Widget Integration

Integrating ALTCHA into your website or web app is straightforward and can be done within minutes.

The widget performs the user verification by computing the proof-of-work challenge and when used with the Sentinel, it also provides necessary UI for the optional code challenge.

Note Ensure you install the latest 2.x.x version of the altcha package.

Installation via NPM

Install the package:

Terminal window npm install altcha

Import it into your project:

form.js import " altcha " ;

Alternatively, download the script

Download the ALTCHA script from GitHub or use the CDN:

https://cdn.jsdelivr.net/gh/altcha-org/altcha/dist/altcha.min.js

To integrate the widget, add the script to your website:

form.html < script async defer src = " /altcha.js " type = " module " ></ script >

For optimal integration, place the script tag within the <head> section.

Examples

Mobile

Using <altcha-widget>

The ALTCHA widget functions as a Web Component and utilizes the browser’s internal capabilities to register a new tag <altcha-widget> . Integrate this tag within your forms:

form.html < form > < altcha-widget challengeurl = " {YOUR_SERVER_HERE} " ></ altcha-widget > </ form >

Configure the challengeurl with your server’s address.

Usage with Sentinel

When using Sentinel for challenge generation, configure the widget with your Sentinel endpoint URL:

< form > < altcha-widget challengeurl = " https://sentinel.example.com/v1/challenge?apiKey=key_... " ></ altcha-widget > </ form >

Where to find these values:

Endpoint URL: This is your Sentinel instance’s base URL with /v1/challenge path API Key: A unique key authenticating your application with Sentinel

Both values are available in your Sentinel app.

Internationalization (i18n)

ALTCHA supports 50+ languages. You can import individual language translations or a bundle that includes all of them.

To import all translations:

import " altcha/i18n/all " ;

To import specific languages only:

import " altcha/i18n/de " ; import " altcha/i18n/fr-fr " ;

Alternatively, you can import the combined bundle, which includes both the widget and all translations:

import " altcha/i18n " ;

When using the CDN:

https://cdn.jsdelivr.net/gh/altcha-org/altcha/dist_i18n/fr-fr.min.js

Language Detection

The widget automatically detects the language from:

The <html lang="..."> attribute

attribute The user’s browser settings ( navigator.languages )

To override the language manually, use the language attribute:

< altcha-widget language = " de " ></ altcha-widget >

Customizing Translations

You can override default translations by updating the global altchaI18n registry ( globalThis.altchaI18n or window.altchaI18n ):

import " altcha/i18n/de " ; globalThis . altchaI18n . set ( " de " , { ...globalThis . altchaI18n . get ( " de " ), label: " Ich bin ein Mensch " , // Custom label });

Supported Languages

Afrikaans ( af )

) Albanian ( sq )

) Amharic ( am )

) Arabic ( ar )

) Armenian ( hy )

) Azerbaijani ( az )

) Bengali ( bn )

) Basque ( eu )

) Belarusian ( be )

) Bosnian ( bs )

) Bulgarian ( bg )

) Catalan ( ca )

) Chinese - Simplified ( zh-cn )

) Chinese - Traditional ( zh-tw )

) Croatian ( hr )

) Czech ( cs )

) Danish ( da )

) Dutch ( nl )

) English ( en )

) Estonian ( et )

) Finnish ( fi )

) French - Canada ( fr-ca )

) French - France ( fr-fr )

) Georgian ( ka )

) German ( de )

) Greek ( el )

) Hebrew ( he )

) Hindi ( hi )

) Hungarian ( hu )

) Icelandic ( is )

) Indonesian ( id )

) Italian ( it )

) Irish ( ga )

) Japanese ( ja )

) Kazakh ( kk )

) Korean ( ko )

) Latvian ( lv )

) Lithuanian ( lt )

) Luxembourgish ( lb )

) Macedonian ( mk )

) Maltese ( mt )

) Marathi ( mr )

) Montenegrin ( me )

) Norwegian Bokmål ( nb , no )

, ) Persian ( fa )

) Polish ( pl )

) Portuguese - Brazil ( pt-br )

) Portuguese - Portugal ( pt-pt )

) Romanian ( ro )

) Russian ( ru )

) Serbian ( sr )

) Slovak ( sk )

) Slovenian ( sl )

) Spanish - Spain ( es-es )

) Spanish - Latin America ( es-419 )

) Swahili ( sw )

) Swedish ( sv )

) Tamil ( ta )

) Telugu ( te )

) Thai ( th )

) Turkish ( tr )

) Turkmen ( tk )

) Ukrainian ( uk )

) Urdu ( ur )

) Vietnamese ( vi )

) Yoruba ( yo )

Regional packages:

All ( all )

) Africa ( africa )

) Americas ( americas )

) Asia ( asia )

) Europe ( europe )

Widget Customization

To tweak and adjust the widget to match your aesthetics and UI, refer to the Widget Customization guide.

