HATCHA — Reverse CAPTCHA for AI Agents

v0.1 — open source — MIT license


 ██╗  ██╗ █████╗ ████████╗ ██████╗██╗  ██╗ █████╗
 ██║  ██║██╔══██╗╚══██╔══╝██╔════╝██║  ██║██╔══██╗
 ███████║███████║   ██║   ██║     ███████║███████║
 ██╔══██║██╔══██║   ██║   ██║     ██╔══██║██╔══██║
 ██║  ██║██║  ██║   ██║   ╚██████╗██║  ██║██║  ██║
 ╚═╝  ╚═╝╚═╝  ╚═╝   ╚═╝    ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝

Hyperfast Agent Test for Computational Heuristic Assessment

CAPTCHA proves you're human.
HATCHA proves you're not.

GitHub

scroll

The Problem

Agents need identity. CAPTCHA blocks them.

AI agents are becoming first-class users of the web. But every CAPTCHA treats them as threats. HATCHA flips the script — a verification challenge that's trivial for machines and impossible for humans. Gate agent-only features, verify automated workflows, or add a layer of computational proof to any interaction.

Stateless

No database required. HMAC-signed tokens.

Fast

Sub-second verification. No external API calls.

Extensible

Protocol

How it works

Challenge

Server generates a challenge and HMAC-signs it. The answer never leaves the server.

Solve

Agent receives the prompt and computes the answer. Trivial for machines, painful for humans.

Verify

Answer is verified server-side against the signed token. Stateless — no database needed.

hatcha://protocol-flow

Client                              Server
  │                                   │
  │  GET /api/hatcha/challenge        │
  │──────────────────────────────────►│
  │                                   │  Generate challenge
  │                                   │  Hash answer (SHA-256)
  │                                   │  HMAC-sign { hash, expiry }
  │  { challenge (no answer), token } │
  │◄──────────────────────────────────│
  │                                   │
  │  Agent solves the challenge       │
  │                                   │
  │  POST /api/hatcha/verify          │
  │  { answer, token }                │
  │──────────────────────────────────►│
  │                                   │  Verify HMAC signature
  │                                   │  Check expiry
  │                                   │  Compare answer hash
  │  { success, verificationToken }   │
  │◄──────────────────────────────────│

Challenge Types

5 built-in challenges

Each challenge is designed to be trivial for AI agents but painful for humans. Register your own custom types at runtime.

×math

5-digit × 5-digit multiplication

TTL 30s

↔string

Reverse a 60–80 char random string

TTL 30s

#count

Count a letter in ~250 characters

TTL 30s

⇅sort

Find k-th smallest in 15 numbers

TTL 30s

01binary

Decode binary octets to ASCII

TTL 30s

Quickstart

Up and running in 3 minutes

▸Copy this quickstart as a prompt for your coding agent.

or do it yourself

01 — Install

terminal

$ npm install @mondaycom/hatcha-react @mondaycom/hatcha-server

02 — Add API Route

app/api/hatcha/[...hatcha]/route.ts

// One handler for both challenge + verify
import { createHatchaHandler } from "@mondaycom/hatcha-server/nextjs"

const handler = createHatchaHandler({
  secret: process.env.HATCHA_SECRET!,
});

export const GET = handler;
export const POST = handler;

03 — Add to Your App

app/layout.tsx

import { HatchaProvider } from "@mondaycom/hatcha-react"
import "@mondaycom/hatcha-react/styles.css"

export default function RootLayout({ children }) {
  return (
    <HatchaProvider>
      {children}
    </HatchaProvider>
  );
}

your-component.tsx

import { useHatcha } from "@mondaycom/hatcha-react"

function AgentGate() {
  const { requestVerification } = useHatcha();

  return (
    <button onClick={() => requestVerification(console.log)}>
      Enter Agent Mode
    </button>
  );
}