Open-source monorepo for tooling around the "Payment" HTTP Authentication Scheme (MPP).
MPP lets any client -- agents, apps, or humans -- pay for any service in the same HTTP request. It standardizes HTTP 402 with an open IETF specification, so servers can charge and clients can pay without API keys, billing accounts, or checkout flows.
mpp-tools provides tooling and test suites for managing MPP SDKs and other ecosystem primitives.
cd conformance
make allThis installs the pinned SDK releases, runs the vector suite, and runs the end-to-end 402 flow suite.
Run individual stages while developing:
make install # install pinned SDKs and adapter dependencies
make test # run vector conformance against all adapters
make flow # run end-to-end 402 flow conformancempp-tools/
├── conformance/ # Cross-SDK conformance test suite
│ ├── adapters/ # Per-language CLI adapters
│ ├── flows/ # End-to-end 402 flow tests
│ ├── golden/ # TypeScript golden adapter
│ ├── scripts/ # Test runners and helpers
│ └── vectors/ # Hand-authored protocol vectors
├── SPEC.md # SDK conformance specification
└── README.md
The conformance suite ensures every SDK produces identical protocol outputs for the same inputs. No SDK is privileged: checked-in JSON vectors are the source of truth, and each SDK is exercised through a thin CLI adapter with a shared request/response contract.
vectors/*.json -> vector_runner.py -> adapter -> pass/fail
flows/*.json -> flow_runner.py -> adapter -> pass/fail
The suite covers:
WWW-Authenticate: Payment ...challenge parsing and formattingAuthorization: Payment ...credential parsing and formattingPayment-Receipt: ...receipt parsing and formatting- base64url encoding and decoding
- deterministic challenge ID generation
- client-to-server HTTP 402 payment flows
See conformance/README.md for adapter commands, vector schemas, flow tests, prerequisites, and targeted test commands.
The harness validates the SDKs declared by the adapter manifests in conformance/adapters/. Each SDK follows the shared SDK specification. The harness installs pinned package releases from each package manager, and Dependabot opens SDK bump PRs when newer versions are available.
| SDK | Language | Repository | Package |
|---|---|---|---|
mppx |
TypeScript | wevm/mppx | npm |
mpp |
Rust | tempoxyz/mpp-rs | crates.io |
pympp |
Python | tempoxyz/pympp | PyPI |
mpp-go |
Go | tempoxyz/mpp-go | Go module |
mpp-rb |
Ruby | stripe/mpp-rb | RubyGems |
mpp-java |
Java | stripe/mpp-java | JitPack Maven |
cd conformance
make update-locks
make allSDK versions are pinned in package-manager manifests and lockfiles:
| Language | Package | Pin |
|---|---|---|
| TypeScript | mppx |
package.json / package-lock.json |
| Rust | mpp |
adapters/rust/Cargo.toml / Cargo.lock |
| Python | pympp |
adapters/python/pyproject.toml / uv.lock |
| Go | github.com/tempoxyz/mpp-go |
adapters/go/go.mod / go.sum |
| Ruby | mpp-rb |
adapters/ruby/Gemfile / Gemfile.lock |
| Java | com.github.stripe:mpp-java |
adapters/java/build.gradle / gradle.lockfile |
Built on the "Payment" HTTP Authentication Scheme, an open specification proposed to the IETF. See mpp.dev/protocol for the full protocol overview, or the IETF specification for the wire format.
git clone https://github.com/tempoxyz/mpp-tools
cd mpp-tools/conformance
make allSee CONTRIBUTING.md for the full workflow. When adding protocol behavior, add or update the relevant vectors and verify every adapter before opening a PR.
See SECURITY.md for reporting vulnerabilities.