aswinsasi/fluxapi
npm: @fluxiapi/scan
Live demo: fluxapi-phi.vercel.app

MIT licensed. I'd love a ⭐ if this saved you time.

What's the worst API pattern you've found in your codebase? Drop it in the comments — I'm genuinely curious what patterns I should add next.