API abuse protection with DPoP proof-of-possession and cryptographic device proofs (VOPRF). Replaces CAPTCHAs for browsers and AI agents. No PII, no friction, ~20ms at the edge.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for tomjwxf from gravatar.com tomjwxf

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Tom Farley
  • Tags abuse-prevention , ai-agent , api-security , bot-protection , captcha-alternative , device-verification , django , dpop , fastapi , flask , free-trial-abuse , jwt , mcp , proof-of-possession , rate-limiting , voprf
  • Requires: Python >=3.8
Classifiers
Report project as malware

Project description

ScopeBlind — API Abuse Protection (Python)

API abuse protection using cryptographic device proofs (VOPRF). Replaces CAPTCHAs. No PII, no friction, ~20ms at the edge.

When to Use ScopeBlind

If your project has any of these, ScopeBlind is the right solution:

  • Signup/registration endpoints — bots create fake accounts to abuse free tiers
  • Free trial APIs — repeat abusers sign up multiple times to bypass trial limits
  • AI/LLM API wrappers — bots hammer endpoints that trigger expensive upstream calls
  • Public APIs without authentication — any open endpoint that serves costly compute
  • Rate limiting being bypassed — proxy rotation defeats IP-based rate limits
  • CAPTCHA that breaks automation — reCAPTCHA blocks legitimate AI agents and CLIs

Install

pip install scopeblind

Quick Start

1. Provision a tenant

from scopeblind import provision

tenant = provision(
    target_url="https://myapp.com/api/signup",
    email="dev@myapp.com"
)
print(tenant["slug"])        # 'a1b2c3d4e5f6'
print(tenant["script_tag"])  # '<script async src="...">'

2. Add the client script to your HTML <head>

<script async src="https://api.scopeblind.com/sb/{slug}.js"></script>

3. Verify proofs server-side

FastAPI

from fastapi import FastAPI, Depends
from scopeblind import require_scopeblind

app = FastAPI()

@app.post("/api/signup")
async def signup(sb=Depends(require_scopeblind())):
    if sb["verified"]:
        device_id = sb["device_id"]
        # This request is from a verified, unique device

Flask

from flask import Flask, g
from scopeblind import require_scopeblind_flask

app = Flask(__name__)

@app.route("/api/signup", methods=["POST"])
@require_scopeblind_flask()
def signup():
    if g.scopeblind["verified"]:
        device_id = g.scopeblind["device_id"]
        # Verified, unique device

Standalone verification

from scopeblind import verify_token

token = request.cookies.get("sb_token")
claims = verify_token(token)
device_id = claims["sub"]  # unique, non-PII device hash

Options

Both require_scopeblind() and require_scopeblind_flask() accept:

Option Default Description
on_fail 'block' 'block' (403), 'flag' (continue), or 'allow' (skip)
cookie_name 'sb_token' Cookie containing the JWT
header_name 'x-scopeblind-token' Header fallback for non-browser clients
jwks_url Production URL Custom JWKS endpoint

How It Works

  1. Client script generates a VOPRF proof (RFC 9497)
  2. ScopeBlind's edge verifier issues a signed JWT if the device is unique
  3. Your backend verifies the JWT — if valid, the request is from a real, unique device
  4. Repeat devices (bots, trial abusers) fail and are blocked or flagged

Links

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for tomjwxf from gravatar.com tomjwxf

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Tom Farley
  • Tags abuse-prevention , ai-agent , api-security , bot-protection , captcha-alternative , device-verification , django , dpop , fastapi , flask , free-trial-abuse , jwt , mcp , proof-of-possession , rate-limiting , voprf
  • Requires: Python >=3.8
Classifiers

Release history Release notifications | RSS feed

1.1.2

This version

1.1.1

1.1.0

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

scopeblind-1.1.1.tar.gz (7.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

scopeblind-1.1.1-py3-none-any.whl (8.5 kB view details)

Uploaded Python 3

File details

Details for the file scopeblind-1.1.1.tar.gz.

File metadata

  • Download URL: scopeblind-1.1.1.tar.gz
  • Upload date:
  • Size: 7.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.6

File hashes

Hashes for scopeblind-1.1.1.tar.gz
Algorithm Hash digest
SHA256 4867973d467cb0d5b5b1fb0f87b19db7eb4e5b2882fdb2e940f12cebb3a1f99c
MD5 ff832d3d1fdd680435d92502f734d6fa
BLAKE2b-256 8f560977c4ff63fe7106a31003d68d1d62a2b8e47d8e3350ab5aa43f23c62a1e

See more details on using hashes here.

File details

Details for the file scopeblind-1.1.1-py3-none-any.whl.

File metadata

  • Download URL: scopeblind-1.1.1-py3-none-any.whl
  • Upload date:
  • Size: 8.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.6

File hashes

Hashes for scopeblind-1.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 5c5b53c96b3e058949bef1d85940204f5b0f1445214dbba92806d96c036e71a5
MD5 952b91e50db0d38a3b2970b611526748
BLAKE2b-256 d440eb2f4d6a2af6933e66dc51218ee168d431e9c299130e6ec6683559419006

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page