DEV Community: Roco

We replaced reCAPTCHA and haven't looked back

Roco — Sun, 01 Feb 2026 12:30:05 +0000

Why we ditched reCAPTCHA

We had reCAPTCHA on our signup form. Standard stuff.

Then we looked at the analytics. 15% of users who started the signup flow dropped off at the CAPTCHA step. Fifteen percent.

Some of them probably were bots. But most? Regular people who didn't want to click on traffic lights.

We get it. We hate those things too.

The search for alternatives

We looked at:

hCaptcha - Same problem, different pictures
Invisible reCAPTCHA - Better, but still shows challenges sometimes
Turnstile - Decent, but we wanted more control

None of them gave us what we wanted: verification that's truly invisible to legitimate users.

What we built

GATE. Human verification without puzzles.

It works by combining three things:

Behavioral analysis - How does the user interact with the page? Mouse movements, scroll patterns, keyboard timing. Humans are messy. Bots are perfect.

Proof of work - The browser solves a small computational puzzle. Trivial for a single user. Expensive at scale for bot operators.

Environment detection - Is this a real browser? Are dev tools open? Is it running headless?

All of this happens in the background. The user fills out the form normally. By the time they click submit, we already have a verdict.

The score

Each visitor gets a score from 0-100. You decide the threshold.

90+ is almost certainly human
70-89 is probably human
50-69 is suspicious
Below 50 is likely automated

We set our threshold at 60. Aggressive, but our use case tolerates some false positives.

Implementation

<script src="https://gate.sekyuriti.build/v1/gate.js" data-site-key="your-key"></script>

On form submit:

const token = await gate.getToken();
// Send token to your backend for verification

Backend:

const result = await gate.verify(token, secretKey);
if (!result.valid) {
  // Handle bot
}

Results

After switching:

Signup completion: up 12%
Bot signups: down 94%
Support tickets about CAPTCHAs: zero

Honest downsides

It's not free at scale (but neither is reCAPTCHA Enterprise)
Very old browsers might have issues
Some privacy-focused users with heavy blocking might get low scores

Try it

Free tier available. No credit card required.

sekyuriti.build/modules/gate

Blocking bots without blocking users: what actually works

Roco — Fri, 30 Jan 2026 12:30:02 +0000

The bot problem

We run APIs. Nothing special, just services that people pay for.

One day we noticed weird traffic patterns. Thousands of requests from the same endpoints, perfect timing, no mouse movements before the clicks. Bots.

They weren't doing anything malicious per se. Just scraping data and abusing free tiers. But they were costing us money and slowing things down for real users.

What we tried first

Rate limiting by IP - Useless. Residential proxies are cheap. They just rotate IPs.

CAPTCHAs - Users hated it. Conversion dropped. And there are CAPTCHA-solving services anyway.

User agent checks - Trivial to fake.

Honeypot fields - Caught maybe 10% of bots.

None of this worked well enough.

The real question

How do you tell a human from a bot?

Humans are chaotic. They move their mouse in curves. They pause to read. They scroll at irregular intervals. They make typos.

Bots are mechanical. Perfect timing. Straight-line mouse movements (if any). No reading time. Predictable patterns.

What we built

ATTEST. An API protection layer that analyzes request authenticity.

It looks at:

Browser fingerprint consistency
Request timing patterns
Environment signals (headless browser detection)
Behavioral patterns from the frontend

Each request gets a score. You set the threshold for what gets through.

Implementation

Server-side, you verify the attestation token:

const result = await attest.verify(req.headers['x-attest-token']);

if (!result.valid || result.score < 70) {
  return res.status(403).json({ error: 'Verification failed' });
}

The frontend SDK collects signals and generates tokens. The backend verifies them.

What it catches

Headless browsers (Puppeteer, Playwright)
Basic HTTP clients (curl, Python requests)
Most commercial scraping tools
Automated form submissions

What it doesn't catch

Sophisticated attackers who instrument real browsers, solve challenges manually, and mimic human behavior perfectly. But those are rare and expensive to operate at scale.

