When a target website uses Cloudflare Turnstile, the API field that carries the verification result may be named turnstileToken, cf-turnstile-response, X-Turnstile-Response, or something else defined by the application. With Scrapingbypass API, keep that target field in place and put [cf_token] where the Turnstile token should go. Scrapingbypass will replace the placeholder with a valid Turnstile token before forwarding the request.
If the Turnstile widget also uses cData or action, pass those values to Scrapingbypass through request headers:
x-cb-sitekey: <TURNSTILE_SITEKEY>
x-cb-cdata: <CDATA>
x-cb-action: <ACTION>
When to use these headers
- The target site triggers a Turnstile widget during form submission.
- The target API expects a token field such as
turnstileTokenorcf-turnstile-response. - The page initializes Turnstile with
sitekeyplus optionalactionorcData.
Step 1: Find sitekey, cData, and action
Open browser developer tools and inspect how the Turnstile widget is initialized. A JavaScript initialization may look like this:
turnstile.render('#turnstile-widget', {
sitekey: '0x4AAAA...',
action: 'login',
cData: 'user-cdata'
})
The same values may also appear as HTML attributes:
<div class="cf-turnstile"
data-sitekey="0x4AAAA..."
data-action="login"
data-cdata="user-cdata"></div>
If the page does not define action or cData, you can omit the corresponding Scrapingbypass header. If the target backend validates these fields, keep the values exactly aligned with the widget configuration.
Step 2: Send cData and action to Scrapingbypass
For Scrapingbypass V2, include your API key, target host, version, proxy, and Turnstile sitekey. Add x-cb-cdata and x-cb-action when the widget requires them:
curl -X POST "https://api.scrapingbypass.com/api/login" -H "x-cb-apikey: YOUR_APIKEY" -H "x-cb-host: target.com" -H "x-cb-version: 2" -H "x-cb-proxy: http://user:pass@proxy-host:port" -H "x-cb-sitekey: 0x4AAAA..." -H "x-cb-cdata: user-cdata" -H "x-cb-action: login" -H "content-type: application/json" --data '{"username":"[email protected]","password":"demo-password","turnstileToken":"[cf_token]"}'
The important distinction is simple: x-cb-cdata and x-cb-action are used while generating the Turnstile token. The target API field, such as turnstileToken, should still contain [cf_token].
Python example
import requests
url = "https://api.scrapingbypass.com/api/login"
headers = {
"x-cb-apikey": "YOUR_APIKEY",
"x-cb-host": "target.com",
"x-cb-version": "2",
"x-cb-proxy": "http://user:pass@proxy-host:port",
"x-cb-sitekey": "0x4AAAA...",
"x-cb-cdata": "user-cdata",
"x-cb-action": "login",
"content-type": "application/json",
}
payload = {
"username": "[email protected]",
"password": "demo-password",
"turnstileToken": "[cf_token]",
}
resp = requests.post(url, headers=headers, json=payload, timeout=60)
print(resp.status_code, resp.headers.get("x-cb-status"))
print(resp.text)
Where should [cf_token] go?
The field name depends on the target website. Scrapingbypass only replaces the [cf_token] placeholder. Common examples include:
{ "turnstileToken": "[cf_token]" }
{ "cf-turnstile-response": "[cf_token]" }
{ "accessToken": "[cf_token]" }
If the target site expects the token in a request header, use the same placeholder there:
X-Turnstile-Response: [cf_token]
Authorization: Bearer [cf_token]
Notes and limits
x-cb-cdatamaps to TurnstilecData;x-cb-actionmaps to Turnstileaction.- Cloudflare Turnstile typically limits
actionto 32 characters andcDatato 255 characters. - Use letters, numbers, underscores, and hyphens where possible.
- Scrapingbypass V2 requires a working proxy. For Turnstile flows, a sticky or stable proxy IP is recommended.
- Do not replace
[cf_token]locally. Send it to the Scrapingbypass API as a placeholder.
Troubleshooting
- If the target API reports an invalid token, confirm the token field name. Some APIs expect
cf-turnstile-responseinstead ofturnstileToken. - If the backend validates
actionorcData, make surex-cb-actionandx-cb-cdataexactly match the page configuration. - If the request times out or returns a proxy error, check the proxy format, availability, region, and sticky-session duration.
- If you receive a parameter error, verify that
x-cb-sitekeycontains the Turnstile sitekey, not the page URL or an unrelated business ID.
Summary
For a target field such as turnstileToken, put [cf_token] in that field. If the Turnstile widget uses cData or action, pass them with x-cb-cdata and x-cb-action. Scrapingbypass will generate the matching Turnstile token and replace the placeholder before the request reaches the target site.