Skip to content

Troubleshooting FAQ

What happens if the user takes longer than five minutes?

The Turnstile widget needs to be refreshed to generate a new token. This can be done using the turnstile.reset function.

Can the front end use siteverify?

The siteverify API must not be called by the front end as this may reveal the secret key used to authenticate. An attacker may simply modify the front end to not perform the siteverify check at all, rendering Turnstile ineffective.

What is challenges.cloudflare.com, and why does my application connect to this origin?

Turnstile is hosted under challenges.cloudflare.com.

I am seeing a 401 error in your console during a Turnstile security check, is this a problem?

You can safely ignore the error. It is requesting a Private Access Token (PAT) that your device or browser does not support yet.

How can I obtain the Ray ID or QR code for troubleshooting?

You will need to provide a Ray ID or QR code when debugging issues. The Ray ID is found at the end of the challenge page. You can obtain the QR code by clicking the success/failure/spinner logo on the widget four times.

Can I use Turnstile on URI schemes such as file://?

No, Turnstile only works on http:// and https:// URI schemes. Other protocols such as file:// are not supported.

Why do I see a challenge on my proxied hostnames?

If your hostname is proxied through Cloudflare, visitors may experience challenges on your webpages.

Cloudflare issues challenges through the Challenge Platform, which is the same underlying technology powering Turnstile.

In contrast to our Challenge page offerings, Turnstile allows you to run challenges anywhere on your site in a less-intrusive way without requiring the use of Cloudflare’s CDN.