Skip to main content
TechnologyJun 23, 2026· 3 min read

Cloudflare Introduces PACT: Anonymous Tokens Instead of CAPTCHAs, with Chrome, Firefox, and Edge

On June 22, Cloudflare introduced PACT (Private Access Control Tokens), a protocol designed to separate legitimate web traffic from abusive traffic using anonymous tokens, without resorting to CAPTCHAs or tracking users' browsing behavior. The initiative also involves browsers such as Google Chrome, Mozilla Firefox, Microsoft Edge, and Shopify, and the partners have committed to moving the protocol towards formal standardization.

The problem that PACT seeks to address is not new for website managers. According to data from Cloudflare Radar, automated traffic now accounts for about 58% of HTTP requests to web content, compared to 42% of human users. This shift was highlighted by CEO Matthew Prince earlier in June, occurring about eighteen months earlier than forecasted due to the explosion of agents like ChatGPT and Gemini that browse on behalf of people.

How the Token Works

The mechanism shifts the burden of verification: a site that has a solid understanding of a visitor's identity can issue an anonymous token; the user's browser stores it and presents it to other sites as proof that behind the session is a real person or an agent authorized to act on their behalf. The goal is to reduce the need for CAPTCHAs and repeated logins while ensuring that the tokens are constructed in a way that they cannot be used to track the user or reconstruct their browsing history.

PACT extends Privacy Pass, the architecture published by the IETF as RFC 9576, expanding support to browsers and targeting agentic traffic generated by AI. A similar system is already in use at Apple, which uses Privacy Pass to leverage the device's secure enclave to attest to the user's identity, a signal that Cloudflare also employs in its own bot management products.

"An avalanche of automated traffic is pushing sites to adopt crude defenses, from paywalls to identity checks, from CAPTCHAs to invasive tracking, just to figure out if a request comes from a human being," said Bobby Holley, CTO of Firefox at Mozilla. The shared idea among partners is that the same result can be achieved while preserving privacy and reducing friction for genuine users. The aim is not to block all automation but to distinguish authorized agents from malicious scrapers and abusive bots.

Unresolved Issues

However, several technical details remain to be defined. Currently, it is still unclear what constitutes that 'strong knowledge of identity' on which the issuance of tokens is based, especially since the concept of a person seems to extend even to software authorized to act on someone's behalf. Additionally, there is no roadmap for the release: for now, the partners have only committed to development and standardization.

The context in which Cloudflare operates is not neutral. The company has embraced agentic AI to the extent of cutting 1,100 jobs in 2026, stating that now agents are performing tasks previously assigned to human staff. In this light, PACT attempts to set rules for a type of traffic that the provider itself considers now predominant, rather than opposing it outright.

For site managers, nothing changes in the immediate term: without a release date and without the definitive details of the protocol, PACT currently remains a mere statement of intent shared by significant players, to be verified in practice when it transitions from draft to standard.

Claude May Request an ID: Anthropic's New PolicyFinally Microsoft 365 Family on sale for €84.99: Complete Office, 1TB for 6 users, costs less than a coffee a month