Cryptographic Trust Over Tracking: Inside the PACT Protocol

The web is undergoing a structural transition. For decades, security teams have separated legitimate users from malicious actors by analyzing behavior. If a request moved too fast, lacked mouse movements, or originated from a data center IP address, security tools flagged it as a bot.

The rise of agentic AI breaks this model. When autonomous agents orchestrate workflows like ordering food, comparing prices, or purchasing inventory on behalf of humans, the traffic is automated by definition. Blocking all automated traffic blocks legitimate customers, while allowing it invites malicious scraping and credential stuffing.

To address this, Cloudflare has partnered with major browser engines, including Mozilla Firefox, Google Chrome, and Microsoft Edge, alongside Shopify, to develop Private Access Control Tokens (PACT). This proposed protocol shifts the security model from behavioral heuristics and invasive fingerprinting to decentralized, cryptographic trust delegation.

Cryptographic Trust Delegation

PACT relies on a separation of concerns. Instead of every website trying to determine if a client is human through invasive tracking or CAPTCHAs, PACT delegates this verification to entities that already have an established relationship with the user. These entities, such as identity providers, device manufacturers, or platforms like Shopify, issue anonymous tokens. The user's browser then presents these tokens to other websites.

The core cryptographic mechanism relies on blind signatures. The issuer verifies the user's identity but does not know which third-party sites the user is visiting. The verifier (the destination website) receives a cryptographically signed token proving the client has been vetted, but the verifier cannot link this token back to a specific user identity or browsing history. This breaks the linkability that ad networks and trackers rely on, preserving privacy while establishing trust.

sequenceDiagram
    autonumber
    actor User as User / Agent
    participant Issuer as Trusted Issuer (e.g., Shopify)
    participant Browser as Browser (e.g., Firefox)
    participant Verifier as Destination Website

    User->>Issuer: Authenticate / Prove Personhood
    Issuer->>Browser: Issue Blinded Token
    Browser->>Verifier: Present Unblinded Token
    Verifier->>Verifier: Cryptographically Verify Token
    Verifier->>User: Grant Access

This architecture builds on prior work like the IETF Privacy Pass standard. By formalizing this into a browser-supported protocol, the initiative aims to make cryptographic trust verification a native feature of the web platform.

The Agentic AI Challenge

Traditional bot mitigation is an arms race of fingerprinting and behavioral heuristics. As generative AI agents become common, distinguishing between a malicious bot and an authorized human-delegated agent is nearly impossible using traditional methods. If a user deploys an AI agent to find and buy a product, that agent will execute requests programmatically.

Advertisement

Shadow GPS — know where it is, always Real-time GPS tracking for vehicles, gear and loved ones. No monthly contracts.

If a merchant blocks the agent, they lose a sale. If they allow all programmatic traffic, they get overwhelmed by scrapers. PACT aims to solve this by allowing platforms to issue tokens that prove a human is in the loop or that the agent is authorized. This allows merchants to filter out abusive traffic without imposing friction on legitimate automated buyers.

How Developers Will Integrate PACT

Currently, developers rely on third-party JavaScript snippets to calculate risk scores or render CAPTCHAs. These scripts slow down page loads, complicate content security policies, and raise privacy concerns.

With PACT, token verification moves to the network edge or the web server configuration. When a client makes a request, it includes a PACT token in the HTTP headers.

Here is how an edge middleware might handle this verification conceptually:

// Conceptual edge middleware verifying a PACT token
export async function handleRequest(request: Request): Promise<Response> {
  const pactToken = request.headers.get("Sec-PACT-Token");

  if (!pactToken) {
    // Fallback to traditional verification or challenge
    return redirectToAlternativeVerification(request);
  }

  const isValid = await verifyPactToken(pactToken);
  if (!isValid) {
    return new Response("Invalid security token", { status: 403 });
  }

  // Proceed to origin with verified trust status
  return fetch(request);
}

async function verifyPactToken(token: string): Promise<boolean> {
  // Cryptographic verification of the token signature against the public key of trusted issuers
  try {
    const parsedToken = parseToken(token);
    const publicKey = await getIssuerPublicKey(parsedToken.issuerId);
    return await crypto.subtle.verify(
      "Ed25519",
      publicKey,
      parsedToken.signature,
      parsedToken.signedData
    );
  } catch {
    return false;
  }
}

This approach shifts the security boundary. Instead of executing heavy client-side scripts, the verification is a fast, cryptographic check at the CDN edge or origin server.

However, developers must plan for several trade-offs:

• Trust Centralization: The system relies on a small set of trusted issuers. If only giant platforms can issue tokens, smaller identity providers might be locked out, centralizing control over web access.
• Fallback Mechanisms: Not all clients will support PACT immediately. Developers will need to maintain legacy bot-detection pipelines for older browsers and non-browser clients, leading to dual-path maintenance.
• Token Exhaustion and Abuse: If malicious actors find a way to harvest or buy valid tokens from compromised devices, the system's integrity drops. Rate-limiting token redemption at the verifier level will still be necessary.

The Path to Standardization

PACT represents a shift away from behavioral surveillance toward cryptographic proof. While the collaboration between Cloudflare, Mozilla, Google, and Microsoft provides the necessary industry backing, the protocol must go through the rigorous IETF or W3C standardization process before widespread adoption.

For now, developers should monitor the draft specifications. The transition will not happen overnight, but preparing application architectures to ingest and verify cryptographic tokens at the edge is a design pattern that will pay dividends as the web becomes increasingly populated by autonomous agents.