Live Demo Hub
No integration needed — just scan with PalmxApp to experience Palm's core flows end-to-end.
OAuth Binding
Use the Palm OAuth SDK to scan with PalmxApp and bind your account, obtaining an open_id.
Try OAuth Binding
Scan the QR code with PalmxApp to bind your account and get an open_id.
What you'll see:
- How the iframe + postMessage architecture avoids cross-origin issues
- SDK returns code + codeVerifier after user scan authorization
- Backend exchanges code for open_id and access_token
OAuth Verification
When a user initiates a sensitive operation, the backend creates a verification challenge. The user confirms with a palm scan in PalmxApp.
Try OAuth Verification
Simulate a transfer: create a verification challenge and confirm in PalmxApp.
What you'll see:
- Backend calls VerifyCreate to initiate verification
- Complete flow of user palm scan confirmation
- Polling VerifyQuery for result status (pending / approved / denied / expired)
Agent Registration & Authorization
Grant an AI Agent a "human-claimed" identity credential. After the real person scans the QR code and palm-scans in PalmxApp, the Agent receives an authorization token and the business can bind it to a local account.
Try Registration & Authorization
Scan the QR code below with PalmxApp to experience the full Agent registration and human authorization flow.
What you'll see:
- Agent generates an Ed25519 key pair locally; private key never leaves the device
- Real person QR scan + palm scan triggers a single-transaction server-side binding
- Agent polls for a one-time code and passes it to the business to exchange for
open_id
Agent Identity Verification
Every business request is signed by the Agent's private key. The business fetches and caches the public key, then verifies locally — proving "it's the same Agent."
Try Identity Verification
Call verify/device to fetch the public key and verify the Agent registration status.
What you'll see:
- How the canonical string is constructed (body hash + nonce)
- Method A (cached local verification) vs Method B (online verification)
- Revocation delay equals cache TTL
High-risk Step-up Verification
When an Agent initiates a high-risk operation (transfer, withdrawal, etc.), the real person must palm-scan on PalmxApp to approve. The server issues an Assertion JWT as the authorization credential.
Try High-risk Step-up
Enter the DeviceId to simulate a Step-up verification for a transfer.
What you'll see:
- Differences between Step-up Levels 1 / 2 / 3
- Full flow from real-person palm scan to Assertion JWT issuance
- The six-step JWT verification sequence (including
action_detailhash tamper protection)