]> Tempo Labs

brendan@tempo.xyz

Tempo Labs

jake@tempo.xyz

Tempo Labs

thomas@tempo.xyz

Stripe

jweinstein@stripe.com

Stripe

stevekaliski@stripe.com

This document defines the "Payment" HTTP authentication scheme, enabling HTTP resources to require a payment challenge to be fulfilled before access. The scheme uses the HTTP 402 "Payment Required" status code with the WWW-Authenticate and Authorization headers to negotiate payment between clients and servers. The protocol is payment-method agnostic; specific payment methods are defined in separate specifications.

Introduction HTTP 402 "Payment Required" was reserved in HTTP/1.1 for future use but never standardized. This specification defines the "Payment" authentication scheme that gives 402 concrete semantics. A server requiring payment responds with 402 and a WWW-Authenticate: Payment challenge describing the payment requirements. The client fulfills the payment and retries with an Authorization: Payment credential. The server verifies the credential and grants access. Payment methods, intents, and protocol details are defined in subsequent revisions of this document and companion specifications.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Security Considerations Payment credentials authorize financial transactions and MUST be treated as sensitive bearer tokens. Implementations MUST use TLS for all Payment authentication flows. Detailed security analysis will be provided in a future revision.

IANA Considerations This document registers the "Payment" authentication scheme in the "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry" established by : Authentication Scheme Name: Payment Reference: This document Notes: Used with HTTP 402 for proof-of-payment flows Future revisions will request creation of additional registries for payment methods and payment intents.

&RFC2119; &RFC8174; &RFC9110;

Acknowledgements TBD