Cloudflare’s PACT Aims to Replace CAPTCHA on the Web

What if CAPTCHAs were living out their last years? On June 22, 2026, Cloudflare announced PACT (Private Access Control Tokens), a protocol designed to distinguish legitimate visitors from malicious bots. No challenge to solve, no login, no tracking. The project is being developed with Mozilla, Google, Microsoft and Shopify, and will be submitted for standardization. Here’s what we know.

An anonymous token to prove a human is in the loop

For many years, CAPTCHAs have been the technique used by millions of websites and services to fight malicious bots. But they could be replaced by a new protocol called PACT, whose idea is to delegate proof of legitimacy to a trusted site, then reuse that proof elsewhere without revealing anything.

Personhood is the term Cloudflare uses to explain this mechanism. In practice, PACT relies on a service that can reasonably tell it is dealing with a real user, and that issues an anonymous token on that basis. The browser can then present this token to other sites to attest that a human, or an authorized agent, is indeed behind the request.

According to Cloudflare, privacy is at the heart of PACT, since it reveals neither the user's identity, nor their browsing history, nor even the origin of the token. "The PACT system is designed so that sites cannot use it to track or identify users, nor their browsing history," the announcement reads.

It reveals only one thing: the request most likely comes from a legitimate human or an authorized agent. The protocol is designed so it cannot be used to track or identify internet users.

Why now: agentic AI is blurring the human-bot line

If several tech giants are working on an alternative to CAPTCHAs, that is probably no coincidence. Website owners are facing a wave of automated traffic coming from AI agents, scraping tools and malicious bots.

CAPTCHAs degrade the user experience (to a degree that depends on the version used), and nobody wants fingerprinting. Meanwhile, bots are becoming increasingly sophisticated, especially with the rise of agentic AI.

In reality, not all automated traffic is malicious, and legitimate actions are no longer always carried out directly by a human. The line is blurring: in early June, Cloudflare estimated that bots had officially overtaken humans in Internet traffic.

"Mozilla is committed to defending openness and user privacy on the Web. An avalanche of automated traffic is pushing sites to adopt radical defense measures - paywalls, identity checks, CAPTCHA and intrusive tracking - simply to determine whether a request comes from a human being," Bobby Holley, Firefox CTO, explains in the Cloudflare press release.

Don't expect PACT tomorrow

This privacy-first protocol is not yet a Web standard. It is a project currently under development, with standardization planned but not yet finalized. In other words, nobody should expect CAPTCHAs to disappear tomorrow, but PACT is likely to become a reality.

Beyond Cloudflare and Mozilla, other major players are involved in the project, notably the teams behind browsers such as Google Chrome and Microsoft Edge, joined by Shopify on the e-commerce side.

It is definitely worth watching.

Florian Burnel, Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
