PowForge vs Cap.js
Both are self-hosted, MIT-licensed proof-of-work CAPTCHAs. The difference is architectural: Cap.js has a SHA-256 ASIC problem and no answer for iOS Safari WASM crashes. PowForge adds an L402 Lightning-skip tier — pay 3 sats, skip the hash race entirely. That makes the ASIC problem irrelevant and the mobile crash impossible.
Feature comparison
| Feature | PowForge | Cap.js | reCAPTCHA / hCaptcha |
|---|---|---|---|
| Self-hosted | Yes | Yes | No |
| Privacy — no tracking | Yes | Yes | No (Google / Intuition) |
| Open source (MIT) | Yes | Yes | No |
| Lightning L402 skip tier new | Yes — 3 sats | No | No |
| iOS Safari safe (no WASM required) | Yes — both paths WASM-free (pure JS SHA-256 + L402) | WASM-only — crashes on iOS 17 Safari | Yes (ML, no WASM) |
| ASIC-resistant hash function SHA-256 broken | L402 path bypasses hash race | SHA-256 (moving to blake3) | ML behavior, not hash-based |
| Bundle size (gzipped) | ~8 KB | ~12 KB | ~150 KB (Google) / ~120 KB (h) |
| Works offline (once loaded) | Yes | Yes | No |
| Cookies required | None | None | Yes |
| Identity pricing (caller depth) | Yes — DoI oracle integration | No | No |
| External dependencies | 0 (CDN optional) | 0 | Google / hCaptcha JS required |
| npm weekly downloads | ~500 / mo (early) | ~89,000 / mo | N/A (CDN-only) |
Cap.js download figures from npmjs.com as of 2026-05-07. SHA-256 ASIC concession from tiagozip on Product Hunt, 2026 Q1. iOS WASM crash reports: Cap.js issues #203, #237, #235, #243.
⚡ Why L402 changes everything
When a bot or agent pays 3 sats over Lightning, they prove economic stake without computing a single hash. Human users on iOS Safari — where WASM consistently crashes in Cap.js — can pay instead of computing. The Lightning path bypasses the ASIC arms race permanently: it doesn't matter if ASICs crack SHA-256 when the payment itself is the proof of work.
iOS Safari crash (Cap.js)
Cap.js relies on a WASM web worker for its hash loop. Safari on iOS 17 terminates WASM workers under memory pressure — an unrecoverable crash with no fallback path. PowForge avoids this on both paths: the PoW solver is pure JS SHA-256 (no WASM), and the L402 tier requires no computation at all. Either way, no WASM is loaded.
SHA-256 ASIC problem
SHA-256 is Bitcoin's mining hash. ASIC miners can solve a 16-bit PoW challenge in microseconds — bots with dedicated hardware bypass difficulty entirely. Cap.js's maintainer publicly acknowledged this on Product Hunt and announced a migration to blake3. PowForge skips the hash race: L402 payment = proof of economic friction, not computational friction.
When Cap.js wins
If you have no Lightning infrastructure and no mobile traffic from iOS Safari, Cap.js is a solid choice. It has 180x more installs, more community examples, and a simpler integration story. PowForge is the right call when you want Lightning-native pricing, identity-priced access, or iOS compatibility without WASM.
Try PowForge CAPTCHA
Drop-in npm package. Zero tracking. Works on every browser including iOS Safari.
npm install @powforge/captcha