The "Payment" HTTP Authentication Scheme
draft-ryan-httpauth-payment-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Active".
|
|
|---|---|---|---|
| Authors | Brendan Ryan , Jake Moxey , Tom Meagher , Jeff Weinstein , Steve Kaliski | ||
| Last updated | 2026-02-15 | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-ryan-httpauth-payment-00
Network Working Group B. Ryan
Internet-Draft J. Moxey
Intended status: Experimental T. Meagher
Expires: 19 August 2026 Tempo Labs
J. Weinstein
S. Kaliski
Stripe
15 February 2026
The "Payment" HTTP Authentication Scheme
draft-ryan-httpauth-payment-00
Abstract
This document defines the "Payment" HTTP authentication scheme,
enabling HTTP resources to require a payment challenge to be
fulfilled before access. The scheme uses the HTTP 402 "Payment
Required" status code with the WWW-Authenticate and Authorization
headers to negotiate payment between clients and servers.
The protocol is payment-method agnostic; specific payment methods are
defined in separate specifications.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 19 August 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
Ryan, et al. Expires 19 August 2026 [Page 1]
Internet-Draft Payment Auth Scheme February 2026
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 2
3. Security Considerations . . . . . . . . . . . . . . . . . . . 2
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 3
5. Normative References . . . . . . . . . . . . . . . . . . . . 3
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 3
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 3
1. Introduction
HTTP 402 "Payment Required" was reserved in HTTP/1.1 [RFC9110] for
future use but never standardized. This specification defines the
"Payment" authentication scheme that gives 402 concrete semantics.
A server requiring payment responds with 402 and a WWW-Authenticate:
Payment challenge describing the payment requirements. The client
fulfills the payment and retries with an Authorization: Payment
credential. The server verifies the credential and grants access.
Payment methods, intents, and protocol details are defined in
subsequent revisions of this document and companion specifications.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Security Considerations
Payment credentials authorize financial transactions and MUST be
treated as sensitive bearer tokens. Implementations MUST use TLS for
all Payment authentication flows. Detailed security analysis will be
provided in a future revision.
Ryan, et al. Expires 19 August 2026 [Page 2]
Internet-Draft Payment Auth Scheme February 2026
4. IANA Considerations
This document registers the "Payment" authentication scheme in the
"Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry"
established by [RFC9110]:
* *Authentication Scheme Name*: Payment
* *Reference*: This document
* *Notes*: Used with HTTP 402 for proof-of-payment flows
Future revisions will request creation of additional registries for
payment methods and payment intents.
5. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC9110] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", STD 97, RFC 9110,
DOI 10.17487/RFC9110, June 2022,
<https://www.rfc-editor.org/info/rfc9110>.
Appendix A. Acknowledgements
TBD
Authors' Addresses
Brendan Ryan
Tempo Labs
Email: brendan@tempo.xyz
Jake Moxey
Tempo Labs
Email: jake@tempo.xyz
Ryan, et al. Expires 19 August 2026 [Page 3]
Internet-Draft Payment Auth Scheme February 2026
Tom Meagher
Tempo Labs
Email: thomas@tempo.xyz
Jeff Weinstein
Stripe
Email: jweinstein@stripe.com
Steve Kaliski
Stripe
Email: stevekaliski@stripe.com
Ryan, et al. Expires 19 August 2026 [Page 4]