Why Stack Overflow and Cloudflare launched a pay-per-crawl model

Summary of Why Stack Overflow and Cloudflare launched a pay-per-crawl model

by The Stack Overflow Podcast

19mFebruary 19, 2026
Listen to Episode

Overview of The Stack Overflow Podcast — Why Stack Overflow and Cloudflare launched a pay-per-crawl model

This episode of Leaders of Code (a segment of The Stack Overflow Podcast) brings together Stack Overflow product leader Janice Manningham, SRE Josh Zhang, and Will Allen (VP at Cloudflare) to explain why Stack Overflow and Cloudflare are piloting a pay-per-crawl (PaperCrawl) model. The conversation covers the shift from “open vs block” bot policies to a more nuanced approach that lets site owners categorize crawlers, signal payment-required (HTTP 402), and enable programmatic or commercial access for crawlers (especially AI training bots). The goal: protect publisher value, reduce unwanted cost/traffic, and experiment with monetization beyond large licensing deals.

Key takeaways

  • The old model—open access for crawlers with ad-hoc blocking—no longer scales due to sophisticated AI crawlers and scraping for model training.
  • PaperCrawl uses Cloudflare’s bot categorization and an HTTP 402 “Payment Required” response to signal crawlers that paid access or a business conversation is required.
  • Cloudflare provides registration, categorization, dashboarding and enforcement tools; Stack used those to quickly pilot 402 responses and observe behavioral changes from crawlers.
  • PaperCrawl complements (not replaces) traditional licensing: it lets crawlers request only what they need and pays on those terms, enabling lower-friction business models and machine-to-machine transactions.
  • Early results: enabling 402 responses was simple to turn on and caused some crawlers to stop or surface themselves, creating opportunities for conversion or negotiation.

Why this change was needed

  • Bot behavior evolved: from low-sophistication scrapers and DDoS actors to sophisticated headless-browser crawlers that mimic real users, consume ad impressions, and scrape massive amounts of content for commercial model training.
  • Traditional defenses (blocklists, fingerprinting, manual whack-a-mole) became unwieldy and reactive.
  • Publishers bear traffic and infrastructure costs without commensurate attribution or revenue when bots extract data without sending meaningful traffic back.
  • There’s growing demand from AI projects and other commercial actors to use high-quality datasets—publishers want options to monetize and control these uses.

How PaperCrawl works (technical & workflow overview)

  • Identification & categorization: Cloudflare classifies crawlers (search engines, business crawlers, unknown/unauthorized agents, etc.) and provides pre-populated lists.
  • Actions: For each category an operator can allow, block, rate-limit, or return an HTTP 402 Payment Required response to the requester.
  • 402 Response: Not a hard “no”—it signals “you can access this if you pay” and can trigger:
    • machine-to-machine payment flows (programmatic),
    • or human follow-up (BD/procurement outreach) after seeing the logs.
  • Dashboarding & analytics: Cloudflare surfaces traffic, who’s requesting what, and effects of policy changes—this was highlighted as very helpful operationally.
  • Future/ongoing work: supporting programmatic payment protocols (e.g., X402 concepts) so publishers aren’t limited to crawlers that identify themselves by operator.

Stack Overflow’s implementation & results

  • Historically: Stack relied on Cloudflare for DDoS mitigation and used manual blocklists and other defenses to manage malicious bots.
  • Transition: Migrated bot handling to Cloudflare’s tooling for categorization and rule-based enforcement, reducing operational burden.
  • PaperCrawl pilot: Turning on the 402 response was simple via UI rules and dashboards. Some previously noisy crawlers stopped requesting content after receiving 402s (i.e., the message was effective).
  • Business fit: PaperCrawl is attractive as a middle ground between free public access and full bulk licensing—allows smaller, targeted, pay-per-use access for specific needs (vs. 100% bulk licensing deals).

Cloudflare’s perspective

  • Philosophy: Publishers should be “in the driver’s seat”—able to decide how their content is accessed and monetized.
  • Product approach: Provide identity, categorization, analytics, and enforcement tools so customers can choose their policy (allow/block/charge/rate-limit).
  • Real-world uses: Some customers will use machine payment flows; others will get human follow-ups based on 402 logs and strike direct deals. Cloudflare aims to support both and evolve payment protocols for programmatic use.

Benefits and limitations / risks

Benefits

  • Gives publishers control and new monetization pathways for scraped/public data.
  • Reduces wasteful traffic and infrastructure cost from unidentified scraping.
  • Enables lower-friction, pay-per-use access models for smaller customers who don’t want large licensing deals.
  • Centralized categorization and network-wide intelligence helps identify new crawlers faster.

Limitations & risks

  • Arms race continues: malicious actors may adapt to evade detection or pretend to pay.
  • Charging relies on registries/identification; anonymous or stealthy crawlers remain hard to enforce against.
  • Must avoid accidental blocking of legitimate crawlers (e.g., search engines) — requires careful rules and monitoring.
  • Adoption depends on crawler operators supporting programmatic payments or responding to 402s.

Recommendations / action items for publishers

  • Audit your bot traffic: volume, types, and intent—use Cloudflare (or similar) analytics to understand patterns.
  • Categorize crawlers: separate search engines and legitimate indexers from business/AI scrapers.
  • Pilot pay-per-crawl: start with a small set of categories and monitor the impact (traffic reductions, conversion inquiries).
  • Use dashboards to iterate: measure how many 402s lead to payments, human outreach, or behavior change.
  • Preserve positive flows: ensure SEO crawlers and beneficial partners remain allowed.
  • Coordinate BD/legal: prepare commercial terms for programmatic and manual licensing triggered by 402s.

Notable quotes

  • Janice Manningham: “With the rise of AI crawlers, they’ve fundamentally broken what I believe is the old internet, which is open versus block models.”
  • Will Allen (Cloudflare): “You as an incredible business and partner, you should be in the driver's seat over sort of what happens to the content and sort of how that content is being accessed.”

Where to learn more / contacts

  • Cloudflare: cloudflare.com (product pages and docs for bot management and PaperCrawl features).
  • Stack Overflow data licensing and commercial usage: stackoverflow.co (Stack Overflow’s commercial/data licensing info).
  • Podcast contact: podcast@stackoverflow.com
  • Hosts/guests: Janice Manningham and Josh Zhang (Stack Overflow), Will Allen (Cloudflare) — available via LinkedIn and Cloudflare/Stack Overflow channels.

This episode is a practical look at how publishers and infrastructure providers can shift from reactive bot blocking to nuanced, monetizable policies that preserve publisher value in an era of large-scale AI scraping.