PostQuantum.Jwt / live production-shape demo

Two real services on Azure Container Apps. IssuerApi mints ML-DSA-65-signed (and optionally X-Wing-encrypted) tokens. OrdersApi validates them fail-closed against a JWKS-equivalent it polls, a Redis-backed replay cache it owns, and a typed failure-reason taxonomy that never silently downgrades. Click a numbered step on the left and watch the full chain run — issue, decode, validate, replay-reject, tamper-reject, key-rotate.

The tour — 8 steps
Reading the output: each step shows the verdict pill, the actual JOSE shape we sent or got back (decoded from base64url where possible), and a one-paragraph explanation of which security property the step proved. The state sidebar on the right updates live.
What just happened
Click any step to see the validator's reasoning, the typed PqJwtFailureReason on a rejection, and the wire-level evidence.