Is this just CAPTCHA for Eloqua forms?

No. It is a managed marketing-operations protection layer that combines Turnstile verification, server-side Worker validation, review workflow, safe forwarding, and reporting.

Does the public page expose the dashboard?

No. Client dashboards are protected, client-specific workspaces. Public pages describe the capability without exposing private URLs, tokens, credentials, or internal routes.

Is AI used in the first version?

The first version is deterministic and rules-based. AI-assisted scoring, spam memory, campaign-fit checks, and reporting are planned future layers.

Where are suspicious submissions held before review?

Suspicious or failed submissions can be stored in Cloudflare KV as a pending review queue or rejected spam evidence, keeping them out of Eloqua until a routing or review decision is made.

Managed Eloqua protection

Cloudflare Turnstile protection for Eloqua forms

Q: What role does Cloudflare KV play?

Cloudflare KV acts as the operational datastore for pending review records, rejected spam evidence, form routing configuration, and future client-specific spam memory. This helps keep suspicious submissions out of Eloqua until a routing or review decision is made.

Secure form validation, exception review, and controlled forwarding for enterprise marketing automation teams using Oracle Eloqua.

Built for Eloqua form spam review using Cloudflare Turnstile, Workers, KV, and Access. Suspicious submissions enter a secured review layer, and approved records can be forwarded to the original Eloqua form.

View solution architecture

Managed protection layer

Build status

Pilot-ready

Turnstile + Worker + KV

Review mode

Protected queue

Routing

Pass / hold / reject

Storage

Cloudflare KV

Destination

Oracle Eloqua

Routing strip

Clean forward

Suspicious hold

Rejected retain evidence

Illustrative UI only. Client dashboards are protected and client-specific.

01

Eloqua form

02

Turnstile

03

Cloudflare Worker

04

Review dashboard

05

Safe Eloqua forwarding

Proof of concept

Built from an enterprise Eloqua proof of concept.

A working proof of concept has been built for an enterprise Eloqua use case. It demonstrates secured reviewer access, simulation testing, review queue logic, and controlled forwarding into Eloqua.

The current proof of concept demonstrates the full operational loop: protected form submission, verification, exception routing, secured reviewer dashboard, accept/reject handling, and approved forwarding into Eloqua.

Demonstrated loop

Protected submission and verification

Exception routing into a review queue

Secured reviewer dashboard access

Accept/reject handling and Eloqua forwarding

Private dashboard links, Worker URLs, Access policy details, tokens, and secrets are not exposed on this public page.

Simulation lab

Controlled defensive testing for review routing.

The system includes a controlled spam simulation lab for defensive testing. Some simulation scenarios are caught by Cloudflare Turnstile verification, while others are caught by review-layer rules and routed into the exception queue.

Missing Turnstile token

Verification failure scenario.

Invalid token

Verification failure scenario.

Unknown form ID

Review-layer routing scenario.

Malformed email

Review-layer validation scenario.

URL-heavy message

Review routing scenario.

Honeypot-style fields

Exception queue scenario.

Repeated submissions

Controlled defensive testing for repeated patterns, review routing, and submission history.

Database and evidence

KV creates an operational evidence trail.

Cloudflare KV gives the protection layer a lightweight operational database for the pending queue, review status, forwarding status, simulation metadata, submission history, and evidence trail potential.

Later production versions can add CSV or export workflows for client review and reporting. That supports operational visibility without overclaiming compliance.

Pending queue and review status

Forwarding status and submission history

Simulation metadata and evidence trail potential

CSV and export potential later

Solution architecture

How the protection layer fits together

The architecture uses Cloudflare Turnstile for front-end verification, a Cloudflare Worker for server-side validation and routing, Cloudflare KV for review queues and spam evidence, and a protected dashboard for client review before accepted records are safely forwarded into Oracle Eloqua.

Forwarding preserves the exact captured HTML field names from the original form submission.

Cloudflare KV acts as the lightweight operational datastore for the protection layer. It can hold pending review records, rejected spam evidence, routing configuration, and future client-specific spam memory.

Cloudflare KV gives the protection layer somewhere safe to hold suspicious records before they touch Eloqua. Clean submissions can be forwarded directly, while failed or suspicious submissions can be stored for review, accepted, rejected, or retained as evidence.

Architecture preview - click to enlarge

Includes Cloudflare KV

Illustrative solution view for the managed protection layer.

Security and compliance foundation

Built on Cloudflare. Designed for enterprise review.

The protection layer is built on Cloudflare Turnstile, Workers, KV, and Access. Turnstile handles front-end verification, Workers handle server-side validation and routing, KV stores operational review and evidence records, and Cloudflare Access can protect client dashboards.

Cloudflare provides a strong infrastructure foundation, but client-specific compliance depends on configuration, data handling, retention, access control, and governance.

The final client implementation still needs review for data retention, access control, governance, legal basis, and client security requirements. pl8ypus does not claim this solution is ISO certified.

Compliance-aligned building blocks

Cloudflare infrastructure foundation

Cloudflare Turnstile

Front-end verification before a form submission is trusted.

