[chocalot]

There's a few comments asking for further info on the motivation.

I'll explain my understanding.

Consider what problem CAPTCHA aims to solve (abuse) and how that's ineffective in an age of AI agents: it cannot distinguish "bot that is trying to buy a pizza" vs "bot that is trying to spider my site".

I don't understand Cloudflare's solution enough to explain that part.

I'm glad to see research here, because if we don't have innovation solutions, we might end up with microtransactions for browsing.

[shakir_amarri]

They appear to just want to rate limit by having you go through a hassle to set up an account with some service and then be given 100 tokens per hour which you can use to conduct 100 rate limited actions per hour.

Think SMS verification but with cryptographic sorcery to make it private.

Depending on the level of hassle the service may even use SMS verification at setup. SMS verification is typically easy to acquire for as little as a few cents, but if the goal is to prevent millions of rate limited requests a few cents can add up.