How to Bypass Cloudflare Turnstile

Cloudflare Turnstile has replaced traditional CAPTCHAs on millions of websites since its launch in 2022. Unlike image-based challenges that ask you to pick traffic lights, Turnstile runs silent browser checks that block scrapers before they load a single page. HTTP-only clients like Python's requests library fail instantly because Turnstile requires a full JavaScript environment to generate a valid token.

In this guide, we'll cover what Turnstile is and how Turnstile detects bots, three bypass methods (browser automation, CAPTCHA solving services, and cloud browsers), common failure patterns, and success rates for each approach. Let's get started.

How to Bypass Cloudflare When Web Scraping in 2026Cloudflare offers one of the most popular anti scraping service, so in this article we'll take a look how it works and how to bypass it.

What Is Cloudflare Turnstile?

Cloudflare Turnstile is Cloudflare's CAPTCHA replacement, launched in 2022 and now widely deployed across the web. Turnstile aims to verify visitors without the friction of image-based puzzles. Instead, Turnstile runs background checks that combine browser fingerprinting, behavioral analysis, and cryptographic challenges to decide whether a visitor is human or an automated bot.

Turnstile differs from reCAPTCHA and hCaptcha in one key way. Turnstile doesn't always show a visible challenge. Traditional CAPTCHAs require user interaction on every visit. Turnstile only escalates to an interactive challenge when the initial trust score is too low.

Turnstile operates in three distinct modes:

• Managed (Invisible): Runs entirely in the background using browser fingerprinting and cryptographic proof-of-work. Visitors never see a challenge box. The verification happens silently through JavaScript execution
• Non-Interactive (Brief Check): Shows a "Verifying you are human" message for 1-2 seconds while running background checks. No user action is needed unless the trust score drops below threshold
• Interactive: Requires the visitor to click a checkbox, similar to reCAPTCHA v2. Turnstile triggers interactive mode when Managed and Non-Interactive checks can't confirm the visitor is human

For web scrapers, Turnstile creates a hard barrier. HTTP-only clients like Python's requests or httpx can't complete Turnstile challenges because they lack a JavaScript engine. Even headless browsers need stealth patches to pass. Without JavaScript execution, the client can't generate the cryptographic token that Turnstile requires to grant access.

How Turnstile Detects Bots

Turnstile combines multiple detection signals to build a trust score for each visitor. Failing one check doesn't always trigger a block, but failing several drops the trust score low enough to trigger an interactive challenge or outright denial.

Browser Environment Checks

Turnstile probes the browser environment to verify that the client is a real browser, not an automated tool. The checks include:

• Canvas fingerprinting: Turnstile renders hidden graphics and hashes the output. Each browser and GPU combination produces a unique hash. Headless browsers and virtual machines produce different hashes than real desktop browsers
• WebGL rendering: Turnstile queries the WebGL API for GPU vendor, renderer, and supported extensions. Automated browsers often expose generic or missing WebGL data
• API availability probing: Turnstile checks for browser APIs that real browsers have but automated tools often lack, such as AudioContext, MediaDevices, and Bluetooth

Behavioral Signals

Turnstile monitors how visitors interact with the page before and during the challenge:

• Mouse movement patterns: Turnstile tracks cursor movement, speed, and acceleration. Automated scripts that jump the cursor directly to the checkbox look different from natural hand movement
• Keystroke dynamics: On pages with input fields, Turnstile analyzes typing speed and rhythm
• Page interaction timing: Turnstile measures how long the visitor has been on the page and whether any scrolling or clicking happened before the challenge loaded

Network Signals

Turnstile also evaluates the connection itself:

• IP reputation: Datacenter IPs, flagged proxies, and IPs with high request rates lower the trust score
• TLS fingerprint correlation: Turnstile checks whether the TLS handshake fingerprint (JA3/JA4) matches the claimed browser. A connection that claims to be Chrome but has a Python TLS fingerprint triggers immediate detection

These signals feed into a single trust score. A residential IP with a real browser fingerprint and natural mouse movement passes without a visible challenge. A datacenter IP with a headless browser fingerprint and no mouse data gets blocked or forced into interactive mode.

Knowing how Turnstile builds its trust score helps you pick the right bypass strategy. The next section covers three methods, each targeting different signals.

How to Know What Anti-Bot Service a Website is Using?In this article we'll take a look at two popular tools: WhatWaf and Wafw00f which can identify what WAF service is used.

Methods to Bypass Turnstile

Three approaches work for bypassing Turnstile challenges. Each method fits different use cases depending on your scale, budget, and the Turnstile mode you're facing.

