hub · compare

/oauth-token

well-formed RFC 6749 token response — expires_in as integer, scope space-delimited, token_type Bearer, refresh_token present. Cache-Control: no-store.

chaos chaos.catastrophic.io

GET /oauth-token

Returns RFC 6749 §5.1 token responses with schema violations. Default returns `expires_in` as a string instead of an integer. Use ?mode= to isolate other violations: comma-delimited scope, nonstandard token_type, or id_token without the openid scope.

modes: expires-in-type-shift scope-delimiter-wrong token-type-nonstandard id-token-without-scope

full chaos docs →

control not.catastrophic.io

GET /oauth-token

well-formed RFC 6749 token response — expires_in as integer, scope space-delimited, token_type Bearer, refresh_token present. Cache-Control: no-store.

full control docs →

Build against not.catastrophic.io/oauth-token, then flip the hostname to chaos.catastrophic.io to exercise the chaos.