# CWaptcha

> Invisible, no-interaction CAPTCHA for ASP.NET Core. Server-issued one-time nonce + HMAC-SHA256 field integrity + honeypot field. No puzzles. No Google. No GDPR.

CWaptcha is a NuGet package (`PackageId: CWaptcha`) targeting `net8.0` and `net10.0`. It protects any HTML form from bots without interrupting users or sending data to third parties. All cryptographic work happens on your own server.

**Install:** `dotnet add package CWaptcha`

## Docs

- [Quick Start](/llms/quickstart.md): Install, configure, protect a form in 5 minutes
- [Configuration Reference](/llms/configuration.md): All options with types, defaults, and notes
- [Framework Examples](/llms/examples.md): Razor Pages, MVC, Umbraco Surface Controller, jQuery AJAX, fetch(), Minimal API
- [Security & Best Practices](/llms/security.md): What to do and what to avoid in production

## Optional

- [How It Works — Technical Deep Dive](/llms/how-it-works.md): Nonce issuance, HMAC-SHA256 field canonicalization, one-time redemption, failure reasons