How OHTTP Works

Protocol Overview

Oblivious HTTP separates knowledge between two parties:

The Relay knows who you are (your IP) but can’t see what you’re requesting
The Gateway can see your request but doesn’t know who you are

This separation means no single entity can link your identity to your requests.

The Flow

+---------+       +-------+       +---------+    +--------+
| Client  |       | Relay |       | Gateway |    | Target |
+---------+       +-------+       +---------+    +--------+
     |                |                |             |
     | Encapsulated   |                |             |
     | Request        |                |             |
     +--------------->| Forward        |             |
     |                +--------------->| Decrypt &   |
     |                |                | Forward     |
     |                |                +------------>|
     |                |                |             |
     |                |                |<------------+
     |                |                | Encrypt     |
     |                |<---------------+ Response    |
     |<---------------+                |             |
     | Decapsulated   |                |             |
     | Response       |                |             |

Step by Step

1. Client Encrypts Request

The client fetches the gateway’s public key from /.well-known/ohttp-gateway and uses HPKE (Hybrid Public Key Encryption) to encrypt the HTTP request.

2. Client Sends to Relay

The encrypted blob is sent to the relay as a POST request with Content-Type: message/ohttp-req. The relay sees:

Client’s IP address
An encrypted blob it cannot read

3. Relay Forwards to Gateway

The relay forwards the encrypted blob to the gateway. The relay cannot:

Read the request
Know what endpoint the client is accessing
Link multiple requests from the same client

4. Gateway Decrypts

The gateway decrypts the request using its private key and processes it. The gateway sees:

The full HTTP request
The relay’s IP address (not the client’s)

5. Response Path

The response follows the reverse path:

Gateway encrypts the response
Relay forwards it back
Client decrypts with the context from step 1

Cryptography

OHTTP uses:

HPKE (RFC 9180) for encryption
Binary HTTP (RFC 9292) for message encoding
Default cipher suite: X25519, HKDF-SHA256, AES-128-GCM

Trust Model

Entity	Knows Identity	Knows Request
Relay	Yes (client IP)	No
Gateway	No	Yes
Relay + Gateway colluding	Yes	Yes

For maximum privacy, the relay and gateway should be operated by different entities.

Limitations

No replay protection: OHTTP doesn’t prevent replay attacks by design. Applications must implement their own if needed.
Latency: Two extra hops add latency compared to direct requests.
Trust in relay: If the relay and gateway collude, they can correlate identity and requests.