<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-prakash-http-subscribe-00" category="std" consensus="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="HTTP SUBSCRIBE">The HTTP SUBSCRIBE Method</title>
    <seriesInfo name="Internet-Draft" value="draft-prakash-http-subscribe-00"/>
    <author initials="A." surname="Prakash" fullname="Amit Prakash">
      <organization>Boeing</organization>
      <address>
        <email>amitbcet2k15@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="04"/>
    <area>Applications and Real-Time (art)</area>
    <workgroup>HTTP Working Group (httpbis)</workgroup>
    <keyword>HTTP, subscribe, push, server-sent-events, websockets</keyword>
    <abstract>
      <?line 30?>

<t>This document defines the HTTP <tt>SUBSCRIBE</tt> request method. The <tt>SUBSCRIBE</tt> method allows a client to establish a long-lived, safe connection to a resource to receive real-time updates and event streams. It enables servers to push data to clients using standard HTTP structures (such as HTTP/2 or HTTP/3 streams) while supporting a request body for subscription parameters, avoiding the protocol-switching overhead of WebSockets and the URL limitations of Server-Sent Events (SSE) via <tt>GET</tt>.</t>
    </abstract>
  </front>
  <middle>
    <?line 34?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Modern web applications require efficient, low-latency, and real-time communication channels from the server to the client. Examples include chat applications, stock market tickers, collaborative document editing, and live dashboards.</t>
      <t>Historically, real-time push has been achieved using three primary workarounds:</t>
      <ol spacing="normal" type="1"><li>
          <t><strong>Long Polling:</strong> Recreating HTTP requests continuously. This is highly inefficient and creates substantial connection overhead.</t>
        </li>
        <li>
          <t><strong>WebSockets:</strong> Upgrades the connection from HTTP to a separate bidirectional TCP-based protocol. While efficient, it bypasses HTTP intermediaries (like load balancers, reverse proxies, and Web Application Firewalls), breaks semantic caching, complicates authentication, and often struggles with strict enterprise firewalls.</t>
        </li>
        <li>
          <t><strong>Server-Sent Events (SSE):</strong> Utilizes standard HTTP <tt>GET</tt> requests with <tt>text/event-stream</tt> responses. However, because <tt>GET</tt> requests do not support a request body, clients must pass subscription parameters (such as filter expressions, selected fields, or authentication tokens) within the URL query string. This leads to problems with URL length limits, logging of sensitive data, and overall architectural rigidity.</t>
        </li>
      </ol>
      <t>This specification introduces the <tt>SUBSCRIBE</tt> method to address these issues. <tt>SUBSCRIBE</tt> is a safe HTTP method that allows the client to send subscription parameters in the request body while establishing a long-lived, server-push event stream.</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>
