v0.2 protocol · Mode B · live demonstration

The replay cache, in your browser.

Click Mint Mode B bundle. The demo issuer generates an ephemeral Ed25519 keypair, embeds the public key in the passport's cnf.jwk.x claim, and signs a canonical RFC 9421 request with the matching private key. Click Verify (1st time): the verifier consults a global Cloudflare Durable Object, marks the (jti, signature) pair as seen, returns allow. Click Verify (2nd time): the DO sees the same pair, returns deny · replay_detected. Real protocol, no animation.

Spec § replay-cache  ·  verifier/src/replay.ts
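
The check-then-record behaviour described above, as an added example (not the project's verifier/src/replay.ts): an in-memory Map stands in for Durable Object storage, and the expiresAtMs parameter and the "expired" reason are assumptions that do not come from this page.

```typescript
// Added illustration: an in-memory Map stands in for Durable Object storage.
// verdict / replay_checked / failure_reason / replay_detected are the demo's
// field names; expiresAtMs and the "expired" reason are assumptions.
type Verdict = {
  verdict: "allow" | "deny";
  replay_checked: boolean;
  failure_reason?: string;
};

class ReplayCache {
  // cache key -> time (ms) after which the signed request is no longer valid
  private seen = new Map<string, number>();

  // Length-prefix the jti so ("a|b", "c") and ("a", "b|c") get different keys.
  static key(jti: string, sig: string): string {
    return `${jti.length}:${jti}|${sig}`;
  }

  // Lookup and record happen in one synchronous step, so two concurrent
  // copies of the same request cannot both observe "not seen".
  checkAndRecord(jti: string, sig: string, expiresAtMs: number, nowMs: number): Verdict {
    // Forget entries whose requests have expired: they are rejected on
    // expiry alone, so dropping them does not reopen a replay window.
    this.seen.forEach((exp, k) => {
      if (exp <= nowMs) this.seen.delete(k);
    });
    if (expiresAtMs <= nowMs) {
      return { verdict: "deny", replay_checked: false, failure_reason: "expired" };
    }
    const k = ReplayCache.key(jti, sig);
    if (this.seen.has(k)) {
      return { verdict: "deny", replay_checked: true, failure_reason: "replay_detected" };
    }
    this.seen.set(k, expiresAtMs);
    return { verdict: "allow", replay_checked: true };
  }
}

// Constructed sample: the same (jti, sig) pair presented twice.
function demo(): Verdict[] {
  const cache = new ReplayCache();
  const jti = "demo-jti-0001"; // constructed value
  const sig = "c2FtcGxlLXNpZw"; // constructed value, not a real signature
  return [
    cache.checkAndRecord(jti, sig, 60000, 1000),
    cache.checkAndRecord(jti, sig, 60000, 2000),
  ];
}
```

The cache entry is kept until the request's own expiry, so evicting it never makes a still-valid signed request replayable.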

The pattern, animated

Before you click Mint below, here's the full lifecycle in seven steps — from key generation through Durable Object lookup. Same shape as the live demo. Click Play.

Scenario: Mode B requests carry an RFC 9421 signature bound to a specific URL + body. If an attacker replays the same signed request, the verifier's Durable Object replay cache catches it. Second attempt: replay_detected.
Diagram: Agent (Mode B) sends passport + signed request to the Verifier (RFC 9421 sig check), which consults the Replay cache (DO): stores (jti, sig), global single-instance. Adversary captures + replays.
Request #1: record (jti, sig). #1: allow, replay_checked=true
Request #2 (replay): lookup (jti, sig). #2: deny, failure_reason: replay_detected
1 Mint: jti, cnf.jwk.x, sig
2 Verify #1: verdict, replay_checked, elapsed_ms, reason
3 Verify #2: verdict, replay_checked, elapsed_ms, reason