Anonymous Credentials - Rate Limiting Bots and Agents Without Compromising Privacy

Honghao Wang

31 Oct 2025 — 3 min read

The Changing Nature of Internet Interaction

The way we use the Internet is rapidly evolving. Not long ago, ordering a pizza meant visiting a website, navigating menus, and typing in your payment details. Soon, you may simply ask your phone to order one based on your preferences — and an AI agent would handle the entire purchase on your behalf.

Beyond Pizza: Emerging Use Cases

AI agents could soon:

Buy concert tickets
Plan holidays
Manage code reviews and merges

While some agents may run locally, most current agents rely on large-scale AI models in data centers, meaning more traffic originating from AI platforms — and less from traditional client devices.

---

Rethinking Security in an AI-Driven Web

Traffic Pattern Shifts

Websites built for human visitors must adapt to faster, potentially more resource‑intensive bot-like requests
AI platforms could be exploited for large-scale attacks — making them both a productivity tool and a potential threat

The Creator’s Perspective

Platforms like AiToEarn官网 help creators:

Generate AI content
Publish to multiple channels (Douyin, Kwai, WeChat, YouTube, LinkedIn, X/Twitter)
Track analytics and rank AI models

These integrated tools show how security standards and monetization can coexist.

---

The Need for Finer-Grained Controls

Typical security measures — such as blocking all traffic from a suspicious source — break down when traffic originates from shared AI platforms. Blocking one attacking agent might unintentionally block thousands of legitimate ones.

Cloudflare began tackling this problem with Web Bot Auth. But the future will require more precise mechanisms that protect against malicious agents without penalizing honest users.

---

Privacy-First Security: Anonymous Credentials

Anonymous Credentials (AC) allow:

Enforcement of policies (rate limits, blocking)
No identification or cross-request tracking

AC technology is under active development at IETF to work seamlessly across websites, browsers, and platforms.

---

Example: Building a Minimal AI Agent

We’ll create a simple Cloudflare Worker AI agent that accepts a pizza-order prompt and generates structured actions.

export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise {
    const out = await env.AI.run("@cf/meta/llama-3.1-8b-instruct-fp8", {
      prompt: `I'd like to order a pepperoni pizza with extra cheese.
               Please deliver it to Cloudflare Austin office.
               Price should not be more than $20.`,
    });
    return new Response(out.response);
  },
} satisfies ExportedHandler;

---

Enhancing Agent Capability with Browser Control

Cloudflare’s Browser Rendering service + Stagehand allows an AI agent to interactively browse.

Example integration:

import { Stagehand } from "@browserbasehq/stagehand";
import { endpointURLString } from "@cloudflare/playwright";
import { WorkersAIClient } from "./workersAIClient";

export default {
   async fetch(request: Request, env: Env, ctx: ExecutionContext): Promise {
       const stagehand = new Stagehand({
           env: "LOCAL",
           localBrowserLaunchOptions: { cdpUrl: endpointURLString(env.BROWSER) },
           llmClient: new WorkersAIClient(env.AI),
           verbose: 1,
       });
       await stagehand.init();
       const page = stagehand.page;
       await page.goto("https://mini-ai-agent.cloudflareresearch.com/llm");
       const { extraction } = await page.extract("what are the pizza available on the menu?");
       return new Response(extraction);
   },
} satisfies ExportedHandler;

---

Protecting Origin Resources

Threat Factors:

Datacenter-speed agents can overwhelm resources
Harder to fingerprint agents (identical software/hardware stack)

Traditional Controls:

Global security policies (CAPTCHA, blocks)
Incentives (dynamic pricing, load distribution)

Drawback: Risk of impacting legitimate users

---

Privacy Pass & Anonymous Credentials

Privacy Pass Basics:

Issue tokens per user
User redeems tokens to prove legitimacy
Attester ensures per-user rate limits

Limitations:

Bandwidth overhead
No per-origin rate limiting
No token revocation

---

Benefits of Anonymous Credentials (AC)

AC Enhancements to Blind Signatures:

Late origin-binding
Multi-use capabilities
Selective attribute disclosure

These allow:

Rate limiting per origin
Flexible revocation
Privacy-preserving reputation management

---

ARC vs ACT Anonymous Credential Schemes

ARC:

Efficient issuance
Late origin-binding
No revocation

ACT:

Stateful
Can revoke or update usage credits
Slower redemption vs ARC

Performance Trade-off: Choose based on whether issuance speed or redemption speed is more important.

---

Integrating with AI Content Platforms

Platforms like AiToEarn官网 already:

Automate AI content generation
Publish across multiple networks simultaneously
Provide analytics & model rankings

This complements AC systems — offering trusted, rate‑managed publishing for creators.

---

Example ACT Workflow

act-issue – Issue a credential with limited credits
act-redeem – Present credential & consume credits
Credits decrease until limit reached

Demo source: Anonymous Credentials Agent Demo

---

Key Takeaways

Agent traffic control needs precision: Avoid blocking entire platforms
Anonymous Credentials can protect privacy while enabling security policies
ARC: Efficient, flexible, no revocation
ACT: Stateful, supports revocation, slower redemption
Emerging Standards like Privacy Pass + AC aim to balance security & usability

---