| Internet-Draft | Payment JSON-RPC & MCP Transport | April 2026 |
| Moxey & Ryan | Expires 23 October 2026 | [Page] |
This document defines how the Payment HTTP Authentication Scheme operates over JSON-RPC 2.0 transports. It specifies the mapping of payment challenges to JSON-RPC error responses using implementation-defined error codes, credential transmission via metadata fields, receipt delivery in successful responses, and error handling conventions. This specification applies to any transport carrying JSON-RPC 2.0 messages, including WebSocket, HTTP, stdio, and protocol frameworks such as the Model Context Protocol (MCP).¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 23 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document may not be modified, and derivative works of it may not be created, except to format it for publication as an RFC or to translate it into languages other than English.¶
JSON-RPC 2.0 [JSON-RPC] is a stateless, lightweight remote procedure call protocol using JSON [RFC8259]. Many modern protocols layer JSON-RPC over various transports including HTTP, WebSocket [RFC6455], and stdio. Protocol frameworks such as the Model Context Protocol (MCP) [MCP] also use JSON-RPC 2.0 as their message format. This document defines how the Payment HTTP Authentication Scheme [I-D.httpauth-payment] operates within JSON-RPC 2.0 messages, independent of the underlying transport.¶
This specification defines:¶
Error codes for payment signaling¶
Challenge structure in JSON-RPC error responses¶
Credential transmission via _meta metadata fields¶
Receipt delivery via _meta metadata fields¶
Error handling conventions¶
Notification behavior¶
Capability advertisement¶
This specification applies to any system that exchanges JSON-RPC 2.0 messages, including but not limited to:¶
WebSocket: JSON-RPC over persistent wss:// connections
for real-time APIs, streaming services, and subscriptions.¶
HTTP: JSON-RPC 2.0 over standard HTTP request-response exchanges.¶
stdio: JSON-RPC 2.0 over standard input/output streams for local process communication.¶
This specification also defines MCP-specific conventions for
the Model Context Protocol [MCP], which uses JSON-RPC 2.0
for tool invocations (tools/call), resource access
(resources/read), and prompt retrieval (prompts/get).¶
Transport-specific security requirements (e.g., TLS for WebSocket, process isolation for stdio) are addressed in Section 12.3.¶
Native JSON: Use JSON objects directly rather than base64url encoding, leveraging JSON-RPC's native capabilities.¶
Transport Independent: Define payment semantics at the JSON-RPC layer, applicable to any transport carrying JSON-RPC messages.¶
Minimal Overhead: Add payment data only when needed via
the _meta extension mechanism.¶
Multiple Options: Support servers offering multiple payment methods in a single challenge.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses terminology from [I-D.httpauth-payment]:¶
The payment flow follows three phases within JSON-RPC message exchanges:¶
Client Server
│ │
│ (1) JSON-RPC Request │
│ {method: "...", params: {...}} │
├─────────────────────────────────────────────────────>│
│ │
│ (2) JSON-RPC Error │
│ {code: -32042, data: {challenges: [...]}} │
│<─────────────────────────────────────────────────────┤
│ │
│ (3) Client fulfills challenge │
│ │
│ (4) JSON-RPC Request │
│ {method: "...", │
│ _meta: {credential: {...}}} │
├─────────────────────────────────────────────────────>│
│ │
│ (5) JSON-RPC Result │
│ {result: {...}, _meta: {receipt: {...}}} │
│<─────────────────────────────────────────────────────┤
¶
Servers and clients SHOULD advertise supported payment methods and intents before payment flows begin. The capability object SHOULD contain:¶
methods (REQUIRED): Object mapping payment method
