Fake auth and token endpoints

Many clients must complete a token handshake before they call an API. Understudy answers that handshake with a credibly shaped token, so your client proceeds. No real security needed.

A client often must get a token before it will call an API: POST to a token endpoint, read back a bearer token, then carry on. A stand-in needs no real security, but it does need to satisfy that handshake. Fake auth endpoints do exactly that.

What it does

A simulation can declare auth endpoints: a method and path that return a believable token response to any request. Your client runs its normal token flow, gets back something that looks right, and goes on to call the API, which accepts any token, or none, because the stand-in never checks it.

  • A token field is filled with a fresh value on every call.
  • Fixed fields return the literals you set, like token_type: "Bearer" and expires_in: 3600.
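
The behaviour described above, sketched as a small Python stand-in. This is an added example, not Understudy's code or configuration format; the /oauth/token and /orders paths, the access_token field name and every identifier in it are assumptions.

```python
import http.client
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed names for this sketch; the page gives no paths or config format.
AUTH_ENDPOINTS = {("POST", "/oauth/token"): {"token_type": "Bearer", "expires_in": 3600}}
TOKEN_FIELD = "access_token"

def respond(method, path, headers):
    """Return (status, body) without ever inspecting credentials."""
    fixed = AUTH_ENDPOINTS.get((method, path))
    if fixed is not None:
        # Token field: fresh value on every call. Fixed fields: literals.
        return 200, {TOKEN_FIELD: secrets.token_urlsafe(32), **fixed}
    # Any other route plays the API. The Authorization header is never read,
    # so a real-looking token, a junk token and no token all succeed.
    return 200, {"path": path, "token_checked": False}

class StandIn(BaseHTTPRequestHandler):
    def _reply(self):
        length = int(self.headers.get("Content-Length") or 0)
        self.rfile.read(length)  # drain the request body; its content is ignored
        status, body = respond(self.command, self.path, self.headers)
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _reply

    def log_message(self, *args):  # keep the demo quiet
        pass

def handshake_demo():
    """Run a client's usual token flow against the stand-in on loopback."""
    server = HTTPServer(("127.0.0.1", 0), StandIn)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    try:
        conn.request("POST", "/oauth/token", body="grant_type=client_credentials")
        token = json.load(conn.getresponse())
        conn.request("GET", "/orders", headers={"Authorization": "Bearer " + token[TOKEN_FIELD]})
        return token, json.load(conn.getresponse())
    finally:
        server.shutdown()
        server.server_close()
```

Because respond() never reads the Authorization header, a run that passes against the stand-in exercises the client's token flow only, not the real API's authorization.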

Detected from your spec

When you import a spec that declares OAuth2 security, Understudy finds the token endpoints for you, one per token or refresh URL, with a sensible default token shape. You can adjust it, but in most cases the handshake works straight away.