Cloudflare Turnstile
Invisible bot protection across every public form — reservations, newsletter, OAuth consent. No traffic-light captchas, more privacy-friendly than reCAPTCHA.
As soon as a restaurant accepts public bookings through the widget or the AI connector, it becomes a bot target. Cloudflare Turnstile checks in the background whether the caller is a real browser run by a real human — usually without the guest noticing. Onboard runs Turnstile on every public endpoint without slowing down conversion.
Cloudflare's alternative to reCAPTCHA. Mostly passive, prompts a click only on suspicion. No image grids, no Google tracking cookie.
Where Turnstile is active
- Public reservations —
/api/reservations/publicverifies the token before every insert. - Newsletter subscription —
/api/subscribe-newsletterverifies before sending the double-opt-in email. - OAuth consent — the Approve button on
/oauth/authorizeverifies so ChatGPT connectors can't be authorized from bot accounts.
Environment variables
Two variables enable Turnstile:
NEXT_PUBLIC_CLOUDFLARE_TURNSTILE_KEY— Site key for the widget. Shipped to the frontend.CLOUDFLARE_TURNSTILE_SECRET— Secret key for server-side verification. Never leaks to the frontend.
Restaurants embedding the widget
When the restaurant embeds the booking widget on its own site, Onboard's widget handles rendering the Turnstile challenge. The restaurant doesn't need to do anything extra. Verification runs against Onboard's secret — the restaurant operator never sees a raw Turnstile token.
Why Turnstile, not reCAPTCHA
- No Google tracking cookies. Important for a GDPR-fair setup.
- Passive by default — the guest sees nothing while the browser looks fine.
- Fast resolution — typically under 100 ms against the Cloudflare endpoint.
- Free at most volume tiers.