Application-Layer Protocol Negotiation (ALPN)

ALPN (Application-Layer Protocol Negotiation) is a TLS extension that lets a client and server agree on the application protocol, such as h2 or http/1.1, while the TLS handshake is still in progress. The agreement happens inside the handshake, so no extra round trip is spent choosing a protocol before data flows.

Table of Contents

What ALPN solves
How ALPN works in the handshake
Protocol identifiers
Relationship to HTTP/2 and HTTP/3
Example
See also

What ALPN solves

ALPN removes the need for a separate negotiation step after TLS completes. A single port like 443 can serve HTTP/1.1, HTTP/2, and other protocols at the same time, and the client and server have to agree on which one to speak. Without ALPN, that agreement would cost an additional exchange after the encrypted channel is ready, delaying the first request.

ALPN folds the choice into the existing TLS handshake. The client advertises the protocols it supports as part of the first message it already sends, and the server picks one in the message it already returns. Application data then starts immediately under the agreed protocol. This is what makes HTTP/2 practical over TLS, since browsers negotiate h2 through ALPN rather than through an in-band upgrade.

How ALPN works in the handshake

ALPN runs as an extension carried in the ClientHello and ServerHello messages of the TLS handshake. The negotiation completes before any application data is sent, and it adds no network round trips of its own.

The flow has two steps:

ClientHello: the client includes an application_layer_protocol_negotiation extension holding a list of protocol identifiers, ordered by client preference. A typical browser sends h2 followed by http/1.1.
ServerHello: the server selects a single protocol from that list, usually the one it prefers most, and echoes the chosen identifier back in its own ALPN extension. Both sides then proceed with the selected protocol.

When the server supports none of the offered protocols, it ends the handshake with a fatal no_application_protocol alert rather than guessing. The selected identifier is also available early enough for the server to choose a certificate based on the negotiated protocol.

ALPN is visible on the wire

The protocol list and the server's choice travel in the cleartext portion of the handshake in standard TLS. This visibility lets network equipment tell which protocol a connection uses. Encrypted Client Hello (ECH) hides the ALPN values by encrypting the inner ClientHello.

Protocol identifiers

ALPN protocol identifiers are short byte strings registered with IANA, each naming one application protocol. The client offers identifiers it supports and the server returns the single identifier it selected. The common HTTP values:

