This page explains how to display and customize the CryptoLoot proof of work widget on your webpage. From a website owner's perspective the CryptoLoot captcha works exactly like a conventional captcha, such as Google's reCaptcha.

The captcha is embedded in an HTML form, runs client side in the user's browser and generates a token. The token is submitted together with the other form data. You can then validate this token on your server through our HTTP API.

Unlike with a conventional captcha, however, the user does not have to “prove they're human”. Instead, the captcha is a “proof of work” – making it uneconomic for spammers to game your system.

Image showing the proof of work captcha


To embed the CryptoLoot captcha, you have to load the captcha.js anywhere on your page and create a <div> with the CRLT-captcha class where you want to show the captcha.

The text in this <div> (Loading Captcha...) will be replaced by the captcha itself once it's loaded.

Note that the captcha is loaded from a different domain to avoid adblockers. This specific domain is only used for token verification.

<form action="?" method="post">
	<!-- other form fields -->

	<script src="" async></script>
	<div class="CRLT-captcha" data-hashes="1024" data-key="SITE_KEY">
		<em>Loading Captcha...<br>
		If it doesn't load, please disable Adblock!</em>
	</div>

	<input type="submit" value="Submit"/>
</form>

When the captcha is completed, a field with the name CRLT-captcha-token will be filled with the token name. This field will be submitted with the rest of your form.

On the server side, you verify the received token through our HTTP API with /token/verify.

curl -X POST \
	-d "token=<CRLT-captcha-token>" \
	-d "hashes=1024" \
	-d "secret=<secret-key>" \

# {"success": true, "hashes": 1024}

Note that you have to specify the number of hashes twice: once on the client side for the widget, so it knows when it's done, and once when verifying the token on the server, so the client can't cheat.
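The following server-side check (Node.js) is an added example, not CryptoLoot code: it shows the hashes goal held as a server constant, a client-supplied goal being ignored, and every unexpected API response treated as a failure. The function names, the post transport and the sample tokens are hypothetical, and the stand-in API's accept/reject behaviour is an assumption.

```javascript
// Added example, not CryptoLoot code. Names and sample data are hypothetical.
const REQUIRED_HASHES = 1024; // fixed on the server; a multiple of the pool difficulty (256)

// Build the /token/verify form fields. Only the token comes from the client.
function buildVerifyFields(form, secret) {
  const token = form['CRLT-captcha-token'];
  if (typeof token !== 'string' || token === '') return null; // no token submitted
  // form.hashes (if a client sends one) is deliberately ignored.
  return { token, hashes: String(REQUIRED_HASHES), secret };
}

// Interpret the API's JSON body; anything unexpected counts as a failure.
function interpretVerifyResponse(rawBody) {
  let body;
  try { body = JSON.parse(rawBody); } catch (e) { return false; }
  return body !== null && typeof body === 'object' &&
    body.success === true && Number(body.hashes) >= REQUIRED_HASHES;
}

// `post` is a hypothetical transport: async (fields) => response body string.
// In production it POSTs the fields, form-encoded, to the /token/verify endpoint.
async function verifyCaptcha(form, secret, post) {
  const fields = buildVerifyFields(form, secret);
  if (fields === null) return false;
  try {
    return interpretVerifyResponse(await post(fields));
  } catch (e) {
    return false; // network error or timeout: fail closed
  }
}

// Constructed stand-in for the API: hashes earned per token, and success only
// when the earned count covers the requested goal (assumed behaviour).
const EARNED = { 'tok-full': 1024, 'tok-cheap': 256 };
async function fakePost(fields) {
  const earned = EARNED[fields.token] || 0;
  return JSON.stringify(earned >= Number(fields.hashes)
    ? { success: true, hashes: earned } : { success: false });
}

// A client that solved only 256 hashes and posts its own "hashes" field is rejected.
verifyCaptcha({ 'CRLT-captcha-token': 'tok-cheap', hashes: '256' }, 'SECRET-KEY', fakePost)
  .then((ok) => console.log('cheap token accepted?', ok));
verifyCaptcha({ 'CRLT-captcha-token': 'tok-full' }, 'SECRET-KEY', fakePost)
  .then((ok) => console.log('full token accepted?', ok));
```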


You can specify various options as data- attributes with the div element. The data-key and data-hashes attributes are mandatory.

data-key: Your public Site-Key. See Dashboard » Manage Sites.
data-hashes: The number of hashes that have to be accepted by the mining pool. Our pool uses a difficulty of 256, so your hashes goal should be a multiple of 256.
data-whitelabel: Optional. Whether to hide the CryptoLoot logo and the “What is this” link.
data-callback: Optional. The name of a global JavaScript function that should be called when the goal is reached.
data-disable-elements: Optional. A CSS selector for elements that should be disabled until the goal is reached. Usually this will be your form submit button.

Full example

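<form action="?" method="post">
	<!-- other form fields -->

	<script src="" async></script>
	<script>
		// Global function named in data-callback; called when the goal is reached
		function myCaptchaCallback(token) {
			alert('Hashes reached. Token is: ' + token);
		}
	</script>
	<div class="CRLT-captcha"
		data-hashes="1024"
		data-key="SITE_KEY"
		data-callback="myCaptchaCallback"
		data-disable-elements="input[type=submit]"
	>
		<em>Loading Captcha...<br>
		If it doesn't load, please disable Adblock!</em>
	</div>

	<!-- submit button will be automatically disabled and later enabled
		again when the captcha is solved -->
	<input type="submit" value="Submit"/>
</form>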

Example of Token Verification Using PHP

$post_data = [
	'secret' => "SECRET-KEY", // <- Your secret key
	'token' => $_POST['CRLT-captcha-token'] ?? '', // empty if the field is missing
	'hashes' => 1024 // set on the server; must match data-hashes on the widget
];

$post_context = stream_context_create([
	'http' => [
		'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
		'method'  => 'POST',
		'content' => http_build_query($post_data)
	]
]);

$url = '';
$response = json_decode(file_get_contents($url, false, $post_context));

// A failed request or non-JSON body yields null, which is treated as not verified
if ($response && $response->success) {
	// All good. Token verified!
}

For a detailed explanation of the HTTP API including all possible error codes, please refer to the HTTP API documentation.