The trade-off

False positives happen. Legitimate users with unusual setups (Tor, heavy privacy extensions, very old browsers) might get flagged. You tune the threshold based on your tolerance.

We run ours at 65. Blocks most bots, rarely affects real users.

Details

sekyuriti.build/modules/attest

Free tier available for testing.

Your JavaScript source code is public. Here's what we do about it.

Roco — Wed, 28 Jan 2026 12:30:03 +0000

A reality check

Open your browser. Go to any website. Press F12. Click Sources.

Congratulations, you can now read their JavaScript.

Sure, it might be minified. But minified isn't protected. There are tools that un-minify code in seconds. Your variable names might be mangled, but the logic is right there.

For most websites, this doesn't matter. But if you're building:

License checks
Proprietary algorithms
Anti-cheat logic
Premium features

...having that code readable is a problem.

What obfuscation actually does

Let us be clear: obfuscation is not encryption. A determined attacker with enough time will figure it out. That's not the point.

The point is making the cost of reverse-engineering higher than the value of what you're protecting.

If it takes someone 40 hours to understand your license check, and your software costs $20, most people will just pay. Economics.

What we built

CLOAK. JavaScript protection that goes beyond basic minification.

npx @sekyuriti/cloak protect src/

It does a few things:

Control flow flattening - Your nice, readable if/else statements become a state machine. Good luck following the logic.

String encryption - Strings like API endpoints and error messages get encrypted. They're decrypted at runtime.

Domain locking - Code only runs on specified domains. Someone copies your JS to their site? It doesn't execute.

Expiration dates - Time-limited code. Useful for trials or beta releases.

Dead code injection - Fake code paths that do nothing but confuse anyone reading it.

An honest assessment

Will this stop a skilled reverse engineer? No. Given enough time, anything can be cracked.

Will this stop 99% of casual copying? Yes.

Will this make the 1% spend significant time? Also yes.

That's the trade-off. You're not buying invincibility. You're buying friction.

Performance

The protected code is slower. How much depends on the protection level. Light protection is barely noticeable. Heavy protection can add 20-30% overhead.

We recommend protecting only sensitive files, not your entire codebase.

Try it

npx @sekyuriti/cloak protect ./src/license-check.js --domain yourdomain.com

Details at sekyuriti.build/modules/cloak

We got tired of users asking "is this file legit?" so we built a verification system

Roco — Mon, 26 Jan 2026 12:30:01 +0000

The problem

We distribute software. Installers, mods, assets. The usual.

Every week we get messages like:

"Hey I downloaded this from some forum, is it real?"
"Someone shared your file on Discord, should I trust it?"
"How do I know this wasn't tampered with?"

We used to tell them to check the SHA-256 hash. Nobody does that. They don't know how, and honestly, it's a pain.

What we wanted

A simple way for anyone to verify if a file is legitimate. No technical knowledge required. Just drag, drop, done.

What we built

TRACE. A file verification system.

As the creator, you register your files:

npx @sekyuriti/trace register installer.exe

This gives you a TRACE ID like TRC.A7X2.9K4M. Share this ID alongside your downloads.

When someone downloads your file from wherever, they verify it:

npx @sekyuriti/trace verify installer.exe

Or they can just drag the file to sekyuriti.build/trace if they don't want to use the terminal.

If the hashes match, it's real. If not, someone modified it.

How it works

Nothing fancy. When you register a file:

SHA-256 hash is computed locally (your file never leaves your machine)
Hash + metadata gets stored in our database
You get a TRACE ID

When someone verifies:

They compute the hash locally
We check if that hash exists
If yes, we show who registered it and when

That's it. The file itself is never uploaded anywhere.

The "aha" moment

A user messaged us last week. They downloaded a mod from a sketchy reupload site. Before installing, they ran the verify command. Hash matched. They knew it was safe.

That's the whole point. Trust, but verify.

Try it

If you distribute files and deal with the same "is this legit" questions, give it a shot:

sekyuriti.build/modules/trace

Free tier covers most use cases. Questions welcome.