Instances & Authentication
An "instance" is a reference to the directory that stores the data generated by Caido's installation and usage.
This abstraction allows you to manage multiple, separate installations of Caido on a single device.
Local Instances
Additional local instances can be created using either the standalone Caido CLI or desktop application by changing the data storage location.
Remote Instances
Additional instances can also be created for remote installations of the Caido CLI via the launch window of the desktop application.

Authentication
Each instance requires access control to authenticate the Caido GUI (client component) to the Caido CLI (server component), to ensure it is only accessible to you.
DANGER
Although the API is authenticated, the proxy traffic is currently unprotected. We strongly advise against exposing your Caido instances to the open internet.

Authentication in Caido is based on OAuth 2.0. Every instance that is created registers to our cloud service and obtains a client ID and secret. On initial login to the instance using your account credentials, you claim the instance's client ID.
Workspaces
Once an instance has been registered and claimed, it is associated with your account workspace. Workspaces provide a central management location and facilitate collaboration between team members via the Instances interface of the account dashboard.
OAuth Grants Used by Caido
- Client Credentials: This grant is used to obtain an access token that authenticates the instance with the cloud.
- Device Authorization: This grant is used to obtain access and refresh tokens to authenticate users. Unlike most other grants, it does not require a browser redirect.
- Refresh Token: This grant is used to refresh user access tokens without requiring re-authentication.
NOTE
At this moment, we do not make any guarantees on the lifetime of the tokens.
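
The Device Authorization grant listed above is the least familiar of the three, so here is an added example (not Caido's code or API) that simulates the RFC 8628 exchange in memory, with both the server's responses and the client's polling loop. `FakeAuthServer`, `poll_for_tokens`, the user code and the verification URI are all constructed for illustration.

```python
# Added example: RFC 8628 device authorization grant, simulated in memory.
# FakeAuthServer, poll_for_tokens and all values are constructed, not Caido APIs.
import secrets

GRANT = "urn:ietf:params:oauth:grant-type:device_code"

class FakeAuthServer:
    """Stand-in authorization server; the user approves before poll N."""
    def __init__(self, approve_after=3, interval=5, expires_in=600):
        self.approve_after, self.interval = approve_after, interval
        self.expires_in, self.polls, self.last_poll = expires_in, 0, None
        self.device_code = secrets.token_urlsafe(32)

    def device_authorization(self, client_id):
        # The user types user_code at verification_uri in any browser;
        # the client itself never receives a redirect.
        return {"device_code": self.device_code, "user_code": "WDJB-MJHT",
                "verification_uri": "https://auth.example/device",
                "expires_in": self.expires_in, "interval": self.interval}

    def token(self, grant_type, device_code, now):
        if grant_type != GRANT or device_code != self.device_code:
            return {"error": "invalid_grant"}
        if now >= self.expires_in:
            return {"error": "expired_token"}
        too_fast = self.last_poll is not None and now - self.last_poll < self.interval
        self.last_poll = now
        if too_fast:
            return {"error": "slow_down"}
        self.polls += 1
        if self.polls < self.approve_after:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def poll_for_tokens(server, client_id, start_interval=None, sleep=lambda s: None):
    """Client side: poll the token endpoint until a terminal response."""
    grant = server.device_authorization(client_id)
    interval, now, log = start_interval or grant["interval"], 0, []
    while True:
        sleep(interval)            # a real client would pass time.sleep
        now += interval            # simulated clock, in seconds
        resp = server.token(GRANT, grant["device_code"], now)
        log.append(resp.get("error", "tokens_issued"))
        if resp.get("error") == "slow_down":
            interval += 5          # RFC 8628: back off by 5 seconds
        elif resp.get("error") != "authorization_pending":
            return resp, log       # tokens, or a terminal error
```

Passing `start_interval=1` models a client that polls faster than the server's advertised interval and shows the `slow_down` back-off.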

Secrets Storage
- The client secret and instance access token are both encrypted and stored in the secrets.db database in the instance data directory on disk.
- User access and refresh tokens are stored in the client's local storage. These tokens are never stored on the instance, but can be present in memory.
