Skip to content
How it works

See stopbot in action

A real form, protected by one attribute. Submit it as a normal visitor, peek behind the curtain in debug view, or simulate an attacker and watch the server block it.

Add the script with your site key and a data-stopbot attribute on the form — that's the whole integration.
html
<script src="https://app.stopbot.io/v1/stopbot.js"
        data-sitekey="sb_pub_4a1f8c30d92b6e7150af23c8be94d6f2" defer></script>

<form action="/signup" method="POST" data-stopbot>
  <input name="name" type="text">
  <input name="email" type="email">
  <button type="submit">Create account</button>
</form>

Try submitting the form as…

yourdomain.com/signup simulated attacker

To your visitor, nothing happened — the form just submitted. That's the point.

stopbot · proof-of-work · 4 challenges 16 bits each · raised
Attempts
0
Hashes/s
0
Time
0.0s
Injected token (stopbot_token): the 4 proofs, combined

POST /signup → your server
your server verify with stopbot

Submit the form above to see what your server receives.

// 1. your /signup handler receives the form

// stopbot.js only added stopbot_token. It never reads or sends your name or email fields

// 2. forward only the stopbot token to verify (the visitor IP is read server-side)

POST https://app.stopbot.io/v1/verify

// email_domain is optional. Only the domain is sent for disposable checks. The full address never leaves your server

verifying proof-of-work and scoring risk…

// stopbot response

solved in s at bits

// bots receive a higher difficulty — the proof costs them ~6× longer, and risk scoring still flags them

What just happened

Four steps run automatically between page load and form submit. Your users see nothing.

  1. 01

    Challenge issued

    On page load, stopbot hands the browser a unique challenge and a difficulty target. Riskier traffic gets a harder target.

  2. 02

    Browser solves it

    The device hashes an incrementing nonce until it satisfies the target. Milliseconds for a human, expensive at bot-farm scale.

  3. 03

    Token attached

    A proof-of-work token is added to the form as a hidden field — automatically, with no interaction from the visitor.

  4. 04

    Server verifies & scores

    Your backend posts the token to stopbot, which checks the proof and returns a risk score so you can allow, review or block.

Ship bot protection your users never notice

We're in private beta. Request an invite and be among the first to add one script tag and start blocking automated submissions.

No credit card required · Free tier forever