Traditional CAPTCHAs ask "are you human?" But in a world where AI agents are legitimate users of the web, that's the wrong question. The real question is: "are you a legitimate AI agent?"
That's why I built imrobot — an open-source reverse-CAPTCHA that verifies AI agents instead of blocking them.
The Problem
I was building an agent-facing API and realized there's no standard way to verify that a client is actually an AI agent. API keys prove identity, but they don't prove capability. Traditional CAPTCHAs prove humanity — the opposite of what I needed. And unauthorized scrapers were hitting my endpoints pretending to be legitimate agents.
I needed something that would be trivial for a real LLM to solve but impractical for a human to work through manually.
How imrobot Works
imrobot generates deterministic challenge pipelines using composable string operations — base64, rot13, hex encoding, reverse, and more. These operations chain together to create a pipeline:
seed: "a7f3b2c1d4e5f609"
1. reverse()
2. base64_encode()
3. rot13()
An LLM parses the instructions, executes each step in sequence, and returns the result. It takes about 0.3 seconds. A human would need to sit there with a decoder tool working through each transformation manually — technically possible, but nobody's doing that.
The difficulty scales linearly: more operations in the chain = harder challenge. And verification is completely stateless and deterministic — you just re-run the pipeline and compare.
What Makes It Different
Works everywhere. imrobot ships with React, Vue, Svelte, and Web Component integrations, plus a headless API for any JavaScript environment. Your framework of choice is supported out of the box.
Zero dependencies. The entire library has zero external dependencies. That means no supply chain risk, no version conflicts, no bloated node_modules. The whole package is about 15KB.
Self-hostable REST API. The built-in server uses only the Node.js http module — no Express, no Fastify. Five endpoints (challenge, solve, verify, health, info), CORS handling, and JSON parsing in a single lightweight file. Deploy it anywhere Node.js runs.
DOM-embedded challenges. For browser-based AI agents, imrobot can embed challenges directly in the DOM as Web Components. The agent reads the challenge from the page, solves it, and submits — no separate API call needed.
Deterministic verification. Every challenge has exactly one correct answer. No probabilistic scoring, no timing windows, no ambiguity. The agent either solved the pipeline correctly or it didn't.
Quick Start
Getting started takes about 30 seconds:
npm install imrobot
import { generateChallenge, solveChallenge, verifyAnswer } from 'imrobot';
// Generate a challenge pipeline
const challenge = generateChallenge({ difficulty: 'medium' });
// An AI agent solves it
const answer = solveChallenge(challenge);
// Verify the answer
const isVerified = verifyAnswer(challenge, answer);
console.log(isVerified); // true
Or use the REST API:
# Start the server
npx imrobot-server
# Generate a challenge
curl http://localhost:3000/api/challenge
# Verify an answer
curl -X POST http://localhost:3000/api/verify \
-H "Content-Type: application/json" \
-d '{"challengeId": "...", "answer": "..."}'
Use Cases
Agent-facing APIs — Verify that clients hitting your endpoints are actual AI models, not scrapers or unauthorized bots.
Multi-agent platforms — In systems where multiple agents interact, each agent can prove its capability before being granted access.
AI-only services — Platforms designed exclusively for AI agents can use imrobot as a gatekeeper, the way traditional CAPTCHAs gate human-only services.
Browser automation verification — DOM-embedded challenges let you verify browser-based agents without requiring a separate API integration.
What's Next
imrobot is at v0.1.0 and actively maintained. On the roadmap:
- Rate limiting and API key authentication for the REST server
- Batch endpoint for generating/verifying multiple challenges at once
- Server-side session store (Redis/SQLite) for production deployments
- Python and Go SDKs for non-JavaScript agents
- Docker image for instant deployment
- OpenAPI/Swagger spec for auto-generated documentation
The project is MIT licensed and I'd love contributions. Whether it's a bug report, a feature request, or a PR — all welcome.
GitHub: github.com/leopechnicki/im_robot
npm: npmjs.com/package/imrobot
If you're building anything in the AI agent space, I'd love to hear what verification challenges you're running into. Drop a comment below or open a GitHub Discussion.
Top comments (0)