<!--
Sitemap:
- [CLI Playground](/_cli)
- [Page Not Found](/404)
- [Brand](/brand): MPP brand assets and guidelines
- [Frequently asked questions](/faq): Common questions about the Machine Payments Protocol
- [Machine Payments Protocol](/overview): The open protocol for internet-native payments
- [Payment methods](/payment-methods/): Available methods and how to choose one
- [Protocol overview](/protocol/): Standardizing HTTP 402 for machine-to-machine payments
- [Quickstart](/quickstart/): Get started with MPP in minutes
- [SDKs & Tools](/sdk/): Official implementations in multiple languages
- [Building with AI](/guides/building-with-ai): Use llms-full.txt to give your coding agent complete MPP context.
- [Accept one-time payments](/guides/one-time-payments): Charge per request with a payment-gated API
- [Accept pay-as-you-go payments](/guides/pay-as-you-go): Session-based billing with payment channels
- [Accept streamed payments](/guides/streamed-payments): Per-token billing over Server-Sent Events
- [Charge](/intents/charge): Immediate one-time payments
- [Custom](/payment-methods/custom): Build your own payment method
- [Stripe](/payment-methods/stripe/): Cards, wallets, and other Stripe supported payment methods
- [Tempo](/payment-methods/tempo/): Stablecoin payments on the Tempo blockchain
- [Challenges](/protocol/challenges): Server-issued payment requirements
- [Credentials](/protocol/credentials): Client-submitted payment proofs
- [HTTP 402 payment required](/protocol/http-402): The status code that signals payment is required
- [Receipts](/protocol/receipts): Server acknowledgment of successful payment
- [Transports](/protocol/transports/): HTTP and MCP bindings for payment flows
- [Client quickstart](/quickstart/client): Handle payment-gated resources automatically
- [presto](/quickstart/presto): Make paid HTTP requests from the command line
- [Server quickstart](/quickstart/server): Charge for resources and verify payment credentials
- [Python SDK](/sdk/python/): The pympp Python library
- [Rust SDK](/sdk/rust/): The mpp Rust library
- [Getting started](/sdk/typescript/): The mppx TypeScript library
- [presto](/tools/presto): Command-line HTTP client for MPP
- [Stripe charge](/payment-methods/stripe/charge): One-time payments using Stripe Payment Tokens
- [Tempo charge](/payment-methods/tempo/charge): One-time TIP-20 token transfers
- [Session](/payment-methods/tempo/session): Low-cost high-throughput payments
- [HTTP transport](/protocol/transports/http): Payment flows using standard HTTP headers
- [MCP transport](/protocol/transports/mcp): Payment flows for AI tool calls
- [Client](/sdk/python/client): Handle 402 responses automatically
- [Core Types](/sdk/python/core): Challenge, Credential, and Receipt primitives
- [Server](/sdk/python/server): Protect endpoints with payment requirements
- [Client](/sdk/rust/client): Handle 402 responses automatically
- [Server](/sdk/rust/server): Protect endpoints with payment requirements
- [CLI Reference](/sdk/typescript/cli): Built-in command-line tool for paid HTTP requests
- [Method.from](/sdk/typescript/Method.from)
- [presto examples](/tools/presto/examples): Real-world usage patterns
- [tempo](/sdk/typescript/client/Method.tempo): Register all Tempo intents
- [Method.tempo.charge](/sdk/typescript/client/Method.tempo.charge): One-time payments
- [Method.tempo.session](/sdk/typescript/client/Method.tempo.session): Low-cost high-throughput payments
- [Mppx.create](/sdk/typescript/client/Mppx.create)
- [Mppx.restore](/sdk/typescript/client/Mppx.restore)
- [Transport.from](/sdk/typescript/client/Transport.from)
- [Transport.http](/sdk/typescript/client/Transport.http)
- [Transport.mcp](/sdk/typescript/client/Transport.mcp)
- [BodyDigest.compute](/sdk/typescript/core/BodyDigest.compute)
- [BodyDigest.verify](/sdk/typescript/core/BodyDigest.verify)
- [Challenge.deserialize](/sdk/typescript/core/Challenge.deserialize)
- [Challenge.from](/sdk/typescript/core/Challenge.from)
- [Challenge.fromHeaders](/sdk/typescript/core/Challenge.fromHeaders)
- [Challenge.fromMethod](/sdk/typescript/core/Challenge.fromMethod)
- [Challenge.fromResponse](/sdk/typescript/core/Challenge.fromResponse)
- [Challenge.meta](/sdk/typescript/core/Challenge.meta)
- [Challenge.serialize](/sdk/typescript/core/Challenge.serialize)
- [Challenge.verify](/sdk/typescript/core/Challenge.verify)
- [Credential.deserialize](/sdk/typescript/core/Credential.deserialize)
- [Credential.from](/sdk/typescript/core/Credential.from)
- [Credential.fromRequest](/sdk/typescript/core/Credential.fromRequest)
- [Credential.serialize](/sdk/typescript/core/Credential.serialize)
- [Expires](/sdk/typescript/core/Expires)
- [Method.from](/sdk/typescript/core/Method.from)
- [Method.toClient](/sdk/typescript/core/Method.toClient)
- [Method.toServer](/sdk/typescript/core/Method.toServer)
- [PaymentRequest.deserialize](/sdk/typescript/core/PaymentRequest.deserialize)
- [PaymentRequest.from](/sdk/typescript/core/PaymentRequest.from)
- [PaymentRequest.serialize](/sdk/typescript/core/PaymentRequest.serialize)
- [Receipt.deserialize](/sdk/typescript/core/Receipt.deserialize)
- [Receipt.from](/sdk/typescript/core/Receipt.from)
- [Receipt.fromResponse](/sdk/typescript/core/Receipt.fromResponse)
- [Receipt.serialize](/sdk/typescript/core/Receipt.serialize)
- [Elysia](/sdk/typescript/middlewares/elysia): Payment middleware for Elysia
- [Express](/sdk/typescript/middlewares/express): Payment middleware for Express
- [Hono](/sdk/typescript/middlewares/hono): Payment middleware for Hono
- [Next.js](/sdk/typescript/middlewares/nextjs): Payment middleware for Next.js
- [Method.tempo.charge](/sdk/typescript/server/Method.tempo.charge)
- [Method.tempo.session](/sdk/typescript/server/Method.tempo.session): Low-cost high-throughput payments
- [Mppx.create](/sdk/typescript/server/Mppx.create)
- [Mppx.toNodeListener](/sdk/typescript/server/Mppx.toNodeListener)
- [Transport.from](/sdk/typescript/server/Transport.from)
- [Transport.http](/sdk/typescript/server/Transport.http)
- [Transport.mcp](/sdk/typescript/server/Transport.mcp)
- [Transport.mcpSdk](/sdk/typescript/server/Transport.mcpSdk)
-->

