API Authentication Testing Sandbox

Configure any authentication scheme in your favourite tool — Shift-Left API, Postman, RestAssured, Bruno, Karate, SoapUI, APIDog, Tricentis, etc. — point it at the matching protected endpoint, and get an instant pass/fail. 17 schemes, one diagnostic endpoint each. Free, no signup.

How it works

Every scheme has a diagnostic protected endpoint at /auth/protected/{scheme}. Send credentials the way the scheme expects:

Browse the machine-readable catalog (demo credentials + per-tool notes for all schemes) at GET /auth/methods.

Supported schemes

Scheme           | Endpoint                        | How to send
No Auth          | /auth/protected/none            | nothing
API Key (header) | /auth/protected/apikey-header   | x-api-key: demo-key-sandbox-2026
API Key (query)  | /auth/protected/apikey-query    | ?api_key=demo-key-sandbox-2026
Bearer / JWT     | /auth/protected/bearer          | Authorization: Bearer <token>
API Key + Bearer | /auth/protected/apikey-bearer   | both of the above
Basic            | /auth/protected/basic           | alice@demo.com / alice123
Digest           | /auth/protected/digest          | alice@demo.com / alice123
OAuth 2.0        | /auth/protected/oauth2          | Bearer token from /auth/oauth/token
OAuth 1.0a       | /auth/protected/oauth1          | consumer sandbox-consumer
AWS Signature v4 | /auth/protected/awssigv4        | key AKIDEMO0000000000DEMO
Hawk             | /auth/protected/hawk            | id dh37fgj492je
HMAC (SHA-256)   | /auth/protected/hmac            | key id demo-hmac-key
Custom Header    | /auth/protected/custom-header   | x-api-token: custom-token-sandbox-2026
Query Parameter  | /auth/protected/query-param     | ?access_token=querytoken-sandbox-2026
Cookie / Session | /auth/protected/cookie-session  | POST login → cookie
mTLS (simulated) | /auth/protected/mtls            | X-SSL-Client-Verify: SUCCESS

OAuth 2.0 — all four grants

Token endpoint POST /auth/oauth/token accepts JSON or form-urlencoded and supports:

# client_credentials (machine-to-machine)
curl -X POST https://demo.totalshiftleft.ai/auth/oauth/token \
  -d grant_type=client_credentials -d client_id=sandbox-client -d client_secret=sandbox-secret

# password (resource owner)
curl -X POST https://demo.totalshiftleft.ai/auth/oauth/token \
  -d grant_type=password -d username=alice@demo.com -d password=alice123

# authorization_code + PKCE
#   1) GET /auth/oauth/authorize?response_type=code&client_id=sandbox-client&code_challenge=...&code_challenge_method=S256
#   2) POST /auth/oauth/token grant_type=authorization_code code=... code_verifier=... client_id=sandbox-client

# refresh_token (rotates — the old token is revoked, reuse is detected)
curl -X POST https://demo.totalshiftleft.ai/auth/oauth/token \
  -d grant_type=refresh_token -d refresh_token=<token>

Tool setup guides

Shift-Left API

Our own API testing tool. Open the request's Auth selector, pick the scheme (Basic, Bearer, API Key, OAuth 2.0, OAuth 1.0a, Hawk, AWS Signature, …), paste the demo credentials from /auth/methods, and send to the matching /auth/protected/{scheme} endpoint. Every scheme on this page is testable end-to-end in Shift-Left API.

Postman

Open the Authorization tab on the request and pick the type: Basic Auth, Bearer Token, API Key, Digest Auth, OAuth 2.0, OAuth 1.0, Hawk Authentication or AWS Signature. For OAuth 2.0 set Auth URL /auth/oauth/authorize, Token URL /auth/oauth/token, client sandbox-client/sandbox-secret, and enable PKCE. For HMAC, compute the signature in a Pre-request Script and set x-signature.

REST Assured (Java)

given().auth().preemptive().basic("alice@demo.com","alice123")
  .when().get("/auth/protected/basic").then().statusCode(200);

given().header("x-api-key","demo-key-sandbox-2026")
  .when().get("/auth/protected/apikey-header").then().statusCode(200);

Bruno

Use the Auth dropdown per request (Basic, Bearer, API Key, Digest, OAuth2). For signature schemes, add headers via a pre-request script.

Karate

Given url 'https://demo.totalshiftleft.ai/auth/protected/bearer'
And header Authorization = 'Bearer ' + token
When method get
Then status 200

SoapUI

On the request, set Auth → Basic or Digest. SoapUI is ideal for the Digest challenge/response handshake and for SOAP-style enterprise auth.

APIDog / Tricentis

Both expose an auth-type selector equivalent to Postman's. Pick the scheme, paste the demo credentials from /auth/methods, and send to the matching /auth/protected/{scheme} endpoint.

A note on the signature schemes

HMAC, AWS SigV4, Hawk and OAuth 1.0a depend on the server seeing the exact bytes you signed. This sandbox sits behind a TLS-terminating reverse proxy, so the robust HMAC scheme signs a simple server-defined canonical string — METHOD\nPATH\nTIMESTAMP\nsha256hex(body) — that survives proxy normalisation. The full AWS/Hawk/OAuth1 schemes are implemented faithfully for learning, but header normalisation by an intermediary can affect them. mTLS is simulated via proxy-forwarded headers (X-SSL-Client-Verify), not a real client-certificate handshake.

Frequently asked questions

Do I need to sign up or get an API key?

No. Every credential is public and printed at /auth/methods. Tokens only work against demo.totalshiftleft.ai.

Which tools does this work with?

Any HTTP client with an auth picker — Shift-Left API, Postman, RestAssured, Bruno, Karate, SoapUI, APIDog, Tricentis, Insomnia, and curl.

How do I know my tool is configured correctly?

Hit /auth/protected/{scheme}. A 200 returns the identity you authenticated as; a 401 returns a specific reason explaining exactly what was missing or wrong.

Is the mTLS test real?

No — it is simulated. The app runs behind a proxy that terminates TLS, so it checks the X-SSL-Client-Verify / X-SSL-Client-S-DN headers an nginx mTLS setup would forward. It teaches the pattern without a real client-certificate handshake.

Does OAuth2 support PKCE and refresh-token rotation?

Yes. The authorization_code grant verifies the PKCE S256 challenge, and refresh tokens rotate on every use with reuse detection.

Ready to try it?

Open the live sandbox — REST, GraphQL, SOAP and auth in one place. No signup, no API key.