    </section>
    <section anchor="the-subscribe-method">
      <name>The SUBSCRIBE Method</name>
      <t>The <tt>SUBSCRIBE</tt> method is used to request a persistent, real-time event stream from a target resource.</t>
      <ul spacing="normal">
        <li>
          <t><strong>Safe:</strong> Yes. A <tt>SUBSCRIBE</tt> request is read-only; it MUST NOT modify the state of the target resource on the server.</t>
        </li>
        <li>
          <t><strong>Idempotent:</strong> Yes. Multiple identical <tt>SUBSCRIBE</tt> requests will yield identical event stream configurations.</t>
        </li>
        <li>
          <t><strong>Request Body:</strong> Allowed. The request body contains subscription parameters (e.g., query filters, requested fields, backfill start time, or sub-topics).</t>
        </li>
        <li>
          <t><strong>Response Body:</strong> Allowed. The response body is a long-lived stream of events or data updates.</t>
        </li>
      </ul>
      <section anchor="request-semantics">
        <name>Request Semantics</name>
        <t>Clients send a <tt>SUBSCRIBE</tt> request to the target URI. The request body SHOULD specify the parameters of the subscription. For example, a JSON payload may describe a topic filter:</t>
        <sourcecode type="http"><![CDATA[
SUBSCRIBE /events/trades HTTP/1.1
Host: api.example.com
Content-Type: application/json
Accept: text/event-stream

{
  "ticker": "GOOG",
  "min_volume": 100,
  "fields": ["price", "volume", "timestamp"]
}
]]></sourcecode>
      </section>
      <section anchor="response-semantics">
        <name>Response Semantics</name>
        <t>A successful response is indicated by the <tt>200 OK</tt> status code. The response body MUST consist of a continuous stream of structured data chunks.</t>
        <t>To maintain the subscription, the server holds the response stream open indefinitely.</t>
        <ul spacing="normal">
          <li>
            <t><strong>HTTP/1.1:</strong> The server MUST use chunked transfer encoding (<tt>Transfer-Encoding: chunked</tt>) to stream data.</t>
          </li>
          <li>
            <t><strong>HTTP/2 and HTTP/3:</strong> The server streams data over a single multiplexed stream, utilizing native frame transport without requiring chunked transfer encoding.</t>
          </li>
        </ul>
        <t>The response <tt>Content-Type</tt> SHOULD indicate a streaming protocol, such as <tt>text/event-stream</tt> or <tt>application/x-ndjson</tt>.</t>
        <t>Example response header and initial stream chunk:</t>
        <sourcecode type="http"><![CDATA[
HTTP/1.1 200 OK
Content-Type: text/event-stream
Cache-Control: no-cache, no-store
Connection: keep-alive

data: {"price": 175.20, "volume": 150, "timestamp": 1719999999}

data: {"price": 175.25, "volume": 500, "timestamp": 1720000005}
]]></sourcecode>
      </section>
    </section>
    <section anchor="client-and-server-behavior">
      <name>Client and Server Behavior</name>
      <section anchor="client-behavior">
        <name>Client Behavior</name>