Identifier Selects

Identifier	Selects
`http/1.1`	QUIC where TLS 1.3 is built into the transport, so ALPN is part of the QUIC handshake rather than a separate TLS layer. The registry also holds historical identifiers such as `spdy/1`, `spdy/2`, and `spdy/3` from the protocol that preceded HTTP/2. Relationship to HTTP/2 and HTTP/3 ALPN is the standard way clients and servers select an HTTP version over a secure connection. HTTP/2 over TLS is negotiated almost entirely through ALPN using the `h2` identifier, which replaced the cleartext upgrade path the original HTTP/2 specification once described. HTTP/3 depends on ALPN for protocol identification inside the QUIC handshake, using the `h3` token. A client typically learns that a server speaks HTTP/3 through an Alt-Svc advertisement or an HTTPS DNS record, then opens a QUIC connection where ALPN confirms `h3`. This differs from the HTTP/1.1 protocol upgrade mechanism, which switches protocols on an already open cleartext connection. ALPN instead settles the protocol while the secure channel is being built. Example The negotiated protocol is visible with `openssl s_client`, which prints the ALPN result after the handshake. The `-alpn` flag sends the listed identifiers in the ClientHello, and the server's choice appears in the output. A client offering `h2` and falling back to `http/1.1` against an HTTPS host on port 443: `openssl s_client -connect www.example.re:443 -alpn h2,http/1.1` When the server supports HTTP/2, the handshake output reports the agreed protocol: `ALPN protocol: h2` The `h2` result confirms both sides settled on HTTP/2 during the TLS handshake. A server limited to HTTP/1.1 would instead report `ALPN protocol: http/1.1`, and a server offering nothing from the list would close the connection with a `no_application_protocol` alert. See also RFC 7301: TLS Application-Layer Protocol Negotiation Extension IANA TLS ALPN Protocol IDs Registry HTTPS Protocol upgrade Alt-Svc HTTP/1.1 HTTP/2 HTTP/3 HTTP connection management HTTP headers Last updated: June 5, 2026 HTTP Status Tester Test live and from different countries the HTTP responses, redirect chains and status codes of one or multiple URLs. Try it now! About the author Fili Technical SEO Consultant Fili is a former Google Search Engineer, and currently a Technical SEO Consultant at Search Brothers Status HTTP Status Codes overview 100 Continue 101 Switching Protocols 102 Processing 103 Early Hints 200 OK 201 Created 202 Accepted 203 Non-Authoritative Information 204 No Content 205 Reset Content 206 Partial Content 207 Multi-Status 208 Already Reported 218 This is fine 226 IM Used 300 Multiple Choices 301 Moved Permanently 302 Found 303 See Other 304 Not Modified 305 Use Proxy 306 Switch Proxy 307 Temporary Redirect 308 Permanent Redirect 400 Bad Request 401 Unauthorized 402 Payment Required 403 Forbidden 404 Not Found 405 Method Not Allowed 406 Not Acceptable 407 Proxy Authentication Required 408 Request Timeout 409 Conflict 410 Gone 411 Length Required 412 Precondition Failed 413 Content Too Large 414 URI Too Long 415 Unsupported Media Type 416 Range Not Satisfiable 417 Expectation Failed 418 I'm a teapot 419 Page Expired 420 Method Failure or Enhance your calm 421 Misdirected Request 422 Unprocessable Content 423 Locked 424 Failed Dependency 425 Too Early 426 Upgrade Required 428 Precondition Required 429 Too Many Requests 430 Security Rejection 431 Request Header Fields Too Large 440 Login Time-out 444 No Response 449 Retry With 450 Blocked by Windows Parental Controls 451 Unavailable For Legal Reasons 460 Client closed connection prematurely 463 Too many forwarded IP addresses 464 Incompatible protocol 470 Request Denied 492 User Access Forbidden 493 Unsupported Browser 494 Request header too large 495 SSL Certificate Error 496 SSL Certificate Required 497 HTTP Request Sent to HTTPS Port 498 Invalid Token 499 Token Required or Client Closed Request 500 Internal Server Error 501 Not Implemented 502 Bad Gateway 503 Service Unavailable 504 Gateway Timeout 505 HTTP Version Not Supported 506 Variant Also Negotiates 507 Insufficient Storage 508 Loop Detected 509 Bandwidth Limit Exceeded 510 Not Extended 511 Network Authentication Required 520 Web Server Is Returning an Unknown Error 521 Web Server Is Down 522 Connection Timed Out 523 Origin Is Unreachable 524 A Timeout Occurred 525 SSL Handshake Failed 526 Invalid SSL Certificate 527 Railgun Listener to Origin 529 The Service Is Overloaded 530 Site Frozen 531 Upstream Connection Error 532 Response Too Large 533 Upstream TLS Error 534 Application Error 535 Unknown Application 536 HTTP Response Timeout 537 DNS Resolution Error 538 Request Loop 539 Serverless Timeout 540 Temporarily Disabled 541 Out of Workers 542 Database Error / Header Overflow 543 Communication Error / Upstream Timeout 544 Management Error / Invalid Host Header 545 Authentication Error / Component Not Ready 546 Unknown Application / TLS Error 547 No HTTP Response 548 Invalid Response / DNS Resolution Error 549 Authentication Gateway Error / Application Crash 552 Application Unreachable 553 Directory Service Error 554 Authentication Token Error 555 Application Does Not Support Kerberos 556 Unexpected Authentication Challenge 557 KDC Unreachable 558 Connection Limit Stop 559 Connection Limit Stop 561 Unauthorized 562 Credential Error 598 Network Read Timeout Error 599 Network Connect Timeout Error 600 Invalid Headers 893 Load Balancing Overflow 999 Request Denied Headers HTTP Headers overview A-IM Accept Accept-CH Accept-CH-Lifetime Accept-Charset Accept-Datetime Accept-Encoding Accept-Language Accept-Patch Accept-Post Accept-Ranges Accept-Signature