Zeno is a high-security, privacy-preserving, proof-of-work CAPTCHA system designed for the modern web.
It runs on the edge using Cloudflare Workers and WebAssembly (Rust), ensuring low latency and high scalability.
- Physics-Based Security: Uses Memory (Cuckatoo Cycle) and Time (VDF) to physically constrain attackers.
- ASIC/GPU Resistant: Default configuration (`GB=18`) requires ~32MB RAM per instance. Attackers need 32GB RAM for 1,000 parallel threads.
- Configurable Defense: Adjust `graph_bits` (10-20) and `vdf` (10-1M) to balance security vs UX.
- Privacy-First: No cookies, no tracking, no third-party scripts.
- Edge Deployment: Runs entirely on Cloudflare Workers (Serverless).
- WebAssembly: Core logic powered by Rust-based WASM for performance/security.
- Modes:
  - Standard: In-page widget.
  - Floating: Corner popup.
  - Invisible: Background verification for seamless UX.
- Universal Compatibility:
  - Pure JS Fallback: Automatically activates on devices without WebAssembly support. Full feature parity including progress reporting.
  - Force Mode: Option to strictly enforce JS or WASM for testing.
- Internationalization (i18n): Fully customizable strings and styling via CSS variables.
Try the live demo: https://zeno.js.org/demo/. You can also try the SPEEDTEST: https://fast.kalman.co.il (REPO)
```html
<script type="module" src="https://cdn.jsdelivr.net/gh/zeno-security/zeno@latest/dist/client/zeno.min.js"></script>
<zeno-widget zeno-site-key="YOUR_SITE_KEY" zeno-api-endpoint="/api"></zeno-widget>
```

Listen for the completion event:

```javascript
document.querySelector('zeno-widget').addEventListener('solve', (e) => {
  console.log('Token:', e.detail.token);
});
```

| Parameter | Default | Effect |
|---|---|---|
| `graph_bits` | 18 | ~32 MB RAM required |
| `vdf` | 300 | ~1.6s sequential delay |
| Total | — | ~1.6s solve time |

| Threat | Recommended Config | Time | Memory |
|---|---|---|---|
| Script Bots | GB=13, VDF=100 | ~0.2s | 2 MB |
| Bot Farms | GB=15, VDF=150 | ~0.4s | 5 MB |
| GPU Attacks | GB=17, VDF=100 | ~0.5s | 16 MB |
| ASIC/GPU (Default) | GB=18, VDF=300 | ~1.6s | 32 MB |
| Maximum Security | GB=19, VDF=200 | ~2.5s | 62 MB |
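
To help choose between the profiles in the table above, this added example (not part of the Zeno project) turns the table's figures into a range check, a per-machine throughput bound and a profile picker. The function names, the one-core-per-solve model and the 1 GB = 1000 MB convention are assumptions made for this example.

```javascript
// Added example: figures copied from the README's threat table.
// Solve times are the README's approximate values; real devices will differ.
const PROFILES = [
  { name: 'Script Bots',        graphBits: 13, vdf: 100, seconds: 0.2, memMB: 2 },
  { name: 'Bot Farms',          graphBits: 15, vdf: 150, seconds: 0.4, memMB: 5 },
  { name: 'GPU Attacks',        graphBits: 17, vdf: 100, seconds: 0.5, memMB: 16 },
  { name: 'ASIC/GPU (Default)', graphBits: 18, vdf: 300, seconds: 1.6, memMB: 32 },
  { name: 'Maximum Security',   graphBits: 19, vdf: 200, seconds: 2.5, memMB: 62 },
];

// Documented ranges: graph_bits 10-20, vdf 10-1M.
function validateConfig({ graphBits, vdf }) {
  const errors = [];
  if (!Number.isInteger(graphBits) || graphBits < 10 || graphBits > 20) {
    errors.push('graph_bits must be an integer in 10..20');
  }
  if (!Number.isInteger(vdf) || vdf < 10 || vdf > 1000000) {
    errors.push('vdf must be an integer in 10..1000000');
  }
  return errors;
}

// RAM needed to keep `parallel` solves in flight (1 GB counted as 1000 MB).
function ramNeededMB(profile, parallel) {
  return profile.memMB * parallel;
}

// Upper bound on solves/second for one machine. Assumption: the VDF is
// sequential, so each in-flight solve holds one core for the whole solve time.
function maxSolvesPerSecond(profile, { ramMB, cores }) {
  const concurrent = Math.min(Math.floor(ramMB / profile.memMB), cores);
  return concurrent / profile.seconds;
}

// Most memory-expensive profile that still fits the UX budget, or null.
function pickProfile({ maxSeconds, maxClientMB }) {
  const fits = PROFILES.filter(
    (p) => p.seconds <= maxSeconds && p.memMB <= maxClientMB
  );
  return fits.length ? fits.reduce((a, b) => (b.memMB > a.memMB ? b : a)) : null;
}
```

With the default profile, `ramNeededMB(PROFILES[3], 1000)` gives 32000 MB, matching the 32GB figure quoted for 1,000 parallel threads.
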

- Fork the Repository: Fork zeno-security/zeno to your GitHub account.
- Log in to Cloudflare: Go to the Cloudflare Dashboard > Workers & Pages.
- Create Application:
  - Click Create Application.
  - Connect your GitHub account.
  - Select your forked `zeno` repository.
- Configure Build:
  - Framework Preset: None / Custom.
  - Build Command: `npm run build`
  - Build Output Directory: `dist`
- Environment Variables & R2:
  - Once created, go to Settings > R2 Object Storage.
  - Create and bind three buckets: `zeno-challenges`, `zeno-tokens`, `zeno-bans-day` to the variable names `zeno_challenges`, `zeno_tokens`, `zeno_bans_day`.

```bash
# Clone the repository
git clone https://github.com/zeno-security/zeno.git
cd zeno

# Install Dependencies
npm install

# Create R2 Buckets
npx wrangler r2 bucket create zeno-challenges
npx wrangler r2 bucket create zeno-tokens
npx wrangler r2 bucket create zeno-bans-day

# Deploy
npx wrangler deploy
```

Zeno consists of three main components:
- Core (Rust/WASM): Handles Cuckatoo Graph generation and Class Group VDF computation.
- Solver (WASM + JS): Dual-mode solver ensures 100% device compatibility (WASM primary, Pure JS fallback).
- Server (Cloudflare Worker): Issues challenges, verifies proofs, and manages storage via R2.
- Client (TypeScript): A lightweight Web Component (`<zeno-widget>`) that orchestrates the solving process in a web worker.

Run the benchmark yourself: docs/benchmark/benchmark.html

```bash
npm run build
```

Required Notice: © Copyright 2025 KSEC - Erez Kalman (kaerez[at]gmail[dot]com | www.kalman.co.il | https://github.com/zeno-security/zeno | https://github.com/kaerez)
This software is licensed under the PolyForm Strict License 1.0.0.
You may obtain a copy of the License at: https://polyformproject.org/licenses/strict/1.0.0/
SPDX-License-Identifier: PolyForm-Strict-1.0.0
