Cloudflare Turnstile is Cloudflare’s modern replacement for traditional CAPTCHA. Instead of forcing most real users to solve awkward image puzzles, it handles spam protection quietly in the background for the majority of legitimate visitors.
For agencies, this matters because public-facing forms are some of the easiest places for bots to create fake signups, junk opt-ins, and spam submissions.
What it protects
Once enabled, Turnstile protects the public-facing forms across the white-label app where unauthenticated visitors can submit information.
- Customer registration pages
- Campaign opt-in pages
- Website contact forms
What you need before starting
- A free Cloudflare account
- The domain or domains your white-label app uses
- A few minutes to create the Turnstile widget and copy the keys
Create a Turnstile widget in Cloudflare
Log in to the Cloudflare dashboard, open the `Turnstile` area, and create a new widget. Add every hostname where your white-label app or public pages can appear.
This includes primary branded domains and any fallback domains or secondary domains that still need protection.
| Field | What to enter |
|---|---|
| Widget name | A label you will recognize later |
| Hostnames | Every domain where Turnstile should run |
| Widget mode | Managed is usually the best default |
Managed mode is the usual recommendation because it gives strong protection without making normal users jump through unnecessary hoops.
Copy the site key and secret key
After you create the widget, Cloudflare gives you a public site key and a private secret key. Both are needed in the white-label settings.
The site key is safe to expose publicly in the frontend. The secret key should be treated like a credential.
Add the keys in white-label settings
Go to `Settings -> White-Label Configuration`, open the `Advanced` tab, find the `Cloudflare Turnstile` section, and paste the site key and secret key into their fields.
Then turn protection on and save the change.
Verify it is working
Open a public page in a private or incognito window and test one of the protected forms. In most cases you will either see nothing happen visibly or see only a light-touch verification experience.
That is the point. Legitimate users should barely notice it while bots fail silently or get blocked.
What your customers and visitors experience
Most legitimate visitors never notice Turnstile. Suspicious traffic may see a simple challenge, but the experience is much lighter than old-style CAPTCHA systems.
- Real users usually pass quietly in the background
- Suspicious traffic may see a lightweight challenge
- Bots are blocked from creating noise in your public-facing forms
Common issues
If Turnstile does not appear or verification fails unexpectedly, the most common cause is a hostname mismatch. The domain being used by the app must exist in the Turnstile widget configuration in Cloudflare.
Other common causes include browser extensions, VPNs, or networks that interfere with the challenge script.
- Check every hostname in the Cloudflare widget settings
- Test from an incognito window
- Temporarily disable script-blocking browser extensions if needed
- Use Cloudflare test keys for temporary safe testing if necessary
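For troubleshooting, it helps to know what the server side of a Turnstile check looks like. The sketch below is an added example, not the white-label app's own code: it posts the form's token and the secret key to Cloudflare's siteverify endpoint and accepts the result only if it succeeded on a hostname from the widget's list. The hostnames and sample results are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"

# Assumed placeholder hostnames; use the ones entered in your Turnstile widget.
ALLOWED_HOSTNAMES = {"app.example.com", "go.example.com"}

# Cloudflare siteverify error codes mapped to a likely cause.
HINTS = {
    "missing-input-secret": "secret key not sent; check the saved secret key",
    "invalid-input-secret": "secret key rejected; re-copy it from the widget",
    "missing-input-response": "form arrived without a token; widget did not run",
    "invalid-input-response": "token invalid or expired; reload the page and retry",
    "timeout-or-duplicate": "token already used or too old; each token is single-use",
}


def siteverify(secret, token, remote_ip=None):
    """POST the token from the form to Cloudflare and return the JSON verdict."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=10) as resp:
        return json.load(resp)


def evaluate(result, allowed=ALLOWED_HOSTNAMES):
    """Return (accepted, reasons) for a siteverify JSON result."""
    if not result.get("success"):
        codes = result.get("error-codes") or ["unknown"]
        return False, [HINTS.get(c, c) for c in codes]
    host = (result.get("hostname") or "").lower()
    if host not in allowed:
        return False, [f"token issued on unlisted hostname {host!r}"]
    return True, []


# Constructed sample results (not captured from a real request).
SAMPLE_OK = {"success": True, "hostname": "app.example.com", "error-codes": []}
SAMPLE_WRONG_HOST = {"success": True, "hostname": "old.example.net", "error-codes": []}
SAMPLE_REPLAY = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_WRONG_HOST, SAMPLE_REPLAY):
        print(evaluate(sample))
```

The secret key appears only in the server-to-Cloudflare request, which is why it is handled as a credential while the site key can sit in the page.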
Why this matters for agencies
Spam is not just cosmetic. Fake registrations, junk opt-ins, and bot form submissions distort reporting, waste follow-up effort, and can create noise around provider usage and operations.
Turnstile is one of the easiest ways to raise the floor on the quality of the traffic reaching your public forms.