This site is not affiliated with or endorsed by Cloudflare, Inc. It simply showcases experiments built using Cloudflare services.
Cloudflare Experiments

Turnstile Verify

Verify Cloudflare Turnstile tokens via the siteverify API

Verify Cloudflare Turnstile tokens server-side by calling the siteverify API from a Worker. This experiment uses the TURNSTILE_SECRET_KEY environment secret - there is no Turnstile Worker binding.

API Reference

POST /verify

Validates a client Turnstile token against the Cloudflare siteverify endpoint and returns the verification result.

Prop

Type

Example Request

curl -X POST "https://your-worker.workers.dev/verify" \
  -H "Content-Type: application/json" \
  -d '{"token":"0.abc123..."}'

Success Response

success boolean

Whether Turnstile accepted the token

hostname string (optional)

Hostname associated with the token, when provided by siteverify

action string (optional)

Custom action name from the widget, when provided by siteverify

errorCodes string[] (optional)

Present when success is false; Turnstile error codes from siteverify

{
  "success": true,
  "hostname": "example.com",
  "action": "login"
}

When verification fails:

{
  "success": false,
  "errorCodes": ["invalid-input-response"]
}

Error Response

{
  "error": "Missing or invalid field: token",
  "code": "INVALID_TOKEN"
}

Error Codes

  • 400 - Invalid JSON body (INVALID_BODY)
  • 400 - Missing or invalid token (INVALID_TOKEN)
  • 502 - Turnstile secret key is not configured (MISSING_SECRET)
  • 502 - Siteverify request failed (VERIFY_ERROR)

Use Cases

  • Validate Turnstile tokens on form submission before processing requests
  • Protect login, signup, or contact endpoints from bots at the edge
  • Learn server-side Turnstile verification without a backend framework
  • Return structured siteverify results to your frontend or API gateway

Limitations

  • Requires a TURNSTILE_SECRET_KEY secret configured in the Worker
  • Server-side verification only; does not render the Turnstile widget
  • Turnstile tokens are single-use and expire quickly

Deployment

Click the deploy button

Deploy to Cloudflare Workers

Set the Turnstile secret

After deploy, set your Turnstile secret key as a Worker secret:

cd apps/experiments/turnstile-verify
npx wrangler secret put TURNSTILE_SECRET_KEY

Use the secret key from your Turnstile widget configuration in the Cloudflare dashboard.

Test your deployment

curl -X POST "https://your-worker.workers.dev/verify" \
  -H "Content-Type: application/json" \
  -d '{"token":"YOUR_TURNSTILE_TOKEN"}'

Local Development

cd apps/experiments/turnstile-verify
npm install
npx wrangler secret put TURNSTILE_SECRET_KEY
npm run dev

Test locally:

curl -X POST "http://localhost:8787/verify" \
  -H "Content-Type: application/json" \
  -d '{"token":"YOUR_TURNSTILE_TOKEN"}'

Cloudflare Features Used

Image Resizer

Resize remote images with Cloudflare Image Resizing at the edge

JWT Inspector

Decode, verify, and issue JWTs for experimentation using Web Crypto

On this page

API ReferencePOST /verifyExample RequestSuccess ResponseError ResponseError CodesUse CasesLimitationsDeploymentClick the deploy buttonSet the Turnstile secretTest your deploymentLocal DevelopmentCloudflare Features Used