Method 1: Browser Automation

Browser automation tools run a real browser that can execute Turnstile's JavaScript challenges natively. The key is using a stealth-patched browser that doesn't leak automation flags.

SeleniumBase UC Mode is one of the most effective tools for Turnstile bypass. UC Mode patches Chrome's automation flags and provides built-in methods for clicking Turnstile checkboxes automatically.

Installation

First, install SeleniumBase:

pip install seleniumbase

Turnstile Bypass Code

Then use UC Mode to open a Turnstile-protected page and click the challenge:

from seleniumbase import SB

# launch Chrome in UC Mode with stealth patches
with SB(uc=True, test=True) as sb:
    url = "https://2captcha.com/demo/cloudflare-turnstile-challenge"
    # open URL and reconnect after 4 seconds to avoid detection
    sb.uc_open_with_reconnect(url, 4)

    # automatically detect and click the Turnstile checkbox if present
    sb.uc_gui_click_captcha()

    # verify the page loaded after the challenge
    print(sb.get_page_title())

    html = sb.get_page_source()
    print(f"Page length: {len(html)} bytes")
    status = sb.execute_script("""
        const entries = window.performance.getEntriesByType('navigation');
        return entries.length ? entries[0].responseStatus : null;
    """)
    print(f"Page status: {status}")

The uc_open_with_reconnect method opens the URL, waits for the specified seconds, then reconnects to the browser. This disconnect-reconnect pattern prevents Turnstile from detecting the WebDriver connection during the challenge. The uc_gui_click_captcha method uses pyautogui to simulate a real mouse click on the Turnstile checkbox.

Camoufox is another strong option. Camoufox injects fingerprint data at Firefox's C++ level, making spoofed values invisible to JavaScript checks. But Camoufox doesn't have built-in Turnstile clicking like SeleniumBase, so you'd need to locate and click the challenge iframe manually.

Guide to SeleniumBase — A Better & Easier SeleniumSeleniumBase streamlines browser automation with simple syntax, cross-browser support, and robust features, perfect for testing and web scraping.

Method 2: CAPTCHA Solving Services

CAPTCHA solving services handle Turnstile challenges remotely and return a valid token for your scraper to inject. This approach works when you don't want to run a full browser.

The workflow for CAPTCHA solving services follows three steps:

1. Extract the Turnstile sitekey from the target page's HTML
2. Send the sitekey and page URL to the solving service API
3. Receive a solved token and inject the token into your request

CAPTCHA Solver Code

First, install the requests library:

pip install requests

Then send the Turnstile challenge to a solving service and retrieve the token:

import requests
import time

API_KEY = "your_2captcha_api_key"
SITE_KEY = "0x4AAAAAAAB..."  # from target page HTML
PAGE_URL = "https://2captcha.com/demo/cloudflare-turnstile-challenge"

def solve_turnstile(api_key, site_key, page_url):
    # step 1: submit the Turnstile challenge to 2Captcha
    submit = requests.post("https://2captcha.com/in.php", data={
        "key": api_key,
        "method": "turnstile",
        "sitekey": site_key,
        "pageurl": page_url,
        "json": 1,
    }).json()
    task_id = submit["request"]

    # step 2: poll for the solved token
    for _ in range(30):
        time.sleep(5)
        result = requests.get("https://2captcha.com/res.php", params={
            "key": api_key,
            "action": "get",
            "id": task_id,
            "json": 1,
        }).json()
        if result["status"] == 1:
            return result["request"]
    return None

token = solve_turnstile(API_KEY, SITE_KEY, PAGE_URL)
print(f"Solved token: {token[:50]}...")

The code submits the Turnstile challenge parameters to 2Captcha's API, then polls for the result every 5 seconds. Once solved, the service returns a token string that you inject into the target page's form or request headers.

The main drawback of CAPTCHA solving services is speed. Solving takes 10-30 seconds per challenge, and tokens expire quickly (usually within 5 minutes). For high-volume scraping, the cost adds up at roughly $1.45 per 1,000 solves.

Best CAPTCHA Solving APIs in 2026Compare the best CAPTCHA solving services including 2Captcha, CapSolver, Anti-Captcha, and browser-integrated solutions. Learn when to solve CAPTCHAs versus preventing them with anti-bot bypass.

Method 3: Cloud Browsers

Cloud browsers provide the highest bypass success rates because they combine fingerprint rotation, TLS matching, proxy management, and challenge solving into a single managed service. You don't need to configure stealth settings or manage browser instances.

Cloud browsers work by running real, pre-configured browsers on remote infrastructure. Each session gets a fresh fingerprint profile with matching TLS signatures, consistent canvas and WebGL data, and residential IPs. Turnstile can't distinguish these sessions from real users because every signal aligns.