        <t>A client initiates a subscription by issuing a <tt>SUBSCRIBE</tt> request. The client MUST be prepared to read the response body incrementally as data chunks arrive.</t>
        <t>If the client wishes to terminate the subscription, it MUST close the transport-level stream (or connection).</t>
      </section>
      <section anchor="server-behavior">
        <name>Server Behavior</name>
        <t>Upon receiving a <tt>SUBSCRIBE</tt> request, the server:</t>
        <ol spacing="normal" type="1"><li>
            <t>MUST parse and validate the request body and headers.</t>
          </li>
          <li>
            <t>MUST verify authorization for the requested subscription.</t>
          </li>
          <li>
            <t>On success, MUST send response headers (e.g., <tt>200 OK</tt>) and keep the stream active.</t>
          </li>
          <li>
            <t>MUST push events to the stream as they occur.</t>
          </li>
          <li>
            <t>SHOULD periodically transmit keep-alive/heartbeat chunks (such as empty comments in <tt>text/event-stream</tt>) to prevent intermediary timeouts.</t>
          </li>
        </ol>
        <t>If the request is invalid or unauthorized, the server MUST return an appropriate 4xx or 5xx status code and close the connection immediately.</t>
      </section>
    </section>
    <section anchor="caching-considerations">
      <name>Caching Considerations</name>
      <t>Because <tt>SUBSCRIBE</tt> responses represent dynamic, real-time streams of events, they MUST NOT be cached by shared caches or HTTP intermediaries.</t>
      <t>Servers MUST include a <tt>Cache-Control: no-cache, no-store</tt> header in the response. Intermediaries MUST immediately forward both the request and response stream without buffering.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="connection-exhaustion-dos">
        <name>Connection Exhaustion (DoS)</name>
        <t>Long-lived connections consume file descriptors and memory. Malicious clients could open thousands of subscriptions to deplete server resources (Denial of Service).</t>
        <t>Servers SHOULD:</t>
        <ul spacing="normal">
          <li>
            <t>Enforce limits on the number of concurrent subscriptions per client/IP address.</t>
          </li>
          <li>
            <t>Support HTTP/2 and HTTP/3 to multiplex subscriptions over a minimal number of TCP/QUIC connections.</t>
          </li>
          <li>
            <t>Implement aggressive timeouts for clients that do not read stream chunks.</t>
          </li>
        </ul>
      </section>
      <section anchor="authentication-and-authorization">
        <name>Authentication and Authorization</name>
        <t>Subscriptions often contain sensitive live data. Because connections are long-lived, token expiration (e.g., OAuth tokens) must be handled. Servers SHOULD validate token longevity during the initial request handshake. If a token expires while a stream is active, the server MAY push an expiration event and close the connection, forcing the client to re-authenticate and re-subscribe.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>IANA is requested to register the <tt>SUBSCRIBE</tt> method in the "HTTP Method Registry" under the Hypertext Transfer Protocol (HTTP) Parameters registry:</t>
