I think you've just described a protocol ;)

Yes it could be in higher layer than what I suggested indeed, on top of HTTP sounds good to me.

My rule of thumb is that it should work with curl (which makes it not antibots, but just anti scrapper & ddos, which is what I have a problem with)

Ah yeah sloppy wording on my part. I think it should ideally be its own protocol built on top as opposed to integrated into an existing one. Integration is good but mandatory complexity and tight coupling not so much.

I'd much prefer for this to be standardised rather than an ad-hoc layer on top of what we have. Our protocols are already complex, and at least what we would be doing is moving that complexity somewhere where it can be handled more conveniently.

It would still be standardized. Anyone who wanted to support it would. Those who didn't want to support it wouldn't be burdened. And it could then evolve on its own, gaining variants for layering it on additional underlying protocols.

It's basic separation of responsibilities. It's helpful for reuse but also innovation. For example, the auth scheme baked in to HTTP is pretty much stuck in time and not very useful. We'd likely be better off if it wasn't tightly coupled to something unrelated like that. If I were implementing an HTTP stack I'd want to omit it, but that would make me noncompliant.