identifiers (as registered in the IANA HTTP Payment Methods
registry) to their configuration. Each method object MUST
contain an intents array listing the supported payment
intent types (as registered in the IANA HTTP Payment Intents
registry) for that method.¶
Example capability object:¶
{
"methods": {
"tempo": { "intents": ["charge"] },
"stripe": { "intents": ["charge"] }
}
}
¶
The mechanism for advertising capabilities depends on the transport:¶
WebSocket: Servers MAY send a payment.capabilities
JSON-RPC notification after connection establishment.¶
MCP: See Section 5.1.¶
Clients MAY use capability information to determine compatibility before invoking paid methods. Clients MUST NOT rely solely on capability advertisement to determine payment support; malicious servers could claim capabilities they don't properly implement. Clients SHOULD validate challenge structure before fulfilling payment.¶
For MCP specifically, servers SHOULD advertise payment support
in the InitializeResult:¶
{
"protocolVersion": "2025-11-25",
"capabilities": {
"tools": {},
"resources": {},
"experimental": {
"payment": {
"methods": {
"tempo": { "intents": ["charge"] },
"stripe": { "intents": ["charge"] }
}
}
}
},
"serverInfo": {
"name": "example-server",
"version": "1.0.0"
}
}
¶
Clients SHOULD advertise in the InitializeRequest:¶
{
"protocolVersion": "2025-11-25",
"capabilities": {
"experimental": {
"payment": {
"methods": {
"tempo": { "intents": ["charge"] }
}
}
}
},
"clientInfo": {
"name": "example-client",
"version": "1.0.0"
}
}
¶
Servers MAY use client capabilities to filter which payment options to offer in challenges.¶
When a JSON-RPC method requires payment, the server MUST respond
with a JSON-RPC error using code -32042 (Payment Required).
This code is within the JSON-RPC implementation-defined server
error range (-32000 to -32099) per [JSON-RPC]:¶
{
"jsonrpc": "2.0",
"id": 1,
"error": {
"code": -32042,
"message": "Payment Required",
"data": {
"httpStatus": 402,
"challenges": [
{
"id": "qB3wErTyU7iOpAsD9fGhJk",
"realm": "api.example.com",
"method": "tempo",
"intent": "charge",
"request": {
"amount": "1000",
"currency": "usd",
"recipient": "0x742d35Cc6634C0532925a3b844Bc9e7595f8fE00"
},
"expires": "2025-01-15T12:05:00Z",
"description": "API call fee"
}
],
"problem": {
"type": "https://paymentauth.org/problems/payment-required",
"title": "Payment Required",
"status": 402,
"detail": "Payment required for access."
}
}
}
}
¶
The error.data.httpStatus field SHOULD be included with value
402 to indicate the corresponding HTTP status code for
transports that bridge to HTTP (e.g., MCP Streamable HTTP).¶
The error.data object MUST contain:¶
challenges (REQUIRED): Array of one or more challenge objects.¶
problem (OPTIONAL): An RFC 9457 Problem Details object providing
additional error context. When present, contains type, title,
status, detail, and optionally challengeId.¶
Each challenge object MUST contain:¶
id (REQUIRED): Unique challenge identifier. Servers MUST
cryptographically bind this value to at minimum the following
parameters: realm, method, intent, request (canonical hash),
and expires. Clients MUST include this value unchanged in the
credential.¶
realm (REQUIRED): Protection space identifier defining the scope
of the payment requirement.¶
method (REQUIRED): Payment method identifier as registered in
the IANA HTTP Payment Methods registry.¶
intent (REQUIRED): Payment intent type as registered in the
IANA HTTP Payment Intents registry.¶
request (REQUIRED): Method-specific payment request data
as a native JSON object. Servers MUST NOT base64url-encode the
request when using JSON-RPC transport. For challenge binding
and challenge ID verification, both parties MUST canonicalize
