Turnstile replaces traditional image-based CAPTCHAs with a non-interactive challenge that runs JavaScript in the background. It evaluates the browser environment, executes a proof-of-work computation, and checks Cloudflare's reputation signals for the visitor's IP and ASN. If confidence is high, the widget issues a signed token with no user interaction required; if confidence is lower, it may show a simple checkbox or fallback to a visual challenge.
From a scraping perspective, Turnstile is difficult to bypass because it requires a real JavaScript engine, access to browser APIs (canvas, WebGL, AudioContext), and a valid IP reputation. Headless browsers can execute Turnstile's JavaScript, but they must also pass the fingerprinting checks that Turnstile runs alongside the proof-of-work.
Turnstile tokens expire quickly (typically 5 minutes) and are single-use, so scrapers cannot cache and replay them across requests. AlterLab's Tier 3 and Tier 4 engines manage Turnstile resolution automatically as part of the website compatibility layer.