Cloudflare operates two distinct bot-protection mechanisms that developers commonly encounter: Turnstile, a CAPTCHA replacement widget embedded in forms, and Challenge pages, the interstitial "Checking your browser" pages that gate access to entire Cloudflare-protected sites. They work differently, require different solver approaches, and should not be confused.
Cloudflare Turnstile
What Is Turnstile?
Cloudflare Turnstile is a CAPTCHA-replacement widget that sites embed in forms as an alternative to reCAPTCHA or hCaptcha. It was released in 2022 and positions itself as privacy-preserving with no image puzzles for legitimate users.
Turnstile operates in three modes:
| Mode | User Experience | Automation Impact |
|---|---|---|
| Managed | Shows a small widget, may prompt a click | Requires solver API call |
| Non-interactive | Invisible; passes automatically for clean sessions | Still generates a signed token |
| Invisible | Fully background; no visible widget at all | Token still required for form submission |
In all modes, the output is a cf-turnstile-response token that must be submitted with the form. The token is verified by Cloudflare on the server side.
How Turnstile Works Technically
- The page loads
https://challenges.cloudflare.com/turnstile/v0/api.js. - The JS initializes using a sitekey (e.g.
0x4AAAAAAA...— a Cloudflare-format key). - The widget runs a browser environment assessment and, for managed mode, may show a checkbox or brief animation.
- On success, the JS writes
cf-turnstile-responseto a hidden form field and calls an optional callback. - Form submission includes the token; Cloudflare verifies it with the site's secret key.
Token lifetime: Turnstile tokens expire within ~5 minutes. Shorter than reCAPTCHA in high-traffic deployments.
Sitekey format: Turnstile sitekeys start with 0x4 and are about 30 characters long. They are embedded in the HTML as data-sitekey on the Turnstile <div>.
Cloudflare Challenge Pages
What Are Challenge Pages?
Challenge pages (historically called "IUAM" — "I'm Under Attack Mode") are interstitial pages Cloudflare serves before allowing access to a protected site. They are not embedded in a form — they block the entire page.
Modern Cloudflare challenge pages take two forms:
- Managed Challenge: Cloudflare's adaptive challenge. For most users it passes automatically; for flagged IPs it shows a visible puzzle or Turnstile widget.
- JS Challenge: A pure JavaScript browser fingerprinting check (no visible challenge, just a "Checking your browser..." delay).
For automation purposes, the challenge page problem is different from Turnstile: you need to pass the challenge to receive the site's actual content, not just submit a form field.
Solving Challenge Pages vs. Turnstile
| Aspect | Turnstile | Challenge Page |
|---|---|---|
| Where it appears | Inside a form | Full-page interstitial |
| Solver mechanism | Submit task → get token → inject in form | Browser automation or specialized solver |
| Output | cf-turnstile-response token |
Session cookies (cf_clearance) |
| Token/cookie lifetime | ~5 min | Hours to days |
Challenge page solving typically requires a solver that can execute JavaScript in a real browser environment and return valid cf_clearance cookies. Not all solver APIs support this — it is a different product category than standard CAPTCHA solving.
Solver Support
Turnstile Solvers
| Solver | Turnstile Support | Success Rate | Avg Solve Time | Notes |
|---|---|---|---|---|
| CaptchaAI | ✅ Full | ~96–98% | 6–12s | Fastest Turnstile solver in CaptchaRank benchmark |
| 2Captcha | ✅ Full | ~91–94% | 12–20s | Reliable; 2Captcha-format compatible |
| Anti-Captcha | ✅ Full | ~90–93% | 10–18s | Consistent at scale |
| CapSolver | ✅ Full | ~93–96% | 8–15s | Strong Turnstile implementation |
| CapMonster Cloud | ✅ Full | ~88–93% | 10–20s | Cost-effective |
| NopeCHA | ✅ Partial | ~85–90% | 15–30s | Works but not a primary use case |
Challenge Page Solvers
Challenge page solving (returning cf_clearance cookies) is supported by fewer providers and is often a separate, higher-cost product:
| Solver | Challenge Page Support | Notes |
|---|---|---|
| CapSolver | ✅ | CloudflareChallengeTask product |
| 2Captcha | ✅ | turnstile task type with browser mode |
| Anti-Captcha | ✅ | Browser session mode |
| CaptchaAI | ✅ | Contact support for challenge page mode |
For most developer use cases involving forms, Turnstile token solving is what's needed. Challenge page solving is a separate, more complex integration.
