CLOUDFLARE’S post, dated 21 April 2026, argues that the traditional bots vs. humans distinction is increasingly unhelpful as the line between different clients fades, with human interaction and AI-assisted automation both driving web traffic and requiring privacy-preserving, accountable signals.
It stresses that protecting sites goes beyond simply blocking bots or identifying humans, emphasising intent and behaviour and the need for a flexible client-server model that can handle distributed traffic while preserving user privacy. The piece highlights Privacy Pass, a system rooted in RFC 9576, as a way for clients to present unlinkable proofs of prior checks, enabling privacy-preserving interactions without creating stable identifiers.
It also discusses the rate-limit trilemma and the goal of an open issuer ecosystem, exploring Anonymous Rate-Limit Credentials (ARC) and Anonymous Credit Tokens (ACT) as primitives to prove good behaviour without revealing identity. Examples are given of platforms that sign requests to prove provenance, such as OpenAI, Google, Cloudflare, and AWS, while noting that open, privacy-preserving credentials are not a panacea and must be carefully designed to avoid gating access to the Web.
The article concludes by arguing that in a future where AI assistants and distributed traffic proliferate, a privacy-preserving yet accountable approach is preferable to a brittle, gate-driven Internet.