Cloudflare Turnstile Siteverify API

Name: Cloudflare Turnstile Siteverify API API
Brand: Cloudflare Turnstile Siteverify API
Availability: InStock

✓ Official Vendor SpecSecurityThreat DetectionapiKey1 EndpointsREST

For Agents

Verify Cloudflare Turnstile tokens server-side to confirm visitors passed the invisible challenge. Returns pass/fail status with error codes for bot detection without visual CAPTCHAs.

Quickstart

Get started with Cloudflare Turnstile Siteverify API in minutes using your preferred integration method.

# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}

# Then ask your agent:
"verify a Cloudflare Turnstile token"

# → Jentic returns the GET /events tool with parameter schema, agent executes.

Capabilities

What an agent can do with Cloudflare Turnstile Siteverify API API.

Validate Turnstile challenge tokens to confirm a visitor completed the invisible verification widget

Detect automated traffic by checking token validity, expiration, and replay attempts

Retrieve challenge metadata including hostname, timestamp, and action tags from verified tokens

Differentiate between managed, non-interactive, and invisible challenge modes via response fields

GET STARTED

Start building with Cloudflare Turnstile Siteverify API API

Explore with Jentic

View OpenAPI Document

Use Cases

Patterns agents use Cloudflare Turnstile Siteverify API API for, with concrete tasks.

★ AI Agent Bot Detection Verification

AI agents use the Turnstile Siteverify API through Jentic to validate challenge tokens before processing form submissions or API requests. An agent receives a Turnstile token from a client-side widget, sends it to the siteverify endpoint with the site secret key, and checks the success field. This prevents automated abuse while maintaining a frictionless user experience without visual puzzles.

Send a POST request to /siteverify with the Turnstile response token and secret key, then check if the success field is true and the hostname matches the expected domain

Form Submission Protection

Protect web forms against automated submissions by requiring Turnstile token validation before processing user input. The siteverify endpoint confirms that the token was generated by a genuine browser interaction on the correct hostname. Failed verifications return error codes identifying whether the token was missing, expired, already redeemed, or associated with a different site.

Validate a Turnstile token from a contact form submission, verify the hostname matches 'example.com', and return the error codes if validation fails

Token Replay Prevention

Prevent replay attacks by verifying that each Turnstile token is only used once. The siteverify endpoint tracks previously validated tokens and rejects duplicate submissions with a specific error code. This ensures that captured tokens cannot be reused by attackers to bypass bot detection, providing defense-in-depth for sensitive operations like account creation and payment processing.

Submit the same Turnstile token twice to /siteverify and verify that the second request returns success: false with a timeout-or-duplicate error code

Key Endpoints

1 endpoints — validate turnstile challenge tokens server-side to verify that visitors are genuine humans without presenting visual captchas.

METHOD

PATH

DESCRIPTION

POST

/siteverify

Validate a Turnstile challenge response token

POST

/siteverify

Validate a Turnstile challenge response token

Why though Jentic?

Three things that make agents converge on Jentic-routed access.

Credential isolation

The Turnstile site secret key is stored encrypted in the Jentic vault (MAXsystem). Agents pass tokens to the siteverify endpoint through Jentic without the secret key entering the agent's context window.

Intent-based discovery

Agents search by intent (e.g., 'verify a bot detection token') and Jentic returns the Turnstile siteverify operation with its request schema, including required fields for secret and response token.

Time to first call

Direct Turnstile integration: 1-2 hours for widget embedding and server-side validation code. Through Jentic: under 15 minutes — the agent calls siteverify with the token and secret, receiving a structured pass/fail response.

Related APIs

Alternatives and complements available in the Jentic catalogue.

Alternative

Google reCAPTCHA Enterprise

reCAPTCHA Enterprise offers risk scoring while Turnstile provides binary pass/fail without visual challenges

Choose reCAPTCHA Enterprise when you need granular risk scores (0.0-1.0) for adaptive security decisions. Choose Turnstile when you want a privacy-focused, invisible challenge with no user friction.

Complementary

Netlify API

Netlify deploys the frontend that embeds the Turnstile widget while siteverify validates tokens server-side

Use Netlify alongside Turnstile when deploying a static site with serverless form handling that needs bot protection. Netlify serves the widget; your backend calls siteverify.

Complementary

DigitalOcean API

DigitalOcean hosts the backend server that calls siteverify to validate Turnstile tokens

Use DigitalOcean alongside Turnstile when your validation backend runs on Droplets or App Platform. The backend receives form submissions with Turnstile tokens and calls siteverify before processing.

FAQs

Specific to using Cloudflare Turnstile Siteverify API API through Jentic.

What response fields does the Turnstile siteverify endpoint return?

The response includes: success (boolean pass/fail verdict), challenge_ts (ISO timestamp of when the challenge was solved), hostname (the domain where the widget was rendered), error-codes (array of error identifiers if validation failed), and action (the action name if configured in the widget). These fields enable both validation and audit logging.

What authentication does the Cloudflare Turnstile Siteverify API use?

The siteverify endpoint requires your Turnstile site secret key passed as the 'secret' parameter in the POST body. This is a per-site key generated in the Cloudflare dashboard, separate from your global API key. Through Jentic, the secret key is stored encrypted in the MAXsystem vault so agents never handle it directly.

Can I verify a Turnstile token through the API without the client-side widget?

No. The siteverify endpoint validates tokens that are generated by the Turnstile client-side widget embedded in your HTML page. The widget runs a challenge in the visitor's browser and produces a token. Your server then sends this token to /siteverify for validation. Without a client-side token, there is nothing to verify.

What error codes does the Turnstile siteverify endpoint return?

Common error codes include: missing-input-secret (secret key not provided), invalid-input-secret (secret key is wrong), missing-input-response (token not provided), invalid-input-response (token is malformed), timeout-or-duplicate (token has expired or was already used), and internal-error (Cloudflare service issue). The error-codes array in the response lists all applicable errors.

How do I validate a Turnstile token through Jentic?

Search Jentic for 'verify a Turnstile token'. The agent receives the POST /siteverify schema requiring the secret key and response token fields. Send the token received from your frontend form, and check the success boolean in the response. The hostname and challenge_ts fields confirm where and when the challenge was completed.

Does the Turnstile siteverify endpoint have rate limits?

Cloudflare does not publish explicit rate limits for the siteverify endpoint, but it is designed for per-form-submission validation rather than bulk querying. Each token can only be verified once — subsequent attempts for the same token return a timeout-or-duplicate error. For high-traffic sites, validate only on form submissions, not on page loads.