Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/midudev/mundial-de-clicks/llms.txt

Use this file to discover all available pages before exploring further.

GET /api/captcha/session is called on every page load to determine whether the Cap captcha widget needs to be shown. It reads the cap_session cookie, then validates the session in DragonFly by checking the remaining vote quota and the IP binding stored when the session was created. The result drives two binary decisions in the client: whether to download the Cap WASM bundle at all, and whether to show the challenge UI immediately.

Request

The browser’s Cookie header. The endpoint reads the cap_session value from it. No Authorization header or request body is required.
GET /api/captcha/session HTTP/1.1
Cookie: cap_session=550e8400-e29b-41d4-a716-446655440000

Response

200 OK — always returned (errors are represented in the body fields, never as non-200 statuses).
{ "required": true, "valid": false }
required
boolean
required
true when CAP_API_URL is set and DragonFly is reachable (hasCaptcha). When false, the captcha widget is never loaded — no WASM download occurs — and all POST /api/vote requests are accepted without a session cookie.
valid
boolean
required
true when all of the following hold: a cap_session cookie was sent, the corresponding cap:sess:{id} key exists in DragonFly with a remaining quota greater than zero, and the cap:sess-ip:{id} key matches the current trusted client IP (CF-Connecting-IP). If DragonFly is temporarily unavailable, returns false as a safe default — the client will re-verify on the next vote attempt rather than failing with a 500.
Cache-Control: no-store is set on every response. Session validity changes within seconds (votes consume quota; TTL expires), so proxy or browser caching must be avoided.

Behavior matrix

Session validation internals

The endpoint calls isSessionValid(id, ip) from src/lib/captcha.ts, which executes a single MGET against two DragonFly keys:
DragonFly keyContainsTTL
cap:sess:{id}Remaining vote quota (integer string)max(30, CAP_SESSION_TTL_SECONDS) (default 120 s)
cap:sess-ip:{id}Trusted client IP bound at session creationSame TTL
The session is considered valid only when storedIp === callerIp && quota > 0. The entire MGET is wrapped in a hard timeout (REDIS_COMMAND_TIMEOUT_MS, default 2 000 ms); a timeout throws and valid is set to false.

Environment variables

VariableDefaultEffect
CAP_API_URL(unset)Enables captcha. Must be set alongside DragonFly for required to be true.
REDIS_URL / DRAGONFLY_HOSTlocalhost:6379Required for session lookups. If absent, captcha is disabled regardless of CAP_API_URL.
REDIS_COMMAND_TIMEOUT_MS2000Hard timeout (ms) for the DragonFly MGET.

Build docs developers (and LLMs) love