Protocol Explorer
X-ray vision for network authentication protocols. Pick a scenario, step through the requests, and watch the cryptographic math at every single hop.
Each protocol is a self-contained explorer with annotated sequence diagrams and a step-by-step breakdown of the cryptographic signatures.
OAuth 1.0a
RFC 5849 ↗Three-legged authorization protocol using HMAC-SHA1 signed requests. Consumer obtains temporary credentials, user grants access, consumer exchanges for access token.
AWS SigV4
AWS Docs ↗AWS Signature Version 4 protocol for authenticating API requests. Features a 4-step signing process deriving a scope-limited signing key from the AWS secret access key.
OAuth 2.0
RFC 6749 ↗The industry-standard authorization framework. Explore the foundational Authorization Code grant with PKCE, Device Authorization for CLIs and IoT, advanced DPoP token binding, and token exchange patterns.
OpenID Connect
OIDC Core 1.0 ↗The identity layer on top of OAuth 2.0. Where OAuth answers 'what can this client do?', OIDC answers 'who is this user?'. Introduces the ID Token, nonce, at_hash binding, and the UserInfo endpoint.
HTTP Signatures
RFC 9421 ↗A powerful mechanism for creating and verifying digital signatures over HTTP messages, protecting integrity and authenticity of headers and payloads.
Credential Broker for Agents
draft-hartman-cb4a-00 ↗IETF draft protocol that solves credential sprawl in agentic AI systems. Instead of agents holding long-lived API keys, a Policy Decision Point (PDP) and Credential Delivery Point (CDP) collaborate to issue short-lived, DPoP-bound tokens.
MCP Authorization
MCP Auth Draft ↗The Model Context Protocol Authorization flow utilizing OAuth 2.1, PKCE, and Protected Resource Metadata for secure client-server communication.
Client Instance Assertion
IETF Draft ↗OAuth 2.0 extension enabling ephemeral runtime instances (containers, agents, functions) to be individually authenticated via short-lived JWT instance assertions, with sender-constrained access tokens bound to instance keys. Covers both self-acting (client_credentials) and user-delegation (authorization_code) flows.
AAuth
aauth.dev ↗AAuth is an Agent Authentication protocol designed for programmatic, autonomous agent-to-agent communication.
Provenance Identity Continuity — replaces Proof of Possession with Proof of Continuity. Authority is anchored to an immutable origin principal (p_0) and monotonically restricted at every causal hop, eliminating confused deputy and ambient authority attacks across microservices, federations, and AI agents.
ID-JAG (Xaa)
IETF Draft ↗Identity Assertion Authorization Grant — a cross-trust-domain protocol enabling users to access external services using their internal corporate identity. The internal IdP vouches for the user; the SaaS IdP independently decides whether to grant access.
How it works
Each scenario is a JSON file defining participants, HTTP requests, responses, and cryptographic artifacts. The UI is a media player — use Play/Pause or arrow keys to step through. Click any arrow in the sequence diagram to jump to that step. The right panel shows headers, bodies, and the full HMAC signature breakdown.