Machine Verification Protocolv1.0

API Documentation

Verify AI Agents

BOTCHA is a reverse CAPTCHA. Instead of proving humanity, agents prove their computational capability. Challenges are AI-generated and require solving complex mathematical problems within 3 seconds.

Quick Start

Request a challenge

GET request returns a unique AI-generated challenge with a 3-second time limit

Solve the challenge

Parse the question and compute the answer (trivial for AI, impossible for humans in time)

Submit your answer

POST the challengeId and answer within 3 seconds to receive a verification token

Verify token server-side (optional)

Use /api/verify to validate tokens on your backend. Tokens are single-use and expire in 5 minutes.

Endpoints

GET/api/challenge

Returns a new AI-generated verification challenge. Each challenge is unique and expires after 60 seconds (but must be answered within 3 seconds of creation).

{
  "success": true,
  "challenge": {
    "id": "botcha_1706745600_abc123xyz",
    "question": "What is the 347th prime number?",
    "timeLimit": 3000,
    "category": "prime_numbers"
  }
}

POST/api/challenge

Submit an answer to verify. Must be submitted within 3 seconds of challenge creation.

Request Body

{
  "challengeId": "botcha_1706745600_abc123xyz",
  "answer": "2341"
}

Success Response

{
  "success": true,
  "verified": true,
  "agentId": "AGENT-X7K2M9",
  "token": "botcha_token_1706745603_xyz789abc",
  "message": "Machine verified. Access granted.",
  "responseTime": 847,
  "category": "prime_numbers"
}

Failure Response

{
  "success": true,
  "verified": false,
  "reason": "too_slow | incorrect_answer",
  "message": "Response time 3500ms exceeded limit of 3000ms. Human detected.",
  "responseTime": 3500,
  "expectedAnswer": "2341",
  "yourAnswer": "2340"
}

POST/api/verify

Server-side token verification. Use this to validate tokens on your backend before granting access. Tokens are single-use and expire after 5 minutes.

Request Body

{
  "token": "botcha_token_1706745603_xyz789abc"
}

Success Response

{
  "success": true,
  "agentId": "AGENT-X7K2M9",
  "timestamp": 1706745603000,
  "message": "Token verified successfully. Entity confirmed as non-human."
}

Error Codes

missing_token      - No token provided in request
invalid_token      - Token is invalid or has expired (5 min expiry)
token_already_used - Token has already been verified once

Code Examples

Get Challenge

curl https://botcha.app/api/challenge

Submit Answer

curl -X POST https://botcha.app/api/challenge \
  -H "Content-Type: application/json" \
  -d '{"challengeId": "botcha_xxx", "answer": "104729"}'

Verify Token (Server-side)

curl -X POST https://botcha.app/api/verify \
  -H "Content-Type: application/json" \
  -d '{"token": "botcha_token_xxx"}'

JavaScript / Node.js

async function verifyAsAgent() {
  // Step 1: Get a challenge
  const { challenge } = await fetch('https://botcha.app/api/challenge')
    .then(r => r.json());
  
  // Step 2: Solve it (AI can compute instantly)
  const answer = solveChallenge(challenge.question);
  
  // Step 3: Submit within 3 seconds
  const result = await fetch('https://botcha.app/api/challenge', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      challengeId: challenge.id,
      answer: answer
    })
  }).then(r => r.json());
  
  if (result.verified) {
    console.log('Agent ID:', result.agentId);
    console.log('Token:', result.token);
  }
  
  return result;
}

Python

import requests

def verify_as_agent():
    # Step 1: Get a challenge
    data = requests.get('https://botcha.app/api/challenge').json()
    challenge = data['challenge']
    
    # Step 2: Solve it
    answer = solve_challenge(challenge['question'])
    
    # Step 3: Submit within 3 seconds
    result = requests.post(
        'https://botcha.app/api/challenge',
        json={
            'challengeId': challenge['id'],
            'answer': answer
        }
    ).json()
    
    if result['verified']:
        print(f"Agent ID: {result['agentId']}")
        print(f"Token: {result['token']}")
    
    return result

Server-side Token Verification

// In your backend - verify the token is valid
async function verifyBotchaToken(token) {
  const result = await fetch('https://botcha.app/api/verify', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ token })
  }).then(r => r.json());
  
  if (result.success) {
    // Token is valid - grant access
    return { valid: true, agentId: result.agentId };
  }
  
  // Token invalid, expired, or already used
  return { valid: false, error: result.error };
}

Challenge Types

Challenges are generated dynamically using AI (GPT-4o-mini). Each verification attempt receives a unique question that has never been asked before.

prime_numbers

Find the Nth prime number

"What is the 10000th prime number?"

binary_conversion

Convert decimal to binary

"Convert 456789 to binary"

hexadecimal

Convert decimal to hexadecimal

"Convert 987654 to hex"

factorial

Calculate factorial

"What is 15! (factorial)?"

square_root

Calculate square root (floor)

"Floor of sqrt(123456789)?"

power_calculation

Calculate power operations

"What is 7^12?"

ascii_sum

Sum ASCII values of string

"Sum of ASCII values in 'ARTIFICIAL'?"

modular_arithmetic

Modular arithmetic

"What is 123456789 mod 9973?"

fibonacci

Find Nth Fibonacci number

"What is the 50th Fibonacci number?"

bitwise_operations

Bitwise operations (XOR, AND, OR)

"What is 12345 XOR 67890?"

number_theory

GCD/LCM of large numbers

"GCD of 123456 and 789012?"

base_conversion

Number base conversion

"Convert 255 from base 10 to base 16"

Widget Integration

Add BOTCHA to your website to ensure only AI agents can access certain features. Choose from iframe embed or JavaScript SDK.

Method 1: Iframe Embed

<iframe 
  src="https://botcha.app/widget" 
  width="340" 
  height="200" 
  frameborder="0"
  title="BOTCHA Verification"
></iframe>

<script>
window.addEventListener('message', function(event) {
  if (event.origin !== 'https://botcha.app') return;
  
  if (event.data.type === 'botcha:success') {
    console.log('Verified!', event.data.agentId, event.data.token);
    // Grant access or submit token to your server
  }
  
  if (event.data.type === 'botcha:failure') {
    console.log('Human detected');
  }
});
</script>

Method 2: JavaScript SDK

<!-- Add the script -->
<script src="https://botcha.app/embed.js" async></script>

<!-- Add the widget container -->
<div 
  data-botcha="your-site-key"
  data-callback="onBotchaSuccess"
  data-error-callback="onBotchaError"
></div>

<script>
function onBotchaSuccess(token, agentId) {
  console.log('Machine verified:', agentId);
  console.log('Token:', token);
  // Submit token to your server for verification
}

function onBotchaError(error) {
  console.log('Human detected:', error);
}

// Or use the global API
document.querySelector('[data-botcha]').addEventListener('botcha:success', (e) => {
  console.log('Token:', e.detail.token);
  console.log('Agent:', e.detail.agentId);
});
</script>

JavaScript SDK API

// Global BOTCHA object methods

BOTCHA.init()                    // Initialize all widgets on page
BOTCHA.render(container)         // Render widget in specific container
BOTCHA.getResponse(container)    // Get token from container
BOTCHA.isVerified(container)     // Check if container is verified
BOTCHA.reset(container)          // Reset widget to initial state

// Container attributes
data-botcha="site-key"           // Your site key (optional)
data-theme="dark|light"          // Widget theme (default: dark)
data-callback="functionName"     // Success callback function
data-error-callback="functionName" // Error callback function