Note

Replay is the awkward bit of challenge tokens

Challenge tokens are tempting because they move some abuse cost to the edge without putting a puzzle in front of every customer.

The awkward part is replay. If a token can be copied across clients, identifiers, networks or time windows, the downstream system needs to know what the verdict actually means.

A useful design scopes the token, propagates the verdict, watches for reuse patterns, and has a safe answer when the challenge machinery is unavailable.
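A sketch of that design, added here as an illustration and not taken from any particular product: the edge signs a token bound to a client identifier, network, action and expiry, and the origin returns a named verdict instead of a bare boolean. The claim names (`cid`, `net`, `act`, `exp`, `jti`), the verdict strings, the demo key and the in-memory use counter are all assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: secret shared by edge and origin

def issue(client_id, net, action, ttl=120, now=None, nonce="n1"):
    """Edge side: sign a token scoped to client, network, action and time."""
    claims = {"cid": client_id, "net": net, "act": action, "jti": nonce,
              "exp": int(now if now is not None else time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + mac

class Verifier:
    def __init__(self, max_uses=1):
        self.uses = {}          # jti -> accepted uses; a shared TTL store in practice
        self.max_uses = max_uses
        self.available = True   # set False when the challenge backend is unreachable

    def verdict(self, token, client_id, net, action, now=None):
        """Origin side: return an explicit verdict string for downstream policy."""
        if not self.available:
            # Safe answer: neither trusted nor blocked; caller applies stricter limits.
            return "unverified"
        now = now if now is not None else time.time()
        try:
            body, mac = token.split(".")
            good = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, good):
                return "invalid"
            c = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return "invalid"
        if now > c["exp"]:
            return "expired"          # copied across time windows
        if (c["cid"], c["net"], c["act"]) != (client_id, net, action):
            return "scope_mismatch"   # copied across clients, networks or actions
        # Count only in-scope uses so a thief cannot burn the owner's token.
        self.uses[c["jti"]] = self.uses.get(c["jti"], 0) + 1
        if self.uses[c["jti"]] > self.max_uses:
            return "replayed"
        return "pass"
```

Logging every non-`pass` verdict alongside the `jti` gives the reuse signal to watch; `unverified` should map to tighter rate limits or step-up checks downstream, not to silent acceptance.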