If you're moving away from Cloudflare or just want a CAPTCHA that doesn't require a Cloudflare account, this is straightforward.
Most commonly: Turnstile is genuinely good if you're already a Cloudflare customer, but it's a strange fit if you're not. The widget loads from Cloudflare's CDN. The verify endpoint sits inside Cloudflare's infrastructure. The dashboard is part of the broader Cloudflare console. For teams who want a CAPTCHA that's just a CAPTCHA — independent, EU-resident, with predictable EUR pricing — moving makes sense.
Other reasons: explicit accessibility requirements (Turnstile's audio fallback is limited compared to its visual challenge), data-residency constraints (Turnstile's processing happens across Cloudflare's global network), and the desire to reduce the number of upstream dependencies in your stack.
You'll need: an existing Turnstile integration, ten minutes, and access to deploy environment variables. There's no need to make any changes in your Cloudflare account during the migration — your Turnstile site key remains valid, and you can keep both running in parallel during testing if you want.
Create an account at trustedcaptcha.com/signup. Add your site, list production hostnames, copy the sitekey and secret.
<!-- OLD -->
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<!-- NEW -->
<script src="https://cdn.trustedcaptcha.com/widget/v1/api.js" async defer></script><!-- OLD -->
<div class="cf-turnstile" data-sitekey="0x4AAAAA..."></div>
<!-- NEW -->
<div class="trustedcaptcha" data-sitekey="0x..."></div>The widget will fill any existing cf-turnstile-response hidden input on success — so server-side code that reads $_POST['cf-turnstile-response'] keeps working without changes.
Turnstile's data attributes (data-theme, data-size, data-callback, data-expired-callback, data-error-callback, data-action, data-cdata) all work as expected. The one exception is data-appearance — Turnstile's "execute" appearance maps to TrustedCaptcha's data-size="invisible", and the data-execution attribute maps to our explicit-render mode.
// OLD
$endpoint = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
// NEW
$endpoint = 'https://challenges.trustedcaptcha.com/api/v1/siteverify';POST body: secret, response, remoteip (and optional idempotency_key) — identical to Turnstile. Response JSON shape is API-compatible. The action, cdata, challenge_ts, and hostname fields all behave equivalently.
Local test, dashboard verification, production deploy. Same as the others.
Pre-clearance tokens. If you'd been using Turnstile's pre-clearance feature (challenge once, use the token across multiple form submissions in a session), the closest TrustedCaptcha equivalent is to verify the token server-side once and store an internal session flag. Pre-clearance as a primitive isn't part of the API.
Idempotency keys. Turnstile supports an idempotency_key on siteverify; we accept it for compatibility but the underlying token in TrustedCaptcha is single-use by default, so the idempotency key doesn't change behaviour.
cdata field. Turnstile's cdata field for passing custom data through the verify response is supported.
Cloudflare-only IPs. If your application was reading CF-Connecting-IP as the source of remoteip in your verify call, you'll want to fall back to X-Forwarded-For or your platform's equivalent in production once you're not behind Cloudflare. This is unrelated to TrustedCaptcha but is a common cleanup task during migrations away from Cloudflare.
Same as the others — reversible by undoing Steps 2 and 4. Cloudflare account untouched.