99% passive PoW · 1% visible challenge · IP risk scoring
1. Challenge request: POST /captcha/challenge. The server evaluates your IP risk score and returns either a PoW challenge (99%) or an image challenge (1%).
2. PoW solving: The widget runs a SHA-256 Hashcash loop in a Web Worker to find a nonce whose hash starts with N leading zeros (difficulty scales with risk).
3. Verification: POST /captcha/verify. The server re-hashes and issues a signed HMAC token valid for 10 minutes.
4. Protected routes accept the token via the captchaPlugin decorator, which validates the token and consumes it so that it can be used only once.
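
The verify and consume steps above, sketched for Node.js as an added example (not the project's own code). The function names, the challenge:nonce hash input, difficulty counted in leading hex zeros, the id.expiry.mac token layout and the in-memory Set are all assumptions.

```javascript
// Added example with hypothetical names; not the project's implementation.
const crypto = require("node:crypto");

const SECRET = crypto.randomBytes(32); // HMAC key (assumption: per-process)
const TOKEN_TTL_MS = 10 * 60 * 1000;   // token valid for 10 minutes
const usedTokens = new Set();          // single-use ledger (assumption: in-memory)

const sha256hex = (s) => crypto.createHash("sha256").update(s).digest("hex");
const mac = (s) => crypto.createHmac("sha256", SECRET).update(s).digest("hex");

// Assumption: difficulty N means N leading hex zeros of SHA-256(challenge:nonce).
function meetsDifficulty(challenge, nonce, difficulty) {
  return sha256hex(`${challenge}:${nonce}`).startsWith("0".repeat(difficulty));
}

// What the widget's Web Worker does: brute-force a nonce.
function solve(challenge, difficulty) {
  for (let nonce = 0; ; nonce++) {
    if (meetsDifficulty(challenge, nonce, difficulty)) return nonce;
  }
}

// Verify step: a single re-hash, then issue "id.expiry.mac".
function issueToken(challenge, nonce, difficulty, now = Date.now()) {
  if (!meetsDifficulty(challenge, nonce, difficulty)) return null;
  const body = `${crypto.randomUUID()}.${now + TOKEN_TTL_MS}`;
  return `${body}.${mac(body)}`;
}

// Protected-route check: signature first, then expiry, then consume.
function consumeToken(token, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return false;
  const [id, expiry, sig] = parts;
  const expected = Buffer.from(mac(`${id}.${expiry}`));
  const given = Buffer.from(sig);
  // Constant-time compare; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length) return false;
  if (!crypto.timingSafeEqual(given, expected)) return false;
  if (now > Number(expiry)) return false; // past the 10-minute window
  if (usedTokens.has(id)) return false;   // replay of a consumed token
  usedTokens.add(id);
  return true;
}
```

The challenge and its difficulty should be looked up from what the server issued, not taken from the verify request, and the used-token ledger needs a shared store with expiry when more than one server instance validates tokens.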