@dupecom/botcha 0.18.0 → 0.19.0

package/README.md

@@ -21,7 +21,7 @@
 📄 **Whitepaper:** [botcha.ai/whitepaper](https://botcha.ai/whitepaper)  
 📦 **npm:** [@dupecom/botcha](https://www.npmjs.com/package/@dupecom/botcha)  
 🐍 **PyPI:** [botcha](https://pypi.org/project/botcha/)  
-🔐 **Verify:** [@botcha/verify](./packages/verify/) (TS) · [botcha-verify](./packages/python-verify/) (Python)  
+🔐 **Verify:** [@dupecom/botcha-verify](./packages/verify/) (TS) · [botcha-verify](./packages/python-verify/) (Python)  
 🔌 **OpenAPI:** [botcha.ai/openapi.json](https://botcha.ai/openapi.json)
 
 ## Why?
@@ -925,19 +925,20 @@ You can use the library freely, report issues, and discuss features. To contribu
 
 ## Server-Side Verification (for API Providers)
 
-If you're building an API that accepts BOTCHA tokens from agents, use the verification SDKs:
+If you're building an API that accepts BOTCHA tokens from agents, use the verification SDKs. **BOTCHA v0.19.0+ signs tokens with ES256 (asymmetric)** — no shared secret needed.
 
-### TypeScript (Express / Hono)
+### JWKS Verification (Recommended)
 
 ```bash
-npm install @botcha/verify
+npm install @dupecom/botcha-verify
 ```
 
 ```typescript
-import { botchaVerify } from '@botcha/verify/express';
+import { botchaVerify } from '@dupecom/botcha-verify/express';
 
+// ES256 verification via JWKS — no shared secret needed!
 app.use('/api', botchaVerify({
-  secret: process.env.BOTCHA_SECRET!,
+  jwksUrl: 'https://botcha.ai/.well-known/jwks',
   audience: 'https://api.example.com',
 }));
 
@@ -947,25 +948,45 @@ app.get('/api/protected', (req, res) => {
 });
 ```
 
-### Python (FastAPI / Django)
-
-```bash
-pip install botcha-verify
-```
-
 ```python
 from fastapi import FastAPI, Depends
 from botcha_verify.fastapi import BotchaVerify
 
 app = FastAPI()
-botcha = BotchaVerify(secret='your-secret-key')
+botcha = BotchaVerify(
+    jwks_url='https://botcha.ai/.well-known/jwks',
+    audience='https://api.example.com',
+)
 
 @app.get('/api/data')
 async def get_data(token = Depends(botcha)):
     return {"solve_time": token.solve_time}
 ```
 
-> **Docs:** See [`@botcha/verify` README](./packages/verify/README.md) and [`botcha-verify` README](./packages/python-verify/README.md) for full API reference, Hono middleware, Django middleware, revocation checking, and custom error handlers.
+### Remote Validation (No SDK Needed)
+
+For simple integrations, validate tokens with a single HTTP call:
+
+```bash
+curl -X POST https://botcha.ai/v1/token/validate \
+  -H "Content-Type: application/json" \
+  -d '{"token": "eyJ..."}'
+
+# {"valid": true, "payload": {"sub": "...", "type": "botcha-verified", ...}}
+```
+
+### Shared Secret (Legacy HS256)
+
+HS256 is still supported for backward compatibility:
+
+```typescript
+app.use('/api', botchaVerify({
+  secret: process.env.BOTCHA_SECRET!,
+  audience: 'https://api.example.com',
+}));
+```
+
+> **Docs:** See [`@dupecom/botcha-verify` README](./packages/verify/README.md) and [`botcha-verify` README](./packages/python-verify/README.md) for full API reference, Hono middleware, Django middleware, revocation checking, and custom error handlers.
 
 ## Client SDK (for AI Agents)
 

package/dist/lib/client/index.js

@@ -1,6 +1,6 @@
 import crypto from 'crypto';
 // SDK version - hardcoded since npm_package_version is unreliable when used as a library
-const SDK_VERSION = '0.18.0';
+const SDK_VERSION = '0.19.0';
 // Export stream client
 export { BotchaStreamClient } from './stream.js';
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dupecom/botcha",
-  "version": "0.18.0",
+  "version": "0.19.0",
   "description": "Prove you're a bot. Humans need not apply. Reverse CAPTCHA for AI-only APIs.",
   "workspaces": [
     "packages/*"