How do you prove a user is human without making them click traffic lights for two minutes?
Traditional CAPTCHAs hurt your conversion rate, annoy real users, and increasingly get solved by cheap third-party services. Visually impaired users are punished disproportionately. And the popular alternatives ship browsing data to ad-tech companies. You need something that proves humanity without the friction — and without selling out your visitors.
How it fits together
Diagram coming soon
Architecture diagram for this solution will be added here.
How Cloudflare solves it
- Invisible challenges for most users. Turnstile evaluates browser signals (TLS fingerprint, canvas, behavioral hints) and silently passes the vast majority of real visitors. They never see a checkbox, never solve a puzzle.
- Privacy-first by design. No tracking cookies, no fingerprinting that follows users across sites, no ad-tech monetization. Cloudflare doesn't need (or want) your visitors' data.
- Drop-in replacement for reCAPTCHA. Same widget-on-page + server-side verify flow. Migration is typically a couple of hours: swap the script tag and update your verify endpoint.
- Works on any site, not just Cloudflare. Turnstile is free and works on any origin — Cloudflare-hosted or not. Use it on forms, sign-ups, login screens, comment boxes, password resets.
- Server-side verification. Every token is verified against Cloudflare's siteverify endpoint before you trust it. Tokens are single-use and expire fast, preventing replay.
Common questions
Is Turnstile really free, even at high volume?
What if a visitor still gets challenged? What do they see?
Does Turnstile prevent every bot?
Can I use Turnstile on a mobile app?
Try it live
Submit the form below. Your Turnstile token is verified against Cloudflare's siteverify endpoint on the server. The site key on this page is Cloudflare's public demo key; in production you'd use your own.
Fill out the form below. The Turnstile widget issues a token; on submit,
the server calls Cloudflare's siteverify endpoint to confirm
the token before accepting the submission. The site key is loaded from
the server config so it can be rotated without rebuilding.