What is PACT, the human verification system that will change the web overflowing with CAPTCHAs?



On June 23, 2026, Mozilla revealed the design of 'Private Access Control Tokens (PACT),' anonymous credentials that let websites protect themselves against bots without collecting users' identities or device information.

PACT Air

https://pactworkshop.com/

PACT: Anonymous Credentials for the Web - Mozilla Hacks - the Web developer blog
https://hacks.mozilla.org/2026/06/pact-anonymous-credentials-for-the-web/


Keeping the Web Open and Private in the Bot Era
https://blog.mozilla.org/en/privacy-security/keeping-the-web-open-and-private-in-the-bot-era/


Browsers have evolved to protect user privacy through measures such as restricting third-party cookies, preventing fingerprinting, and protecting IP addresses. However, because website anti-fraud measures have relied on the same information to decide whether an access is 'suspicious,' users who care more about their privacy are more likely to be treated like bots.

Furthermore, advances in AI mean that CAPTCHA-based human verification is no longer as reliable as it once was. To prevent attacks such as mass spam submissions, unauthorized logins using password lists, and disruptions caused by high traffic, websites are increasingly requiring users to enter email addresses, log in through external services, and disable VPNs. This increases the burden on users, and websites end up driving away the legitimate visitors they want to attract.

To address these issues, there are mechanisms like Privacy Pass that verify user behavior through CAPTCHA and issue tokens that can be presented later on other sites. However, Mozilla points out that relying on device attestations, where device manufacturers and OS vendors determine 'permitted environments,' risks allowing web access to be controlled by a small number of large corporations.



The problem with bots isn't that they're 'not human,' but that they can repeat the same actions at a scale humans could never reach. PACT therefore aims to build a system that tells a website only that a user's accesses are within a certain limit.

For usage limits to work, they need to be tied to something that attackers cannot easily create in large quantities. Mozilla gives phone numbers, email addresses, paid subscriptions, and long-used accounts as examples. For instance, if you subscribe to a VPN service, the VPN provider only needs to vouch that you are a 'subscriber using the service without any issues,' and the visited site can apply usage limits per subscriber without learning the user's name or subscription details.

In PACT, the party providing the guarantee is called an 'Anchor,' and the token issued by the Anchor for the guarantee is called an 'Endorsement.' First, users receive an Endorsement through their relationship with the services they normally use.



When a user visits another website, they use the Endorsement to obtain anonymous credentials, called 'Credentials.' The party that manages these Credentials and decides on access restrictions is called a 'Moderator.' For example, when a user visits a site, the browser presents the Credentials to the Moderator used by that site, and the Moderator determines whether the Credentials are valid and whether they exceed any access limits.



The system is also intended to be used in ways such as relaxing usage restrictions if a user's behavior appears to be normal browsing, and strengthening restrictions if suspicious activity continues.



The key point is that the Moderator doesn't need to know 'which Anchor endorsed the user.' If other sites could tell that you subscribe to a specific service or hold an account on a particular site, that would create new privacy problems. PACT aims to use cryptography to reveal only the fact that a credential was 'issued by one of the trusted Anchors' while concealing the specific issuer.
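As an added illustration, and not Mozilla's protocol or code, the following Python model walks through the Anchor, Endorsement, Moderator and Credential roles described above: anchor keys and subscriber ids are constructed, and an HMAC check over the whole trusted-anchor set stands in for the issuer-hiding cryptography, returning only whether some trusted Anchor endorsed the user.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed model of the PACT roles (not Mozilla's protocol): Anchors endorse
# subscribers, a Moderator exchanges endorsements for credentials and applies limits.
ANCHOR_KEYS = {"vpn-provider": secrets.token_bytes(32),   # constructed keys
               "mail-service": secrets.token_bytes(32)}

def issue_endorsement(anchor: str, subscriber_id: str) -> dict:
    """Anchor vouches for a subscriber in good standing; subscriber_id stays with the Anchor."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(ANCHOR_KEYS[anchor], nonce.encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "tag": tag}  # carries neither the anchor name nor the subscriber id

def endorsed_by_trusted_anchor(endorsement: dict) -> bool:
    """Stand-in for the issuer-hiding check: yields only 'some trusted Anchor signed it'."""
    expected = [hmac.new(k, endorsement["nonce"].encode(), hashlib.sha256).hexdigest()
                for k in ANCHOR_KEYS.values()]
    return any(hmac.compare_digest(e, endorsement["tag"]) for e in expected)

@dataclass
class Moderator:
    base_limit: int = 5
    credentials: dict = field(default_factory=dict)  # credential -> {"used", "limit"}
    spent: set = field(default_factory=set)          # endorsement tags already exchanged

    def exchange(self, endorsement: dict):
        """Exchange one endorsement for one random credential; reject forgeries and replays."""
        if endorsement["tag"] in self.spent or not endorsed_by_trusted_anchor(endorsement):
            return None
        self.spent.add(endorsement["tag"])
        cred = secrets.token_hex(16)  # unlinkable to the Anchor or the subscriber
        self.credentials[cred] = {"used": 0, "limit": self.base_limit}
        return cred

    def observe(self, cred: str, suspicious: bool) -> None:
        """Tighten the limit while suspicious activity continues, relax it for normal browsing."""
        state = self.credentials.get(cred)
        if state is not None:
            state["limit"] = max(1, state["limit"] // 2) if suspicious else state["limit"] + 1

    def check(self, cred: str) -> bool:
        """Admit a request only if the credential is known and still under its usage limit."""
        state = self.credentials.get(cred)
        if state is None or state["used"] >= state["limit"]:
            return False
        state["used"] += 1
        return True
```

The Moderator's records contain only random credential ids and counters, which is the information boundary the design above describes.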

The ideal scenario for PACT is that the browser receives an Endorsement during normal web browsing, exchanges it for a Credential as needed, and transmits to the website only the minimum information showing that the access appears to be legitimate use within the usage limit.

PACT also relates to AI agents that run in browsers. AI agents that make reservations and perform searches on behalf of users are convenient, but from a website's perspective they can be hard to distinguish from bots. PACT envisions a method in which users operate AI agents with their own Credentials and take responsibility for the agent's actions, and in which the AI agent's operator acts as an Anchor vouching for the agent's actions.

The PACT specification is still under consideration. Mozilla explains that 'designing PACT requires rigorous verification of privacy and security, and it is natural that the underlying cryptographic protocols should be discussed by the IETF, while the web API portion should be discussed by the W3C.' If successful, websites may gain the attempt-count signal they need to combat bots, and users may encounter fewer CAPTCHAs or blocking screens without revealing their identity.

in Web Service, Posted by log1d_ts