Token validation
After a visitor successfully completes a Turnstile challenge, a token is generated and validated via the siteverify API. Token validation data provides crucial insights into your security posture.
For example, the token validation values in your analytics may look like this:
- Siteverify requests: The total number of requests made to the siteverify API in the given timeframe.
- Valid tokens: The number of siteverify requests with
success:trueresponses. - Invalid tokens: The number of siteverify requests with
success:falseresponses.
It is important to call the siteverify API. Without calling siteverify API to validate the tokens, your website or application is not protected. Skipping token validation means you cannot confirm the visitor's legitimacy.
- Tokens can only be redeemed once. Even valid tokens will return
success:falseif they are reused, preventing token theft and replay attacks. - Tokens expire after five minutes. Validation must occur within this window to be effective.
- Tokens can be invalid. Bots might complete challenges, but Cloudflare can detect bot-like signals and mark the token as invalid.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark