Cloudflare Turnstile cData/action Tutorial

When a target website uses Cloudflare Turnstile, the API field that carries the verification result may be named turnstileToken, cf-turnstile-response, X-Turnstile-Response, or something else defined by the application. With Scrapingbypass API, keep that target field in place and put [cf_token] where the Turnstile token should go. Scrapingbypass will replace the placeholder with a valid Turnstile token before forwarding the request.

If the Turnstile widget also uses cData or action, pass those values to Scrapingbypass through request headers:

x-cb-sitekey: <TURNSTILE_SITEKEY>
x-cb-cdata: <CDATA>
x-cb-action: <ACTION>

When to use these headers

  • The target site triggers a Turnstile widget during form submission.
  • The target API expects a token field such as turnstileToken or cf-turnstile-response.
  • The page initializes Turnstile with sitekey plus optional action or cData.

Step 1: Find sitekey, cData, and action

Open browser developer tools and inspect how the Turnstile widget is initialized. A JavaScript initialization may look like this:

turnstile.render('#turnstile-widget', {
  sitekey: '0x4AAAA...',
  action: 'login',
  cData: 'user-cdata'
})

The same values may also appear as HTML attributes:

<div class="cf-turnstile"
     data-sitekey="0x4AAAA..."
     data-action="login"
     data-cdata="user-cdata"></div>

If the page does not define action or cData, you can omit the corresponding Scrapingbypass header. If the target backend validates these fields, keep the values exactly aligned with the widget configuration.

Step 2: Send cData and action to Scrapingbypass

For Scrapingbypass V2, include your API key, target host, version, proxy, and Turnstile sitekey. Add x-cb-cdata and x-cb-action when the widget requires them:

curl -X POST "https://api.scrapingbypass.com/api/login"   -H "x-cb-apikey: YOUR_APIKEY"   -H "x-cb-host: target.com"   -H "x-cb-version: 2"   -H "x-cb-proxy: http://user:pass@proxy-host:port"   -H "x-cb-sitekey: 0x4AAAA..."   -H "x-cb-cdata: user-cdata"   -H "x-cb-action: login"   -H "content-type: application/json"   --data '{"username":"[email protected]","password":"demo-password","turnstileToken":"[cf_token]"}'

The important distinction is simple: x-cb-cdata and x-cb-action are used while generating the Turnstile token. The target API field, such as turnstileToken, should still contain [cf_token].

Python example

import requests

url = "https://api.scrapingbypass.com/api/login"

headers = {
    "x-cb-apikey": "YOUR_APIKEY",
    "x-cb-host": "target.com",
    "x-cb-version": "2",
    "x-cb-proxy": "http://user:pass@proxy-host:port",
    "x-cb-sitekey": "0x4AAAA...",
    "x-cb-cdata": "user-cdata",
    "x-cb-action": "login",
    "content-type": "application/json",
}

payload = {
    "username": "[email protected]",
    "password": "demo-password",
    "turnstileToken": "[cf_token]",
}

resp = requests.post(url, headers=headers, json=payload, timeout=60)
print(resp.status_code, resp.headers.get("x-cb-status"))
print(resp.text)

Where should [cf_token] go?

The field name depends on the target website. Scrapingbypass only replaces the [cf_token] placeholder. Common examples include:

{ "turnstileToken": "[cf_token]" }
{ "cf-turnstile-response": "[cf_token]" }
{ "accessToken": "[cf_token]" }

If the target site expects the token in a request header, use the same placeholder there:

X-Turnstile-Response: [cf_token]
Authorization: Bearer [cf_token]

Notes and limits

  • x-cb-cdata maps to Turnstile cData; x-cb-action maps to Turnstile action.
  • Cloudflare Turnstile typically limits action to 32 characters and cData to 255 characters.
  • Use letters, numbers, underscores, and hyphens where possible.
  • Scrapingbypass V2 requires a working proxy. For Turnstile flows, a sticky or stable proxy IP is recommended.
  • Do not replace [cf_token] locally. Send it to the Scrapingbypass API as a placeholder.

Troubleshooting

  • If the target API reports an invalid token, confirm the token field name. Some APIs expect cf-turnstile-response instead of turnstileToken.
  • If the backend validates action or cData, make sure x-cb-action and x-cb-cdata exactly match the page configuration.
  • If the request times out or returns a proxy error, check the proxy format, availability, region, and sticky-session duration.
  • If you receive a parameter error, verify that x-cb-sitekey contains the Turnstile sitekey, not the page URL or an unrelated business ID.

Summary

For a target field such as turnstileToken, put [cf_token] in that field. If the Turnstile widget uses cData or action, pass them with x-cb-cdata and x-cb-action. Scrapingbypass will generate the matching Turnstile token and replace the placeholder before the request reaches the target site.