Authentication
Because Caido is built around a client/server architecture, each instance needs access control that authenticates the client (the desktop or web application GUI) to the server (the Caido CLI), so that the instance is accessible only to you.
DANGER
Although the API is authenticated, the proxy traffic is currently unprotected. We strongly advise not to expose your Caido instances to the open internet.

Authentication in Caido is based on OAuth 2.0. Every instance that is created registers to our cloud service and obtains a client ID and secret. On initial login to the instance using your account credentials, you claim the instance's client ID.
OAuth Grants Used by Caido
- Client Credentials: This grant is used to obtain an access token that authenticates the instance with the cloud.
- Device Authorization: This grant is used to obtain access and refresh tokens to authenticate users. Unlike most other grants, it does not require a browser redirect back to the instance.
- Refresh Token: This grant is used to refresh user access tokens without requiring re-authentication.
NOTE
At this moment, we do not make any guarantees on the lifetime of the tokens.

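The Device Authorization grant described above, as an added stand-alone simulation (not Caido's own code): an in-memory MockAuthServer stands in for the cloud service, and the endpoint name, user-code format, polling limits and token values are assumptions, not Caido's real API.

```python
# Added example, not Caido's code: simulated OAuth 2.0 Device Authorization
# grant (RFC 8628). Endpoint URL, code formats and token lifetimes are
# assumptions for illustration only.
import secrets

class MockAuthServer:
    """Minimal authorization server: issues device/user codes, then tokens."""
    def __init__(self):
        self.pending = {}  # device_code -> pending authorization record

    def device_authorization(self, client_id):
        # Step 1: the instance requests a device code plus a short user code.
        device_code = secrets.token_urlsafe(24)
        user_code = secrets.token_hex(4).upper()  # shown to the user
        self.pending[device_code] = {"client_id": client_id,
                                     "user_code": user_code, "approved": False}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://auth.example.invalid/device",
                "interval": 0}

    def approve(self, user_code):
        # Step 2: the user enters the user code in a browser and approves;
        # nothing is redirected back to the instance.
        for rec in self.pending.values():
            if rec["user_code"] == user_code:
                rec["approved"] = True
                return True
        return False

    def token(self, client_id, device_code):
        # Step 3: the instance polls; tokens are released only once approved,
        # only to the client that requested the code, and only once.
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer",
                "access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32)}

def device_login(server, client_id, user_approves, max_polls=5):
    """Client side of the grant; user_approves(user_code) models the human step."""
    auth = server.device_authorization(client_id)
    user_approves(auth["user_code"])
    for _ in range(max_polls):
        resp = server.token(client_id, auth["device_code"])
        if resp.get("error") != "authorization_pending":
            return resp
    return {"error": "expired_token"}
```
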
Secrets Storage
- The client secret and instance access token are both encrypted and stored in the secrets.db database in the instance data directory on disk.
- User access and refresh tokens are stored in the client's local storage. These tokens are never stored on the instance, but can be present in memory.
