AI Provider Turnstile

Project-level Cloudflare Turnstile protection for AI Provider generation.

Last updated May 26, 2026

What it protects

AI Provider Turnstile adds a Cloudflare Turnstile challenge before users can start zship-provider1-service generation from the shared AI UI.

It applies to the common Nuxt AI layer, including:

  • AiPlayground
  • PolloAi
  • Any app that reuses the shared /api/provider/generate flow

The goal is to reduce scripted abuse of image, video, and other paid generation endpoints without adding per-app code.

Admin configuration

Open Admin → Projects → your project → AI Provider Turnstile.

Configure:

| Setting | Meaning |
| --- | --- |
| Enable Turnstile | Turns the challenge on for this app_key. |
| Site key | Public Cloudflare Turnstile site key used by the browser widget. |
| Secret key | Private Cloudflare Turnstile secret key stored in t_project.settings; it is never returned to the browser. |
| Challenge scope | Choose Guests only or All users. |
| Allow subscription bypass | Lets only selected active subscription plans skip the challenge. |
| Subscription plans that can bypass | Multi-select one or more subscription Price Config entries. The stored value is price_type, which is also the user's t_user_subscription.plan_id. |

Settings are stored under settings.ai_provider_turnstile on the project record. No per-app project config file is required.

Cloudflare setup

In Cloudflare Dashboard:

  1. Open Turnstile.
  2. Create a widget.
  3. Choose Managed widget mode.
  4. Add your production domain and any preview domains.
  5. Copy the Site Key and Secret Key into the Project settings in Admin.

Cloudflare's server verification contract is the Turnstile Siteverify API. Tokens are short-lived and single-use, so the UI resets the widget after each generation attempt.

Runtime flow

  1. The Nuxt app fetches /api/site-config/ai-provider-turnstile.
  2. The common site config proxy asks node1-auth for the current project's Turnstile policy.
  3. node1-auth returns a secret-redacted config: whether Turnstile is enabled, whether this visitor must solve it, the site key, scope, and subscription-plan bypass rule.
  4. When required, the shared AI component renders the Turnstile widget and sends turnstile_token with the generate request.
  5. zship-provider1-service validates the normal request first, then asks node1-auth to verify the token against Cloudflare Siteverify.
  6. Only verified requests continue to credit deduction and provider execution.

The token is stripped from provider requests and from stored task user_request records.
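
The server-side half of the flow above (policy decision, Siteverify check, token stripping), as an added example that is not the project's own code. The policy field names, the scope values "guests" and "all", the visitor shape and the function names are assumptions; only the Siteverify URL, its secret/response/remoteip parameters and its success/error-codes reply fields come from Cloudflare's API.

```javascript
// Added example, not zship code. Policy fields (enabled, scope, allowBypass,
// bypassPlans), scope values and the visitor shape are assumptions.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// Decide whether this visitor must solve the challenge before generating.
function challengeRequired(policy, visitor) {
  if (!policy || !policy.enabled) return false;
  if (policy.scope === "guests" && visitor.userId) return false; // "Guests only"
  // activePlanId stands for t_user_subscription.plan_id of an active subscription.
  const bypass = policy.allowBypass ? policy.bypassPlans || [] : [];
  return !(visitor.activePlanId && bypass.includes(visitor.activePlanId));
}

// Verify a token with Siteverify. Fails closed: a missing token, a network error,
// a non-2xx reply or success !== true all count as "not verified".
// Error strings starting with "siteverify-" are local labels, not Cloudflare codes.
async function verifyToken(secret, token, remoteIp, fetchImpl = fetch) {
  if (typeof token !== "string" || token === "") {
    return { ok: false, errors: ["missing-input-response"] };
  }
  const form = new URLSearchParams({ secret, response: token });
  if (remoteIp) form.set("remoteip", remoteIp);
  try {
    const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body: form });
    if (!res.ok) return { ok: false, errors: ["siteverify-http-" + res.status] };
    const data = await res.json();
    return { ok: data.success === true, errors: data["error-codes"] || [] };
  } catch (err) {
    return { ok: false, errors: ["siteverify-unreachable"] };
  }
}

// Gate for the generate handler. The returned body has turnstile_token removed,
// so it never reaches the provider request or the stored task record.
async function gateGenerate(policy, secret, visitor, body, fetchImpl) {
  const { turnstile_token, ...clean } = body;
  if (challengeRequired(policy, visitor)) {
    const result = await verifyToken(secret, turnstile_token, visitor.ip, fetchImpl);
    if (!result.ok) return { allowed: false, errors: result.errors };
  }
  return { allowed: true, body: clean };
}
```

A replayed token comes back from Siteverify with success false and the error code timeout-or-duplicate, which is why the widget has to be reset after each generation attempt.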

For most public AI generation products:

  • Use Guests only first.
  • Enable subscription bypass only for paid tiers that should have lower friction.
  • Combine Turnstile with provider rate limits and API key blocks.
  • Use Cloudflare WAF or custom rules for IP, country, or bot-score policy.

This keeps friction low for paying users while still protecting free guest traffic and expensive upstream models.