Do you register with Google, Amazon or Microsoft to use the web? Cloudflare's new "signed agents" pitch sounds like safety, but it's a wolf in sheep's clothing. They've built an allowlist for the open web and told builders to apply for permission. That's not how the internet works. An application form is not a standard.

Yes, identity for agents is a real problem. But Cloudflare is solving it like a border checkpoint: get on their list or get treated like a trespasser. That's vendor approval, not an internet protocol. An allowlist run by ONE company? Authentication for that world isn't "ask Cloudflare for a hall pass." It's verifiable chains of delegation and request-level proof: open, portable, and independent of any one company.

The Web Must Remain Open

The web thrived because no one owned it. In the 90s, Microsoft tried to "embrace and extend" the web, and failed. That failure was a blessing: because no single company controlled the web, anyone could publish, anyone could innovate, and protocols carried more weight than corporate policies.

We've seen this movie before. Open standards beat closed plug-ins. HTML5 and the Open Web Platform displaced proprietary runtimes like Flash (Adobe) and Silverlight (Microsoft). Flash was formally ended in 2020 and Silverlight in 2021, while HTML5 became a W3C Recommendation back in 2014. The pattern is consistent: when the commons defines the interface, innovation compounds; when a vendor hands out permission slips, it stalls.

Agents Are Inevitable

Agents are inevitable. They will be the next major users of the web: retrieving information, automating workflows, making purchases, negotiating contracts. Sometimes AI agents will be explicitly directed by humans; other times they'll act as subroutines inside bigger tasks. The line between human and agent action will blur.
When I'm driving, I hand my phone to a friend and say, "Reply 'on my way' to my Mom." They act on my behalf, through my identity, even though the software has no built-in concept of delegation. That is the world we are entering.

Authentication vs. Authorization

Authentication asks: who is acting? Authorization asks: what are they allowed to do? They are not the same. Yet Cloudflare treats them as if a single passport could solve both. It can't.

In the real world, showing a passport is not enough to open a bank account; the actual person must be present. The same is true online. A cryptographic signature that claims "I am acting on behalf of X" means nothing unless the verifier can tie the signing key to something real that it can check independently, such as a key published under the agent's own domain or an IP range the agent is known to operate from. Without that, I can simply hand the passport to another agent, and it can act as if it were me. The passport becomes a bearer token that anyone can pass around. This is why the whole idea of a "bot passport" is deeply flawed. Authentication and authorization matter more than ever, but they must be rethought for the era of agents and for an authentic web.

Authentication

And here's the truth: on the internet, nobody knows you're a dog. A single signature proves nothing if it can simply be passed along. What we need is a way to prove both the chain of delegation and the authenticity of each request. The chain is like a certificate: User X on Service Y delegated to Agent Z, who delegated to Agent K. But when Agent K actually makes a request to Service Y, it must add its own signature, made with a key only Agent K holds, to prove it is truly Agent K. Without both pieces, authentication collapses.

The system must have a few key features:

Verifiable: you can check the claim independently.
Composable: it works across chains of delegation.
Decentralized: no single gatekeeper decides who is "valid."

Public key cryptography already gives us a model. Companies prove domain ownership today through DNS records; they could publish public keys in the same way.
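Here is the chain-plus-request-level-proof idea in working code. This is an added example written for this page, not the author's open-sourced implementation: each delegation link is an Ed25519 signature (Go standard library) by the delegator over the delegate's name and public key, the final request is signed by the last delegate, and an in-memory map stands in for the DNS TXT records that agent vendors would publish. The names service-y.example, agent-z.example, agent-k.example, the link layout and the expiry values are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Link: the issuer signs that the named delegate (a domain) may act with this key.
type Link struct {
	Issuer   string `json:"issuer"`
	Delegate string `json:"delegate"`
	Key      []byte `json:"key"`     // delegate's Ed25519 public key
	Expires  int64  `json:"expires"` // unix seconds
	Sig      []byte `json:"sig,omitempty"`
}

// Request: the chain plus the final delegate's own signature over the request.
type Request struct {
	Chain  []Link `json:"chain"`
	Method string `json:"method"`
	Path   string `json:"path"`
	Sig    []byte `json:"sig,omitempty"` // production code would also bind a nonce or timestamp
}

func linkBody(l Link) []byte       { l.Sig = nil; b, _ := json.Marshal(l); return b }
func requestBody(r Request) []byte { r.Sig = nil; b, _ := json.Marshal(r); return b }

func NewLink(issuerPriv ed25519.PrivateKey, issuer, delegate string, key ed25519.PublicKey, exp time.Time) Link {
	l := Link{Issuer: issuer, Delegate: delegate, Key: key, Expires: exp.Unix()}
	l.Sig = ed25519.Sign(issuerPriv, linkBody(l))
	return l
}

func SignRequest(priv ed25519.PrivateKey, chain []Link, method, path string) Request {
	r := Request{Chain: chain, Method: method, Path: path}
	r.Sig = ed25519.Sign(priv, requestBody(r))
	return r
}

// Verifier is Service Y: Users are its registered accounts, DNS simulates TXT lookups
// of the keys agent vendors publish under their own domains (in-memory, runs offline).
type Verifier struct{ Users, DNS map[string]ed25519.PublicKey }

func (v *Verifier) Verify(r Request, now time.Time) error {
	if len(r.Chain) == 0 {
		return fmt.Errorf("empty delegation chain")
	}
	signer, ok := v.Users[r.Chain[0].Issuer]
	if !ok {
		return fmt.Errorf("unknown user %q", r.Chain[0].Issuer)
	}
	for i, l := range r.Chain {
		if now.Unix() > l.Expires || (i > 0 && l.Issuer != r.Chain[i-1].Delegate) {
			return fmt.Errorf("link %d: expired or out of order", i)
		}
		// each link must be signed by the key the previous link delegated to ...
		if !ed25519.Verify(signer, linkBody(l), l.Sig) {
			return fmt.Errorf("link %d: bad signature from %q", i, l.Issuer)
		}
		// ... and name the key its vendor actually published in DNS
		if pub, ok := v.DNS[l.Delegate]; !ok || string(pub) != string(l.Key) {
			return fmt.Errorf("link %d: key for %q not published in DNS", i, l.Delegate)
		}
		signer = ed25519.PublicKey(l.Key)
	}
	// request-level proof: the sender must hold the final delegate's private key
	if !ed25519.Verify(signer, requestBody(r), r.Sig) {
		return fmt.Errorf("request not signed by the final delegate")
	}
	return nil
}

// ChainScenario builds X -> Z -> K, then verifies K's own request and the same chain replayed by a stranger M.
func ChainScenario() (ownErr, replayedErr error) {
	now := time.Unix(1700000000, 0)
	xPub, xPriv, _ := ed25519.GenerateKey(rand.Reader) // user X, registered with Service Y
	zPub, zPriv, _ := ed25519.GenerateKey(rand.Reader) // Agent Z, key published at agent-z.example
	kPub, kPriv, _ := ed25519.GenerateKey(rand.Reader) // Agent K, key published at agent-k.example
	_, mPriv, _ := ed25519.GenerateKey(rand.Reader)    // Agent M, never delegated to
	svc := &Verifier{
		Users: map[string]ed25519.PublicKey{"x@service-y.example": xPub},
		DNS:   map[string]ed25519.PublicKey{"agent-z.example": zPub, "agent-k.example": kPub},
	}
	chain := []Link{
		NewLink(xPriv, "x@service-y.example", "agent-z.example", zPub, now.Add(time.Hour)),
		NewLink(zPriv, "agent-z.example", "agent-k.example", kPub, now.Add(30*time.Minute)),
	}
	ownErr = svc.Verify(SignRequest(kPriv, chain, "GET", "/inbox"), now)
	replayedErr = svc.Verify(SignRequest(mPriv, chain, "GET", "/inbox"), now)
	return
}

func main() {
	own, replayed := ChainScenario()
	fmt.Println("K signs its own request:", own, "| M replays K's chain:", replayed)
}
```

The second verification is the "passport handed to another agent" case: M holds the complete, validly signed chain, yet the request fails because the chain ends at K's key and M cannot produce a signature under it. Swapping the in-memory DNS map for a real TXT lookup is the only change needed for the decentralized version.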
Publishing keys in DNS would let a service authenticate a third party simply by checking DNS, without anyone filling in forms, asking permission, or registering with a central directory. Sites could still block or allow as they choose, but the default is open. This is what authentication for the agentic era should look like: open, verifiable, and decentralized.

Authorization

Until now, software usually had a narrow scope. Think of a weekly cron job that emails a "new signups" report: it gets read-only access to the analytics DB, nothing else. Or a brokerage app connected to your bank through Plaid to fund your trading account: it can initiate transfers within limits but can't browse your transaction history. OAuth scopes worked because the software had a clear, predictable purpose.

Agents are different. They are general-purpose. The same agent might book a flight, pay for dinner, and then summarize your bank statement. They may also be short-lived, spun up for a single task and gone after it.

One way to make this work is to give the agent an "admin key": full access to everything. It's convenient, but dangerous, and we must resist this pattern. Agents should not hold permanent credentials; authorization must be per-task, not per-agent. Think of a bank account: I might tell my agent "pay for dinner." That token should allow a payment. But when I ask "show me three months of spending," the agent should not be able to move money. Same agent, different task, different token. Credentials must follow tasks, not agents.

Fortunately, cryptography and authorization models have evolved a lot in the last few years. We now have token formats that carry their own constraints and can be narrowed by the holder without contacting the issuer: granular, short-lived, and delegable (Macaroons, Biscuit). Open policy engines (OPA, AWS Cedar) can evaluate RBAC/ABAC rules over such requests for this use case. Imagine: User X on Service Y holds an admin token. They derive a narrower token for Agent Z to perform one task.
Agent Z can then derive an even narrower token for a sub-agent, all without bothering the service. Each request can be verified against the chain. Coupled with the authentication model above, this approach gives us a foundation for managing agents without creating new gatekeepers.

Protocols, Not Gatekeepers

This challenge is bigger than Cloudflare, Google, Microsoft or any single company. The future of the web cannot hinge on who controls the keys. We need protocols, not gatekeepers. Authentication, authorization, and monetization must remain open, interoperable, and standardized. Cloudflare's launch is useful only because it exposes the danger. If we let a handful of companies decide which agents are "valid," the agentic web will collapse into walled gardens. We've seen this movie before.

Here's the line in the sand: I'm open-sourcing a first cut of these ideas (chains of delegation, request-level authorization, and task-scoped authorization) so anyone can implement them today. If this resonates with you, if you want to collaborate, criticize, or help shape the protocols that will keep the web open for agents, please reach out: [email protected]

The future should not be about who holds the gates. It should be about protocols that let everyone build, share, and innovate.
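The token derivation described in the Authorization section (admin token, narrower token for Agent Z, narrower still for a sub-agent, verified per request against the chain), as an added example that is not part of the original post or the author's release: a macaroon-style HMAC chain in Go's standard library. The bank holds the root key, User X holds the unattenuated token and narrows it for Agent Z, who narrows it again for a sub-agent, neither step contacting the bank. The caveat grammar ("field op value"), the account and merchant names, the amounts and the timestamps are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
)

// Token is a macaroon-style credential: an HMAC chain rooted in a secret only the
// service knows. Any holder can append a caveat; none can remove one without the root key.
type Token struct {
	ID      string   // tells the service which root key to verify with
	Caveats []string // "field op value"; every one must hold for a request
	Sig     []byte
}

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// Mint issues the broadest token for an account: no caveats at all.
func Mint(rootKey []byte, id string) Token { return Token{ID: id, Sig: mac(rootKey, id)} }

// Attenuate narrows a token offline: the new signature is an HMAC keyed by the old one.
func (t Token) Attenuate(caveat string) Token {
	caveats := append(append([]string(nil), t.Caveats...), caveat)
	return Token{ID: t.ID, Caveats: caveats, Sig: mac(t.Sig, caveat)}
}

func holds(caveat string, req map[string]string) (bool, error) {
	f := strings.Fields(caveat)
	if len(f) != 3 {
		return false, fmt.Errorf("malformed caveat %q", caveat)
	}
	got, ok := req[f[0]]
	if !ok {
		return false, nil // a caveat on an absent attribute is never satisfied
	}
	switch f[1] {
	case "=":
		return got == f[2], nil
	case "<=":
		g, err1 := strconv.ParseInt(got, 10, 64)
		w, err2 := strconv.ParseInt(f[2], 10, 64)
		if err1 != nil || err2 != nil {
			return false, fmt.Errorf("non-numeric operand in %q", caveat)
		}
		return g <= w, nil
	}
	return false, fmt.Errorf("unknown operator in %q", caveat)
}

// Verify recomputes the chain from the root key, then checks every caveat. Both must pass.
func Verify(rootKey []byte, t Token, req map[string]string) error {
	sig := mac(rootKey, t.ID)
	for _, c := range t.Caveats {
		sig = mac(sig, c)
	}
	if !hmac.Equal(sig, t.Sig) {
		return fmt.Errorf("signature mismatch: token forged or a caveat removed")
	}
	for _, c := range t.Caveats {
		if ok, err := holds(c, req); err != nil || !ok {
			return fmt.Errorf("caveat %q rejected (err=%v)", c, err)
		}
	}
	return nil
}

// TokenScenario: the bank holds rootKey; User X holds the unattenuated token. All values constructed.
func TokenScenario() map[string]error {
	rootKey := []byte("bank-root-key-constructed-for-this-example")
	admin := Mint(rootKey, "acct:x")
	// "pay for dinner": Agent Z may only pay, at most 60, and only for the next 15 minutes
	dinner := admin.Attenuate("action = pay").Attenuate("amount <= 60").Attenuate("time <= 1700000900")
	// Z hands the actual payment to a sub-agent, pinned to one merchant
	sub := dinner.Attenuate("merchant = restaurant.example")
	// a dishonest sub-agent drops the merchant caveat but keeps the old signature
	stripped := Token{ID: sub.ID, Caveats: sub.Caveats[:3], Sig: sub.Sig}
	at := func(action, amount, merchant, t string) map[string]string {
		return map[string]string{"action": action, "amount": amount, "merchant": merchant, "time": t}
	}
	return map[string]error{
		"sub pays 45 at the restaurant": Verify(rootKey, sub, at("pay", "45", "restaurant.example", "1700000500")),
		"sub reads the statement":       Verify(rootKey, sub, at("read_statement", "", "", "1700000500")),
		"sub pays 200":                  Verify(rootKey, sub, at("pay", "200", "restaurant.example", "1700000500")),
		"sub pays after expiry":         Verify(rootKey, sub, at("pay", "45", "restaurant.example", "1700009999")),
		"stripped token pays elsewhere": Verify(rootKey, stripped, at("pay", "45", "bar.example", "1700000500")),
		"admin token reads statement":   Verify(rootKey, admin, at("read_statement", "", "", "1700000500")),
	}
}

func main() {
	for name, err := range TokenScenario() {
		fmt.Printf("%-30s -> %v\n", name, err)
	}
}
```

Two properties carry the argument. Caveats only ever intersect, so a holder can make a token weaker but never stronger, which is what lets X delegate to Z and Z to a sub-agent without the bank in the loop. And the stripped token shows why the chain must be recomputed from the root key on every request: removing a caveat leaves a signature the service cannot reproduce. The unattenuated admin token passes every check, which is exactly the "admin key" the text warns against handing to an agent.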