      <ul spacing="normal">
        <li>
          <t><strong>Method Name:</strong> <tt>SUBSCRIBE</tt></t>
        </li>
        <li>
          <t><strong>Safe:</strong> Yes</t>
        </li>
        <li>
          <t><strong>Idempotent:</strong> Yes</t>
        </li>
        <li>
          <t><strong>Reference:</strong> This document</t>
        </li>
      </ul>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9110" target="https://www.rfc-editor.org/info/rfc9110" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9110.xml">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC5789" target="https://www.rfc-editor.org/info/rfc5789" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5789.xml">
          <front>
            <title>PATCH Method for HTTP</title>
            <author fullname="L. Dusseault" initials="L." surname="Dusseault"/>
            <author fullname="J. Snell" initials="J." surname="Snell"/>
            <date month="March" year="2010"/>
            <abstract>
              <t>Several applications extending the Hypertext Transfer Protocol (HTTP) require a feature to do partial resource modification. The existing HTTP PUT method only allows a complete replacement of a document. This proposal adds a new HTTP method, PATCH, to modify an existing HTTP resource. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5789"/>
          <seriesInfo name="DOI" value="10.17487/RFC5789"/>
        </reference>
        <reference anchor="RFC10008">
          <front>
            <title>The HTTP QUERY Method</title>
            <author initials="" surname="IETF" fullname="IETF">
              <organization/>
            </author>
            <date year="2026" month="June"/>
          </front>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA4VZ71PjOBL97r9CxX6BqTgEdtjZyX25wDADdzCwJNTW1NXV
odhKosO2vJINZKdm//Z73ZJihx911NTgKLLU6n79+rVI0zRpdFOosZitlDib
za7F9PZ4enJzfnwqLlWzMnki53OrHsbPvk1yk1WyxJu5lYsmra28l26Vrpqm
Tl07d5nVc5WORkkuG8w6HB3+ko4+pKP3SYaBpbHrsXBNniS6tmPR2NY1h6PR
x9FhIq2SYzGp60JjqjaVE7LKxY2SRTrTpRK70jZ7yaOx90tr2jqY9js+62op
vtCY2CVD5trtJfdqjam5nzUQG9sGom7dCgPKPiibOlU1qXrA/24gHtXcmexe
NS6RLbxgx4kQqdCVg2FDce0PizEhvBMmpW62ho1djsWxUbCIP6tS6mIsJObN
M9Uc3h8c/X1JY8PMlElSGVvirA+KNrr5fHJ4cPAxPP568OF9ePx4cDAaw2PV
4tn0ow+/xukHo9Ho1zHvGUK7s4ntb7enN99CXHd4Sj84v/BId176ScP5zk9n
n5M0TYWcu8bKrEmS2Uo7ARS0JXwmcrXQlXKiiXvdbaByJ6z6o1WuESXvPGSw
9b/340IWhXlEsEVWaFqzMQJvyXmh3QqjhamWaYFD5wiaXCiRmapSGSGEpkps
40xrM0WfrMoUpuI3UNMQatqaDuuxxHEG/PBt6YbivBGqwj741qPB0RIED3KQ
pA/eJCdaRxiDVVUube6PinXarGmxvdh1bQZbHX+xfwgY+Kef42Z74nGlCwUY
1rWxDS0mN/6Zm3wtENsI0prPVkuLGDSwaiDkg9E5vUR+rq1pTGaK1D3qJlvR
sIHxKyVzYRbidzWfehDzmemN25sLUWhgMOQVZk09/KfkkFOGv9idTk/3xIOW
4u7L6exumHDkS53nhUqSn8R51ViTt+z5JLk0ubIVpYyQ/ZylQ2mrhFosdEbO
GyCCj2mBIFTZesA2ddFBFpRtFV4W2UoitIUTC2tKttzHhSJBn3w0huL0SZY1
hU1XWdHmil5stswAVOCje1FKC08gJeAQciTcVsi5sZxFHYxVrikm3rqCv0JG
zw1i7eCHM43VLNYuCpygs56hskLY50pVQiIWQFgewNKsrKJgadiwFkRbEhRV
