render-api:/v1/renderThe operation being protected.
Protocol preview · illustrative interface
DaemonPay separates payment evidence, entitlement issuance, holder proof, access policy, and resource delivery. This guide shows the intended developer contract without pretending the eventual public API is frozen.
$ daemonpay verify request.json
issuer merchant:7f3a… trusted
audience render-api match
permission render.create granted
holder ed25519:31c9… proven
validity 2026-07-16/08-16 current
remaining render 1000 reserve 1
decision allow local
1man application_data false
Five independent objects
The resource declares a right. The offer describes ways to obtain it. A trusted event qualifies. The issuer creates signed evidence. The destination gate decides whether that evidence authorizes this exact request.
render-api:/v1/renderThe operation being protected.
trial · prepaid · grantThe terms that produce a right.
settled · approved · invitedAuthenticated qualifying evidence.
issuer-signed capabilityThe holder’s bounded right.
allow · challenge · denyThe resource-side decision.
A watcher may prove settlement but cannot sign an entitlement. The entitlement issuer may grant a right but cannot spend merchant funds. The gate can validate a right but does not inherit authority to identify the holder outside that request.
Machine-readable challenge
When proof is absent, a gate can return the exact audience, permission, policy version, and relevant offers. The use of HTTP 402 below is a proposed DaemonPay convention; the final specification must define retry, cache, compatibility, and error behavior precisely.
GET /v1/reports/quarterly HTTP/1.1
Host: reports.example
Authorization: DaemonPay <presented-proof>
HTTP/1.1 402 Payment Required
Content-Type: application/json
Cache-Control: no-store
{
"error": "entitlement_required",
"resource": "reports:quarterly",
"required": {
"audience": "reports-api",
"permissions": ["reports.read"],
"minimum_policy_version": 3
},
"offers": [
{
"id": "reports-trial",
"kind": "trial",
"grant": {
"requests": 25,
"expires_after": "P7D"
}
},
{
"id": "reports-prepaid-1000",
"kind": "purchase"
}
]
}
Choose an offered trial or open one of the merchant’s supported checkout paths.
Use an entitlement acquired elsewhere or ask an authorized person or organization to grant access.
If no path applies, report that the resource remains unavailable. Never invent a free, public, or relayed fallback.
Portable right
The right should carry authorization facts, not an accidental customer dossier. The example uses readable JSON for explanation; production serialization, signature envelope, canonicalization, field bounds, and algorithm identifiers remain versioned protocol decisions.
{
"version": 1,
"issuer": "merchant:7f3a…",
"entitlement_id": "ent_01J…",
"audience": ["render-api"],
"holder": {
"type": "key",
"id": "ed25519:31c9…"
},
"grant": {
"permissions": ["render.create"],
"features": ["high_resolution"]
},
"limits": {
"renders": 1000,
"devices": 3
},
"validity": {
"not_before": "2026-07-16T00:00:00Z",
"expires_at": "2026-08-16T00:00:00Z"
},
"policy": {
"transferable": false,
"delegatable": true,
"renewable": true,
"revocable": true
},
"source": {
"kind": "purchase",
"offer_id": "render-1000"
},
"policy_version": 3
}
High-risk rights can require fresh online introspection. Ordinary bounded rights should remain locally verifiable when the provider’s declared policy permits.
Integration depth
Every mode preserves the same issuer and resource boundaries. A managed ingress is never implied: if a third party carries application bytes, that is a separately selected and disclosed data-path role.
Declare route matches, required rights, finite consumption, and relevant offers in owner-controlled policy. Forward only after validation.
GET /reports/** → reports.readRun the verifier beside the application for challenges, local proof checks, revocation synchronization, counters, and private forwarding.
Daemonet → sidecar → appExtract proof, request a decision, add the result to request context, then let the handler focus on product behavior.
Require("reports.read", handler)Use verified features and limits to select quality, export, model, administrative, or another product-specific behavior.
decision.Has("video.uhd")Finite use and retries
A metered operation reserves estimated units, performs the work, settles actual use, and releases the remainder. An issuance or consumption retry returns the prior result for the same idempotency key instead of creating another grant or charge.
Check proof and policy.
Atomically hold estimated units.
Run the exact bound operation.
Commit actual consumption.
Return unused reservation.
Use one stable event identifier and idempotent issuance. Retry returns the same entitlement or an explicitly linked replacement.
Recover through the result artifact, local Daemon state, or a separately opted-in minimal recovery mechanism.
Existing valid rights continue where policy allows; inability to sell does not silently cancel prior access.
Apply the declared fail policy: closed, recent synchronized state, read-only, or fresh proof. Never guess.
Reject metered work, use a bounded offline allowance, or permit only non-metered operations. Never create unlimited use.
Bind checkout and entitlement to a request-intent identifier; the origin guarantees at-most-once execution.
Release requirements
DaemonPay removes duplicated product plumbing; it does not remove adversaries, key operations, financial obligations, or failure handling. These are protocol requirements, not optional polish.
The client selects an offer identifier. The authoritative price, asset, destination, terms, and grant come from signed merchant configuration.
Validate provider signature or source, amount, asset, destination, offer, status, finality, event time, and uniqueness.
A trial key must not inherit enterprise-administration authority. Bound issuance by audience, offer, right, quantity, environment, and time.
Require holder-key control for high-value entitlements. Keep long-lived secrets out of URLs, history, referrers, logs, and screenshots.
Use canonical requests, nonces, idempotency keys, atomic counters, exact request binding, and signed service identity.
Publish key validity and revocation, test migration, and avoid logging complete proofs, payment secrets, content, or unrelated identity data.
Data-domain separation
Even if a company operates several roles, the payment system, entitlement issuer, access gate, resource service, and analytics system can retain different minimal facts under different access and deletion policies.
A private service can bind to its Daemonet interface and terminate HTTPS on the owner host. 1Man can coordinate identity and entitlement metadata without receiving application bytes. An explicit Daemon Hub or another selected gateway is a different mode with a declared data-path role.
Provisional developer contract
Before production use, pin the eventual versioned protocol and complete wallet, provider, accounting, legal, support, revocation, restore, and paid-customer release canaries.