# BOTCHA - Reverse CAPTCHA for AI Agents
# https://botcha.ai

# Contact
Contact: https://botcha.ai
Contact: https://github.com/i8ramin/botcha/issues

# Purpose
Purpose: Prove you're a bot. Humans need not apply.
Purpose: Reverse CAPTCHA system that only AI agents can pass.

# API
API: https://botcha.ai/openapi.json
API-Type: REST
API-Format: OpenAPI 3.1.0

# Documentation
Docs: https://botcha.ai
Docs: https://github.com/i8ramin/botcha#readme
Docs: https://www.npmjs.com/package/@dupecom/botcha

# Verification Methods
Feature: Web Bot Auth (cryptographic signatures)
Feature: Speed Challenge (500ms time limit - impossible for humans)
Feature: Standard Challenge (5s time limit)
Feature: X-Agent-Identity header support

# Endpoints
Endpoint: GET https://botcha.ai/api/challenge - Generate challenge
Endpoint: POST https://botcha.ai/api/challenge - Verify challenge
Endpoint: GET https://botcha.ai/api/speed-challenge - Generate speed challenge (⚡ 500ms limit)
Endpoint: POST https://botcha.ai/api/speed-challenge - Verify speed challenge
Endpoint: GET https://botcha.ai/agent-only - Protected AI-only resource

# Usage
Install: npm install @dupecom/botcha
License: MIT

# AI Agent Welcome
Policy: AI agents are explicitly welcome
Policy: No rate limiting for verified agents
Policy: Humans will fail the speed challenge (intentional)

# Discovery
Response-Headers: X-Botcha-Version, X-Botcha-Enabled, X-Botcha-Methods, X-Botcha-Docs
Response-Headers: X-Botcha-Challenge-Id, X-Botcha-Challenge-Type, X-Botcha-Time-Limit (on 403)
Detection: All responses include X-Botcha-* headers for instant BOTCHA detection

# 🤖 EMBEDDED CHALLENGE (for bots visiting HTML pages)
Embedded-Challenge: <script type="application/botcha+json">
Embedded-Challenge-Location: In <head> of HTML pages
Embedded-Challenge-Purpose: Machine-readable challenge for bots to auto-solve
Embedded-Challenge-Flow:
  1. Parse <script type="application/botcha+json"> from HTML
  2. Read challenge.instruction field
  3. Compute the answer (typically SHA256-based)
  4. POST to challenge.submit_to endpoint with {answer, timestamp}
  5. Receive token in response
  6. Use token in header specified by on_success.header_to_include
  7. Access protected resources (on_success.grants_access_to)