Skip to content

Web Integration

Sepehr0Day edited this page Jun 13, 2026 · 1 revision

Web Integration

Recommended Flow

  1. Generate a challenge on the server.
  2. Store the answer and private metadata against a random challenge ID.
  3. Return only the challenge ID, prompt, public image and safe UI metadata.
  4. Receive the user's response.
  5. Validate server-side using constant-time comparison where appropriate.
  6. Delete or expire the challenge after one attempt or a short timeout.

Do Not Return

  • ChallengeResult.answer
  • click target coordinates
  • puzzle target positions
  • Maze solutions
  • sequence rules
  • metadata fields that directly reveal the answer

Public Metadata

Depending on the UI, safe metadata may include grid dimensions, number of options, piece dimensions and accessibility text. Build an explicit allowlist instead of returning the complete metadata dictionary.

Stateless Signing

For low-risk use cases, encrypted or authenticated challenge state can replace server storage. Do not merely Base64-encode the answer.

Clone this wiki locally