Configuration

Required options (at least one is required):

challengeurl - URL of your server to fetch the challenge from. Refer to server integration.

- URL of your server to fetch the challenge from. Refer to server integration. challengejson - JSON-encoded challenge data. If avoiding an HTTP request to challengeurl , provide the data here.

Additional options:

auto : Automatically verify without user interaction (possible values: off , onfocus , onload , onsubmit ).

: Automatically verify without user interaction (possible values: , , , ). credentials : Whether to include credentials with the challenge request (possible values: omit , same-origin , include ).

: Whether to include credentials with the challenge request (possible values: , , ). customfetch : A custom fetch function for retrieving the challenge.

Accepts url: string and init: RequestInit as arguments and must return a Response .

: A custom function for retrieving the challenge. Accepts and as arguments and must return a . delay : Artificial delay in milliseconds before verification (defaults to 0).

: Artificial delay in milliseconds before verification (defaults to 0). disableautofocus : If true, prevents the code-challenge input from automatically receiving focus on render (defaults to false ).

: If true, prevents the code-challenge input from automatically receiving focus on render (defaults to ). expire : Challenge expiration duration in milliseconds.

: Challenge expiration duration in milliseconds. floating : Enable floating UI (possible values: auto , top , bottom ).

: Enable floating UI (possible values: , , ). floatinganchor : CSS selector of the “anchor” to which the floating UI will be attached (defaults to the button[type="submit"] in the related form).

: CSS selector of the “anchor” to which the floating UI will be attached (defaults to the in the related form). floatingoffset : Y offset from the anchor element for the floating UI in pixels (defaults to 12 ).

: Y offset from the anchor element for the floating UI in pixels (defaults to ). floatingpersist : Whether to “persist” (keep visible) the floating widget after verification (possible values: true | false | focus ; defaults to false , meaning the widget will hide).

: Whether to “persist” (keep visible) the floating widget after verification (possible values: | | ; defaults to , meaning the widget will hide). hidefooter : Hide the footer (ALTCHA link).

: Hide the footer (ALTCHA link). hidelogo : Hide the ALTCHA logo.

: Hide the ALTCHA logo. id : The checkbox id attribute. Useful for multiple instances of the widget on the same page.

: The checkbox attribute. Useful for multiple instances of the widget on the same page. language : The ISO alpha-2 code of the language to use (the language file be imported from altcha/i18n/* ).

: The ISO alpha-2 code of the language to use (the language file be imported from ). maxnumber : Max number to iterate to (defaults to 1,000,000).

: Max number to iterate to (defaults to 1,000,000). name : Name of the hidden field containing the payload (defaults to “altcha”).

: Name of the hidden field containing the payload (defaults to “altcha”). overlay : Enables overlay UI mode (automatically sets auto="onsubmit" ).

: Enables overlay UI mode (automatically sets ). overlaycontent : CSS selector of the HTML element to display in the overlay modal before the widget.

: CSS selector of the HTML element to display in the overlay modal before the widget. strings : JSON-encoded translation strings. Refer to customization.

: JSON-encoded translation strings. Refer to customization. refetchonexpire : Automatically re-fetch and re-validate when the challenge expires (defaults to true).

: Automatically re-fetch and re-validate when the challenge expires (defaults to true). workers : Number of workers to utilize for PoW (defaults to navigator.hardwareConcurrency || 8 , max value 16 ).

: Number of workers to utilize for PoW (defaults to , max value ). workerurl: URL of the Worker script (defaults to ./worker.js , only works with external build).

Data Obfuscation options:

obfuscated: The obfuscated data provided as a base64-encoded string (requires altcha/obfuscation plugin). Use only without challengeurl / challengejson .

Development / testing options:

debug - Print log messages in the console.

- Print log messages in the console. mockerror - Causes the verification to always fail with a “mock” error.