request using JSON Canonicalization Scheme (JCS) [RFC8785]
and hash the canonicalized bytes. The schema is defined by the
payment method specification.¶
Each challenge object MAY contain:¶
expires (OPTIONAL): Timestamp in [RFC3339] format after which
the challenge is no longer valid. Clients SHOULD NOT attempt to
fulfill challenges past their expiry. If absent, servers define the
validity period.¶
description (OPTIONAL): Human-readable description of what the
payment is for.¶
When multiple challenges are present, they represent alternative payment options. Clients MUST select exactly one challenge to fulfill. Servers MUST NOT require multiple simultaneous payments via this mechanism.¶
Servers MAY offer multiple payment options by including multiple
challenge objects in the challenges array:¶
{
"jsonrpc": "2.0",
"id": 1,
"error": {
"code": -32042,
"message": "Payment Required",
"data": {
"httpStatus": 402,
"challenges": [
{
"id": "pT7yHnKmQ2wErXsZ5vCbNl",
"realm": "api.example.com",
"method": "tempo",
"intent": "charge",
"request": {
"amount": "1000",
"currency": "usd"
}
},
{
"id": "mF8uJkLpO3qRtYsA6wDcVb",
"realm": "api.example.com",
"method": "stripe",
"intent": "charge",
"request": {
"amount": "1000",
"currency": "usd"
}
}
]
}
}
}
¶
Clients SHOULD select one challenge based on their capabilities and user preferences. Clients MUST send only one credential corresponding to a single selected challenge.¶
This specification defines two placement strategies for the
_meta field, depending on the protocol:¶
Root-level _meta (Generic JSON-RPC): The _meta field
is placed at the root of the JSON-RPC message object. This
approach works with any JSON-RPC method regardless of whether
params is an object or an array:¶
{
"jsonrpc": "2.0",
"id": 2,
"method": "eth_getBlockByNumber",
"params": ["latest", false],
"_meta": {
"org.paymentauth/credential": { ... }
}
}
¶
Nested _meta (MCP): The _meta field is placed inside
params (for requests) or result (for responses), per MCP
conventions where params is always an object:¶
{
"jsonrpc": "2.0",
"id": 2,
"method": "tools/call",
"params": {
"name": "expensive-api",
"_meta": {
"org.paymentauth/credential": { ... }
}
}
}
¶
Servers MUST check both locations for _meta and MUST NOT
require clients to use a specific placement. Servers MUST
ignore org.paymentauth/credential on methods that do not
require payment.¶
Clients send payment credentials using the _meta field with
key org.paymentauth/credential. The key uses reverse-DNS
naming to avoid collisions with other extensions:¶
{
"jsonrpc": "2.0",
"id": 2,
"method": "eth_getBlockByNumber",
"params": ["latest", false],
"_meta": {
"org.paymentauth/credential": {
"challenge": {
"id": "qB3wErTyU7iOpAsD9fGhJk",
"realm": "api.example.com",
"method": "tempo",
"intent": "charge",
"request": {
"amount": "1000",
"currency": "usd",
"recipient": "0x742d35Cc6634C0532925a3b844Bc9e7595f8fE00"
},
"expires": "2025-01-15T12:05:00Z"
},
"payload": {
"signature": "0x1b2c3d4e5f..."
}
}
}
}
¶
The org.paymentauth/credential object MUST contain:¶
challenge (REQUIRED): The complete challenge object from the
server's -32042 error response. Clients MUST echo the challenge
unchanged.¶
payload (REQUIRED): Method-specific payment proof as a JSON
object. The schema is defined by the payment method specification.¶
The credential object MAY contain:¶
source (OPTIONAL): Identifier of the payment source (e.g., a
DID or address).¶
After successful payment verification and settlement, servers
MUST include a receipt using _meta with key
org.paymentauth/receipt. The _meta field placement follows
the same rules as Section 7.1: root-level for generic
JSON-RPC, nested in result for MCP.¶
{
"jsonrpc": "2.0",
"id": 2,
"result": {
"number": "0x1348c9",
"hash": "0x7736fab79e05dc611604d22470dadad2..."
