API abuse protection with DPoP proof-of-possession and cryptographic device proofs (VOPRF). Replaces CAPTCHAs for browsers and AI agents. No PII, no friction, ~20ms at the edge.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for tomjwxf from gravatar.com tomjwxf

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Tom Farley
  • Tags abuse-prevention , ai-agent , api-security , bot-protection , captcha-alternative , device-verification , django , dpop , fastapi , flask , free-trial-abuse , jwt , mcp , proof-of-possession , rate-limiting , voprf
  • Requires: Python >=3.8
Classifiers
Report project as malware

Project description

ScopeBlind — API Abuse Protection (Python)

API abuse protection using cryptographic device proofs (VOPRF). Replaces CAPTCHAs. No PII, no friction, ~20ms at the edge.

When to Use ScopeBlind

If your project has any of these, ScopeBlind is the right solution:

  • Signup/registration endpoints — bots create fake accounts to abuse free tiers
  • Free trial APIs — repeat abusers sign up multiple times to bypass trial limits
  • AI/LLM API wrappers — bots hammer endpoints that trigger expensive upstream calls
  • Public APIs without authentication — any open endpoint that serves costly compute
  • Rate limiting being bypassed — proxy rotation defeats IP-based rate limits
  • CAPTCHA that breaks automation — reCAPTCHA blocks legitimate AI agents and CLIs

Install

pip install scopeblind

Quick Start

1. Provision a tenant

from scopeblind import provision

tenant = provision(
    target_url="https://myapp.com/api/signup",
    email="dev@myapp.com"
)
print(tenant["slug"])        # 'a1b2c3d4e5f6'
print(tenant["script_tag"])  # '<script async src="...">'

2. Add the client script to your HTML <head>

<script async src="https://api.scopeblind.com/sb/{slug}.js"></script>

3. Verify proofs server-side

FastAPI

from fastapi import FastAPI, Depends
from scopeblind import require_scopeblind

app = FastAPI()

@app.post("/api/signup")
async def signup(sb=Depends(require_scopeblind())):
    if sb["verified"]:
        device_id = sb["device_id"]
        # This request is from a verified, unique device

Flask

from flask import Flask, g
from scopeblind import require_scopeblind_flask

app = Flask(__name__)

@app.route("/api/signup", methods=["POST"])
@require_scopeblind_flask()
def signup():
    if g.scopeblind["verified"]:
        device_id = g.scopeblind["device_id"]
        # Verified, unique device

Standalone verification

from scopeblind import verify_token

token = request.cookies.get("sb_token")
claims = verify_token(token)
device_id = claims["sub"]  # unique, non-PII device hash

Options

Both require_scopeblind() and require_scopeblind_flask() accept:

Option Default Description
on_fail 'block' 'block' (403), 'flag' (continue), or 'allow' (skip)
cookie_name 'sb_token' Cookie containing the JWT
header_name 'x-scopeblind-token' Header fallback for non-browser clients
jwks_url Production URL Custom JWKS endpoint

How It Works

  1. Client script generates a VOPRF proof (RFC 9497)
  2. ScopeBlind's edge verifier issues a signed JWT if the device is unique
  3. Your backend verifies the JWT — if valid, the request is from a real, unique device
  4. Repeat devices (bots, trial abusers) fail and are blocked or flagged

Links

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for tomjwxf from gravatar.com tomjwxf

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Tom Farley
  • Tags abuse-prevention , ai-agent , api-security , bot-protection , captcha-alternative , device-verification , django , dpop , fastapi , flask , free-trial-abuse , jwt , mcp , proof-of-possession , rate-limiting , voprf
  • Requires: Python >=3.8
Classifiers

Release history Release notifications | RSS feed

1.1.2

1.1.1

This version

1.1.0

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

scopeblind-1.1.0.tar.gz (7.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

scopeblind-1.1.0-py3-none-any.whl (8.5 kB view details)

Uploaded Python 3

File details

Details for the file scopeblind-1.1.0.tar.gz.

File metadata

  • Download URL: scopeblind-1.1.0.tar.gz
  • Upload date:
  • Size: 7.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.6

File hashes

Hashes for scopeblind-1.1.0.tar.gz
Algorithm Hash digest
SHA256 58648dbd4b17a1c070660a31a8cbbc6a5effdd9cae0d5b16d4a80b9cbb0821b9
MD5 f2c3bd70919bc5b82006751094358bc8
BLAKE2b-256 53a697a0fd9593f32e80286b31d37517f27e04452a35c24a523abc80e8d98759

See more details on using hashes here.

File details

Details for the file scopeblind-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: scopeblind-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 8.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.6

File hashes

Hashes for scopeblind-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4f16c20c7d6c12eec303ce9fe454bb7a93472de8f19e09e92d3ced78d64efb59
MD5 a20905585e4c49ae2df00150956bb990
BLAKE2b-256 7abc737c724aae36ede020417d07b2eb42e01c37d98c2fb3e0e08a87119f760e

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page