Cloud Browser Code

First, install the Scrapfly SDK:

pip install scrapfly-sdk

Then scrape a Turnstile-protected page with automatic challenge solving:

from scrapfly import ScrapeConfig, ScrapflyClient

# initialize the client with your API key
scrapfly = ScrapflyClient(key="Your ScrapFly API key")

# scrape with anti-bot bypass and cloud browser
response = scrapfly.scrape(ScrapeConfig(
    url="https://2captcha.com/demo/cloudflare-turnstile-challenge",
    asp=True,  # enable anti-scraping protection bypass
    render_js=True,  # run a full cloud browser
    country="US",  # route through a US
    proxy_pool="public_residential_pool", # use the residential network for a higher success rate
    rendering_wait=5000,    
))

html = response.scrape_result["content"]
print(f"Scraped {len(html)} bytes")

The asp=True parameter enables Scrapfly's Anti-Scraping Protection, which handles Turnstile challenges automatically. The render_js=True parameter runs a full cloud browser that executes JavaScript, generates valid fingerprints, and completes any challenges that appear.

Cloud browsers are the best option for production scraping at scale. You don't need to maintain stealth patches, rotate fingerprints, or handle token expiration. The trade-off is cost, but the time saved on maintenance and debugging often outweighs the API expense.

Turnstile Bypass Success Rates

Success rates vary by Turnstile mode and bypass method. The table below shows approximate rates based on common scraping scenarios:

Managed challenges are the easiest to bypass because they rely on passive checks. A stealth browser with proper fingerprints passes most Managed challenges without any visible interaction.

Non-Interactive challenges add a brief verification step. Browser automation tools handle Non-Interactive challenges well, but the extra JavaScript execution time can slow down scraping. CAPTCHA solvers work but token expiration becomes a factor at scale.

Interactive challenges are the hardest because they require a visible click on the checkbox. SeleniumBase's uc_gui_click_captcha handles Interactive mode, but the click simulation must look natural. CAPTCHA solving services struggle with Interactive mode because they can't simulate the mouse movement that Turnstile expects.

Common Turnstile Bypass Failures

Even with the right tools, Turnstile bypass can fail. Here are the most common failure patterns and how to fix them:

Challenge Loops

The Turnstile challenge keeps reappearing after each click. Challenge loops happen when the browser fingerprint has inconsistencies. For example, a Chrome User-Agent paired with Firefox WebGL data triggers a low trust score that forces repeated challenges.

Fix: Use a stealth browser that keeps all fingerprint signals consistent. Camoufox and SeleniumBase UC Mode handle fingerprint consistency automatically.

Token Expiration

The solved token expires before your scraper uses the token. Turnstile tokens are single-use and typically valid for 300 seconds. Slow CAPTCHA solving services or delays in your scraping pipeline can cause tokens to expire.

Fix: Reduce the time between solving and token submission. If using a CAPTCHA solving service, submit the token immediately after receiving the solution.

Detection of Solving Service Signatures

Some anti-bot configurations detect patterns from CAPTCHA solving services. Repeated submissions from the same IP range or identical behavioral patterns across solves can flag your scraping requests.

Fix: Rotate residential proxies when using solving services. Combine the solved token with realistic headers and a proper TLS fingerprint.

5 Proven Ways to Bypass CAPTCHA in PythonCaptchas can ruin web scrapers but we don't have to teach our robots how to solve them - we can just get around it all!

Bypass Turnstile with Scrapfly

Scrapfly's Anti-Scraping Protection (ASP) handles Turnstile challenges automatically across all three modes. ASP combines residential proxy rotation, real browser fingerprints, TLS matching, and automatic challenge solving in a single API call. You don't need to manage stealth patches, rotate fingerprints, or handle token expiration.

For Turnstile-protected pages, set asp=True and render_js=True in your scrape configuration. Scrapfly's cloud browsers execute the Turnstile JavaScript, generate valid cryptographic tokens, and return the fully rendered page content. The bypass works for Managed, Non-Interactive, and Interactive Turnstile modes.

Summary

Cloudflare Turnstile combines browser fingerprinting, behavioral analysis, and cryptographic proof-of-work to block automated traffic. Three methods work for bypassing Turnstile: browser automation with stealth tools like SeleniumBase UC Mode, CAPTCHA solving services for token-based flows, and cloud browsers for production reliability.

Start with browser automation for small-scale scraping. If you need higher success rates or want to avoid maintaining stealth configurations, cloud browsers like Scrapfly handle Turnstile bypass automatically across all three challenge modes.