Migrate from reCAPTCHA to Cloudflare Turnstile in 2026
Drop in Turnstile, keep your server code, ship the privacy win in one afternoon. Step by step with the gotchas.
- STEP 1
Create a Turnstile site key in the Cloudflare dashboard
Sign in to dash.cloudflare.com, open the Turnstile product (no account upgrade needed, no domain attachment required), and create a new site. Set the widget mode to Managed for the best balance of UX and security, or Non-interactive if you want zero user friction. Add every domain that will host the widget, including localhost and any preview domains. Copy the site key and the secret key: the site key is public, while the secret key goes only in your server config.
- STEP 2
Replace the reCAPTCHA script tag and form widget
Remove the recaptcha/api.js script and replace it with https://challenges.cloudflare.com/turnstile/v0/api.js (async, defer). Where you had a g-recaptcha div, use cf-turnstile with data-sitekey set to your site key. The widget renders the same way and adds a hidden input named cf-turnstile-response to the form, which is the equivalent of g-recaptcha-response. Most forms work without further client-side changes.
- STEP 3
Update the server-side verification call
Change your server endpoint URL from https://www.google.com/recaptcha/api/siteverify to https://challenges.cloudflare.com/turnstile/v0/siteverify. The request body fields are the same names (secret, response, optionally remoteip) and the response is the same JSON shape (success boolean, error-codes array). For most server-side code, this is a one-line diff. If you used reCAPTCHA Enterprise's risk score, note that Turnstile returns success or failure, not a 0.0-1.0 score; the equivalent of a low score is a hard challenge, which Turnstile handles internally.
- STEP 4
Update the privacy policy and remove the reCAPTCHA badge
Remove the reCAPTCHA-related disclosure from your privacy policy (data shared with Google, Google Terms of Service mention) and add a sentence about Turnstile if your jurisdiction requires disclosing third-party processors. Cloudflare's data minimization story is much simpler. Remove the reCAPTCHA branding badge (the floating bottom-right widget) and any 'protected by reCAPTCHA' text. Verify your contact form actually submits after the swap, and keep the reCAPTCHA secret key around for a week in case you need to roll back.
- STEP 5
Test in production, then turn off the reCAPTCHA project
After 48 hours of clean form submissions and no abuse complaints, you can delete the reCAPTCHA site in the Google admin console. Cloudflare logs every challenge in the Turnstile analytics tab; verify your traffic looks normal and the challenge success rate is above 95%. If you see legitimate users failing, switch the widget mode from Managed to Non-interactive temporarily to gather more data.
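The server-side check from step 3, written out as an added example (not code from the original page). The function names, the `allowed_hostnames` parameter and the injectable `post` hook are assumptions made for illustration; the `hostname` field it checks is part of the Turnstile siteverify response, although the steps above do not mention it.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"


def http_post_form(url, fields, timeout=5):
    """Default transport: POST form-encoded fields, return the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.load(resp)


def verify_turnstile(form, secret, allowed_hostnames, remoteip=None,
                     post=http_post_form):
    """Return (ok, reason). Any doubt (missing token, transport error,
    unexpected hostname) is a rejection, so the check fails closed."""
    token = form.get("cf-turnstile-response", "")
    if not token:
        return False, "missing-token"          # never call siteverify with nothing
    fields = {"secret": secret, "response": token}
    if remoteip:
        fields["remoteip"] = remoteip          # optional, as in step 3
    try:
        result = post(SITEVERIFY_URL, fields)
    except (OSError, ValueError):              # network failure or non-JSON body
        return False, "siteverify-unreachable"
    if not isinstance(result, dict) or result.get("success") is not True:
        codes = result.get("error-codes") if isinstance(result, dict) else None
        return False, ",".join(map(str, codes or ["unknown-error"]))
    # The reply names the hostname the widget was solved on; checking it
    # confirms the token was issued for one of your own domains.
    if result.get("hostname") not in allowed_hostnames:
        return False, "unexpected-hostname"
    return True, "ok"


if __name__ == "__main__":
    # Constructed siteverify reply and placeholder secret, so this runs offline.
    fake = lambda url, fields: {"success": True, "hostname": "example.com"}
    print(verify_turnstile({"cf-turnstile-response": "tok"}, "PLACEHOLDER_SECRET",
                           {"example.com"}, post=fake))
```

Log the returned reason on rejections during the 48-hour soak in step 5; it separates a misconfigured domain or secret from genuine challenge failures.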