},
"_meta": {
"org.paymentauth/receipt": {
"status": "success",
"method": "tempo",
"timestamp": "2025-01-15T12:00:30Z",
"reference": "tx_abc123...",
"challengeId": "qB3wErTyU7iOpAsD9fGhJk"
}
}
}
¶
Servers MUST return org.paymentauth/receipt on every successful
response to a paid request. Servers MUST NOT return receipts for
unpaid requests.¶
The org.paymentauth/receipt object MUST contain:¶
status (REQUIRED): Settlement status. MUST be "success" for
successful payments.¶
method (REQUIRED): Payment method that was used.¶
timestamp (REQUIRED): [RFC3339] timestamp of settlement.¶
challengeId (REQUIRED): The id from the fulfilled challenge.¶
The receipt object MAY contain:¶
reference (OPTIONAL): Method-specific settlement reference
(e.g., transaction hash, invoice ID).¶
The following MCP operations support payment flows.¶
Tool invocations via tools/call MAY require payment:¶
Challenge:¶
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "premium-analysis"
}
}
¶
Response:¶
{
"jsonrpc": "2.0",
"id": 1,
"error": {
"code": -32042,
"message": "Payment Required",
"data": {
"httpStatus": 402,
"challenges": [{
"id": "tool-pay-123",
"realm": "tools.example.com",
"method": "tempo",
"intent": "charge",
"request": {"amount": "500", "currency": "usd"}
}]
}
}
}
¶
Resource reads via resources/read MAY require payment:¶
Challenge:¶
{
"jsonrpc": "2.0",
"id": 1,
"method": "resources/read",
"params": {
"uri": "data://premium/market-data"
}
}
¶
Response:¶
{
"jsonrpc": "2.0",
"id": 1,
"error": {
"code": -32042,
"message": "Payment Required",
"data": {
"httpStatus": 402,
"challenges": [{
"id": "resource-pay-456",
"realm": "data.example.com",
"method": "stripe",
"intent": "charge",
"request": {"amount": "100", "currency": "usd"}
}]
}
}
}
¶
Prompt retrieval via prompts/get MAY require payment:¶
Response:¶
{
"jsonrpc": "2.0",
"id": 1,
"error": {
"code": -32042,
"message": "Payment Required",
"data": {
"httpStatus": 402,
"challenges": [{
"id": "prompt-pay-789",
"realm": "prompts.example.com",
"method": "tempo",
"intent": "charge",
"request": {"amount": "50", "currency": "usd"}
}]
}
}
}
¶
Servers MUST map payment errors to JSON-RPC error codes within the server error range (-32000 to -32099) per [JSON-RPC]:¶
| Condition | Code | Description |
|---|---|---|
| Payment required | -32042 | Payment challenge in error.data
|
| Payment verification failed | -32043 | Fresh challenge + failure reason |
| Malformed credential | -32602 | Invalid params (bad JSON structure) |
| Internal payment error | -32603 | Payment processor failure |
Note: -32700 (Parse error) applies only when the entire JSON-RPC
message is unparseable, not for malformed _meta subfields. Use
-32602 for credential structure errors.¶
When payment verification fails, servers MUST return code -32043
with a fresh challenge and failure details:¶
{
"jsonrpc": "2.0",
"id": 2,
"error": {
"code": -32043,
"message": "Payment Verification Failed",
"data": {
"httpStatus": 402,
"challenges": [{
"id": "retry-challenge-abc",
"realm": "api.example.com",
"method": "tempo",
"intent": "charge",
"request": {"amount": "1000", "currency": "usd"}
}],
"failure": {
"reason": "signature-invalid",
"detail": "Signature verification failed"
}
}
}
}
¶
On verification failure, servers MAY return the same challenge if it
remains valid, or issue a fresh challenge. Clients SHOULD treat any
-32043 response as requiring a new payment attempt.¶
The failure object MAY contain:¶
reason (OPTIONAL): Machine-readable failure code.¶
detail (OPTIONAL): Human-readable failure description.¶
Technical errors use standard JSON-RPC error codes:¶
Invalid Params (-32602):¶
Used for malformed credentials or missing required fields:¶
{
"jsonrpc": "2.0",
"id": 2,
"error": {
"code": -32602,
"message": "Invalid params",
"data": {
"detail": "Missing required field: challenge.id"
}
}
}
¶
JSON-RPC notifications are requests without an id field that
expect no response. Since payment challenges require a response,
notifications cannot support payment flows.¶
Servers MUST NOT process payment-gated operations invoked as notifications. Servers SHOULD silently drop such notifications per JSON-RPC 2.0 semantics.¶
Servers MAY log dropped payment-required notifications for debugging purposes.¶
Servers MAY send JSON-RPC notifications to deliver data after a client has fulfilled a prior payment challenge (e.g., streaming subscription updates over WebSocket).¶
Clients SHOULD NOT invoke payment-gated operations as
notifications. Operations that may require payment SHOULD always
include a request id to receive payment challenges and results.¶
Servers MUST cryptographically bind challenge IDs to their parameters
(at minimum: realm, method, intent, request hash, expires).
