I built a "reverse CAPTCHA" system that keeps humans out of agent-only spaces without surveillance or identity verification.

GitHub: https://github.com/henrylai/captchAI-

The problem: As AI agents proliferate (agent social networks, multi-agent coordination systems, agent marketplaces), manual human interference becomes noise. Traditional access control relies on identity and behavioral tracking. What if we used constraints instead?

How it works: Time-bound proof-of-work challenges. Callers request a cryptographic challenge (SHA256 with N leading zeros), solve it, and submit within a narrow window (default: 200ms). Autonomous agents solve trivially. Manual humans fail almost always.

The system makes no claim about WHO you are—human or AI. It only enforces tempo. Meet the constraint, or don't pass.

Technical details:
- Node.js/Express API with multi-tenant support
- SHA256 proof-of-work (configurable difficulty)
- Tight time constraints (200ms default, configurable per tenant)
- One-time use challenges (no replay attacks)
- Rate limiting (100 req/min per tenant, sliding window)
- Comprehensive test suite (19 tests)
- Production-ready (graceful shutdown, structured logging)

Status: This is exploratory infrastructure for platforms that don't quite exist yet. Market timing is unclear—might be 2-3 years early. But it's a starting point for discussion around constraint-based access control.

Interesting coincidence: After I shipped this, I discovered someone else launched Clawptcha (https://clawptcha.com) with a similar concept the same day. They use timing tests and prime factorization; I use PoW and tighter windows. Different approaches, same core insight.

Live demo: https://web-production-dede0.up.railway.app/health

The philosophical framing is in the README: "The boundary is the constraint itself, not a judgment about who or what you are."

Open to feedback on:
- Is this infrastructure we'll actually need?
- Are there better primitives for agent-only access control?
- What use cases make sense today vs. 3 years from now?
- Is 200ms too tight/loose for distinguishing automated vs. manual?
MIT licensed. Built in public. Honest about market uncertainty.
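
The mechanism described in the post (SHA256 proof-of-work, a 200ms submission window, one-time challenges) can be sketched as a server-side gate. This is an added example, not code from the captchAI repository: the class and function names, the `seed:nonce` hash input and counting difficulty in leading zero hex digits are all assumptions.

```javascript
// Added illustration; not the captchAI implementation.
// Assumed: hash input is "<seed>:<nonce>", difficulty = leading zero hex digits.
const crypto = require('node:crypto');

function meetsDifficulty(seed, nonce, difficulty) {
  const digest = crypto.createHash('sha256').update(`${seed}:${nonce}`).digest('hex');
  return digest.startsWith('0'.repeat(difficulty));
}

class ChallengeGate {
  constructor({ difficulty = 3, windowMs = 200, now = Date.now } = {}) {
    this.difficulty = difficulty;
    this.windowMs = windowMs;
    this.now = now;            // injectable clock so the window can be tested
    this.pending = new Map();  // challenge id -> { seed, issuedAt }
  }

  issue() {
    const id = crypto.randomUUID();
    const seed = crypto.randomBytes(16).toString('hex'); // unpredictable, so no precomputation
    this.pending.set(id, { seed, issuedAt: this.now() });
    return { id, seed, difficulty: this.difficulty, windowMs: this.windowMs };
  }

  verify(id, nonce) {
    const entry = this.pending.get(id);
    if (!entry) return { ok: false, reason: 'unknown_or_used' };
    // Consume on the first attempt, pass or fail, so a challenge cannot be replayed or retried.
    this.pending.delete(id);
    // Elapsed time uses the server's own issue timestamp, never a client-supplied one.
    if (this.now() - entry.issuedAt > this.windowMs) return { ok: false, reason: 'expired' };
    if (!meetsDifficulty(entry.seed, nonce, this.difficulty)) return { ok: false, reason: 'bad_proof' };
    return { ok: true, reason: 'accepted' };
  }
}

// Caller side: brute-force the smallest nonce that satisfies the challenge.
function solve(seed, difficulty) {
  for (let nonce = 0; ; nonce++) {
    if (meetsDifficulty(seed, nonce, difficulty)) return nonce;
  }
}
```

Challenges that are issued but never submitted stay in `pending` in this sketch, so a real deployment would also evict entries older than the window to bound memory.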
solwater•1h ago