Privacy Pass Demo Tool

A browser-based tool for testing Privacy Pass issuers and tokens. Work the flow on the left; results appear on the right. Start by fetching an issuer directory, and the actions it unlocks open automatically as you go.

Fetch issuer directory

The starting point: load an issuer's keys and endpoints
What's this?

Give it an issuer's directory URL and it fetches the issuer's configuration (the token types it supports, its public keys, and where to send token requests), then checks the response is well formed. Whatever it finds pre-fills the actions below. The URL should normally end with /.well-known/private-token-issuer-directory, though that isn't enforced here.

Next steps: Validate public key & Create challenge

Validate public key

Check an issuer key imports and is well formed
What's this?

Takes one of the issuer's public keys and checks that your browser can import it, showing its ASN.1 structure so you can confirm it's well formed. A quick sanity check on a key before you rely on it. Currently supports type 2 (blind RSA) keys, encoded as in the spec.

Create challenge

Build a challenge from the issuer's key(s)
What's this?

Builds a Privacy Pass challenge from the issuer's key. A challenge is what an origin sends a client to ask for a token, so this is useful whether you want to hand one off or feed it straight into a token request. You can supply up to three issuers at once.

Issuer 1 (required)

Issuer 2 (optional)

Issuer 3 (optional)

Next steps: Inspect challenge, Trigger origin challenge & Send token request

Inspect challenge

Decode a challenge header into readable fields
What's this?

Decodes a WWW-Authenticate challenge into readable fields: token type, issuer name, origin, redemption context, key ID, and max age. Handy for understanding a challenge you just created, or one you paste in straight from a browser's network tab. Works on its own; you don't need to fetch an issuer first.

Trigger origin challenge

See how your platform responds to a challenge
What's this?

Asks the local server to issue a challenge with this header, which exercises your device or platform's own Privacy Pass implementation. Use it to see how the platform you're on actually responds. Behavior varies between operating systems and browsers.

Send token request

The full round-trip: request a token and check it
What's this?

Sends the token request to the issuer and checks the token that comes back against the issuer's public key, trying both the current (draft 16) and legacy (draft 2) protocols. This is the full round-trip, so it's the quickest way to confirm an issuer is actually issuing valid tokens. It only works if your machine can reach the issuer.

Next steps: Inspect token & Verify token

Inspect token

Decode a token header into its parts
What's this?

Decodes an Authorization token into its parts: token type, key ID, nonce, challenge digest, and authenticator. Works on a token produced here, or one you paste in from a captured request. Works on its own; you don't need to fetch an issuer first.

Verify token

Confirm a token is valid for an issuer key
What's this?

Checks that a token is cryptographically valid for a given issuer public key. Use it to confirm a token you received genuinely matches the issuer it claims to come from.