In your test environment configuration, set the Turnstile sitekey to the always-pass test value: 1x00000000000000000000AA
Set the corresponding secret key in your backend token validation to the always-pass test secret: 1x0000000000000000000AA
Render the Turnstile widget with the test sitekey in your staging or test deployment — it will auto-complete without presenting a challenge to Playwright or Selenium
In your backend, call the siteverify endpoint with the dummy secret; it will return success: true for any token produced by the test sitekey
Add an environment variable guard (e.g. TURNSTILE_SITEKEY) so production deployments always use real keys from your Cloudflare dashboard
Optionally use sitekey 2x00000000000000000000AB (always-fail) in tests that verify your app's error handling when verification fails
Known gotchas
Dummy sitekeys are publicly documented and must never reach production; use a deployment-time secrets check or a pre-deployment CI gate to catch accidental promotion of test keys
The test sitekey still renders the widget iframe in the DOM; if your test asserts that no iframe is present, use a separate feature flag to hide the widget entirely in unit test environments
Cloudflare may change the canonical test sitekey values; always source them from the official Turnstile testing documentation rather than hardcoding values found in third-party blog posts
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp