v0.4.1 PRODUCTION ES256 / WebAuthn EUPL-1.2 LICENSED RFC INTERNET-DRAFT

The protocol that proves
a real human is here.

HHTTPS extends HTTP/HTTPS with cryptographic human verification. WebAuthn-backed, ES256-signed, GDPR-compliant, zero personal data stored. An open standard maintained by the HumanProof Initiative.

View on GitHub → JWKS Public Key Discovery
§ 1

Abstract

HHTTPS (Human-verified HTTPS) is an open protocol that adds a cryptographic proof-of-personhood layer on top of HTTPS. It allows web servers to verify that an HTTP request was initiated by a real human — without storing personally identifiable information.

The protocol combines three established standards: WebAuthn (W3C) for human presence verification, ES256-signed JWTs (RFC 7519) for portable claims, and JWKS (RFC 7517) for distributed verification. Adoption requires no central authority — any operator can run an HHTTPS issuer compatible with this spec.

Status
v0.4.1 — Production
Reference Implementation
hhttps.org
Algorithm
ES256 (P-256 / SHA-256)
License
EUPL-1.2 (open source)
§ 2

Design Principles

  • Zero PII storage. The issuer never stores name, address, or contact data. Only public keys, hashed identifiers, and ephemeral session state.
  • No central authority. Anyone can run an HHTTPS issuer. Tokens are verified against the issuer's public JWKS — no API key exchange, no rate-limited validation calls.
  • Standards over invention. WebAuthn, JWT, JWKS — all W3C/IETF standards. No proprietary cryptography. No new threat model.
  • European by default. GDPR-compliant by design. eIDAS-aware. Servers in the EU. No US cloud lock-in.
  • Roles, not identities. A token claims a role (e.g. medical_professional) and trust score (0–100), not a person.
  • Revocable. Tokens can be revoked via the issuer; revocation status is published in real-time at /hhttps/revoke/status.
§ 3

API Endpoints

All endpoints listed are part of the v0.4.1 reference implementation at hhttps.org. Custom prefixes are permitted; .well-known/hhttps-configuration is the source of truth for endpoint paths.

Discovery

GET
/.well-known/hhttps-configuration
Returns issuer metadata, supported roles, endpoint URLs.
GET
/.well-known/jwks.json
Returns the issuer's public keys (JWKS, RFC 7517).

WebAuthn Flow

POST
/hhttps/webauthn/register/start
Begin passkey registration; returns PublicKeyCredentialCreationOptions.
POST
/hhttps/webauthn/register/finish
Verify attestation; persist credential.
POST
/hhttps/webauthn/auth/{start,finish}
Authenticate with passkey, get verified session.
POST
/hhttps/role/declare
Declare role + verification method, receive access + refresh token.
POST
/hhttps/token/refresh
Exchange refresh token for fresh access token (no biometrics needed).

Token Operations

POST
/hhttps/check
★ The primary verification endpoint. Verify any HHTTPS token.
POST
/hhttps/validate
Validate token signature + revocation status only.
POST
/hhttps/revoke
Revoke a token (user-requested or compromised).
GET
/hhttps/revoke/status?jti=...
Public revocation lookup (no auth required).
§ 4

Token Format

An HHTTPS access token is a standard JWT (RFC 7519) signed with ES256. The payload contains claims about the verified human's role and trust level.

HHTTPS Token Payload (decoded) 
{
  "jti":        "550e8400-e29b-41d4-a716-446655440000",
  // unique token identifier
  "iss":        "hhttps://hhttps.org",
  "sub":        "human-verified",
  "human":      true,
  "actorType":  "human",
  "role":       "medical_professional",
  "roleLevel":  "approbation-id",
  "trustScore": 93,
  "method":     "webauthn-passkey",
  "deviceType": "singleDevice",
  "ia":         1715242800,
  "exp":        1715246400
}

Tokens are short-lived (1 hour by default). Refresh tokens (7 days) allow extension without repeated WebAuthn challenges. Both can be revoked via /hhttps/revoke.