Cloudflare Workers

Server-side token validation, routing logic, and forwarding decisions.

Cloudflare KV

Operational storage for pending review records, rejected spam evidence, routing configuration, and future spam memory.

Cloudflare Access

Protected dashboard access for authorised client users.

Oracle Eloqua forwarding

Accepted records are forwarded only after the defined validation and routing logic has run.

pl8ypus controls

Retention, review workflow, decision logging, onboarding, and client-specific operating rules.

KV should be treated as an operational review and evidence store, not the long-term system of record. Oracle Eloqua remains the destination for accepted marketing submissions.

AI-assisted scoring is not part of the security claim today. The current implementation is based on deterministic Turnstile, Worker, KV, Access, and Eloqua forwarding architecture.

The problem

Eloqua teams need review, not just blocking.

Oracle Eloqua spam protection can block form submissions, but review workflows are often limited. Marketing operations teams still need visibility into suspicious submissions and a clear record of why a submission was held, rejected, or approved.

Enterprise teams often need a controlled way to inspect exceptions before forwarding data into Eloqua, especially when a campaign form is business-critical and every false positive has a cost.

The solution

A managed review layer before data reaches Eloqua.

This is not a generic captcha page. It is a marketing-operations protection layer designed around validation, routing, review, and controlled handoff into the right Eloqua form.

The first implementation is focused on Oracle Eloqua. The same architecture can later support other marketing forms where data quality, protected review, and campaign-level visibility matter.

Cloudflare KV stores the pending review queue, rejected spam evidence, form routing configuration, and client-specific spam memory. This keeps suspicious data out of Eloqua while still giving the client a controlled review and audit trail.

Approved records can be forwarded to the original Eloqua endpoint while preserving the exact captured HTML field names from the original form submission.

After protection

Clean submissions forward safely

Suspicious submissions held

Rejected records retained as evidence

Campaign data stays cleaner

Review decisions become visible

Workflow

How the protection layer works

01

Protect the form

Apply the managed layer to selected Eloqua forms and campaign pages.

02

Verify with Cloudflare Turnstile

Confirm the interaction before the submission can continue.

03

Validate server-side in the Worker

Check the verification response and route the record through controlled logic.

04

Route suspicious records

Hold risky or failed submissions outside Eloqua for review.

05

Review, approve, or reject

Give authorised users a protected queue for campaign-safe decisions.

06

Forward approved records to Eloqua

Approved records reach the original Eloqua endpoint using the exact captured HTML field names. Rejected patterns become evidence for reporting.

Future layer

Built for AI-assisted review

The first version is deterministic and rules-based: Turnstile verification, Worker validation, review queue, and safe Eloqua forwarding. The future layer adds AI-assisted scoring for suspicious submissions, lead-quality checks, spam-pattern detection, and campaign-level reporting.

Cloudflare AI is the natural future layer for this workflow, but AI is planned as an assistant to review and reporting. It is not the first line of defence.

Over time, the KV-backed review history can become the foundation for client-specific spam memory and future AI-assisted scoring.

Future AI signals

Planned layer

Message quality score

Planned

Fake lead likelihood

Review aid

Campaign-fit signal

Context

Repeated pattern match

Evidence

Client-specific spam memory

Monthly summary generation

AI assists review. Turnstile and server-side validation remain the foundation.

Protected client area

Client-specific dashboards, not public demos.

Each client can have a protected dashboard in the pl8ypus client area for form review, accepted and rejected submissions, form-level routing, monthly reporting, and a campaign protection view.

Public pages describe the capability only. Live client review dashboards are protected workspaces and are not linked from this solution page.

View client area context

Protected workspace

Enterprise Form Protection

Client login

Queue Accepted Rejected Forms Reports

Pending review queue

Exception review

Accepted/rejected submissions

Decision history

Original Eloqua endpoint

Controlled forwarding

Pilot-ready roadmap

From proof of concept to controlled production.

The proof of concept currently keeps more records visible for demonstration. Production routing can be configured so clean passed submissions forward directly and only exceptions enter review.

Multi-form support

Extend the same validation and routing pattern across priority Eloqua forms.

Pilot focus

Secured client dashboard

Client-specific Cloudflare Access policies, exception review, and protected operational views.

Review history and export

Review status, forwarding status, optional evidence reporting, and export paths.

Role-based permissions

Future reviewer roles, access boundaries, governance support, and audit-friendly operating rules.

Pilot scope can include exception-only production routing, client-specific access policies, optional evidence reporting, and a rollout plan for additional Eloqua forms.

Why pl8ypus

Why this belongs with pl8ypus

This sits at the intersection of Eloqua implementation, Cloudflare Workers, protected client apps, and marketing data quality.

Eloqua-first implementation knowledge

Form routing and campaign handoff context

Practical marketing automation constraints

Data quality before lead follow-up

Cloudflare-native product architecture

Worker validation and routing patterns

Protected app thinking from the start

Safe public pages with private operations

Marketing operations workflow thinking

Review queues that match real team behaviour

Reporting built around campaign confidence

Rollout paths from pilot to managed service