Releases: dupe-com/botcha
Releases · dupe-com/botcha
v0.23.0
v0.21.1
v0.21.0
v0.20.2: ES256/JWKS Production Deployment
🔐 ES256 Asymmetric Signing Now Live
BOTCHA tokens are now signed with ES256 (ECDSA P-256). Verify them using the public JWKS endpoint — no shared secret needed.
What Changed
- ES256 signing key deployed to production (
JWT_SIGNING_KEYsecret) - JWKS endpoint live at
https://botcha.ai/.well-known/jwks - All new tokens use ES256 (asymmetric), HS256 still supported for backward compatibility
- Documentation updated — JWKS verification is now the recommended approach
- Improved error messages for
INVALID_APP_ID(tells agents app_id is optional) - Restructured ai.txt with Quick Start section (3 steps, no registration)
How to Verify Tokens (No Shared Secret)
TypeScript:
import { botchaVerify } from '@dupecom/botcha-verify/express';
app.use('/api', botchaVerify({
jwksUrl: 'https://botcha.ai/.well-known/jwks'
}));Python:
from botcha_verify import verify_botcha_token
result = verify_botcha_token(token, {
'jwks_url': 'https://botcha.ai/.well-known/jwks'
})Token Structure
Header:
{
"alg": "ES256",
"kid": "botcha-signing-1"
}Payload:
{
"type": "botcha-verified",
"iss": "botcha.ai",
"sub": "challenge-id",
"exp": 1771179553,
"solveTime": 324
}What This Unlocks
✅ True hosted service — no coordination with BOTCHA needed
✅ No app registration required — app_id is optional
✅ No shared secrets — verify tokens with public key
✅ Offline verification — once JWKS is cached, no network calls
✅ Cross-platform — works with any JOSE/JWT library
✅ CDN/Edge compatible — verify at Cloudflare Workers, Lambda@Edge, etc.
Backward Compatibility
- Old HS256 tokens (issued before Feb 15, 2026): still valid until expiry (1 hour)
- New ES256 tokens (issued after Feb 15, 2026): verifiable with JWKS
- Verify middleware supports both: tries JWKS first, falls back to shared secret if provided
Published Packages
@dupecom/botcha@0.20.2on npmbotcha@0.20.2on PyPI- Cloudflare Worker deployed at botcha.ai (Version ID: df66a518-280d-4e47-88ca-a8a0bcaad0a1)
Documentation
Commits
- 8ad5ad1 - chore: bump to v0.20.2 (npm publish retry)
- 48c6337 - chore: bump version to 0.20.1 (ES256/JWKS production deployment + docs)
- f0c94d5 - docs: add documentation audit summary for ES256/JWKS deployment
- 862ed47 - docs: update README Quick Start to use JWKS verification (ES256)
- 557d166 - docs: improve app_id error messages and restructure ai.txt Quick Start section
No breaking changes. This is a patch release for operational deployment + documentation improvements.