
Cloudflare Turnstile CAPTCHA

Community-contributed integration

This integration is community-maintained. Reference: ory/integrates/fraud-bot-protection/cloudflare-turnstile.

Cloudflare Turnstile is a non-interactive CAPTCHA alternative that uses browser signals, ML, and proof-of-work. It is free with no per-call limit and is privacy-preserving.

How it works

  1. The registration / login UI embeds the Turnstile client widget; the widget runs the challenge invisibly and returns a token (cf-turnstile-response).
  2. The form submits to Ory's flow with the token.
  3. An Ory Action on registration.before / login.before (with can_interrupt: true) calls the handler.
  4. The handler POSTs to https://challenges.cloudflare.com/turnstile/v0/siteverify with the token + Secret Key and checks success == true.
  5. On failure, the handler returns an error and Ory blocks the flow.

Notable

  • Two keys: Site Key (public, client widget) and Secret Key (server verify). Never expose the Secret Key.
  • Tokens are one-time use and expire ~5 minutes after issue.
  • The optional remoteip field in siteverify enables IP binding; pass the client IP through your reverse proxy.
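
A sketch of the handler from steps 4 and 5, including the optional remoteip binding noted above. This is an added example, not code from Ory or the integration. The webhook payload keys (cf-turnstile-response, client_ip), the 200/403 status mapping, the error body shape and the local reason strings are assumptions; the hostname comparison is an extra check on the siteverify reply.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"

def post_form(url, fields, timeout=5):
    """POST form-encoded fields and return the decoded JSON response body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def verify_turnstile(token, secret, remote_ip=None, expected_hostname=None, post=post_form):
    """Return (ok, reasons). Fails closed on a missing token, transport error or odd reply."""
    if not token or not isinstance(token, str):
        return False, ["missing-input-response"]  # rejected locally, no network call
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip  # optional IP binding
    try:
        result = post(SITEVERIFY_URL, fields)
    except (OSError, ValueError):  # network error, timeout or non-JSON body
        return False, ["siteverify-unreachable"]  # local reason string (assumed name)
    # Only a literal JSON true counts; "true", 1 or a missing field are rejected.
    if not isinstance(result, dict) or result.get("success") is not True:
        codes = result.get("error-codes", []) if isinstance(result, dict) else []
        return False, list(codes) or ["verification-failed"]
    if expected_hostname and result.get("hostname") != expected_hostname:
        return False, ["hostname-mismatch"]  # token was solved on another site
    return True, []

def handle_webhook(payload, secret, post=post_form):
    """Map the check to a status for the Ory Action: 200 allows, 403 interrupts (assumed)."""
    # Payload keys are assumptions: they depend on how the webhook body is templated.
    ok, reasons = verify_turnstile(payload.get("cf-turnstile-response"), secret,
                                   remote_ip=payload.get("client_ip"), post=post)
    return (200, {}) if ok else (403, {"error": "captcha_failed", "reasons": reasons})
```

The post parameter exists so the siteverify call can be replaced with a stub in tests; in production the Secret Key should come from the handler's secret store, never from the request.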
