The "Payment" HTTP Authentication Scheme

The "Payment" HTTP Authentication Scheme Tempo Labs

brendan@tempo.xyz

Tempo Labs

jake@tempo.xyz

Tempo Labs

tom@tempo.xyz

Stripe

jweinstein@stripe.com

Stripe

stevekaliski@stripe.com

This document defines the "Payment" HTTP authentication scheme, enabling HTTP resources to require a payment challenge to be fulfilled before access. The scheme extends HTTP Authentication, using the HTTP 402 "Payment Required" status code. The protocol is payment-method agnostic, supporting any payment network or currency through registered payment method identifiers. Specific payment methods are defined in separate payment method specifications.

Introduction HTTP 402 "Payment Required" was reserved in HTTP/one-point-one but never standardized for common use. This specification defines the "Payment" authentication scheme that gives 402 its semantics, enabling resources to require a payment challenge to be fulfilled before access.

Relationship to Payment Method Specifications This specification defines the abstract protocol framework. Concrete payment methods are defined in payment method specifications that: Register a payment method identifier Define the request schema for that method Define the payload schema for that method Specify verification and settlement procedures

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Terminology

Payment Challenge: A WWW-Authenticate header with scheme "Payment" indicating the payment requirements for accessing a resource.
Payment Credential: An Authorization header with scheme "Payment" containing payment authorization data.
Payment Method: A mechanism for transferring value, identified by a registered identifier.
Payment Intent: The type of payment request, identified by a registered value in the IANA "HTTP Payment Intents" registry. Intents are defined by separate intent specifications.
Request: Method-specific data in the challenge enabling payment completion. Encoded as base64url JSON in the request parameter.
Payload: Method-specific data in the credential proving payment.

Protocol Overview

Request Flow

│ │ │ │ (2) 402 Payment Required │ │ WWW-Authenticate: Payment id="..", │ │ method="..", intent="..", request=".." │ │<────────────────────────────────────────────────┤ │ │ │ (3) Client fulfills payment challenge │ │ (signs transaction, pays invoice, etc.) │ │ │ │ (4) GET /resource │ │ Authorization: Payment │ ├────────────────────────────────────────────────>│ │ │ │ (5) Server verifies and settles │ │ │ │ (6) 200 OK │ │ Payment-Receipt: │ │<────────────────────────────────────────────────┤ │ │ ]]>

Status Codes The following table defines how servers MUST respond to payment-related conditions. Condition Status Response Resource requires payment, no credential provided 402 Fresh challenge in WWW-Authenticate Malformed credential (invalid base64url, bad JSON) 402 Fresh challenge + malformed-credential problem Unknown, expired, or already-used challenge id 402 Fresh challenge + invalid-challenge problem Payment proof invalid or verification failed 402 Fresh challenge + verification-failed problem Payment verified, access granted 200 Resource + optional Payment-Receipt Payment verified, but policy denies access 403 No challenge (payment was valid) Servers MUST return 402 with a WWW-Authenticate: Payment header when payment is required or when a payment credential fails validation (see for details). Error details are provided in the response body using Problem Details rather than in the WWW-Authenticate header parameters.

Relationship to 401 Unauthorized This specification uses 402 (Payment Required) consistently for all payment-related challenges, including failed credential validation. This diverges from the traditional 401 pattern used by other HTTP authentication schemes. The distinction is intentional: 402 indicates a payment barrier (initial challenge or retry needed) 401 is reserved for authentication failures unrelated to payment 403 indicates the payment succeeded but access is denied by policy This design ensures clients can distinguish payment requirements from other authentication schemes that use 401.

Usage of 402 Payment Required

When to Return 402 Servers SHOULD return 402 when: The resource requires payment as a precondition for access The server can provide a Payment challenge that the client may fulfill Payment is the primary barrier to access (not authentication or authorization) Servers MAY return 402 when: Offering optional paid features or premium content Indicating that a previously-paid resource requires additional payment The payment requirement applies to a subset of request methods

When NOT to Return 402 Servers SHOULD NOT return 402 when: The client lacks authentication credentials (use 401) The client is authenticated but lacks authorization (use 403) The resource does not exist (use 404) No Payment challenge can be constructed for the request Servers MUST NOT return 402 without including a WWW-Authenticate header containing at least one Payment challenge.

Interaction with Other Authentication Schemes When a resource requires both authentication and payment, servers SHOULD: First verify authentication credentials Return 401 if authentication fails Return 402 with a Payment challenge only after successful authentication This ordering prevents information leakage about payment requirements to unauthenticated clients.

