Cloudflare Partnering with Web Browsers for Privacy-First Framework to Authenticate AI Agents

Cloudflare, the leading cloud connectivity company, announced a landmark collaborative initiative alongside major web browser developers, including Mozilla Firefox, Google Chrome, and Microsoft Edge, to design, implement, and standardize a privacy-preserving internet protocol.

The open standard is engineered to help both human users and autonomous AI agents seamlessly verify the legitimacy of their web traffic without exposing personal identities or browsing histories. As the internet increasingly shifts from traditional, human-initiated clicks toward continuous AI agent automation, the framework provides website operators with a secure mechanism to block malicious bot attacks without deploying invasive user tracking tools or friction-heavy security checkpoints.

The AI Agent Boom and the Failure of Traditional Defenses

For decades, cybersecurity frameworks have relied on a patchwork of reactive perimeters to detect and mitigate automated web abuse. However, the rapid expansion of generative AI and autonomous agentic workflows has disrupted traditional bot detection models. Modern automated scrapers, credential stuffers, and rogue LLM crawlers mimic human behavior with extreme precision, driving up operational costs, straining server resources, and elevating risk metrics for online platforms.

This transition has made it hard to distinguish human traffic from machine requests, which poses a serious challenge for privacy and user experience. When contemporary web applications have to check the source of incoming packets, the existing defensive strategies, including mandatory account logins, cookie walls, and CAPTCHA tests, undermine customer confidence and create a poor user experience.

Introducing Private Access Control Tokens (PACT)

To solve this systemic friction, the coalition is advancing Private Access Control Tokens (PACTs). The protocol enables trusted origin environments (such as a user’s primary operating system, device, or primary web portal) to generate mathematically secure, anonymous cryptographic tokens based on localized, high-integrity contextual relationships.

The architectural breakdown of the PACT framework includes:

Frictionless Verification: A user’s browser or authorized AI agent can present these pre-validated tokens to third-party web servers out-of-band, instantly proving a legitimate foundation without requiring manual intervention.

Zero Tracking Footprint: PACTs are cryptographically decoupled by design. Receiving websites can verify the token’s validity, but they cannot trace the token back to a specific individual, link user sessions, or compile a visitor’s cross-site browsing history.

High-Integrity Assurances: By routing PACT validations natively across Cloudflare's global edge network, digital merchants and public utilities can safely isolate abusive scraping and malicious botnets while dedicating compute resources to valid audiences.

“The way we interact with the internet is undergoing a fundamental shift. Everyday tasks, like ordering food, used to require users to personally navigate menus and payment gateways. Now, autonomous agents are starting to manage these workflows on behalf of people,” said Dane Knecht, Chief Technology Officer at Cloudflare. “As AI-powered traffic becomes more widespread, existing tools to support its use are proving too generic and rudimentary. This collaboration now allows us to eliminate the hurdles posed by security protocols for all visitors, human or agent, without sacrificing privacy.”

“In the retail world, any additional difficulty, delay, or false positive can turn a purchase into an abandoned cart. Merchants need effective protections against automated abuse, but shoppers shouldn’t have to pay for them with unnecessary friction or invasive tracking. Shopify is proud to contribute to the development of PACT as an open, privacy-protecting standard that can help the millions of businesses on our platform distinguish legitimate shoppers and authorized agents from abusive traffic, while preserving shopper privacy.” – Ilya Grigorik, Senior Engineer at Shopify.

Global Ecosystem Commitment to Open Interoperability Standards

The technical specifications for PACT are currently being prepared for formal submission to international web standards bodies to guarantee cross-platform compatibility and native, vendor-agnostic implementation across the open web.

“The health of the web depends on effective, interoperable, and privacy-respecting tools that allow websites to combat abuse without causing unnecessary inconvenience to users. At Microsoft, we are delighted to collaborate on the development of new standards and help ensure their implementation across the open web.” — Erik Anderson, Director of Engineering for the Microsoft Edge Web Platform.

“Mozilla is committed to defending openness and user privacy on the web. A surge of automated traffic is forcing websites to adopt drastic defensive measures (paywalls, identity verification, CAPTCHAs, and invasive tracking) simply to determine if a request is from a human. We can create a better solution that maintains a high level of privacy while providing a far less intrusive experience for real users browsing the web. This project requires collaboration across the entire ecosystem, and we are excited to work with Cloudflare and other partners who share our vision to make it a reality.” — Bobby Holley, Technical Director of Firefox at Mozilla.