This week, the infrastructure of the internet took several big steps toward an agentic future β and in doing so, made the case for PCHP better than we could have ourselves.
Cloudflare, with AWS and Stripe, wired x402 into the edge so agents can pay for access to pages, datasets, APIs, and tools. Cloudflare, with Chrome, Firefox, and Edge, proposed PACT β Private Access Control Tokens β so a site can tell a legitimate human or authorized bot from an abuser without tracking anyone. OAuth for agents went generally available, so an agent can be granted scoped, revocable permission to an application. Agents can now even spin up temporary accounts and deploy code on their own.
Look at that list. Payment. Legitimacy. Application-authorization. Deployment. The internet is rapidly giving autonomous agents everything they need to act.
There is exactly one thing missing. Consent β the human owner's consent over their own private data.
Payment is not consent. Legitimacy is not consent.
It is worth being precise, because these are easy to conflate:
- x402 answers "has this been paid for?" β an economic question.
- PACT answers "is this visitor a legitimate human or authorized bot?" β an integrity question.
- OAuth answers "may this application act with these permissions?" β an application-authorization question.
None of them answers the question a person actually cares about when their financial life, their health record, or their identity is involved: "Did I agree to let this party read this slice of my data, for this long β and can I see it and take it back?"
That is not a payment. It is not a bot check. It is not an app grant. It is consent, and it belongs to a person. Today it is implemented β when it is implemented at all β as a checkbox inside each app, which means it does not travel, does not interoperate, and ends at each app's edge.
The stack has a human-shaped hole at the top
Think of the secure networking stack as handshakes:
Application data / agents
βββββββββββββββββββββββββββββββββββββββββββββ
PCHP β consent handshake (may this party read THIS person's data?)
TLS β encryption handshake (is the channel private? who is the server?)
TCP/IP β transport (do the packets arrive?)
TCP/IP got the packets there. TLS made the channel private and authenticated the server β and became invisible infrastructure precisely because it was a protocol, not a per-site feature. Every server can speak it; every browser expects it.
Consent deserves the same treatment. PCHP is proposed as the consent handshake β a peer to TLS, one layer up. It composes with everything shipping this week: an agent can be paid (x402), proven legitimate (PACT), and app-authorized (OAuth), and still be required to complete a PCHP handshake β a scoped, logged, revocable receipt β before it reads a single field of a person's private data.
Why now, and why open
The window is open right now. The agentic internet is being wired this quarter, and the layers are being decided. If consent is not proposed as a protocol now, it will calcify as ten thousand incompatible checkboxes, and the person will lose β again.
So we are proposing it as a protocol, and donating it to the commons under the most permissive license we can (CC0 for the text, Apache-2.0 for the schema and code). We are not trying to own the consent layer. We are trying to make sure there is one, that it is open, and that it puts the person in control β before the alternative sets.
Read the specification, and specifically Where PCHP Sits for how it composes with the rest of the stack. Then tell us what you would change. The best time to shape a protocol is while it is still a request for comments.
β Manish Sainani and π€« Research & Intelligence Team
