[Turnstile] Analytics: Challenge Outcomes (#20387)

* Turnstile Analytics: Challenge Outcomes

* fixes

* fixes and disclaimers

* component

* fix alt text

* wording

* Update src/content/docs/turnstile/turnstile-analytics/index.mdx

Co-authored-by: Jun Lee <[email protected]>

---------

Co-authored-by: Jun Lee <[email protected]>

Author: patriciasantaana

src/assets/images/turnstile/challenge-outcomes.png

@@ -0,0 +1,48 @@
+---
+title: Challenge outcome
+pcx_content_type: concept
+sidebar:
+  order: 2
+---
+
+import { Render } from "~/components"
+
+When a visitor encounters Turnstile, it assesses whether they are human or bot-like based on various signals. These outcomes help you evaluate how effectively Turnstile is protecting your application.
+
+## Metrics
+
+A "solved" Turnstile challenge does not automatically confirm the visitor is human. You must [call the siteverify API](#call-siteverify) to validate the token and proceed only if the response returns `success:true`.
+
+For example, the challenge outcome values in your analytics may look like this: 
+
+![Challenge outcome example values](~/assets/images/turnstile/challenge-outcomes.png "Challenge outcome example")
+
+- **Challenges issued**: The total number of challenges presented to visitors within a specific timeframe.
+- **Challenges solved**: The number of challenges successfully completed by visitors in that period.
+- **Challenges unsolved**: Challenges that were abandoned or failed in that period.
+- **Likely human**: The total number of challenges solved or the total number of challenges issued.
+- **Likely bot**: The total number of challenges unsolved or the total number challenges issued.
+
+By analyzing these metrics, you can identify trends such as high failure rates in specific regions, device types, or traffic sources, which may indicate bot activity or misconfigurations.
+
+### Call siteverify
+
+<Render file="siteverify" />
+
+## Solve rates
+
+Turnstile's solve rate is a critical metric that helps gauge how many legitimate visitors are passing a challenge. Solve rates can be broken down into the total number of challenges solved and whether they are interactive, non-interactive, or pre-clearance solves. 
+
+If you are using [managed mode](/turnstile/concepts/widget/#widget-types), you can monitor how many of your visitors were prompted interactivity to check the box on the widget (interactive solves) and how many were verified without any disruptions to their experience (non-interactive solves). 
+
+For example, the solve rate values in your analytics may look like this: 
+
+![Solve rate example values](~/assets/images/turnstile/solve-rates.png "Solve rate example")
+
+### Metrics
+
+- **Non-interactive solves**: Challenges solved without requiring the visitor to click a checkbox.
+- **Interactive solves**: Challenges solved that required visitor interaction to be solved.
+- [**Pre-clearance solves**](/turnstile/concepts/pre-clearance-support/): Challenges solved that issued the `cf-clearance` cookie along with the Turnstile token.
+
+A low solve rate might indicate increased bot activity attempting to bypass Turnstile or anomalous traffic patterns that require further investigation.

src/assets/images/turnstile/solve-rates.png

@@ -0,0 +1,36 @@
+---
+title: Turnstile Analytics
+pcx_content_type: how-to
+sidebar:
+  order: 6
+description: Use Turnstile Analytics to view the number of challenges issued,
+  the challenge solve rate, and the metrics of issued challenges.
+
+---
+
+import { Render, DirectoryListing } from "~/components"
+
+Turnstile Analytics provides you with a view of the top widget statistics across different metadata dimensions to understand where your traffic is coming from, which environments have the highest challenge activity, and whether certain sources are disproportionately failing or bypassing challenges, allowing you to fine-tune your security settings, apply more granular mitigations, and proactively respond to evolving threats.
+
+## Available statistics
+
+- **Top Hostnames**: If the Turnstile widget is placed across multiple hostnames, this will display the highest traffic hostnames where challenges are being issued.
+- **Top Browsers**: A breakdown of browsers that are most commonly encountering Turnstile challenges, helping customers spot trends in visitor traffic.
+- **Top Countries**: View the top originating countries for visitors completing challenges, which can help identify regional traffic anomalies.
+- **Top User Agents**: Identify which user agents are generating the most Turnstile challenge requests.
+- [**Top ASNs**](https://cloudflare.com/learning/network-layer/what-is-an-autonomous-system): Displays the highest volume of challenges issued from specific Autonomous System Numbers (ASNs), helping customers detect potential bot activity.
+- **Top Operating Systems**: Shows which operating systems are most common among visitors passing or failing challenges.
+- [**Top Source IPs**](https://cloudflare.com/learning/ddos/glossary/ip-spoofing): Identify the highest-volume IP addresses issuing Turnstile challenges, which can be useful in identifying attack sources or repeated challenge failures.
+
+## View widget metrics
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account.
+2. Go to **Turnstile** and then navigate to your widget to see an overview of its analytics.
+  
+The metrics show changes in the solve rate, widget traffic, and top actions for your widget.
+
+![Turnstile Analytics overview](~/assets/images/turnstile/top-actions.png)
+
+Refer to the pages below for more information about Turnstile Analytics: 
+
+<DirectoryListing />

src/assets/images/turnstile/token-validation.png

@@ -0,0 +1,24 @@
+---
+title: Token validation
+pcx_content_type: concept
+sidebar:
+  order: 3
+---
+
+import { Render } from "~/components"
+
+After a visitor successfully completes a Turnstile challenge, a token is generated and validated via the siteverify API. Token validation data provides crucial insights into your security posture.
+
+For example, the token validation values in your analytics may look like this: 
+
+![Token validation example values](~/assets/images/turnstile/token-validation.png "Token validation example")
+
+## Metrics
+
+- **Siteverify requests**: The total number of requests made to the siteverify API in the given timeframe.
+- **Valid tokens**: The number of siteverify requests with `success:true` responses.
+- **Invalid tokens**: The number of siteverify requests with `success:false` responses.
+
+### Call siteverify
+
+<Render file="siteverify" />

src/assets/images/turnstile/top-actions.png

@@ -0,0 +1,10 @@
+---
+{}
+
+---
+
+It is important to [call the siteverify API](/turnstile/get-started/server-side-validation/). Without calling siteverify API to validate the tokens, your website or application is not protected. Skipping token validation means you cannot confirm the visitor's legitimacy.
+
+- Tokens can only be redeemed once. Even valid tokens will return `success:false` if they are reused, preventing token theft and replay attacks.
+- Tokens expire after five minutes. Validation must occur within this window to be effective.
+- Tokens can be invalid. Bots might complete challenges, but Cloudflare can detect bot-like signals and mark the token as invalid.