TL;DR: Cloudflare, Mozilla, Google, Microsoft, and Shopify are jointly developing PACT (Private Access Control Tokens), a protocol designed to prove a visitor is human or an authorized agent, without CAPTCHAs, forced logins, or reconstructing their browsing history.
The web just crossed a symbolic line. Cloudflare Radar data shows automated HTTP requests now account for roughly 58% of global traffic, compared with 42% from people. Cloudflare CEO Matthew Prince had predicted the crossover; the rise of AI agents (assistants like ChatGPT and Gemini browsing on users' behalf) reportedly pulled it forward by about 18 months.
Against that backdrop, Cloudflare announced a joint initiative with Firefox, Chrome, and Edge to build a new internet standard. The goal: verify whether access is legitimate without relying on today's defaults (visual challenges, login walls, covert browser fingerprinting) that frustrate users and raise serious privacy concerns.
For teams collecting web data at scale, the shift matters. It redraws the line between legitimate automation and abuse, a topic at the center of Piloterr's anti-bot bypass and WebUnlocker products.
Anonymous tokens instead of CAPTCHAs
PACT works from a simple premise: a site that already has strong knowledge of a visitor (for example after robust authentication) can issue an anonymous token. The browser stores it and can present it to other sites as proof that a real person, or an agent they explicitly authorized, sits behind the session.
The design is meant to be non-trackable: the token cannot follow users across sites or rebuild their browsing history. That is the opposite of fingerprinting techniques and extension scanning that became the default when platforms tried to separate humans from scripts.
In practice, PACT could reduce friction on sensitive journeys (checkout flows, gated content, public services) while still letting publishers filter clearly abusive traffic.
Who is involved, and why now
The announcement spans the stack:
- Cloudflare, which sees a huge share of HTTP traffic and already runs bot-management products;
- Mozilla (Firefox), Google (Chrome), and Microsoft (Edge), together around 77% of browsers by StatCounter's count;
- Shopify, where every false positive or extra delay can mean an abandoned cart.
Cloudflare CTO Dane Knecht frames the problem bluntly: the internet is changing as AI-driven traffic grows, and today's security tools are too coarse to treat humans, authorized agents, and malicious scrapers differently.
Browser vendors argue for the open web. Mozilla's Bobby Holley points to an "avalanche of automated traffic" pushing sites toward blunt defenses: paywalls, identity checks, invasive tracking. Microsoft's Erik Anderson stresses the need for tools that fight abuse without punishing every visitor.
On the commerce side, Shopify distinguished engineer Ilya Grigorik notes that in e-commerce, every extra hurdle can turn a purchase into an abandoned cart. An open, privacy-preserving standard that separates real shoppers and mandated agents from abusive bots addresses a concrete need for millions of merchants.
Not a war on all bots
Worth stating clearly: PACT is not meant to shut down automation. Cloudflare itself is betting on AI agents. The aim is to separate legitimate requests (an assistant fetching a price for you, an allowed indexing crawler, a contracted B2B enrichment pipeline) from aggressive scraping campaigns, credential stuffing, and application-layer abuse.
Developers and data teams know the distinction well. Not every project needs a WebUnlocker to pull public HTML, but when a site hardens its defenses, knowing whether your traffic might one day qualify for a PACT token or will still be treated as suspicious changes the calculus around compliance, success rates, and infrastructure cost.
Standing on Privacy Pass
PACT does not start from scratch. Apple already runs a related system called Privacy Pass, using a device's secure enclave to attest identity without exposing it. Cloudflare uses Privacy Pass as a signal in its bot-management stack.
In 2024 the IETF published the Privacy Pass Architecture as RFC 9576. PACT extends that foundation with broader browser support and an explicit focus on the agentic traffic that reshaped the web over the past year.
Timeline and open questions
No deployment date has been announced. The partners committed to maturing the protocol and submitting it for standardization, but turning a specification into billions of browser sessions takes time: technical negotiation, implementation, publisher adoption.
The challenge is not only technical. PACT offers publishers less data about visitors, not more. In an ecosystem long shaped by measurement and ad targeting, uptake will depend as much on publisher appetite as on standards-body speed.
What this means for scraping and data collection
In the short term, nothing flips overnight. CAPTCHAs, Turnstile, and WAFs remain the norm on thousands of domains, including a large share protected by Cloudflare itself.
In the medium term, PACT could:
- Reduce challenges for sessions already attested, especially on e-commerce and SaaS flows;
- Create a formal lane for authorized AI agents, with clearer rules than blind blocking;
- Accelerate the retreat from the most invasive fingerprinting, under regulatory and technical pressure.
For serious web scraping projects, the lesson is unchanged: favor authorized sources, respect terms of use, and architect pipelines that separate legitimate collection from abusive circumvention. PACT will not replace a well-designed API or a contractual agreement with a source, but it may one day offer cryptographic proof that your agent operates inside a recognized framework.
The web is searching for balance between authenticity and privacy. PACT is the latest attempt to codify it. Whether the standard lands fast enough to ride the AI-agent wave, or sites keep hardening their walls in the meantime, is still an open bet.