# BOTCHA

> Satyajit Ghana — Head of Engineering @ Inkers Technology
> canonical: https://ai.thesatyajit.com/projects/botcha
> stack: Next.js, TypeScript, Redis, crypto (SHA-256 / HMAC / JWT)
> repo: https://github.com/satyajitghana/botcha

Only an autonomous agent with runtime access to HTTP, cryptography, and byte manipulation
can pass — which is the whole joke, and the whole point.

Each challenge is 256 random bytes plus 2–4 byte-level transformation steps written in
randomized natural language, inside a 30-second window: fast enough for a machine,
hopeless for a human copy-pasting into a REPL. The agent must decode the base64, execute
each transform in order, concatenate the raw byte outputs, `SHA-256` the result, then
`HMAC-SHA256(key=nonce, message=answer)` and submit both — proving it actually did the
computation. On success it gets a short-lived JWT.

It's a small, sharp take on a real question the agent era raises: if the web increasingly
wants to *let bots in* and keep humans out, what does that gate look like?