Cloudflare has introduced PACT (Private Access Control Tokens), a browser-based initiative designed to help websites identify legitimate traffic without relying on CAPTCHA, forced logins, or invasive tracking.
The protocol is being developed with Mozilla, Google, Microsoft, and Shopify, with Cloudflare saying the work will be submitted for standardization. The participating browser vendors include leading names, including Mozilla Firefox, Google Chrome, and Microsoft Edge.
As you can guess, the timing is not accidental. This initiative arrives as website operators face increasing automated traffic from AI agents, scraping tools, spam, and credential-stuffing. Existing defenses, such as the CAPTCHA we’re all familiar with, frequently disrupt user experience by interrupting browsing, forcing logins that require unwanted accounts, and raising privacy concerns through fingerprinting.
PACT tackles all these by allowing a site or service to issue an anonymous token when it is confident a user is genuine. Browsers can then present this token to other sites as proof of human involvement, without disclosing identity or browsing history.
Importantly, the receiving website does not learn the user’s identity, browsing history, or the token’s origin, only that the request likely comes from a legitimate human or authorized agent.
The protocol also addresses the rise of agentic AI, which blurs the boundary between human and automated activity, as not all automated traffic is malicious and not all legitimate actions are performed directly by users.
However, PACT is not yet a finalized web standard, and users should not expect immediate replacement of CAPTCHA. Currently, it remains a promising initiative under development by Cloudflare and its partners, with standardization planned.
But if adopted, PACT will have considerable impact. A widely supported protocol for anonymous legitimacy signals would offer websites an alternative to either inaction or increased user burden, and may influence how browsers and security providers manage automated traffic as AI becomes more prevalent.
For additional details, see Cloudflare’s announcement.
