094f9edadee0dd672aa86803ccb559acd45af58e
max
  Mon Jul 14 12:18:56 2025 -0700
supressing captcha on hgRenderTracks, refs #36077

diff --git src/hg/lib/cart.c src/hg/lib/cart.c
index a12d1a9b6b1..7c7b106b887 100644
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@ -1547,30 +1547,34 @@
     return;
 
 captchaCheckDone = TRUE;
 
 if (fromCommandLine || isEmpty(cfgOption(CLOUDFLARESITEKEY)))
     return;
 
 // no captcha for our own QA scripts running on a server with our IP address
 if (botException())
     return;
 
 // certain user agents are allowed to use the website without a captcha
 if (isUserAgentException())
     return;
 
+// hgRenderTracks should not show the captcha - it was made to be used from other websites
+if (sameWord(cgiScriptName(), "/cgi-bin/hgRenderTracks"))
+    return;
+
 // Do not show a captcha if we have a valid cookie 
 // but for debugging, it's nice to be able to force the captcha
 if (userId && userIdFound && !cgiOptionalString("captcha"))
     return;
 
 // when the captcha is solved, our JS code does a full page-reload, no AJAX. That saves us one round-trip.
 // After the reload, the new page URL has the captcha token in the URL argument list, so now we need to validate it
 // and remove it from the cart
 char *token = cgiOptionalString("token");
 if (token)
 { 
     if (isValidToken(token))
         {
         cartRemove(cart, "token");
         return;