feat: add auth-hints extension to streamline scheme-level authentication #1902

Open
alftom wants to merge 1 commit into x402-foundation:main from oma3dao:feat/extension-auth-hint

Contributor

@alftom alftom commented Apr 2, 2026

Adds the auth-hints extension specification (specs/extensions/extension-auth-hints.md).

This extension provides scheme-level authentication hints in x402 payment requirements, enabling clients to discover that specific payment schemes require authentication and complete registration/token acquisition before submitting a payment payload — avoiding an unnecessary 401 round trip.

Key points:

  • Described general auth scheme for x402, mainly on HTTP transports
  • Initial support for two auth method types: oauth2 (Bearer/DPoP) and sign-in-with-x
  • Defined scheme and acceptIndex hints for matching auth requirements to accepts[] entries
  • Documented how x402 works with standard HTTP WWW-Authenticate without any extension
  • Includes a complete example flow for OAuth 2.0 with DCR and DPoP
  • Explicitly separates authentication identity from payer wallet identity
  • Server ↔ Client only — the facilitator is not involved in authentication

This was discussed with @erikreppel-cb and @CarsonRoscoe and identified as a priority for enterprise and agent use cases where payment schemes like deferred require client identity verification.

Open question for discussion: should servers use acceptIndex (precise, per-entry), scheme (broad, per-scheme-type), or both for matching auth requirements to accepts[]?

Tests

Spec-only change — no code, no tests. This PR adds a single markdown file.

Checklist

  • I have formatted and linted my code
  • All new and existing tests pass
  • My commits are signed (required for merge)
  • I added a changelog fragment for user-facing changes (docs-only changes can skip)

- Described general auth scheme for x402, mainly on HTTP transports
- Initial support for two auth method types: oauth2 (Bearer/DPoP) and sign-in-with-x
- Defined scheme and acceptIndex hints.
@cb-heimdall

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

@vercel

vercel bot commented Apr 2, 2026

@alftom is attempting to deploy a commit to the Coinbase Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions bot added the specs Spec changes or additions label Apr 2, 2026