# Vercel BotID vs Cloudflare Turnstile

**Author:** Vercel

---

[Vercel BotID](https://vercel.com/botid) and [Cloudflare Turnstile](https://www.cloudflare.com/products/turnstile/) both stop automated bots without showing visitors a traditional CAPTCHA. Each runs a client-side challenge in the browser, classifies the visitor, and confirms the result on your server before a sensitive action completes. They differ in where they run, how invisible they are to users, and how deeply they integrate with the rest of your stack.

Vercel BotID is bot protection built into the Vercel platform. It runs an invisible challenge in the browser, then your server calls `checkBotId()` to classify the request, with an optional machine learning layer powered by [Kasada](https://www.kasada.io/) for the most sophisticated bots. Cloudflare Turnstile is a portable widget you embed on any page. It runs adaptive challenges from Cloudflare's [Challenge Platform](https://developers.cloudflare.com/cloudflare-challenges/), issues a token, and your server validates that token through the Siteverify API.

Vercel BotID requires a project to be deployed on Vercel and protects specific high-value routes, such as checkout, signup, and API endpoints. Cloudflare Turnstile runs on any host or CDN and is free with unlimited verification for most use cases.

The right choice usually comes down to where you host, how invisible the challenge needs to be, and the kind of abuse you're trying to stop. This guide compares the two across those dimensions and closes with a scenario-by-scenario guide, so you can decide which one matches what you're building.

* * *

## Comparing Vercel BotID and Cloudflare Turnstile

Both tools share a goal of separating humans from bots without a visible puzzle. The differences are in deployment model, detection technology, and how the verification step fits into your code.

| Feature               | Vercel BotID                                                                 | Cloudflare Turnstile                                                           |
| --------------------- | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------ |
| Protection type       | Invisible bot detection on server routes and actions                         | Embeddable CAPTCHA-alternative widget                                          |
| User interaction      | None, fully invisible                                                        | Usually none. Managed mode shows a checkbox only when a risk is detected       |
| Hosting requirement   | Project deployed on Vercel                                                   | Any host or CDN, with or without Cloudflare                                    |
| Basic detection       | Validates challenge integrity and correctness                                | Cloudflare Challenge Platform (proof-of-work, proof-of-space, browser probing) |
| Advanced detection    | Deep Analysis machine learning by Kasada                                     | Device fingerprinting and ephemeral IDs on the Enterprise plan                 |
| Client setup          | `initBotId()` or the `<BotIdClient />` component                             | Embed the Turnstile widget script                                              |
| Server verification   | `checkBotId()` returns `isBot`                                               | POST the token to the Siteverify API                                           |
| Token handling        | Managed by the SDK and proxy; no token in your code                          | Token up to 2,048 characters, valid for 300s, single-use                       |
| Verified bot identity | Returned by `checkBotId()` from Vercel's directory                           | Cloudflare Radar directory, enforced via Bots and WAF                          |
| Analytics             | Vercel Firewall traffic filter and Observability Plus                        | Turnstile Analytics (7-day lookback on Free, 30-day on Enterprise)             |
| Pricing               | Basic free on all plans; Deep Analysis available on Pro and Enterprise plans | Free with unlimited verification (up to 20 widgets); Enterprise plan available |

### How users experience each challenge

Neither tool shows a traditional CAPTCHA, but the experience differs.

Vercel BotID is fully invisible and never renders a visible element. The browser solves a client-side challenge in the background, and the user sees nothing.

Cloudflare Turnstile offers three widget types, so the experience varies:

- **Managed**: shows an interactive checkbox when the visitor's risk level warrants it.
  
- **Non-interactive**: displays a widget that the visitor never interacts with.
  
- **Invisible**: hides the widget from the visitor entirely.
  