The request hash MUST be computed over the JCS-canonicalized
representation of request per [RFC8785].
This prevents clients from reusing a challenge ID with modified
payment terms.¶
Servers SHOULD also bind challenges to the specific operation being requested (e.g., tool name, resource URI) to prevent a challenge issued for one operation being used for another.¶
Servers MUST reject credentials for:¶
Servers SHOULD maintain a record of used challenge IDs for at least the challenge validity period. For high-throughput scenarios, servers MAY use stateless challenge tokens (e.g., MAC over canonical parameters) and maintain only a post-use replay set.¶
When two concurrent requests race using the same challenge, servers MUST ensure only one succeeds via atomic check-and-mark operations.¶
When using network transports (HTTP, WebSocket), all communication MUST occur over TLS 1.2 [RFC5246] or later (TLS 1.3 [RFC8446] RECOMMENDED).¶
For stdio transport, security depends on the process isolation provided by the operating system.¶
For persistent transports (e.g., WebSocket), servers SHOULD additionally rate limit connection establishment and close connections that exceed challenge request thresholds.¶
Payment credentials MAY contain sensitive data (signatures, tokens). Clients MUST NOT log or persist credentials beyond immediate use. Servers MUST NOT log full credential payloads. This includes crash dumps, distributed tracing, and analytics telemetry.¶
On-path attackers or malicious intermediaries could strip
org.paymentauth/credential from requests (causing repeated
payment challenges) or org.paymentauth/receipt from responses
(affecting auditability). For network transports, TLS provides
integrity. For stdio transport, rely on process isolation.¶
Clients may be tricked into paying for unintended operations if method names or realms are misleading. Client implementations SHOULD:¶
This document has no IANA actions. Payment methods and intents are registered per [I-D.httpauth-payment].¶
Servers MUST use the following JSON-RPC error codes:¶
| Code | Name | Description |
|---|---|---|
| -32042 | Payment Required | Server requires payment to proceed |
| -32043 | Payment Verification Failed | Payment credential invalid |
These codes are within the JSON-RPC server error range (-32000 to -32099). Implementations MUST use these exact codes for interoperability.¶
An eth_getBlockByNumber call over WebSocket with payment
required for RPC access:¶
Connection:¶
GET / HTTP/1.1 Host: rpc.example.com Upgrade: websocket Connection: Upgrade¶
Step 1: Initial Request¶
{
"jsonrpc": "2.0",
"id": 1,
"method": "eth_getBlockByNumber",
"params": ["latest", false]
}
¶
Step 2: Payment Challenge¶
{
"jsonrpc": "2.0",
"id": 1,
"error": {
"code": -32042,
"message": "Payment Required",
"data": {
"httpStatus": 402,
"challenges": [{
"id": "ch_ws_789",
"realm": "rpc.example.com",
"method": "tempo",
"intent": "charge",
"request": {
"amount": "1",
"currency": "usd",
"recipient": "0x742d35Cc6634C0532925a3b844Bc9e7595f8fE00"
},
"expires": "2025-01-15T12:05:00Z",
"description": "Ethereum RPC call"
}]
}
}
}
¶
Step 3: Request with Credential¶
{
"jsonrpc": "2.0",
"id": 2,
"method": "eth_getBlockByNumber",
"params": ["latest", false],
"_meta": {
"org.paymentauth/credential": {
"challenge": {
"id": "ch_ws_789",
"realm": "rpc.example.com",
"method": "tempo",
"intent": "charge",
"request": {
"amount": "1",
"currency": "usd",
"recipient": "0x742d35Cc6634C0532925a3b844Bc9e7595f8fE00"
},
"expires": "2025-01-15T12:05:00Z"
},
"source": "0x1234567890abcdef...",
"payload": {
"signature": "0xabc123..."
