Cloudflare CAPTCHA beginning today

(Adi Fairbank) #1

It seems a CAPTCHA was added today, returning HTML instead of JSON immediately after the user clicks “Allow.” It is returned from the POST to


  1. Does this conform to the OAuth2 spec? The response to the /oauth/v2/token should be returning JSON, not HTML. This is breaking my integration.
  2. Shouldn’t the CAPTCHA be placed earlier in the workflow, like either before the user logs in, or before they click “Allow”?
  3. Why was this change not announced anywhere?

(Andrew Toivonen) #2

Hello - We have recently enhanced our border security that may cause challenges to your client or networks. As we work to continually enhance our defenses please contact us directly at and we will work with you to whitelist your environment. We apologize for any inconveniences this has caused.

(Adi Fairbank) #3

Alright, I e-mailed support. However, you didn’t answer my other questions about why this shouldn’t have simply been added earlier in the direct onboarding workflow, specifically when the user is actually interacting with your site, i.e. before/after logging in, or clicking “Allow”. These are already HTML pages and are rendered to the user.

Putting the CAPTCHA where you did is going to break a lot of integrations, and I’m pretty sure violates the OAuth2 spec. That step, the POST to get the OAuth2 tokens, is meant to be a server to server JSON request, NOT a human. So putting a CAPTCHA there to see if it’s a human is by definition never going to work.

You can specifically whitelist by IP address, by request, but then you’re going to have to document that in your API docs, and shoulder all the requests. It just seems a lot easier to add the CAPTCHA where the end user actually sees it.

(Ben Schmitt) #4

Hi Adi - The HTML response (CAPTCHA) when JSON for API users is expected is something we are actively evaluating and seeking to improve as we recognize there are other (better) ways to do this. In the interim, whitelisting your environment will hopefully minimize the frustration.

(Rahul Singh) #5

I think this is a bad idea. Our app is hosted at Heroku and the IP address is never static. Even if I were to give you a list of IP addresses, it would not work because Heroku keeps adding new IP addresses.

(Kirill Vasiliskov) #6

Seems like CAPTCHA issues are happening from time to time. In Sep-Oct 2015 I had a similar issue with your API. It is quite unexpected behavior for APIs to return a CAPTCHA challenge which is almost impossible to proceed. I, and I believe a lot of other developers that use your API, would really appreciate it if you added a whitelisting function to app settings using the CloudFlare API. Most API providers do this if they need to limit abusive access.

btw it’s already the second day of waiting for “to get this address/range of addresses white-listed today” (quoted from support response). Please dedicate more time to processing whitelisting support requests.
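
Added example, not part of the thread or the provider's code: a client-side check for the failure described in posts #1 and #3, where the token endpoint answers with an HTML page instead of JSON. The function names and the sample replies are assumptions constructed for illustration; the required fields follow RFC 6749 sections 5.1 and 5.2.

```python
import json

class TokenEndpointError(Exception):
    """Token endpoint reply that is not a usable RFC 6749 token response."""
    def __init__(self, kind, detail):
        super().__init__(f"{kind}: {detail}")
        self.kind = kind

def parse_token_response(status, headers, body):
    """Validate a token-endpoint reply; return the token dict or raise."""
    # Header names are case-insensitive; drop parameters such as charset.
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    media = ctype.split(";", 1)[0].strip().lower()
    if media != "application/json":
        # An HTML body here means something in front of the API answered
        # (e.g. a challenge page). Surface it for alerting, do not parse it.
        kind = "interstitial" if media == "text/html" else "unexpected_media_type"
        raise TokenEndpointError(kind, f"HTTP {status}, Content-Type {ctype!r}")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise TokenEndpointError("malformed_json", str(exc)) from exc
    if not isinstance(data, dict):
        raise TokenEndpointError("malformed_json", "top-level value is not an object")
    if "error" in data:  # RFC 6749 section 5.2 error response
        raise TokenEndpointError("oauth_error", str(data["error"]))
    if status != 200:
        raise TokenEndpointError("unexpected_status", f"HTTP {status}")
    # RFC 6749 section 5.1: access_token and token_type are REQUIRED.
    missing = [f for f in ("access_token", "token_type") if not data.get(f)]
    if missing:
        raise TokenEndpointError("incomplete", "missing " + ", ".join(missing))
    return data

def classify(status, headers, body):
    """Return 'ok' or the failure kind, for logging and alerting."""
    try:
        parse_token_response(status, headers, body)
        return "ok"
    except TokenEndpointError as exc:
        return exc.kind

# Constructed sample replies (not captured from any real service).
SAMPLES = {
    "token": (200, {"Content-Type": "application/json;charset=UTF-8"},
              '{"access_token": "example-token", "token_type": "Bearer", "expires_in": 3600}'),
    "challenge": (403, {"content-type": "text/html; charset=UTF-8"},
                  "<html><body>Please complete the CAPTCHA</body></html>"),
    "denied": (400, {"Content-Type": "application/json"}, '{"error": "invalid_grant"}'),
}
```

Calling `classify(*SAMPLES["challenge"])` returns `"interstitial"`, which an integration can log and alert on as a distinct condition instead of failing with a JSON decoding error.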