Supabase Cloudflare Turnstile: hostname matching doesn’t cover Vercel preview deployment subdomains

We’re using Supabase’s built-in CAPTCHA support with Cloudflare Turnstile. Works fine on our production domain but fails on every Vercel preview deployment.

Vercel preview deployments get unique hostnames like my-app-abc123-team.vercel.app. According to Turnstile’s hostname management docs, adding a parent domain covers all subdomains. So we added vercel.app as an allowed hostname — but verification still fails with invalid-input-response.

Adding the specific deployment hostname (e.g. my-app-abc123-team.vercel.app) fixes it immediately, confirming the issue is hostname matching. But since every deployment gets a unique hostname, this isn’t viable.

Because Supabase’s CAPTCHA enforcement is global (once enabled, all auth calls require a valid token), there’s no way to have CAPTCHA on production while letting preview deployments work. The only workarounds are disabling Supabase’s built-in CAPTCHA entirely and handling verification server-side, or not testing auth on previews.

Has anyone found a better solution? This seems like it would affect many Supabase + Vercel users.

Frustrating, I know. There is no clear-cut solution for this. Can I know why you are using Supabase’s solution and not some other one that might work?

This is a security feature of Turnstile, because a malicious party can spin up a preview site using your Turnstile site key, generate valid captcha tokens, and then send them directly to your Supabase project’s auth APIs.

An alternative is to use a different Supabase project for your testing environment. This will also keep your production data separate from your testing workflows.

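An added example, not part of any post in this thread and not Supabase's or Cloudflare's code: for the server-side verification route mentioned in the question, the backend can check the hostname field that Turnstile's siteverify response returns, so a token solved on a preview deployment is never accepted by production. The hostnames, project and team slugs, POLICY values and function names are assumptions, and the sample values are constructed.

```javascript
// Added example. Hostnames, slugs and POLICY values are constructed assumptions.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

const POLICY = {
  productionHosts: new Set(["app.example.com"]),
  // Previews of one project under one team, never the whole vercel.app domain.
  previewPattern: /^my-app-[a-z0-9]+-team\.vercel\.app$/,
  maxTokenAgeMs: 5 * 60 * 1000, // local freshness bound (assumed policy value)
};

// Decide whether a parsed siteverify response is acceptable for this backend.
// env is "production" or "preview": the environment the backend itself runs in.
function evaluateSiteverify(result, env, now = Date.now(), policy = POLICY) {
  if (!result || result.success !== true) {
    const codes = (result && result["error-codes"]) || [];
    return { ok: false, reason: "siteverify failed: " + (codes.join(",") || "unknown") };
  }
  const host = String(result.hostname || "").toLowerCase();
  const allowed = env === "production"
    ? policy.productionHosts.has(host)
    : policy.previewPattern.test(host);
  if (!allowed) {
    return { ok: false, reason: `hostname "${host}" not allowed for ${env}` };
  }
  const age = now - Date.parse(result.challenge_ts);
  if (!Number.isFinite(age) || age > policy.maxTokenAgeMs) {
    return { ok: false, reason: "token timestamp missing or too old" };
  }
  return { ok: true, reason: "accepted" };
}

// Network step: exchange the client token for a siteverify response,
// then apply the policy above to the parsed JSON.
async function verifyTurnstileToken(token, secret, env) {
  const res = await fetch(SITEVERIFY_URL, {
    method: "POST",
    body: new URLSearchParams({ secret, response: token }),
  });
  return evaluateSiteverify(await res.json(), env);
}
```

With env fixed to production on the production backend, a token minted on any preview hostname is rejected even when it was solved with the same site key.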