MPP Development Patterns

Before writing code

Fetch live docs:

• Specification: Fetch https://paymentauth.org/ for canonical security and encoding requirements
• IETF draft: Web-search site:datatracker.ietf.org draft-ryan-httpauth-payment for the latest RFC draft
• Stripe docs: Fetch https://docs.stripe.com/payments/machine/mpp for production integration patterns
• SDK: Web-search site:npmjs.com mppx for error handling and retry APIs

Pattern: HMAC Challenge Binding

The 32-byte secretKey is the server's core security primitive:

• Every challenge ID is HMAC-bound to the secret key
• Prevents challenge forgery — attackers cannot create valid challenges without the key
• Prevents replay attacks — each challenge is unique and bound to the request context
• Generate with openssl rand -hex 32
• Rotate periodically and support key rollover