Testing

Dummy sitekeys and secret keys

The following sitekeys and secret keys are available for testing. It is recommended that you use these keys in your development environment to ensure the challenges running in Turnstile do not conflict with your developer tools.

To test locally with real keys, you need to add your testing hostnames (like localhost) to your domain allowlist.

Dummy sitekeys can be used from any domain, including on localhost.

Cloudflare recommends that sitekeys used in production do not allow local domains (localhost, 127.0.0.1), but users can choose to add local domains to the list of allowed domains.

| Sitekey | Description | Visibility |
| --- | --- | --- |
| 1x00000000000000000000AA | Always passes | visible |
| 2x00000000000000000000AB | Always blocks | visible |
| 1x00000000000000000000BB | Always passes | invisible |
| 2x00000000000000000000BB | Always blocks | invisible |
| 3x00000000000000000000FF | Forces an interactive challenge | visible |

These dummy sitekeys will produce the XXXX.DUMMY.TOKEN.XXXX dummy response token.

Production secret keys will reject this token. You must also use a dummy secret key for testing purposes.

| Secret key | Description |
| --- | --- |
| 1x0000000000000000000000000000000AA | Always passes |
| 2x0000000000000000000000000000000AA | Always fails |
| 3x0000000000000000000000000000000AA | Yields a "token already spent" error |

Dummy secret keys will only accept the XXXX.DUMMY.TOKEN.XXXX dummy response token.

If you pass a real response token to a dummy secret key, validation will fail. This is intended to prevent common misconfigurations.
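The pairing rules above can be enforced at application startup so that a dummy key never reaches production and mismatched test keys are caught early. The following is an added example, not Cloudflare's code: the function names and the "production" environment label are assumptions, and the key values are the dummy keys listed on this page.

```python
# Added example: startup check for Turnstile key configuration.
# Function names and the "production" label are assumptions for illustration.

DUMMY_SITEKEYS = {
    "1x00000000000000000000AA": "always passes (visible)",
    "2x00000000000000000000AB": "always blocks (visible)",
    "1x00000000000000000000BB": "always passes (invisible)",
    "2x00000000000000000000BB": "always blocks (invisible)",
    "3x00000000000000000000FF": "forces an interactive challenge (visible)",
}
DUMMY_SECRETS = {
    "1x0000000000000000000000000000000AA": "always passes",
    "2x0000000000000000000000000000000AA": "always fails",
    "3x0000000000000000000000000000000AA": "token already spent error",
}
DUMMY_TOKEN = "XXXX.DUMMY.TOKEN.XXXX"


def check_turnstile_config(environment, sitekey, secret):
    """Return a list of problems; an empty list means the pairing is usable."""
    problems = []
    dummy_site = sitekey in DUMMY_SITEKEYS
    dummy_secret = secret in DUMMY_SECRETS
    if environment == "production":
        if dummy_site:
            problems.append("dummy sitekey in production: " + DUMMY_SITEKEYS[sitekey])
        if dummy_secret:
            problems.append("dummy secret key in production: " + DUMMY_SECRETS[secret])
    if dummy_site and not dummy_secret:
        problems.append("dummy sitekey with a real secret key: the dummy token will be rejected")
    if dummy_secret and not dummy_site:
        problems.append("real sitekey with a dummy secret key: real tokens will fail validation")
    return problems


def is_dummy_token(token):
    """True for the fixed response token that dummy sitekeys produce."""
    return token == DUMMY_TOKEN


if __name__ == "__main__":
    # Constructed input: a production deployment that still carries test keys.
    for problem in check_turnstile_config(
        "production", "1x00000000000000000000AA", "1x0000000000000000000000000000000AA"
    ):
        print("config error:", problem)
```

Treat a non-empty result as a fatal startup error in production, and log any request where `is_dummy_token` is true outside a test environment.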