The $403 standard is the access control layer of the protocol stack. Geo-gates, time-locks, blacklists, compliance rules, and programmable permissions — all enforced on-chain, all composable with $401 identity and $402 payment.
Platform Rules
YouTube decides who sees your content. Spotify decides where it plays. The platform controls the gate and keeps the key.
No Standard
$401 handles identity. $402 handles payment. But there's no standard for permissions, restrictions, and access rules. Until now.
On-Chain Rules
The content creator defines the rules. The protocol enforces them. No platform required. The gate is programmable and the creator holds the key.
Three HTTP status codes. Three protocol standards. One complete access control system for the decentralised web. Identity, payment, and permissions — every request passes through all three.
“Who are you?”
Identity verification. Self-sovereign, peer-underwritten, progressive disclosure.
“Pay for access”
Micropayments. Content tokens. Revenue routing. The economic layer.
“Are you allowed?”
Permissions. Geo-gates. Time-locks. Blacklists. Compliance. The rules layer.
Request arrives at a tokenised domain
A user or agent sends a request to a $402-enabled URL. Before payment is even considered, $403 rules are checked first.
$403 evaluates the ruleset
The on-chain ruleset is read: geo-restrictions, time-locks, identity requirements, blacklists, custom conditions. All composable, all transparent.
Forbidden or proceed
If any rule fails, the request gets a 403 Forbidden response with a machine-readable explanation of which rule was violated and what would satisfy it.
$401 checks identity (if required)
Some $403 rules require a minimum identity level. "Only Level 2+ identities can access this content." The $401 token satisfies the check automatically.
$402 handles payment
If all $403 rules pass and $401 identity checks pass, the $402 payment layer activates. Pay, receive token, access content. The full stack in one request.
- `geo`: Restrict content by jurisdiction. Block specific countries, allow specific regions. Useful for regulatory compliance and licensing.
- `temporal`: Embargo content until a specific date or block height. Release schedules, pre-orders, timed exclusives — all enforced on-chain.
- `deny`: Deny specific addresses, identities, or token holders. DMCA takedowns, sanctions compliance, creator-defined blocks.
- `$401`: Require a minimum $401 identity level. "Level 2+ only" for premium content. "Level 3 required" for legal documents.
- `token`: Require ownership of specific tokens. Hold $KWEG to access Kweg-exclusive content. Hold $BOASE for insider updates.
- `programmable`: Arbitrary programmable conditions. Smart contracts, oracle feeds, multi-sig requirements. If you can express it, you can enforce it.

| Scenario | $403 Rule | Outcome |
|---|---|---|
| Film rights restricted to UK | Geo-gate: GB only | Non-UK requests get 403 with explanation |
| Album drops on Friday | Time-lock: 2026-02-14T00:00Z | Early requests get 403 with countdown |
| Sanctioned entity tries to access | Blacklist: address match | Blocked permanently with compliance reference |
| Legal document needs verified signer | Identity-gate: Level 3 | Unverified users get 403 with upgrade path |
| Exclusive content for token holders | Token-gate: hold $KWEG | Non-holders get 403 with purchase link |
| Multi-sig corporate access | Custom: 2-of-3 signatures | Single sig gets 403 with co-signer instructions |
Every 403 response includes a machine-readable explanation. Clients and agents can parse the reason and act accordingly.
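To make the evaluation order and the machine-readable 403 body concrete, here is an added Python sketch of a rule evaluator; it is not the $403 project's code, and the rule names, request fields, response keys and the `0xbad` address are assumptions. The ruleset combines the scenarios from the table above so that the first failing rule decides the response.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

RELEASE = datetime(2026, 2, 14, tzinfo=timezone.utc)    # the table's Friday drop
EARLY = datetime(2026, 2, 13, 12, tzinfo=timezone.utc)  # constructed "too soon" clock
# Constructed request shape; field names are assumptions, not the $403 spec.
@dataclass
class Request:
    address: str
    country: str
    identity_level: int = 0
    tokens_held: frozenset = frozenset()
    now: datetime = RELEASE

# Each rule returns None when satisfied, else a machine-readable reason and remedy.
def geo_gate(allowed):
    return lambda r: None if r.country in allowed else {
        "rule": "geo", "reason": f"country {r.country} not permitted",
        "satisfy": f"request from one of {sorted(allowed)}"}

def time_lock(release):
    return lambda r: None if r.now >= release else {
        "rule": "temporal", "reason": "not yet released",
        "satisfy": f"retry after {release.isoformat()}",
        "seconds_remaining": int((release - r.now).total_seconds())}

def deny_list(blocked):
    return lambda r: None if r.address not in blocked else {
        "rule": "deny", "reason": "address is blacklisted", "satisfy": None}

def identity_gate(min_level):
    return lambda r: None if r.identity_level >= min_level else {
        "rule": "$401", "reason": f"identity level {r.identity_level} below {min_level}",
        "satisfy": f"present a $401 identity of level {min_level} or higher"}

def token_gate(token):
    return lambda r: None if token in r.tokens_held else {
        "rule": "token", "reason": f"does not hold {token}", "satisfy": f"acquire {token}"}

def evaluate(ruleset, req):
    # $403 runs first: the first failing rule returns a 403; only a fully passing ruleset hands off to $402 payment.
    for rule in ruleset:
        problem = rule(req)
        if problem is not None:
            return {"status": 403, "error": "Forbidden", **problem}
    return {"status": 402, "next": "$402 payment"}

# Constructed ruleset combining the table's scenarios, in evaluation order.
FILM_RULES = [deny_list({"0xbad"}), geo_gate({"GB"}), time_lock(RELEASE),
              identity_gate(3), token_gate("$KWEG")]
```

A client receiving the 403 can read `rule` and `satisfy` to decide whether to retry later, upgrade its $401 identity, or acquire the token.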
Every request to a tokenised domain passes through the same sequence. $403 runs first — if you're forbidden, you don't even get asked to identify or pay.
$403 (Are you allowed?) → $401 (Who are you?) → $402 (Pay for access)
The missing layer of the protocol stack. Define the rules. The chain enforces them.