Protocol · Semantics

hops://

HTTP over the mesh

operator network behind the firewall firewall HNS reach record ✓ → hop address 1 · resolve 2 · request client relays · mesh hop-endpoint origin hop packets · sealed (hdp) HTTP terminates hop → HTTP
Resolve the name via HNS (the domain's TLS-served reach record, a hop address, not an IP), then spray sealed hop packets across the mesh to the hop-endpoint behind the operator's firewall. Only there are they translated to HTTP for the origin. The endpoint is the origin, not a proxy.
How it works
  • Resolve the domain via HNS to the endpoint's key, verified by the domain's TLS-served reach recordReach record: a signed statement the domain serves at /.well-known/hop. TLS proves the domain, the signature proves the address, so a name can't be forged into the wrong key., not an IP, or address the endpoint directly and skip the lookup.
  • Sealed hop datagrams cross the mesh to the operator's own hop-endpoint. The only live hop is endpoint↔backend, on the operator's own wire; the client↔endpoint path stays delay-tolerant.
  • The endpoint runs the request against its own origin and re-seals the response. It is the origin, bound to one domain, never an open proxy, so nothing on the mesh ever sees plaintext HTTP.
Why it matters
For developers

Send an HTTP request to hops://host/path. The request carries only a path plus a signed host; the endpoint refuses anything but its configured origin (no open-relay abuse). Finite responses auto-chunk; live ones (SSE, WebSocket) stream.

For business

Expose your existing web service to devices with no internet, running on your own infrastructure, with no third-party proxy in the middle that could read your traffic or your users'.

Deeper implementation detail is coming in the Hop whitepaper.

Ready to build on it?