RPP402-000: Introduction
| RFC | RPP402-000 |
| Title | Introduction |
| Status | Draft |
| Version | 1.0.0 |
| Category | Informational -this RFC defines no wire format itself; RPP402-001 through RPP402-006 do. |
Overview
The Robinhood Payments Protocol (RPP402) is an open protocol that lets autonomous AI agents discover services, request pricing, authorize payment, and settle commerce on Robinhood Chain -and receive cryptographic proof that it happened. RPP402 v1 defines exactly six primitives:
- Discovery -an agent finds a service and its capabilities.
- Quote -an agent requests pricing for a capability.
- Commerce Session -an atomic lifecycle container that groups one or more quotes into a single purchase.
- Payment Intent -an agent authorizes payment for a session.
- Settlement -the authorized intent executes on Robinhood Chain.
- Receipt -cryptographic proof the session settled.
Nothing else is in scope for v1. Everything else -subscriptions, streaming, escrow, wallet delegation, marketplace listing, reputation, identity, and more -is deliberately deferred to the Roadmap as future RFCs, so v1 stays small enough to fully implement, fully audit, and fully commit to.
Robinhood Chain
↑
Settlement
↑
RPP402
↓
Discovery → Quote → Commerce Session → Payment Intent → Receipt
↓
AI AgentsMotivation
An autonomous agent's purchase is rarely one resource. An agent provisioning a research pipeline might need a market-data quote from one provider, compute from a second, and a model API from a third -compared against alternatives, held in a consistent state while it decides, and settled together. No primitive in the prior art below represents that multi-step, multi-provider shape; each treats "pay for one HTTP resource" as the whole problem. RPP402 treats that as one primitive (Quote) inside a larger one (Commerce Session) built to hold exactly this kind of state.
RPP402 is also the first agent-commerce protocol that can settle in a tokenized real-world asset, not only a stablecoin, because it is the native protocol of the one chain whose operator is a regulated broker-dealer with an existing tokenized-equity product. See RPP402-004 §Settlement Assets.
Problem
Concretely, before RPP402 an agent that wanted to compare three data providers, buy from the cheapest, and prove the purchase happened had to:
- Hand-roll provider comparison (no standard quote object to diff).
- Track purchase state itself across N independent HTTP 402 cycles with no shared session identity.
- Accept whatever receipt format (if any) each provider invented.
- Have no standard way to pay in anything other than a stablecoin, even when the paying agent's actual spending authority is denominated in tokenized equity via a Robinhood Agentic Account.
RPP402 standardizes all four without inventing a competing payment-transport wire format -see Relationship to Prior Art.
Terminology
| Term | Definition |
|---|---|
| Agent | The software (autonomous or human-operated) initiating a purchase. Identified in v1 by a wallet address. |
| Service | A provider of a paid capability, discoverable via RPP402-001. |
| Capability | A named, priceable unit of work a Service offers (e.g. market-data.quote, compute.inference). |
| Primitive | One of the six objects defined by RPP402-001 through RPP402-006. |
| Commerce Session | The atomic container (RPP402-003) holding one or more Quotes, an Intent, a Settlement, and a Receipt. |
| Settlement Asset | What a Payment Intent is denominated and settled in -a stablecoin or a tokenized security. See RPP402-004. |
| Robinhood Chain | The Arbitrum-Orbit Ethereum L2 (mainnet since 2026-07-01) that RPP402 settles on. |
| Reference implementation | @rpp402/protocol (schemas), @rpp402/sdk (client), @rpp402/cli (tooling) -see each RFC's Reference Implementation section. |
Relationship to Prior Art
RPP402 is not the first attempt to standardize machine-to-machine payment. Two efforts predate it, are already in production, and RPP402 does not try to replace either:
| MPP | x402 | RPP402 | |
|---|---|---|---|
| Backers | Stripe, Tempo Labs | Coinbase, Cloudflare, Linux Foundation | Robinhood Chain |
| Governance | IETF-track (paymentauth.org) | Linux Foundation | RFC-driven, this repository |
| Core unit of work | One HTTP resource per 402 challenge/response cycle | One HTTP resource per 402 challenge/response cycle | A Commerce Session -one or more Quotes, from one or more Services, held in shared state until settled together |
| Settlement asset | Stablecoins, cards (via Stripe), Bitcoin (Lightning) | Stablecoins (EVM chains, Solana) | Stablecoins or tokenized real-world assets (RPP402-004) |
| Settlement chain | Tempo | Any x402-compatible chain (Base, Polygon, Arbitrum, Solana, etc.) | Robinhood Chain |
| Status (as of 2026-07) | Live, 100+ services | Live, 150M+ transactions | Pre-release |
Where MPP and x402 answer "how does an agent pay for one thing," RPP402 answers "how does an agent conduct a multi-step purchase that happens to settle on Robinhood Chain, possibly in a tokenized security." These are complementary, not competing, questions -an RPP402 Settlement (RPP402-005) could in principle execute over an x402 or MPP payment rail for the stablecoin-denominated case. That bridge is intentionally not specified in v1; it is tracked as a roadmap item (see Roadmap: MPP/x402 Interoperability) so v1 can ship without taking on a dependency on either protocol's stabilization.
We name both explicitly, here and in every RFC where relevant, because an infrastructure standard that hides well-known prior art from the engineers it's asking to trust it has already lost their trust.
Protocol Versioning
- The wire format version is
1.0.0(this document). RPP402 follows semver for the wire format: additive, backward-compatible fields are minor bumps; anything requiring a client to change to keep working is a major bump. - Every RPP402 object carries an
rpp402_versionfield (e.g."1.0") so a client or server can detect a version mismatch instead of silently misparsing. - RFC status lifecycle: Draft (this repository, pre-release) → Active (adopted, wire-format frozen for that major version) → Superseded (replaced by a later RFC, kept for historical reference).
Security (Overview)
Each RFC has its own Security section scoped to that primitive. At the protocol level: every primitive is signed or verifiable back to an onchain artifact (a Payment Intent authorization, a Settlement transaction, a Receipt signature) -nothing in RPP402 relies on an unverifiable claim from a single party. See RPP402-004 §Security, RPP402-005 §Security, and RPP402-006 §Security.
Errors
All RPP402 endpoints return errors as application/problem+json (RFC 9457):
{
"type": "https://rpp402.com/errors/quote-expired",
"title": "Quote Expired",
"status": 410,
"detail": "Quote quote_8f2e... expired at 2026-07-10T18:22:00Z.",
"instance": "/sessions/sess_1a2b/legs"
}Each RFC defines its own type values in its Errors section; there is no separate error registry RFC in v1.
Best Practices
- Treat every primitive's identifier (
quote_*,sess_*,intent_*,settle_*,rcpt_*) as opaque and globally unique -never parse structure out of it. - Always check
rpp402_versionbefore trusting a response shape. - Prefer the SDK (
@rpp402/sdk) over hand-rolling HTTP calls against these schemas directly; it is generated from the same source (@rpp402/protocol) these RFCs document, so it cannot drift from them.
Reference Implementation
- Schemas:
(Phase 4, this phase).packages/protocol - Client:
(Phase 5).packages/sdk - CLI:
(Phase 10).packages/cli
Next: RPP402-001 -Discovery
