DEV Community: Bassem Shahin The latest articles on DEV Community by Bassem Shahin (@bshahin). https://dev.to/bshahin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3963470%2F74fdd403-aea6-477d-9330-39bd578dbbf4.png DEV Community: Bassem Shahin https://dev.to/bshahin en Why your reCAPTCHA v3 score is low — and how to actually raise it Bassem Shahin Thu, 25 Jun 2026 08:14:51 +0000 https://dev.to/bshahin/why-your-recaptcha-v3-score-is-low-and-how-to-actually-raise-it-5554 https://dev.to/bshahin/why-your-recaptcha-v3-score-is-low-and-how-to-actually-raise-it-5554 <h1> Why your reCAPTCHA v3 score is low — and how to actually raise it </h1> <p>reCAPTCHA v3 is the one that never shows a checkbox or a puzzle. Instead it watches the whole session and hands the site a <strong>score from 0.0 to 1.0</strong> — roughly "how human does this look." The site then decides what to do with it (allow, step up, block) based on its own threshold. So when your automation "fails reCAPTCHA v3," there's nothing to click — you're just scoring too low. The fix is understanding what it scores.</p> <h2> What v3 is actually scoring </h2> <p>v3 doesn't test whether you can solve something. It builds a <strong>risk score</strong> from signals across the page load and session:</p> <ul> <li><p><strong>IP reputation</strong> — datacenter ranges score low almost by default; residential/mobile score higher.</p></li> <li><p><strong>Browser fingerprint</strong> — navigator.webdriver, headless/automation tells, missing or inconsistent client-hints, a TLS/JA3 that doesn't match the UA you claim.</p></li> <li><p><strong>Behavior + history</strong> — mouse movement, timing, whether you have Google cookies / a browsing history, how you arrived at the page.</p></li> <li><p><strong>The action parameter</strong> — v3 tags each execution with an action (e.g. login); a mismatch or a generic action looks off.</p></li> </ul> <p>The key mental model: <strong>a low score is a "you look automated" verdict, assembled before you ever submit.</strong> There's no token to "solve" your way past it — you raise the score or you produce a token that already scores high.</p> <h2> Why yours is low (the usual suspects) </h2> <ul> <li><p>Running from a <strong>datacenter IP</strong> (AWS/GCP/cloud) — the single biggest score killer.</p></li> <li><p><strong>Default Selenium/Playwright</strong> — leaks navigator.webdriver + CDP/headless artifacts.</p></li> <li><p>A <strong>cold session</strong> — no cookies, no history, straight to the protected action.</p></li> <li><p><strong>Machine-speed behavior</strong> — instant navigation/clicks, no human-ish timing.</p></li> <li><p><strong>Fingerprint mismatch</strong> — a Chrome UA over a Pythonrequests TLS fingerprint, or a geo/timezone that disagrees with the IP.</p></li> </ul> <h2> How to actually raise it </h2> <ol> <li><p><strong>Fix the IP first</strong> — residential/mobile, geo-consistent with the rest of the profile. This alone moves the score the most.</p></li> <li><p><strong>Kill the automation tells</strong> — a stealth/patched browser (or a real one) so navigator.webdriver is false, client-hints are consistent, and the TLS fingerprint matches the UA.</p></li> <li><p><strong>Warm the session</strong> — keep cookies, do a little real navigation before the scored action, don't jump straight to the endpoint.</p></li> <li><p><strong>Human-ish behavior</strong> — realistic timing and interaction, not perfect machine cadence.</p></li> <li><p><strong>Use the right action</strong> — match the action the site expects for that step.</p></li> </ol> <p>For automation that still scores too low after the fundamentals, the practical route is to <strong>fetch a token from a solving service</strong> that produces high-scoring v3 tokens, then submit it. One important nuance people miss: <strong>the minimum score is set by the target site, not by you or the solver</strong> — so you can't "request 0.9"; you produce the best token possible and the site's threshold decides. Getting the fundamentals right is what makes that token land above their cutoff.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">requests</span><span class="p">,</span> <span class="n">time</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="n">SITEKEY</span><span class="p">,</span> <span class="n">PAGEURL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">YOUR_API_KEY</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">6Lc...</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://target.example/login</span><span class="sh">"</span> <span class="n">rid</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">https://ocr.captchaai.com/in.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">userrecaptcha</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">v3</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">login</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">googlekey</span><span class="sh">"</span><span class="p">:</span> <span class="n">SITEKEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">pageurl</span><span class="sh">"</span><span class="p">:</span> <span class="n">PAGEURL</span><span class="p">,</span> <span class="sh">"</span><span class="s">json</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">}).</span><span class="nf">json</span><span class="p">()[</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">]</span> <span class="n">token</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">40</span><span class="p">):</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span> <span class="n">res</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">https://ocr.captchaai.com/res.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">get</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">rid</span><span class="p">,</span> <span class="sh">"</span><span class="s">json</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">}).</span><span class="nf">json</span><span class="p">()</span> <span class="k">if</span> <span class="n">res</span><span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span> <span class="n">token</span> <span class="o">=</span> <span class="n">res</span><span class="p">[</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">];</span> <span class="k">break</span> <span class="c1"># submit token as g-recaptcha-response for the matching action </span> </code></pre> </div> <h2> TL;DR </h2> <ul> <li><p>v3 gives a <strong>0.0–1.0 score</strong>, not a puzzle — a low score means "looks automated," assembled from IP + fingerprint + behavior.</p></li> <li><p>Biggest levers, in order: <strong>residential geo-matched IP → no automation fingerprint → warm session → human-ish behavior → correct action.</strong></p></li> <li><p>The <strong>site sets the min-score threshold</strong>, not you — so fix the fundamentals; a token only lands if the rest looks legit.</p></li> </ul> <p>If you want to test the token flow against your own target, CaptchaAI returns reCAPTCHA v3 tokens (with action) and is 2Captcha-API-compatible, so an existing client is mostly a base-URL change — <a href="https://captchaai.com/trial?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=why-recaptcha-v3-score-low-how-to-raise-it" rel="noopener noreferrer">the trial is free</a> (3 days, no card).