Configure Cloudflare Turnstile for User Verification
This article describes how Turnstile provides a seamless, privacy-first method of confirming that a user is human, eliminating the need for traditional CAPTCHA challenges such as puzzles or image selections.
Overview
Turnstile is a next-generation bot-detection and validation service designed to replace traditional CAPTCHA solutions such as Google reCAPTCHA. Unlike traditional CAPTCHA challenges, Turnstile provides a frictionless, privacy-focused method of verifying that a user is human, without requiring puzzle solving, image selections, or user interaction.
Developed with modern security and usability in mind, Turnstile offers a seamless experience that protects applications while improving conversion and customer satisfaction.
Zenoti Webstore enables Turnstile by default for all customers, with the option to continue using reCAPTCHA if preferred.
Zero-Interaction User Experience : Traditional CAPTCHA solutions often prompt the user to select images, type distorted text, or perform other puzzle-like actions. Turnstile eliminates this friction. Users are never asked to solve puzzles, and validation happens unobtrusively in the background.
Stronger Security : Turnstile uses advanced security signals, including behavioral analysis, machine learning models, and multiple vendor integrations (not limited to one identity provider like Google). This creates a multi-layered, more resilient defense against automated bots.
Privacy-First Approach: One of Turnstile’s biggest advantages is its commitment to privacy:
Does not track users across websites
Does not require interaction with Google or other advertising networks
Fully compliant with modern privacy standards
Fast and Lightweight: Turnstile is optimized for performance:
Minimal JavaScript footprint
Low latency
Faster page loading compared to reCAPTCHA
This helps improve website performance and reduces drop-offs during authentication or checkout flows.
Increased Conversion Rates: Reduced friction, especially during login, account creation, and checkout. This means fewer abandoned sessions and higher guest conversion.
How Turnstile Works
Turnstile provides a small widget embedded on web pages. Unlike reCAPTCHA, the widget mostly works silently. Turnstile evaluates:
Browser environment and behavior
Network attributes
Non-intrusive challenge-response interactions behind the scenes
Based on this analysis, it classifies the request as human or suspicious and returns a validation token to the backend.
How to enable turnstile
Note
Turnstile is currently enabled for all organizations except those using custom domain webstores, as it is not yet compatible in that setup.
If a customer configures a custom domain webstore, they must manually turn off Turnstile using the steps provided in this article. They can then enable Google reCAPTCHA, which remains fully supported until Turnstile is launched for custom domains. This ensures their webstore continues to stay secure. Failing to disable Turnstile before setting up a custom domain webstore will prevent users from being able to log in.
At the organization level, click Configuration.
Navigate to Online booking > Online booking settings > Webstore V2.
Click Integrations.
Switch on the Enable Cloudflare Turnstile toggle.
This ensures guests can complete actions like login or booking without being interrupted by image puzzles.
Switch on the Enable Cloudflare Turnstile for Payments toggle.
It helps prevent fraudulent or automated payment attempts while keeping the payment flow smooth and uninterrupted for genuine guests.
Click Publish.