/captcha.ashx · public API

Stateless math captcha used by /contact.ashx and /signup.ashx. Replaces a third-party CAPTCHA (which would leak the visitor's IP to a SaaS) with a self-hosted, no-cookie, HMAC-signed challenge.

No persistence. The correct answer is encoded into the token itself; the server never has to remember what it asked. That keeps the endpoint cheap to embed in static forms and trivially horizontally scalable.

GET /captcha.ashx

Stateless math captcha challenge. Returns a small addition problem and an HMAC-signed token that encodes the correct answer and an expiry. The form re-submits the token together with the user’s typed answer to /contact.ashx or /signup.ashx, which re-derive the HMAC and compare it in constant time.

Request

No parameters.

Response

{
  "question": "3 + 5",
  "token": "<base64url(answer.expiry).hmac-sig>"
}

Errors

503 if the tenant’s AdminSharedSecret (the HMAC key) isn’t set; captcha is disabled in that mode.

Example

curl https://phone.codeb.io/captcha.ashx
No cookies, no server-side session. The captcha lifetime is 15 minutes. After that the form must request a fresh challenge.
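The issue-and-verify round trip described above, as an added sketch that is not CodeB's own code. It assumes HMAC-SHA256, a base64url-encoded signature and "." as the field separator, none of which the page specifies; the function names and the demo key are hypothetical.

```python
import base64
import hashlib
import hmac

LIFETIME = 15 * 60  # seconds; the page states a 15-minute captcha lifetime


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign(key: bytes, payload: str) -> str:
    # Assumption: HMAC-SHA256 with a base64url signature; the page names neither.
    return b64url(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def issue(key: bytes, a: int, b: int, now: int) -> dict:
    """Build the challenge JSON: question plus base64url(answer.expiry).sig."""
    payload = b64url(f"{a + b}.{now + LIFETIME}".encode())
    return {"question": f"{a} + {b}", "token": f"{payload}.{sign(key, payload)}"}


def verify(key: bytes, token: str, typed: str, now: int) -> bool:
    """Form-handler check: signature first, then expiry, then the answer."""
    payload, sep, sig = token.partition(".")
    if not sep:
        return False
    # Re-derive the HMAC and compare in constant time before trusting any field.
    if not hmac.compare_digest(sign(key, payload).encode(), sig.encode()):
        return False
    padded = payload + "=" * (-len(payload) % 4)
    answer, _, expiry = base64.urlsafe_b64decode(padded).decode().partition(".")
    if now >= int(expiry):
        return False  # expired: the form must request a fresh challenge
    return hmac.compare_digest(answer.encode(), typed.strip().encode())


KEY = b"constructed-demo-secret"  # stands in for the tenant's AdminSharedSecret
```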
Need an admin endpoint? Admin-only and OIDC Bearer-gated routes are documented inside the admin UI itself (visible only to signed-in admins on this host). The public API set on this page is the surface you can integrate against without provisioning a CodeB user.