- Causes the verification to always fail with a “mock” error. test - Generate

Methods

configure(options) - Configures the widget with the given options. See Configuration options above.

- Configures the widget with the given options. See Configuration options above. getConfiguration() - Returns the current configuration.

- Returns the current configuration. getState() - Returns the current state of the widget.

- Returns the current of the widget. show() - Displays the widget (used in floating or overlay mode).

- Displays the widget (used in floating or overlay mode). hide() - Hides the widget (used in floating or overlay mode).

- Hides the widget (used in floating or overlay mode). reset(state?, err?) - Resets the internal state , optionally with an error.

- Resets the internal , optionally with an error. setState(state, err?) - Manually sets the specified state , optionally with an error.

- Manually sets the specified , optionally with an error. setFloatingAnchor(element) - Sets the anchor element for the floating UI.

- Sets the anchor element for the floating UI. verify() - Initiates the verification process.s a “mock” challenge within the widget, bypassing the request to challengeurl .

Events

code - Triggers when code-challenge verification is requested.

- Triggers when code-challenge verification is requested. load - Triggers when the widget loads. The exported methods become available after this event.

- Triggers when the widget loads. The exported methods become available after this event. sentinelverification - Triggers upon a verification with ALTCHA Sentinel.

- Triggers upon a verification with ALTCHA Sentinel. serververification - (Deprecated) Triggers upon a server verification (only in conjunction with spamfilter ).

- (Deprecated) Triggers upon a server verification (only in conjunction with ). statechange - Triggers whenever an internal state changes.

- Triggers whenever an internal changes. verified - Triggers when the challenge is verified.

Using events:

form.js document . querySelector ( " #altcha " ) . addEventListener ( " statechange " , ( ev ) => { // state can be: unverified, verifying, verified, error console . log ( " state: " , ev . detail . state ); if ( ev . detail . state === " verified " ) { // payload contains base64 encoded data for the server console . log ( " payload: " , ev . detail . payload ); } });

Content Security Policy (CSP)

The default Web Component bundle includes both styles and the Web Worker in a single file. To support this setup, the worker is executed from a Blob . This requires your CSP to allow the blob: source:

Content-Security-Policy : script-src 'self'; worker-src 'self' blob:

However, bundling everything into a single file may not be compatible with strict CSP configurations. For strict CSP compliance, use the modular assets provided in the /dist_external directory, or import the external build manually.

form.js

altcha_worker.js import " altcha/external " ; import " altcha/altcha.css " ; import " altcha/worker " ;

With this approach, the following components are included separately:

altcha/external – The Web Component without injected CSS or Web Worker.

– The Web Component without injected CSS or Web Worker. altcha/worker – The Web Worker.

– The Web Worker. altcha/altcha.css – CSS for the widget.

This modular setup allows ALTCHA to function properly without requiring blob: in your CSP, making it suitable for applications with strict security requirements.

For a complete example and setup guide, see the altcha-starter-csp repository.

Caveats

Secure context requirement The widget utilizes the browser’s built-in subtle.crypto interface to compute solutions securely. It’s essential to note that this cryptographic interface is exclusively available in a secure context, commonly implemented through HTTPS. The widget necessitates a secure HTTPS connection to operate. Websites served over insecure HTTP connections will not support the widget’s functionality due to the absence of the required cryptographic interface. To ensure seamless widget operation, always serve your website securely via HTTPS.

JavaScript dependency The widget operates with JavaScript and relies on its execution environment to perform computation and submission functions. Consequently, JavaScript-enabled browsers are a prerequisite for users to interact successfully with the widget. When integrating the widget into website forms, consider that users without JavaScript enabled in their browsers will be unable to utilize or submit forms protected by the widget. Ensure your audience is aware of this requirement for seamless form submission.

Bundle Size

ALTCHA’s default bundle is lightweight, combining all assets, including CSS and the JavaScript Web Worker, into a single file. When GZIPped, it totals about 30 kB, making ALTCHA’s widget about 90% smaller than reCAPTCHA.

Distribution Size (GZIPped) ALTCHA 30 kB ALTCHA with all translations 46 kB Cloudflare Turnstile 85+ kB hCaptcha 250+ kB reCAPTCHA 300+ kB

Accessibility

For details on WCAG compliance and accessibility best practices, see the WCAG compliance guide.

Having Troubles?