MPP Conformance & Production Readiness
Before writing code
Fetch live docs:
- Fetch
https://paymentauth.org/for the canonical specification requirements - Fetch
https://datatracker.ietf.org/doc/draft-ryan-httpauth-payment/for the IETF draft compliance requirements - Web-search
site:docs.stripe.com payments machine mpp productionfor Stripe production readiness - Web-search
site:paymentauth.org draft-payment-discoveryfor service discovery compliance
Protocol Compliance Checklist
HTTP 402 Response
- Returns
402 Payment Requiredstatus code for unpaid requests - Includes
WWW-Authenticate: Payment <base64url-challenge>header - Challenge contains required fields:
id,realm,method,intent,request - Challenge JSON is RFC 8785 canonicalized before base64url encoding
- Challenge size under 8KB
- Error body follows RFC 9457 Problem Details format
Authorization Header
- Accepts
Authorization: Payment <base64url-credential>header - Parses credential correctly (base64url decode → JSON)
- Validates payment proof against the payment method
- Returns appropriate error for invalid credentials
Payment-Receipt Header
- Returns
Payment-Receipt: <base64url-receipt>on successful payment - Receipt contains: status, method, timestamp, reference
- Receipt is delivered atomically with the resource
Challenge Binding
- Uses 32-byte secret key for HMAC challenge binding
- Challenge IDs are unique and non-guessable
- Challenges have expiration timestamps
- Expired challenges are rejected
- Each challenge can only be consumed once (replay protection)
Transport Security
- TLS 1.2+ on all endpoints (TLS 1.3 recommended)
- HTTPS only (port 443)
-
Cache-Control: no-storeon responses with credentials - No plaintext credential logging
Payment Methods
- At least one payment method configured
- Tempo: correct chain ID (4217), valid USDC contract address, valid recipient
- Stripe: valid API key, correct SPT handling
- Payment verification is atomic (no partial states)
Service Discovery
-
GET /openapi.jsonreturns valid OpenAPI 3.x document -
x-service-infoextension present with categories and docs -
x-payment-infoextension on each payable operation - All payable operations declare
402response - OpenAPI document under 64 KB
-
Cache-Control: max-age=300on discovery endpoints -
llms.txtavailable with service description
Error Handling
-
payment-requiredfor initial challenges -
verification-failedfor invalid proofs -
payment-expiredfor expired challenges/credentials -
malformed-credentialfor unparseable credentials - All errors include RFC 9457
typeURLs
Production Readiness Checklist
Security
- Secret key stored in environment variable or secrets manager
- No hardcoded Stripe keys, wallet keys, or SPT tokens
- Key rotation strategy documented
- Rate limiting implemented
- DDoS protection (Cloudflare, AWS Shield, etc.)
Monitoring
- Payment success/failure metrics collected
- Challenge issuance rate tracked
- Revenue per endpoint dashboarded
- Alert on verification failure spikes
- Tempo chain health monitored (if using Tempo)
- Stripe API availability monitored (if using Stripe)
Reliability
- Health check endpoint (outside payment gate)
- Graceful degradation if payment provider is down
- Credential store (Redis/DB) for replay protection has failover
- Load tested with expected traffic volume
Operations
- Deployment does not interrupt active payment sessions
- Secret key rotation does not invalidate in-flight challenges
- Refund process documented and tested
- Billing reconciliation process defined
Fetch the latest specification and IETF draft for any newly added compliance requirements before running conformance checks.