The Payment Authentication Scheme

Challenge (WWW-Authenticate) The Payment challenge is sent in the WWW-Authenticate header per . The challenge uses the auth-param syntax defined in Section 11 of :

Required Parameters id: Unique challenge identifier. Servers MUST bind this value to the challenge parameters (Section 5.1.3) to enable verification. Clients MUST include this value unchanged in the credential. realm: Protection space identifier per . Servers MUST include this parameter to define the scope of the payment requirement. method: Payment method identifier (). MUST be a lowercase ASCII string. intent: Payment intent type (). The value MUST be a registered entry in the IANA "HTTP Payment Intents" registry. request: Base64url-encoded JSON containing payment-method-specific data needed to complete payment. Structure is defined by the payment method specification. Padding characters ("=") MUST NOT be included. The JSON MUST be serialized using JSON Canonicalization Scheme (JCS) to ensure deterministic encoding across implementations. This is critical for challenge binding (): since the HMAC input includes the base64url-encoded request as it appears on the wire, different JSON serialization orders would produce different HMAC values, breaking cross-implementation interoperability.

Optional Parameters digest: Content digest of the request body, formatted per . Servers SHOULD include this parameter when the payment challenge applies to a request with a body (e.g., POST, PUT, PATCH). When present, clients MUST submit the credential with a request body whose digest matches this value. See Section 5.1.3 for body binding requirements. expires: Timestamp indicating when this challenge expires, formatted as an date-time string (e.g., "2025-01-15T12:00:00Z"). Servers SHOULD include this parameter. Clients MUST NOT submit credentials for expired challenges. description: Human-readable description of the resource or payment purpose. This parameter is for display purposes only and MUST NOT be relied upon for payment verification (see ). opaque: Base64url-encoded JSON containing server-defined correlation data (e.g., a payment processor intent identifier). The value MUST be a JSON object whose values are strings (a flat string-to-string map). Clients MUST return this parameter unchanged in the credential and MUST NOT modify it. The JSON MUST be serialized using JSON Canonicalization Scheme (JCS) before base64url encoding. Servers SHOULD include opaque in the challenge binding () to ensure tamper protection. Unknown parameters MUST be ignored by clients.

Challenge Binding Servers SHOULD bind the challenge id to the challenge parameters (Section 5.1.1 and Section 5.1.2) to prevent request integrity attacks where a client could sign or submit a payment different from what the server intended. Servers MUST verify that credentials present an id matching the expected binding. The binding mechanism is implementation-defined. Servers MAY use stateful storage (e.g., database lookup) or stateless verification (e.g., HMAC, authenticated encryption) to validate the binding.

Recommended: HMAC-SHA256 Binding Servers using HMAC-SHA256 for stateless challenge binding SHOULD compute the challenge id as follows: The HMAC input is constructed from exactly seven fixed positional slots. Required fields supply their string value; optional fields use an empty string ("") when absent. The slots are: Slot Field Value 0 realm Required. String value. 1 method Required. String value. 2 intent Required. String value. 3 request Required. JCS-serialized per , then base64url-encoded. 4 expires Optional. String value if present; empty string if absent. 5 digest Optional. String value if present; empty string if absent. 6 opaque Optional. JCS-serialized per , then base64url-encoded if present; empty string if absent. The computation proceeds as follows: Populate all seven slots as described above. Join all seven slots with the pipe character (|) as delimiter. Every slot is always present in the joined string; absent optional fields appear as empty segments (e.g., ...|expires||opaque_b64url when digest is absent). Compute HMAC-SHA256 over the resulting string using a server secret. Encode the HMAC output as base64url without padding ( Section 5).

Optional fields use fixed positional slots with empty strings when absent, rather than being omitted. This avoids ambiguity between combinations of optional fields — for example, (expires set, no digest) and (no expires, digest set) produce distinct inputs — and ensures that adding a new optional slot in a future revision does not change the HMAC for challenges that omit it.

Example Challenge

Decoded request example:

Request Body Digest Binding Servers SHOULD include the digest parameter when issuing challenges for requests with bodies. The digest value is computed per :

When verifying a credential with a digest parameter, servers MUST: Compute the digest of the current request body per Compare it with the digest value from the challenge Reject the credential if the digests do not match

Credentials (Authorization) The Payment credential is sent in the Authorization header using base64url encoding without padding per Section 5:

The base64url-nopad value is a base64url-encoded JSON object (without padding) containing: Field Type Required Description challenge object Yes Echoed challenge parameters source string No Payer identifier (RECOMMENDED: DID format per ) payload object Yes Method-specific payment proof The challenge object contains the parameters from the original challenge: Field Type Description id string Challenge identifier realm string Protection space method string Payment method identifier intent string Payment intent type request string Base64url-encoded payment request description string Human-readable payment purpose (if present in challenge) opaque string Base64url-encoded server correlation data (if present in challenge) digest string Content digest expires string Challenge expiration timestamp The payload field contains the payment-method-specific data needed to complete the payment challenge. Payment method specifications define the exact structure.

