Distil maintains a distinct traffic record for a given fingerprint per domain configured in the Distil Portal. A fingerprint is typically a Distil cookie or SDK token. The sub-domains of a given Distil domain all share the same traffic record for a fingerprint. The traffic record includes information about which fingerprint has successfully completed a captcha. This means that if api.domain.com and www.domain.com are separate domains in the Distil Portal and the API calls from the browser go to api.domain.com, then the www and api domains will have distinct traffic records for a given client, even if the same identifier is used. This scenario is very important when designing single page web applications and their captcha workflow. For more information on designing single page web applications with Distil, see https://help.distilnetworks.com/hc/en-us/articles/360036574073-Setting-up-CAPTCHA-with-Single-Page-Apps.
Let's assume that www and api are configured as sub-domains of domain.com within the Distil Portal. If the user clears the captcha at www.domain.com in this scenario, then Distil acknowledges that the captcha was cleared for the user's fingerprint at api.domain.com. This is because, when www and api are configured as sub-domains of domain.com, the Distil traffic record is available to both sub-domains, www and api.
Now let's assume that www.domain.com and api.domain.com are both distinct domains in the Distil Portal. If the user is in violation for AJAX calls to api.domain.com, but the captcha clear event occurs at www.domain.com, then Distil will never mark the client as clearing captcha for requests going to api.domain.com. This behavior may appear to be a captcha loop to the client. In this type of workflow, the client must be instructed to solve the captcha at api.domain.com.
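The two configurations described above can be modelled as a lookup keyed by Portal domain and fingerprint. This is an added example, not Distil's code: the longest-suffix rule for mapping a hostname to a Portal domain and the names `portal_domain_for`, `TrafficRecords` and `captcha_loop_hosts` are assumptions made for illustration.

```python
# Added example: a simplified model of per-domain traffic records.
# Assumption: a hostname maps to the longest Portal domain that equals it
# or is a parent of it; this mapping rule is illustrative, not Distil's code.

def portal_domain_for(host, portal_domains):
    """Return the configured Portal domain whose record covers `host`, or None."""
    host = host.lower().rstrip(".")
    matches = [d for d in portal_domains
               if host == d or host.endswith("." + d)]
    return max(matches, key=len) if matches else None


class TrafficRecords:
    """Captcha-clear state keyed by (Portal domain, fingerprint)."""

    def __init__(self, portal_domains):
        self.portal_domains = [d.lower() for d in portal_domains]
        self.cleared = set()

    def _key(self, host, fingerprint):
        return (portal_domain_for(host, self.portal_domains), fingerprint)

    def solve_captcha(self, host, fingerprint):
        self.cleared.add(self._key(host, fingerprint))

    def is_cleared(self, host, fingerprint):
        return self._key(host, fingerprint) in self.cleared


def captcha_loop_hosts(portal_domains, captcha_host, api_hosts):
    """API hosts whose traffic record differs from the host serving the captcha."""
    domains = [d.lower() for d in portal_domains]
    home = portal_domain_for(captcha_host, domains)
    return [h for h in api_hosts if portal_domain_for(h, domains) != home]


if __name__ == "__main__":
    fp = "constructed-fingerprint-1"  # constructed sample value
    for label, domains in [("sub-domains of domain.com", ["domain.com"]),
                           ("distinct Portal domains", ["www.domain.com", "api.domain.com"])]:
        records = TrafficRecords(domains)
        records.solve_captcha("www.domain.com", fp)
        print(label, "-> api cleared:", records.is_cleared("api.domain.com", fp),
              "| loop risk:", captcha_loop_hosts(domains, "www.domain.com", ["api.domain.com"]))
```

Any host returned by `captcha_loop_hosts` is one where the captcha must be solved on that host itself, as described for api.domain.com above.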