</p> webscraping python automation captcha Migrating reCAPTCHA solving off 2Captcha: the one-line swap (and what changes at volume) Bassem Shahin Wed, 24 Jun 2026 08:56:41 +0000 https://dev.to/bshahin/migrating-recaptcha-solving-off-2captcha-the-one-line-swap-and-what-changes-at-volume-41pe https://dev.to/bshahin/migrating-recaptcha-solving-off-2captcha-the-one-line-swap-and-what-changes-at-volume-41pe <h1> Migrating reCAPTCHA solving off 2Captcha: the one-line swap </h1> <p>Most teams who solve reCAPTCHA at volume started on 2Captcha. What people don't realize is that the 2Captcha API has effectively become a shared interface — several providers implement the same in.php / res.php contract. So switching usually isn't a rewrite; it's a base-URL change.</p> <p>This matters because the main reason to switch is cost at volume (per-1,000 scales linearly; thread-based flattens it). If migrating were a big refactor the savings wouldn't be worth it. It isn't, so they are.</p> <h2> The actual diff </h2> <p>Typical 2Captcha reCAPTCHA code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">requests</span><span class="p">,</span> <span class="n">time</span> <span class="n">API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">YOUR_KEY</span><span class="sh">"</span> <span class="n">BASE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://2captcha.com</span><span class="sh">"</span> <span class="c1"># the only provider-specific line </span> <span class="n">submit</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE</span><span class="si">}</span><span class="s">/in.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">userrecaptcha</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">googlekey</span><span class="sh">"</span><span class="p">:</span> <span class="n">SITE_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">pageurl</span><span class="sh">"</span><span class="p">:</span> <span class="n">PAGE_URL</span><span class="p">})</span> <span class="n">task_id</span> <span class="o">=</span> <span class="n">submit</span><span class="p">.</span><span class="n">text</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">|</span><span class="sh">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE</span><span class="si">}</span><span class="s">/res.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">get</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">task_id</span><span class="p">})</span> <span class="k">if</span> <span class="n">r</span><span class="p">.</span><span class="n">text</span> <span class="o">==</span> <span class="sh">"</span><span class="s">CAPCHA_NOT_READY</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">5</span><span class="p">);</span> <span class="k">continue</span> <span class="n">token</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="n">text</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">|</span><span class="sh">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">break</span> </code></pre> </div> <p>Migrating to a 2Captcha-compatible provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="n">BASE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://ocr.captchaai.com</span><span class="sh">"</span> <span class="c1"># changed </span> <span class="n">API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">YOUR_NEW_KEY</span><span class="sh">"</span> <span class="c1"># changed </span> <span class="c1"># everything else is byte-for-byte identical </span> </code></pre> </div> <p>method=userrecaptcha, googlekey, pageurl, the OK| response, CAPCHA_NOT_READY polling, the token — all the same. Wrapped it in a client class? Change one constant. Used an SDK? Point it at the new base URL.</p> <h2> What stays identical </h2> <ul> <li><p>The reCAPTCHA flow: v2 checkbox, v2 invisible, v3 version=v3 + min_score) — same call shape.</p></li> <li><p>Token handling, your retry/timeout/polling logic — untouched.</p></li> </ul> <h2> What changes </h2> <ol> <li><p>The pricing model (the point): per-1,000 → per-<em>thread</em> with unlimited solves. Size for peak concurrency, not monthly total.</p></li> <li><p>Latency / success-rate are provider-specific — so measure, don't assume.</p></li> </ol> <h2> How to migrate without betting the pipeline on it </h2> <ol> <li><p>Keep 2Captcha wired in; add the new provider behind the same interface (same calls — trivial).</p></li> <li><p>Route ~10% of traffic to the new one.</p></li> <li><p>Compare on your targets: success rate, median latency, cost per 1,000.</p></li> <li><p>Holds up? Ramp. Doesn't? You've lost nothing.</p></li> </ol> <p>Because the API is identical, that A/B harness is a few lines and a flag.</p> <h2> The honest version </h2> <p>A compatible provider is a drop-in at the API level — that part is a one-line swap. Whether it's the right swap depends on your numbers: run the A/B on real traffic and let the data decide. Compatibility just makes that test cheap.</p> webscraping python automation captcha The real cost of solving reCAPTCHA at scale (per-1,000 vs thread-based) Bassem Shahin Tue, 23 Jun 2026 16:23:28 +0000 https://dev.to/bshahin/the-real-cost-of-solving-recaptcha-at-scale-per-1000-vs-thread-based-379j https://dev.to/bshahin/the-real-cost-of-solving-recaptcha-at-scale-per-1000-vs-thread-based-379j <h1> The real cost of solving reCAPTCHA at scale </h1> <p>If you automate anything on the public web for long enough, reCAPTCHA is the wall you hit most. It's on far more sites than Turnstile, hCaptcha, or the enterprise bot vendors combined. So when you wire in a solving service, the interesting question usually isn't "can it solve reCAPTCHA" (most can). It's what does it cost when you're doing this 100,000 times a month — or 10 million?</p> <p>That's where the pricing model matters more than the per-solve price.</p> <h2> Two ways solvers bill you </h2> <ol> <li><p>Per-1,000 solves (usage-based). 2Captcha, Anti-Captcha, CapSolver, CapMonster — most of the market — charge per solve, quoted per 1,000 (~$1–$3 for reCAPTCHA). Your bill scales linearly with volume. Double the traffic, double the cost. Forever.</p></li> <li><p>Thread-based (concurrency-based). A "thread" is one concurrent in-flight solve. You buy N threads and get unlimited solves per thread per month. Cost scales with peak concurrency, not total volume — so once sized, pushing more solves through is free.</p></li> </ol> <h2> The math </h2> <p>reCAPTCHA v2 at ~$2 per 1,000 vs thread-based tiers (illustrative — check current pricing):</p> <p>| Monthly solves | Per-1,000 (~$2/1k) | Thread plan | Thread cost | Effective per-1k |</p> <p>|---|---|---|---|---|</p> <p>| 10,000 | ~$20 | 5 threads | ~$15 | ~$1.50 |</p> <p>| 100,000 | ~$200 | 5 threads | ~$15 | ~$0.15 |</p> <p>| 1,000,000 | ~$2,000 | 50 threads | ~$90 | ~$0.09 |</p> <p>| 10,000,000 | ~$20,000 | 200 threads | ~$300 | ~$0.015 |</p> <p>The usage column grows in a straight line. The thread column barely moves. At a million/month the effective per-1,000 is single-digit cents; at ten million it's a rounding error.</p> <h2> When each wins </h2> <ul> <li><p>Low/bursty volume → usage-based (or a free tier). A few thousand a month with idle gaps? Pay per solve; you're not paying for concurrency you don't use.</p></li> <li><p>Sustained/high volume → thread-based. Solving continuously? Flat per-thread wins, and the gap widens the more you push.</p></li> </ul> <p>The one ask of thread-based: size threads to peak concurrency, not total volume. Watch your live concurrency for a day, buy ~that many, done.</p> <h2> The token flow (so this isn't just pricing) </h2> <p>reCAPTCHA v2/v3 is the same three steps regardless of vendor — and on a 2Captcha-compatible API it's identical calls:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="kn">import</span> <span class="n">requests</span><span class="p">,</span> <span class="n">time</span> <span class="n">API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">YOUR_KEY</span><span class="sh">"</span> <span class="n">BASE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://ocr.captchaai.com</span><span class="sh">"</span> <span class="c1"># 2Captcha-compatible </span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE</span><span class="si">}</span><span class="s">/in.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">userrecaptcha</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">googlekey</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">SITE_KEY</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">pageurl</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">https://target.example/login</span><span class="sh">"</span><span class="p">})</span> <span class="n">task_id</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="n">text</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">|</span><span class="sh">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">res</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">BASE</span><span class="si">}</span><span class="s">/res.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">get</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">task_id</span><span class="p">})</span> <span class="k">if</span> <span class="n">res</span><span class="p">.</span><span class="n">text</span> <span class="o">==</span> <span class="sh">"</span><span class="s">CAPCHA_NOT_READY</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">5</span><span class="p">);</span> <span class="k">continue</span> <span class="n">token</span> <span class="o">=</span> <span class="n">res</span><span class="p">.</span><span class="n">text</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">|</span><span class="sh">"</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="k">break</span> <span class="c1"># inject token into g-recaptcha-response, submit the form </span> </code></pre> </div> <p>For v3 the same flow returns a token, but v3 returns a score driven by the session's reputation, not a puzzle — a separate rabbit hole; the cost model is the same either way.</p> <h2> The takeaway </h2> <p>For reCAPTCHA, don't ask the headline per-1,000 rate — ask what your bill looks like at 10× your volume. Usage-based 10×'s with you; thread-based is roughly flat. Size threads to peak concurrency, run the math on your real volume, and pick the model that matches your curve.</p> webscraping python automation captcha What DataDome actually checks — and why your Cloudflare playbook doesn’t transfer Bassem Shahin Thu, 18 Jun 2026 13:54:13 +0000 https://dev.to/bshahin/what-datadome-actually-checks-and-why-your-cloudflare-playbook-doesnt-transfer-24b5 https://dev.to/bshahin/what-datadome-actually-checks-and-why-your-cloudflare-playbook-doesnt-transfer-24b5 <h1> What DataDome actually checks — and why your Cloudflare playbook doesn’t transfer </h1> <p>You’ve got your Cloudflare setup dialed in — clean residential IPs, a real browser, a solver for the Turnstile widget — and then you hit a site that blocks you anyway, with a challenge that looks nothing like Cloudflare’s. Odds are it’s <strong>DataDome</strong>, and the reason your playbook stops working is that DataDome isn’t primarily a captcha. It’s a request-analysis and device-fingerprinting engine that <em>sometimes</em> shows a captcha. Treat it like Cloudflare and you’ll spin.</p> <p>Here's how to recognize it, what it's really doing, and how to approach it honestly.</p> <h2> How to know it’s DataDome (not Cloudflare) </h2> <p>Read the response — the markers are distinct:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">status_code</span><span class="p">)</span> <span class="c1"># often 403 </span><span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">datadome</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">r</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">set-cookie</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">).</span><span class="nf">lower</span><span class="p">())</span> <span class="c1"># a `datadome` cookie </span><span class="nf">print</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">x-datadome</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="n">r</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">x-dd-b</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># DataDome response headers </span><span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">captcha-delivery.com</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">r</span><span class="p">.</span><span class="n">text</span><span class="p">)</span> <span class="c1"># DataDome's challenge/captcha host </span><span class="nf">print</span><span class="p">(</span><span class="sh">'"</span><span class="s">dd</span><span class="sh">"'</span> <span class="ow">in</span> <span class="n">r</span><span class="p">.</span><span class="n">text</span><span class="p">)</span> <span class="c1"># a {"dd": {...}} JSON block in the 403 body </span></code></pre> </div> <ul> <li>A <strong><code>datadome</code> cookie</strong>, an <strong><code>x-datadome</code></strong> header, references to <strong><code>captcha-delivery.com</code></strong> / <strong><code>ct.captcha-delivery.com</code></strong>, or a <code>{"dd": {...}}</code> JSON block in a <code>403</code> → that’s DataDome.</li> <li>Cloudflare’s tells are different: <code>cf-mitigated</code>, <code>cdn-cgi/challenge-platform</code>, <code>cf_clearance</code>. If you see those, it’s Cloudflare, and a different guide applies.</li> </ul> <p>Getting the vendor right is the whole first step, because the fix is not the same.</p> <h2> Why it’s harder than “solve the captcha” </h2> <p>DataDome decides whether to even <em>show</em> a captcha based on a risk score it builds from:</p> <ul> <li> <strong>Request fingerprint</strong> — TLS/JA3, HTTP/2 settings, header order. A raw client (or an obvious headless browser) scores badly before any challenge.</li> <li> <strong>Device signals</strong> — a heavy client-side JS payload reads canvas/WebGL/fonts/timing/sensors; inconsistencies (a “desktop Chrome” with mobile-ish signals, or a timezone that disagrees with the IP) flag instantly.</li> <li> <strong>Behavior</strong> — mouse movement, timing, navigation patterns.</li> </ul> <p>So the captcha is the <em>last</em> gate, not the first. This is why people who “solve the DataDome captcha” still get blocked on the next request: the captcha token doesn’t fix a fingerprint that already looks automated. The defense is mostly upstream of the challenge.</p> <h2> How to handle it </h2> <ol> <li> <strong>Confirm it’s DataDome first</strong> (above) — don’t apply Cloudflare clearance logic to it.</li> <li> <strong>Look for a way around the wall.</strong> Often the cheapest win: check whether the site exposes the same data via an official API or a backing JSON endpoint the page itself calls (devtools → Network → XHR). That can skip DataDome entirely.</li> <li> <strong>If you must go through the front, fix the layers in order:</strong> <ul> <li> <strong>IP</strong> — residential/mobile, geo-matched to your profile. Datacenter IPs score poorly with DataDome.</li> <li> <strong>Fingerprint</strong> — a real or patched-stealth browser whose values are <em>internally consistent</em> (and consistent with the IP’s geo). DataDome is stricter than Cloudflare on automation tells, so default Selenium/Playwright usually won’t survive.</li> <li> <strong>Behavior</strong> — human-ish timing and interaction, not machine-perfect.