We Proposed a New Web Standard So Systems Can Prove Compliance to Each Other.
RuleMesh has submitted a draft specification to the Internet Engineering Task Force (IETF) — the standards body behind HTTP, TLS, and the protocols that run the web. It is called HCAP: the HTTP Compliance Authorization Protocol.
Compliance still runs on email attachments.
Two companies want to connect their systems. One of them handles personal data, processes payments, or serves a regulated industry. Before they can do business, somebody has to answer a question: does the other side actually meet the compliance requirements we are obliged to enforce?
Today, that question is answered like this:
- A vendor questionnaire is emailed around.
- A Data Processing Agreement is negotiated.
- A SOC 2 report is shared on a drive.
- A security review happens at contract time.
- Then the integration goes live, and nobody checks again for a year.
The evidence is prose. The verification is manual. It happens once, at contract time — not at request time. And there is no runtime signal that the partner on the other end of the wire actually still meets the policies they claimed to meet when the contract was signed.
This is how trillions of dollars of B2B traffic move across the internet every day.
Compliance verification, moved into the HTTP layer.
HCAP moves compliance verification out of email and into the same layer where the web already handles identity, encryption, and authorization. The mechanics, in plain terms:
Declare
An API provider publishes a machine-readable manifest of the compliance requirements a caller must meet to use a given endpoint.
Obtain
The caller fetches a signed Compliance Credential from a trusted registry stating which requirements it satisfies. Portable across providers.
Present
On every request, the caller presents the credential in a standard Authorization header. The provider verifies it cryptographically, in milliseconds, without phoning home.
Four steps. One HTTP request.
The declare / obtain / present sequence, with the cryptographic verification step performed by the resource server itself — no call-home dependency on the request path.
Four properties TLS gave us for transport security. Now available for compliance.
Declarative
Compliance is published in a machine-readable manifest, not negotiated in legal prose and email attachments.
Portable
A credential earned once can be reused with any provider that trusts the same ruleset — across vendors, clouds, and jurisdictions.
Runtime-verifiable
Compliance is checked on every protected request, not once at contract signing and then forgotten until the next annual review.
Offline-verifiable
Cryptographic signatures let providers verify credentials without a live call back to the registry. No central gatekeeper on the request path.
Think of it as what TLS did for transport security, applied to compliance. TLS turned “is this connection secure?” from a manual review into a cryptographic check the browser performs automatically. HCAP does the same for “does this caller meet our regulatory requirements?”
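As an added illustration of the declare / obtain / present flow and the offline-verifiable property described above (this is not code from the RuleMesh draft, whose wire format is not given on this page), the Go program below models the three roles: a constructed manifest lists the rulesets an endpoint requires, a hypothetical registry signs a credential with Ed25519, and the resource server checks signature, expiry and coverage using only the registry's public key. The manifest and credential fields, the ruleset names and the expiry handling are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)
// Constructed formats for illustration only; the HCAP draft defines its own.
// Manifest is what a provider publishes (Declare). Credential is what a
// registry signs for a caller (Obtain) and the caller presents on each request.
type Manifest struct {
	Requires []string `json:"requires"` // rulesets a caller must satisfy
}
type Credential struct {
	Satisfies []string `json:"satisfies"`
	Expires   int64    `json:"exp"` // unix seconds; bounds how long an offline check stays valid
}
// SignCredential runs once at the hypothetical registry; the provider never calls it.
func SignCredential(c Credential, key ed25519.PrivateKey) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(c); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(key, payload), nil
}
// Verify is the resource server's per-request check (Present): registry signature,
// expiry and manifest coverage, using only the registry's public key (no call-home).
func Verify(m Manifest, payload, sig []byte, registryPub ed25519.PublicKey, now time.Time) error {
	if !ed25519.Verify(registryPub, payload, sig) {
		return fmt.Errorf("signature does not verify against the trusted registry key")
	}
	var c Credential
	if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	if now.Unix() >= c.Expires {
		return fmt.Errorf("credential expired")
	}
	have := map[string]bool{}
	for _, s := range c.Satisfies {
		have[s] = true
	}
	for _, r := range m.Requires { // every declared requirement must be covered
		if !have[r] {
			return fmt.Errorf("requirement %q not satisfied", r)
		}
	}
	return nil
}
```

Because the check never reaches the registry, the expiry is what bounds how long a credential the registry has since withdrawn would keep verifying, so credential lifetime is the lever a provider has over that window.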
An open protocol, not a proprietary service.
RuleMesh could have built a proprietary compliance verification service. Many companies do. We chose the IETF instead — a public commitment that compliance verification should be open infrastructure, implementable by anyone, interoperable across vendors.
The same playbook that made HTTPS the default.
The IETF is the standards body responsible for the protocols that actually run the internet: HTTP, TLS, TCP/IP, DNS, OAuth. Submitting a draft to the IETF is a public commitment — a statement that we believe compliance verification should be open infrastructure, implementable by anyone, interoperable across vendors, and governed by the community of internet operators rather than by any single company.
This is the same playbook that turned HTTPS from a niche feature into the default state of the web. The vendors that built their businesses on that open foundation — certificate authorities, CDN operators, cloud providers — did not suffer from the standardisation. They thrived on it. The market grew because the foundation was solid.
We believe the same arc is available for compliance.
The economics of B2B software change the moment compliance stops being paperwork.
Faster integrations
Compliance checks that take weeks of back-and-forth complete in milliseconds on the first request.
Continuous assurance
Compliance is verified every time a protected endpoint is called — not once, then forgotten until the next annual review.
Portable trust
A credential earned once can be reused with any provider that trusts the same ruleset. Answer the questionnaire once, not fifty times.
Auditable by design
Every protected request carries a signed record of which requirements were checked and satisfied. Cryptographic evidence that holds up in audit.
For regulated industries — financial services, healthcare, data processing, critical infrastructure — this is not a nice-to-have. The cost of today's manual compliance verification is paid by every API provider in security review overhead and every API consumer in sales-cycle friction. HCAP removes both.
None of this can run on email attachments.
The web is about to change shape. AI agents are starting to make API calls on behalf of humans. Autonomous software is increasingly transacting with other autonomous software. Machine-to-machine traffic is growing faster than human-to-machine traffic.
An AI agent cannot wait three weeks for a Data Processing Agreement to be negotiated before it completes a task. A fleet of autonomous agents cannot each separately pass a vendor security review.
When one software system asks another “can I trust you with this?”, the answer has to be machine-readable, cryptographically verifiable, and available at request time.
This is not blockchain hype; it is a web where trust between autonomous systems is established at the protocol level rather than in legal prose. HCAP is the near-term fix for today's HTTP traffic. It is also the foundation for the agent-driven traffic that is already beginning to dominate.
HCAP is the protocol. The governance layer is where RuleMesh operates.
HCAP
The wire format. Defines how compliance credentials are requested, issued, presented, and verified on the web. Implementable by anyone. Interoperable across vendors.
Structured regulatory knowledge
The protocol does not specify what evidence underlies a given claim or how a registry decides whether a caller meets a requirement. That is the layer RuleMesh operates at.
Compliance is about to stop being paperwork.
We are building the infrastructure for what replaces it.
If you are an API provider tired of questionnaire fatigue, an API consumer tired of answering the same compliance review for the fiftieth time, or an operator thinking about how AI agents will interact with your regulated systems — we would like to hear from you.
HCAP · Individual Submission · Lawrance Nyakiso (RuleMesh) · trust200902 · This article is not legal advice.