Example Credential

Decoded credential:

Payment-Receipt Header Servers SHOULD include a Payment-Receipt header on successful responses:

The decoded JSON object contains: Field Type Description status string "success" — receipts are only issued on successful payment method string Payment method used timestamp string settlement timestamp reference string Method-specific reference (tx hash, invoice id, etc.) Payment method specifications MAY define additional fields for receipts.

Receipt Status Semantics The status field MUST be "success", indicating the payment was verified and settled successfully. Receipts are only issued on successful payment responses (2xx status codes). Servers MUST NOT return a Payment-Receipt header on error responses. Payment failures are communicated via HTTP status codes and Problem Details . Servers MUST return 402 with a fresh challenge and appropriate problem type when payment verification fails.

Payment Methods

Method Identifier Format Payment methods are identified by lowercase ASCII letters:

Method identifiers are case-sensitive and MUST be lowercase.

Method Registry Payment methods are registered in the HTTP Payment Methods registry (). Each registered method has an associated specification that defines the request and payload schemas.

Payment Intents Payment intents describe the type of payment being requested.

Intent Identifiers

Intent Specifications Payment intents are defined in separate intent specifications that: Define the semantic meaning of the intent Specify required and optional request fields Specify payload requirements Define verification and settlement semantics Register the intent in the Payment Intent Registry () See the Payment Intent Registry for registered intents.

Intent Negotiation If a server supports multiple intents, it MAY issue multiple challenges:

Clients choose which challenge to respond to. Clients that do not recognize an intent SHOULD treat the challenge as unsupported.

Client Payment Preferences Clients MAY send an Accept-Payment request header to declare which payment method and intent combinations they support. The header uses the same weighted-preference model as other HTTP negotiation fields: omitted q values are equivalent to q=1, and q=0 means "do not use".

Examples:

When Accept-Payment is present, servers SHOULD consider it when choosing which Payment challenges to return. Specifically, servers SHOULD: Filter challenges to those matching at least one declared range with q>0 Order matching challenges by descending client q value Preserve server preference order when multiple matches have the same q Prefer the most specific matching range when multiple ranges match the same challenge If Accept-Payment is absent, servers MUST behave as though the client accepts any method and intent combination. If Accept-Payment is malformed, servers MAY ignore it. If Accept-Payment is present but no available challenge matches a declared range with q>0, servers MAY ignore the header and return their normal set of challenges. The WWW-Authenticate: Payment challenge remains authoritative even when Accept-Payment is used. Clients MUST validate the returned challenge before authorizing payment.

Error Handling

Error Response Format Servers SHOULD return Problem Details error bodies with 402 responses:

The type URI SHOULD correspond to one of the problem types defined below, and the canonical base URI for problem types is https://paymentauth.org/problems/.

Error Codes Code HTTP Description payment-required 402 Resource requires payment payment-insufficient 402 Amount too low payment-expired 402 Challenge or authorization expired verification-failed 402 Proof invalid method-unsupported 400 Method not accepted malformed-credential 402 Invalid credential format invalid-challenge 402 Challenge ID unknown, expired, or already used

Retry Behavior Servers SHOULD use the Retry-After HTTP header to indicate when clients may retry:

Extensibility

Payment Method Specifications Payment method specifications MUST define: Method Identifier: Unique lowercase string Request Schema: JSON structure for the request parameter Payload Schema: JSON structure for credential payloads Verification Procedure: How servers validate proofs Settlement Procedure: How payment is finalized Security Considerations: Method-specific threats and mitigations

Versioning The Payment scheme uses a layered versioning strategy:

Core Protocol The Payment scheme name is the stable identifier. The core protocol does NOT carry a version on the wire, consistent with all deployed HTTP authentication schemes (Basic, Bearer, Digest). Evolution happens through adding optional parameters and fields; implementations MUST ignore unknown parameters and fields. If a future change is truly incompatible, a new scheme name (e.g., Payment2) would be registered.

