Cloudflare, Google, Microsoft and Mozilla Build Token System to Replace CAPTCHAs Without Tracking Users

Cloudflare has partnered with the developers of Google Chrome, Microsoft Edge and Mozilla Firefox to build a token-based verification system designed to block bots and AI scrapers without exposing user data or triggering repeated CAPTCHA checks.

The company announced the collaboration on its official news page, describing a system called Private Access Control Tokens, or PACTs.

How PACTs Work

The core concept is straightforward. Trusted websites that already have confidence in a visitor’s legitimacy issue that visitor an anonymous digital token — a cryptographic credential that proves human presence without revealing identity.

That user can then present the token to other participating websites, bypassing repeated verification prompts entirely.

Cloudflare CTO Dane Knecht said existing tools are too blunt for today’s abuse patterns, where automated traffic — including AI-powered scraping agents — is increasingly difficult to distinguish from real users at speed.

Mozilla CTO Bobby Holley said automated traffic pushes websites toward heavy-handed defenses such as paywalls, which punish legitimate visitors along with bots.

The Problem PACTs Target

Bot mitigation is a growing operational cost for web publishers. Traditional defenses — CAPTCHAs, IP blocklists, browser fingerprinting — either frustrate real users or fail against sophisticated automated systems that now mimic human behavior closely.

AI-driven scraping compounds the problem. Automated agents can harvest site content at scale without authorization, and conventional security tools often block legitimate traffic while trying to stop them.

PACTs attempt to thread that needle by shifting verification upstream. A site with a strong trust signal about a user vouches for that user cryptographically, sparing downstream sites the cost of re-verification.

Because the tokens carry no personally identifiable information, the system avoids the privacy trade-offs typically associated with cross-site user tracking — a design choice that brings the browser makers into alignment with their own stated privacy commitments.
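To make the issue-then-present flow concrete, here is an added example (not the PACT protocol, whose specification the article notes is still unfinished) of the construction such schemes are usually built on: an RSA blind-signature token in the style of Privacy Pass, with a toy key. The issuer signs a blinded value and so cannot later link the redeemed token to the visitor; the relying site checks a trust list of issuer keys, rejects replays and forgeries, and learns nothing about who the visitor is. The `Issuer`, `RelyingSite` and `request_token` names and the key parameters are assumptions for this illustration.

```python
# Added illustration (not the PACT spec, which the article says is still being
# designed): an anonymous token via RSA blind signatures, as in Privacy Pass.
import hashlib, math, secrets
P, Q = 2**31 - 1, 2**61 - 1        # toy Mersenne primes, never use for real
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent
ISSUER_KEY = (N, E)                # public key that relying sites trust

def h(nonce, n=N):                 # toy full-domain hash: nonce -> int mod n
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n

class Issuer:                      # trusted site; signs blinded values only
    def __init__(self):
        self.seen = []             # everything the issuer could possibly log
    def sign_blinded(self, blinded):
        self.seen.append(blinded)
        return pow(blinded, D, N)

def request_token(issuer):
    """Browser side: blind a fresh nonce, have it signed, unblind the result."""
    nonce = secrets.token_bytes(32)
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:     # blinding factor must be invertible mod N
        r = secrets.randbelow(N - 2) + 2
    blinded = h(nonce) * pow(r, E, N) % N
    sig = issuer.sign_blinded(blinded) * pow(r, -1, N) % N
    return nonce, sig

class RelyingSite:                 # downstream site; trusted issuers, one use
    def __init__(self, trusted_keys):
        self.trusted, self.spent = set(trusted_keys), set()
    def redeem(self, nonce, sig, key):
        n, e = key
        if key not in self.trusted or nonce in self.spent:
            return False           # unknown issuer, or token replayed
        if pow(sig, e, n) != h(nonce, n):
            return False           # forged or tampered token
        self.spent.add(nonce)
        return True

def demo():
    issuer, site = Issuer(), RelyingSite([ISSUER_KEY])
    (n1, s1), (n2, s2) = request_token(issuer), request_token(issuer)
    return {
        "one_time": [site.redeem(n1, s1, ISSUER_KEY) for _ in range(2)],
        "untrusted_rejected": not site.redeem(n2, s2, (N + 2, E)),
        "tampered_rejected": not site.redeem(n2, (s2 + 1) % N, ISSUER_KEY),
        "unlinkable": h(n1) not in issuer.seen and s1 not in issuer.seen,
    }
```

The `unlinkable` entry is the privacy property the article describes: the issuer's log holds only blinded values, so nothing it recorded matches what the relying site later receives.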

What Remains Unresolved

The technical specification is not final. Cloudflare has not announced a public rollout date, and the exact mechanism for how sites earn the authority to issue tokens — and how widely they will be accepted — remains under development.

That gap draws scrutiny. The Register, which reported on the announcement separately, cautioned that incomplete implementation could introduce new access barriers rather than remove them.

If the token system fails to recognize legitimate users — due to mismatched trust hierarchies or implementation errors — those users face denial of access with no clear recourse. The Register also said the security benefits may be overstated relative to what current bot-mitigation tools already achieve.

The breadth of real-world impact will depend on adoption. A token that only a handful of high-trust sites issue, and only a small subset of sites accept, offers limited value to the average user navigating the open web.

Cloudflare sits in a structurally strong position to drive adoption. The company provides network services to a significant share of global web infrastructure, giving it direct relationships with both the issuing and accepting sides of any token exchange.

Deepak Gupta

Deepak Gupta is a technologist who loves diving into software development, cybersecurity, and new tech. He aims to make complex topics easy to understand, sharing practical insights with fellow tech enthusiasts. Read more about me at LinkedIn.
