Bots now generate roughly 57% of all internet traffic, according to Cloudflare CEO Matthew Prince, peaking at 62% during one recent week — a crossover that arrived earlier than anyone predicted. The tools built to fight back: CAPTCHAs, behavioral fingerprinting, IP blocking. They were designed for an era of dumb spam bots and crude scrapers, not AI agents that browse, shop, and fill out forms the way a real person would. Cloudflare, Google Chrome, Microsoft Edge, Mozilla Firefox, and Shopify are now collaborating on a proposed protocol called Private Access Control Tokens (PACT) that aims to replace that entire friction-heavy apparatus.
How Anonymous Tokens Replace Puzzle Grids
PACT lets trusted sites vouch for your browser — without revealing who you are.
Instead of every website running its own CAPTCHA gauntlet, PACT works like a reusable, invisible proof of legitimacy. Sites that already know you’re a real person — because you’ve logged in or established trust — issue anonymous tokens. Your browser stores them. Other sites accept those tokens as evidence that the traffic is genuine. No puzzle grids. No tracking breadcrumbs left behind.
The cryptographic design uses blind signatures, meaning the site that issues your token can’t see where you spend it, and the site that accepts it can’t trace it back to you. Think of it like a concert wristband that proves you paid but doesn’t carry your name. Tokens are anonymous and unlinkable by design — issuers cannot see where tokens are redeemed, and PACT covers human-authorized AI agents, not just humans directly. “Eliminate the friction caused by security protocols for every visitor — whether they are human or agent — without sacrificing privacy.” — Cloudflare CTO Dane Knecht.
Your AI assistant booking a flight on your behalf? PACT is designed to recognize that as “welcome traffic.” A credential-stuffing bot hammering a login page? No token, no entry. That distinction matters: PACT asks “is this traffic desirable?” rather than the blunter “is this a human?”
The Fine Print Cloudflare Isn’t Shouting About
PACT solves one specific problem — not every privacy concern already living in your browser.
The privacy claims deserve some scrutiny. PACT ensures its tokens don’t contain personal data, but it doesn’t neutralize browser fingerprinting or other tracking vectors that already exist alongside it. The Register characterizes PACT as “essentially an anti-fraud initiative” — a more grounded read than the privacy-forward marketing might suggest. These concerns echo broader issues seen with tools like a surveillance app built to track specific groups without their knowledge.
Analysts also flag a harder question PACT sidesteps: what happens when fully autonomous agents — with no human in the loop at all — become the dominant traffic type? That’s reportedly where web traffic is trending next. Who qualifies as a trusted token issuer carries real power over who gets treated as legitimate online, and that governance question remains entirely unsettled.
Nothing changes for you today. PACT is a proposal headed toward standards bodies, with no live implementation, no browser support, and no confirmed timeline. But if it lands, the web’s least dignified ritual — clicking fire hydrants to prove your humanity — might finally get the quiet exit it deserves, replaced by something that works without making you feel like a suspect. For those tired of frustrating computer problems, that day can’t come soon enough.