### Framework and platform support

Cloudflare Turnstile is framework-agnostic because it's a script plus a server call, so it works with any frontend. Vercel BotID provides first-class configuration for Next.js, Nuxt, and SvelteKit, plus a universal `initBotId()` function for any other JavaScript environment, but it requires hosting on Vercel.

| Capability       | Vercel BotID                                              | Cloudflare Turnstile                       |
| ---------------- | --------------------------------------------------------- | ------------------------------------------ |
| Hosting          | Requires deployment on Vercel                             | Any host, with or without Cloudflare's CDN |
| Next.js          | First-class (`withBotId`, `initBotId`, `<BotIdClient />`) | Script embed                               |
| Nuxt             | First-class (`botid/nuxt` module)                         | Script embed                               |
| SvelteKit        | First-class (`initBotId` in a client hook)                | Script embed                               |
| Other frameworks | Universal `initBotId()` for any JavaScript environment    | Framework-agnostic script                  |

### How server-side verification works

Both tools confirm the result on your server, but the mechanics differ. Vercel BotID attaches signals to the request on the client, then `checkBotId()` reads them and returns whether the request is a bot. You don't handle a token or call a separate verification endpoint.

`import { checkBotId } from 'botid/server'; import { NextResponse } from 'next/server'; export async function POST() { const verification = await checkBotId(); if (verification.isBot) { return NextResponse.json({ error: 'Access denied' }, { status: 403 }); } // Handle the verified request return NextResponse.json({ success: true }); }`

Cloudflare Turnstile generates a token when the visitor completes a challenge. Your server sends that token to the Siteverify API with your secret key, and the response confirms whether the token is valid. Tokens expire after 300 seconds and can be validated only once.

`const formData = new FormData(); formData.append('secret', env.TURNSTILE_SECRET_KEY); formData.append('response', token); const result = await fetch( 'https://challenges.cloudflare.com/turnstile/v0/siteverify', { method: 'POST', body: formData }, ); const outcome = await result.json(); if (!outcome.success) { // Reject the request }`

Never expose your secret key in client-side code, as that would allow attackers to bypass the check. If you’re using a Cloudflare Worker, you can securely store and access it with a [secret binding](https://developers.cloudflare.com/workers/configuration/secrets/).

* * *

## Where Vercel BotID goes deeper

BotID's distinctive strengths stem from its depth and tight platform integration: it remains fully invisible, uses machine learning to detect bots that mimic real users, and provides per-route control in your Vercel project.

### Fully invisible detection

Vercel BotID never renders any visible elements. There are no checkboxes or widgets, and no challenge for the user to complete, even when the system is actively classifying a request. Cloudflare Turnstile's managed mode can show an interactive checkbox when it detects elevated risk, so BotID eliminates that option entirely for flows where you want zero visible friction.

### Deep Analysis with machine learning

[Deep Analysis](https://vercel.com/docs/botid#deep-analysis) is BotID's machine learning layer, powered by Kasada, and it targets bots designed to mimic real users. Tools like Playwright and Puppeteer can run JavaScript, solve CAPTCHAs, and navigate interfaces like a person, making them hard to catch with integrity checks alone. Deep Analysis counters them by:

- Collecting thousands of signals that distinguish humans from bots on each request.
  
- Changing its detection methods on every page load to resist reverse engineering.
  
- Streaming attack data to a global model that improves protection for every customer.
  

Deep Analysis runs only after the basic integrity check passes. It protects against credential stuffing, data scraping, API abuse, spam, fraud, and bots that consume expensive infrastructure or inventory.

In one incident, Deep Analysis identified a [500% increase in traffic](https://vercel.com/blog/botid-deep-analysis-catches-a-sophisticated-bot-network-in-real-time) [from a new bot network](https://vercel.com/blog/botid-deep-analysis-catches-a-sophisticated-bot-network-in-real-time) by linking similar browser fingerprints that moved through proxy nodes and blocked these sessions. The system also maintained inference for Nous Research during a [3,000% spike in chat app traffic](https://vercel.com/blog/how-nous-research-used-botid-to-block-automated-abuse-at-scale). To learn how to safeguard your agentic app and AI budget, check out [How to protect your AI endpoints with Vercel BotID](https://vercel.com/kb/guide/protect-ai-endpoints-with-vercel-botid).

