Ease of adoption is a requirement of PCHP, not an afterthought. If you cannot understand the protocol in five minutes, we have failed. So here is the whole thing, fast.
The mental model
A person (the owner) has private data. Someone else (a requester — an app, a CPA's software, an agent) wants to read a slice of it. PCHP is the handshake that gets from "wants to read" to "has read, with a receipt" — and lets the owner see and revoke the whole time.
Five nouns, and you know the protocol:
- Consent Receipt — proof the owner said yes, to these scopes, until this time.
- Data Access Token — a single-read key derived from a receipt.
- Sealed Envelope — the data, encrypted so only the requester can open it.
- Transparency Log — the append-only record the owner can read.
- Scope — a dotted, least-privilege string like
attr.identity.*orportfolio.read.
The handshake, in six steps
1. Discover. The requester reads the host's capabilities:
GET https://host.example/.well-known/hussh
→ { protocol_versions, issuer, scopes_supported, token_profiles, log }
2. Hello. The requester asks for exactly what it needs, and no more:
POST {issuer}/hello
{ "version": "pchp/2026-07-12",
"requester": "...verifiable id...",
"scope": ["portfolio.read"],
"purpose": "Prepare 2026 tax return" }
3. Offer. The issuer shows the owner a plain-language request: who, what, why, how long.
4. Consent. The owner approves with a real credential (a passkey/biometric tap). A Consent Receipt is minted, and REQUESTED + CONSENT_GRANTED land in the log.
5. Deliver. For each read, the issuer derives a Data Access Token and returns a sealed envelope:
GET {issuer}/read?resource=portfolio.statements
Authorization: Bearer <data-access-token>
→ sealed envelope (opens only with the requester's key)
6. Acknowledge. The requester confirms; a READ event is logged. Done — and fully attributable.
At any moment the owner can revoke, and the receipt and every token derived from it die everywhere at once.
Least privilege, by construction
Notice what you cannot accidentally do. You cannot ask for "everything" — scopes are narrow and the issuer refuses over-broad asks. You cannot hold a permanent copy — tokens expire and reads are sealed per-envelope. You cannot share silently — every step is logged. The protocol makes the safe path the easy path.
Conform in one test
At the baseline level, conformance has an objective test: reproduce the published golden vectors for the token format. If your implementation matches every vector, your token layer is conformant. The reference implementation cross-checks the same suite in two languages, so "it works on my machine" is not a question of opinion.
Where to go next
- The full specification — normative, with the JSON Schema and the scope grammar.
- The Overview — if you want the why before the how.
That is PCHP. Five nouns, six steps, one conformance test. Now go build something that treats a person's consent as the protocol.
— Manish Sainani and 🤫 Research & Intelligence Team
