Turnstile returns 401 for challenges.cloudflare.com

So, I’ve decided to take Turnstile for a spin. As my goal is to have completely invisible challenges, I’ve setup the HTML embed code like this:

<script src="https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit&onload=turnstileCb" async defer>

In my JS file I have the following code to initiate Turnstile:

window.turnstileCb = function () {
    console.log("Turnstile CB called");

    var turnstileOptions = {
        sitekey: "0x4AAAAAAAAmexU2tbOk3hg6",
        callback: function (token) {
            console.log(`Challenge Success ${token}`);

    turnstile.render(".cf-turnstile", turnstileOptions);

In HTML file I have an empty div with .cf-turnstile class like so:

<div class="cf-turnstile"></div>

Also, I am testing the integration using one of the websites hosted on Google Firebase so I’ve added web.app in the domains for Turnstile config. According to the docs, this should cover all the subdomains of web.app such as mywebsite.web.app.

After deployment to Firebase I launch the website in Safari and here is what I see in the console:

The first two errors are Safari-specific. It turns out that Safari does not support custom Feature-Policy and Permissions-Policy headers. A quick and hacky remedy to the problem is to explicitly set allowfullscreen from the JS file like so:

form.querySelector("iframe").setAttribute("allowfullscreen", true);

That is suboptimal because personally I’d prefer not to tamper with mechanisms put in place to protect our forms.

The biggest problem that I can not resolve no matter what I do is the 401 response from challenges.cloudflare.com. Even though we get a valid result logged in the console (challenge success: 0.TO6cNWgkpuesKUYtCcs1Qt...) the 401 error is bugging me and we can’t have that in production.

I’ve also tested the same integration in Chrome and FF on MacOS (12.4) with the exact same results. Those browsers are not whining about Fullscreen feature policies but give 401 for challenges.cloudflare.com

Is this a beta-specific behaviour that’s supposed to go away when Turnstile is in GA or are we missing something with our integration?

I believe the HTTP 401 and the feature policy probes are simply part of the regular operation of Turnstile. This behavior can also be seen on pages that are protected by managed challenge (see: Cloudflare challenges · Cloudflare Fundamentals docs and the similarity of paths used for managed challenges and Turnstile.)

The Private Access Token challenge returns a 401 response, and I can confirm this is the expected behavior (across all browsers).

We don’t use fullscreen, so I’m not sure where this error is coming from. Any chance something specific to your website is causing this?

1 Like

GET 401: My response is “J”. And you?

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.