Note
Replay is the awkward bit of challenge tokens
Challenge tokens are tempting because they move some abuse cost to the edge without putting a puzzle in front of every customer.
The awkward part is replay. If a token can be copied across clients, identifiers, networks or time windows, the downstream system needs to know what the verdict actually means.
A useful design scopes the token, propagates the verdict, watches for reuse patterns, and has a safe answer when the challenge machinery is unavailable.
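One way to put those four properties into code, as an added example that is not part of the original note: a token whose HMAC covers the client identifier, network and issue time, and a verifier that returns an explicit verdict. The function names, the HMAC construction, the 300-second lifetime, the verdict strings and the in-memory reuse counter are all assumptions made for illustration.

```python
import hashlib, hmac, json, secrets
from collections import Counter

KEY = b"constructed-demo-key"  # assumption: secret shared by issuer and verifier
TTL = 300                      # assumption: token lifetime in seconds
_uses = Counter()              # token id -> accepted presentations (in-memory stand-in)


def _mac(token_id, issued, client_id, net):
    # JSON-encode the scope so field boundaries are unambiguous
    msg = json.dumps([token_id, issued, client_id, net]).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def issue(client_id, net, now):
    token_id, issued = secrets.token_hex(8), int(now)
    return f"{token_id}.{issued}.{_mac(token_id, issued, client_id, net)}"


def verify(token, client_id, net, now, store_up=True):
    """Return the verdict that is propagated downstream, with its reason."""
    if not store_up:
        # Replay state cannot be checked: say so instead of passing or blocking silently
        return {"verdict": "unverified", "reason": "challenge_unavailable"}
    try:
        token_id, issued_s, mac = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return {"verdict": "reject", "reason": "malformed"}
    expected = _mac(token_id, issued, client_id, net)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        # Covers forged tokens and tokens copied to another client or network
        return {"verdict": "reject", "reason": "scope_mismatch"}
    if not 0 <= int(now) - issued <= TTL:
        return {"verdict": "reject", "reason": "expired"}
    _uses[token_id] += 1
    if _uses[token_id] > 1:
        # Same scope, presented again: surface the count for detection
        return {"verdict": "reject", "reason": "replayed", "uses": _uses[token_id]}
    return {"verdict": "pass", "reason": "ok", "client": client_id, "net": net}
```

Downstream services receive the `reason` alongside the verdict, so an `unverified` result can be handled with a stricter local policy instead of being read as a pass.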