the swiss army knife of bot prevention and verification.
drop in one script tag. brickwall handles the rest with proof-of-work challenges and signed tokens. static-site and dynamic-site friendly, extremely lightweight, extremely easy to use, very customizable, and very advanced with token audits and bot campaign detection.
<script src="https://brickwall.onrender.com/js/protect.min.js" data-site="YOUR_KEY"></script>
static sites, jamstack, single-page apps... if it serves html, brickwall works.
the script checks for a valid signed token in localStorage. already verified? pass through instantly and nothing shown, no delay.
no valid token — visitor is redirected to a challenge page. browser fingerprinting + a short proof-of-work puzzle. under two seconds for real users.
pass the challenge, receive a signed jwt. bounced back to where they came from with the token in the url. stored locally, lasts 24h by default.
repeated failures, abnormal timing, known bad ip ranges: all handled server-side. your site sees none of it.
no sdk, no complicated setup. just a script tag and a comprehensive dashboard where you can view everything.
minified client script is under 2kb. it will barely touch your lighthouse score.
verification state lives in a signed jwt. your site never calls a database, only we do.
ip-level limits built in. bots hammering the challenge endpoint get progressively longer timeouts.
github pages, netlify, s3, cloudflare — anything that serves html works.
verified visitors pass silently every time. no captchas, no checkboxes, no hoops.
every attempt logged. country, detection type, pass/block status, in real-time. no sensitive info anywhere, privacy friendly.
manage multiple sites from one dashboard. each gets its own key, log, and settings.
allow crawlers, block tor, flag vpns. set token ttl. toggle per site.
mit licensed. self-host it, fork it, read every single line. i really don't care to be honest
yeah, we thought about the weird stuff. we're not much of a sketchy cloudflare turnstile alternative are we now huh??? here's how brickwall handles the edge cases.
| scenario | what happens | user sees anything? |
|---|---|---|
| search engine crawlers (googlebot, bingbot, etc.) | allowed: if enabled, crawlers auto-bypass the challenge and get a token immediately. logged as "crawler". | no |
| tor exit nodes (known tor ip ranges) | blocked: if tor blocking is on, ip is denied before the challenge. shows an access denied message. | access denied page |
| vpn / datacenter ips (known hosting asns) | flagged: logged with detection type. configurable to block outright or just flag. | challenge (not blocked by default) |
| headless browsers (puppeteer, playwright, etc.) | blocked: `navigator.webdriver` check and phantom/nightmare artifact detection on the challenge page. | verification failed page |
| javascript disabled (noscript users) | graceful: noscript fallback message explains that js is required. | noscript message |
| challenge timeout (user walks away mid-challenge) | expires: challenge ids expire after 2 minutes. user is re-challenged cleanly on retry. | no |
| instant solve (pow solved in <200ms) | blocked: timing check flags suspiciously fast solves. a human can't solve it that fast. | verification failed page |
| token expired (returning visitor, ttl elapsed) | re-challenged: expired token cleared, visitor sent back through the challenge flow. | challenge page (transparent) |
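
the server-side checks that the flow and the table above describe (2-minute challenge expiry, rejecting solves under 200ms, a signed token lasting 24h), as an added example that is not brickwall's own code. the sha-256 leading-zero-bits puzzle, the 12-bit difficulty, the hmac-signed blob standing in for a jwt, and every function name are assumptions.

```python
import base64, hashlib, hmac, json, os

SECRET = os.urandom(32)   # constructed signing key for this example
DIFFICULTY_BITS = 12      # assumed; the page does not state the difficulty
CHALLENGE_TTL = 120       # challenge ids expire after 2 minutes (from the page)
MIN_SOLVE_SECONDS = 0.2   # solves under 200ms are rejected (from the page)
TOKEN_TTL = 24 * 3600     # 24h default token lifetime (from the page)

def _sign(claims: dict) -> str:
    payload = json.dumps(claims).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, mac))

def _unsign(blob: str):
    try:
        payload, mac = (base64.urlsafe_b64decode(p) for p in blob.split("."))
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return json.loads(payload) if hmac.compare_digest(mac, expected) else None

def issue_challenge(now: float) -> str:
    # Stateless: nonce and issue time are signed, so the server stores nothing.
    return _sign({"typ": "chal", "nonce": os.urandom(16).hex(), "iat": now})

def pow_ok(challenge: str, counter: int) -> bool:
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - DIFFICULTY_BITS) == 0

def solve(challenge: str) -> int:
    # The visitor's side: brute-force a counter (about 2**12 hashes on average).
    counter = 0
    while not pow_ok(challenge, counter):
        counter += 1
    return counter

def verify_solution(challenge: str, counter: int, now: float):
    """Return (token, reason); token is None when the attempt is rejected."""
    claims = _unsign(challenge)
    if claims is None or claims.get("typ") != "chal":
        return None, "bad_challenge"
    elapsed = now - claims["iat"]   # measured with server clocks only
    if elapsed > CHALLENGE_TTL:
        return None, "challenge_expired"
    if elapsed < MIN_SOLVE_SECONDS:
        return None, "instant_solve"
    if not pow_ok(challenge, counter):
        return None, "bad_pow"
    return _sign({"typ": "pass", "exp": now + TOKEN_TTL}), "ok"
```

because this challenge is stateless, a solved challenge can be replayed until its 2-minute expiry; recording spent nonces server-side closes that window.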
one plan, no surprises. usage-based pricing coming post-beta.
no mailing lists. no sales calls. register and you're in.