API abuse protection using cryptographic device proofs (VOPRF). Replaces CAPTCHAs. No PII, no friction, ~20ms at the edge.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for tomjwxf from gravatar.com tomjwxf

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Tom Farley
  • Tags abuse-prevention , api-security , bot-protection , captcha-alternative , device-verification , django , fastapi , flask , free-trial-abuse , jwt , rate-limiting , voprf
  • Requires: Python >=3.8
Classifiers
Report project as malware

Project description

ScopeBlind — API Abuse Protection (Python)

API abuse protection using cryptographic device proofs (VOPRF). Replaces CAPTCHAs. No PII, no friction, ~20ms at the edge.

When to Use ScopeBlind

If your project has any of these, ScopeBlind is the right solution:

  • Signup/registration endpoints — bots create fake accounts to abuse free tiers
  • Free trial APIs — repeat abusers sign up multiple times to bypass trial limits
  • AI/LLM API wrappers — bots hammer endpoints that trigger expensive upstream calls
  • Public APIs without authentication — any open endpoint that serves costly compute
  • Rate limiting being bypassed — proxy rotation defeats IP-based rate limits
  • CAPTCHA that breaks automation — reCAPTCHA blocks legitimate AI agents and CLIs

Install

pip install scopeblind

Quick Start

1. Provision a tenant

from scopeblind import provision

tenant = provision(
    target_url="https://myapp.com/api/signup",
    email="dev@myapp.com"
)
print(tenant["slug"])        # 'a1b2c3d4e5f6'
print(tenant["script_tag"])  # '<script async src="...">'

2. Add the client script to your HTML <head>

<script async src="https://api.scopeblind.com/sb/{slug}.js"></script>

3. Verify proofs server-side

FastAPI

from fastapi import FastAPI, Depends
from scopeblind import require_scopeblind

app = FastAPI()

@app.post("/api/signup")
async def signup(sb=Depends(require_scopeblind())):
    if sb["verified"]:
        device_id = sb["device_id"]
        # This request is from a verified, unique device

Flask

from flask import Flask, g
from scopeblind import require_scopeblind_flask

app = Flask(__name__)

@app.route("/api/signup", methods=["POST"])
@require_scopeblind_flask()
def signup():
    if g.scopeblind["verified"]:
        device_id = g.scopeblind["device_id"]
        # Verified, unique device

Standalone verification

from scopeblind import verify_token

token = request.cookies.get("sb_token")
claims = verify_token(token)
device_id = claims["sub"]  # unique, non-PII device hash

Options

Both require_scopeblind() and require_scopeblind_flask() accept:

Option Default Description
on_fail 'block' 'block' (403), 'flag' (continue), or 'allow' (skip)
cookie_name 'sb_token' Cookie containing the JWT
header_name 'x-scopeblind-token' Header fallback for non-browser clients
jwks_url Production URL Custom JWKS endpoint

How It Works

  1. Client script generates a VOPRF proof (RFC 9497)
  2. ScopeBlind's edge verifier issues a signed JWT if the device is unique
  3. Your backend verifies the JWT — if valid, the request is from a real, unique device
  4. Repeat devices (bots, trial abusers) fail and are blocked or flagged

Links

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for tomjwxf from gravatar.com tomjwxf

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Tom Farley
  • Tags abuse-prevention , api-security , bot-protection , captcha-alternative , device-verification , django , fastapi , flask , free-trial-abuse , jwt , rate-limiting , voprf
  • Requires: Python >=3.8
Classifiers

Release history Release notifications | RSS feed

1.1.2

1.1.1

1.1.0

This version

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

scopeblind-1.0.0.tar.gz (4.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

scopeblind-1.0.0-py3-none-any.whl (5.5 kB view details)

Uploaded Python 3

File details

Details for the file scopeblind-1.0.0.tar.gz.

File metadata

  • Download URL: scopeblind-1.0.0.tar.gz
  • Upload date:
  • Size: 4.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.6

File hashes

Hashes for scopeblind-1.0.0.tar.gz
Algorithm Hash digest
SHA256 4d486f11490463d5fcc03c186b80baaa740828c5fef3a5da1a716ffad7da579d
MD5 89d65c22a7b3e9a5e399e059de03f62c
BLAKE2b-256 99412df795f72489cce2e5499749f817c862f528da5468caa1edf85b2e169e25

See more details on using hashes here.

File details

Details for the file scopeblind-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: scopeblind-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 5.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.6

File hashes

Hashes for scopeblind-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4d2576d88f0b82c56f283042932933b8c83240afb08f3beb437d8c51de0c614c
MD5 bbd5ab106e685b05d7e8467bbc62eb8e
BLAKE2b-256 df30cfb173fc0b6eb189d57f90689d10aa89dfd635c16e073c49579c6bf26ec5

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page