diff --git a/proposals/web-payments-http-api/index.html b/proposals/web-payments-http-api/index.html new file mode 100644 index 0000000..425e6d9 --- /dev/null +++ b/proposals/web-payments-http-api/index.html @@ -0,0 +1,543 @@ + + +
++This document outlines how to register payment apps, request payments, +and acknowledge payment requests using a standard HTTP API. +
+There are a number of ways that one may participate in the development of + this specification:
+ ++This HTTP API enables a web application to initiate payment for a product or +service by responding with an HTTP 402 Payment Required response and +enough data to initiate and complete a payment flow. The +implementation of this feature is expected to be implemented by any HTTP +server and client that is interested in executing payments. +
+This document is a detailed specification for a HyperText Transfer Protocol + application programming interface (HTTP API) for executing payments via + an HTTP client and server. The document is primarily intended for the following + audiences:
+ ++The terminology in this specification's terminology and messages need to be +updated to match the +Payments Architecture document. +
+ ++The diagram below outlines a basic HTTP client payment flow with no errors. +The basic flow starts out with the payer accessing a protected resource. +The payee provides a location where a payment request for the resource +can be fetched. The payer fetches the payment request, selects +a payment app, and sends the request and the selected app +on to the appropriate payment service provider for processing. The +payment service provider initiates the payment and sends a +payment request acknowledgement back to the payer. The payer +then forwards the payment request acknowledgement back to the +payee. If there are no errors, the payee then grants access to +the resource that was purchased. +
+ ++The flow below reflects a fairly advanced tokenized payment scenario. We may +want to use a simpler basic credit card flow where the customer doesn't have +a payment service provider and just returns the credit card details to the +merchant. +
+ + + ++It may be a good idea to return the payment request with the 402 response. +The concern is that this would be a misrepresentation of the resource. The +counter-argument is that a client shouldn't interpret a 402 response as +the resource, and since 402 has not been formally defined yet, we could +define it to always come with a payment request response. +
+ +Location
header
+to fetch the request
from.
+ request
from the URL specified
+in the Location
header in the previous step.
+ acceptedMethods
in the
+payment request.
+ request
, and
+selected payment app via an HTTP POST to the
+paymentRequestService
in the payment app for approval.
+ paymentRequestService
in the
+acceptedMethod
(note that the payee
+sets this, not the payment app).
+
+Melvin Carvalho has also raised an issue noting that we may not want to use
+402 and the Location header, but rather an additional HTTP header called
+Payment
that is compatible with multiple 4xx error conditions.
+
+The diagram below outlines the basic payment flow described above for a +push-based payment. +
++Describe the payment flow in detail here using Adrian's flow diagram and Ian's +steps. +
+ ++GET /apps/visa HTTP/1.1 +Host: mybank.example.org +Date: Tue, 07 Jun 2017 20:51:35 GMT +Accept: application/json +Authorization: Digest username="jdoe", realm="jane@mybank.example.org", ... ++
+GET /apps/visa HTTP/1.1 +Host: mybank.example.org +Date: Tue, 07 Jun 2017 20:51:35 GMT +Accept: application/json +Authorization: Signature keyId="https://mybank.example.org/people/jane/keys/42", + algorithm="rsa-sha256",headers="(request-target) host date", + signature="jgSqYK0yKclIHfF9zdApVEbDp5eqj8C4i4X76pE+XHoxugXv7qnVrGR+30bmB + gtpR39I4utq17s9ghz/2QFVxlnToYAvbSVZJ9ulLd1HQBugO0jOyn9sXOtcN7 + uNHBjqNCqUsnt0sw/cJA6B6nJZpyNqNyAXKdxZZItOuhIs78w=" ++
+HTTP/1.1 200 OK +Date: Tue, 07 Jun 2017 20:51:36 GMT +Content-Type: application/json +Content-Length: 412 + +{ + "type": "PaymentApp", + "paymentMethod": "https://payments.example.org/payment-schemes#Visa", + "label": "ExampleBank Visa Card", + "paymentRequestService": "https://mybank.example.org/services/cards/2745023475" +} ++
+GET /movies/dr-strangelove HTTP/1.1 +Host: videos.example.com +Date: Tue, 07 Jun 2017 21:31:35 GMT ++
+HTTP/1.1 402 Payment Required +Date: Tue, 07 Jun 2017 21:31:36 GMT +Content-Type: application/json +Content-Length: 873 + +{ + "type": "PaymentRequest", + "description": "Payment for Dr. Strangelove", + "acceptedMethod": { + "paymentMethod": "https://payments.example.org/payment-schemes#Visa", + "transfer": { + "amount": "2.99", + "currency": "USD" + }, + "destination": "20389472398" + }, + "paymentCompleteService": "https://videos.example.com/services/paymentComplete?transaction=923847298" +} ++
+POST /services/cards/2745023475 HTTP/1.1 +Host: mybank.example.org +Date: Tue, 07 Jun 2017 20:51:35 GMT +Accept: application/json + +{ + "type": "PaymentRequest", + "description": "Payment for Dr. Strangelove", + "acceptedMethod": { + "paymentMethod": "https://payments.example.org/payment-schemes#Visa", + "transfer": { + "amount": "2.99", + "currency": "USD" + }, + "destination": "20389472398" + }, + "paymentCompleteService": "https://videos.example.com/services/paymentComplete?transaction=923847298" +} ++
+HTTP/1.1 200 OK +Date: Tue, 07 Jun 2017 20:51:36 GMT +Content-Type: application/json +Content-Length: 623 + +{ + "type": "PaymentAcknowledgement", + "description": "Payment to ExampleMerch for widgets", + "selectedScheme": { + "paymentMethod": "https://payments.example.org/payment-schemes#Visa", + "status": "authorized", + "token": "10025AB", + "transfer": { + "amount": "2.99", + "currency": "USD" + }, + "destination": "20389472398" + } +} ++
+POST /services/paymentComplete?transaction=923847298 HTTP/1.1 +Host: videos.example.com +Date: Tue, 07 Jun 2017 20:51:35 GMT +Content-Type: application/json + +{ + "type": "PaymentAcknowledgement", + "description": "Payment to ExampleMerch for widgets", + "selectedScheme": { + "paymentMethod": "https://payments.example.org/payment-schemes#Visa", + "status": "authorized", + "token": "10025AB", + "transfer": { + "amount": "2.99", + "currency": "USD" + }, + "destination": "20389472398" + } +} ++
+HTTP/1.1 302 Found +Date: Tue, 07 Jun 2017 20:51:36 GMT +Location: /movies/dr-strangelove ++
+One proposal for providing message extensibility is to allow messages to
+be interpreted as JSON-LD with a specific context, such as
+https://example.org/contexts/web-payments/v1
. Doing this would
+not only solve message versioning, but it would also enable
+decentralized extensibility for all payment messages while ensuring that
+there are no clashes in terminology between industry verticals.
+
+There are a variety of ways that message integrity can be protected. Which +set of methods will this specification employ. +
++There are a variety of ways that message replay can be protected against. Which +set of methods will this specification employ. +
++The editor would like to thank the Web Payments Community Group, and the +Web Payments Interest Group. +
+ ++Thanks to the following individuals, in order of their first name, for +their input on the specification: ... +
+ +