Logo of «2Captcha»To home page
Captcha bypass tutorials

Was this helpful?

How to solve Cloudflare Turnstile on copilot.microsoft.com

Kate Push

Technical engineer

Introduction

If you are integrating automatic Cloudflare Turnstile captcha solving for copilot.microsoft.com and receiving tokens that the site rejects, this guide is for you.

The 2Captcha service supports solving Turnstile via API v2 with a minimal set of parameters. For the standard implementation on copilot.microsoft.com, it is enough to pass websiteKey and websiteURL, but it is critical to synchronize the User-Agent between requests.

This material provides general recommendations for configuring the task, analyzing the page, and debugging the integration.

General Information

Cloudflare Turnstile is a tokenized protection system that replaces traditional captchas with invisible or interactive widgets. The widget generates a token after checking user behavior and the browser environment.

Turnstile Features on copilot.microsoft.com

Parameter Value Note
websiteKey 0x4AAAAAAAg146IpY3lPNWte Extracted from the data-sitekey attribute
websiteURL https://copilot.microsoft.com/chats/... Full link to the page with the captcha
Task type TurnstileTask Standard mode, not Challenge
Additional parameters Not required pagedata, action, data can be omitted

Why the Token Might Be Rejected by the Site

Even with a correctly obtained token, the site may reject the request. Main reasons:

Reason How to check Solution
User-Agent mismatch Compare UA in the request and in the API response Use the userAgent from the 2Captcha response
Session desynchronization Check cookies and headers Reuse the browser context
IP blocking Test without a proxy or with a different geo Use a residential proxy
Premature sending Check if the form is loaded Add a wait for the element before injection
Incorrect token submission method Solve the captcha manually and study network requests with developer tools Implement this method in your solution

Environment Setup

Before you start, make sure you have:

  • Access to the 2Captcha API - an API key from your account dashboard
  • Browser automation tools - Playwright, Puppeteer, or Selenium
  • An up to date User-Agent - a string from a real browser that is making the request
  • Proxy (optional) - residential, with geolocation matching the target site

Proxy Requirements (if used)

Requirement Description
Type Residential or mobile
Protocol HTTP or HTTPS
Geolocation Matches the target site (US, EU)
Authentication By login and password or by IP
Stability Minimal response time, no frequent disconnects

Page Analysis and Parameter Extraction

Detecting the Captcha

On copilot.microsoft.com, the Turnstile captcha appears when sending a message in chat. Visually, it is a widget with the Cloudflare logo or an invisible check.

Finding the websiteKey

  1. Open DevTools (F12) on the target page
  2. Go to the "Elements" tab
  3. Find the element with class cf-turnstile or attribute data-sitekey

Example tag:

html Copy 
<div class="cf-turnstile" data-sitekey="0x4AAAAAAAg146IpY3lPNWte"></div>

The value of the data-sitekey attribute is your websiteKey.

Checking the Widget Type

Make sure a standard widget is used, not a Challenge page:

  • Standard mode: the .cf-turnstile element is present, iframe from challenges.cloudflare.com is absent
  • Challenge mode: iframe with the Cloudflare Challenges endpoint is present

For copilot.microsoft.com, the standard mode is used in most cases, which does not require additional parameters.

Implementation

TurnstileTask Structure

The task is sent via the createTask method to the endpoint https://api.2captcha.com/createTask.

Required task fields:

Field Type Description
type String TurnstileTask or TurnstileTaskProxyless
websiteURL String Full URL of the page with the captcha
websiteKey String Value from the data-sitekey attribute

Recommended fields:

Field Type Description
userAgent String Browser User-Agent string. Recommended to pass for session synchronization
proxyType String Proxy type: http, https, socks4, socks5
proxyAddress String Proxy IP address or host
proxyPort Integer Proxy port
proxyLogin String Login for proxy authentication (if required)
proxyPassword String Password for proxy authentication (if required)

Example Request Body (JSON)

json Copy 
{
  "clientKey": "YOUR_API_KEY",
  "task": {
    "type": "TurnstileTaskProxyless",
    "websiteURL": "https://copilot.microsoft.com/chats/example",
    "websiteKey": "0x4AAAAAAAg146IpY3lPNWte",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
  }
}

