Skip to main content

How to Solve Cloudflare Turnstile with CaptchaAI. Step-by-Step Tutorial

Learn how to solve Cloudflare Turnstile captchas instantly using CaptchaAI’s high-accuracy, unlimited, and automated solution.

Irina Dobreva avatar
Written by Irina Dobreva
Updated this week

Note: This tutorial assumes you're using CaptchaAI API to bypass Cloudflare Turnstile challenges programmatically (e.g., in a script or automated tool).

Prerequisites

  • A CaptchaAI API key.

  • HTTP client (e.g., curl, Postman, Python requests, etc.).

  • Target website with Cloudflare Turnstile.

  • Basic understanding of HTML/JavaScript.

Step 1: Identify the Turnstile Site Key

  1. Open the target website in your browser (e.g., https://examples.captchaai.com/turnstile.html).

  2. Right-click → Inspect Element.

  3. Search for the Turnstile widget (usually in an <iframe> or a <div> with class cf-turnstile).

  4. Locate the sitekey attribute.

    <div class="cf-turnstile" data-sitekey="0x4XXXXXXXXXXXXXXXXXXxFF"></div>

Save this sitekey — you’ll need it for the API request.

Step 2: Submit Turnstile Task to CaptchaAI

Use the CaptchaAI API to request solving.

API Request (POST)

POST https://ocr.captchaai.com/in.php

Form Data:

key=YOUR_API_KEY method=turnstile sitekey=0x4XXXXXXXXXXXXXXXXXXxFF pageurl=https://examples.captchaai.com/turnstile.html

Replace:

  • YOUR_API_KEY with your actual CaptchaAI API key

  • sitekey with the value from Step 1

  • pageurl with the full URL where the Turnstile appears

Example (curl)

curl -F "key=YOUR_API_KEY" \      -F "method=turnstile" \      -F "sitekey=0x4XXXXXXXXXXXXXXXXXXxFF" \      -F "pageurl=https://examples.captchaai.com/turnstile.html" \      https://ocr.captchaai.com/in.php

Expected Response

If successful, you’ll get a response like:

OK|1234567890

Save the numeric ID (1234567890) — it’s your task ID.

Step 3: Poll for the Solved Token

CaptchaAI needs a few seconds to solve the challenge. Poll the result endpoint:

API Request (GET)

GET https://ocr.captchaai.com/res.php?key=YOUR_API_KEY&action=get&id=1234567890

Polling Logic

  • Send this request every 5 seconds.

  • If response is CAPCHA_NOT_READY, wait and retry.

  • If response starts with OK|, you’ve got your token!

Example Response

OK|0.Wiz8DS9z-8gXu0cjISfLJ0oxDnOYVFEYps1gvAiVVGtZVNUWgh2Ison2oEtDjkZ2T6IDoN07cF7GZrboZJT7-NINDdVMXOkgr6WLafNGw2-YrRYeWEIDNq7XE_wvX_dRYX-BgDDrOBzyXA9o6Rv2-q-_I3-1ywTwElJQACSulF08rwZZTbbuGvYr8m3607fc3tB6ENXJvRor1jawfUh0nmVNWGY7aFaBxWlMGASA6iaGuS3_MY23q9SMEiih9mtBk1lGQamOdz_oSLLylM4q99zX8kDWijx3m4X2rsMD1O955cdinpv1TlaJlpvOfwlm7w9F51r_Lcn9mXG1jYDLxFsgJtHK597fhV3Lsi0oikNSQ3HYqtaxkG4CJUKnuqs0gSpiIb6VshwQNffZHFM9arfYpGZzmpnOrsevOngsXwedJs2QFs9Vefjj_pMynoJ_1VDIe2G1o4GOe3avwwHd8v1XlTymGfv05PUA_l5kOEb72V4KYlIyu2_IxpQpt_2smeQFMWz-fcyLNHnhSEAzj10KubcaxUQ_3VTjvUY1f-hRhIx_XAG0jLTaIE_qp7U2zTg_lWtTKU41eM6Feb8m5H6l-oxaWUJCymPo3IEUGeoZh6Fgk3OQezqxryA3v0ZhJh_dnf-Cvqe1p1SLx95iNbnzm3_fqUMbOexkmDoIEAAcpTQY3ob4httIBM2Slr7ZC53irAIJdVppBWjyUC69eMbK7AxozG4-iC59TFCpcztvXasFRX6Y-Y29Y_qmM7ugjRPyCb9JZxpQuM6X_BNOYoR0BSrPCTWiiIqVpNobydrRsnzpsivUCpRsTTyk1Hce5coPbEBvuBeYv-LgWFbb1Voq4Vlj8dfwqhNN1Hv1k94xMNbw7VANMh40A7OWypl2-lis92YBZSTpgXZaNOftdWr0Y09BE0ICa1U-nqPLdJzs4QDfPWPRZ9t1bzf70zUL3b2QhGtkqRB7fB3nn0GD1Q.yAwqs6KllWp5oX--F4zaOA.e263d5bc817850200df723dcde8046c725512014fe1ca60041e5f15f6a3005cd

The part after OK| is your Turnstile response token.

Step 4: Submit Token to Target Website

Option A (Token Injection): Inject the token into the field before form submission.

On the target site, the Turnstile token is usually submitted via a hidden input:

<input type="hidden" name="cf-turnstile-response" id="cf-chl-widget-xxxxx_response" value>

For the purposes of this demo, we use JavaScript to set the value of the hidden field and click the Verify button.

document.querySelector('[name="cf-turnstile-response"]').value = 'YOUR_TOKEN_HERE';

If the site uses reCAPTCHA compatibility mode, cf-turnstile-response must be replaced with g-recaptcha-response. To detect this, see if the turnstile script in the page <head> includes compat=recaptcha (e.g., <script src="https://challenges.cloudflare.com/turnstile/v0/api.js?compat=recaptcha" async defer></script>)

This method works on most sites. If it didn't work for you, try option B.

Option B (Automation Cycle): Submit the token using the callback function:

To get the callback function and the required parameters you can inject the following JavaScript on page before the Turnstile widget is loaded.

const i = setInterval(()=>{ if (window.turnstile) {     clearInterval(i)     window.turnstile.render = (a,b) => {     let p = {         method: "turnstile",         sitekey: b.sitekey,         pageurl: window.location.href,         userAgent: navigator.userAgent     }     console.log(JSON.stringify(p))     window.tsCallback = b.callback     return 'captchaai'     } } },10)

Then when you get the token from our API use the following code to submit the token using the callback function

window.tsCallback('YOUR_TOKEN_HERE');

Step 5: Verify Success

  • If the server accepts your request → success!

  • If you get another challenge → token may be expired or invalid. Repeat from Step 2.

Tips

  • Turnstile tokens expire quickly (usually < 1 min). Use immediately.

  • Always respect CAPCHA_NOT_READY — don’t poll faster than every 3 sec.

  • It's always recommended to use HTTPS for all API calls.

Did this answer your question?