Integrate Cloudflare Turnstile widget and validate tokens with the siteverify API

Verified steps

1. Register a Turnstile widget in the Cloudflare dashboard under Turnstile; choose a widget type (Managed, Non-Interactive, or Invisible) and note your Site Key and Secret Key.
2. Embed the Turnstile widget on the client side by loading https://challenges.cloudflare.com/turnstile/v0/api.js and adding a div with class cf-turnstile and data-sitekey=YOUR_SITE_KEY; the widget renders automatically and populates a hidden input named cf-turnstile-response with a token.
3. When your form is submitted, send the cf-turnstile-response token to your backend; never validate tokens in client-side code.
4. On your backend, make a POST request to https://challenges.cloudflare.com/turnstile/v0/siteverify with a URL-encoded or JSON body containing secret=YOUR_SECRET_KEY and response=TOKEN_FROM_CLIENT; optionally include remoteip for additional signal.
5. Parse the JSON response: if success is true, allow the action; if false, inspect the error-codes array and reject the request. Tokens expire after 300 seconds and can only be validated once—do not cache or reuse tokens.
6. For Cloudflare Workers deployments, use the Turnstile Workers integration which can call siteverify internally using the secret from an environment variable, avoiding exposure of the secret in client-reachable code.