---
type: reference
---

# Features

Headline list of what Caputchin does, split across the three plans. Each row links to the topic doc for detail. This page is the "what does this product do?" reference; for "what we ship in MVP versus later" see [roadmap](roadmap.md).

Plans build on each other: Paid includes everything in Free, Enterprise includes everything in Paid. The columns below show **where a feature is first introduced**.

| Status | Meaning |
|---|---|
| **MVP** | Ships in the [10-week MVP](roadmap.md#build-phases) |
| **Post-MVP** | Deferred to a later build slot; design may not exist yet |

## Plans at a glance

| Dimension | Free | Paid | Enterprise |
|---|---|---|---|
| Rate limits (not configurable — auto-tiered) | Low | High | Unlimited |
| Statistics & data | Aggregated only | Aggregated + per-session details | Same as Paid |
| [Hosted verification](hosted-verification.md) | — | ✓ | ✓ |
| Scoreboards (Post-MVP) | — | ✓ | ✓ |
| Extended game languages (Post-MVP) | — | ✓ | ✓ |
| Custom game themes (Post-MVP) | — | ✓ | ✓ |
| White labeling (Post-MVP) | — | — | ✓ |
| Custom forwarder domains (Post-MVP) | — | — | ✓ |
| Audit logs (Post-MVP) | — | — | ✓ |
| Multi-account / teams (Post-MVP) | — | — | ✓ |
| SSO / SLA / dedicated support (Post-MVP, TBD) | — | — | ✓ |

## Core verification

| Feature | Plan | Status |
|---|---|---|
| Gamified CAPTCHA via [`<caputchin-widget>` element](widget.md) | Free | MVP |
| Cap PoW + browser instrumentation bundled into the widget — see [cap-integration](cap-integration.md) | Free | MVP |
| Three-endpoint platform API (`/game/start`, `/game/complete`, `/siteverify`) — see [api](api.md) | Free | MVP |
| Server-side replay protection + wrapped-token HMAC — see [api](api.md#wrapped-token) | Free | MVP |
| Pool selection (`games="a,b,c"` attribute) — see [widget](widget.md#pool-selection-games) | Free | MVP |

## Backend integration

| Feature | Plan | Status |
|---|---|---|
| Call `/siteverify` from any HTTP client — see [snippets](snippets.md) | Free | MVP |
| Public OpenAPI spec for codegen — see [api — OpenAPI spec](api.md#openapi-spec) | Free | MVP |
| [Hosted verification](hosted-verification.md) — point your form at Caputchin instead of running your own backend; webhook + email destinations | **Paid** | MVP |
| Custom forwarder domains (`forms.yourdomain.com`) for hosted verification | **Enterprise** | Post-MVP |

## Mobile

| Feature | Plan | Status |
|---|---|---|
| [Mobile embed page](mobile.md) for WebView integrations | Free | MVP |
| Native iOS / Android SDKs (thin wrappers over WebView) | Free | Post-MVP — see [mobile](mobile.md) |

## Game ecosystem

| Feature | Plan | Status |
|---|---|---|
| [Game SDK](game-sdk.md) — author games against a stable `register()` contract | Free | MVP |
| [Three distribution paths](game-distribution.md) (marketplace via jsDelivr, self-hosted, bundled) | Free | MVP |
| [Marketplace](marketplace.md) browse, support-flag filters, GitHub-topic indexer | Free | MVP |
| Marketplace publishing (anyone with a GitHub repo) | Free | MVP |
| 1–2 first-party games seeding the catalog | Free | MVP |
| Extended game language set beyond default | **Paid** | Post-MVP |
| Custom game themes (colors, custom assets) | **Paid** | Post-MVP |

## Account management — four [modalities](management-api.md)

All four modalities give every account the same management capability; the choice is ergonomic, not tier-gated. See [ADR-0012](adr/0012-four-management-modalities.md).

| Feature | Plan | Status |
|---|---|---|
| [Dashboard UI](dashboard.md) — humans clicking | Free | MVP |
| OpenAPI surface for the [management API](management-api.md) — programmatic from any language | Free | MVP |
| MCP server (`@caputchin/mcp` + hosted at `mcp.caputchin.com`) for AI agents | Free | MVP |
| Terraform provider (`caputchin/caputchin` on the Terraform Registry) for IaC | Free | MVP |
| Account-level management API tokens (`cpt_pat_...`) — see [management-api — Authentication](management-api.md#authentication) | Free | MVP |
| Site key management: create, rotate secrets, domain allowlist | Free | MVP |

