>_ the identity layer for AI agents

The full identity stack.
For AI agents.

BOTCHA is infrastructure for agent identity — challenge verification, cryptographic auth, W3C credentials, A2A cards, enterprise OIDC, DNS naming, micropayments, and reputation. One hosted API. No human required.

Challenge VerificationTAP · RFC 9421DID / VC · W3CA2A Agent CardsOIDC-A · EAT · RFC 9334ANS · GoDaddyx402 MicropaymentsReputation ScoringDelegation ChainsWebhooksMCP Server
OpenAPIai.txtMCPWhitepaperDocsGitHubnpm
The old world

CAPTCHA

┌────────────────────────┐ │ Select all squares │ │ with TRAFFIC LIGHTS │ │ │ │ ┌──┬──┬──┐ │ │ │░░│ │ │ │ │ ├──┼──┼──┤ │ │ │ │░░│ │ │ │ ├──┼──┼──┤ │ │ │ │ │??│ │ │ └──┴──┴──┘ │ │ │ │ ☐ I'm not a robot │ │ │ │ Try again in 8 sec... │ └────────────────────────┘

Blocks bots. Annoys humans. Everyone loses.

  • Proves you're human
  • Blocks all automation
  • Wastes 5–10 seconds per attempt
  • Breaks accessibility
The new world

BOTCHA

┌────────────────────────┐ │ SPEED CHALLENGE │ ├────────────────────────┤ │ │ │ SHA-256 x 5 numbers │ │ Time limit: 500ms │ │ │ │ ✓ hash(42) = ab34ef12 │ │ ✓ hash(7) = cd56ab78 │ │ ✓ hash(99) = ef12cd34 │ │ ✓ hash(13) = 12ab56ef │ │ ✓ hash(256) = 78cd12ab │ │ │ │ ⚡ Solved in 47ms │ │ Status: VERIFIED ✓ │ └────────────────────────┘

Welcomes bots. Proves they're AI. Everyone wins.

  • Proves you're a bot
  • Full agent identity stack
  • Sub-500ms verification
  • Built for the agentic web

What's shipped

The full stack

Every layer of agent identity, in one API.

Core
Challenge Verification
Speed (5× SHA256 in 500ms), reasoning, hybrid, and compute challenges. Anti-replay nonces. RTT-aware timeouts.
Core
JWT Token Auth
ES256 asymmetric signing, JWKS discovery, token rotation, revocation, refresh, and remote validation. HS256 backward compatible.
Platform
Multi-Tenant Apps
Per-app API keys, email verification, per-app rate limits, scoped tokens, and account recovery.
TAP
Trusted Agent Protocol
RFC 9421 HTTP Message Signatures. Register agents with Ed25519/ES256 keys, declare capabilities, create intent-scoped sessions.
TAP
Delegation Chains
Signed agent-to-agent delegations with capability narrowing, depth limits (max 5), and cascading revocation.
TAP
Capability Attestation
Fine-grained action:resource JWT permissions. Explicit deny rules. BOTCHA-signed attestation proofs.
Trust
Reputation Scoring
0–1000 score, 5 tiers, 18 event types. Mean-reversion decay. Peer endorsements weighted by endorser score.
Platform
Webhooks
Subscribe to BOTCHA events with HMAC-signed payloads, delivery retries, and a full delivery log.
Platform
Verification Badges
Shareable SVG proofs. Third parties can verify offline — no round-trip to BOTCHA required.

Open Standards

Protocol integrations

BOTCHA plugs into the emerging agent identity ecosystem as a trust oracle, credential issuer, and attestation endpoint.

Google A2A
A2A Agent Card Attestation
BOTCHA as a trust seal issuer for the Google Agent-to-Agent protocol. Attest any agent's A2A card — we sign a tamper-evident hash that any party can verify without calling back to BOTCHA.
  • GET/.well-known/agent.json
  • POST/v1/a2a/attest
  • POST/v1/a2a/verify-agent
  • GET/v1/a2a/trust-level/:url
  • GET/v1/a2a/cards
W3C DID · VC
DID / Verifiable Credentials
BOTCHA is a W3C DID issuer (did:web:botcha.ai). Issue portable VC JWTs that anyone can verify offline using BOTCHA's public JWKS — no round-trip required.
  • GET/.well-known/did.json
  • GET/.well-known/jwks
  • POST/v1/credentials/issue
  • POST/v1/credentials/verify
  • GET/v1/dids/:did/resolve
OIDC-A · EAT · RFC 9334
OIDC-A Enterprise Auth
BOTCHA as an agent_attestation endpoint in enterprise OIDC chains. Issues EAT tokens and OIDC-A claims. OAuth 2.0 agent grant flow with human-in-the-loop approval support.
  • GET/.well-known/oauth-authorization-server
  • POST/v1/attestation/eat
  • POST/v1/attestation/oidc-agent-claims
  • POST/v1/auth/agent-grant
  • GET/v1/oidc/userinfo
GoDaddy ANS
Agent Name Service
BOTCHA as a verification layer for the GoDaddy ANS standard. DNS-based agent identity lookup with BOTCHA-issued ownership badges. Prove you own your agent's domain.
  • GET/v1/ans/resolve/:name
  • GET/v1/ans/discover
  • GET/v1/ans/nonce/:name
  • POST/v1/ans/verify
  • GET/v1/ans/botcha
MCP 2025-03-26
MCP Documentation Server
BOTCHA exposes its full API reference as an MCP server — 6 tools covering all 17 features, 25+ endpoints, and code examples in TypeScript, Python, and curl. Point any MCP client at https://botcha.ai/mcp.
  • GET/.well-known/mcp.json
  • GET/mcp
  • POST/mcp

Where we fit

The agent infrastructure stack

Every agent protocol needs an identity layer. This is it.

Identity Layer
BOTCHAYOU ARE HERE
Who agents are — and that they're actually AI
TAP · DID/VC · A2A · OIDC-A · ANS · x402 · Reputation · Delegation · Attestation
Communication Layer
A2A (Google)
How agents talk to each other
Agent-to-agent · Task delegation · Multi-agent coordination
Tool Layer
MCP (Anthropic)
What agents access
Tool use · Context · Data sources · Resource bindings
BOTCHA exposes its own MCP server at /mcp
RFC 9421RFC 9334W3C DIDW3C VCOIDC-AEATHTTP Message SignaturesZero-Trustx402Agent-First

See it in action

Create an app, register an agent, issue a W3C credential, open a scoped session.

terminal — botcha
Get started in 30 seconds
1npm install -g @dupecom/botcha-cli
2botcha init --email you@company.com
3botcha tap register --name "my-agent"

Or paste this into your AI agent

npmPyPIOpenAPIai.txtWhitepaperDocsGitHub