# Challenges \[Server-issued payment requirements]

Your server issues a **challenge** to describe the payment required for a resource. Send challenges in the `WWW-Authenticate` header using the `Payment` authentication scheme.

## Structure

```http
WWW-Authenticate: Payment id="qB3wErTyU7iOpAsD9fGhJk",
    realm="mpp.dev",
    method="tempo",
    intent="charge",
    expires="2025-01-15T12:05:00Z",
    request="eyJhbW91bnQiOiIxMDAwIiwiY3VycmVuY3kiOiJ1c2QifQ"
```

### Required parameters

| Parameter | Description |
|-----------|-------------|
| `id` | Unique challenge identifier, cryptographically bound to challenge parameters |
| `realm` | Protection space identifier (typically the API domain) |
| `method` | Payment method identifier (such as `tempo` or `stripe`) |
| `intent` | Payment intent type (such as `charge` or `authorize`) |
| `request` | Base64url-encoded JSON with payment details |

### Optional parameters

| Parameter | Description |
|-----------|-------------|
| `expires` | ISO 8601 timestamp when the challenge expires |
| `description` | Human-readable description of what's being paid for |

## `request` object

The `request` parameter contains method-specific payment details encoded as base64url JSON:

```json [Decoded request object]
{
  "amount": "1000",
  "currency": "usd",
  "recipient": "0xa726a1CD723409074DF9108A2187cfA19899aCF8"
}
```

Common fields across payment methods:

| Field | Description |
|-------|-------------|
| `amount` | Payment amount in base units (for example, cents for USD) |
| `currency` | Currency code (`usd`) or token address (`0x20c0...`) |
| `recipient` | Payment destination in method-native format |

## Multiple challenges

Servers can offer multiple payment options in a single response:

```http
HTTP/1.1 402 Payment Required
WWW-Authenticate: Payment id="abc", method="tempo", ...
WWW-Authenticate: Payment id="def", method="stripe", ...
```

Clients select one based on their capabilities and submit a single credential.

## Challenge binding

:::warning\[Security requirement]
Challenges must be cryptographically bound to their parameters through the `id` field. This prevents clients from reusing a challenge ID with modified payment terms.
:::

Typical binding includes:

* `realm`, `method`, `intent`
* Hash of the `request` object
* `expires` timestamp

Use an [HMAC-bound](https://en.wikipedia.org/wiki/HMAC) challenge ID to prevent clients from reusing a challenge ID with modified payment terms.

## Learn more

<Cards>
  <SpecCard to="https://tempoxyz.github.io/mpp-specs/" />

  <PaymentMethodsCard />
</Cards>