Nobody enjoys CAPTCHAs. Squinting at traffic lights and fire hydrants to prove you are human is a tax on every honest visitor, and the data those puzzles feed back to advertising networks is its own concern. Cloudflare Turnstile replaces all of that with a smart, mostly invisible check that confirms a visitor is human without the puzzles, without tracking them, and without costing you anything. In 2026 it is the cleanest way to protect a form from bots.
This guide walks through what Turnstile is, why it beats reCAPTCHA for most sites, and exactly how to add it to any form, including the all-important server-side verification step that a lot of tutorials skip.
TL;DR
- Turnstile is Cloudflare’s free, privacy-friendly CAPTCHA alternative with no visual puzzles
- It is free with generous limits and works on any website, not just sites already on Cloudflare
- Setup is two parts: a widget on your form and a server-side verification call you must not skip
- It offers managed, non-interactive and invisible widget modes to suit different forms
- It is a drop-in replacement for reCAPTCHA on contact forms, signups, logins and comment boxes
What Cloudflare Turnstile Is
Cloudflare Turnstile is a CAPTCHA replacement that verifies visitors are human using a series of lightweight, non-intrusive browser challenges run in the background. Instead of asking the user to solve a puzzle, it analyses signals from the browser and, in most cases, confirms the visitor silently. When it does need interaction, it is usually a single checkbox, never an image grid.
Crucially, Turnstile is built to respect privacy. It does not profile users to sell advertising, and it does not depend on tracking a person across the web. You get bot protection without turning your visitors into a data product, which is increasingly important for GDPR-conscious sites.
It also works on any site. You do not need to proxy your domain through Cloudflare to use Turnstile; the widget and verification API work from anywhere.
Why Replace reCAPTCHA
The case for switching is straightforward:
- Better user experience. No puzzles for legitimate visitors, which means fewer abandoned forms.
- Privacy. Turnstile is designed not to track users for advertising, unlike the dominant alternative.
- Free and generous. Turnstile is free to use with limits high enough for the vast majority of sites.
- Works everywhere. It is not tied to having your DNS on Cloudflare.
- Simple integration. A script tag, a widget, and one server-side check.
For most contact forms, signups and comment systems, there is little reason to keep paying the usability cost of traditional CAPTCHAs.
Step 1: Create a Turnstile Widget
In the Cloudflare dashboard, open Turnstile and add a new site. You provide a name and the hostname(s) the widget will run on. Cloudflare gives you two keys:
- A site key (public) that goes in your HTML
- A secret key (private) that stays on your server and is used for verification
You also choose a widget mode:
| Mode | Behaviour |
|---|---|
| Managed | Cloudflare decides whether to show a checkbox based on risk (recommended default) |
| Non-interactive | Runs silently with no checkbox |
| Invisible | Fully hidden; runs entirely in the background |
Managed mode is the sensible starting point for most forms.
Step 2: Add the Widget to Your Form
Include the Turnstile script and drop the widget element into your form. Replace YOUR_SITE_KEY with the site key from the dashboard:
```html
<form action="/submit" method="POST">
  <input type="email" name="email" required />

  <!-- Turnstile widget -->
  <div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY"></div>

  <button type="submit">Send</button>
</form>

<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
```
When the widget runs, it adds a hidden field named cf-turnstile-response to your form containing a one-time token. That token is what your server verifies in the next step.
Step 3: Verify on the Server (Do Not Skip This)
This is the step that actually provides protection, and it is the one tutorials most often leave out. The widget on its own proves nothing; an attacker can submit your form directly. You must take the token from the form and validate it server-side against Cloudflare’s siteverify endpoint before you trust the submission.
Send the token and your secret key to https://challenges.cloudflare.com/turnstile/v0/siteverify:
```javascript
// Example: Cloudflare Worker or any server-side handler
async function verifyTurnstile(token, ip, secret) {
  // siteverify accepts a form-encoded body: the secret key, the token the
  // widget placed in cf-turnstile-response, and optionally the client IP.
  const formData = new FormData();
  formData.append("secret", secret);
  formData.append("response", token);
  if (ip) formData.append("remoteip", ip);

  const result = await fetch(
    "https://challenges.cloudflare.com/turnstile/v0/siteverify",
    { method: "POST", body: formData }
  );

  // The JSON response carries `success` plus `error-codes` on failure.
  const outcome = await result.json();
  return outcome.success === true;
}
```
Only proceed with the form action (send the email, create the account, post the comment) when outcome.success is true. If it is false, reject the submission. Never expose your secret key in client-side code.
A handy detail for development: Cloudflare provides test keys that always pass, always block, or always force an interactive challenge, so you can test every path before going live.
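As an added example that is not the article's own code, here is a fuller server-side flow: it pulls the token out of the submitted form, posts it to siteverify, and checks the returned `hostname` and `action` fields as well as `success`, so a token issued for another site or another form is rejected. The function names are mine, and `action` is only present in the response if you set `data-action` on the widget; `fetchImpl` is injectable so the decision logic can be exercised without network access.

```javascript
// Added example (not from the article): server-side Turnstile verification
// that checks more than `success` before trusting a submission.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// Pull the token the widget injected into the form; reject bad values early.
function extractToken(formData) {
  const token = formData.get("cf-turnstile-response");
  if (typeof token !== "string" || token.length === 0 || token.length > 2048) return null;
  return token;
}

// Decide on a siteverify JSON outcome. `expected.hostname` is the hostname the
// widget was registered for; `expected.action` matches the widget's data-action.
// Returns { ok, reason } so the caller can log why a submission was refused.
function evaluateSiteverify(outcome, expected = {}) {
  if (!outcome || outcome.success !== true) {
    const codes = Array.isArray(outcome?.["error-codes"]) ? outcome["error-codes"] : [];
    return { ok: false, reason: codes.length ? codes.join(",") : "not-successful" };
  }
  // A valid token issued for a different hostname must not be accepted here.
  if (expected.hostname && outcome.hostname !== expected.hostname) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  // Bind the token to the form it was solved for (login vs. signup, etc.).
  if (expected.action && outcome.action !== expected.action) {
    return { ok: false, reason: "action-mismatch" };
  }
  return { ok: true, reason: "verified" };
}

// Full flow for a POST handler. In production pass the global fetch; in tests
// pass a stub that returns a canned siteverify response.
async function verifyTurnstileSubmission(formData, secret, expected = {}, fetchImpl = fetch) {
  const token = extractToken(formData);
  if (!token) return { ok: false, reason: "missing-token" };
  const body = new URLSearchParams({ secret, response: token });
  if (expected.remoteip) body.set("remoteip", expected.remoteip);
  const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body });
  if (!res.ok) return { ok: false, reason: `siteverify-http-${res.status}` };
  return evaluateSiteverify(await res.json(), expected);
}
```

Only run the form action when the returned `ok` is true; the `reason` string is worth logging, since a spike in `timeout-or-duplicate` or `hostname-mismatch` rejections is a useful signal that someone is replaying tokens against your endpoint.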
Common Cloudflare Turnstile Use Cases
Turnstile slots into anything a bot might abuse:
- Contact forms to stop spam submissions
- Signup and registration to block fake account creation (it pairs well with a Cloudflare Pages user system)
- Login forms to slow credential-stuffing attacks
- Comment boxes to cut down on spam without annoying real readers
- Newsletter signups to keep your list clean
If you want bot protection set up correctly across your site, including server-side verification done properly, that is part of what I cover in my website security service.
Key Takeaways
- Turnstile is a free, privacy-friendly CAPTCHA replacement with no visual puzzles
- It works on any website, not only sites with DNS on Cloudflare
- Integration is a widget on the form plus a mandatory server-side verification call
- Managed mode is the best default; non-interactive and invisible modes exist for specific needs
- Always verify the token server-side; the widget alone provides no real protection
- It is a clean drop-in replacement for reCAPTCHA on forms, signups, logins and comments
Frequently Asked Questions
Is Cloudflare Turnstile free? Yes. Turnstile is free to use with limits generous enough for the vast majority of websites. There is no charge for the standard widget and verification flow.
Do I need my site on Cloudflare to use Turnstile? No. Turnstile works on any website regardless of where your DNS or hosting is. You only need a Cloudflare account to create the widget and obtain your site and secret keys.
Is Turnstile a good replacement for reCAPTCHA? For most sites, yes. It offers a better user experience with no puzzles, is designed to respect privacy rather than track users for advertising, and is free. It covers the same use cases: contact forms, signups, logins and comments.
Do I have to verify the token on the server? Yes, always. The client-side widget alone does not protect you because a bot can submit the form directly. You must send the token to Cloudflare’s siteverify endpoint with your secret key and only trust submissions that return success.
What widget modes does Turnstile offer? Three: managed (Cloudflare decides whether to show a checkbox based on risk), non-interactive (silent, no checkbox), and invisible (fully hidden). Managed mode is the recommended default for most forms.
Can I test Turnstile before going live? Yes. Cloudflare provides test keys that always pass, always block, or always force an interactive challenge, so you can verify each outcome path in development before deploying real keys.