Verification challenge overview

The verification challenge is a small widget you'll see on the sign-in, forgot-password, and reset-password pages that confirms you're a real person rather than an automated bot. We use Cloudflare Turnstile in managed mode — most of the time the widget verifies you invisibly the moment you focus the form; occasionally Cloudflare may ask you to tick a checkbox or complete a short visual or audio task. Your email, password, and reset tokens stay on our servers and are never sent to Cloudflare.

This page is a hub. If you're encountering the widget for the first time and want to understand what it is and why we use it, read on. If you're already in the middle of a specific scenario, jump to the right article from "Where to next?" below.

Why we use it

The widget sits in front of three sensitive paths — login, password-reset request, and password-reset submission — that an attacker would otherwise hammer with automated credential-stuffing or reset-spam traffic. It complements (it does not replace) the per-account rate limit already protecting those endpoints. Bots cannot acquire a fresh, single-use Turnstile token for every attempt, so the cost of large-scale automation goes up dramatically; real users almost never notice the widget is there. This is a sibling defense layer to Two-Factor Authentication (MFA) — both protect the account-access surface from different angles.

What to expect during sign-in

Focus the email or password field and the widget begins evaluating in the background. You'll briefly see a "Verifying..." indicator and then a green checkmark, with no clicks required. The Sign in (or Send reset link / Set new password) button stays disabled until the green checkmark appears. If Cloudflare decides to ask you to confirm by ticking a checkbox or completing a short task, that interaction appears directly in the widget — there is no separate popup or modal.

What data Cloudflare receives

Turnstile does not use the third-party tracking cookies or behavioural fingerprinting that older CAPTCHA services rely on. Your browser sends Cloudflare basic request metadata — your IP, user-agent, and a small amount of browser-environment information — so it can decide whether to trust the session. Your email address, password, reset token, and any other form fields stay on our servers and are never sent to Cloudflare.
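For readers who run a sign-in backend, the sketch below illustrates the layering from "Why we use it" and the data boundary described above. It is an added example, not this site's code. The class name, the rate-limit numbers, the order of the two checks, and the offline stand-in for Cloudflare's siteverify endpoint (in production, a POST to https://challenges.cloudflare.com/turnstile/v0/siteverify) are all assumptions.

```python
import time

TOKEN_FIELD = "cf-turnstile-response"  # hidden field the Turnstile widget adds to the form
MAX_ATTEMPTS, WINDOW_S = 5, 300        # assumed per-account limit; the page gives no numbers

def siteverify_payload(form, secret, remote_ip):
    """Body for Turnstile's siteverify call: the token is the only form value included."""
    return {"secret": secret, "response": form.get(TOKEN_FIELD, ""), "remoteip": remote_ip}

class LoginGate:
    """Runs before any password check on /login (hypothetical class, not the site's code)."""

    def __init__(self, secret, verify, now=time.monotonic):
        self.secret, self.verify, self.now = secret, verify, now
        self.attempts = {}  # normalised email -> timestamps of recent attempts

    def check(self, form, remote_ip):
        """Return 'ok', 'rate_limited' or 'challenge_failed'."""
        account = form.get("email", "").strip().lower()
        t = self.now()
        recent = [s for s in self.attempts.get(account, []) if t - s < WINDOW_S]
        if len(recent) >= MAX_ATTEMPTS:      # layer 1: per-account rate limit
            self.attempts[account] = recent
            return "rate_limited"
        self.attempts[account] = recent + [t]
        result = self.verify(siteverify_payload(form, self.secret, remote_ip))
        return "ok" if result.get("success") else "challenge_failed"  # layer 2: token

def make_fake_siteverify(issued_tokens):
    """Constructed offline stand-in for the siteverify endpoint: each token redeems once."""
    unused, spent, seen = set(issued_tokens), set(), []

    def verify(payload):
        seen.append(payload)                 # record exactly what would leave the server
        token = payload["response"]
        if token in unused:
            unused.discard(token)
            spent.add(token)
            return {"success": True, "error-codes": []}
        code = "timeout-or-duplicate" if token in spent else "invalid-input-response"
        return {"success": False, "error-codes": [code]}

    verify.seen = seen
    return verify

if __name__ == "__main__":
    verify = make_fake_siteverify({"tok-1"})  # constructed sample token
    gate = LoginGate("SECRET-PLACEHOLDER", verify)
    form = {"email": "user@example.test", "password": "not-sent", TOKEN_FIELD: "tok-1"}
    print(gate.check(form, "203.0.113.7"), gate.check(form, "203.0.113.7"))
```

Replaying the same token fails on the second call, and the recorded payloads contain the secret, the token and the client IP but no email or password.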

Where to next?

  • How to solve a verification challenge — what each variant of the widget looks like (invisible, checkbox, image, audio) and how to complete it. Read this if the widget is asking you to do something and you're not sure what.
  • Troubleshooting verification failures — what to do when the widget will not appear, will not complete, or keeps failing on submit. Almost every report is one of the first three checks.
  • Verification challenge FAQ — short answers to the most common questions, including why the widget appeared again when you've already passed it, whether it works without JavaScript, and what to do if your IP looks suspicious.
  • Two-Factor Authentication (MFA) Overview — the second layer of account protection: a 6-digit code from your authenticator app at sign-in. Set this up once you have an account.

Where the challenge appears

You'll only encounter the widget on /login, /forgot-password, and /reset-password. You will not see it on any authenticated page. Once you're signed in, your session cookie carries you through the rest of the app without further challenges.