.png)
Cloudflare Turnstile
Explore all Turnstile widget modes, test server-side validation, and understand how this privacy-preserving CAPTCHA alternative protects your applications.
Managed Challenge
Cloudflare automatically determines if a challenge is needed based on visitor behavior. Most visitors pass without interaction, but suspicious traffic may see an interactive challenge.
Server Response
How Managed Mode Works
Managed mode uses machine learning to analyze visitor signals. Low-risk visitors pass automatically, while suspicious traffic receives an interactive challenge. This provides the best balance between security and user experience.
Non-Interactive Challenge
Visitors see a widget with a loading spinner while challenges run in the background. Users are never required to interact with the widget, making it ideal for frictionless experiences.
Server Response
Non-Interactive Benefits
This mode prioritizes visitor experience by never requiring user interaction. The widget shows a loading state while browser challenges execute in the background.
Invisible Challenge
No visible widget at all. The challenge runs completely in the background without any visual indication to the user. Perfect for seamless protection.
Server Response
Invisible Mode Use Cases
Ideal for protecting APIs, login endpoints, or any flow where visual elements would disrupt the user experience. The challenge executes without any UI.
Offlabel Mode
Remove Cloudflare branding from the widget. Useful for white-label solutions or when you want the widget to blend seamlessly with your brand.
Server Response
Offlabel Configuration
Offlabel mode removes Cloudflare branding from the widget. This requires Enterprise plan and must be enabled in your Cloudflare dashboard widget settings.
Realistic Sign Up Form
See how Turnstile integrates into a real-world sign up flow. The widget protects against automated account creation while maintaining a smooth user experience.
Server Response
Form Integration
Turnstile seamlessly integrates with HTML forms. The token is automatically included in form submissions. Always validate the token server-side before processing the form data.
Mobile App Integration
Turnstile works in mobile apps via WebView. This mockup shows how the widget appears in a native mobile application context.
Server Response
Mobile Implementation
For native mobile apps, embed Turnstile in a WebView. The widget renders normally and returns a token that your app can send to your backend for validation. Works on iOS and Android.
Ephemeral IDs
Advanced device fingerprinting that persists even when attackers change IP addresses. Ephemeral IDs are short-lived identifiers that link visitor behavior to specific devices without cookies.
Server Response
How Ephemeral IDs Work
Ephemeral IDs use advanced analysis to create unique identifiers without cookies or local storage. They're scoped to your Cloudflare account, expire within days, and cannot identify individual users. Perfect for detecting credential stuffing and fake account attacks. Requires Enterprise plan.
Always Fail (Testing)
Test your error handling with a widget that always fails server-side validation. This demonstrates how your application should respond to failed Turnstile challenges.
Server Response
Development Testing Keys
This widget uses Cloudflare's official development testing keys that are designed to always fail validation. These keys are useful for testing error handling, retry logic, and user feedback flows in your application.
Cloudflare provides several test keys for different scenarios - learn more in the Turnstile Testing Documentation.