Verify Turnstile token
curl --request POST \
  --url https://api.agg.market/bot-protection/verify \
  --header 'Content-Type: application/json' \
  --header 'x-app-id: <app-id>' \
  --header 'x-app-api-key: <api-key>' \
  --data '
{
  "turnstileToken": "<string>"
}
'

{
  "success": true
}

Bot Protection
Verify Turnstile token
Verifies a Cloudflare Turnstile token against the app’s linked widget. Intended to be called from your backend, not the browser — API keys are secrets and must never ship to the client. Both x-app-id and x-app-api-key are required; the server rejects the request with 401 if x-app-id does not match the app embedded in the API key. Create a key via POST /apps/:appId/api-keys (admin JWT required). Returns { success: true } on a valid token or 403 if verification fails. Tokens are single-use (replay-protected).
POST /bot-protection/verify
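A backend-side wrapper for this endpoint, added here as an example (it is not code from the API's own documentation or SDK). The URL, headers, body field and status codes are the ones described above; the function names, the reason strings and the injectable `post` transport are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.request

VERIFY_URL = "https://api.agg.market/bot-protection/verify"


def http_post(url, headers, body, timeout=5):
    """Default transport (hypothetical helper): returns (status, body_bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # 401/403 arrive as HTTPError; hand the status back to the caller.
        return err.code, err.read()


def verify_turnstile(token, app_id, api_key, post=http_post):
    """Return (ok, reason). ok is True only for HTTP 200 with {"success": true}."""
    if not isinstance(token, str) or not token:
        return False, "missing-token"  # nothing to verify, skip the API call
    headers = {
        "Content-Type": "application/json",
        "x-app-id": app_id,        # must match the app embedded in the key
        "x-app-api-key": api_key,  # secret: load server-side, never send to the client
    }
    body = json.dumps({"turnstileToken": token}).encode()
    try:
        status, raw = post(VERIFY_URL, headers, body)
    except OSError:
        return False, "verifier-unreachable"  # fail closed on network errors
    if status == 401:
        return False, "bad-credentials"  # configuration problem, not a bot signal
    if status == 403:
        return False, "token-rejected"  # verification failed
    if status != 200:
        return False, f"unexpected-status-{status}"
    try:
        ok = json.loads(raw).get("success") is True
    except (ValueError, AttributeError):
        return False, "malformed-response"
    return (True, "ok") if ok else (False, "token-rejected")
```

Because tokens are single-use, call this once per submission and do not retry with the same token; after any failure the client needs a fresh one. Alert on `bad-credentials` separately from `token-rejected`, since the former indicates a misconfigured key or app ID rather than a failed challenge.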