
Open License Protocol (OLP)

Version 1.0 Draft. Last updated: 2025-08-14.

The Open License Protocol (OLP) defines a set of standardized HTTPS APIs for acquiring, validating, and using RSL licenses. OLP is an extension of the OAuth 2.0 authorization framework and related specifications to support using RSL licenses as credentials for controlling access to digital assets.

The OLP protocol suite includes

  • a protocol for acquiring an RSL license for a digital asset
  • a protocol for checking if an RSL license grants access to a digital asset
  • a protocol for retrieving a license key to encrypt or decrypt a digital asset file

Other server capabilities, including license registration, management, payment, and service-level policies, are outside the scope of this specification and are left to the implementation of individual license server operators.

Client Authentication

OLP uses standard OAuth 2.0 client authentication to verify the identity of clients that want to interact with an RSL License Server. Each client is assigned a unique client_id and client_secret by the license server operator when the client registers with the server, and the client must use these credentials to authenticate itself when making requests to the server.

If the client is not authorized for a request, the server responds with an error as defined in RFC 6749 Section 5.2.

Example: Client Credentials Flow

```http
POST /token
Host: rslstandard.org/api
Content-Type: application/x-www-form-urlencoded
Authorization: Basic base64(client_id:client_secret)
```

Acquire a License for an Asset

To acquire an RSL license for a digital asset, the client submits a request to the license server using the OAuth 2.0 token endpoint with the grant type rsl. The request must include a complete RSL <license> element that describes the terms under which the client wants to license the digital asset, and a resource parameter specifying the URL of the digital asset to be licensed.

This grant type allows a client to obtain an RSL License Token that serves as proof that the client has acquired an RSL license for a digital asset. The license token may later be introspected or used to retrieve encryption keys, as described in subsequent sections.

Endpoint

POST /token

Request Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| grant_type | string | YES | MUST be set to client_credentials. |
| license | string | YES | A complete <license> XML element describing the requested terms. The XML MUST be well-formed, conform to the RSL namespace, and be URL-encoded. Other licensing formats MAY be provided when specified by the accompanying license_type parameter. |
| license_type | string | NO | Media type of the license parameter. Defaults to application/rsl+xml. Used to indicate support for other licensing formats. |
| resource | string | YES | The URL of the digital asset for which the license is being requested. MUST match or fall within the scope of a <content url> defined by the publisher’s RSL license. |

Response Fields

If the request is valid and authorized, the license server responds with a license token that represents the acquired RSL license. The license token is returned in the form of an OAuth access token, with the token type set to license.

| Field | Type | Description |
| --- | --- | --- |
| access_token | string | A token representing the acquired RSL license. |
| token_type | string | Always license. |
| expires_in | integer | Lifetime of the token in seconds. A value of 0 indicates a non-expiring license. |

Example

Request

```http
POST /token
Authorization: Basic base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
license=%3Clicense%3E...%3C%2Flicense%3E&
resource=https%3A%2F%2Fexample.com%2Farticle%2F123
```

Response

```json
{
  "access_token": "rsl_cnNsLWNsaWVudC0xMjM6czNjcjN0S0VZ",
  "token_type": "license",
  "expires_in": 0
}
```

Error Responses

If the request is invalid or unauthorized, the license server responds with an HTTP 400 status code and a JSON object describing the error.

Error Format

```json
{
  "error": "invalid_request",
  "error_description": "The request is missing a required parameter."
}
```

| Error Code | Description |
| --- | --- |
| invalid_request | The request is missing a required parameter, includes an invalid parameter value, or is otherwise malformed |
| invalid_client | Client authentication failed (e.g., bad credentials or unknown client) |
| unauthorized_client | The client is not permitted access to this server |
| invalid_license | The license is invalid or not available for the specified resource |
| invalid_resource | The resource is invalid or not managed by this license server |
| unsupported_grant_type | The grant_type value is not supported by the token endpoint |
| server_error | The server encountered an unexpected condition that prevented it from fulfilling the request |
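A client-side sketch of the acquisition exchange above, added here as an example and not taken from the OLP specification or any RSL implementation. The function names and the sample license XML are hypothetical; the RSL namespace is not given on this page, so only well-formedness is checked.

```python
import base64
import time
import urllib.parse
import xml.etree.ElementTree as ET


def build_token_request(client_id, client_secret, license_xml, resource):
    """Return (headers, body) for POST /token using the parameters in the table above."""
    # The client authored this XML itself; parsing only confirms it is well-formed.
    ET.fromstring(license_xml)  # raises ParseError on malformed XML
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # urlencode() performs the URL-encoding the license parameter requires.
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "license": license_xml,
        "resource": resource,
    })
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, body


def license_expiry(response, now=None):
    """Return the absolute expiry time in seconds, or None for a non-expiring license."""
    if response.get("token_type") != "license":
        raise ValueError("unexpected token_type")
    if not response.get("access_token"):
        raise ValueError("missing access_token")
    expires_in = response.get("expires_in")
    if isinstance(expires_in, bool) or not isinstance(expires_in, int) or expires_in < 0:
        raise ValueError("invalid expires_in")
    if expires_in == 0:
        # OLP defines 0 as "never expires"; generic OAuth token caches
        # often treat 0 as "already expired", so handle it explicitly.
        return None
    return (time.time() if now is None else now) + expires_in
```

The explicit `expires_in == 0` branch matters when the token is stored in a generic OAuth cache that would otherwise discard it immediately.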

Validate Access to an Asset

This protocol allows a resource server or client to determine whether the terms of a previously issued license token permit access to a digital asset. This check is typically performed by a website before serving license-restricted content (see also Authorizing Web Crawlers) or by a client to verify that they are in compliance with license terms.

Validation is performed by submitting the license token and the digital asset URL to the license server’s introspection endpoint. This endpoint conforms to the OAuth 2.0 token introspection specification (RFC 7662), with OLP-specific extensions.

Endpoint

POST /introspect

Request Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| token | string | YES | The RSL License Token to be validated. |
| resource | string | YES | The UTF-8 encoded URL of the digital asset for which access is being checked. |

Response Fields

| Field | Type | Description |
| --- | --- | --- |
| active | boolean | Indicates whether the token is valid and recognized by the License Server. |
| token_type | string | Always license. |
| license | string | The RSL <license> XML element represented by the token. |
| resource | string | The URL of the digital asset covered by the license. |
| permitted | boolean | Indicates whether the license permits access to the specified resource. |
| reason | string | Optional. Human-readable explanation if permitted is false. |

Example

Request

```json
{
  "token": "rsl_cnNsLWNsaWVudC0xMjM6czNjcjN0S0VZ",
  "resource": "https://example.com/article/abc"
}
```

Successful Response

```json
{
  "active": true,
  "token_type": "license",
  "license": "<license>...</license>",
  "resource": "https://example.com/",
  "permitted": true
}
```

Denied Response

```json
{
  "active": true,
  "token_type": "license",
  "license": "<license>...</license>",
  "resource": "https://test.com/",
  "permitted": false,
  "reason": "License does not cover this resource"
}
```

Expired or Invalid Token

```json
{
  "active": false
}
```

Error Responses

If the request is malformed or unauthorized, the server responds with HTTP 400 or 401 status codes and an error object conforming to RFC 7662 Section 2.3.

| Error Code | Description |
| --- | --- |
| invalid_request | Missing token or resource, or invalid parameter encoding |
| invalid_token | License token is expired, revoked, or unrecognized |
| unauthorized_client | Client authentication failed or is not permitted to use this endpoint |
| server_error | The server encountered an unexpected condition |

Example Error

```json
{
  "error": "invalid_request",
  "error_description": "Missing required parameter: resource"
}
```
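How a resource server might act on an introspection response, failing closed on anything missing or unexpected. This is an added example, not part of the OLP specification: the function names are hypothetical, `token_type` is checked against the value in the Response Fields table, and the local scope check assumes the returned `resource` is a URL prefix (as in the successful response above), which goes beyond what the page requires.

```python
from urllib.parse import urlsplit


def _origin_and_path(url):
    """Split an absolute https URL into ((host, port), path)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an absolute https URL: {url!r}")
    path = parts.path or "/"
    if ".." in path.split("/"):
        raise ValueError("dot segments are not allowed")
    return (parts.hostname.lower(), parts.port or 443), path


def within_scope(requested_url, scope_url):
    """True if requested_url is on the same origin and under scope_url's path."""
    req_origin, req_path = _origin_and_path(requested_url)
    scope_origin, scope_path = _origin_and_path(scope_url)
    # Compare parsed hosts, never raw string prefixes: a plain startswith()
    # would accept https://example.com.other.test/ for https://example.com.
    if req_origin != scope_origin:
        return False
    if not scope_path.endswith("/"):
        return req_path == scope_path  # a single-file scope matches only itself
    return req_path.startswith(scope_path)


def may_serve(introspection, requested_url):
    """Return (allowed, reason); every field must be present and affirmative."""
    if introspection.get("active") is not True:
        return False, "token inactive"
    if introspection.get("token_type") != "license":
        return False, "unexpected token_type"
    if introspection.get("permitted") is not True:
        return False, introspection.get("reason", "not permitted")
    scope = introspection.get("resource")
    try:
        if not isinstance(scope, str) or not within_scope(requested_url, scope):
            return False, "resource outside license scope"
    except ValueError:
        return False, "unparseable URL"
    return True, "ok"
```

The `is not True` comparisons reject truthy strings such as `"true"`, so a malformed response can never be read as a grant.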

Retrieve Key for an Asset

RSL enables client applications to securely license and access proprietary digital assets, including paywalled web content, images, videos, books, and datasets, by using Encrypted Media Standard (EMS) files. This protocol allows a client to retrieve a symmetric JSON Web Key (JWK) that can be used to encrypt or decrypt an EMS file.

When an RSL license is registered for a digital asset, the license server provisions an associated encryption key. A client holding a valid RSL license token can retrieve this key using the /key endpoint.

Endpoint

GET /key

Request Parameters

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| token | string | YES | A valid RSL License Token obtained via the /token endpoint. |
| resource | string | YES | The absolute URL of the encrypted asset file for which the key is being requested. |

Response Fields

| Field | Type | Description |
| --- | --- | --- |
| key | JWK object | A symmetric encryption key represented in JWK format |
| iv | string | (Optional) Base64url-encoded initialization vector (IV) for the key, if applicable |
| resource | string | The URL of the encrypted digital asset file |

The key object includes the following fields:

| JWK Field | Type | Description |
| --- | --- | --- |
| kty | string | Key type: always "oct" |
| kid | string | Unique key identifier |
| alg | string | Algorithm identifier (e.g., "A256GCM") |
| use | string | Use: always "enc" |
| key_ops | array | Allowed operations: always ["encrypt", "decrypt"] |
| k | string | Base64url-encoded raw key value |

Example

Request

```json
{
  "token": "rsl_cnNsLWNsaWVudC0xMjM6czNjcjN0S0VZ",
  "resource": "https://example.com/media/episode-1.mp4.enc"
}
```

Successful Response

```json
{
  "key": {
    "kty": "oct",
    "kid": "sym-2025-09-30",
    "alg": "A256GCM",
    "use": "enc",
    "key_ops": ["encrypt", "decrypt"],
    "k": "1a7d9af3c8e2b8f7e1a6c0b3d5e8f2a1c6b9d4e7f8a3b2c1d0e9f6"
  },
  "iv": "f1e2d3c4b5a6987867564534",
  "resource": "https://example.com/media/episode-1.mp4.enc"
}
```

Example Command to Decrypt a Digital Asset

Use the following OpenSSL command to decrypt an AES-256-GCM encrypted EMS file using the returned key and iv values:

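```bash
# -K and -iv take hex strings, so base64url values from the response must be
# decoded and re-encoded as hex before use.
# Current OpenSSL releases reject AEAD ciphers such as GCM in "openssl enc";
# where that applies, use a tool or library that verifies the GCM tag.
openssl enc -d -aes-256-gcm -in episode-1.mp4.enc -out episode-1.mp4 \
        -K 1a7d9af3c8e2b8f7e1a6c0b3d5e8f2a1c6b9d4e7f8a3b2c1d0e9f6 \
        -iv f1e2d3c4b5a6987867564534
```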
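A check a client can run on a /key response before handing the key to a cipher, following the field tables above. This is an added example, not code from the OLP specification; the function names and the all-zero sample values are constructed, and the 12-byte IV length is the standard 96-bit GCM IV rather than a figure stated on this page.

```python
import base64

KEY_BYTES = {"A256GCM": 32}  # only the algorithm this page names
GCM_IV_BYTES = 12            # assumption: standard 96-bit GCM IV

# Constructed sample response: an all-zero test key, never a real key.
SAMPLE = {
    "key": {"kty": "oct", "kid": "constructed-kid", "alg": "A256GCM",
            "use": "enc", "key_ops": ["encrypt", "decrypt"], "k": "A" * 43},
    "iv": "A" * 16,
    "resource": "https://example.com/media/episode-1.mp4.enc",
}


def b64url_decode(value):
    """Strictly decode an unpadded base64url string to bytes."""
    if not isinstance(value, str) or not value:
        raise ValueError("expected a non-empty base64url string")
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def load_key_response(response, requested_resource):
    """Return (kid, key_bytes, iv_bytes or None); raise ValueError on any mismatch."""
    if response.get("resource") != requested_resource:
        raise ValueError("key was issued for a different resource")
    jwk = response.get("key")
    if not isinstance(jwk, dict):
        raise ValueError("missing key object")
    if jwk.get("kty") != "oct" or jwk.get("use") != "enc":
        raise ValueError("not a symmetric encryption key")
    if "decrypt" not in (jwk.get("key_ops") or []):
        raise ValueError("key_ops does not allow decrypt")
    alg = jwk.get("alg")
    if alg not in KEY_BYTES:
        raise ValueError(f"unsupported alg: {alg!r}")
    key = b64url_decode(jwk.get("k"))
    if len(key) != KEY_BYTES[alg]:
        raise ValueError(f"{alg} needs {KEY_BYTES[alg]} key bytes, got {len(key)}")
    iv = None
    if "iv" in response:  # iv is optional in the response
        iv = b64url_decode(response["iv"])
        if len(iv) != GCM_IV_BYTES:
            raise ValueError(f"expected {GCM_IV_BYTES}-byte IV, got {len(iv)}")
    return jwk.get("kid"), key, iv
```

Calling `key.hex()` and `iv.hex()` on the returned bytes gives the hex form that command-line tools expect.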

Error Responses

If the license token is invalid or the license does not permit access to the requested asset, the server responds with an appropriate error.

| Error Code | Description |
| --- | --- |
| invalid_token | The license token is expired, revoked, or unrecognized |
| insufficient_scope | The license does not permit access for the specified resource |
| invalid_request | Missing or malformed token or resource parameter |
| unauthorized_client | Client authentication failed |
| server_error | The server encountered an unexpected condition |

Example Error

```json
{
  "error": "access_denied",
  "error_description": "License does not permit access to this resource"
}
```

Changelog

  • 2025-08-14: Initial OLP API (acquire licenses, validate licenses, retrieve keys).