Public API with OAuth2, JWT & API Key Authentication

A real auth-protected API you can practice against. Get a JWT, exchange OAuth2 client credentials, send an API key — all flows are live and free. No signup needed (the sandbox issues credentials on demand).

Three auth flows, one sandbox

1. JWT (username + password → Bearer token)

curl -X POST https://demo.totalshiftleft.ai/auth/token \
  -H "Content-Type: application/json" \
  -d '{"username":"demo","password":"demo"}'

# → { "access_token": "eyJhbGc...", "expires_in": 3600 }

Then call protected endpoints:

curl https://demo.totalshiftleft.ai/api/v1/me \
  -H "Authorization: Bearer eyJhbGc..."

2. OAuth2 client-credentials

curl -X POST https://demo.totalshiftleft.ai/auth/oauth \
  -d "grant_type=client_credentials&client_id=demo&client_secret=demo-secret"

3. API key (header)

curl https://demo.totalshiftleft.ai/api/v1/products \
  -H "x-api-key: demo-key-sandbox-2024"

What you can practice

Same auth works across REST, GraphQL and SOAP

Get a JWT once, then pass Authorization: Bearer ... to /api/v1/*, /graphql, or /soap — same identity, three protocols.

Frequently asked questions

Are the credentials really public?

Yes, the sandbox issues demo credentials on request. Treat tokens as throwaway — they only work against demo.totalshiftleft.ai.

Does this support refresh tokens?

Yes. POST /auth/token returns a refresh_token; POST /auth/refresh swaps it for a new access_token.

Can I test OAuth2 authorization-code flow?

Currently client-credentials only. Authorization-code with PKCE is on the roadmap.

How do I test for security bugs (OWASP)?

The sandbox includes intentional auth edge cases: try fetching another user's record by ID, sending an expired token, or omitting scopes — and observe how the API responds.
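An added example (not part of the sandbox's documentation or code): before sending an expired or under-scoped token, decode its claims locally so you know which refusal a correctly implemented API should return, and can tell a real authorization gap from a token that was simply still valid. The space-delimited `scope` claim, the scope names, and the sample token are assumptions constructed for illustration; the sandbox's actual claim layout is not given on this page.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def expected_rejections(token: str, required_scopes=(), now=None) -> list:
    """List the reasons a correctly implemented API should refuse this token."""
    claims = read_claims(token)
    now = time.time() if now is None else now
    reasons = []
    exp = claims.get("exp")  # RFC 7519 expiry, seconds since the epoch
    if not isinstance(exp, (int, float)):
        reasons.append("no exp claim")
    elif now >= exp:
        reasons.append("expired")
    # Assumption: scopes travel in a space-delimited "scope" claim.
    granted = set(str(claims.get("scope", "")).split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        reasons.append("missing scope: " + " ".join(missing))
    return reasons


def make_sample_token(claims: dict) -> str:
    # Constructed sample with a placeholder signature so the example runs offline.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    stale = make_sample_token({"sub": "demo", "exp": 1_700_000_000, "scope": "products:read"})
    print(expected_rejections(stale, required_scopes=["orders:read"], now=1_700_003_600))
```

An empty list means the token should be accepted, so any refusal (or any acceptance when the list is non-empty) is the behavior worth recording.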