5Q6pfDAU4t27CyBbXMMiTB+/eweqy7A2g4MBFvDhCPEYbU3rijWlETIQ/1Z6
uSrW8MHG1Ww+r0GQBpiA10bLop8yESrD5JCN6OBCJtzWSyvzkNC9tzggbBSn
nFOEzkaJOWBp/RxsMzu5TufSwQURo0PxO+O+hwYw5nxdS+eUTxccACAvEQJp
NeVSoe8VMAM0z2Uhq4wDh1qE3wz+J8zykYLt/YIhPsOWRwTJ7Q0Eqpe8p8Qu
yQeZyCSnCkGg9G8QKYD1FH3N7/tFzQJI5eReLgljSLIVfdQZ0QVMRUhhyCLu
NUx+Zke+lVHs1kYX+k8KyhaDcJ51Yead7hr11OwzU6WePGiGqwFqBc46M4/k
CZxPZbKFHc/WyI2oTBN55hnJDDZ8VqLuCgrCW5zTUdpCFxgQ6qmGGS4klyoQ
dMR5oVWRYwDkte1L4OReVcR7OJSuNjQEY5AN5M5qGaBcAI2eea0BGZfBEUxa
qlrikbnLEZEsl0x3C1hQOe2TGFQdIgfHICJCWoS6UcTNAKXVS4C0WQ9D7XK1
yvQimqkDqQXIv1KeCPB5TmenGfC4dq6lUPTnaqpfXJ04sPFVpiVf3jr+ohVh
fv6m64O7tsqDLx+buugLyFZp9PBjSurXuSFR9wwJpisD/63JC0pAHRElwe87
l7fT2c7A/xZfr/j55vS32/Ob00/0PD2bXFxsHuKM6dnV7cWn7ql78+Tq8vL0
6yf/MkbFs6HLybcdH6+dq+vZ+dXXycWOP3JfWEANkp/mytMDsEdwAxxBTqzj
cnrn+ORaHLwX378H7fTjh38m8YTnRwAyQKMq1uEjXLumWqGkpSUIMJmsURsL
YhXgY2UeK7FSVnnXwVsvxHHyhpTRpBRU7pWIj54UNWKKAsLk19WOfow8vUJw
SLtEtYqChiowEQtgRSTyjUA3eVVhaaq7Mk/pmH8jho3BFKXJ9WLta2lDjI3c
oQ/PthKm6tXbIe97nquyNmT3ZvfLtmg0Kq/QuU/14jVzKIHh1TVxQ2/m1olR
WxZ62Vpfrv2GN+E0xwA8bTmhzFFBOG5lAxVECVn+Nnup4XI4CGzjGYyLCK/R
4625zO4XZCycY0knlIrJDOumjal15vaibZ6C3zIufMvWMRl0uRmPDM/7RoM2
YIEZtCnh7CcRTz8NFcslyUlga2YL+WrkgzIK4by9OX/FWyFDPfF5LPRcFQDR
9+RQfDbE+KyykBTiH9Orr3hnzVW5lOtNFhJoyU3Bx5A2f/31l6AmLOmSxlcz
t994acHK+GB4kJwZ16A3qvUwbMVN0QliS8Vvtq7VuC/q9v/rIDwnWaZqvPai
TCbJd3QvO17q7aD/+XJ19WVnQGPgvv88mALMgnF0SjzoIYCBf+2gomeKuClM
GtAyJZFtWe/8O/lBhwoxCnHuBWkC18Em5xZt0QGBJFqVs8yAjvFOv0OnK67+
eceZ2JKsy9Vr+OHkBcSJNSg8sicAe2Da9B+5R1O2aqt7AtPMIEaaM+RFaAd9
Wb0yRe5CrQkGxOVrRbWR2zuU0mIduCjGjjJg1i3EFpMaYRuIAK2s3IJkQ4VT
UrXavZuFsfQ0jI3j9Ls9rol+azrLsNvskPnbd1PPdg29lT89FX+qwVgX/FQG
onrapN9AtCzCyJbKy/8F5YA3lcUSyQ7TNqGFoYlvHmfoS8DGbXd91N7FjIsI
ILvYCFozSmO6k/AK6zXJh/y762P/Ka1ywj+1ZaH96XYnPU+nr6goalb8kWbp
AP2sjAEUHovPsu1lUp1ANquUZllTjKEtUxLSIAU8UVOkaIXQJYwhK1SdSmK9
hC6A5Fh8D8mFvPtwNDwcdUmGkaPRVqbRnIOP/ufHGwsc9Rc4Gr1cAOein6OY
tMKTKDvHS3RxrFbyQRvLKR2+7sYmUaZ5V3KbsF1n5mvWgF6DvULKPqfDKpwa
c2pcqGeK2kDm22nn60aF3o3UD/WZrHW6tIYgsnAron++6GvJR4hBxeq5YY1H
aHuZ81ERZIVx/vsN6tMC8d7gZRe469q+PV+ZXrjtFkaHq5Y3ndAnmtDxsglw
AkygaDwAKHm0d6tg0bce0863qfwmFqLy5W+q9J9ev9O1Se99ta2qfW92VUWK
HviVuJ4+y56NZogsvcdmEKKDemIHyazhMLzfnGcjuF0sxnGq81rTZFkLSXWE
NwIvQBFqk/v7BB8JukfskmcfJtlmjj4+Rn/TjUGSNWu+NuEdwfCvsMee76a8
4Oq112sWOKA41+GoJyF1xSEh7mmr6GbqLZpnTA8x3lpI54rKszVIUArj+6cn
evUIv3oFzt9JbHDXu1PQJVsVqgsy0Xfo4oQqHyLipWGSHMdOdwtkoSPGE/Wl
fBe5rsCwWV9kxwqxkV5B/m/kMRKT+YxrtFtxgvKAi3d4z64nYOk03BXyIvEG
Cjnwf6nyLhL1psHzhxjS1Vr/CsSv3LmHUP5ItwZzg264HzXZB3LAXSxj83aB
kuWLFSUxUIg2+IV7iQO7oJw+reBsftz9ZKZ7SXLRCdkueHwn5cDCJPxUkIM1
DukvHUtVGrtGvwA8ZZpkS7x4yEyLpoDlBVnpMJvD089aTqRcocQ1G9zFRgWp
8ElVVOHCJSZqw14vKD7DxqRWTum+HK2Nvz2IHU7VlnOsh7dxArjEclOytTvS
M9i7f34dm3+SJNNwq/JCmJDBG8nxbLUgTMDNuoTZ3f6zk+t9tNknfbfSLudU
3H0TvFzynQu0SkxcJrzoTL5fCDc+XFP6VT+0FZPtaxmyedJnULhu21y+/goN
Vu+apYh3LUMRE7IPB+rX+9cRfP1Dl0baAy2y6xVtvrkc4mso5OAKZhXUTG2H
sVcieDnaQD0QiPPWxuvwqHhiStBayOR7SqsF9ycbS+g2j+9Roh7jVo0ZfZvk
Jt88r8utI3g+fYvPBhSaLFrVXfVYlfauxlRI2e6PZZyd55OvkxeZyYPa9Wob
L7ekywT71nVV4JYd5i5/XYG2hd6x6x3weh5ePYPgs1Q6RNTl4jooU7FLL++J
665JtGGFsW8Dwrpf6Y9E0OQ9M57fWLx+kxBaamwKQa28rO/d/iT/A5KACZCi
HAAA

-->

</rfc>