HTTP Headers

HHTTPS responses set the following headers, exposing verification status to client-side code and intermediaries:

Response Headers 
HHTTPS-Protocol-Version: 0.4.1
HHTTPS-Status:           verified
HHTTPS-Human:            true
HHTTPS-Actor-Type:       human
HHTTPS-Role:             medical_professional
HHTTPS-Role-Level:       approbation-id
HHTTPS-Trust-Score:      93
HHTTPS-Method:           webauthn-passkey
HHTTPS-Issuer:           hhttps://hhttps.org
§ 5

Trust Scoring

Each verification method maps to a numeric trust score (0–100). Verifiers choose a minimum threshold based on their use case — a comment section may accept 30+, a medical-advice forum may require 90+.

self-declared
30
Baseline
webauthn
60
Passkey verified
email-verified
70
Domain-based
orcid
88
Researcher
approbation-id
93
Doctor / Pharmacist
notary-chamber
95
Notary
official-email
90
Civil servant
bundestag-id
98
Politician

See the full mapping in roles.js. Higher methods strictly imply lower ones (a score of 93 also satisfies any threshold ≤ 93).

§ 6

Integration

Verifying tokens requires no API call to the issuer — only the public JWKS, which can be cached for hours. Below: minimal Express middleware example.

Express middleware (Node.js) 
import jwt        from 'jsonwebtoken';
import jwksClient from 'jwks-rsa';

const jwks = jwksClient({
  jwksUri: 'https://hhttps.org/.well-known/jwks.json',
  cache: true, cacheMaxAge: 3600000
});

function requireHuman({ minTrust = 60, allowedRoles = null } = {}) {
  return async (req, res, next) => {
    const token = req.headers['hhttps-token'];
    if (!token) return res.status(401).json({ error: 'token required' });

    try {
      const decoded = await new Promise((resolve, reject) => {
        jwt.verify(token, getKey, { algorithms: ['ES256'] }, (e, d) => e ? reject(e) : resolve(d));
      });
      if (decoded.trustScore < minTrust)         throw new Error('trust too low');
      if (allowedRoles && !allowedRoles.includes(decoded.role)) throw new Error('role denied');
      req.hhttps = decoded;
      next();
    } catch (e) { res.status(401).json({ error: e.message }); }
  };
}

// Use it on any route:
app.post('/medical-advice',
  requireHuman({ minTrust: 90, allowedRoles: ['medical_professional'] }),
  postAdvice
);

Reference SDKs are available for JavaScript and Python, with examples for Express, Flask, Django, and FastAPI.

§ 7

Discovery

Any HHTTPS issuer publishes its configuration at /.well-known/hhttps-configuration. Clients use this to discover endpoints without hard-coding URLs:

GET /.well-known/hhttps-configuration 
{
  "issuer":                   "hhttps://hhttps.org",
  "protocol_version":         "0.4.1",
  "jwks_uri":                "https://hhttps.org/.well-known/jwks.json",
  "check_endpoint":          "https://hhttps.org/hhttps/check",
  "registration_endpoint":   "https://hhttps.org/hhttps/webauthn/register/start",
  "authentication_endpoint": "https://hhttps.org/hhttps/webauthn/auth/start",
  "revocation_endpoint":     "https://hhttps.org/hhttps/revoke",
  "supported_algorithms":    ["ES256"],
  "supported_roles":         ["citizen", "journalist", ..., "craftsman"],
  "token_ttl":                3600,
  "refresh_ttl":              604800
}
§ 8

Security Considerations

  • Private keys never leave the user's device. WebAuthn enforces this in hardware (TPM, Secure Enclave, YubiKey).
  • Issuer signing keys must be rotated periodically. JWKS supports multi-key publishing for seamless rotation.
  • The token's jti is logged at issuance and removed at expiration. Revocation persists permanently.
  • Replay protection: each WebAuthn ceremony uses a fresh server-generated challenge.
  • The RP_ID binds passkeys to a specific origin. A token issued at hhttps.org cannot be authenticated against a different origin.
  • Rate-limiting is applied per IP at all sensitive endpoints (registration, authentication, email, revocation).
  • For maximum trust, issuers SHOULD publish a transparency log of issued/revoked token hashes (planned for v0.5).
§ 9

Governance & License

The HHTTPS specification and reference implementation are released under the European Union Public Licence (EUPL-1.2) — an OSI-approved license compatible with GPLv3, AGPLv3, MPLv2, and most permissive licenses, with explicit GDPR alignment.

The protocol is maintained by the HumanProof Initiative (github.com/dhannus/HumanProof), an unfunded civic-tech project. Anyone may propose changes via pull request. Major specification revisions require public discussion period (≥ 30 days).

An IETF Internet-Draft is in preparation. Once stable, the protocol will be submitted for standardization through the IETF process — independent of the reference implementation.

Initiative contact: daniel.hannuschka@tweakz.de · Press & institutional inquiries welcome.