GET /captcha.ashx
Stateless math captcha challenge. Returns a small addition problem and an HMAC-signed token that encodes the correct answer and an expiry. The form re-submits the token and the user’s typed answer to /contact.ashx or /signup.ashx, which re-derive the HMAC and compare it in constant time.
Request
No parameters.
Response
{
"question": "3 + 5",
"token": "<base64url(answer.expiry)>.<hmac-sig>"
}
Errors
503 if the tenant’s AdminSharedSecret (the HMAC key) isn’t set; captcha is disabled in that mode.
Example (verified 2026-06-05)
$ curl https://phone.codeb.io/captcha.ashx
{"question":"5 + 8","token":"MTMuMTc4MDMwMTY1Nw.ocgav3cb_duJpsrt-I9PYhPEMYanmwbnFTezTB_hXos"}
The token shape is <base64url(answer.expiryUnix)>.<base64url(hmac)>. Operators do not need to parse it — submit it back verbatim along with the user’s typed answer to /contact.ashx or /signup.ashx.
Two-step usage
# 1) Get a challenge
$ Q=$(curl -s https://phone.codeb.io/captcha.ashx)
$ echo "$Q"
{"question":"5 + 8","token":"MTMuMTc4MDMwMTY1Nw.ocgav3cb_duJpsrt-I9PYhPEMYanmwbnFTezTB_hXos"}
$ TOK=$(echo "$Q" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")
# 2) Show the question to the user, capture their answer, then POST
$ curl -d "name=Alex&email=alex@example.com&subject=Hi&message=Hello&captcha_token=$TOK&captcha_answer=13" \
https://phone.codeb.io/contact.ashx
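The issue-and-verify flow described above, as an added Python example (not the service's own code). It assumes HMAC-SHA256 computed over the raw `answer.expiry` bytes with a raw-bytes key, which the page does not specify; the function names, key and reason strings are hypothetical.

```python
import base64, hashlib, hmac, time

def b64u_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(key: bytes, a: int, b: int, ttl: int = 300, now=None) -> dict:
    """Build the {"question", "token"} pair that GET /captcha.ashx returns."""
    expiry = int(now if now is not None else time.time()) + ttl
    payload = f"{a + b}.{expiry}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()  # assumption: SHA-256
    return {"question": f"{a} + {b}", "token": f"{b64u_encode(payload)}.{b64u_encode(sig)}"}

def verify(key: bytes, token: str, typed_answer: str, now=None) -> str:
    """Return "ok" or the reason the submission is rejected."""
    try:
        payload_part, sig_part = token.split(".")
        payload = b64u_decode(payload_part)
    except ValueError:  # wrong part count or undecodable base64
        return "malformed"
    if b64u_encode(payload) != payload_part:  # reject non-canonical encodings
        return "malformed"
    expected = b64u_encode(hmac.new(key, payload, hashlib.sha256).digest())
    if not hmac.compare_digest(sig_part.encode(), expected.encode()):
        return "bad-signature"
    # The payload is parsed only after its signature has been checked.
    answer, _, expiry = payload.decode().partition(".")
    if int(expiry) < (now if now is not None else time.time()):
        return "expired"
    if not hmac.compare_digest(answer.encode(), typed_answer.strip().encode()):
        return "wrong-answer"
    return "ok"
```

The signature is checked before the payload is parsed, so the expiry and answer fields are only ever read from a token this key actually signed.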