How to trigger Cloudflare Turnstile validation callback after token injection with Puppeteer?

Mike71 · June 22, 2025, 9:42pm

I’m working on automating a site that has Cloudflare Turnstile protection using Puppeteer. I can get the token from external services and set it in the cf-turnstile-response field, but I’m stuck on how to trigger the validation callback.

Background

With reCAPTCHA v2, I could access the global config object and execute callbacks directly:

await page.waitForFunction(() => typeof ___grecaptcha_cfg !== 'undefined' && ___grecaptcha_cfg.clients);
const trigger_validation = await page.evaluate((captcha_token) => {
    const client_list = ___grecaptcha_cfg.clients;
    for (const client_instance of client_list) {
        if (typeof client_instance.callback === 'function') {
            client_instance.callback(captcha_token);
        }
    }
}, captcha_token);

Current Issue

I can successfully set the Turnstile token using:
document.querySelector('[name="cf-turnstile-response"]').value = 'MY_TOKEN';

The token gets populated correctly, but the page doesn’t proceed because there’s no form submission or button click involved. The site just waits for the challenge to be completed automatically.

Does anyone know how to access Turnstile’s internal configuration or trigger its completion callback programmatically? I need to simulate the successful challenge completion after injecting the token.

Tom01_Wonder · June 30, 2025, 11:38am

I’ve hit this same problem. Turnstile uses a callback function that gets registered when the widget loads. After you inject your token, you have to find and run this callback yourself. Check window.turnstile or look for callbacks in the widget’s DOM data attributes. Sometimes it’s stored as _cf_chl_opt.callback. What worked for me was firing a custom event on the Turnstile container after injecting the token - the widget usually listens for specific events. You can also try window.turnstile.render() if it exists. If all else fails, watch the network tab to see what requests happen during normal completion, then trigger those same calls in your code.

Alex_Thunder · June 30, 2025, 3:04am

try dispatching a change event on the turnstile element after you set the token - element.dispatchEvent(new Event('change')) might trigger their internal handlers. also check if there’s a window.turnstile object with refresh/reset methods.

Nate_91Surf · June 26, 2025, 9:11am

Had the same problem with Turnstile automation. Here’s what works: Turnstile uses a hidden iframe that talks to the parent through postMessage events. You can’t just inject the token - you need to fake the completion flow by sending the right postMessage sequence. Find the Turnstile iframe (look for challenges.cloudflare.com in the src) and send a completion message to the parent window. The message needs your token plus a success status. Run it normally first and intercept the messages to see the exact format they expect. Alternatively, hunt down the callback function. Turnstile doesn’t store callbacks like reCAPTCHA - check for _turnstileLoad or similar global functions. Sometimes it’s right in the widget’s data-callback attribute. If they’re using implicit rendering, call window.turnstile.execute() after injecting your token instead of just updating the hidden field.