Playground.
Five scenarios. Each one fires a real POST /api/agent/checkout against the same pipeline production agents would hit. The token is signed server-side; the response carries every check's verdict. See which one rejects which attack.
The eight-check pipeline
1. Token present
2. Signature valid (HMAC-SHA256, constant-time)
3. Not expired
4. Agent matches caller
5. Scope matches (action + SKU + maxCents)
6. Nonce unused (replay protection)
7. Idempotency-Key check (retry protection)
8. Process charge + revalidateTag
Order is cheapest-first so an attacker spamming junk tokens never touches Redis. The crypto rejects them in ~1ms.