Invalid turnstile validation on 127.0.0.1 using flask

Hello,

I try to avoid javascript as much as possible, self-taught pythonista, so go easy please.
I’m trying to incorporate turnstile into my flask app (currently in dev) using flask-turnstile extension (see ~70 lines implementation https://github.com/Tech1k/flask-turnstile).

It injects widget when I use {{ turnstile }} in html with config from flask app config (following along extension).

I got it working with test keys (both fail, success and forced challenge). I want to have as little surprises when app is eventually deployed, but trying with real turnstile keys fails. I have: allowlisted “127.0.0.1” in CF turnstile widget settings, so my app running on 127.0.0.1:9000 should work fine(?).

my flask login route:

def login():
    if current_user.is_authenticated:
        flash('You are already logged in', category='is-link')
        return redirect(url_for('main_bp.index'))
    form: LoginForm = LoginForm()

    if form.validate_on_submit():
        if not turnstile.verify():
            warn_msg = 'Timed-out or rejected by anti-spam protection. Please retry or contact system administrator'
            flash(warn_msg, category='is-danger')
            return redirect(url_for('auth_bp.login'))

        username = str(form.username.data)
        password = form.password.data
...```

in html:


{{ turnstile }}


console does not show anything suspicious apart from 401 /pat thing... Would appreciate any hints.

Sorry for messed up formatting, apparently there’s no edit and preview was hidden with suggestions…

html part got cut; in html:

      ...
      {{ turnstile }}
      <input class="button is-info is-fullwidth" type="submit" value="Login">
    </form>

Will make request myself on form submission, will see what response is. Preventing auto-close (3day inactivity bump).

Solved it. Stupid mistake of mixing up keys. Late night coding…