Skip to content

Pre-clearance support

You can integrate Cloudflare challenges on single-page applications (SPAs) by allowing Turnstile to issue a clearance cookie. The clearance level is set upon widget creation or widget modification using the Turnstile API's clearance_level. Possible values for the configuration are no_clearance, jschallenge, managed, or interactive. All widgets are set to no_clearance by default.

For Enterprise customers eligible to toggle off domain checks, Cloudflare recommends issuing clearance cookies on widgets where at least one domain is specified.

Refer to the blog post for an example of pre-clearance implementation.

Pre-clearance level options

  • Interactive: Interactive Pre-clearance allows a user with a clearance cookie to not be challenged by Interactive, Managed Challenge, or JavaScript Challenge Firewall Rules
  • Managed: Managed allows a user with a clearance cookie to not be challenged by Managed Challenge or JavaScript Challenge Firewall Rules
  • Non-interactive: Non-interactive allows a user with a clearance cookie to not be challenged by JavaScript Challenge Firewall Rules

Duration

Clearance cookies generated by the Turnstile widget will be valid for the time specified by the zone-level Challenge Passage value. To configure the Challenge Passage setting, refer to the WAF documentation.

Enable pre-clearance on a new site

  1. Log in to the Cloudflare dashboard and select your account.
  2. Go to Turnstile > Add widget.
  3. Under Would you like to opt for pre-clearance for this site? select Yes.
  4. Choose the pre-clearance level from the select box.
  5. Select Create.

Enable pre-clearance on an existing site

  1. Log in to the Cloudflare dashboard and select your account.
  2. Go to Turnstile.
  3. Go to the existing widget or site and select Settings.
  4. Under Would you like to opt for pre-clearance for this site? select Yes.
  5. Choose the pre-clearance level from the select box.
  6. Select Update.

Verified bots

If a verified bot encounters a page where a Turnstile widget is implemented, the challenge will fail and the verified bot will see a 403 error from the Turnstile endpoint.

However, if a verified bot is excluded from the rule which pre-clearance will grant clearance for, it will pass. Users can create a WAF custom rule to exclude verified bots.