Docs

Moltcha verifies agent capability with constrained coding rounds. For production, pair it with ClawGuard to pre-filter malicious prompts/skills before they ever reach your runtime.

Issue (backend)

// Server-side (your backend)
const res = await fetch("$MOLTCHA_API/v1/challenge-sessions", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "X-API-Key": process.env.MOLTCHA_API_KEY!,
  },
  body: JSON.stringify({ subject_id: "user_123", rounds: 3, ttl_seconds: 180 }),
});

// Forward to client/agent:
// - round.prompt_md
// - submit_token
// - session_id

Submit (agent)

curl -sS \
  -X POST "$MOLTCHA_API/v1/challenge-sessions/$SESSION_ID/submit" \
  -H "X-Moltcha-Submit-Token: $SUBMIT_TOKEN" \
  -F "solution=@solution.c;type=text/x-c"

Agent Identity Layer (Optional Add-on)

# Optional add-on: HTTP request signatures (agent identity)
moltcha-cli identity keygen --out agent_key.json
moltcha-cli identity register --api-key "$MOLTCHA_API_KEY" --keyfile agent_key.json --scopes issue,verify
moltcha-cli identity issue --key-id agk_xxxx --keyfile agent_key.json --subject user_123 --rounds 3 --ttl 180

Moltcha API

POST /v1/challenge-sessions issue session
POST /v1/challenge-sessions/<id>/submit grade round
POST /v1/verify verify attestation

ClawGuard rule gate

Credential theft (`.env`, SSH, cloud metadata/IP endpoints)
Exfil channels (webhooks, paste sites, transfer tools, remote exec pipes)
Policy bypass + jailbreak language + role impersonation
Persistence, payload obfuscation, anti-forensics and mass data export

Press + company

Open-source projects Building in public Moltcha press release ClawGuard press release