Browsers and Cloudflare Create PACT to Authenticate Human Traffic and Combat Bots

What happened?

Cloudflare has announced a joint initiative with major browsers —Google Chrome, Mozilla Firefox, and Microsoft Edge— to develop a new internet protocol called Private Access Control Tokens (PACT). The goal is to verify whether access to a website is legitimate (human or authorized agent) or malicious, without resorting to CAPTCHAs or invasive tracking systems. The news was published by TechRadar and confirmed by Cloudflare's own press release.

According to Cloudflare Radar data, bot traffic has officially surpassed human HTTP requests on the web, prompting the search for more effective and privacy-friendly solutions. Participating browsers account for approximately 77% of the market according to StatCounter, ensuring widespread adoption of the protocol.

Why is it important?

The balance between security and user experience is a constant challenge. CAPTCHAs and other verification methods create friction, affect conversion rates, and can be vulnerable to advanced attacks. PACT proposes an approach based on anonymous "personhood" tokens generated in the user's browser from trusted contexts, such as prior interaction with authenticated services, but without revealing personal information.

Additionally, the protocol is designed to also recognize legitimate bot traffic, such as authorized AI agents, which is crucial at a time when automation is growing exponentially. As noted by Ilya Grigorik, distinguished engineer at Shopify, in Cloudflare's announcement: "In commerce, every extra challenge, delay, or false positive can turn a purchase into an abandoned cart. Merchants need effective protections against automated abuse, but shoppers shouldn't pay for them with unnecessary friction or invasive tracking."

How does PACT work?

PACT is based on private access control tokens. The user's browser issues an anonymous token certifying that the access comes from an entity with an authentic relationship with a service (e.g., having previously logged in or using a verified device). This token is presented to the website without revealing the user's identity or browsing data. Cloudflare will act as one of the trusted issuers, but the protocol is open and any entity could implement it.

According to Cloudflare, the protocol "raises the standard of trust and integrity online without the traditional costs." No additional login or user interaction is required; the token is generated transparently in the background.

Consequences and outlook

If PACT is successfully implemented, it could drastically reduce the use of CAPTCHAs and other annoying verification methods, improving browsing experience and conversion rates on e-commerce sites. It could also hinder malicious bots, as tokens require an indirect "proof of humanity" that is not easy to fake at scale.

However, questions remain about adoption by other browsers and potential centralization if only a few issuers control token issuance. Privacy is a strong point, but it will be crucial to audit the protocol's open source code to ensure no covert tracking vectors are created.

For readers, the main recommendation is to stay informed about PACT's evolution, as it could change how we interact with the web. Companies, especially e-commerce and online services, should prepare to integrate this protocol if they seek to reduce friction in authenticating legitimate users.

"PACT represents a step forward toward a more secure and less intrusive web, where humanity verification does not compromise privacy or user experience."