Crovly Documentation

How It Works

Crovly is a privacy-first captcha that uses Proof of Work instead of image challenges. When a user visits your page, their browser solves a small computational puzzle. Bots struggle because it requires real CPU time, while legitimate users barely notice a ~200ms delay.

1. Challenge — Browser receives a cryptographic puzzle from the API
2. Solve — Browser computes SHA-256 hashes + collects fingerprint signals
3. Verify — Your backend validates the token with a single API call

Quick Start

1. Create a Site

Sign up at app.crovly.com and create a new site. You'll receive a Site Key (public) and an API Key (private).

2. Add the Widget

<script src="https://get.crovly.com/widget.js"
        data-site-key="YOUR_SITE_KEY"></script>

<form action="/submit" method="POST">
  <div id="crovly-captcha"></div>
  <button type="submit">Submit</button>
</form>

3. Verify on Your Server

const res = await fetch("https://api.crovly.com/verify-token", {
  method: "POST",
  headers: {
    "Authorization": "Bearer YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    token: formData.get("crovly-token"),
    expectedIp: request.ip,
  }),
});

const { success, score } = await res.json();
if (!success) {
  // reject the request
}

Testing

Use these test site keys during development — no API calls are made:

<script src="https://get.crovly.com/widget.js"
        data-site-key="test_always_pass"></script>

<form action="/submit" method="POST">
  <div id="crovly-captcha"></div>
  <button type="submit">Submit</button>
</form>

Test keys work in any environment and do not require a Crovly account. The widget renders normally but skips the real challenge/verify flow. Use test_always_fail to test your error handling paths.

Next Steps

• Integration Guide — HTML, React, Vue, PHP, Python, WordPress
• API Reference — Interactive endpoint documentation (Scalar)
• Configuration — Themes, difficulty, thresholds
• Security & Privacy — How detection works

SDKs