Fetch issuer directory
The starting point: load an issuer's keys and endpointsWhat's this?
Give it an issuer's directory
URL and it fetches the issuer's configuration (the token types it supports, its public
keys, and where to send token requests), then checks the response is well formed. Whatever
it finds pre-fills the actions below. The URL should normally end with
/.well-known/private-token-issuer-directory, though that isn't
enforced here.
Next steps: Validate public key & Create challenge
Validate public key
Check an issuer key imports and is well formedWhat's this?
Takes one of the issuer's public keys and checks that your browser can import it, showing its ASN.1 structure so you can confirm it's well formed. A quick sanity check on a key before you rely on it. Currently supports type 2 (blind RSA) keys, encoded as in the spec.
Create challenge
Build a challenge from the issuer's key(s)What's this?
Builds a Privacy Pass challenge from the issuer's key. A challenge is what an origin sends a client to ask for a token, so this is useful whether you want to hand one off or feed it straight into a token request. You can supply up to three issuers at once.
Next steps: Inspect challenge, Trigger origin challenge & Send token request
Inspect challenge
Decode a challenge header into readable fieldsWhat's this?
Decodes a WWW-Authenticate challenge into readable fields: token
type, issuer name, origin, redemption context, key ID, and max age. Handy for understanding
a challenge you just created, or one you paste in straight from a browser's network tab.
Works on its own; you don't need to fetch an issuer first.
Trigger origin challenge
See how your platform responds to a challengeWhat's this?
Asks the local server to issue a challenge with this header, which exercises your device or platform's own Privacy Pass implementation. Use it to see how the platform you're on actually responds. Behavior varies between operating systems and browsers.
Send token request
The full round-trip: request a token and check itWhat's this?
Sends the token request to the issuer and checks the token that comes back against the issuer's public key, trying both the current (draft 16) and legacy (draft 2) protocols. This is the full round-trip, so it's the quickest way to confirm an issuer is actually issuing valid tokens. It only works if your machine can reach the issuer.
Next steps: Inspect token & Verify token
Inspect token
Decode a token header into its partsWhat's this?
Decodes an Authorization token into its parts: token type, key
ID, nonce, challenge digest, and authenticator. Works on a token produced here, or one you
paste in from a captured request. Works on its own; you don't need to fetch an issuer
first.
Verify token
Confirm a token is valid for an issuer keyWhat's this?
Checks that a token is cryptographically valid for a given issuer public key. Use it to confirm a token you received genuinely matches the issuer it claims to come from.