| Internet-Draft | Payment Auth Scheme | February 2026 |
| Ryan, et al. | Expires 19 August 2026 | [Page] |
This document defines the "Payment" HTTP authentication scheme, enabling HTTP resources to require a payment challenge to be fulfilled before access. The scheme uses the HTTP 402 "Payment Required" status code with the WWW-Authenticate and Authorization headers to negotiate payment between clients and servers.¶
The protocol is payment-method agnostic; specific payment methods are defined in separate specifications.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 19 August 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
HTTP 402 "Payment Required" was reserved in HTTP/1.1 [RFC9110] for future use but never standardized. This specification defines the "Payment" authentication scheme that gives 402 concrete semantics.¶
A server requiring payment responds with 402 and a
WWW-Authenticate: Payment challenge describing the payment
requirements. The client fulfills the payment and retries with
an Authorization: Payment credential. The server verifies the
credential and grants access.¶
Payment methods, intents, and protocol details are defined in subsequent revisions of this document and companion specifications.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Payment credentials authorize financial transactions and MUST be treated as sensitive bearer tokens. Implementations MUST use TLS for all Payment authentication flows. Detailed security analysis will be provided in a future revision.¶
This document registers the "Payment" authentication scheme in the "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry" established by [RFC9110]:¶
Authentication Scheme Name: Payment¶
Reference: This document¶
Notes: Used with HTTP 402 for proof-of-payment flows¶
Future revisions will request creation of additional registries for payment methods and payment intents.¶