### Verified bot identification

Deep Analysis can tell you which known bot is behind a request, not just whether the request is automated. It draws on Vercel's [verified bot directory](https://bots.fyi/) to return fields such as `isVerifiedBot`, `verifiedBotName`, and `verifiedBotCategory` in the same `checkBotId()` call. This lets you allow automated traffic that helps your business, such as agentic bots that use the [Universal Commerce Protocol](https://ucp.dev/) to purchase on behalf of users, while blocking the rest. If you operate a bot, you can [submit it for verification](https://bots.fyi/new-bot).

Cloudflare maintains a comparable [verified bots directory](https://radar.cloudflare.com/bots/directory) on Cloudflare Radar, and you can [request verification](https://developers.cloudflare.com/bots/concepts/bot/verified-bots/) through [Web Bot Auth](https://datatracker.ietf.org/wg/webbotauth/about/) or IP validation. The difference is where that identity surfaces: BotID returns it inline in the response your route handler already reads, while Cloudflare enforces verified bots through its [Bot Management product](https://developers.cloudflare.com/bots/reference/bot-management-variables/), such as filtering on `cf.verified_bot_category` in WAF rules, rather than through the Turnstile token-verify flow.

### Route-by-route check levels

You can set the detection level per route rather than applying a single setting across the project. The `advancedOptions.checkLevel` option accepts `basic` or `deepAnalysis`, and a per-route setting takes precedence over the project-level configuration in your dashboard. The `checkLevel` must match between your client and server configurations for each route, or verification fails.

`import { initBotId } from 'botid/client/core'; initBotId({ protect: [{ path: '/api/checkout', method: 'POST', advancedOptions: { checkLevel: 'deepAnalysis' }, }, { path: '/api/contact', method: 'POST', advancedOptions: { checkLevel: 'basic' }, }, ], });` ### Integration with Vercel Firewall BotID is part of Vercel's [bot management](https://vercel.com/security/bot-management), so its results flow into the rest of the platform's security tools. You can inspect BotID checks using the [BotID filter in the Firewall traffic view](https://vercel.com/docs/botid#botid-observability), track metrics in [Observability Plus](https://vercel.com/docs/observability/observability-plus), and add a [bypass rule in the Vercel WAF](https://vercel.com/docs/vercel-firewall/firewall-concepts#bypass) to allow traffic that would otherwise be flagged. Teams already running on Vercel get this without setting up a separate service.

* * *

## Where Cloudflare Turnstile goes deeper

Turnstile's distinctive strengths stem from its portability and flexibility: it runs on any stack, lets you control the challenge's visibility, and remains free for most use cases.

### Runs on any host or CDN

Cloudflare Turnstile is an independent service that works on any website, whether or not your traffic is proxied through Cloudflare. The client-side widget and server-side validation are self-contained, allowing you to deploy Turnstile across multi-cloud environments, on-premises infrastructure, or sites using other CDNs. By contrast, Vercel BotID requires a project deployed on Vercel.

### Control over challenge visibility

Turnstile lets you choose how visible the challenge is, from a managed checkbox that appears only under elevated risk, to a non-interactive widget, to a fully invisible mode. This gives you per-widget control over the balance between user friction and assurance, and you can assign different widgets to different forms or environments.

### Drop-in replacement for other CAPTCHAs

If you already use reCAPTCHA or hCaptcha, Turnstile is a drop-in replacement. You can copy and paste the Turnstile script where your existing CAPTCHA script is currently used, and Cloudflare provides migration guidance. Vercel BotID is a new integration rather than a CAPTCHA replacement because it uses a different server-side model.

### Free with unlimited verification

Turnstile's Free plan includes unlimited challenges and verification requests, covering most production applications. It supports up to 20 widgets and 10 hostnames per widget, with a 7-day analytics lookback. The Enterprise plan adds device fingerprinting, ephemeral IDs, removal of Cloudflare branding, up to 200 hostnames per widget, any-hostname widgets, and a 30-day analytics lookback. For comparison, Vercel BotID's Basic tier is free across all plans, while Deep Analysis is available to Pro and Enterprise customers.