How to Solve Cloudflare Turnstile in Python
Step 1 — Find the Sitekey
import re
import requests
def get_turnstile_sitekey(page_url: str) -> str:
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"}
html = requests.get(page_url, headers=headers).text
# Turnstile sitekeys start with 0x4
patterns = [
r'data-sitekey=["\'](\dx[0-9A-Za-z_\-]+)["\']',
r'"sitekey"\s*:\s*"(\dx[0-9A-Za-z_\-]+)"',
]
for pattern in patterns:
match = re.search(pattern, html, re.IGNORECASE)
if match:
return match.group(1)
raise ValueError("Turnstile sitekey not found on page")
Step 2 — Solve via CaptchaAI
import requests
import time
def solve_turnstile(
api_key: str,
page_url: str,
sitekey: str,
) -> str:
"""
Solve Cloudflare Turnstile using CaptchaAI (2Captcha-compatible API).
Returns the cf-turnstile-response token.
"""
payload = {
"key": api_key,
"method": "turnstile",
"sitekey": sitekey,
"pageurl": page_url,
"json": 1,
}
r = requests.post("https://ocr.captchaai.com/in.php", data=payload, timeout=30)
r.raise_for_status()
result = r.json()
if result.get("status") != 1:
raise RuntimeError(f"Submit failed: {result}")
task_id = result["request"]
time.sleep(5)
for _ in range(24):
r = requests.get(
"https://ocr.captchaai.com/res.php",
params={"key": api_key, "action": "get", "id": task_id, "json": 1},
timeout=30,
)
data = r.json()
if data.get("status") == 1:
return data["request"] # cf-turnstile-response token
time.sleep(5)
raise TimeoutError("Turnstile solve timed out")
Step 3 — Inject Token and Submit
from playwright.sync_api import sync_playwright
def submit_form_with_turnstile(
page_url: str,
sitekey: str,
api_key: str,
) -> None:
token = solve_turnstile(api_key, page_url, sitekey)
with sync_playwright() as p:
browser = p.chromium.launch(headless=True)
page = browser.new_page()
page.goto(page_url, wait_until="networkidle")
# Inject token into hidden field
page.evaluate(f"""
const fields = document.querySelectorAll(
'input[name="cf-turnstile-response"], textarea[name="cf-turnstile-response"]'
);
fields.forEach(f => f.value = '{token}');
""")
page.click('button[type="submit"]')
page.wait_for_load_state("networkidle")
browser.close()
Common Errors and Fixes
"Invalid Turnstile token" on form submission - Token expired (> 5 minutes). Generate the token immediately before submitting. - Sitekey mismatch — the sitekey used with the solver must match the page's sitekey exactly. - The domain bound to the sitekey does not match your request origin (not typically your issue unless proxying).
Turnstile widget shows but token injection does not unlock submit
Some Turnstile integrations use a JS callback (onSuccess) to enable the submit button. After injecting the token, trigger the callback:
page.evaluate(f"""
if (window.turnstile && window.turnstile._callbacks) {{
Object.values(window.turnstile._callbacks)
.forEach(cb => typeof cb === 'function' && cb('{token}'));
}}
""")
Solver returns token but the page still shows the challenge
You are dealing with a Challenge page (not Turnstile). The solver API returning a cf-turnstile-response token cannot clear a full-page interstitial. You need a challenge page solver that returns cf_clearance cookies.
High failure rate on managed mode Managed Turnstile in strict mode is harder when originating from flagged ASNs (datacenters, VPNs). Use a residential proxy for the browser session.
Turnstile vs hCaptcha — Which Is Harder to Solve?
Turnstile is generally faster to solve than hCaptcha because it has no image challenge for most sessions. However, Turnstile's managed mode in high-enforcement configurations can be more resistant to automation than standard hCaptcha, because the browser environment fingerprint plays a larger role.
| Dimension | Turnstile | hCaptcha |
|---|---|---|
| Typical solve time | 6–12s | 8–20s |
| Image challenge | Rare (managed mode) | Common |
| Browser fingerprint weight | High | Medium |
| Token field name | cf-turnstile-response |
h-captcha-response |
When to Use Which Solver
| Scenario | Recommended Solver | Reason |
|---|---|---|
| Turnstile in forms | CaptchaAI | Fastest Turnstile in CaptchaRank benchmark |
| High-volume Turnstile | 2Captcha or CapSolver | Proven at scale |
| Challenge pages (cf_clearance) | CapSolver | Most mature challenge page product |
| Lowest price per Turnstile solve | CapMonster Cloud | Competitive pricing on Turnstile |
Explore More in This Hub
- Best Cloudflare Turnstile Solver — full solver ranking with pricing
- CAPTCHA Solver API Integration Guide — language-agnostic patterns
- CAPTCHA Solving in Python: Quick Start — 30-minute full setup
- Best CAPTCHA Solvers Ranked — full leaderboard across all CAPTCHA types
Benchmark data sourced from CaptchaRank live performance monitoring. Success rates reflect current data and are updated as solver performance changes.
