Hi. I know this has been talked about a number of times, but I’m still unclear why a legitimate user would generate a 401 error when “Request for the Private Access Token challenge.” runs? This results in “cf-turnstile-response” being empty. If “cf-turnstile-response” is empty, how do we validate the user server side? Documentation says that “cf-turnstile-response” is “required”. So if it’s required, what do we do when “Request for the Private Access Token challenge.” doesn’t populate “cf-turnstile-response”?


I don’t know the specifics of the HTTP 401 error but if you don’t get a response token back, I would interpret that in one of two ways:

  1. The browser challenges failed. Even though you think the visitor is legitimate, Turnstile wasn’t able to determine that through the challenges. Things like ad blockers or some other browser plugin(s) can interfere with the challenges, causing a failure.

  2. There was a communication issue and the Turnstile script couldn’t communicate with Cloudflare’s server(s), which prevents the challenges from running successfully. Or maybe the challenges worked but the response token couldn’t be fetched, due to some communication issue.

Just guessing here. :)

Thank you for replying.

Just testing it on my browser, it would generate a response token about 6 out of 10 times. Then a 401 error showed up in “developer tools>console”. I thought maybe it was just me, but then I got an email from a customer visiting our site having issues submitting her form as well. So, it wasn’t me or my connection.

I tried switching it from the “invisible” option to the “non-interactive”, and I would see the same behavior. About 6 out of 10 times would work. When it worked, I would see the “SUCCESS” message. When it wasn’t working, the widget/loading bar would just spin and hang. Never did anything.

So, it should ALWAYS generate a response token for a legitimate site visitor?


Yes, I think so. The fact it works 6 out of 10 times for you tells me it’s working. When I was testing our implementation of Turnstile, I would repeatedly submit the form to “force” a failure to make sure my failure logic was working. If Turnstile somehow determines the visitor isn’t a human, it will require additional verification, depending on which mode it’s configured to operate in. So, if customers are experiencing problems, you’ll have to troubleshoot this with them by having them disable extensions, namely ad and tracker blockers. Personally, I keep my ad blocker running all the time and haven’t had any issues with Turnstile BUT I’m not using one of the more popular ad blockers, like Ad Block Plus or uBlock Origin, etc.

In order to test whether Turnstile is working the way it should, you’ll have to mimic more “normal” browsing traffic. Submit your form only once, not 20 times. Try using different browsers on different computers with different connections to the internet. If you’re at home or at the office, try a browser on your computer AND on your smart phone, using your data plan. That sort of stuff.

If you find Turnstile works reliably using “normal” browser behavior, it’s safe to assume it IS working. In the cases of it not working, you’ll need to find out what would be interfering with the browser challenges.

I do test these changes on different internet connections, browsers, phones, PCs, etc. I think I would have been fine with the results had I not gotten the emails from the customer. I have turned it back on and will monitor it. Thanks again.

The thing about a given customer is you’ll have no idea which browser and browser configuration they will be using. So, if their browser or browser configuration interferes with the Turnstile challenges, they will have issues. Maybe someone from the Cloudflare Turnstile team will respond and provide better advice/guidance.

Good luck!

On the HTTP 401 status code for that request, it’s expected and not an issue, see: FAQ · Cloudflare Turnstile docs
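
The server-side failure logic discussed in this thread, as an added example that is not part of any post above and not Cloudflare's own code: a form handler that denies when “cf-turnstile-response” is empty and otherwise checks the token against Turnstile's siteverify endpoint. The function names, the action labels and the stubbed reply are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
# siteverify error codes where re-running the widget can fix the problem.
RERUN_WIDGET = {"missing-input-response", "invalid-input-response",
                "timeout-or-duplicate"}


def post_siteverify(fields):
    """Real call to siteverify; pass a stub as `post` to run offline."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=5) as resp:
        return json.load(resp)


def check_turnstile(form, secret, remote_ip=None, post=post_siteverify):
    """Return (allowed, action) for a submitted form; every failure denies."""
    token = (form.get("cf-turnstile-response") or "").strip()
    if not token:
        # The widget never produced a token (hung or blocked challenge).
        # Nothing to verify, so deny without calling siteverify.
        return False, "rerun_widget"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        result = post(fields)
    except (OSError, ValueError):
        # Network failure or unparseable reply: deny, let the user retry.
        return False, "retry_later"
    if result.get("success") is True:
        return True, "accept"
    codes = set(result.get("error-codes") or [])
    if codes & RERUN_WIDGET:
        return False, "rerun_widget"
    if "internal-error" in codes:
        return False, "retry_later"
    return False, "reject"  # e.g. bad secret: log and fix server config


def fake_post(fields):
    """Constructed stand-in for Cloudflare's reply (sample data)."""
    if fields["response"] == "good-token":
        return {"success": True, "error-codes": []}
    return {"success": False, "error-codes": ["timeout-or-duplicate"]}
```

On "rerun_widget" the page can show the form again with a fresh widget, so a visitor whose challenge hung gets another attempt while the submission itself is never accepted without a verified token.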

