Cloudflare offers two distinct protection mechanisms — Challenge (full-page interstitial) and Turnstile (embedded widget). They are often confused, but they work differently, return different responses, and require different CaptchaAI methods. Using the wrong one will always fail.
Quick comparison
| Feature | Cloudflare Challenge | Cloudflare Turnstile |
|---|---|---|
| Type | Full-page interstitial | Embedded widget |
| Where it appears | Blocks entire page before content | Inside forms, alongside content |
| CaptchaAI method | cloudflare_challenge |
turnstile |
| What it returns | cf_clearance cookie |
Token string |
| Proxy required | Yes (mandatory) | No (recommended) |
| User-Agent required | Yes (mandatory) | No |
| Sitekey needed | No | Yes |
| Typical solve time | 15–30 seconds | 5–15 seconds |
| Token/cookie lifetime | 15–30 minutes | ~5 minutes |
Cloudflare Challenge — how it works
Cloudflare Challenge is a full-page interstitial. When Cloudflare determines a visitor is suspicious (based on IP reputation, request patterns, or WAF rules), it shows a "Checking your browser" page before allowing access.
What happens:
- User visits the site
- Cloudflare intercepts and shows the challenge page
- JavaScript runs browser checks (canvas, WebGL, fonts, navigator)
- If passed, Cloudflare sets a
cf_clearancecookie - The browser redirects to the original page with the cookie
Key characteristics:
- Blocks the entire page — no content is visible until solved
- The
cf_clearancecookie is bound to the IP and User-Agent - No sitekey — Cloudflare controls everything server-side
- Proxy is mandatory because the cookie is IP-bound
Solving with CaptchaAI:
data = {
"key": "YOUR_API_KEY",
"method": "cloudflare_challenge",
"pageurl": "https://example.com",
"proxy": "host:port:user:pass", # Mandatory
"proxytype": "HTTP", # Mandatory
"userAgent": "Mozilla/5.0 ...", # Mandatory
"json": 1
}
# Response: cf_clearance cookie value
# Set this cookie + use same proxy + same User-Agent for all subsequent requests
Cloudflare Turnstile — how it works
Turnstile is an embedded widget, similar to reCAPTCHA. It sits inside a form and returns a verification token. The page content is already visible — Turnstile protects specific actions (login, registration, checkout).
What happens:
- Page loads normally — content is visible
- A Turnstile widget renders inside a form
- The widget runs client-side challenges (transparent to the user)
- On success, a token is generated and placed in a hidden form field
- The form submits the token to the server for verification
Key characteristics:
- Content is visible — Turnstile only protects form submissions
- Returns a token, not a cookie
- Each widget has a sitekey (like reCAPTCHA)
- Tokens are single-use and expire in ~5 minutes
- No proxy or User-Agent binding
Solving with CaptchaAI:
data = {
"key": "YOUR_API_KEY",
"method": "turnstile",
"sitekey": "0x4AAAAAAADnPIDROz1234", # Required
"pageurl": "https://example.com/login",
"json": 1
}
# Response: token string
# Inject into cf-turnstile-response form field
When sites use each
Cloudflare Challenge is used for:
- Protecting entire domains from bots and scrapers
- Blocking access based on IP reputation
- DDoS mitigation (Under Attack Mode)
- Geographic access restrictions
- WAF rule triggers (suspicious request patterns)
Turnstile is used for:
- Login form protection
- Registration pages
- Contact forms
- Checkout flows
- Any action requiring user verification without blocking the page
Implementation differences
| Step | Cloudflare Challenge | Cloudflare Turnstile |
|---|---|---|
| Parameters | pageurl, proxy, proxytype, userAgent |
sitekey, pageurl |
| Response | Cookie value | Token string |
| After solving | Set cookie in session, use same proxy/UA | Inject token into form field |
| Reuse | Cookie valid for 15–30 min on domain | Token single-use, expires in ~5 min |
| Multi-page | One solve covers entire domain | One solve per form submission |
| Error if wrong method | N/A | ERROR_BAD_PARAMETERS |
Cost and speed
| Metric | Cloudflare Challenge | Turnstile |
|---|---|---|
| Average solve time | 15–30 seconds | 5–15 seconds |
| Cost per solve | Higher (browser simulation) | Lower |
| Additional costs | Proxy required (proxy cost) | No proxy cost |
Can a site use both?
Yes. A common pattern:
- Cloudflare Challenge protects initial access to the domain
- Turnstile protects the login form on the same site
In this case, you must:
- Solve the Cloudflare Challenge first → get
cf_clearancecookie - Navigate to the login page using the cookie
- Solve the Turnstile widget → get token
- Submit the login form with the token
FAQ
Which is more common?
Cloudflare Challenge is more common for scraping protection. Turnstile is growing rapidly as a reCAPTCHA replacement for form protection.
Can I solve Cloudflare Challenge without a proxy?
No. The cf_clearance cookie is bound to the solving IP. Without a proxy, CaptchaAI uses its own IP, and the cookie will not work from your IP.
Why does Turnstile not need a proxy?
Turnstile tokens are not IP-bound. The token works regardless of which IP submits it to the server.
My solve works but the site still blocks me. Why?
For Challenge: check User-Agent match, proxy IP match, and cookie expiry. For Turnstile: check that you are injecting the token into the correct field (cf-turnstile-response).
Solve Cloudflare protections with CaptchaAI
Handle both Challenge and Turnstile at captchaai.com.
Discussions (0)
Join the conversation
Sign in to share your opinion.
Sign InNo comments yet.