01
Bound the source and the claim
Use the supplied fixture or a flow your organization permits you to process. State whether it is illustrative or implementation-derived, and do not present a generic example as your production authentication design.
OAuth PKCE sequence · worked example
Turn a bounded authorization-code and PKCE note into an editable sequence, then ask a human reviewer to challenge state handling, verifier custody, token exchange, and the failure path.
01
Input
Defined scope
02
Agent
First draft
03
Canvas
Stable URL
04
Human
Review + edit
05
Agent
Same-canvas update
A sequence diagram earns trust when it exposes where the browser stops, where the server validates state, and why a mismatch creates no session—not when it merely draws a happy path.
Reproduce it
01
Use the supplied fixture or a flow your organization permits you to process. State whether it is illustrative or implementation-derived, and do not present a generic example as your production authentication design.
02
Mint a read + write Personal Access Token and add @excaliwow/mcp. Keep publish and delete off for this review loop, and keep the token outside the repository.
MCP client config
{
"mcpServers": {
"excaliwow": {
"command": "npx",
"args": ["-y", "@excaliwow/mcp"],
"env": {
"EXCALIWOW_TOKEN": "excw_pat_…"
}
}
}
}03
Send the exact prompt, open the returned editor URL, and ask a reviewer to find the state check and verifier use. Record corrections on the canvas before asking the agent for the same-diagram failure-path update.
Human review
Same-canvas follow-up
Update the same diagram in place: add the explicit state-mismatch rejection and secure cookie flags without moving the human-highlighted trust boundary.
Start free—no credit card. First 10,000 verified accounts keep the core workspace free; 3 diagrams to start and earn more capacity.