Cloudflare and the three major commercial browser makers have committed to developing Private Access Control Tokens (PACTs), a new protocol designed to help websites distinguish legitimate traffic from abusive requests without relying on CAPTCHAs or invasive identity checks. The initiative includes Google Chrome, Microsoft Edge, and Mozilla Firefox, with technical specifications still being finalized across related proposals.
The protocol allows websites with what developers call "strong knowledge of personhood" to issue anonymous digital tokens that users and authorized bots can present when visiting other sites. These tokens function similarly to a shareable CAPTCHA result, but focus on verifying the legitimacy of traffic intent rather than simply distinguishing humans from bots. The system aims to reduce friction for both human visitors and AI-powered agents while maintaining security controls.
Technical details remain under development, particularly regarding the criteria for determining legitimate "personhood." The definition appears to extend beyond human users to include software authorized to act on behalf of legitimate users for approved purposes. Past discussions among Google and Mozilla developers suggest the system will not intentionally exclude specific hardware platforms, browsers, or user agents, though the final implementation details have not been disclosed.
Cloudflare positions PACTs as a response to the growing volume of automated traffic that forces websites to deploy blunt defensive measures like paywalls, invasive tracking, and repeated identity verification. The company's CTO Dane Knecht stated the protocol will eliminate friction caused by security protocols for legitimate visitors while accommodating AI-powered traffic. Website operators struggling with unwanted crawler traffic may benefit from the ability to focus resources on traffic they consider valuable.
Privacy advocates note that while PACT tokens will not contain personal details, they do not address existing browser fingerprinting and tracking methods. The protocol fundamentally creates a system for categorizing internet traffic as welcome or unwelcome, potentially introducing new access barriers. Critics warn that poorly implemented versions could require site visitors or software operators to negotiate with publishers to have their traffic recognized as legitimate, raising concerns about maintaining an open web.
Source: https://www.theregister.com/software/2026/06/22/cloudflare-teams-up-with-big-browsers-to-help-websites-tell-welcome-from-unwelcome-visitors/5259782


