Cloudflare and major browsers develop private access control tokens to separate legitimate traffic from bots


Cloudflare has announced a partnership with Google Chrome, Microsoft Edge and Mozilla Firefox to develop Private Access Control Tokens (PACT), a new protocol aimed at distinguishing genuine web traffic from unwanted network requests.

The system is designed to allow websites to generate digital tokens that confirm that a browsing session is conducted by a human or an authorized bot with legitimate intentions.

Technical details are still being finalized and aligned in related proposals. Cloudflare sees PACTs as a way to reduce friction between real users and authorized bots, while maintaining privacy.

How PACTs work and why they are being developed now

PACTs allow websites with strong knowledge of personhood to issue anonymous tokens. These tokens can then be presented by browser users and by designated bots on other sites, reducing the need for repeated identity verification.

They serve as a shareable, privacy-preserving CAPTCHA result. Instead of testing whether a visitor is a human or a robot on each site, the system tests once and generates a token that other sites can accept.

The specific criteria for what is considered a “solid understanding of personality” have not been fully explained. Personhood appears to include software authorized to act on behalf of a legitimate person, for example artificial intelligence agents that perform tasks such as booking tickets or making purchases.

Previous technical discussions between Google and Mozilla developers suggest that the system is not intended to exclude particular hardware, platforms, or user agents.

The web is seeing an increase in automated traffic, much of it driven by artificial intelligence agents. Some of these agents serve legitimate purposes for users, such as the recent integration of Visa and ChatGPT for autonomous retail purchases.

However, there is also automated traffic coming from disrespectful crawlers and malicious bots that scrape content or attempt to commit fraud.

Dane Knecht, CTO at Cloudflare, explained: “As AI-powered traffic becomes more common, the tools we have to support its use are too basic and broad.

“This collaboration allows us to reduce friction caused by security measures for all visitors, whether human or automated, without compromising privacy.”

Bobby Holley, CTO of Firefox at Mozilla, highlighted the user experience: “An increase in automated traffic is causing sites to adopt strong defenses such as paywalls, identity checks, CAPTCHAs and invasive tracking methods just to distinguish human visitors from bots.”

Privacy concerns, what users should know and what comes next

While Cloudflare emphasizes the privacy aspects of PACTs, the system does not cover all browser tracking and fingerprinting methods. PACT tokens themselves do not contain personal information.

However, the existing infrastructure to track users using fingerprints, IP addresses, and other browser signals remains in place.

The system also raises questions about the open web. PACTs effectively create a tiered system of trusted and untrusted traffic. Websites that implement PACT may treat traffic lacking valid tokens as suspicious, which could create a barrier to access.

Smaller bot operators, independent developers, and users of less common browsers or platforms may struggle if their software cannot easily obtain tokens.

Cloudflare’s announcement claims that the protocol is designed to help businesses identify genuine visitors, positioning it as an anti-fraud measure.

This framing makes it clear that PACTs are intended to distinguish between legitimate and unwanted traffic, rather than simply differentiating humans from automated robots.

For most end users, the introduction of PACT is likely to go unnoticed. Users browsing with Chrome, Edge, or Firefox will automatically receive tokens when their browser sessions are recognized as legitimate. This should result in fewer CAPTCHA messages and fewer identity requests on the web.

For those using less common browsers, privacy-focused options like Tor, or specific bot frameworks for legitimate reasons, the system could create additional hurdles if their setup doesn’t qualify for token issuance.

Mozilla has said its participation demonstrates a commitment to maintaining openness and protecting user privacy online. Decisions made by Mozilla and other browser developers regarding implementation will influence the accessibility of the token system.

The technical specification for PACT is currently being developed through collaboration between Cloudflare and the three major browser manufacturers.

There is no announced timeline for when PACTs will be available in production browsers. Those interested in following development should keep an eye on the relevant standards processes at the IETF and W3C, where similar privacy-focused identity proposals have been discussed in the past.

The specific venue for PACT standardization has not yet been confirmed.


