Privacy-respecting spam and bot protection for your forms and logins. No CAPTCHAs for real visitors. No tracking. No third parties.
Every other CAPTCHA makes your visitors do unpaid labour and hands their data to a third party. Unbotable does neither.
Real visitors sail through. Only genuinely suspicious sessions ever see a lightweight challenge — and it runs in the background.
Raw signals are used for a split second to make a decision, then thrown away. We never sell, share, or even keep anything useful.
Nothing is shipped off to Google or Cloudflare. The decision happens on infrastructure you can trust.
What little we store expires on its own. A bot that stops attacking is simply forgotten.
This is a live, random sample straight from our database right now. Go ahead — try to identify a single person from it. You can't. That's the entire point.
That's all of it — anonymous noise that deletes itself within weeks. None of it is you.
Three layers, each cheap to pass for a human and expensive for a bot.
Silent checks first. A hidden trap and a timing check catch the easy majority before anything else runs — no JavaScript required.
Behaviour, not identity. We look at how a session behaves — bots repeat themselves, humans don't — and score it in memory, then forget it.
A challenge only when needed. Borderline sessions solve a tiny background puzzle. Real people never notice; bot farms pay for it at scale.
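How the first and third layers can work on the server, as an added example that is not Unbotable's code: a honeypot field plus a signed render timestamp for the silent checks, and a hash puzzle that costs one hash to verify but many to solve. The field names `website` and `form_token`, the thresholds and the hashcash-style puzzle are assumptions.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)   # per-deployment signing key (assumed)
MIN_FILL_SECONDS = 3               # assumed: faster than a person fills a form
MAX_AGE_SECONDS = 3600             # assumed: older forms must be re-rendered
POW_BITS = 16                      # assumed difficulty of the background puzzle

def _mac(ts, nonce):
    return hmac.new(SECRET, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()

def issue_form_token(now=None):
    """Value for a hidden field, written when the form is rendered (no JS needed)."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_mac(ts, nonce)}"

def silent_checks(form, now=None):
    """Layer 1: return 'pass' or the reason the submission was rejected."""
    if form.get("website", ""):            # honeypot: hidden from people via CSS
        return "honeypot_filled"
    parts = form.get("form_token", "").split(".")
    if len(parts) != 3:
        return "bad_token"
    ts, nonce, mac = parts
    # Verify the signature before trusting ts; compare as bytes in constant time.
    if not hmac.compare_digest(mac.encode(), _mac(ts, nonce).encode()):
        return "bad_token"
    elapsed = (time.time() if now is None else now) - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return "too_fast"
    if elapsed > MAX_AGE_SECONDS:
        return "expired"
    return "pass"

def pow_ok(nonce, counter, bits=POW_BITS):
    """Layer 3: one hash to verify; finding counter takes about 2**bits hashes."""
    digest = hashlib.sha256(f"{nonce}.{counter}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0

def solve_pow(nonce, bits=POW_BITS):
    """What a background solver in the browser would do (here for demonstration)."""
    counter = 0
    while not pow_ok(nonce, counter, bits):
        counter += 1
    return counter
```

The signed token stays valid for the whole `MAX_AGE_SECONDS` window, so a deployment that wants single-use forms would also record each nonce it has accepted.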
No account, no API keys, no tracking — not even on this page. Both packages are in the works. Expect a little wiring to point them at your forms; not much.
Middleware, Blade directives and a Vue/Inertia helper. Install it, add the middleware to a route, drop a directive in your form.
Hooks into the forms you already use — Elementor, WPBakery, comments and login. A short setup, then it runs itself.
We're not collecting your email to tell you when they're ready — that wouldn't be very us. They'll show up right here.