Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.esperr.com/llms.txt

Use this file to discover all available pages before exploring further.

When to choose Turnstile

  • You want a familiar browser challenge with a hosted verification service.
  • You prefer Cloudflare’s risk and anti-abuse controls over local proof-of-work.
  • You are comfortable depending on an external provider for challenge solves.
Best fitTurnstile is usually the better starting point for public-facing login, checkout, or account-recovery experiences where low client-side CPU usage matters more than eliminating third-party challenge infrastructure.

What the customer configures

You now configure the provider in two places:
  1. In the console, create or edit a mitigation with Mode = Challenge.
  2. Select Turnstile as the challenge provider for that mitigation.
Esper’s runtime still needs Turnstile credentials available to the server:
  • ESPER_TURNSTILE_SITE_KEY
  • ESPER_TURNSTILE_SECRET_KEY
  • optional ESPER_TURNSTILE_EXPECTED_HOSTNAME
Provider selectionThe mitigation-level provider selector decides which challenge flow Esper uses when that mitigation is triggered. The runtime configuration decides whether the provider is actually available.

How to verify the setup

Open Settings > Challenge in the console and run Test challenge setup. Green means:
  • Turnstile credentials are configured on the runtime
  • your enabled Challenge mitigations that use Turnstile are valid
Red means one or more of the following:
  • the Turnstile keys are missing
  • a challenge mitigation is missing its provider selection
  • the tenant has no enabled challenge mitigations to validate

What users experience

When a policy resolves to a Challenge mitigation using Turnstile:
  • Esper creates a challenge session
  • the user is redirected to the Esper-managed challenge page
  • Turnstile is rendered in the browser
  • a successful solve issues an Esper proof token and returns the user to the original URL
Integration noteIf your application starts the managed challenge flow from a mitigation result, make sure it passes the mitigation identifier through so Esper can honor the provider selected on that challenge mitigation.

Tradeoffs

  • Pros: low client CPU usage, familiar UX, managed verification
  • Cons: external dependency, provider credentials required, third-party network round-trip during verification