
Cloudflare publishes dummy sitekeys and secret keys you can drop into local environments and CI without ever talking to the real challenge endpoint. The keys are public, documented, and intentionally permissive — they exist so your tests don't trigger real risk scoring. They also fail in ways that surprise people the first time, so it's worth understanding the contract before pasting them into a config file.

What the Turnstile test keys actually do

The dummy sitekeys come in three flavours: always-passes, always-blocks, and force-interactive. Pair each with one of two test secrets — always-passes or always-fails — on the server side. The combinations let you exercise every branch of your form code without depending on the real challenge service.

| Sitekey | Behaviour |
| --- | --- |
| 1x00000000000000000000AA | Always passes (visible widget) |
| 2x00000000000000000000AB | Always blocks |
| 1x00000000000000000000BB | Always passes (invisible) |
| 2x00000000000000000000BB | Always blocks (invisible) |
| 3x00000000000000000000FF | Forces an interactive challenge |

The matching test secret keys are 1x0000000000000000000000000000000AA (always passes) and 2x0000000000000000000000000000000AA (always fails). Crucially, test secrets only validate dummy tokens, and production secrets only validate real tokens. Mixing them returns a verification error, which is a common cause of "but it works locally" reports.

Where to use them

The intended uses are local development, end-to-end tests, and Storybook-style component galleries. They work from any domain — including localhost, 127.0.0.1, and your CI runner — without domain whitelisting. That removes the most annoying part of testing real CAPTCHA flows: having to add every PR branch, preview deploy, and laptop hostname to the allowlist.

A typical setup splits configuration by environment:

```js
const TURNSTILE_SITE_KEY =
  process.env.NODE_ENV === "production"
    ? process.env.TURNSTILE_SITE_KEY
    : "1x00000000000000000000AA";
```

The same pattern applies on the server, swapping in the secret. Production reads from a secret manager; everywhere else uses the dummy.

The gotchas

Dummy tokens never expire — but real tokens do. Real Turnstile tokens are single-use and expire after 300 seconds. If your tests run slowly or your form keeps a token across multiple submissions, you'll see passes locally and failures in production. Add an integration test that exercises real keys against a real endpoint at least once before release.

Test keys don't exercise risk logic. The whole point is to bypass scoring. That means a test passing with 1x00000000000000000000AA proves the form wires up the token correctly, not that real users will get through. Score thresholds, action binding, and challenge escalation only matter with real keys.

Don't ship dummy keys to production by accident. Several teams have shipped 1x... to production for weeks before noticing — the form looks fine because the widget renders and the server accepts the token. The only signal is that bot traffic isn't being filtered. A linter rule that fails CI on hardcoded 1x0000... strings outside test directories is cheap insurance.

Preview deploys still need the test secret on the server. If your preview environment uses production secrets but dummy sitekeys, every form submission will fail server validation. Match the pair.

How this maps to other vendors

The pattern is industry standard. Google's reCAPTCHA also publishes test keys (6LeIxAcTAAAA...) with the same caveat — they bypass real scoring and only work with the matching test secret. hCaptcha exposes a 10000000-ffff-ffff-ffff-000000000001 test sitekey. CaptchaLa provides a demo_app app key for the same purpose, plus a separate sandbox secret that accepts dummy pass_token values.

The thing to internalise: test keys prove wiring, not security. Run them on every PR. Run real keys in staging. Don't conflate the two.

Recap

Cloudflare's test sitekeys and secrets are the right way to develop and test Turnstile integrations without domain noise or real challenge calls. Use the always-pass key for happy-path tests, the always-block key for error handling, the interactive key to verify your UI handles the challenge frame, and never let a dummy key reach production. The full reference and exact key strings live at the official Turnstile testing docs.

Articles are CC BY 4.0 — feel free to quote with attribution