Lab
Interactive explainers of the systems I work with — operate them, don't just read about them.
§01 · OAuth 2.0 + PKCE
At Aquaview I built a production OAuth2/OIDC identity provider from scratch. This is the authorization-code flow it implements — step through it, and toggle PKCE off to see the code-interception attack it defends against.
Authorization Code + PKCE (interactive step-through, 9 steps; lanes: Browser, Client, Auth Server, API)
code_verifier  = base64url( random(32) )
code_challenge = base64url( sha256(code_verifier) )
method = S256
§02 · Rate limiting
Hardening APIs at Illumibot meant keeping callers from overwhelming a service. A token bucket is the classic shape: tokens refill at a fixed rate, each request spends one, and an empty bucket returns 429. Hammer it.
Token Bucket (interactive demo): cap 10 · refill 2/s
[██████████] 10 / 10 tokens
0 ok · 0 429
Click send — fast. Watch the bucket drain and the 429s start.
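The same bucket in code, as an added example that is not the Illumibot implementation: capacity 10, refill 2 tokens per second, one bucket per caller, and a 429 with a `Retry-After` hint when the bucket is empty. The clock is passed in explicitly so the drain and refill can be reproduced deterministically; the `RateLimiter` class and the `client_id` keying are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    capacity: float
    refill_per_sec: float
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.capacity)  # a new bucket starts full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        # Lazy refill: credit the tokens earned since the last call, capped at capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill_per_sec)
        self.last = max(self.last, now)

    def try_acquire(self, now: float, cost: float = 1.0) -> bool:
        self._refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def seconds_until(self, cost: float = 1.0) -> float:
        # How long a caller should wait before `cost` tokens will be available.
        deficit = cost - self.tokens
        return 0.0 if deficit <= 0 else deficit / self.refill_per_sec


class RateLimiter:
    """Hypothetical per-caller limiter: one bucket per client_id, created on first sight."""

    def __init__(self, capacity: int = 10, refill_per_sec: float = 2.0) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._buckets: dict[str, TokenBucket] = {}

    def handle(self, client_id: str, now: float) -> tuple[int, float]:
        """Returns (HTTP status, retry_after_seconds); 200 spends one token, 429 spends none."""
        bucket = self._buckets.get(client_id)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_sec)
            bucket.last = now
            self._buckets[client_id] = bucket
        if bucket.try_acquire(now):
            return 200, 0.0
        return 429, bucket.seconds_until()


def hammer(limiter: RateLimiter, client_id: str, times: list[float]) -> tuple[int, int]:
    """Replays requests at the given timestamps; returns (ok_count, rejected_count)."""
    ok = rejected = 0
    for t in times:
        status, _ = limiter.handle(client_id, t)
        if status == 200:
            ok += 1
        else:
            rejected += 1
    return ok, rejected


if __name__ == "__main__":
    # Constructed burst: 15 requests at t=0, then 3 more one second later.
    lim = RateLimiter()
    print(hammer(lim, "demo", [0.0] * 15))   # 10 ok, 5 rejected
    print(hammer(lim, "demo", [1.0] * 3))    # 2 ok (refilled), 1 rejected
```

Two details matter in practice: a rejected request must not consume a token (otherwise a flood keeps the bucket pinned at zero for well-behaved retries too), and the bucket should be keyed by something the caller cannot trivially change, such as an authenticated client id rather than a header the caller controls.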