Get Turnstile Keys from Cloudflare
Turnstile is free and unlimited on Cloudflare. You do not need to move your DNS or buy any paid plan. You just need two keys.
Time required
3 minutes. No credit card needed.
What You Will Get
| Key | What It Looks Like | Where It Goes | Safe to Share? |
|---|---|---|---|
| Site Key | Starts with 0x4AAA... | Paste into WooCommerce → Turnstile Settings → API Settings → Site Key | Yes — goes on the frontend |
| Secret Key | Starts with 0x4AAA... | Paste into WooCommerce → Turnstile Settings → API Settings → Secret Key | No — never commit to git or share publicly |
Step 1 — Sign Up for Cloudflare
- Open https://dash.cloudflare.com/sign-up in a new tab
- Enter your email and a password
- Click Sign Up
- Verify your email (check inbox for the confirmation)
You now have a Cloudflare account on the Free plan. That is all you need — Turnstile is free forever on every plan.
Step 2 — Open the Turnstile Dashboard
- In the Cloudflare dashboard left sidebar, click Turnstile
- You land on the Turnstile widgets overview
- Click Add widget
Step 3 — Configure the Widget
Fill in these fields:
| Field | What to Enter |
|---|---|
| Widget name | Any friendly name, e.g., My WooCommerce Store |
| Hostname Management | Your store domain — e.g., yourstore.com. You can list multiple domains, one per line. Include both yourstore.com and www.yourstore.com if you use both |
| Widget Mode | Managed (recommended) — Cloudflare decides when to show an interactive challenge. Most visitors see nothing |
Three Widget Modes Explained
| Mode | Behavior | Good For |
|---|---|---|
| Managed | Cloudflare picks — invisible for most, interactive for suspicious | Default. Use this unless you have a reason |
| Non-interactive | Always invisible. Runs silently in the background | Highest UX, slightly lower protection |
| Invisible | Always runs a challenge, but without user interaction | Extra protection without a checkbox |
You can change mode any time from the widget settings page.
Click Create.
Step 4 — Copy Your Keys
After creating, Cloudflare shows the two keys on one page.
- Site Key — Click Copy next to it. Keep it in a safe place (a password manager or a notes app is fine)
- Secret Key — Click Copy next to this one too. Treat it like a password — never paste it into a public place
Both keys are long strings that look like:
0x4AAAAAAABB-CC-DDDDDDDDDDD
Step 5 — Paste Them Into the Plugin
- Go to your WordPress admin
- WooCommerce → Turnstile Settings → API Settings tab
- Paste the Site Key into Site Key
- Paste the Secret Key into Secret Key
- Click Save Changes
- Click Test Connection — you should see "API keys are valid"
Full tab reference: API Settings.
If You Need to Find Your Keys Again
- In Cloudflare dashboard, click Turnstile
- Click your widget name in the list
- Scroll to Site Key and Secret Key
- Site Key is always visible. Secret Key is masked — click Rotate secret key to generate a fresh one (this invalidates the old one)
Using Multiple Stores
You can run the same widget across multiple stores by adding all hostnames to the one widget. Or you can create one widget per store — your call.
One widget for staging + production
Add both staging.yourstore.com and yourstore.com to the same widget. You then use the same keys in both environments and Cloudflare accepts challenges from both.
Widget Analytics in Cloudflare
Cloudflare also shows its own stats for each widget:
- Dashboard → Turnstile → your widget
- Click Analytics
- See interactive vs non-interactive challenges, pass rates, and top sources
The plugin's own Analytics page shows the same events but from your server's point of view (which is more accurate for measuring form-level impact).
Widget Rotation (Advanced)
If you suspect your Secret Key leaked:
- Cloudflare dashboard → Turnstile → your widget
- Click Rotate secret key
- Copy the new Secret Key
- Paste into plugin → API Settings → Secret Key → Save
There is no downtime — existing tokens finish processing with the old key and new ones use the new key.
The Site Key does not rotate (it is public, not a secret).
Troubleshooting
| Problem | Fix |
|---|---|
| "Invalid sitekey" in browser console | Your domain is not listed in Cloudflare Turnstile widget's Hostname Management |
| "invalid-input-secret" in plugin logs | Secret Key was typed/copied wrong. Copy again, paste, save |
| "missing-input-secret" in plugin logs | Secret Key field is empty. Paste and save |
| Widget visible on local dev but not production | Add production hostname to the Cloudflare widget config |
| "timeout-or-duplicate" | Page was cached and re-used an old token. Clear caching plugin |
Related Pages
- API Settings — Where to paste the keys
- First-Time Setup — Full setup walkthrough
- Troubleshooting — Fixes for common key issues