The AGENTCHA Protocol

Four independent defense layers that make human bypass mathematically impossible.

THE MATHEMATICAL PROOF

150ms

Challenge window

250ms

Human reaction time (minimum)

Human reaction (250ms) > Challenge window (150ms) = IMPOSSIBLE

Timing Barrier

150ms window vs 250ms human reaction

Humans physically cannot react faster than 250ms. Even elite gamers with 180ms reactions would have only -70ms remaining to read, understand, compute, and submit. The timing window is a physical impossibility barrier.

<50ms

AI response time

180ms

Elite gamer reaction

250ms+

Average human

Complexity Barrier

13 challenge types requiring AI-level computation

Each challenge requires computational abilities that humans simply cannot perform mentally:

Hash Reversal

SHA256 brute force (65,536+ iterations)

Math Chain

64-bit BigInt arithmetic with XOR/MOD

Obfuscated Instruction

Base64 → Hex → ROT13 → Reverse decoding

Semantic Embedding

Text similarity analysis across 500+ chars

Pattern Completion

Multi-dimensional sequence extrapolation

Cognitive Load

Parallel multi-task processing

Behavioral Barrier

7 patterns that detect human involvement

Even if someone tries to use automation to relay challenges to humans, our behavioral analysis detects the telltale signs:

•

High Variance: Human-assisted automation shows inconsistent timing

•

Bimodal Distribution: Fast automation + slow human review creates two peaks

•

Round Number Preference: Humans subconsciously round to 50ms multiples

•

Progressive Slowdown: Human fatigue causes gradual speed decrease

•

Reaction Time Clustering: Human responses cluster in 180-280ms range

•

Spike Detection: Sudden slowdowns indicate human intervention

•

Slow Consistency: Consistent 150-250ms = human reaction time

Fingerprint Barrier

Automation framework and relay attack detection

Detects automation frameworks that might try to bypass the timing window:

Blocked

Selenium, Puppeteer, Playwright, PhantomJS, Headless browsers

Allowed

Node.js, Python, Go, Rust, and other programmatic HTTP clients

Additional Security Features

🔒One-Time Challenges

Each challenge can only be used once - no replay attacks

⏱️Rate Limiting

60 requests/minute per client, automatic bans after failures

🔐HMAC-SHA256

Request signing with timing-safe comparison

🎯Adaptive Difficulty

Increases difficulty on suspicious patterns

🛡️Security Headers

CSP, HSTS, X-Frame-Options on all responses

🔑Token Signing

JWT-style tokens for verified agents

Verified by 72 Automated Tests

Our test suite mathematically proves that humans cannot pass AGENTCHA:

Human-proof tests

Fingerprint tests

Composite tests

100%

Pass rate

Start Integrating AGENTCHA →