El usuario inicia el login en la aplicación cliente.
Each flow is drawn as a sequence diagram: the actors (user, client, servers) are columns and the messages are arrows over time. Press Play or ⏭ to step through it.
Change the client_id, redirect_uri, scope, credentials, etc. and the diagram regenerates. Click any arrow to inspect the real HTTP request and its explanation.
Basic (username:password in Base64), Bearer/JWT, Authorization Code, Code + PKCE (recommended today), Implicit (legacy), Client Credentials (machine-to-machine), Device Code (TVs/CLI) and Refresh Token (renew without re-login).
On any step with an HTTP request you can copy it as a curl command to replay it in your terminal. If the step carries a JWT, open it in the JWT decoder to inspect its header and payload.
Enable an attack to see an Attacker actor and the malicious steps (in red): credential sniffing, alg:none, code interception without PKCE, CSRF from a missing state. Toggle the mitigation and the attack is neutralized (in green), showing why it fails.
On the Compare tab you pick a flow on each side (or a preset pair) and they are drawn together. Equivalent steps line up on the same row (same /authorize, same /token…) so the difference stands out, and a summary lists which params and actors each one adds. Click any arrow to inspect it.
The Tools tab gathers practical OAuth utilities, all in the browser: generate and verify PKCE pairs (S256), build a copy-ready /authorize URL and parse a callback URL (extracts code/state or the fragment tokens and detects errors).
El usuario inicia el login en la aplicación cliente.