</li> </ul> </li> <li> <strong>The interactive captcha, when it appears</strong> (DataDome’s image/slider), is solvable like other image/interactive captchas — but only <em>after</em> the fingerprint/behavior look legitimate; otherwise a solved challenge just bounces on the next request. And the <code>datadome</code> cookie you earn is bound to the IP + UA + fingerprint that earned it (much like <code>cf_clearance</code>), so pin the session and don’t rotate mid-flow.</li> </ol> <p>The honest summary: DataDome is a fingerprint/behavior problem with a captcha on top, not a captcha problem. Spend your effort on the IP + fingerprint + behavior stack; the challenge is the easy 20%.</p> <h2> TL;DR </h2> <ul> <li> <strong>Identify by the response</strong>: <code>datadome</code> cookie / <code>x-datadome</code> header / <code>captcha-delivery.com</code> / <code>{"dd":...}</code> 403 → DataDome (not Cloudflare).</li> <li>It scores <strong>fingerprint + device + behavior</strong> before showing a captcha, so a solved challenge alone won’t save a bad fingerprint.</li> <li>Order of fixes: residential geo-matched IP → internally-consistent real/stealth browser → human-ish behavior → (only then) the interactive challenge.</li> <li>Pin the session — the <code>datadome</code> cookie is bound to IP+UA+fingerprint.</li> </ul> <p>For the everyday captcha types you hit alongside this — reCAPTCHA v2/v3, Cloudflare Turnstile, GeeTest, image — CaptchaAI is 2Captcha-API-compatible, so an existing client is mostly a base-URL change, and <a href="https://captchaai.com/trial?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=what-datadome-checks-and-how-to-handle-it" rel="noopener noreferrer">the trial is free</a> (3 days, no card).</p> webscraping python datadome automation Managed vs interactive Cloudflare challenge: how to tell, and why it changes your fix Bassem Shahin Thu, 18 Jun 2026 13:53:15 +0000 https://dev.to/bshahin/managed-vs-interactive-cloudflare-challenge-how-to-tell-and-why-it-changes-your-fix-3in0 https://dev.to/bshahin/managed-vs-interactive-cloudflare-challenge-how-to-tell-and-why-it-changes-your-fix-3in0 <h1> Managed vs interactive Cloudflare challenge: how to tell, and why it changes your fix </h1> <p>You send a request, Cloudflare blocks it, and you reach for “a Turnstile solver.” But half the time that’s the wrong tool — because what stopped you wasn’t a Turnstile widget at all, it was a <em>managed challenge</em>. They look similar from the outside and get lumped together as “Cloudflare captcha,” but they’re different mechanisms that need opposite handling. Picking the wrong one is why people burn hours (and solver credits) getting nowhere.</p> <p>Here's how to tell which one you hit, straight from the response, and what each actually needs.</p> <h2> The two things people conflate </h2> <p><strong>Interactive Turnstile widget.</strong> An embedded <code>cf-turnstile</code> widget sitting on an otherwise-normal page — usually a login or signup form. The page loads fine; the widget produces a token (<code>cf-turnstile-response</code>) that you submit with the form. The site verifies that token server-side.</p> <p><strong>Managed challenge.</strong> Cloudflare’s full-page interstitial — the “Checking your browser before you access…” screen — that gates the <em>entire</em> page before any real content loads. It runs a JavaScript challenge, scores the browser, and on success issues a <code>cf_clearance</code> cookie that lets subsequent requests through.</p> <p>The confusion is understandable: a managed challenge can itself <em>render</em> a Turnstile widget as part of the interstitial. But the unit of work is completely different — a standalone widget gives you a <strong>token to submit</strong>; a managed challenge gives you a <strong>clearance cookie to carry</strong>.</p> <h2> How to tell them apart (from the response) </h2> <p>Don't guess from the screenshot — read what comes back.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">status_code</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">cf-mitigated</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># "challenge" =&gt; managed challenge layer </span><span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">cf-turnstile</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">r</span><span class="p">.</span><span class="n">text</span><span class="p">)</span> <span class="c1"># a widget present in the DOM </span><span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">challenge-platform</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">r</span><span class="p">.</span><span class="n">text</span><span class="p">)</span> <span class="c1"># CF interstitial script =&gt; managed </span></code></pre> </div> <ul> <li> <strong>Interactive widget:</strong> the page returns <code>200</code> with real content, and the HTML contains a <code>cf-turnstile</code> element with a <code>sitekey</code>. The captcha is <em>part of a form</em>, not the whole page.</li> <li> <strong>Managed challenge:</strong> the response is the interstitial itself — typically <code>403</code>/<code>503</code>, a <code>cf-mitigated: challenge</code> header, a body containing <code>cdn-cgi/challenge-platform</code> scripts, and <strong>no real page content</strong>. You never reach the actual HTML until you clear it.</li> <li> <strong>Neither (rule this out first):</strong> a flat <code>403</code> carrying a Cloudflare error code like <code>1020</code> (firewall rule) or <code>1006/1007</code> (IP ban) is a WAF/IP decision — no token or clearance fixes that; you need a different egress IP or to stop tripping the rule.</li> </ul> <h2> Why it changes your fix </h2> <p><strong>Interactive widget → token flow.</strong> Read the sitekey off the <em>rendered</em> widget + the page URL, get a token, inject it into the response field, and submit immediately (tokens are single-use and short-lived). You do <strong>not</strong> need a full browser session for the rest — just a valid token at submit time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span><span class="p">,</span> <span class="n">time</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="n">SITEKEY</span><span class="p">,</span> <span class="n">PAGEURL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">YOUR_API_KEY</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">0x4AAAAA...</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://target.example/login</span><span class="sh">"</span> <span class="n">rid</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="sh">"</span><span class="s">https://ocr.captchaai.com/in.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">turnstile</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sitekey</span><span class="sh">"</span><span class="p">:</span> <span class="n">SITEKEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">pageurl</span><span class="sh">"</span><span class="p">:</span> <span class="n">PAGEURL</span><span class="p">,</span> <span class="sh">"</span><span class="s">json</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">}).</span><span class="nf">json</span><span class="p">()[</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">]</span> <span class="n">token</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">40</span><span class="p">):</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span> <span class="n">res</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">https://ocr.captchaai.com/res.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">get</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">rid</span><span class="p">,</span> <span class="sh">"</span><span class="s">json</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">}).</span><span class="nf">json</span><span class="p">()</span> <span class="k">if</span> <span class="n">res</span><span class="p">[</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span> <span class="n">token</span> <span class="o">=</span> <span class="n">res</span><span class="p">[</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">];</span> <span class="k">break</span> <span class="c1"># submit token in cf-turnstile-response immediately </span></code></pre> </div> <p><strong>Managed challenge → clearance flow.</strong> A bare token is <em>not enough</em>. You need to actually pass the interstitial — in a real browser or a solver that runs the JS challenge — to mint <code>cf_clearance</code>, then reuse that cookie with the <strong>same IP + User-Agent + TLS fingerprint</strong> that earned it. Change any of those and Cloudflare re-challenges. So the pattern is: mint clearance once, pin the session (one sticky IP, one UA, a browser-matching TLS fingerprint like <code>curl_cffi</code>'s <code>impersonate</code>), and re-mint when you see <code>cf-mitigated: challenge</code> again rather than replaying a dead cookie.</p> <p>The expensive mistake is mixing them up:</p> <ul> <li>Trying to “get a Turnstile token” for a <strong>managed challenge</strong> — there’s often no standalone widget token to fetch; you needed clearance.</li> <li>Spinning up a full browser + clearance handling for a <strong>standalone widget</strong> — overkill; a token would have done it.</li> </ul> <p>So the first move on any Cloudflare block is the 30-second classification above. It tells you whether you’re in token-land or clearance-land, and everything downstream depends on that.</p> <h2> TL;DR </h2> <ul> <li> <strong>Read the response first</strong>: <code>cf-mitigated</code> header + <code>challenge-platform</code> in body + no real content → managed challenge. A <code>cf-turnstile</code> sitekey on an otherwise-loaded page → interactive widget. <code>1006/1007/1020</code> → IP/WAF, not solvable with a token.</li> <li> <strong>Interactive widget</strong> → solve sitekey+pageurl, inject token, submit immediately (single-use, short TTL).</li> <li> <strong>Managed challenge</strong> → mint <code>cf_clearance</code> via a real browser/solver, pin IP+UA+TLS, re-mint on re-challenge.</li> <li>Classify before you reach for a tool — the wrong path is why “Cloudflare won’t solve” turns into a lost afternoon.</li> </ul> <p>If you want to test either path against your own target, CaptchaAI handles both (Turnstile tokens and the full managed-challenge clearance flow) and is 2Captcha-API-compatible, so an existing client is mostly a base-URL change — <a href="https://captchaai.com/trial?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=cloudflare-managed-vs-interactive-challenge" rel="noopener noreferrer">the trial is free</a> (3 days, no card).</p> webscraping python cloudflare automation Cloudflare cf_clearance: why it expires and how to stop the re-challenge loop Bassem Shahin Tue, 16 Jun 2026 20:58:13 +0000 https://dev.to/bshahin/cloudflare-cfclearance-why-it-expires-and-how-to-stop-the-re-challenge-loop-do9 https://dev.to/bshahin/cloudflare-cfclearance-why-it-expires-and-how-to-stop-the-re-challenge-loop-do9 <h1> Cloudflare cf_clearance: why it expires and how to stop the re-challenge loop </h1> <p>You solve the Cloudflare challenge, get a <code>cf_clearance</code> cookie, make your next request — and Cloudflare throws you straight back to the challenge. You solve it again, same thing. The scraper is technically "working," it's just stuck in a loop, burning a solve on every request and never getting to the actual page.</p> <p>This is one of the most common Cloudflare problems, and it's almost never the challenge itself. It's how <code>cf_clearance</code> is issued and what it's tied to. Once you understand that, the loop has a clean fix.</p> <h2> What cf_clearance actually is </h2> <p>When you pass a Cloudflare challenge (managed challenge, JS challenge, or interactive Turnstile), Cloudflare issues a <code>cf_clearance</code> cookie. That cookie is your proof of passage — present it on subsequent requests and Cloudflare lets you through without re-challenging.</p> <p>The catch is that <code>cf_clearance</code> is <strong>not a portable token you can reuse anywhere</strong>. It carries two constraints that cause the loop:</p> <h3> 1. It has a TTL </h3> <p><code>cf_clearance</code> expires. The window varies by site configuration (often tens of minutes, sometimes shorter under stricter settings or "Under Attack" mode). When it expires, the next request gets challenged again — expected behavior. The bug is when your code keeps replaying an expired cookie instead of noticing it's dead and minting a fresh one.</p> <h3> 2. It's bound to your IP + User-Agent + TLS fingerprint </h3> <p>This is the one that traps people. Cloudflare binds the clearance to the <strong>exact context that solved the challenge</strong>:</p> <ul> <li>the <strong>IP</strong> that passed it,</li> <li>the <strong>User-Agent</strong> string presented, and</li> <li>the <strong>TLS/JA3 fingerprint</strong> of the client.</li> </ul> <p>Change any of those between getting the cookie and using it, and Cloudflare treats the cookie as invalid and re-challenges. That's why these patterns loop forever:</p> <ul> <li> <strong>Rotating proxies mid-session</strong> — you solve on IP A, your next request goes out IP B, cookie rejected.</li> <li> <strong>Solving in a real browser, then submitting from <code>requests</code></strong> — the browser's TLS fingerprint and UA don't match your HTTP client, so the cookie you carefully obtained is dead on the first reuse.</li> <li> <strong>Spoofing a UA that doesn't match the fingerprint</strong> — claiming Chrome while sending a Python-<code>requests</code> JA3 is itself a mismatch.</li> </ul> <h2> How to confirm it's the loop and not something else </h2> <p>Before fixing, log what you're actually getting back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">cookies</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">cf_clearance</span><span class="sh">"</span><span class="p">:</span> <span class="n">clearance</span><span class="p">})</span> <span class="nf">print</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">status_code</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">cf-mitigated</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># "challenge" =&gt; you got re-challenged </span><span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">cf_clearance</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">r</span><span class="p">.</span><span class="n">cookies</span><span class="p">)</span> <span class="c1"># did this response set a NEW one? </span></code></pre> </div> <ul> <li> <code>cf-mitigated: challenge</code> (or a challenge-page body) → you're in the re-challenge loop; the cookie was rejected.</li> <li>A flat <code>403</code> with a Cloudflare <code>1006/1007</code> error code → that's an <strong>IP ban</strong>, not a clearance problem; no cookie fixes it (you need a different egress IP).</li> <li>A clean <code>200</code> → you're through; the cookie is valid for now.</li> </ul> <h2> The fix </h2> <p>The loop breaks when you stop reusing a stale/mismatched cookie and instead <strong>evict-and-re-mint on the challenge signal, with a pinned context</strong>:</p> <ol> <li> <strong>Pin one IP + one UA + one TLS fingerprint per session.</strong> Don't rotate the proxy mid-session. If you're submitting from Python, send a browser-matching TLS fingerprint (e.g. <code>curl_cffi</code> with <code>impersonate</code>) and the <em>same</em> UA you solved with — not the default <code>requests</code> fingerprint.</li> <li> <strong>Detect re-challenge by the response, not a timer.</strong> Cloudflare can invalidate early, so don't trust a fixed "valid for N minutes" assumption. When you see <code>cf-mitigated: challenge</code>, treat the stored clearance as dead, evict it, and re-mint.</li> <li> <strong>Re-mint with the same context that will reuse it.</strong> Whatever solves the challenge (a real browser or a solver) must produce a cookie usable by the same IP+UA+fingerprint that makes the real requests.</li> <li> <strong>Optionally refresh proactively</strong> just before the known TTL to avoid a user-facing stall.</li> </ol> <p>A minimal session loop that respects all of this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">curl_cffi.requests</span> <span class="k">as</span> <span class="n">cc</span> <span class="n">session</span> <span class="o">=</span> <span class="n">cc</span><span class="p">.</span><span class="nc">Session</span><span class="p">(</span><span class="n">impersonate</span><span class="o">=</span><span class="sh">"</span><span class="s">chrome</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># browser-matching TLS fingerprint </span><span class="n">UA</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Mozilla/5.0 (Windows NT 10.0; Win64; x64) ... Chrome/124.0 Safari/537.36</span><span class="sh">"</span> <span class="n">session</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">User-Agent</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">UA</span> <span class="n">PROXY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">http://user:pass@residential-ip:port</span><span class="sh">"</span> <span class="c1"># one sticky IP for the session </span><span class="n">session</span><span class="p">.</span><span class="n">proxies</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">http</span><span class="sh">"</span><span class="p">:</span> <span class="n">PROXY</span><span class="p">,</span> <span class="sh">"</span><span class="s">https</span><span class="sh">"</span><span class="p">:</span> <span class="n">PROXY</span><span class="p">}</span> <span class="k">def</span> <span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">clearance</span><span class="p">):</span> <span class="n">r</span> <span class="o">=</span> <span class="n">session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">cookies</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">cf_clearance</span><span class="sh">"</span><span class="p">:</span> <span class="n">clearance</span><span class="p">}</span> <span class="k">if</span> <span class="n">clearance</span> <span class="k">else</span> <span class="p">{})</span> <span class="k">if</span> <span class="n">r</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">cf-mitigated</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">challenge</span><span class="sh">"</span> <span class="ow">or</span> <span class="sh">"</span><span class="s">challenge-platform</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">r</span><span class="p">.</span><span class="n">text</span><span class="p">:</span> <span class="n">clearance</span> <span class="o">=</span> <span class="nf">mint_clearance</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">UA</span><span class="p">,</span> <span class="n">PROXY</span><span class="p">)</span> <span class="c1"># re-mint with the SAME UA+IP </span> <span class="n">r</span> <span class="o">=</span> <span class="n">session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">cookies</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">cf_clearance</span><span class="sh">"</span><span class="p">:</span> <span class="n">clearance</span><span class="p">})</span> <span class="k">return</span> <span class="n">r</span><span class="p">,</span> <span class="n">clearance</span> </code></pre> </div> <p>The point isn't the exact library — it's that the cookie, the UA, the IP, and the fingerprint all stay consistent, and a challenge response triggers a re-mint instead of another doomed retry.</p> <p>If you offload the challenge to a solving service, the same rule applies: it has to mint the clearance against the IP+UA you'll reuse, or hand back a token you submit immediately in a matched context. CaptchaAI handles the Cloudflare challenge flow this way and is 2Captcha-API-compatible, so an existing client is mostly a base-URL change — and if you want to test it against your own target, <a href="https://captchaai.com/trial?utm_source=devto&amp;utm_medium=article&amp;utm_campaign=cf-clearance-expiry-rechallenge-loop" rel="noopener noreferrer">the trial is free</a> (3 days, no card).</p> <h2> TL;DR checklist </h2> <ul> <li>[ ] One IP + one UA + one TLS fingerprint, pinned for the whole session</li> <li>[ ] Don't rotate the proxy mid-session</li> <li>[ ] Submit with a browser-matching TLS fingerprint (not raw <code>requests</code>) if you solved in a browser</li> <li>[ ] Detect re-challenge via <code>cf-mitigated</code> / challenge body, evict + re-mint — don't replay a dead cookie</li> <li>[ ] Rule out a 1006/1007 IP ban first (different problem, needs a new IP)</li> </ul> <p>Get those right and the loop turns into a single solve followed by clean <code>200</code>s — which is how it's supposed to behave.</p> webscraping python cloudflare automation Cloudflare Turnstile in Playwright: Why Your Tests Stall and How to Solve It in 8 Lines Bassem Shahin Wed, 03 Jun 2026 21:38:36 +0000 https://dev.to/bshahin/cloudflare-turnstile-in-playwright-why-your-tests-stall-and-how-to-solve-it-in-8-lines-c22 https://dev.to/bshahin/cloudflare-turnstile-in-playwright-why-your-tests-stall-and-how-to-solve-it-in-8-lines-c22 <h1> Cloudflare Turnstile in Playwright: Why Your Tests Stall and How to Solve It in 8 Lines </h1> <p>If you're running Playwright or Selenium against any site behind Cloudflare, you've already met Turnstile. It's the new "managed challenge" widget Cloudflare started shipping in 2023, and it now appears in front of login flows, contact forms, signup pages, and increasingly the entire site root.</p> <p>Here's the part most teams miss: <strong>Turnstile doesn't always show a checkbox.</strong> A lot of the time it just sits invisible, runs its scoring loop, and either issues a token silently or stalls forever. Your test doesn't crash. It just times out at the next <code>page.click("button[type=submit]")</code>. The CI log says "element not interactable." Nobody knows why.</p> <p>I work on CaptchaAI. I'm going to show you exactly what's happening, then drop in 8 lines that fix it.</p> <h2> The real scenario </h2> <p>You have a Playwright suite that runs every PR. One day a test starts failing on the signup flow. You re-run it. It fails again. Locally on your laptop it passes. On CI it doesn't.</p> <p>What's actually happening: Cloudflare flagged your CI runner's IP block (GitHub Actions, GitLab runners, Hetzner, OVH, DO — all of them are on Cloudflare's "elevated risk" list). Turnstile decides to switch from invisible mode to "managed challenge" mode. Now there's a widget in the DOM that needs a real token before the form submit will accept.</p> <p>Your test never interacted with the widget because last week it didn't exist.</p> <h2> Why retries don't help </h2> <p>The instinct is to add a <code>retry: 2</code> and move on. Don't. Cloudflare's scoring is per-IP-per-fingerprint, and each retry from the same runner makes the next challenge harder, not easier. After ~3 attempts you'll get full block pages instead of the widget.</p> <p>The right move is to <strong>solve the widget once, inject the token, and submit normally</strong> — exactly what a human user does, just faster.</p> <h2> How Turnstile actually issues a token </h2> <p>The widget renders an iframe pointing at <code>challenges.cloudflare.com</code>. Inside the iframe it runs a fingerprint/behavior scoring loop for 1–4 seconds. When it's satisfied, it calls back into the parent page via a hidden <code>&lt;input name="cf-turnstile-response"&gt;</code> and fills the value attribute with a JWT-shaped token. That token is what the backend validates against Cloudflare's <code>siteverify</code> endpoint.</p> <p>To solve Turnstile programmatically you need three things from the page:</p> <ol> <li>The <strong>sitekey</strong> — visible in the page source as <code>data-sitekey="0x4AAA..."</code> </li> <li>The <strong>page URL</strong> Turnstile was loaded on (Cloudflare validates this)</li> <li>A solver service that returns a valid token for that pair</li> </ol> <p>Then you inject the token into the hidden input and trigger the form submit. That's it.</p> <h2> Code </h2> <p>Here's a Playwright + Python integration. Endpoint and key:</p> <ul> <li>Submit: <code>https://ocr.captchaai.com/in.php</code> </li> <li>Poll: <code>https://ocr.captchaai.com/res.php</code> </li> <li>API key placeholder: <code>YOUR_API_KEY</code> (get one at <a href="https://captchaai.com/trial" rel="noopener noreferrer">https://captchaai.com/trial</a> — 3 days, 5 threads, no card). </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">time</span><span class="p">,</span> <span class="n">requests</span> <span class="kn">from</span> <span class="n">playwright.sync_api</span> <span class="kn">import</span> <span class="n">sync_playwright</span> <span class="n">API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">YOUR_API_KEY</span><span class="sh">"</span> <span class="n">TARGET_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://example.com/signup</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">solve_turnstile</span><span class="p">(</span><span class="n">sitekey</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">page_url</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="c1"># 1. submit the task </span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://ocr.captchaai.com/in.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">turnstile</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sitekey</span><span class="sh">"</span><span class="p">:</span> <span class="n">sitekey</span><span class="p">,</span> <span class="sh">"</span><span class="s">pageurl</span><span class="sh">"</span><span class="p">:</span> <span class="n">page_url</span><span class="p">,</span> <span class="sh">"</span><span class="s">json</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">20</span><span class="p">,</span> <span class="p">).</span><span class="nf">json</span><span class="p">()</span> <span class="k">if</span> <span class="n">r</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">1</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">submit failed: </span><span class="si">{</span><span class="n">r</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">task_id</span> <span class="o">=</span> <span class="n">r</span><span class="p">[</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># 2. poll for the token (typical solve: 8-20s) </span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">30</span><span class="p">):</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span> <span class="n">rr</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://ocr.captchaai.com/res.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">get</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">task_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">json</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">20</span><span class="p">,</span> <span class="p">).</span><span class="nf">json</span><span class="p">()</span> <span class="k">if</span> <span class="n">rr</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span> <span class="k">return</span> <span class="n">rr</span><span class="p">[</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># the cf-turnstile-response token </span> <span class="k">if</span> <span class="n">rr</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">)</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">CAPCHA_NOT_READY</span><span class="sh">"</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">solve failed: </span><span class="si">{</span><span class="n">rr</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">TimeoutError</span><span class="p">(</span><span class="sh">"</span><span class="s">turnstile solve timed out</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="nf">sync_playwright</span><span class="p">()</span> <span class="k">as</span> <span class="n">p</span><span class="p">:</span> <span class="n">browser</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">chromium</span><span class="p">.</span><span class="nf">launch</span><span class="p">()</span> <span class="n">page</span> <span class="o">=</span> <span class="n">browser</span><span class="p">.</span><span class="nf">new_page</span><span class="p">()</span> <span class="n">page</span><span class="p">.</span><span class="nf">goto</span><span class="p">(</span><span class="n">TARGET_URL</span><span class="p">)</span> <span class="n">sitekey</span> <span class="o">=</span> <span class="n">page</span><span class="p">.</span><span class="nf">locator</span><span class="p">(</span><span class="sh">"</span><span class="s">[data-sitekey]</span><span class="sh">"</span><span class="p">).</span><span class="n">first</span><span class="p">.</span><span class="nf">get_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">data-sitekey</span><span class="sh">"</span><span class="p">)</span> <span class="n">token</span> <span class="o">=</span> <span class="nf">solve_turnstile</span><span class="p">(</span><span class="n">sitekey</span><span class="p">,</span> <span class="n">TARGET_URL</span><span class="p">)</span> <span class="c1"># inject the token where Cloudflare expects it </span> <span class="n">page</span><span class="p">.</span><span class="nf">evaluate</span><span class="p">(</span> <span class="sh">"</span><span class="s">(t) =&gt; { document.querySelector(</span><span class="sh">'</span><span class="s">[name=cf-turnstile-response]</span><span class="sh">'</span><span class="s">).value = t }</span><span class="sh">"</span><span class="p">,</span> <span class="n">token</span><span class="p">,</span> <span class="p">)</span> <span class="n">page</span><span class="p">.</span><span class="nf">click</span><span class="p">(</span><span class="sh">"</span><span class="s">button[type=submit]</span><span class="sh">"</span><span class="p">)</span> <span class="n">page</span><span class="p">.</span><span class="nf">wait_for_url</span><span class="p">(</span><span class="sh">"</span><span class="s">**/welcome</span><span class="sh">"</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">15000</span><span class="p">)</span> <span class="n">browser</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <p>Same flow in Node.js with Playwright:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">chromium</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">playwright</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">API_KEY</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">YOUR_API_KEY</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">TARGET_URL</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://example.com/signup</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">solveTurnstile</span><span class="p">(</span><span class="nx">sitekey</span><span class="p">,</span> <span class="nx">pageUrl</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">submit</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://ocr.captchaai.com/in.php</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/x-www-form-urlencoded</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">API_KEY</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">turnstile</span><span class="dl">'</span><span class="p">,</span> <span class="nx">sitekey</span><span class="p">,</span> <span class="na">pageurl</span><span class="p">:</span> <span class="nx">pageUrl</span><span class="p">,</span> <span class="na">json</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="p">}).</span><span class="nf">then</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="nx">submit</span><span class="p">.</span><span class="nx">status</span> <span class="o">!==</span> <span class="mi">1</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">submit failed: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">submit</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="nx">submit</span><span class="p">.</span><span class="nx">request</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="mi">30</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="mi">3000</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">poll</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="s2">`https://ocr.captchaai.com/res.php?key=</span><span class="p">${</span><span class="nx">API_KEY</span><span class="p">}</span><span class="s2">&amp;action=get&amp;id=</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">&amp;json=1`</span><span class="p">,</span> <span class="p">).</span><span class="nf">then</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="nx">poll</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">1</span><span class="p">)</span> <span class="k">return</span> <span class="nx">poll</span><span class="p">.</span><span class="nx">request</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">poll</span><span class="p">.</span><span class="nx">request</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">CAPCHA_NOT_READY</span><span class="dl">'</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">poll</span><span class="p">));</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">turnstile solve timed out</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">browser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">chromium</span><span class="p">.</span><span class="nf">launch</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">page</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">browser</span><span class="p">.</span><span class="nf">newPage</span><span class="p">();</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">goto</span><span class="p">(</span><span class="nx">TARGET_URL</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">sitekey</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">locator</span><span class="p">(</span><span class="dl">'</span><span class="s1">[data-sitekey]</span><span class="dl">'</span><span class="p">).</span><span class="nf">first</span><span class="p">().</span><span class="nf">getAttribute</span><span class="p">(</span><span class="dl">'</span><span class="s1">data-sitekey</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">solveTurnstile</span><span class="p">(</span><span class="nx">sitekey</span><span class="p">,</span> <span class="nx">TARGET_URL</span><span class="p">);</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">evaluate</span><span class="p">(</span> <span class="p">(</span><span class="nx">t</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">[name=cf-turnstile-response]</span><span class="dl">'</span><span class="p">).</span><span class="nx">value</span> <span class="o">=</span> <span class="nx">t</span><span class="p">;</span> <span class="p">},</span> <span class="nx">token</span><span class="p">,</span> <span class="p">);</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">click</span><span class="p">(</span><span class="dl">'</span><span class="s1">button[type=submit]</span><span class="dl">'</span><span class="p">);</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">waitForURL</span><span class="p">(</span><span class="dl">'</span><span class="s1">**/welcome</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">15000</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">browser</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="p">})();</span> </code></pre> </div> <p>Expected output: the form submits, you land on <code>/welcome</code>, your test passes. Typical end-to-end overhead is 8–20 seconds for the solve.</p> <h2> Troubleshooting </h2> <p>A few real gotchas I've watched teams hit:</p> <ul> <li> <strong>Wrong sitekey.</strong> If the page lazy-loads Turnstile (some React/Next sites do this), <code>[data-sitekey]</code> won't be in the DOM at <code>page.goto</code>. Wait for it: <code>page.wait_for_selector('[data-sitekey]', timeout=10000)</code>.</li> <li> <strong>Multiple Turnstile widgets.</strong> Login + reset-password + signup pages can all render the widget. Use a more specific selector (parent form + <code>[data-sitekey]</code>) so you don't solve the wrong one.</li> <li> <strong>Token expired.</strong> Turnstile tokens are valid for ~300 seconds. If your test does a long DB seed step between solving and submitting, re-solve right before the click.</li> <li> <strong>Site uses Turnstile in <code>invisible</code> mode.</strong> Look for <code>data-size="invisible"</code>. The flow is identical — you still inject the token into the hidden input. The only difference is there's no widget UI rendered at all.</li> <li> <strong>Backend uses a non-default secret.</strong> That's a Cloudflare configuration on the site owner's side; the token is still valid, your code is fine. If the backend rejects, the failure is at their <code>siteverify</code> step, not yours.</li> </ul> <h2> How this fits into a real CI pipeline </h2> <p>What I do in my own setup:</p> <ol> <li>Run Playwright suites against a staging environment that's also behind Turnstile (don't whitelist your CI IPs at Cloudflare — that just hides the bug from yourself).</li> <li>Set the solver as a thin module: one <code>solve_turnstile</code> function imported across every test that needs it.</li> <li>Keep concurrency aligned with your thread allocation. If your plan gives you 5 threads and you run 12 parallel Playwright workers, 7 of them will queue. The BASIC plan ($15/mo) gives 5 threads with unlimited solves — fine for one repo. For monorepos with many parallel suites, STANDARD (15 threads, $30/mo, or $27 on /lp/new-year-deals) is the realistic floor.</li> <li>Add a single retry on solver timeout — but not on Cloudflare block. The two failure modes need different handling.</li> </ol> <p>Pricing for context (current as of 2026-06-02): unlimited solves on every plan, you pay only for thread concurrency. Trial is at <a href="https://captchaai.com/trial" rel="noopener noreferrer">https://captchaai.com/trial</a> (3 days, 5 threads, no card). If you want a discount, <a href="https://captchaai.com/lp/new-year-deals" rel="noopener noreferrer">https://captchaai.com/lp/new-year-deals</a> has up to 17% off on STANDARD through ENTERPRISE.</p> <h2> What to do next </h2> <p>If you have a flaky test that times out at form submit on a Cloudflare-fronted page: drop the 8-line solver above into a helper, swap the sitekey lookup, and run it from a clean CI runner.</p> <p>— Bassem</p> <p>(disclosure: CaptchaAI maintainer)</p> webscraping python automation captcha