Cloudflare has announced a partnership with Google Chrome, Microsoft Edge, and Mozilla Firefox to develop Private Access Control Tokens (PACTs), a new protocol aimed at distinguishing genuine web traffic from unwanted network requests.

The system is designed to allow websites to generate digital tokens that confirm a browsing session is being conducted by a human or an authorized bot with legitimate intent.

The technical details are still being finalized and aligned across related proposals. Cloudflare sees PACTs as a way to reduce friction for real users and authorized bots while maintaining privacy.

How PACTs Work and Why They’re Being Developed Now

PACTs enable websites with a strong understanding of personhood to issue anonymous tokens. These tokens can then be presented by browser users and designated bots at other sites, reducing the need for repeated identity verification.

They serve as a shareable, privacy-preserving CAPTCHA result. Instead of testing whether a visitor is human or a bot at each site, the system tests once and generates a token that other sites can accept.

The specific criteria for what qualifies as “strong knowledge of personhood” have not been fully explained. Personhood appears to include software authorized to act on behalf of a legitimate person, such as AI agents performing tasks like booking tickets or shopping.

Previous technical discussions by developers from Google and Mozilla suggest that the system does not aim to exclude particular hardware, platforms, or user agents.

The web is seeing a rise in automated traffic, much of it driven by AI agents. Some of these agents serve legitimate purposes for users, such as the recent integration of Visa and ChatGPT for autonomous retail purchases.

However, there’s also automated traffic from disrespectful crawlers and malicious bots that scrape content or attempt fraud.

Dane Knecht, CTO of Cloudflare, explained: “As AI-powered traffic becomes more common, the tools we have to support its use are too basic and broad. This collaboration allows us to reduce the friction caused by security measures for all visitors, whether human or automated, without compromising privacy.”

Bobby Holley, CTO of Firefox at Mozilla, highlighted the user experience: “An increase in automated traffic is causing sites to adopt blunt defenses like paywalls, identity checks, CAPTCHAs, and invasive tracking methods just to distinguish human visitors from bots.”

Privacy Concerns, What Users Should Know, and What Comes Next

While Cloudflare emphasizes the privacy aspects of PACTs, the system doesn’t cover all browser tracking and fingerprinting methods. PACT tokens themselves do not contain personal information.

However, existing infrastructure for tracking users through fingerprinting, IP addresses, and other browser signals remains in place.

The system also raises questions about the open web. PACTs effectively create a tiered system of trusted and untrusted traffic. Websites that implement PACTs may treat traffic lacking valid tokens as suspicious, which could create a barrier to access.

Smaller bot operators, independent developers, and users on less common browsers or platforms might find access harder if their software can’t easily obtain tokens.

The Cloudflare announcement states that the protocol is designed to help businesses identify genuine visitors, positioning it as an anti-fraud measure.

This framing makes it clear that PACTs are intended to distinguish between legitimate and unwanted traffic, rather than simply differentiating humans from automated bots.

For most end users, the introduction of PACTs is likely to go unnoticed. Users browsing with Chrome, Edge, or Firefox will automatically receive tokens when their browser sessions are recognized as legitimate. This should lead to fewer CAPTCHA prompts and fewer identity requests across the web.

For users of less common browsers or privacy-focused options like Tor, and for those employing specific bot frameworks for legitimate reasons, the system might create additional obstacles if their setup doesn’t qualify for token issuance.

Mozilla has said that its involvement demonstrates a commitment to maintaining openness and protecting user privacy online. The choices Mozilla and other browser developers make regarding the implementation will influence how widely the token system becomes accessible.

The technical specification for PACTs is currently being developed through collaboration between Cloudflare and the three main browser makers.

There is no announced timeline for when PACTs will be available in production browsers. Those interested in tracking the development should keep an eye on the relevant standards processes at the IETF and W3C, where similar privacy-focused identity proposals have been discussed in the past.

The specific venue for PACT standardization has not yet been confirmed.


