API Reference Complete Crovly API endpoint documentation.
Base URL: https://api.crovly.com
For interactive API documentation with request builder, visit the Scalar API Reference .
Request a new PoW challenge. The widget calls this automatically.
IP Binding: The challenge is bound to the requesting IP. The subsequent /verify call must come from the same IP address.
Header Required Description X-Site-KeyYes Your public site key
{ "nonce" : "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4" , "difficulty" : 18 , "algorithm" : "sha256" , "expiresAt" : 1709251200000 } Field Type Description noncestring 32-char hex nonce to solve difficultyinteger Leading zero bits required (16–28, adaptive) algorithmstring Always sha256 expiresAtnumber Expiry timestamp (Unix ms)
60 requests/min per IP (global)
30 requests/min per IP per site key
Code Description 400Invalid or missing X-Site-Key header 403Site key invalid, site inactive, or origin not allowed 429Rate limit exceeded 503Service temporarily unavailable
Submit the PoW solution with browser signals. Returns a verification token if the challenge passes.
IP Binding: Must be called from the same IP that requested the challenge. Mismatched IPs return 403.
Header Required Description X-Site-KeyYes Your public site key Content-TypeYes application/json
{ "nonce" : "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4" , "counter" : 182637 , "solveTimeMs" : 245 , "fingerprintHash" : "e3b0c44298fc1c149afbf4c8996fb924..." , "environment" : { "webdriver" : false , "chromeAbsent" : false , "swiftShader" : false , "noPlugins" : false , "notificationDenied" : false , "zeroScreen" : false , "noLanguages" : false } } Field Type Required Description noncestring Yes 32-char hex nonce from /challenge counterinteger Yes Counter value that solves the PoW solveTimeMsnumber No Client-reported solve time (ms) fingerprintHashstring Yes SHA-256 of browser signals environmentobject No Headless detection signals
{ "token" : "1709424000|a1b2c3d4...|182637|e3b0c442...|hmac..." , "passed" : true , "expiresAt" : 1709424300000 } { "token" : null , "passed" : false , "expiresAt" : null } Note: If the site has IP rules configured (Pro plan), blocked IPs or IPs not on the allowlist receive an immediate passed: false response without going through the full scoring pipeline.
Field Type Description tokenstring | null Verification token for your backend. Null if failed. passedboolean Whether verification passed the site threshold expiresAtnumber | null Token expiry (Unix ms, 5 min TTL). Null if failed.
30 requests/min per IP (global)
20 requests/min per IP per site key
Code Description 400Invalid body, expired nonce, or missing fields 403IP mismatch, invalid site key, or origin not allowed 429Rate limit exceeded 503Service temporarily unavailable
Server-side token verification. Call this from your backend only — this endpoint does not support CORS.
Tokens are single-use and expire after 5 minutes.
Header Required Description AuthorizationYes Bearer YOUR_API_KEYContent-TypeYes application/json
{ "token" : "1709424000|a1b2c3d4...|182637|e3b0c442...|hmac..." , "expectedIp" : "203.0.113.42" } Field Type Required Description tokenstring Yes Token from /verify expectedIpstring No IP to match against. Recommended for security.
{ "success" : true , "score" : 0.85 , "ip" : "203.0.113.42" , "solvedAt" : 1709424000000 } { "success" : false , "error" : "Token already used" } Field Type Description successboolean Whether the token is valid scorenumber Confidence score (0.0 = bot, 1.0 = human) ipstring IP that solved the challenge solvedAtnumber When the challenge was solved (Unix ms) errorstring Error message (only when success: false)
100 requests/min per IP (global, fail-closed)
200 requests/min per API key (fail-closed)
Code Description 400Invalid token, expired, site mismatch, or already used 401Missing or invalid Authorization header 429Rate limit exceeded 503Service temporarily unavailable (fail-closed)
Endpoint CORS GET /challengeYes (*) POST /verifyYes (*) POST /verify-tokenNo — backend only
The /challenge and /verify endpoints accept requests from any origin. The /verify-token endpoint is server-to-server only and does not include CORS headers.