Cloudflare & browser rivals back privacy token standard

Cloudflare has teamed up with Mozilla Firefox, Google Chrome, and Microsoft Edge to develop a protocol for verifying that internet traffic is not malicious. The group also plans to submit the protocol for standardisation.

The initiative centres on Private Access Control Tokens, or PACT. The system is intended to let websites or platforms with an established relationship to a user issue anonymous tokens that can then be presented elsewhere through a browser. The aim is to help websites distinguish between legitimate human users, authorised automated agents, and abusive traffic without relying on CAPTCHAs, forced logins, or tracking cookies.

The effort also includes Shopify, reflecting interest from online commerce groups facing growing pressure from bot traffic and fraud controls that can disrupt purchases. The work comes as website operators try to adapt to a sharp rise in automated activity, including software agents acting on behalf of users as well as malicious bots.

The companies involved are trying to address a problem that has become more urgent as generative AI tools spread across consumer and business services. Sites have long used a mix of account checks, challenge screens, and tracking systems to block abuse, but those tools can create friction for genuine visitors and raise privacy concerns.

PACT is designed around a model in which a browser can present proof that a human is involved in a transaction or browsing session while limiting the personal information disclosed to the receiving site. The system is intended to avoid revealing a user's identity or browsing history.

Dane Knecht, Chief Technology Officer at Cloudflare, said the current set of internet controls is no longer well suited to a shift towards software agents carrying out routine tasks for users.

"The way we interact with the internet is facing a fundamental shift. Normal everyday tasks like ordering food previously required a user to personally navigate menus and payment gateways. Now, autonomous agents are starting to orchestrate these workflows on behalf of people," said Dane Knecht, Chief Technology Officer at Cloudflare.

"As AI-powered traffic becomes widespread, existing tools to support its use are too generic and coarse. This collaboration lets us eliminate the friction caused by security protocols for every visitor-whether human or agent-without sacrificing privacy," Knecht said.

Commerce concerns

Retail and payments platforms have a particular interest in reducing false positives in fraud and abuse systems because each interruption can lead customers to abandon a transaction. Shopify said merchants need stronger ways to identify real shoppers and approved software agents without adding unnecessary barriers at checkout.

"In commerce, every extra challenge, delay, or false positive can turn a purchase into an abandoned cart. Merchants need effective protections against automated abuse, but buyers shouldn't have to pay for them with unnecessary friction or invasive tracking. Shopify is proud to help develop PACT as an open, privacy-preserving standard that can help the millions of businesses on our platform distinguish legitimate shoppers and authorised agents from abusive traffic while preserving buyer privacy," said Ilya Grigorik, Distinguished Engineer at Shopify.

Browser backing

Support from browser makers could be important if the protocol is to gain broad use across the web. Browser vendors sit at a key point between users and websites, and any system that depends on token exchange and privacy controls will need their co-operation to work at scale.

Microsoft framed the work as part of a wider effort to keep anti-abuse tools interoperable across the open web rather than locked into isolated systems.

"The health of the web depends on effective, interoperable, privacy-preserving tools that enable sites to combat abuse without unnecessary user friction. Microsoft is excited to collaborate on developing new standards and helping ensure their deployment across the open web," said Erik Anderson, Director of Engineering, Web Platform, at Microsoft Edge.

Mozilla also pointed to growing pressure on websites to use blunter methods to separate people from bots. Those methods include identity checks, paywalls, and CAPTCHA systems that can frustrate users and drive more data collection.

"Mozilla is committed to defending openness and user privacy on the web. An avalanche of automated traffic is pushing sites to adopt blunt defences-paywalls, identity checks, CAPTCHAs, and invasive tracking-simply to tell whether a request comes from a human. We can build a better solution that maintains strong privacy and provides a much less annoying experience for real humans using the web. This project requires collaboration across the ecosystem, and we're thrilled to work with Cloudflare and other like-minded partners to bring it to life," said Bobby Holley, Chief Technology Officer for Firefox at Mozilla.

The companies have presented PACT as a standards-based response to a changing internet, where software agents are likely to become more common in search, shopping, and other routine tasks. If widely adopted, the approach could give websites another way to vet traffic without tying trust decisions to persistent user tracking or account-based checks.

For Cloudflare, which sits in front of a large volume of global web traffic, the project also highlights how internet infrastructure groups are trying to shape the rules for distinguishing between legitimate automation and abuse as that line becomes harder to draw.