Getting the Result

After creating the task, use the getTaskResult method to poll the status:

json Copy 
{
  "clientKey": "YOUR_API_KEY",
  "taskId": 123456789
}

Possible values for the status field:

Value Description
processing Task is in progress, keep polling
ready Solution is ready, token is in solution.token
error An error occurred, check errorDescription

Injecting the Token into the Page

After receiving the token:

  1. Wait for the input[name="cf-turnstile-response"] field to appear
  2. Set the token value in this field
  3. Trigger change and input events to activate site triggers
  4. If needed, update the User-Agent in the session if the API returned a different value

Example logic (pseudocode):

Copy 
wait for cf-turnstile-response field
set token value
trigger change and input events
if API returned userAgent:
    update User-Agent header in session
submit form or continue interaction

Parameter Explanations

Minimal Parameter Set

  • For standard Turnstile on copilot.microsoft.com, websiteKey and websiteURL are enough
  • The userAgent parameter is recommended to pass for session synchronization
  • pagedata, action, data can be omitted if the site does not explicitly require them

User-Agent Synchronization

  • The 2Captcha API may return a solution.userAgent field with the current agent string
  • Use this value in subsequent requests to the target site
  • User-Agent mismatch is a common reason for rejecting valid tokens

Token Injection

  • The token is passed to the cf-turnstile-response field
  • After setting the value, it is important to trigger change and input events for site triggers
  • If the site uses a callback function, it needs to be called separately (rare for standard mode)

Feedback on Solving Results

After testing the token on the target site, it is recommended to send feedback.

If the Site Rejected the Solution

Send a POST request to the reportIncorrect endpoint:

Endpoint: https://api.2captcha.com/reportIncorrect

Method: POST

Content-Type: application/json

Example request:

json Copy 
{
   "clientKey": "YOUR_API_KEY",
   "taskId": 74455221488
}

Example response:

json Copy 
{
    "errorId": 0,
    "status": "success"
}

Important: Do not use this method if your success rate is close to 0 percent. This may indicate an error in your code, not in the captcha solutions.

If the Site Accepted the Solution

Send a POST request to the reportCorrect endpoint:

Endpoint: https://api.2captcha.com/reportCorrect

Method: POST

Content-Type: application/json

Example request:

json Copy 
{
   "clientKey": "YOUR_API_KEY",
   "taskId": 74455221488
}

Example response:

json Copy 
{
    "errorId": 0,
    "status": "success"
}

Refund Policy

  • Each case is reviewed individually
  • For standard captchas, the correctness of the response is checked
  • For token based captchas, worker statistics are analyzed
  • Refunds are not guaranteed for every complaint
  • The final refund amount may differ from the number of claims

Send reports honestly and only after real verification on the target site.

Common Errors and How to Fix Them

Error Possible cause Solution
Token exists but site does not allow access User-Agent mismatch Use the userAgent from the API response in subsequent requests
Widget does not disappear after injection Token not accepted or form not updated Check that the token is injected before form submission, add a delay

Debugging Recommendations

  • Enable detailed logging of requests and responses
  • Save the taskId for each request, this will simplify support inquiries
  • Test the integration in non-headless mode before launching in production
  • Check the target site response after sending the token
  • Compare the User-Agent in the API request and in the browser

Additional Resources

Checklist

  • websiteKey extracted from the data-sitekey attribute
  • websiteURL contains the full link to the page with the captcha
  • userAgent in the request matches the real browser
  • The returned userAgent from the API response is used for subsequent requests
  • Token is injected into the cf-turnstile-response field with event triggers
  • Proxy (if used) is residential and matches the target site geo
  • Logging is enabled for debugging parameters and API responses
  • Sending reportIncorrect and reportCorrect reports is implemented

Conclusion

For the standard Cloudflare Turnstile implementation on copilot.microsoft.com, it is enough to pass two required parameters: websiteKey and websiteURL. Additional parameters are not needed in this case.

The main reason a token might not be accepted by the site is a User-Agent mismatch between the API request and subsequent browser requests. Always use the userAgent value from the 2Captcha response to synchronize the session.

Correct token injection requires setting the value in the cf-turnstile-response field and triggering change and input events to activate site triggers.

Do not forget to send feedback via reportIncorrect and reportCorrect. This helps improve service quality and get refunds for incorrect solutions.

Automate any captchas with the 2Captcha API.