RSL Open License Protocol (OLP) 1.0 Draft Specification
Last updated: June 28, 2025
The RSL Open Licensing Protocol (OLP) is an extension of the OAuth 2.0 authorization framework. OLP introduces a new OAuth grant type, rsl, to support using RSL licenses as credentials for controlling access to digital assets.
The OLP protocol suite includes
- a protocol for acquiring an RSL license for a digital asset
- a protocol for checking if an RSL license grants access to a digital asset
- a protocol for retrieving a license key to encrypt or decrypt a digital asset file
Other server capabilities including license registration, management, payment, and service-level policies are outside the scope of this specification and are left to the implementation of individual license server operators.
Client Authentication
OLP uses standard OAuth 2.0 client authentication to verify the identity of clients that want to interact with an RSL License Server. Each client is assigned a unique client_id and client_secret by the license server operator when the client registers with the server, and the client must use these credentials to authenticate itself when making requests to the server.
If the client is not authorized for a request, the server responds with an error as defined in RFC 6749 Section 5.2.
Example: Client Credentials Flow
POST /token
Host: rslstandard.org/api
Content-Type: application/x-www-form-urlencoded
Authorization: Basic base64(client_id:client_secret)
Acquire an RSL License for a Digital Asset
To acquire an RSL license for a digital asset, the client submits a request to the license server using the OAuth 2.0 token endpoint with the grant type rsl. The request must include both a complete RSL <license> element that describes the terms under which the client wants to license the digital asset, and a resource parameter specifying the URL of the digital asset to be licensed.
This grant type allows a client to obtain an RSL License Token that serves as proof that the client has acquired an RSL license for a digital asset. The license token may later be introspected or used to retrieve encryption keys, as described in subsequent sections.
Endpoint
POST /token
Request Parameters
Parameter | Type | Description |
---|---|---|
grant_type | string | MUST be set to rsl |
license | string | A complete RSL <license> XML element of the requested licensing terms |
resource | string | The URL of the digital asset for which the license is being requested |
Response Fields
If the request is valid and authorized, the license server responds with a license token that represents the acquired RSL license. The license token is returned in the form of an OAuth access token, with the token type set to rsl.
Field | Type | Description |
---|---|---|
access_token | string | A token representing the acquired RSL license |
token_type | string | Always rsl |
expires_in | integer | Lifetime of the token, in seconds |
Example
Request
POST /token
Authorization: Basic base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded

grant_type=rsl&
license=%3Clicense%3E...%3C%2Flicense%3E&
resource=https%3A%2F%2Fexample.com%2Farticle%2F123
Response
{
  "access_token": "rsl_cnNsLWNsaWVudC0xMjM6czNjcjN0S0VZ",
  "token_type": "rsl",
  "expires_in": 0
}
Error Responses
If the request is invalid or unauthorized, the license server responds with an HTTP 400 status code and a JSON object describing the error.
Error Format
{
  "error": "invalid_request",
  "error_description": "The request is missing a required parameter."
}
Error Code | Description |
---|---|
invalid_request | The request is missing a required parameter, includes an invalid parameter value, or is otherwise malformed |
invalid_client | Client authentication failed (e.g., bad credentials or unknown client) |
unauthorized_client | The client is not authorized to use the rsl grant type |
invalid_license | The license is either invalid or not available for the specified resource |
invalid_resource | The resource is either invalid or managed by this license server |
unsupported_grant_type | The grant_type value is not supported by the token endpoint |
server_error | The server encountered an unexpected condition that prevented it from fulfilling the request |
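Added example, not part of the specification: Python client-side handling of the rsl grant, covering request construction and the success and error responses described above. The function names, the LicenseError class, the invalid_response code and the sample credentials are assumptions made for illustration; HTTP 200 on success follows RFC 6749.

```python
import base64
import json
from urllib.parse import urlencode


class LicenseError(Exception):
    """Hypothetical exception carrying the error code from the server."""

    def __init__(self, code, description=""):
        super().__init__(f"{code}: {description}")
        self.code = code


def build_rsl_token_request(client_id, client_secret, license_xml, resource):
    """Return (headers, body) for POST /token with grant_type=rsl."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # urlencode percent-encodes the XML and the URL, so '<', '&' or '='
    # inside the license element cannot split or add form parameters.
    body = urlencode({
        "grant_type": "rsl",
        "license": license_xml,
        "resource": resource,
    })
    return headers, body


def parse_token_response(status, text):
    """Return the license token, or raise LicenseError on any other outcome."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise LicenseError("invalid_response", "expected a JSON object")
    if status != 200:
        # Error object with "error" and "error_description" fields.
        raise LicenseError(data.get("error", "server_error"),
                           data.get("error_description", ""))
    # Accept only a token explicitly typed as rsl ("invalid_response" is
    # a local code used by this example, not one defined by the page).
    if data.get("token_type") != "rsl" or not data.get("access_token"):
        raise LicenseError("invalid_response", "not an rsl license token")
    return data["access_token"]
```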
Validate Access to a Digital Asset
This protocol allows a resource server or client to determine whether the terms of a previously issued license token permit access to a digital asset. This check is typically performed by a website before serving license-restricted content (see also Authenticating Web Crawlers) or by a client to verify that they are in compliance with license terms.
Validation is performed by submitting the license token and the digital asset URL to the license server’s introspection endpoint. This endpoint conforms to the OAuth 2.0 token introspection specification (RFC 7662), with OLP-specific extensions.
Endpoint
POST /introspect
Request Parameters
Parameter | Type | Description |
---|---|---|
token | string | The RSL license token to be validated |
resource | string | The URL of the digital asset whose access is being validated against the license token |
Response Fields
Field | Type | Description |
---|---|---|
active | boolean | Whether the license token is valid and recognized by the license server |
token_type | string | Always rsl |
license | string | RSL <license> XML element represented by the license token |
resource | string | URL of the digital asset covered by the RSL license |
permitted | boolean | Whether the license permits access to the specified resource |
reason | string | (Optional) Human-readable explanation if access is denied |
Example
Request
{
  "token": "rsl_cnNsLWNsaWVudC0xMjM6czNjcjN0S0VZ",
  "resource": "https://example.com/article/abc"
}
Successful Response
{
  "active": true,
  "token_type": "rsl",
  "license": "<license>...</license>",
  "resource": "https://example.com/",
  "permitted": true
}
Denied Response
{
  "active": true,
  "token_type": "rsl",
  "license": "<license>...</license>",
  "resource": "https://test.com/",
  "permitted": false,
  "reason": "License does not cover this resource"
}
Expired or Invalid Token
{
  "active": false
}
Error Responses
If the request is malformed or unauthorized, the server responds with HTTP 400 or 401 status codes and an error object conforming to RFC 7662 Section 2.3.
Error Code | Description |
---|---|
invalid_request | Missing token or resource, or invalid parameter encoding |
invalid_token | License token is expired, revoked, or unrecognized |
unauthorized | Client authentication failed or is not permitted to use this endpoint |
server_error | The server encountered an unexpected condition |
Example Error
{
  "error": "invalid_request",
  "error_description": "Missing required parameter: resource"
}
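Added example, not part of the specification: how a resource server might turn an introspection reply into an allow or deny decision before serving license-restricted content. The function name and the deny-by-default policy are assumptions of this example; the sample inputs are the responses shown above plus two constructed malformed variants.

```python
import json


def access_decision(status, body_text):
    """Return (allowed, reason) for a /introspect reply; deny by default."""
    if status != 200:
        # HTTP 400/401 error objects never grant access.
        return False, f"introspection failed with HTTP {status}"
    try:
        data = json.loads(body_text)
    except ValueError:
        return False, "introspection response is not valid JSON"
    if not isinstance(data, dict):
        return False, "introspection response is not a JSON object"
    # Strict identity checks: a string such as "true" or a missing field
    # must never be treated as permission.
    if data.get("active") is not True:
        return False, "license token is not active"
    if data.get("token_type") != "rsl":
        return False, "token is not an RSL license token"
    if data.get("permitted") is not True:
        return False, str(data.get("reason") or "license does not permit access")
    return True, "permitted"


# (status, body) pairs: the first three are the page's example responses,
# the last two are constructed malformed replies.
SAMPLES = [
    (200, '{"active": true, "token_type": "rsl", "license": "<license>...</license>",'
          ' "resource": "https://example.com/", "permitted": true}'),
    (200, '{"active": true, "token_type": "rsl", "license": "<license>...</license>",'
          ' "resource": "https://test.com/", "permitted": false,'
          ' "reason": "License does not cover this resource"}'),
    (200, '{"active": false}'),
    (200, '{"active": true, "token_type": "rsl", "permitted": "true"}'),
    (400, '{"error": "invalid_request",'
          ' "error_description": "Missing required parameter: resource"}'),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(access_decision(status, body))
```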
Retrieve License Key to Encrypt or Decrypt a Digital Asset
This protocol allows a client to retrieve a JSON Web Key (JWK) to encrypt or decrypt a digital asset governed by an RSL license. This capability enables content owners to securely license nonpublic, proprietary content to client applications, including paywalled articles, books, videos, and datasets.
License keys are provisioned by the license server when an RSL license is registered for a digital asset, and a client with a valid RSL license token can retrieve the associated key using the /key endpoint.
Endpoint
POST /key
Request Parameters
Parameter | Type | Description |
---|---|---|
token | string | A valid RSL license token previously obtained via the /token endpoint |
resource | string | The URL of the encrypted digital asset file |
Response Fields
Field | Type | Description |
---|---|---|
key | object | A symmetric encryption key represented in JWK format |
resource | string | The URL of the encrypted digital asset file |
The key object will include the following fields:
JWK Field | Type | Description |
---|---|---|
kty | string | Key type — always "oct" for symmetric keys |
kid | string | A unique identifier for the key (e.g., UUID) |
k | string | Base64url-encoded symmetric key (e.g., 128-bit AES key) |
alg | string | Encryption algorithm used, such as "A128CTR" |
Example
Request
{
  "token": "rsl_cnNsLWNsaWVudC0xMjM6czNjcjN0S0VZ",
  "resource": "https://example.com/media/episode-1.mp4.aes"
}
Successful Response
{
  "key": {
    "kty": "oct",
    "kid": "7e0d5c22-1234-4567-b89c-aabbccddeeff",
    "k": "L8sX8V3vB8r-k7oSdhZMQw",
    "alg": "A128CTR"
  },
  "resource": "https://example.com/media/episode-1.mp4.aes"
}
Error Responses
If the license token is invalid or the license does not permit access to the requested asset, the server responds with an appropriate error.
Error Code | Description |
---|---|
invalid_token | The license token is expired, revoked, or not recognized |
access_denied | The license does not permit access for the specified resource |
invalid_request | Missing or malformed token or resource parameter |
unauthorized | Client authentication failed |
server_error | The server encountered an unexpected condition |
Example Error
{
  "error": "access_denied",
  "error_description": "License does not permit access to this resource"
}
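Added example, not part of the specification: client-side validation of a /key response before the key is handed to a cipher. The function name, the KEY_BYTES table and the rule that the returned resource must equal the requested one are assumptions of this example; only "A128CTR" is accepted because it is the only algorithm the page names.

```python
import base64
import re

# Key length in bytes for each algorithm this example accepts. Any other
# alg value is rejected rather than guessed at.
KEY_BYTES = {"A128CTR": 16}
_B64URL = re.compile(r"[A-Za-z0-9_-]+")


def load_license_key(response, requested_resource):
    """Validate a parsed /key response; return (kid, alg, raw_key_bytes)."""
    if not isinstance(response, dict) or "error" in response:
        raise ValueError("key request failed or response is malformed")
    # Bind the key to the asset that was asked for (assumed policy).
    if response.get("resource") != requested_resource:
        raise ValueError("key is for a different resource")
    jwk = response.get("key")
    if not isinstance(jwk, dict) or jwk.get("kty") != "oct":
        raise ValueError("expected a symmetric (oct) JWK")
    alg, kid, k = jwk.get("alg"), jwk.get("kid"), jwk.get("k")
    if not isinstance(alg, str) or alg not in KEY_BYTES:
        raise ValueError(f"unsupported alg: {alg!r}")
    if not isinstance(kid, str) or not kid:
        raise ValueError("missing kid")
    # urlsafe_b64decode silently skips foreign characters, so check the
    # alphabet first, then restore the padding that JWK omits.
    if not isinstance(k, str) or not _B64URL.fullmatch(k):
        raise ValueError("k is not unpadded base64url")
    raw = base64.urlsafe_b64decode(k + "=" * (-len(k) % 4))
    if len(raw) != KEY_BYTES[alg]:
        raise ValueError(f"{alg} needs {KEY_BYTES[alg]} key bytes, got {len(raw)}")
    return kid, alg, raw


# The page's example response, as parsed JSON.
SAMPLE = {
    "key": {"kty": "oct", "kid": "7e0d5c22-1234-4567-b89c-aabbccddeeff",
            "k": "L8sX8V3vB8r-k7oSdhZMQw", "alg": "A128CTR"},
    "resource": "https://example.com/media/episode-1.mp4.aes",
}

if __name__ == "__main__":
    kid, alg, raw = load_license_key(SAMPLE, SAMPLE["resource"])
    print(kid, alg, len(raw), "key bytes")  # never log the key itself
```

A128CTR provides confidentiality only, so the integrity of the decrypted asset has to be checked by other means.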