### Ephemeral IDs for fraud detection

Turnstile derives a short-lived ephemeral ID for each visitor from browser signals, not from IP addresses or cookies. Because the ID reflects the client rather than its IP, you can group repeated abuse from one source even as it rotates through IP pools, including a single real person creating hundreds of fake accounts that IP-based rules miss. Turnstile Enterprise and Bot Management Enterprise customers can read the field from the [Siteverify response](https://developers.cloudflare.com/turnstile/get-started/server-side-validation/) to build their own fraud logic, such as alerting on signup thresholds. BotID also detects IP-rotating bots through its own signals, but returns a verdict rather than an identifier that you use to group requests yourself.

* * *

## When to choose BotID or Turnstile

The right tool depends on where you host, how invisible you need the challenge to be, and how well the verification fits your stack.

| If your workload looks like...                                                          | Choose               | Why                                                                                                              |
| --------------------------------------------------------------------------------------- | -------------------- | ---------------------------------------------------------------------------------------------------------------- |
| Protecting high-value routes on a Vercel app (e..g, checkout, signup, and AI endpoints) | Vercel BotID         | Invisible server-side checks that integrate with your Vercel deployment and firewall                             |
| Stopping bots that already pass CAPTCHAs (e..g, Playwright and Puppeteer)               | Vercel BotID         | Deep Analysis machine learning targets human-mimicking automation                                                |
| Zero visible friction, with no widget under any condition                               | Vercel BotID         | Fully invisible, never renders an interactive element                                                            |
| Allowing specific verified bots while blocking the rest                                 | Vercel BotID         | BotID returns the verified-bot identity inline in `checkBotId()`; Turnstile defers it to Cloudflare Bots and WAF |
| Hosting outside Vercel (e..g, multi-cloud or on-premises)                               | Cloudflare Turnstile | Runs anywhere without routing traffic through Cloudflare                                                         |
| Replacing reCAPTCHA or hCaptcha                                                         | Cloudflare Turnstile | Drop-in script replacement with migration guidance                                                               |
| Adding a free, drop-in challenge to a plain HTML form (e..g, contact us)                | Cloudflare Turnstile | Drop-in widget for native HTML forms on any host                                                                 |
| Blocking automated abuse without a traditional CAPTCHA                                  | Both                 | Neither shows a conventional visible puzzle                                                                      |

The choice comes down to where you run and how invisible you need to be. Teams building on Vercel that want to protect high-value endpoints get the tightest integration and the strongest defense against human-like bots with Vercel BotID, including invisible challenges and machine learning via Deep Analysis. Teams that need a portable, free, accessible challenge that runs on any infrastructure, or a direct replacement for an existing CAPTCHA, will find Cloudflare Turnstile a good fit.

* * *

## Resources and next steps

- Add BotID to a Vercel project with the [BotID getting started guide](https://vercel.com/docs/botid/get-started), or read the [BotID overview](https://vercel.com/docs/botid) for how the validation flow and check levels work.
  
- Create a Turnstile widget, validate tokens using the [Turnstile getting started guide](https://developers.cloudflare.com/turnstile/get-started/), and compare tiers in [Turnstile plans](https://developers.cloudflare.com/turnstile/plans/).
  
- To put BotID into production, walk through enabling and testing it with [Deploying and testing BotID](https://vercel.com/kb/guide/deploying-and-testing-botid), then gate an AI route end-to-end with [How to protect your AI endpoints with Vercel BotID](https://vercel.com/kb/guide/protect-ai-endpoints-with-vercel-botid).
  
- For the wider picture, see how BotID fits alongside managed rulesets and custom rules in [Vercel's bot management features](https://vercel.com/kb/guide/how-to-utilize-vercels-bot-management-features).

---

[View full KB sitemap](/kb/sitemap.md)
