
Overview

Turnkey supports Cloudflare Turnstile captcha protection to help prevent automated abuse of authentication endpoints. When enabled, captcha tokens are required for Signup and InitOtp requests made through the Auth Proxy. Captcha is enabled per-organization in the Turnkey Dashboard under the Wallet Kit settings page.
Once captcha is enabled in the dashboard, all Signup and InitOtp requests will require valid captcha tokens. Make sure your application is updated to a supported SDK version and has captcha integrated before enabling this setting.

Supported SDKs

How It Works

  1. Enable captcha in the Turnkey Dashboard under Wallet Kit settings.
  2. The SDK automatically receives a turnstileSiteKey from the Auth Proxy via the getWalletKitClientParams request.
  3. Your application renders a Cloudflare Turnstile widget that generates captcha tokens.
  4. Captcha tokens are attached to Signup and InitOtp requests as an X-Captcha-Token header.
For detailed integration guides, see the SDK-specific pages linked above.

1. Update your SDK

Upgrade to a captcha-supported version of the SDK (see table above).

2. Integrate captcha in your app

Follow the setup guide for your SDK. The captcha widget idles silently in the background until captcha is enabled, so there is no impact on your users.

3. Enable captcha in the dashboard

Once your app is deployed with captcha support, toggle the Captcha option in the Turnkey Dashboard. From this point on, all Signup and InitOtp requests will require valid tokens.
You can verify that your app is ready by checking for the presence of turnstileSiteKey in the SDK config. If the key is present, captcha is enabled and your app should be providing a token with each Signup and InitOtp request.
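
The header rule from How It Works and the readiness check above, as an added example that is not Turnkey SDK code: a client-side pre-flight that attaches X-Captcha-Token only where it is required and refuses to send a protected request without a fresh token. `captchaEnabled`, `CaptchaTokenStore` and `authProxyHeaders` are hypothetical names; the 300-second, single-use token behaviour comes from Cloudflare's Turnstile documentation, not from this page.

```javascript
// Added example. Only turnstileSiteKey, Signup, InitOtp and X-Captcha-Token
// come from the page; every other name here is hypothetical.
const CAPTCHA_PROTECTED = new Set(["Signup", "InitOtp"]);
const TOKEN_MAX_AGE_MS = 300 * 1000; // Turnstile token lifetime per Cloudflare docs

// Readiness check: captcha is enabled when the config carries a site key.
function captchaEnabled(clientParams) {
  const key = clientParams?.turnstileSiteKey;
  return typeof key === "string" && key.length > 0;
}

// Holds the latest widget token. take() hands a token out once, because a
// Turnstile token is rejected on reuse and after it expires.
class CaptchaTokenStore {
  constructor(now = Date.now) {
    this.now = now; // injectable clock so expiry can be tested
    this.entry = null;
  }
  set(token) {
    this.entry = { token, issuedAt: this.now() };
  }
  take() {
    const entry = this.entry;
    this.entry = null;
    if (!entry || this.now() - entry.issuedAt >= TOKEN_MAX_AGE_MS) return null;
    return entry.token;
  }
}

// Builds headers for an Auth Proxy request. Fails before any network call
// when a protected request has no usable token, instead of waiting for a
// server-side rejection.
function authProxyHeaders(requestName, clientParams, store) {
  const headers = { "Content-Type": "application/json" };
  if (!captchaEnabled(clientParams) || !CAPTCHA_PROTECTED.has(requestName)) {
    return headers; // token not required, and none is consumed
  }
  const token = store.take();
  if (!token) throw new Error(`${requestName} requires a fresh captcha token`);
  headers["X-Captcha-Token"] = token;
  return headers;
}

// Constructed sample values, for illustration only.
const demoStore = new CaptchaTokenStore();
demoStore.set("constructed-token");
console.log(authProxyHeaders("InitOtp", { turnstileSiteKey: "constructed-key" }, demoStore));
```

In a browser, the Turnstile widget's `callback` would call `store.set(token)` each time the widget issues a new token.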