How Turnstile works
Turnstile loads a small JavaScript widget from `challenges.cloudflare.com`. The widget runs a battery of checks: it inspects browser APIs (canvas, WebGL, audio, navigator properties), measures small behavioral signals (mouse movement timing, focus events, timing jitter), and runs a small proof-of-work computation in the background. The results are sent to Cloudflare, which scores the visitor and — if the score is high enough — returns a token. The token is included as a hidden form field when the page submits, and Cloudflare verifies it server-side via a sibling API call. Bots either fail one of the checks outright or score low enough that Turnstile holds them at the widget.
Turnstile vs Cloudflare Bot Management — what's the difference
This is the most common point of confusion. Cloudflare ships two distinct bot-protection products that get spoken about interchangeably:
| Turnstile | Bot Management | |
|---|---|---|
| What it is | A CAPTCHA replacement widget | An ML-driven scoring system |
| Where it fires | On specific forms / endpoints you choose | On every request to your zone |
| Tier | Free | Enterprise add-on |
| Cookie evidence | cf_clearance after solve | __cf_bm on every request |
| Header evidence | Widget script from challenges.cloudflare.com | cf-mitigated: challenge when blocked |
| Bypass approach | Solve the widget (real browser or solver service) | Pass the underlying fingerprint score |
A site can run both — Bot Management scores every request, and only when the score is borderline does it surface a Turnstile widget as a friction-light challenge. Solving Turnstile alone won't help if the underlying score is already block-grade.
Why Turnstile is harder for scrapers than old CAPTCHAs
Old CAPTCHAs were image puzzles — solving them was a single discrete task you could outsource. Turnstile is continuous: it scores the entire browser environment, not just an interaction. A scraper that produces a valid token but does so from a Playwright instance with a leaky fingerprint will see Turnstile return a low score and the form will reject the token. The challenge is also tightly bound to the page — a token solved on `challenges.cloudflare.com` won't work on `example.com` because Cloudflare validates the sitekey and origin. This means token-reselling solvers have to operate at the right scope, with the right fingerprint, in the right session.
How scrapers handle Turnstile
The serious approach has two parts. First, present a real browser with consistent fingerprint signals — `--headless=new` Chrome with stealth patches, or a real headful instance running under display virtualization. Second, use a Turnstile-aware solver that runs the widget in that browser, lets it score naturally, and returns the resulting token. Pure API solvers that don't run in a real browser produce low-score tokens that the target rejects. Integrated scraping APIs that bundle browser, proxy, and Turnstile solving in one service produce the most consistent success rates because every layer is co-tuned.