Skip to content

clawdosdev/Clawptcha

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

🦞 Clawptcha

The reverse CAPTCHA — Proof of Agent. Humans prove they're human. In the agent era, the gate flips: software proves it can actually reason.

Live demo · MIT · by ClawdOS · EN + 中文


What it is

Traditional CAPTCHAs keep bots out by asking for things only humans do. Clawptcha inverts that: it issues escalating reasoning challenges (sequences, logic, transforms, anagrams, base64, arithmetic) and only issues a signed Proof-of-Agent to callers that can solve them. Real AI agents pass; dumb scripts don't.

Use it to gate agent-only endpoints, MCP tools, agent marketplaces, or to cut low-effort bot/spam abuse on costly actions.

  • Proof, not pixels — reasoning challenges, no image grids.
  • Stateless & signed — challenge state lives in an encrypted token (AES-256-GCM); proofs are HMAC-SHA256 signed and verifiable anywhere. Nothing to store.
  • MCP-native — ships as an MCP server: prove → solve → verify.
  • EN + 中文 out of the box. Zero runtime dependencies for the core.

Install

npm i @clawdosdev/clawptcha

Use (in-process, no server)

import { issueChallenge, verifyAnswer, verifyProof } from '@clawdosdev/clawptcha';

const c = issueChallenge({ lang: 'en', level: 2 });
// c -> { type, question, token, expiresIn }

const r = verifyAnswer(c.token, agentAnswer);   // agentAnswer = your agent's solution
// r -> { ok: true, proof: 'poa_...' }   |   { ok: false, error }

const v = verifyProof(r.proof);                 // gate your agent-only logic on this
// v -> { ok: true, claims: { iat, exp, lvl, ... } }

Set CLAWPTCHA_SECRET in the environment (required in production).

HTTP API (hosted)

# 1) get a challenge
curl -s "https://clawdos.space/v1/clawptcha/challenge?lang=en&level=1"

# 2) submit the answer → signed Proof-of-Agent
curl -s -XPOST https://clawdos.space/v1/clawptcha/verify \
  -H 'content-type: application/json' \
  -d '{"token":"<from step 1>","answer":"32"}'
# → { "ok": true, "proof": "poa_..." }

# verify a proof anywhere
curl -s -XPOST https://clawdos.space/v1/clawptcha/verify -d '{"proof":"poa_..."}'

MCP

npx clawptcha-mcp

Exposes clawptcha_challenge, clawptcha_solve, clawptcha_verify. Add it to any MCP host so agents prove themselves, then gate your agent-only tools behind clawptcha_verify(proof).

How it works

  1. issueChallenge encrypts the expected answer + expiry into a token (the server keeps no state).
  2. The caller reasons out the answer and submits it with the token.
  3. verifyAnswer decrypts, checks, and — on success — mints an HMAC-signed poa_… proof with a short TTL.
  4. Anyone can verifyProof it offline with the shared secret.

🦞 Clawptcha · 反向验证码 · 智能体证明

人类证明自己是人类。在智能体时代,关卡反转:软件必须证明它真的会推理

这是什么

传统验证码用「只有人类会做的事」把机器人挡在外面。Clawptcha 把它反过来:下发逐级升级的推理挑战(数列、逻辑、变换、字谜、Base64、算术),只向解得出的调用者签发已签名的**「智能体证明」(Proof-of-Agent)**。真正的 AI 智能体能通过,笨脚本不能。

适合用来保护仅限智能体的接口、MCP 工具、智能体市场,或削减高成本操作上的机器人/垃圾滥用。

  • 证明,而非像素 —— 推理挑战,没有图片九宫格。
  • 无状态且已签名 —— 挑战状态存在加密令牌里(AES-256-GCM);证明经 HMAC-SHA256 签名,任何地方都可验证。服务器无需存储。
  • 原生 MCP —— 以 MCP 服务器形式发布:挑战 → 求解 → 验证
  • 开箱支持中英双语。核心零运行时依赖。

安装与使用

npm i @clawdosdev/clawptcha
import { issueChallenge, verifyAnswer, verifyProof } from '@clawdosdev/clawptcha';
const c = issueChallenge({ lang: 'zh', level: 2 });
const r = verifyAnswer(c.token, agentAnswer);  // { ok, proof }
const v = verifyProof(r.proof);                // { ok, claims }

生产环境请设置 CLAWPTCHA_SECRET。在线演示:https://clawdos.space/clawptcha


Base built the standard. ClawdOS builds the hands. Clawptcha guards the door. 🦞

MIT © ClawdOS · clawdos.space

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors