The latest articles on DEV Community by B.Shahin (@bshahin). https://dev.to/bshahin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3963470%2F95492248-8420-4b01-bf99-4b8e08807eb7.jpg https://dev.to/bshahin en B.Shahin Wed, 03 Jun 2026 21:38:36 +0000 https://dev.to/bshahin/cloudflare-turnstile-in-playwright-why-your-tests-stall-and-how-to-solve-it-in-8-lines-c22 https://dev.to/bshahin/cloudflare-turnstile-in-playwright-why-your-tests-stall-and-how-to-solve-it-in-8-lines-c22 <h1> Cloudflare Turnstile in Playwright: Why Your Tests Stall and How to Solve It in 8 Lines </h1> <p>If you're running Playwright or Selenium against any site behind Cloudflare, you've already met Turnstile. It's the new "managed challenge" widget Cloudflare started shipping in 2023, and it now appears in front of login flows, contact forms, signup pages, and increasingly the entire site root.</p> <p>Here's the part most teams miss: <strong>Turnstile doesn't always show a checkbox.</strong> A lot of the time it just sits invisible, runs its scoring loop, and either issues a token silently or stalls forever. Your test doesn't crash. It just times out at the next <code>page.click("button[type=submit]")</code>. The CI log says "element not interactable." Nobody knows why.</p> <p>I work on CaptchaAI. I'm going to show you exactly what's happening, then drop in 8 lines that fix it.</p> <h2> The real scenario </h2> <p>You have a Playwright suite that runs every PR. One day a test starts failing on the signup flow. You re-run it. It fails again. Locally on your laptop it passes. On CI it doesn't.</p> <p>What's actually happening: Cloudflare flagged your CI runner's IP block (GitHub Actions, GitLab runners, Hetzner, OVH, DO — all of them are on Cloudflare's "elevated risk" list). Turnstile decides to switch from invisible mode to "managed challenge" mode. Now there's a widget in the DOM that needs a real token before the form submit will accept.</p> <p>Your test never interacted with the widget because last week it didn't exist.</p> <h2> Why retries don't help </h2> <p>The instinct is to add a <code>retry: 2</code> and move on. Don't. Cloudflare's scoring is per-IP-per-fingerprint, and each retry from the same runner makes the next challenge harder, not easier. After ~3 attempts you'll get full block pages instead of the widget.</p> <p>The right move is to <strong>solve the widget once, inject the token, and submit normally</strong> — exactly what a human user does, just faster.</p> <h2> How Turnstile actually issues a token </h2> <p>The widget renders an iframe pointing at <code>challenges.cloudflare.com</code>. Inside the iframe it runs a fingerprint/behavior scoring loop for 1–4 seconds. When it's satisfied, it calls back into the parent page via a hidden <code>&lt;input name="cf-turnstile-response"&gt;</code> and fills the value attribute with a JWT-shaped token. That token is what the backend validates against Cloudflare's <code>siteverify</code> endpoint.</p> <p>To solve Turnstile programmatically you need three things from the page:</p> <ol> <li>The <strong>sitekey</strong> — visible in the page source as <code>data-sitekey="0x4AAA..."</code> </li> <li>The <strong>page URL</strong> Turnstile was loaded on (Cloudflare validates this)</li> <li>A solver service that returns a valid token for that pair</li> </ol> <p>Then you inject the token into the hidden input and trigger the form submit. That's it.</p> <h2> Code </h2> <p>Here's a Playwright + Python integration. Endpoint and key:</p> <ul> <li>Submit: <code>https://ocr.captchaai.com/in.php</code> </li> <li>Poll: <code>https://ocr.captchaai.com/res.php</code> </li> <li>API key placeholder: <code>YOUR_API_KEY</code> (get one at <a href="https://captchaai.com/trial" rel="noopener noreferrer">https://captchaai.com/trial</a> — 3 days, 5 threads, no card). </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">time</span><span class="p">,</span> <span class="n">requests</span> <span class="kn">from</span> <span class="n">playwright.sync_api</span> <span class="kn">import</span> <span class="n">sync_playwright</span> <span class="n">API_KEY</span> <span class="o">=</span> <span class="sh">"</span><span class="s">YOUR_API_KEY</span><span class="sh">"</span> <span class="n">TARGET_URL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://example.com/signup</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">solve_turnstile</span><span class="p">(</span><span class="n">sitekey</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">page_url</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="c1"># 1. submit the task </span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://ocr.captchaai.com/in.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">turnstile</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sitekey</span><span class="sh">"</span><span class="p">:</span> <span class="n">sitekey</span><span class="p">,</span> <span class="sh">"</span><span class="s">pageurl</span><span class="sh">"</span><span class="p">:</span> <span class="n">page_url</span><span class="p">,</span> <span class="sh">"</span><span class="s">json</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">20</span><span class="p">,</span> <span class="p">).</span><span class="nf">json</span><span class="p">()</span> <span class="k">if</span> <span class="n">r</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">1</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">submit failed: </span><span class="si">{</span><span class="n">r</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">task_id</span> <span class="o">=</span> <span class="n">r</span><span class="p">[</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># 2. poll for the token (typical solve: 8-20s) </span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">30</span><span class="p">):</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">3</span><span class="p">)</span> <span class="n">rr</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://ocr.captchaai.com/res.php</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">:</span> <span class="n">API_KEY</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">get</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">task_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">json</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">20</span><span class="p">,</span> <span class="p">).</span><span class="nf">json</span><span class="p">()</span> <span class="k">if</span> <span class="n">rr</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span> <span class="k">return</span> <span class="n">rr</span><span class="p">[</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># the cf-turnstile-response token </span> <span class="k">if</span> <span class="n">rr</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">request</span><span class="sh">"</span><span class="p">)</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">CAPCHA_NOT_READY</span><span class="sh">"</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">solve failed: </span><span class="si">{</span><span class="n">rr</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">TimeoutError</span><span class="p">(</span><span class="sh">"</span><span class="s">turnstile solve timed out</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="nf">sync_playwright</span><span class="p">()</span> <span class="k">as</span> <span class="n">p</span><span class="p">:</span> <span class="n">browser</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">chromium</span><span class="p">.</span><span class="nf">launch</span><span class="p">()</span> <span class="n">page</span> <span class="o">=</span> <span class="n">browser</span><span class="p">.</span><span class="nf">new_page</span><span class="p">()</span> <span class="n">page</span><span class="p">.</span><span class="nf">goto</span><span class="p">(</span><span class="n">TARGET_URL</span><span class="p">)</span> <span class="n">sitekey</span> <span class="o">=</span> <span class="n">page</span><span class="p">.</span><span class="nf">locator</span><span class="p">(</span><span class="sh">"</span><span class="s">[data-sitekey]</span><span class="sh">"</span><span class="p">).</span><span class="n">first</span><span class="p">.</span><span class="nf">get_attribute</span><span class="p">(</span><span class="sh">"</span><span class="s">data-sitekey</span><span class="sh">"</span><span class="p">)</span> <span class="n">token</span> <span class="o">=</span> <span class="nf">solve_turnstile</span><span class="p">(</span><span class="n">sitekey</span><span class="p">,</span> <span class="n">TARGET_URL</span><span class="p">)</span> <span class="c1"># inject the token where Cloudflare expects it </span> <span class="n">page</span><span class="p">.</span><span class="nf">evaluate</span><span class="p">(</span> <span class="sh">"</span><span class="s">(t) =&gt; { document.querySelector(</span><span class="sh">'</span><span class="s">[name=cf-turnstile-response]</span><span class="sh">'</span><span class="s">).value = t }</span><span class="sh">"</span><span class="p">,</span> <span class="n">token</span><span class="p">,</span> <span class="p">)</span> <span class="n">page</span><span class="p">.</span><span class="nf">click</span><span class="p">(</span><span class="sh">"</span><span class="s">button[type=submit]</span><span class="sh">"</span><span class="p">)</span> <span class="n">page</span><span class="p">.</span><span class="nf">wait_for_url</span><span class="p">(</span><span class="sh">"</span><span class="s">**/welcome</span><span class="sh">"</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">15000</span><span class="p">)</span> <span class="n">browser</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <p>Same flow in Node.js with Playwright:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">chromium</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">playwright</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">API_KEY</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">YOUR_API_KEY</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">TARGET_URL</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://example.com/signup</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">solveTurnstile</span><span class="p">(</span><span class="nx">sitekey</span><span class="p">,</span> <span class="nx">pageUrl</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">submit</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://ocr.captchaai.com/in.php</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/x-www-form-urlencoded</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">API_KEY</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">turnstile</span><span class="dl">'</span><span class="p">,</span> <span class="nx">sitekey</span><span class="p">,</span> <span class="na">pageurl</span><span class="p">:</span> <span class="nx">pageUrl</span><span class="p">,</span> <span class="na">json</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="p">}).</span><span class="nf">then</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="nx">submit</span><span class="p">.</span><span class="nx">status</span> <span class="o">!==</span> <span class="mi">1</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">submit failed: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">submit</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">id</span> <span class="o">=</span> <span class="nx">submit</span><span class="p">.</span><span class="nx">request</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="mi">30</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="mi">3000</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">poll</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="s2">`https://ocr.captchaai.com/res.php?key=</span><span class="p">${</span><span class="nx">API_KEY</span><span class="p">}</span><span class="s2">&amp;action=get&amp;id=</span><span class="p">${</span><span class="nx">id</span><span class="p">}</span><span class="s2">&amp;json=1`</span><span class="p">,</span> <span class="p">).</span><span class="nf">then</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="nx">poll</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="mi">1</span><span class="p">)</span> <span class="k">return</span> <span class="nx">poll</span><span class="p">.</span><span class="nx">request</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">poll</span><span class="p">.</span><span class="nx">request</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">CAPCHA_NOT_READY</span><span class="dl">'</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">poll</span><span class="p">));</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">turnstile solve timed out</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">(</span><span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">browser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">chromium</span><span class="p">.</span><span class="nf">launch</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">page</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">browser</span><span class="p">.</span><span class="nf">newPage</span><span class="p">();</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">goto</span><span class="p">(</span><span class="nx">TARGET_URL</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">sitekey</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">locator</span><span class="p">(</span><span class="dl">'</span><span class="s1">[data-sitekey]</span><span class="dl">'</span><span class="p">).</span><span class="nf">first</span><span class="p">().</span><span class="nf">getAttribute</span><span class="p">(</span><span class="dl">'</span><span class="s1">data-sitekey</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">solveTurnstile</span><span class="p">(</span><span class="nx">sitekey</span><span class="p">,</span> <span class="nx">TARGET_URL</span><span class="p">);</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">evaluate</span><span class="p">(</span> <span class="p">(</span><span class="nx">t</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">[name=cf-turnstile-response]</span><span class="dl">'</span><span class="p">).</span><span class="nx">value</span> <span class="o">=</span> <span class="nx">t</span><span class="p">;</span> <span class="p">},</span> <span class="nx">token</span><span class="p">,</span> <span class="p">);</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">click</span><span class="p">(</span><span class="dl">'</span><span class="s1">button[type=submit]</span><span class="dl">'</span><span class="p">);</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">waitForURL</span><span class="p">(</span><span class="dl">'</span><span class="s1">**/welcome</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">15000</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">browser</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="p">})();</span> </code></pre> </div> <p>Expected output: the form submits, you land on <code>/welcome</code>, your test passes. Typical end-to-end overhead is 8–20 seconds for the solve.</p> <h2> Troubleshooting </h2> <p>A few real gotchas I've watched teams hit:</p> <ul> <li> <strong>Wrong sitekey.</strong> If the page lazy-loads Turnstile (some React/Next sites do this), <code>[data-sitekey]</code> won't be in the DOM at <code>page.goto</code>. Wait for it: <code>page.wait_for_selector('[data-sitekey]', timeout=10000)</code>.</li> <li> <strong>Multiple Turnstile widgets.</strong> Login + reset-password + signup pages can all render the widget. Use a more specific selector (parent form + <code>[data-sitekey]</code>) so you don't solve the wrong one.</li> <li> <strong>Token expired.</strong> Turnstile tokens are valid for ~300 seconds. If your test does a long DB seed step between solving and submitting, re-solve right before the click.</li> <li> <strong>Site uses Turnstile in <code>invisible</code> mode.</strong> Look for <code>data-size="invisible"</code>. The flow is identical — you still inject the token into the hidden input. The only difference is there's no widget UI rendered at all.</li> <li> <strong>Backend uses a non-default secret.</strong> That's a Cloudflare configuration on the site owner's side; the token is still valid, your code is fine. If the backend rejects, the failure is at their <code>siteverify</code> step, not yours.</li> </ul> <h2> How this fits into a real CI pipeline </h2> <p>What I do in my own setup:</p> <ol> <li>Run Playwright suites against a staging environment that's also behind Turnstile (don't whitelist your CI IPs at Cloudflare — that just hides the bug from yourself).</li> <li>Set the solver as a thin module: one <code>solve_turnstile</code> function imported across every test that needs it.</li> <li>Keep concurrency aligned with your thread allocation. If your plan gives you 5 threads and you run 12 parallel Playwright workers, 7 of them will queue. The BASIC plan ($15/mo) gives 5 threads with unlimited solves — fine for one repo. For monorepos with many parallel suites, STANDARD (15 threads, $30/mo, or $27 on /lp/new-year-deals) is the realistic floor.</li> <li>Add a single retry on solver timeout — but not on Cloudflare block. The two failure modes need different handling.</li> </ol> <p>Pricing for context (current as of 2026-06-02): unlimited solves on every plan, you pay only for thread concurrency. Trial is at <a href="https://captchaai.com/trial" rel="noopener noreferrer">https://captchaai.com/trial</a> (3 days, 5 threads, no card). If you want a discount, /lp/new-year-deals has up to 17% off on STANDARD through ENTERPRISE.</p> <h2> What to do next </h2> <p>If you have a flaky test that times out at form submit on a Cloudflare-fronted page: drop the 8-line solver above into a helper, swap the sitekey lookup, and run it from a clean CI runner.</p> <p>— Bassem</p> <p>(disclosure: CaptchaAI maintainer)</p> webscraping python automation captcha