By the way, a very similar API has apparently been implemented in Safari since 2022. Seems like better marketing does wonders, as I haven't seen any discussion of this.

https://blog.cloudflare.com/eliminating-captchas-on-iphones-...

Some interesting bits:

> [...] We don’t actually need or want the underlying data that’s being collected for this process, we just want to verify if a visitor is faking their device or user agent. [...]

> [...] In the example above, a visitor opens the Safari browser on their iPhone and tries to visit example.com.

> * Since Example uses Cloudflare to host their Origin, Cloudflare will ask the browser for a token.

> * Safari supports PATs, so it will make an API call to Apple’s Attester, asking them to attest.

> * The Apple attester will check various device components, confirm they are valid, and then make an API call to the Cloudflare Issuer (since Cloudflare acting as an Origin chooses to use the Cloudflare Issuer).

> * The Cloudflare Issuer generates a token, sends it to the browser, which in turn sends it to the origin.

> * Cloudflare then receives the token, and uses it to determine that we don’t need to show this user a CAPTCHA. [...]

Sounds an awful lot like WAI to me, but at least it's called a "Privacy Access Tokens" so it surely must be good...?

EDIT: turns out there was an HN thread about this a few days ago, I just missed it: https://news.ycombinator.com/item?id=36862494