What is the cf_clearance cookie?

cf_clearance is the session cookie Cloudflare WAF issues once a visitor passes its JavaScript or interactive challenge. The cookie binds the session to the visitor's IP, user agent and TLS fingerprint, and is required on every subsequent request to the protected domain until it expires (typically 30 minutes to 2 hours).

How do I get a cf_clearance cookie via API?

POST to https://api.meshprivacy.com/v1/tasks/submit with service: 'cloudflare_waf', the target url, your proxy_config in http://user:pass@ip:port format, and the user_agent you will retry with. Poll /v1/tasks/result/{task_id} for 3-8 seconds. The response returns cookies.cf_clearance ready to attach to downstream requests.

Why does my cf_clearance cookie return 403 on the next request?

Cloudflare binds cf_clearance to the original IP and user agent. Re-using the cookie from a different proxy, a different browser fingerprint, or after expiry returns 403. Always solve from the exact proxy and user agent you will retry with, and refresh the cookie when it expires.

How is Cloudflare WAF different from Turnstile?

Turnstile is the visible captcha widget that issues a single-use token (cf-turnstile-response). Cloudflare WAF is the broader firewall layer that issues a session-long cf_clearance cookie after a managed or interactive challenge. They use different services on MeshPrivacy: turnstile vs cloudflare_waf.

How fast does MeshPrivacy resolve Cloudflare WAF challenges?

Standard managed challenges resolve in 3-8 seconds. Interactive challenges (503 with extra steps) can take 5-10 seconds. Upstream timeout is 120 seconds. We do not advertise sub-second numbers — the Cloudflare challenge script requires real compute time on every solve.

How much does Cloudflare WAF solving cost?

Pricing is per-credit at 1 USD = 1,000 credits. Credit cost per request varies per service and may change — see meshprivacy.com/pricing for current rates. New accounts get 20 free credits with no credit card required.

Can I reuse the same cf_clearance cookie across multiple requests?

Yes, within its lifetime and from the same IP and user agent. Cloudflare permits a session of requests until cf_clearance expires (commonly 30 minutes to 2 hours, configurable per zone). Refresh the cookie when you hit a 403 or 503 again.

Looking for the Turnstile widget instead? See /docs/cloudflare — this page covers the WAF challenge flow (cf_clearance), not the Turnstile sitekey widget.

Resolving Cloudflare WAF Challenges

Cloudflare WAF intercepts requests with managed and interactive challenges, returning a challenge page until the visitor obtains a valid cf_clearance cookie. MeshPrivacy completes the challenge server-side and returns the cookie ready for use with your proxy and user agent.

Error Codes

Code	Meaning	Resolution
403	Challenge not solved	Solve via API to obtain `cf_clearance`
503	Interactive challenge served	Submit task with the same proxy you'll use for follow-up requests

Service Schema

Field	Type	Required	Description
`url`	string	Yes	Protected URL showing Cloudflare challenge
`proxy_config`	string	Yes	Proxy in `http://user:pass@ip:port` format — must match downstream IP
`user_agent`	string	No	Custom user agent string

Service ID: cloudflare_waf · Status: Stable

Cookies & Headers

Returned Cookies

cf_clearance — Primary challenge clearance cookie (IP + UA bound)

__cf_bm — Bot management session cookie

Both cookies are bound to the IP and user agent used during the solve. Reuse them only with the same proxy and UA.

Integration Example

cloudflare-waf.js

// Submit Cloudflare WAF task to MeshPrivacy
const response = await fetch('https://api.meshprivacy.com/v1/tasks/submit', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', 'X-API-Key': API_KEY },
  body: JSON.stringify({
    service: 'cloudflare_waf',
    url: 'https://target-site.com/',                          // required
    proxy_config: 'http://user:pass@ip:port',                 // required
    user_agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)...'// optional
  })
});
const { task_id } = await response.json();

const result = await fetch(`https://api.meshprivacy.com/v1/tasks/result/${task_id}`, {
  headers: { 'X-API-Key': API_KEY }
});
const { cookies } = await result.json();
// Use cookies.cf_clearance in your downstream requests

FAQ

Turnstile is a sitekey-based widget you embed on a form. Cloudflare WAF is the network-edge challenge that gates a URL before any form. They are distinct services in MeshPrivacy: turnstile vs cloudflare_waf.

Related Services

Cloudflare Turnstile|Akamai|AWS WAF|DataDome