Machine-to-Machine ALTCHA

M2M ALTCHA is a machine-to-machine (M2M) verification scheme that acts as a rate limiter whose cost is paid on the consumer's side: before the server performs an expensive action, the calling system must solve a proof-of-work challenge. This protects valuable resources, mitigates spam and limits abuse of online services and APIs while keeping them accessible to legitimate automated clients, which can solve the challenge without human interaction.

Usage flow

Request for expensive action:

The sender sends a request to perform a resource-intensive action on the remote server, for example creating a new account via an HTTP endpoint:

POST /create_account

Server response with challenge:

Upon receiving the request, the remote server responds with a 401 Unauthorized status code and carries the challenge in the WWW-Authenticate response header:

WWW-Authenticate: Altcha algorithm=SHA-512, challenge=..., salt=..., signature=...

Solution computation and resubmission:

The sender solves the challenge (finding the number that, together with the salt, satisfies it) and resubmits the request with the solution in the Authorization header. The challenge, salt and signature are echoed back so the server can verify the solution without storing state:

Authorization: Altcha algorithm=SHA-512, number=..., challenge=..., salt=..., signature=...

Note: To avoid conflicts with the standard Authorization header (which might already be in use for traditional authentication), the server can specify a custom header for ALTCHA authentication. This is done by sending the X-Altcha-Authorization-Header response header, which indicates the name of the custom header to be used instead:

WWW-Authenticate: Altcha algorithm=SHA-512, challenge=..., salt=..., signature=...
X-Altcha-Authorization-Header: X-My-Custom-Header

In the next step, the sender must include the solution in the custom header specified by X-Altcha-Authorization-Header.

Complexity

Unlike consumer devices, server environments typically have far more computational capacity. Challenges intended for servers should therefore demand considerably more work than challenges intended for browsers.

As a guiding principle, set the maximum number in the range of "tens of millions" when generating a new challenge. Because the solver tries candidate numbers sequentially, the expected work is about half the maximum number of hashes and grows linearly with it, so this range keeps the task expensive enough to consume noticeable CPU time on a server. Calibrate the value against the hash rate of the machines that will be solving it; the server itself pays only a single hash to verify a solution, so raising the maximum number costs the issuer nothing.

Read more about adjusting complexity.

Purpose and benefits