Access-Control-Allow-Credentials Access-Control-Allow-Headers Access-Control-Allow-Methods Access-Control-Allow-Origin Access-Control-Expose-Headers Access-Control-Max-Age Access-Control-Request-Headers Access-Control-Request-Method Age Akamai-GRN Allow Alt-Svc Alt-Used Authentication-Info Authorization Available-Dictionary Cache-Control Cache-Group-Invalidation Cache-Groups Cache-Status Capsule-Protocol CDN-Cache-Control CDN-Loop Cf-Cache-Status Cf-Edge-Cache Cf-Mitigated Cf-Ray Clear-Site-Data Client-Cert Client-Cert-Chain Connection Content-Digest Content-Disposition Content-Encoding Content-Language Content-Length Content-Location Content-MD5 Content-Range Content-Security-Policy Content-Security-Policy-Report-Only Content-Type Cookie Critical-CH Cross-Origin-Embedder-Policy Cross-Origin-Embedder-Policy-Report-Only Cross-Origin-Opener-Policy Cross-Origin-Opener-Policy-Report-Only Cross-Origin-Resource-Policy Date Delta-Base Deprecation Device-Memory Dictionary-ID Digest DNT Document-Isolation-Policy Document-Isolation-Policy-Report-Only Document-Policy Downlink DPoP DPoP-Nonce Early-Data ECT Edge-Control ETag Expect Expect-CT Expires Feature-Policy Forwarded From GLB-X-Seen-By Host Host-Header HTTP2-Settings If-Match If-Modified-Since If-None-Match If-Range If-Unmodified-Since IM Incremental Keep-Alive Last-Event-ID Last-Modified Link Link-Template Location Max-Forwards Memento-Datetime MIME-Version NEL No-Vary-Search Onion-Location Origin Origin-Agent-Cluster Origin-Trial P3P Panel Permissions-Policy Ping-From Ping-To Platform Powered-By Pragma Prefer Preference-Applied Priority Proxy-Authenticate Proxy-Authentication-Info Proxy-Authorization Proxy-Status Public-Key-Pins Public-Key-Pins-Report-Only Purpose Range RateLimit RateLimit-Limit RateLimit-Policy RateLimit-Remaining RateLimit-Reset Referer Referrer-Policy Refresh Replay-Nonce Report-To Reporting-Endpoints Repr-Digest Request-Context Retry-After RTT Save-Data Sec-CH-Prefers-Color-Scheme Sec-CH-Prefers-Reduced-Motion Sec-CH-UA Headers Sec-CH-UA-Arch Sec-CH-UA-Bitness Sec-CH-UA-Full-Version-List Sec-CH-UA-Mobile Sec-CH-UA-Model Sec-CH-UA-Platform Sec-CH-UA-Platform-Version Sec-Fetch-Dest Sec-Fetch-Mode Sec-Fetch-Site Sec-Fetch-User Sec-GPC Sec-Purpose Sec-Speculation-Tags Sec-WebSocket-Accept Sec-WebSocket-Extensions Sec-WebSocket-Key Sec-WebSocket-Protocol Sec-WebSocket-Version Server Server-Timing Set-Cookie Shopify-Complexity-Score Signature Signature-Agent Signature-Input SourceMap Speculation-Rules Strict-Transport-Security Sunset Supports-Loading-Mode Surrogate-Control Surrogate-Key TE Timing-Allow-Origin Traceparent Traceresponse Tracestate Trailer Transfer-Encoding Upgrade Upgrade-Insecure-Requests Use-As-Dictionary User-Agent Vary Via Want-Content-Digest Want-Digest Want-Repr-Digest Warning WWW-Authenticate X-AC X-Adblock-Key X-Akamai-Transformed X-Amz-Cf-Id X-Amz-Cf-Pop X-Amz-Id-2 X-Amz-Request-Id X-Amz-Server-Side-Encryption X-Amz-Version-Id X-Amzn-RequestId X-Amzn-Trace-Id X-AspNet-Version X-AspNetMvc-Version X-Azure-Ref X-B3-TraceId X-Cache X-Cache-Group X-Cache-Hits X-Cache-Miss-From X-Cache-Status X-Cacheable X-CDN X-Clacks-Overhead X-Cloud-Trace-Context X-Content-Security-Policy X-Content-Type-Options X-ContextId X-Correlation-Id X-DC X-DNS-Prefetch-Control X-Domain X-Download-Options X-Drupal-Cache X-Drupal-Dynamic-Cache X-Envoy-Upstream-Service-Time X-Fastly-Request-Id X-FB-Debug X-Forwarded-For X-Forwarded-Host X-Forwarded-Proto X-Frame-Options X-Generator X-GitHub-Request-Id X-Hacker X-Host X-IInfo X-IPLB-Instance X-IPLB-Request-Id X-LiteSpeed-Cache X-LiteSpeed-Cache-Control X-LiteSpeed-Tag X-Matched-Path X-Meta-Site-Id X-Middleware-Rewrite X-MS-Request-Id X-Nextjs-Cache X-Nextjs-Prerender X-Nextjs-Stale-Time X-Nf-Request-Id X-Pcrew-Blocked-Reason X-Pcrew-Ip-Organization X-Permitted-Cross-Domain-Policies X-Pingback X-Powered-By X-Proxy-Cache X-RateLimit-Limit X-RateLimit-Remaining X-RateLimit-Reset X-Real-IP X-Redirect X-Redirect-By X-Request-ID X-Robots-Tag X-Runtime X-Seen-By X-Served-By X-ShardId X-ShopId X-SiteId X-Sorting-Hat-PodId X-Sorting-Hat-ShopId X-Storefront-Renderer-Rendered X-Sucuri-Id X-Timer X-Turbo-Charged-By X-UA-Compatible X-Varnish X-Vercel-Cache X-Vercel-Id X-Version X-WebKit-CSP X-Wix-Cache-Control X-Wix-Request-Id X-WS-RateLimit-Limit X-WS-RateLimit-Remaining X-XSS-Protection Methods HTTP Methods overview CONNECT DELETE GET HEAD OPTIONS PATCH POST PRI PUT QUERY TRACE HTTP Testing Tools HTTP Status Tester HTTP Compression Check HTTP Caching Check HTTP/2 Check HTTP/3 Check HTTP Response API URL Parse API Content-Type Check HTTP Specifications HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/3 Application-Layer Protocol Negotiation (ALPN) HTTP Authentication Binary HTTP HTTP Caching Canonical URLs Client Hints HTTP Compression HTTP Conditional Requests CONNECT-TCP HTTP Content Negotiation HTTP Cookies Cross-Origin Resource Sharing (CORS) Data URLs HTTP Explained Hreflang HTTP Strict Transport Security HTTP Connection Management HyperText Transfer Protocol Secure (HTTPS) HyperText Transfer Protocol (HTTP) MASQUE HTTP Media Types Oblivious HTTP Origins Percent-Encoding Problem Details for HTTP APIs HTTP Protocol Upgrade Mechanism Punycode QUIC HTTP Range Requests HTTP Redirections HTTP Request Resource Hints HTTP Response A Typical HTTP Session Soft 404s HTTP Streaming HTTP Structured Fields Uniform Resource Identifier (URI) Uniform Resource Locator (URL) Uniform Resource Name (URN) WebDAV Well-Known URIs WHEP (WebRTC-HTTP Egress Protocol) WHIP (WebRTC-HTTP Ingestion Protocol) WebSocket WebSocket Secure (wss://) Made with ♥ by Technical SEO Consultant Fili © 2022 - 2026 Licensed under CC BY-NC-ND 4.0

