whatisgithub

What is chronoseal-rs?

thakares/chronoseal-rs — explained in plain English

Analysis updated 2026-05-18

3RustAudience · ops devopsComplexity · 4/5Setup · hard

In one sentence

A Rust and WebAssembly tool that continuously verifies a browser session is a real human, not a bot or AI scraper, using signed heartbeats instead of a CAPTCHA.

Mindmap

mindmap
  root((repo))
    What it does
      Detect bots silently
      No CAPTCHA needed
      Continuous verification
    Tech Stack
      Rust
      WebAssembly
      Axum
    Use Cases
      Block AI scrapers
      Protect API endpoints
      Self-hosted defense
    Audience
      Site operators
      Ops and DevOps
    How it works
      Signed heartbeats
      Hash chain
      Mouse entropy

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Block AI scrapers and headless browsers from silently scraping a website.

USE CASE 2

Add invisible bot detection to a page without a CAPTCHA or user friction.

USE CASE 3

Protect API endpoints from automated abuse using continuous session attestation.

USE CASE 4

Deploy a self-hosted anti-bot layer behind an existing reverse proxy.

What is it built with?

RustWebAssemblyAxumEd25519Blake3SQLite

How does it compare?

thakares/chronoseal-rscodeitlikemiley/antigravity-sdk-rustdedsec-xu/needle
Stars333
LanguageRustRustRust
Setup difficultyhardhardmoderate
Complexity4/54/53/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires building a WASM module with wasm-pack plus a separate Rust server build, then wiring both into a page.

The README does not state a license, so terms of use are unclear.

So what is it?

ChronoSeal is a Rust and WebAssembly framework designed to tell real human visitors apart from bots, headless browsers, and AI scrapers, without showing a CAPTCHA or adding any friction for legitimate users. Instead of a one time check, it keeps proving a browser session is genuine over and over for as long as the page stays open. When a page loads, the WASM module in the browser generates a cryptographic keypair using the Ed25519 signature scheme, and that private key never leaves the browser's WASM memory. The browser then sends its public key to the server, which starts a session and hands back a small random program made of simple stack machine instructions like push, add, subtract, and hash. Every twelve to twenty five seconds, with some random jitter, the browser runs that program, mixes in signals like recent mouse movement, computes a new hash that is chained to the previous one, signs the whole thing, and sends it back as a heartbeat. The server checks the signature, the hash chain, and the behavioral signals before accepting it. This approach protects against several common attacks. Tools like Playwright or Puppeteer that fake being a real browser can be caught because they typically produce no real mouse movement. Old captured heartbeats cannot be replayed because each one depends on the one before it. Because failed checks always get a normal looking success response back, an attacker watching network traffic cannot easily tell that they have been blocked. The project is honest that it is not unbeatable. It describes itself as a way to make scraping expensive and complicated rather than a wall no one can get past. It is written in Rust, split into a shared library, an Axum based server, a WASM client module, and a small vanilla JavaScript file that wires it into a page. Session data lives in an in-memory SQLite database that resets whenever the server restarts. It can run as a native binary under systemd or inside Docker, and is meant to sit behind a reverse proxy such as nginx.

Copy-paste prompts

Prompt 1
Help me integrate ChronoSeal's WASM heartbeat script into my website's login page.
Prompt 2
Explain how ChronoSeal's hash chain heartbeat system prevents replay attacks.
Prompt 3
Walk me through building and deploying the ChronoSeal server with Docker.
Prompt 4
Help me tune the heartbeat interval and rate limiting constants in ChronoSeal's constants file.

Frequently asked questions

What is chronoseal-rs?

A Rust and WebAssembly tool that continuously verifies a browser session is a real human, not a bot or AI scraper, using signed heartbeats instead of a CAPTCHA.

What language is chronoseal-rs written in?

Mainly Rust. The stack also includes Rust, WebAssembly, Axum.

What license does chronoseal-rs use?

The README does not state a license, so terms of use are unclear.

How hard is chronoseal-rs to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is chronoseal-rs for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.