Well, having an API that posts to "/api/v1/whitelist" with a SHA256 hash of the challenge and salt to the whitelist endpoint really isn't a reverse-captcha and a human with the technical knowhow can write a bot to abuse it.

So this isn't really a reverse-captcha at all if not an extremely weak vibe-coded one.

It's really just meant to remove the standard human UI so non-technical folks can't just click a signup button. If a human has the technical know-how to write a script (or employ an agent) to solve the handshake, they are exactly the kind of developer we want on the waitlist anyway