Cloudflare and the makers of Chrome, Firefox and Edge announced on June 22, 2026 that they are jointly building PACT (Private Access Control Tokens), a standard that lets a browser prove a session comes from a legitimate human or well-behaved bot without revealing who the user is. Think of it as a shareable, privacy-preserving CAPTCHA result. The reason it exists is blunt: automated traffic has officially overtaken people online, and the crude tools sites use to fight abuse (paywalls, identity checks, invasive tracking) are degrading the web for everyone.
- PACT is a joint effort by Cloudflare with Mozilla Firefox, Google Chrome and Microsoft Edge to standardize a privacy-preserving proof of legitimate traffic.
- Sites with strong signals of "personhood" issue anonymous tokens a browser can present elsewhere as proof, without exposing identity or browsing history.
- The trigger: bots now account for roughly 58% of HTTP requests worldwide against 42% from humans, a crossover that agentic AI brought forward by about 18 months.
- PACT builds on Privacy Pass, published as IETF RFC 9576, extending it with broad browser support aimed at the agentic-AI era.
Why build this now?
Because the composition of web traffic flipped. Cloudflare Radar data shows automated systems now generate about 58% of all HTTP requests worldwide, against 42% from people, and CEO Matthew Prince noted that agentic AI browsing on behalf of assistants like ChatGPT and Gemini pulled that crossover forward by roughly 18 months. When most requests are machines, the old binary of "block bots, allow humans" breaks, because plenty of bots are legitimate and plenty of humans get caught in the crossfire. Sites reacted with blunt defenses (paywalls, identity walls, aggressive fingerprinting), and those tools punish real users while barely slowing sophisticated abuse.
How does a token prove you are legitimate without identifying you?
This is the clever part, and it is not new cryptography. An issuer that already has strong evidence of "personhood," a site where you have signed in and behaved like a human, mints an anonymous token. Your browser stores it and can present it to other sites as proof that this session is desirable traffic. Crucially, the token is designed so it cannot be used to track you or reconstruct your history; it asserts a property, "this is legitimate," not an identity. It reframes the test from "are you a human or a bot" to "is this traffic wanted," which is the more useful question in an agentic world.
| Approach | PACT tokens | Traditional CAPTCHA | Fingerprinting |
|---|---|---|---|
| User friction | Low, prove once | High, repeated puzzles | Invisible |
| Privacy | Anonymous by design | Moderate | Poor, tracks users |
| Handles good bots | Yes | No, blocks all | Crudely |
| Standardized | Building on RFC 9576 | Proprietary | Ad hoc |
| Browser support | Chrome, Firefox, Edge | Universal | Universal |
What is the catch?
Two things. First, no deployment timeline exists. The partners have committed to developing PACT and submitting it for standardization, but turning a spec into something that works across billions of browser sessions takes years, and the coalition is notably missing Apple's Safari as a named participant, though Apple already ships a related Privacy Pass system. Second, and more serious, is the gatekeeping risk. If your traffic needs a token to be treated as legitimate, then whoever issues tokens decides whose sites and software count as worthy. Critics warn the tokens could become an access barrier that smaller publishers and independent tools have to negotiate for, quietly centralizing who gets to be seen as a "real" visitor.
- Does Safari join? Apple's absence matters. Without it, coverage has a large hole on mobile.
- Who becomes an issuer. The list of trusted issuers is where the real power, and the gatekeeping risk, lives.
- Standardization pace. Committing to a spec is easy. Watch whether it clears the IETF and ships in stable browsers.
- Effect on small sites. The test is whether independent publishers benefit or get squeezed by token requirements.
Our take
PACT is aimed at a genuine crisis: the bot-versus-human arms race has made the open web measurably worse, and a privacy-preserving standard is a far better answer than the fingerprinting and paywalls sites reach for today. Building on Privacy Pass rather than inventing new machinery is the right instinct, and getting Chrome, Firefox and Edge to commit together is a real achievement. The worry is structural, not technical. Any system where legitimacy is something you must be granted concentrates power in whoever does the granting, and the history of the web is littered with well-intentioned gatekeepers that hardened into tolls. If the issuer set stays broad and the standard stays truly open, PACT could make the web less hostile for everyone. If it narrows, it risks becoming another checkpoint the big platforms control. The idea is sound. The governance is everything.
- Official: Cloudflare press release, the PACT announcement
- Reference: IETF RFC 9576, the Privacy Pass architecture PACT builds on
- Benchmark: Cloudflare Radar, live bot-versus-human traffic data
Original analysis by GenZTech. Figures current as of July 2026. Source: cloudflare.com