http/1.1

QUIC where TLS 1.3 is built into the transport, so ALPN is part of the QUIC handshake rather than a separate TLS layer.

The registry also holds historical identifiers such as spdy/1, spdy/2, and spdy/3 from the protocol that preceded HTTP/2.

Relationship to HTTP/2 and HTTP/3

ALPN is the standard way clients and servers select an HTTP version over a secure connection. HTTP/2 over TLS is negotiated almost entirely through ALPN using the h2 identifier, which replaced the cleartext upgrade path the original HTTP/2 specification once described.

HTTP/3 depends on ALPN for protocol identification inside the QUIC handshake, using the h3 token. A client typically learns that a server speaks HTTP/3 through an Alt-Svc advertisement or an HTTPS DNS record, then opens a QUIC connection where ALPN confirms h3. This differs from the HTTP/1.1 protocol upgrade mechanism, which switches protocols on an already open cleartext connection. ALPN instead settles the protocol while the secure channel is being built.

Example

The negotiated protocol is visible with openssl s_client, which prints the ALPN result after the handshake. The -alpn flag sends the listed identifiers in the ClientHello, and the server's choice appears in the output.

A client offering h2 and falling back to http/1.1 against an HTTPS host on port 443:

openssl s_client -connect www.example.re:443 -alpn h2,http/1.1

When the server supports HTTP/2, the handshake output reports the agreed protocol:

ALPN protocol: h2

The h2 result confirms both sides settled on HTTP/2 during the TLS handshake. A server limited to HTTP/1.1 would instead report ALPN protocol: http/1.1, and a server offering nothing from the list would close the connection with a no_application_protocol alert.