}
}
}
}
¶
Step 4: Success with Receipt¶
{
"jsonrpc": "2.0",
"id": 2,
"result": {
"number": "0x1348c9",
"hash": "0x7736fab79e05dc611604d22470dadad2...",
"parentHash": "0x61cdb2a09ab99abf791d474f20c2ea...",
"timestamp": "0x56ffeff8",
"gasLimit": "0x47e7c4",
"gasUsed": "0x38658",
"miner": "0xf8b483dba2c3b7176a3da549ad41a48b...",
"transactions": []
},
"_meta": {
"org.paymentauth/receipt": {
"status": "success",
"method": "tempo",
"timestamp": "2025-01-15T12:00:15Z",
"reference": "0xtx789...",
"challengeId": "ch_ws_789"
}
}
}
¶
A complete MCP tool call with payment, using nested _meta
per MCP conventions:¶
Step 1: Initial Request¶
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "web-search",
"arguments": {"query": "MCP protocol"}
}
}
¶
Step 2: Payment Challenge¶
{
"jsonrpc": "2.0",
"id": 1,
"error": {
"code": -32042,
"message": "Payment Required",
"data": {
"httpStatus": 402,
"challenges": [{
"id": "ch_abc123",
"realm": "search.example.com",
"method": "tempo",
"intent": "charge",
"request": {
"amount": "10",
"currency": "usd",
"recipient": "0x742d35Cc6634C0532925a3b844Bc9e7595f8fE00"
},
"expires": "2025-01-15T12:05:00Z",
"description": "Web search query"
}]
}
}
}
¶
Step 3: Request with Payment¶
{
"jsonrpc": "2.0",
"id": 2,
"method": "tools/call",
"params": {
"name": "web-search",
"arguments": {"query": "MCP protocol"},
"_meta": {
"org.paymentauth/credential": {
"challenge": {
"id": "ch_abc123",
"realm": "search.example.com",
"method": "tempo",
"intent": "charge",
"request": {
"amount": "10",
"currency": "usd",
"recipient": "0x742d35Cc6634C0532925a3b844Bc9e7595f8fE00"
},
"expires": "2025-01-15T12:05:00Z"
},
"source": "0x1234567890abcdef...",
"payload": {
"signature": "0xabc123..."
}
}
}
}
}
¶
Step 4: Success with Receipt¶
{
"jsonrpc": "2.0",
"id": 2,
"result": {
"content": [{
"type": "text",
"text": "Search results for 'MCP protocol'..."
}],
"_meta": {
"org.paymentauth/receipt": {
"status": "success",
"method": "tempo",
"timestamp": "2025-01-15T12:00:15Z",
"reference": "0xtx789...",
"challengeId": "ch_abc123"
}
}
}
}
¶
MCP Base Protocol: https://modelcontextprotocol.io/specification/2025-11-25/basic¶
MCP Transports: https://modelcontextprotocol.io/specification/2025-11-25/basic/transports¶
MCP Tools: https://modelcontextprotocol.io/specification/2025-11-25/server/tools¶
MCP Resources: https://modelcontextprotocol.io/specification/2025-11-25/server/resources¶
MCP _meta Field: https://modelcontextprotocol.io/specification/2025-11-25/basic¶