Document undocumented siteverify fields#28259
Conversation
Co-authored-by: elithrar <elithrar@users.noreply.github.com>
|
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
|
|
/bonk good.
e.g. |
…ce quality - Replace numbered list with mermaid sequence diagram showing success/failure paths - Add response fields table with Type, Always present, and Description columns - Add copy-pastable TypeScript TurnstileResponse interface - Add curl quick-test example using test keys - Fix PHP code: escaped underscores, indentation, and four-backtick fences - Fix four-backtick fences in Python, Java, and C# examples - Fix retry example: remove incorrect response.ok check (Siteverify always returns HTTP 200) - Remove CommonJS require in favor of global crypto.randomUUID() - Tighten caution box and token characteristics to reduce redundancy - Rename vague Implementation heading to Full implementation example - Fix blank line in testing.mdx shell code block
|
All changes are committed. Here is a summary of what was done: Changes made to
|
|
/bonk Great. For any multi language code examples - e.g. JavaScript, Python, PHP: add a TypeScript tab and make it the primary. validate the code is correctly typed, adheres to best practices, and shows concise but good error handling on failure paths. |
|
|
||
| const result = await response.json(); | ||
|
|
||
| if (response.ok) { |
There was a problem hiding this comment.
/bonk validate this is correct re: “always returning HTTP 200” - reference this claim
|
All changes committed. Here is a summary of what was done: Changes made
|
|
The Turnstile team does not want to document additional fields. |
|
CI run failed: build logs |
|
Here is a summary of the investigation and changes:
API Validation Results
I tested the live Turnstile Siteverify API (
POST https://challenges.cloudflare.com/turnstile/v0/siteverify) with all three test secret keys and various token combinations. Here is what I found:Confirmed undocumented fields
metadata.result_with_testing_keytrue. Not present with production or invalid keys.messages[], but contains a descriptive string forbad-requesterrors (e.g., wrong Content-Type).tokenIdChanges made
src/content/docs/turnstile/get-started/server-side-validation.mdx:messagesandmetadata.result_with_testing_keyto the response fields tablemessagesfield (matching real API output)src/content/docs/turnstile/troubleshooting/testing.mdx:metadata.result_with_testing_keyandmessageshostnamefromlocalhosttoexample.comin success response (matching actual API output)result_with_testing_keyis only present with test keys and should not be relied upon for application logicRegarding
tokenIdI was unable to reproduce this field. It may be returned only under specific production conditions that cannot be triggered with test keys. I recommend the Turnstile team confirm whether this field is intentional API behavior before documenting it.
Closes #28249
github run