Cloudflare is working with the makers of Chrome, Edge, and Firefox on a new way for websites to tell whether incoming traffic is legitimate – without resorting to the usual mix of CAPTCHAs, logins, and extra tracking.
The system is called Private Access Control Tokens, or PACT, and it arrives at a time when bots have surpassed human traffic online.
Why do you assume it’s one static unchanging token? That’s not how cryptography works, you can issue virtually unlimited signatures or challenges/responses without the other party knowing your private key