Payment Methods Payment method specifications MAY include a version field in their methodDetails. The absence of a version field is implicitly version 1. When a breaking change is needed, the method specification adds a version field starting at 2. Compatible changes (adding optional fields, defining defaults) do not require a version change. Methods MAY also register a new identifier for changes fundamental enough to warrant a distinct name.

Payment Intents Payment intents do not carry a version. They evolve through the same compatibility rules as the core: adding optional fields with defined defaults is compatible, and breaking changes require a new intent identifier (e.g., charge-v2).

Custom Parameters Implementations MAY define additional parameters in challenges: Parameters MUST use lowercase names Unknown parameters MUST be ignored by clients

Size Considerations Servers SHOULD keep challenges under 8KB. Clients MUST be able to handle challenges of at least 4KB. Servers MUST be able to handle credentials of at least 4KB.

Internationalization Considerations

Character Encoding All string values use UTF-8 encoding : The request and credential payloads are JSON Payment method identifiers are restricted to ASCII lowercase The realm parameter SHOULD use ASCII-only values per

Human-Readable Text The description parameter may contain localized text. Servers SHOULD use the Accept-Language request header to determine the appropriate language.

Security Considerations

Threat Model This specification assumes: Attackers can observe all network traffic Attackers can inject, modify, or replay messages Attackers may control malicious servers or clients

Transport Security This specification REQUIRES TLS 1.2 or later for all Payment authentication flows. TLS 1.3 is RECOMMENDED. Implementations MUST use TLS when transmitting Payment challenges and credentials. Payment credentials contain sensitive authorization data that could result in financial loss if intercepted. Servers MUST NOT issue Payment challenges over unencrypted HTTP. Clients MUST NOT send Payment credentials over unencrypted HTTP. Implementations SHOULD reject Payment protocol messages received over non-TLS connections.

Credential Handling Payment credentials are bearer tokens that authorize financial transactions. Servers and intermediaries MUST NOT log Payment credentials or include them in error messages, debugging output, or analytics. Credential exposure could enable replay attacks or unauthorized payments. Implementations MUST treat Payment credentials with the same care as authentication passwords or session tokens. Credentials SHOULD be stored only in memory and cleared after use.

Challenge-Binding Secret Management Implementations that use a shared secret for stateless challenge binding (for example, HMAC) MUST keep that secret on trusted server-side systems only and MUST NOT disclose it to clients. Servers MUST NOT log the secret or include it in error messages, debugging output, or analytics. If a server rotates a challenge-binding secret, it SHOULD continue verifying challenges issued under the previous secret until those challenges expire, or use an equivalent migration strategy that avoids invalidating unexpired challenges.

Replay Protection Payment methods used with this specification MUST provide single-use proof semantics. A payment proof MUST be usable exactly once; subsequent attempts to use the same proof MUST be rejected by the payment method infrastructure.

Idempotency and Side Effects Servers MUST NOT perform side effects (database writes, external API calls, resource creation) for requests that have not been paid. The unpaid request that triggers a 402 challenge MUST NOT modify server state beyond recording the challenge itself. For non-idempotent methods (POST, PUT, DELETE), servers SHOULD accept an Idempotency-Key header to enable safe client retries. When a client retries a request with the same Idempotency-Key and a valid Payment credential, the server SHOULD return the same response as the original successful request without re-executing the operation.

Concurrent Request Handling Servers MUST ensure that concurrent requests with the same Payment credential result in at most one successful payment settlement and one resource delivery. Race conditions between parallel requests could otherwise cause double-payment or double-delivery. Implementations SHOULD use atomic operations or distributed locks when verifying and consuming Payment credentials. The credential verification and resource delivery SHOULD be performed as an atomic operation where possible.

Amount Verification Clients MUST verify before authorizing payment: Requested amount is reasonable for the resource Recipient/address is expected Currency/asset is as expected Validity window is appropriate Clients MUST NOT rely on the description parameter for payment verification. Malicious servers could provide a misleading description while the actual request payload requests a different amount.

Privacy Servers MUST NOT require user accounts for payment. Payment methods SHOULD support pseudonymous options where possible. Servers SHOULD NOT log Payment credentials in plaintext

Credential Storage Implementations MUST treat Authorization: Payment headers and Payment-Receipt headers as sensitive data.

Intermediary Handling of 402 HTTP intermediaries (proxies, caches, CDNs) may not recognize 402 as an authentication challenge in the same way they handle 401. While this specification uses WWW-Authenticate headers with 402 responses following the same syntax as , intermediaries that perform special processing for 401 (such as stripping credentials or triggering authentication prompts) may not apply the same behavior to 402. Servers SHOULD NOT rely on intermediary-specific handling of 402 responses. Clients MUST be prepared to receive 402 responses through any intermediary.

