CAPTCHA

A simple CAPTCHA system using HMAC-signed tokens. Tokens expire after 5 minutes.

Flow

Call /captcha/generate to get a CAPTCHA challenge and a signed token.
Display the captcha string to the user.
Submit the user's input along with the token to /captcha/verify.

Generate

GET /captcha/generate

No parameters required.

Response

{
  "success": true,
  "captcha": "aB3xZq",
  "token": "1700000000000.abc123def456...",
  "expiresIn": 300
}

Field

Description

captcha

The challenge string to display to the user

token

Signed token to send back with the verification request

expiresIn

Seconds until the token expires (always 300 / 5 minutes)

Verify

GET /captcha/verify

Parameters

Parameter

Required

Description

input

Yes

The user's answer to the CAPTCHA challenge

token

Yes

The token returned from /api/captcha/generate

Response (valid)

{
  "success": true,
  "valid": true
}

Response (invalid / expired)

{
  "success": false,
  "error": "Invalid or expired CAPTCHA."
}

Notes

Verification is case-insensitive.
Tokens are verified using crypto.timingSafeEqual to prevent timing attacks.
Once a token expires (after 5 minutes), it cannot be used again — request a new one.

PreviousGetting Started NextAge

Last updated 1 hour ago

Was this helpful?

Good morning

hashtagFlow

hashtagGenerate

hashtagResponse

hashtagVerify

hashtagParameters

hashtagResponse (valid)

hashtagResponse (invalid / expired)

hashtagNotes