Clearance
A cf-clearance cookie proves to Cloudflare that the visitor is a verified human and has passed the Challenge presented to them.
If a visitor passes an Interactive Challenge (highest security level), then the cf-clearance cookie indicates this to the origin and allows the visitor to bypass any other Challenge on the website, whether it is another Interactive Challenge, a Managed Challenge, or a non-interactive JavaScript Challenge, for as long as the cookie is valid.
If a visitor receives a cf-clearance cookie on a page that uses a WAF rule with Managed or JavaScript Challenge (lower security levels), then encountering a different page with a higher security clearance level Challenge will prompt them to solve the Challenge again.
The original cf-clearance cookie that was issued to the visitor from a lower security clearance level Challenge will be replaced with the new cf-clearance cookie from a higher security clearance level Challenge.
Pre-clearance in Turnstile allows websites to streamline user experiences by using cf-clearance cookies. The cf-clearance cookie enables visitors to bypass WAF Challenges downstream, based on the security clearance level set by the customer. This can be particularly useful for trusted visitors, enhancing usability while maintaining security.
By default, Turnstile issues a one-time use token to the visitor when they solve a Challenge via the widget. The token is sent to your website's backend, which must validate it using the Siteverify API.
Challenge type | Issued clearance |
---|---|
Challenge Page | cf-clearance cookie (default) |
Turnstile widget | Token (default); cf-clearance cookie (optional addition) |
When you enable pre-clearance support on Turnstile, a cf-clearance cookie is issued to the visitor in addition to the default Turnstile token.
You can integrate Cloudflare Challenges by allowing Turnstile to issue a cf-clearance cookie as pre-clearance to your visitor. The pre-clearance level is set upon widget creation or widget modification using the Turnstile API's clearance_level. Possible values for the configuration are:
- interactive
- managed
- jschallenge
- no_clearance
All widgets have pre-clearance mode set to false and the security clearance is set to no_clearance by default.
For Enterprise customers eligible to enable widgets without any pre-configured hostnames, Cloudflare recommends issuing pre-clearance cookies on widgets where at least one hostname is specified and is the same as the zone that you want to integrate with Turnstile.
Refer to the blog post for more details on how pre-clearance works with WAF.
Interactive (High): interactive
Allows a user with a clearance cookie to not be challenged by Interactive, Managed Challenge, or JavaScript Challenge Firewall Rules.
Managed (Medium): managed
Allows a user with a clearance cookie to not be challenged by Managed Challenge or JavaScript Challenge Firewall Rules.
Non-interactive (Low): jschallenge
Allows a user with a clearance cookie to not be challenged by JavaScript Challenge Firewall Rules.
Clearance cookies generated by the Turnstile widget will be valid for the time specified by the zone-level Challenge Passage value. To configure the Challenge Passage setting, refer to the Cloudflare Challenges documentation.
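The bypass, replacement, and expiry rules described above can be modeled in a few lines, which is useful when planning which clearance_level a widget needs for the WAF rules behind it. This is an added example, not Cloudflare's code: the Visitor class, the walk helper, and the 1800-second Challenge Passage value are assumptions made for illustration.

```python
# Added illustration: a model of the clearance rules on this page, not Cloudflare code.
from dataclasses import dataclass
from typing import Optional

# Ordering taken from the page: jschallenge (low) < managed (medium) < interactive (high).
RANK = {"no_clearance": 0, "jschallenge": 1, "managed": 2, "interactive": 3}


@dataclass
class Cookie:
    level: str
    expires_at: float  # issue time + zone-level Challenge Passage


class Visitor:  # hypothetical name
    def __init__(self, challenge_passage_s: float):
        self.passage = challenge_passage_s
        self.cookie: Optional[Cookie] = None

    def _rank(self, now: float) -> int:
        # An expired or absent cookie grants nothing.
        if self.cookie is None or now >= self.cookie.expires_at:
            return 0
        return RANK[self.cookie.level]

    def solve_widget(self, clearance_level: str, now: float) -> None:
        """Turnstile widget solved; pre-clearance issues a cookie at the widget's level."""
        if clearance_level not in RANK:
            raise ValueError(f"unknown clearance_level: {clearance_level}")
        # Assumption: a widget never downgrades a stronger valid cookie (the page
        # does not cover that case). no_clearance issues no cookie at all.
        if RANK[clearance_level] > self._rank(now):
            self.cookie = Cookie(clearance_level, now + self.passage)

    def request(self, rule_challenge: Optional[str], now: float) -> bool:
        """Return True if the WAF rule challenges this request.

        A solved challenge replaces the cookie with one at the rule's level.
        """
        if rule_challenge is None or self._rank(now) >= RANK[rule_challenge]:
            return False
        self.cookie = Cookie(rule_challenge, now + self.passage)  # assume solved
        return True


def walk(widget_level, rules, passage=1800.0, step=60.0):
    """Solve a widget at t=0, then hit each rule `step` seconds apart (sample timings)."""
    v = Visitor(passage)
    v.solve_widget(widget_level, 0.0)
    return [v.request(r, (i + 1) * step) for i, r in enumerate(rules)]
```

For example, walk("managed", ["jschallenge", "managed", "interactive", "interactive"]) shows a single challenge, at the first interactive rule, after which the replaced cookie covers the rest.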
To set up pre-clearance cookies for Turnstile, refer to Enable pre-clearance cookies.