CAPTCHA: Turnstile

Cloudflare Turnstile with pass/block/interactive test keys, server-verified

What you will learn

Pierce Turnstile's encapsulation and wait for the cf-turnstile-response token
Exercise pass / block / interactive test keys to cover positive AND negative branches
Handle the block key as a real failure path, not a hang

Cloudflare Turnstile

A privacy-first CAPTCHA alternative that encapsulates its entire UI inside a cross-origin iframe, verified server-side via siteverify

Turnstile renders a self-contained widget. When it succeeds it hands your callback a token, which we POST to /api/captcha/vendor. Our server calls Cloudflare's siteverify endpoint and returns the verdict.

Three published TEST sitekeys let you drive each branch deterministically:

pass — always issues a passing token → human
block — the widget never yields a valid token → bot (the negative branch)
interactive — forces a visible challenge before it will issue a token

Pairs with the Shadow DOM lesson: Turnstile wraps its controls in its own iframe (and shadow tree), so you cannot reach inside from the top frame — assert on the token and on #captcha-result instead.

Mode: practice — the test keys are deterministic; great for wiring up your automation end to end.

Pick a test sitekey

Switching re-renders the widget so you can drive the pass / block / interactive branches

Active key: 0x4AAAAAADp4E7yXAQRmVpJ8

Verify you're human

The widget loads asynchronously — wait for it to render before interacting

Waiting for the widget to issue a token…

Testing Tips

Automation hints

✓ The widget lives inside a cross-origin iframe — drop into it with a frame locator (Playwright frameLocator, Cypress iframe plugin) rather than querying the top frame, just like the Shadow DOM lesson
✓ With the pass key, wait for the hidden <input name="cf-turnstile-response"> to become non-empty — that value IS the token passed to your callback
✓ Assert #captcha-result[data-verdict="human"] after the auto-POST to /api/captcha/vendorresolves — don't just check that any result appeared
✓ Switch to the block key (#turnstile-key-block) to drive the negative branch and assert #captcha-result[data-verdict="bot"]
✓ #turnstile-active-key[data-key-type] tells your test which branch is armed; the interactivekey forces a click, and a real prod sitekey (env) has no deterministic bypass — you'd need a solver service

Related Challenges

Cloudflare Turnstile

A privacy-first CAPTCHA alternative that encapsulates its entire UI inside a cross-origin iframe, verified server-side via siteverify

Three published TEST sitekeys let you drive each branch deterministically:

pass — always issues a passing token → human
block — the widget never yields a valid token → bot (the negative branch)
interactive — forces a visible challenge before it will issue a token

Mode: practice — the test keys are deterministic; great for wiring up your automation end to end.

Testing Tips

Automation hints

✓ The widget lives inside a cross-origin iframe — drop into it with a frame locator (Playwright frameLocator, Cypress iframe plugin) rather than querying the top frame, just like the Shadow DOM lesson
✓ With the pass key, wait for the hidden <input name="cf-turnstile-response"> to become non-empty — that value IS the token passed to your callback
✓ Assert #captcha-result[data-verdict="human"] after the auto-POST to /api/captcha/vendorresolves — don't just check that any result appeared
✓ Switch to the block key (#turnstile-key-block) to drive the negative branch and assert #captcha-result[data-verdict="bot"]
✓ #turnstile-active-key[data-key-type] tells your test which branch is armed; the interactivekey forces a click, and a real prod sitekey (env) has no deterministic bypass — you'd need a solver service

CAPTCHA: Turnstile

What you will learn

Cloudflare Turnstile

Pick a test sitekey

Verify you're human

Testing Tips

Timer

Need Help?

Related Challenges

iFrames

Shadow DOM

Drag & Drop

CAPTCHA: Turnstile

What you will learn

Cloudflare Turnstile

Pick a test sitekey

Verify you're human

Testing Tips

Timer

Need Help?

Related Challenges

iFrames

Shadow DOM

Drag & Drop