## Statistics & data

The privacy guardrail: **"details" means per-session metadata** (`sessionId`, `gameId`, `score`, `durationMs`, timestamp). It does **not** mean user-identifying data — no IPs, UAs, geo, fingerprints, or cross-session identifiers at any plan. The [structural privacy posture](privacy.md#why-structural) holds across all tiers.

| Feature | Plan | Status |
|---|---|---|
| Aggregate per-site-key counters: sessions started / client-completed / server-verified — see [dashboard](dashboard.md#integration-health-diagnostics) | Free | MVP |
| Integration health diagnostics derived from those counters | Free | MVP |
| Per-session details (`sessionId`, `gameId`, `score`, `durationMs`, timestamp) — enables scoreboards and richer dashboards | **Paid** | Post-MVP |
| Scoreboards — per-site-key, per-game leaderboards with 3-letter session-scoped handles set asynchronously, no per-user data — see [privacy](privacy.md), [ADR-0014](adr/0014-scoreboard-3letter-async-naming.md) | **Paid** | Post-MVP |

## Rate limits

Caputchin applies rate limits per site key. The limits are not customer-configurable; they are set automatically based on plan. We adjust the thresholds as we observe abuse patterns, and the specific values are deliberately not pinned in the docs so that we retain that flexibility.

| Feature | Plan | Status |
|---|---|---|
| Low default rate limit | Free | MVP |
| High rate limit | **Paid** | MVP |
| Unlimited rate limit | **Enterprise** | MVP |

## Branding

| Feature | Plan | Status |
|---|---|---|
| Caputchin branding visible on the widget | Free / Paid | MVP |
| **White labeling** — remove Caputchin branding from the widget | **Enterprise** | Post-MVP |

## Enterprise extras

Specifics will be filled in as enterprise demand emerges and the shape of the first deal informs scope.

| Feature | Plan | Status |
|---|---|---|
| Custom forwarder domains for [hosted verification](hosted-verification.md) | **Enterprise** | Post-MVP |
| Audit logs — who-did-what across the four [management modalities](management-api.md) | **Enterprise** | Post-MVP |
| Multi-account / teams — org-level membership + role split | **Enterprise** | Post-MVP |
| SSO for dashboard login | **Enterprise** | Post-MVP (TBD) |
| SLA guarantees | **Enterprise** | Post-MVP (TBD) |
| Dedicated support channel | **Enterprise** | Post-MVP (TBD) |

## What we deliberately do not offer — at any plan

These are structural commitments, not gaps to be filled — see [principles](principles.md) and [privacy](privacy.md).

| Feature | Why we don't offer it |
|---|---|
| Confidence / risk score from CAPTCHA | [ADR-0002](adr/0002-no-risk-scoring.md) — score is gameplay metadata, never a security signal |
| User-level analytics, IP / UA / geo / fingerprint collection | [Privacy is structural](principles.md#privacy-is-structural). We can't leak what we don't have. |
| Self-hosting | [ADR-0004](adr/0004-closed-source-mvp.md) — hosted-only at MVP; open-core remains a deferred option |
| Per-language server or client SDKs (Node, Python, Go, …) | [ADR-0011](adr/0011-drop-server-library-mvp.md) — we ship the contract + OpenAPI + snippets; customers codegen their own |
| Framework-specific widget wrappers (React / Vue / Svelte / etc.) | The [web component](widget.md) works in every framework natively — see [roadmap](roadmap.md#whats-deferred-entirely) |
| Game pool lock / centralized game configuration | [Honesty over theater](principles.md#honesty-over-theater) — looks like security, isn't |
| Action binding | Same — [deferred entirely](roadmap.md#whats-deferred-entirely) |
| Hosted verification submission storage / "inbox" UI | [ADR-0007](adr/0007-hosted-verification-paid-only.md) — privacy posture intact, customers build records on their webhook end |
| Indexing or querying scoreboards by nickname | [ADR-0014](adr/0014-scoreboard-3letter-async-naming.md) — would approximate per-user analytics |
| Configurable rate limits | Per-customer tuning is a support tax for limits that protect our infrastructure. Sensible defaults per plan, set by Caputchin. |
