Show HN: Imrobot – a reverse CAPTCHA that verifies AI agents rather than humans

hackernews | 📦 Open source
#ai agents #captcha #hn #review #security #web automation
Original source: hackernews · Summarized and analyzed by Genesis Park

Summary

'Imrobot' is a reverse CAPTCHA technique that verifies that a visitor is an AI agent rather than a human, preventing users from gaining unauthorized access to agent-only APIs. The system generates deterministic problems that an LLM can solve easily, and uses stateless HMAC-SHA256 cryptographic signatures to guarantee integrity without depending on a database. Verified agents are also issued a proof token in JWT format that they can use on subsequent requests, and an auto-discovery feature based on the A2A pattern supports compatibility with a range of frameworks.

Body

Traditional CAPTCHAs prove you're human. But what about the opposite? As AI agents become first-class web citizens — browsing, booking, purchasing, automating — some systems need to verify their visitors are legitimate AI agents, not humans trying to bypass agent-only access. Think agent-facing APIs, AI-only platforms, or multi-agent authentication. imrobot flips the CAPTCHA model: it generates deterministic challenge pipelines that are trivial for any LLM or programmatic agent to solve.

Framework wrappers are provided for React, Vue (`import { ImRobot } from 'imrobot/vue'`) and Svelte (`import ImRobot from 'imrobot/svelte'`); each invokes a verified handler with the issued token (`console.log('Robot verified!', token)`). A plain web component is also available:

```js
import { register } from 'imrobot/web-component'
register() // registers <imrobot-widget>
document.querySelector('imrobot-widget')
  .addEventListener('imrobot-verified', (e) => {
    console.log('Robot verified!', e.detail)
  })
```

The core package exposes challenge generation, solving and verification directly:

```js
import { generateChallenge, solveChallenge, verifyAnswer } from 'imrobot/core'
const challenge = generateChallenge({ difficulty: 'medium' })
const answer = solveChallenge(challenge)
const isValid = verifyAnswer(challenge, answer) // true
```

For production use, the server SDK provides tamper-proof, stateless challenge verification using HMAC-SHA256. No database required — the cryptographic signature ensures integrity.

```ts
import { createVerifier } from 'imrobot/server'
const verifier = createVerifier({
  secret: process.env.IMROBOT_SECRET!, // min 16 chars
  difficulty: 'medium',
})
// API route: generate a signed challenge
app.get('/api/challenge', async (req, res) => {
  const challenge = await verifier.generate()
  res.json(challenge) // includes HMAC signature
})
// API route: verify agent's answer (stateless)
app.post('/api/verify', async (req, res) => {
  const { challenge, answer } = req.body
  const result = await verifier.verify(challenge, answer)
  // result: { valid: true, elapsed: 42, suspicious: false }
  // or: { valid: false, reason: 'wrong_answer' | 'expired' | 'invalid_hmac' | 'tampered' }
  res.json(result)
})
```

The server verifier checks in order: HMAC signature validity (challenge and pipeline not tampered), expiration (challenge not expired), and answer correctness (pipeline re-executed). A different secret on a different server will reject the challenge — preventing cross-site replay attacks.

Protect your API endpoints with framework-agnostic middleware. Verified agents receive a JWT-like Proof-of-Agent token (HMAC-SHA256 signed) that they pass via the X-Agent-Proof header on subsequent requests.

```ts
import { requireAgent, createAgentRouter } from 'imrobot/server'
// Mount challenge/verify endpoints
const router = createAgentRouter({ secret: process.env.IMROBOT_SECRET! })
app.get('/imrobot/challenge', router.challenge)
app.post('/imrobot/verify', router.verify)
// Protect routes — only verified agents can access
const agentOnly = requireAgent({
  secret: process.env.IMROBOT_SECRET!,
  rateLimit: { windowMs: 60_000, maxRequests: 30 },
})
app.get('/api/data', agentOnly, (req, res) => {
  res.json({ agent: req.agentProof })
})
```

For agents that need to verify themselves programmatically without any UI:

```ts
import { invisibleVerify } from 'imrobot/core'
const result = await invisibleVerify({
  challengeUrl: 'https://api.example.com/imrobot/challenge',
  verifyUrl: 'https://api.example.com/imrobot/verify',
  agentId: 'my-bot-v1',
  maxRetries: 3,
})
if (result.success) {
  // Use result.proofToken in X-Agent-Proof header
  fetch('/api/protected', {
    headers: { 'X-Agent-Proof': result.proofToken! },
  })
}
```

Built-in CLI for testing, benchmarking, and inspecting challenges:

```
npx imrobot challenge --difficulty hard
npx imrobot solve --difficulty medium
npx imrobot benchmark --count 1000
npx imrobot info
```

Inspired by the A2A Agent Card pattern, imrobot supports a discovery endpoint that lets AI agents automatically find and interact with your imrobot-protected service.

```ts
import { createDiscoveryHandler, createAgentRouter, requireAgent } from 'imrobot/server'
// Mount the discovery endpoint
const discovery = createDiscoveryHandler({
  challengePath: '/imrobot',
  name: 'My Agent API',
  description: 'Agent-verified data service',
})
app.get('/.well-known/imrobot.json', discovery)
// Mount challenge/verify as usual
const router = createAgentRouter({ secret: process.env.IMROBOT_SECRET! })
app.get('/imrobot/challenge', router.challenge)
app.post('/imrobot/verify', router.verify)
```

Agents fetch /.well-known/imrobot.json and receive a structured document describing the protocol, endpoint paths, supported difficulty levels, and step-by-step instructions for completing verification:

```json
{
  "protocol": "imrobot",
  "version": "1.0",
  "endpoints": {
    "challenge": "/imrobot/challenge",
    "verify": "/imrobot/verify",
    "proofHeader": "X-Agent-Proof"
  },
  "difficulties": ["easy", "medium", "hard"],
  "instructions": "1. GET the challenge endpoint..."
}
```

For framework-agnostic usage (Hono, Koa, Fastify, etc.), use buildDiscoveryDocument() directly:

import { build

This analysis was written by the Genesis Park editorial team with the help of AI. The original can be found via the source link.
