Protocol Explorer
Token Protocol Explorer

X-ray vision for network authentication protocols. Pick a scenario, step through the requests, and watch the cryptographic math at every single hop.

Protocols

Each protocol is a self-contained explorer with annotated sequence diagrams and a step-by-step breakdown of the cryptographic signatures.

OAuth 1.0a

RFC 5849

Three-legged authorization protocol using HMAC-SHA1 signed requests. The consumer obtains temporary credentials, the user grants access, and the consumer exchanges the temporary credentials for an access token.

AWS SigV4

AWS Docs

AWS Signature Version 4 protocol for authenticating API requests. Features a 4-step signing process deriving a scope-limited signing key from the AWS secret access key.

OAuth 2.0

RFC 6749

The industry-standard authorization framework. Explore advanced extension profiles like Proof-of-Possession (DPoP), PKCE, and token exchange.

HTTP Signatures

RFC 9421

A mechanism for creating and verifying digital signatures over HTTP messages, protecting the integrity and authenticity of headers and payloads.

Credential Broker for Agents

draft-hartman-cb4a-00

IETF draft protocol that solves credential sprawl in agentic AI systems. Instead of agents holding long-lived API keys, a Policy Decision Point (PDP) and Credential Delivery Point (CDP) collaborate to issue short-lived, DPoP-bound tokens.

MCP Authorization

MCP Auth Draft

The Model Context Protocol Authorization flow utilizing OAuth 2.1, PKCE, and Protected Resource Metadata for secure client-server communication.

Client Instance Assertion

IETF Draft

OAuth 2.0 extension enabling ephemeral runtime instances (containers, agents, functions) to be individually authenticated via short-lived JWT instance assertions, with sender-constrained access tokens bound to instance keys. Covers both self-acting (client_credentials) and user-delegation (authorization_code) flows.

AAuth is an Agent Authentication protocol designed for programmatic, autonomous agent-to-agent communication.

ID-JAG (Xaa)

IETF Draft

Identity Assertion Authorization Grant — a cross-trust-domain protocol enabling users to access external services using their internal corporate identity. The internal IdP vouches for the user; the SaaS IdP independently decides whether to grant access.

How it works

Each scenario is a JSON file defining participants, HTTP requests, responses, and cryptographic artifacts. The UI works like a media player: use Play/Pause or the arrow keys to step through, or click any arrow in the sequence diagram to jump to that step. The right panel shows headers, bodies, and the full HMAC signature breakdown.