Glossary entry

Cloudflare Turnstile

Cloudflare Turnstile is an invisible CAPTCHA alternative built into the Cloudflare bot-shield. Free for site operators, lower friction than hCaptcha or reCAPTCHA.

Definition

Cloudflare Turnstile is a privacy-preserving CAPTCHA replacement embedded in Cloudflare's bot-management product. It runs as a non-interactive challenge by default: the visitor sees a small checkbox that resolves automatically when the browser passes Cloudflare's scoring layer. Turnstile is free for site operators and replaces hCaptcha as Cloudflare's recommended challenge.

How it works

Turnstile embeds a JS challenge that scores the visitor across a handful of signals: TLS fingerprint (JA3/JA4), browser environment entropy, timing, and Cloudflare's known-IP reputation. Sessions that score high pass instantly with no challenge; medium scores get a quick interactive nudge; low scores get the managed-challenge interstitial. The widget writes the cf-turnstile-response token into a hidden input on success. Backends verify via challenges.cloudflare.com/turnstile/v0/siteverify with their secret key.

Where you see it

Cloudflare-protected login, signup, and high-value endpoints. Replaces hCaptcha on most Cloudflare-fronted sites since 2023. Often invisible: visitors don't realize they completed a CAPTCHA at all.

Frequently asked questions

Yes. The non-interactive scoring layer can be solved out-of-band by submitting the right (websiteURL, websiteKey) tuple from a clean fingerprint. A solver returns the cf-turnstile-response token that the verify endpoint accepts.

Turnstile is the visible widget version. The WAF challenge is the interstitial page Cloudflare shows when scoring tanks. Both flow through the same managed-challenge backend and accept the same token.

About 5 minutes per origin. Tokens are single-use on the verify endpoint, so submit the form immediately after receiving one.
