All features
Configuration

Wire it up. Tune it. Move on.

Configuration is the foundation. Site keys connect your pages to Caputchin. The dashboard is how humans tune them. Site controls reject bad requests before they ever reach the verification gates.

Request gauntlet
Every plan

The request gauntlet.

Before a request reaches verification, it has to clear three site controls. Each one rejects a different kind of bad actor at the cheapest possible cost.

  1. Incoming

    Humans, bots, scripts, all hitting your site key.

  2. Gate 1Origin allowlistRejects: wrong-domain callers
  3. Gate 2Required headersRejects: incomplete envelopes
  4. Gate 3Per-second rate limitRejects: rate floods
  5. SurvivorsReach the verification gates
Bad requests die at the cheapest possible step. Verification only sees what survived the gauntlet.
Dashboard
Every plan

Tune it from the dashboard.

Every site control lives on the per-site config screen. Toggle, slide, type, save. The same options are available through the API for code-first setups.

Stylized preview of the per-site configuration panel. The real dashboard handles the same fields with the same shape.

Foundations

The two things every account uses on every plan. Wire site keys into your pages, click through the dashboard when you need to change something.

Every plan

Dashboard

The browser UI for the humans on your team. Click through everything Caputchin does, including site keys, tokens, billing, members, without writing code. Designed to be the place you spend the least time in once everything is set up.

Where it fits

Day-one setup. Day-thirty audit. Day-365 onboarding a new teammate. The dashboard is where humans do the work that humans should be doing.

Every plan

Site keys

One site key per site. Each carries its own configuration: which domains can use it, what headers it requires, what rate-limit ceiling, what verification surface. Keys rotate without redeploying.

Where it fits

Sub-brands, staging vs production, internal vs customer-facing flows, each gets its own key with its own config. Rotation is a one-click action that doesn't bring down active integrations.

Site controls

Per-site-key knobs that reject bad requests before they reach the verification gates. Tunable from the dashboard, available on every plan. Also covered on the Verification page since they protect what verifies.

Every plan

Per-second rate limit

Each site key has a ceiling on requests per second, set by your plan and tunable below the ceiling. Sustained floods get cut off at the worker, before they reach verification or your backend.

Where it fits

A botnet pointed at your verification endpoint can't drown out your real users by saturating the quota. The cap stops them at the worker.

Every plan

Origin allowlist

List the domains allowed to call each site key. Anything from elsewhere, a leaked key reused on a phishing clone of your site, gets rejected before doing anything.

Where it fits

If a site key leaks (committed to a public repo, scraped off a page), the allowlist stops anyone from using it from a different origin.

Every plan

Required headers

Configure which HTTP headers a request must carry. Real browsers always send them. Cheap or aging scripts often don't bother spoofing the full set.

Where it fits

Cuts most of the noise from low-effort bots that send half a request envelope and call it a day.

Common questions

Site keys, the dashboard, and the controls that screen requests.

What is a site key?
The credential that connects your pages to Caputchin. Each one carries its own configuration: which domains may use it, which headers it requires, its rate-limit ceiling, and its verification surface.
Can I rotate a site key without downtime?
Yes. Rotation is a one-click action that does not bring down active integrations, and keys are decoupled from your account.
What are site controls?
Per-key checks that reject bad requests before verification even runs: an origin allowlist, required headers, and a per-second rate limit. Each one stops a different bad actor at the cheapest possible cost.
What happens if a site key leaks?
The origin allowlist stops anyone from using it from a domain you did not list, so a key scraped off a page or committed to a public repo cannot be reused on a clone of your site.
Do I have to write code to configure it?
No. The dashboard handles every site control with toggles and sliders. The same options are available through the API for code-first setups.

Mint a site key. Set the dials. Ship.

Sign up free, create your first site key, pick the controls that fit your site. Defaults are sane.

Start free