Looking Glass
Looking Glass is the primary interface for executing protocol flows. It shows every step of a flow as it happens, with full payload visibility via WebSocket event streaming.
How It Works
- Select a protocol and flow from the sidebar.
- Enter required inputs (varies by flow — could be a client ID, subject, callback URL, or tx_code).
- Execute the flow.
- Watch each step render in real time as the backend emits events.
- Click any step to inspect full request/response payloads, tokens, and validation results.
What You See
Each flow execution produces a timeline of events:
| Event Type | What It Shows |
|---|---|
| flow.step | Major protocol steps (authorization request sent, token exchanged, assertion delivered) |
| token.issued | Token creation with decoded claims |
| token.validated | Token validation results with pass/fail details |
| request.sent | Outbound HTTP requests with headers and body |
| response.received | HTTP responses with status, headers, and body |
| http.exchange | Complete request/response pairs |
| security.warning | Validation failures, missing parameters, spec violations |
| security.info | Successful security checks and confirmations |
| crypto.operation | Key generation, signing, hash verification |
Every event includes an annotation with RFC references (for example “RFC 6749 Section 4.1”) and security context explaining what the step does and why.
Deep-Links and URL State
Looking Glass supports shareable deep-links in the format /looking-glass?protocol=X&flow=Y. These links are generated by the palette search (cmd+K) and the Share button in the flow toolbar.
URL query parameters follow a consume-and-clear lifecycle:
- When a deep-link is opened, the ?protocol= and ?flow= params are read and applied, then removed from the address bar.
- Changing protocol or flow via the UI dropdowns updates the URL to reflect the new selection.
- Resetting or clearing the flow strips query params entirely.
- Navigating away from Looking Glass always results in a clean URL on return.
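
The consume-and-clear lifecycle above, as an added example (not Looking Glass's own code): it treats ?protocol= and ?flow= as untrusted input, checks them against an allow-list, and returns the URL with both params removed. The KNOWN_FLOWS catalogue, the function names and the lab.example origin are assumptions made for illustration.

```javascript
// KNOWN_FLOWS is a constructed allow-list; the real protocol/flow ids are not on this page.
const KNOWN_FLOWS = {
  oauth2: ["authorization_code", "client_credentials"],
  oidc: ["authorization_code"],
};

// Read ?protocol= and ?flow= from a URL, validate them against the allow-list,
// and return the selection plus the URL with both params removed.
function consumeDeepLink(href, catalogue = KNOWN_FLOWS) {
  const url = new URL(href);
  const protocol = url.searchParams.get("protocol");
  const flow = url.searchParams.get("flow");

  // Clear regardless of validity so rejected values do not linger in the address bar.
  url.searchParams.delete("protocol");
  url.searchParams.delete("flow");
  const cleanUrl = url.pathname + url.search + url.hash;

  // An own-property check avoids matching inherited keys such as "constructor".
  const protocolOk =
    protocol !== null && Object.prototype.hasOwnProperty.call(catalogue, protocol);
  const flowOk = protocolOk && flow !== null && catalogue[protocol].includes(flow);

  return {
    selection: protocolOk ? { protocol, flow: flowOk ? flow : null } : null,
    cleanUrl,
  };
}

// Build a shareable link in the /looking-glass?protocol=X&flow=Y format.
function buildDeepLink(origin, protocol, flow) {
  const url = new URL("/looking-glass", origin);
  url.searchParams.set("protocol", protocol);
  url.searchParams.set("flow", flow);
  return url.toString();
}

// Browser wiring (skipped outside a browser): apply once, then rewrite the address bar
// without adding a history entry.
if (typeof window !== "undefined") {
  const { selection, cleanUrl } = consumeDeepLink(window.location.href);
  if (selection) console.log("apply selection", selection);
  window.history.replaceState(null, "", cleanUrl);
}
```
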
When a flow is selected, three icon buttons appear next to the protocol/flow dropdowns:
| Control | What It Does |
|---|---|
| Reset | Resets the current flow execution to its initial state and clears the URL |
| Share | Copies a shareable deep-link for the current protocol and flow to the clipboard |
| Clear | Clears all selections (protocol, flow, tokens, configuration), resets every input field, and strips query params from the URL |
Session Management
Each flow execution creates a Looking Glass session. Sessions are linked to backend processing via:
- The X-Looking-Glass-Session HTTP header
- The lg_session query parameter (used for redirects where headers cannot be set)
You can list active sessions at GET /api/lookingglass/sessions and retrieve a specific session at GET /api/lookingglass/sessions/{id}.
Token Inspector
The built-in token decoder is available at POST /api/lookingglass/decode. It handles:
- JWT access tokens and ID tokens
- SAML assertions
- Security Event Tokens (SETs)
- X.509 certificates
SSF Sandbox
SSF flows use a dedicated sandbox experience instead of the standard Looking Glass timeline. The SSF sandbox provides:
- Stream configuration and management
- CAEP/RISC event transmission and delivery
- Receiver status monitoring with real event processing
- Response action execution and security state tracking
Use Looking Glass for all other protocol families.