Ask HN: What do you consider the best way to protect a SaaS from bots?
2 by jay-barronville | 4 comments on Hacker News.
I’m getting ready to launch a new AI SaaS. I’d like to offer a “try it for free without an account or credit card” option right on the home page. Unfortunately, due to (1) the cost of these GPUs, (2) the fact that I’m bootstrapping the service 100%, and (3) the fully automated nature of the backend infrastructure, the risk of bots targeting the website is not just a simple concern or inconvenience but rather something that could make it infeasible for me to continue running the service.

I’ve tested a number of potential solutions and I’m still coming up empty. E.g., I could do like Troy Hunt [0] and rely on Cloudflare Turnstile [1], but unfortunately, after testing it, it doesn’t cut it:

1. Cloudflare claims Turnstile is “frustration-free” for users, but my personal experience says otherwise. I dislike the experience enough that I wouldn’t want my users experiencing it either.

2. Turnstile is actually easily bypassed. I found some web scraping-related services on the internet that claim to easily and programmatically bypass Turnstile for literal pennies*, but I didn’t 100% believe them, so I tested the services. <20 minutes later, I had a script running bypassing challenge after challenge for <$1.00.

3. The hyper-centralized nature of Cloudflare is something that never sits right with me. On one hand, I have tremendous respect for the great work they do and the awesome folks who work at the company (I personally know founders whose startups would probably no longer exist had it not been for Cloudflare’s DDoS protection services). On the other hand, they frankly control too much of the internet’s traffic for my liking.

I’m starting to realize that my only option seems to be to keep the service locked down only for authenticated users (maybe via Google**).

* I’m intentionally not linking to any of those services, but they’re very easy to find via Google.

** I’m not convinced that “Sign In with Google” solves this problem either, since a committed actor can easily create many Google accounts, but at least it’s more manageable. Also, centralization (via Google) is obviously also an issue with this option.

[0]: https://news.ycombinator.com/item?id=37400018
[1]: https://www.cloudflare.com/products/turnstile
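Added example, not part of the Ask HN post or any commenter's code: one defensive layer that a bot-protection scheme for a no-account free trial can be built on regardless of which challenge or sign-in provider sits in front of it. It combines a per-client token bucket (which slows any single client) with a global spend budget for the trial endpoint (which caps the worst-case GPU bill even when a bot rotates through many client keys or accounts). The client key, the "credit" cost per request and the numeric limits are assumptions chosen for illustration; how a deployment derives the key (hashed IP, signed session cookie, account id) is outside this example.

```python
"""Added example: per-client token bucket plus a global budget for an
unauthenticated free-trial endpoint. Assumptions (not from the post): each
request carries a client_key chosen by the deployer, and each trial call has a
known GPU cost expressed in credits."""

import time


class TokenBucket:
    """Classic token bucket: a client may burst up to `capacity` credits and
    then earns `refill_per_sec` credits per second of wall-clock time."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity      # a new client starts with a full bucket
        self.updated = now

    def try_spend(self, cost: float, now: float) -> bool:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class TrialGuard:
    """Two layers: a per-client bucket and a global budget for the current
    window (e.g. one day). The global check runs first so that, once the
    budget is gone, no amount of new client keys can raise the bill."""

    def __init__(self, per_client_capacity: float, per_client_refill_per_sec: float,
                 global_budget: float):
        self.per_client_capacity = per_client_capacity
        self.per_client_refill = per_client_refill_per_sec
        self.global_budget = global_budget
        self.global_spent = 0.0
        self.buckets: dict[str, TokenBucket] = {}

    def admit(self, client_key: str, cost: float, now: float) -> str:
        """Return "ok", "client_limited" or "budget_exhausted"."""
        if self.global_spent + cost > self.global_budget:
            return "budget_exhausted"
        bucket = self.buckets.get(client_key)
        if bucket is None:
            bucket = TokenBucket(self.per_client_capacity, self.per_client_refill, now)
            self.buckets[client_key] = bucket
        if not bucket.try_spend(cost, now):
            return "client_limited"
        self.global_spent += cost
        return "ok"

    def reset_window(self) -> None:
        """Called by a scheduler at the start of each budget window."""
        self.global_spent = 0.0


def simulate_burst() -> list[str]:
    """Constructed traffic (not real logs): one client hammering the endpoint,
    then two more clients, then the first client again after a pause."""
    guard = TrialGuard(per_client_capacity=3, per_client_refill_per_sec=0.1, global_budget=5)
    outcomes = []
    for _ in range(4):                                  # burst from one key
        outcomes.append(guard.admit("client-a", 1.0, now=0.0))
    outcomes.append(guard.admit("client-b", 1.0, now=0.0))
    outcomes.append(guard.admit("client-b", 1.0, now=0.0))
    outcomes.append(guard.admit("client-c", 1.0, now=0.0))  # budget now spent
    outcomes.append(guard.admit("client-a", 1.0, now=30.0))  # refilled, but budget gone
    guard.reset_window()
    outcomes.append(guard.admit("client-a", 1.0, now=30.0))  # new window
    return outcomes


if __name__ == "__main__":
    for i, result in enumerate(simulate_burst(), 1):
        print(f"request {i}: {result}")
    print("elapsed demo time:", round(time.monotonic() % 1, 3))
```

The order of checks is the point: a challenge provider or sign-in can be bypassed or multiplied across accounts, but a hard global budget turns "bots could make the service infeasible" into "bots can, at worst, exhaust today's free-trial allowance", which is a cost you choose in advance.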