Caching Payment challenges contain unique identifiers and time-sensitive payment data that MUST NOT be cached or reused. To prevent challenge replay and stale payment information: Servers MUST send Cache-Control: no-store with 402 responses; this ensures no shared cache reuse. Responses containing Payment-Receipt headers MUST include Cache-Control: private to prevent shared caches from storing payment receipts.

Cross-Origin Considerations Clients (particularly browser-based wallets) SHOULD: Clearly display the origin requesting payment Require explicit user confirmation before authorizing payments Not automatically respond to Payment challenges

Denial of Service Servers SHOULD implement rate limiting on challenges issued and credential verification attempts.

IANA Considerations

Authentication Scheme Registration This document registers the "Payment" authentication scheme in the "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry" established by : Authentication Scheme Name: Payment Reference: This document, Notes: Used with HTTP 402 status code for proof-of-payment flows

Header Field Registration This document registers the following header fields: Field Name Status Reference Accept-Payment permanent This document, Payment-Receipt permanent This document,

Payment Method Registry This document establishes the "HTTP Payment Methods" registry. This registry uses the "Specification Required" policy defined in . Registration requests must include: Method Identifier: Unique lowercase ASCII letters (a-z) Description: Brief payment-method description Specification pointer: Reference to the specification document Registrant Contact: Contact information for the registrant

Payment Intent Registry This document establishes the "HTTP Payment Intents" registry. This registry uses the "Specification Required" policy defined in . Registration requests must include: Intent Identifier: Unique lowercase ASCII string Description: Brief description of the intent semantics Specification pointer: Reference to the specification document Registrant Contact: Contact information for the registrant The registry is initially empty. Intent specifications register their identifiers upon publication.

&RFC2119; &RFC3339; &RFC3629; &RFC4648; &RFC5234; &RFC5246; &RFC8126; &RFC8174; &RFC8259; &RFC8446; &RFC8785; &RFC9110; &RFC9111; &RFC9457; &RFC9530; Decentralized Identifiers (DIDs) v1.0 W3C Payment Method Identifiers W3C

ABNF Collected

Examples

One-Time Charge A client requests a resource, receives a payment challenge, fulfills the payment, and receives the resource with a receipt.

│ │ │ │ (2) 402 Payment Required │ │ WWW-Authenticate: Payment ... │ │<─────────────────────────────────────┤ │ │ │ (3) Fulfill payment challenge │ │ (method-specific) │ │ │ │ (4) GET /resource │ │ Authorization: Payment ... │ ├─────────────────────────────────────>│ │ │ │ (5) 200 OK │ │ Payment-Receipt: ... │ │<─────────────────────────────────────┤ │ │ ]]> Challenge:

Decoded request:

Credential:

Decoded credential:

Success:

Challenge Negotiation with Accept-Payment The client can pre-declare its supported payment capabilities and let the server tailor the 402 response:

If the server supports all four combinations, it SHOULD prefer the higher-ranked tempo challenges, then stripe/charge, then solana/charge:

When multiple entries omit q, they are equally preferred. In that case, the server MAY order the returned challenges according to its own policy:

Clients can also use wildcards to express broader support. In the following example, the client prefers any tempo payment method, then any solana method, and least prefers stripe/charge:

If the server can offer tempo/session, tempo/charge, solana/charge, and stripe/charge, it SHOULD rank the tempo offers first, then solana/charge, then stripe/charge:

Clients can set q=0 to declare that a capability is not acceptable. In this example, the client is able to use tempo/session, but does not wish to receive that challenge for this request:

If the server would otherwise offer tempo/charge, tempo/session, solana/charge, and stripe/charge, it SHOULD omit tempo/session from the ranked set:

Signed Authorization A payment method using cryptographic signatures: Challenge:

Decoded request:

Credential:

Multiple Payment Options Servers MAY return multiple Payment challenges in a single 402 response, each with a different payment method or configuration:

When a server returns multiple challenges, clients SHOULD select one based on their capabilities and user preferences. Clients MUST send only one Authorization: Payment header in the subsequent request, corresponding to the selected challenge. Servers receiving multiple Payment credentials in a single request SHOULD reject with 400 (Bad Request).

Failed Payment Verification

The server returns 402 with a fresh challenge, allowing the client to retry with a new payment credential.

Acknowledgements TBD