> ## Documentation Index
> Fetch the complete documentation index at: https://docs.esperr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Turnstile Challenge

> Managed challenge option that hands off human verification to Cloudflare Turnstile when a mitigation resolves to Challenge.

## When to choose Turnstile

* You want a familiar browser challenge with a hosted verification service.
* You prefer Cloudflare's risk and anti-abuse controls over local proof-of-work.
* You are comfortable depending on an external provider for challenge solves.

<Tip>
  **Best fit**

  Turnstile is usually the better starting point for public-facing login,
  checkout, or account-recovery experiences where low client-side CPU usage
  matters more than eliminating third-party challenge infrastructure.
</Tip>

## What the customer configures

You now configure the provider in two places:

1. In the console, create or edit a mitigation with `Mode = Challenge`.
2. Select `Turnstile` as the challenge provider for that mitigation.

Esper's runtime still needs Turnstile credentials available to the server:

* `ESPER_TURNSTILE_SITE_KEY`
* `ESPER_TURNSTILE_SECRET_KEY`
* optional `ESPER_TURNSTILE_EXPECTED_HOSTNAME`

<Info>
  **Provider selection**

  The mitigation-level provider selector decides which challenge flow Esper uses
  when that mitigation is triggered. The runtime configuration decides whether the
  provider is actually available.
</Info>

## How to verify the setup

Open `Settings > Challenge` in the console and run `Test challenge setup`.

Green means:

* Turnstile credentials are configured on the runtime
* your enabled `Challenge` mitigations that use Turnstile are valid

Red means one or more of the following:

* the Turnstile keys are missing
* a challenge mitigation is missing its provider selection
* the tenant has no enabled challenge mitigations to validate

## What users experience

When a policy resolves to a `Challenge` mitigation using Turnstile:

* Esper creates a challenge session
* the user is redirected to the Esper-managed challenge page
* Turnstile is rendered in the browser
* a successful solve issues an Esper proof token and returns the user to the
  original URL

<Tip>
  **Integration note**

  If your application starts the managed challenge flow from a mitigation result,
  make sure it passes the mitigation identifier through so Esper can honor the
  provider selected on that challenge mitigation.
</Tip>

## Tradeoffs

* Pros: low client CPU usage, familiar UX, managed verification
* Cons: external dependency, provider credentials required, third-party network
  round-trip during verification
