Cloudflare Turnstile
Invisible human-presence challenge powered by Cloudflare's Turnstile service. Verifies that the client is a real browser controlled by a human, without requiring the user to solve a visual puzzle.
How it works
- The ClaimUI (or integrator's frontend) loads the Turnstile widget using the public site key
- Turnstile runs background checks (browser fingerprint, behavior analysis) and issues a token
- The client includes the token in the claim request as captchaToken
- The server verifies the token against Cloudflare's siteverify endpoint
- If verification passes, the claim proceeds; if it fails, the claim is denied
Configuration
| Env var | Default | Description |
|---|---|---|
| FAUCET_TURNSTILE_SITE_KEY | (unset = disabled) | Public site key from Cloudflare dashboard |
| FAUCET_TURNSTILE_SECRET | (unset) | Server-side secret for verification |
Setting FAUCET_TURNSTILE_SITE_KEY enables the layer. Both the site key and secret are required.
Getting credentials
- Go to Cloudflare Dashboard > Turnstile
- Add a site and configure the widget type (managed, non-interactive, or invisible)
- Copy the site key and secret key
Decision logic
- No token provided: deny with reason "captcha token required"
- Token verification fails: deny with reason "captcha verification failed"
- Token valid: allow with score 0
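A sketch of the server-side check that produces these three outcomes, added here as an illustration and not taken from the faucet's own code. The function names, the returned dict shape, the fail-closed handling of network errors and the optional hostname comparison are assumptions; the endpoint URL and the secret, response and remoteip form fields are Cloudflare's documented siteverify interface.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
MAX_TOKEN_LEN = 2048  # token length limit stated in Cloudflare's Turnstile docs


def post_siteverify(secret, token, remote_ip=None, timeout=5.0):
    """POST the token to Cloudflare and return the parsed JSON body."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    req = urllib.request.Request(
        SITEVERIFY_URL, data=urllib.parse.urlencode(fields).encode(), method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def turnstile_decision(captcha_token, secret, expected_hostname=None,
                       remote_ip=None, post=post_siteverify):
    """Map a claim's captchaToken to the allow/deny outcomes listed above.

    `post` is injectable (hypothetical parameter) so the logic can be
    exercised offline with a stubbed siteverify response.
    """
    if not captcha_token:
        return {"action": "deny", "reason": "captcha token required"}
    failed = {"action": "deny", "reason": "captcha verification failed"}
    if not isinstance(captcha_token, str) or len(captcha_token) > MAX_TOKEN_LEN:
        return failed  # malformed input: reject without a network call
    try:
        body = post(secret, captcha_token, remote_ip)
    except (OSError, ValueError):
        return failed  # fail closed on timeout, DNS/TLS error or bad JSON
    if not isinstance(body, dict) or body.get("success") is not True:
        return failed
    # Assumed extra check: the token was issued by a widget on our own site.
    if expected_hostname and body.get("hostname") != expected_hostname:
        return failed
    return {"action": "allow", "score": 0}
```

Tokens are single-use and short-lived on Cloudflare's side, so a replayed or stale token comes back with success set to false and lands in the "captcha verification failed" branch.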
Trade-offs
- Free tier available (up to 1M verifications/month)
- Privacy-friendly — no visual puzzle, runs in background
- Requires Cloudflare account and network call per verification (~50-100ms)
- Mutually exclusive with hCaptcha — pick one, not both
SDK support
All frontend SDKs (TypeScript, React, Vue) include built-in Turnstile widget components. The captchaToken is passed automatically when using useFaucetClaim hooks.