Sandbox / Mock educational surface

A scoped PDPP grant, end to end, in your browser.

Click through a fictional tax-prep app asking a fictional owner for three pay statements. Approve the grant, see only the granted fields come back, then revoke and watch the next read get refused. The transcript on the right shows the API-shaped JSON for each step.

Simulated walkthrough: All data is fictional. Nothing leaves your browser.
Owner
Sam Rivera

Decides what to share, can revoke at any time.

Client app
Quill Tax

Import the last three pay statements so you can finish your tax return without re-keying numbers.

Connector
Acme Payroll (simulated)

Stand-in payroll connector used only inside this sandbox. No real Acme Corporation, employer, or paycheck data is involved.

Start here

A small, end-to-end PDPP story

Press Stage the request to begin. You'll play the fictional owner, Sam, deciding what Quill Tax can read from a simulated payroll connector.

Grant scope
Pay statements
Not requested yet

Net and gross pay totals from the last three pay periods, plus the issuing employer name.

  • period_end
  • employer
  • gross_pay_cents
  • net_pay_cents
  • currency
Access mode: single_use
Purpose code: tax_filing
Grant id: grant_sb_2026_demo
Expires: 2026-05-25T00:00:00Z
Records pane

No grant yet, so no records to project. PDPP refuses unscoped reads by construction, not by convention.

  • Stage the request. Simulates a client POST to /par with the proposed scope.
Inspectable transcript

API-shaped requests & responses

Simulated JSON

Each panel reveals as you advance the walkthrough. Shapes are representative of PDPP, not byte-for-byte from a live reference run. See /docs for normative semantics.

  • 1. Client requests access (locked)
  • 2a. Owner denies the request (locked)
  • 2. Owner consent + grant issued (locked)
  • 3. Resource query returns scoped records (locked)
  • 4. Owner revokes / next query refused (locked)
Reviewer

See the surface a real owner approves

Grant scope, fields, retention, and refusal evidence are all visible without reading the spec first.

Implementer

Inspect the API shapes

Each step exposes a representative request/response so you can compare your own draft to the protocol.

Skeptic

Confirm scope is enforced, not implied

Approve a grant, revoke it, and watch the simulated resource server refuse the next read.
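
The check a skeptic would run, as an added example (not PDPP reference code and not this sandbox's source): a deny-by-default resource server that projects only the granted fields and refuses reads with no grant, after expiry, and after revocation. The function names, error strings, the `ssn_last4` field and the pay amounts are assumptions; the field list, grant id, access mode, purpose code and expiry come from the grant scope shown above.

```javascript
// Added sketch: hypothetical in-memory resource server, not PDPP reference code.
// RECORDS is constructed sample data; ssn_last4 stands in for connector data
// that the grant never covers.
const RECORDS = ["2026-01-31", "2026-02-28", "2026-03-31"].map((period_end) => ({
  period_end, employer: "Acme Payroll (simulated)", gross_pay_cents: 520000,
  net_pay_cents: 391000, currency: "USD", ssn_last4: "0000",
}));
const grants = new Map(); // grant id -> grant state held by the resource server

function issueGrant(grant) {
  grants.set(grant.id, { ...grant, fields: [...grant.fields], revoked: false });
}

function revokeGrant(id) {
  const g = grants.get(id);
  if (g) g.revoked = true;
}

// Deny by default: anything other than an active, unexpired grant is refused.
// The error strings are hypothetical, not PDPP error codes.
function readPayStatements(grantId, now) {
  const g = grants.get(grantId);
  if (!g) return { ok: false, error: "no_grant" };
  if (g.revoked) return { ok: false, error: "grant_revoked" };
  if (now.getTime() >= Date.parse(g.expires)) return { ok: false, error: "grant_expired" };
  // Build each record from the allow-list instead of deleting known-sensitive
  // keys, so a field the connector adds later is never returned by accident.
  const records = RECORDS.map((rec) =>
    Object.fromEntries(g.fields.filter((f) => f in rec).map((f) => [f, rec[f]])));
  return { ok: true, grant_id: g.id, records };
}

function walkthrough() {
  grants.clear();
  const id = "grant_sb_2026_demo";
  const now = new Date("2026-04-15T00:00:00Z"); // constructed clock value
  const before = readPayStatements(id, now);
  // access_mode and purpose_code are carried as metadata only in this sketch.
  issueGrant({ id, access_mode: "single_use", purpose_code: "tax_filing",
    expires: "2026-05-25T00:00:00Z",
    fields: ["period_end", "employer", "gross_pay_cents", "net_pay_cents", "currency"] });
  const granted = readPayStatements(id, now);
  const expired = readPayStatements(id, new Date("2026-05-25T00:00:00Z"));
  revokeGrant(id);
  const afterRevoke = readPayStatements(id, now);
  return { before, granted, expired, afterRevoke };
}

console.log(JSON.stringify(walkthrough(), null, 2));
```
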

What this sandbox isn't

Keeping artifact boundaries crisp is part of the protocol's contract with reviewers.

Not the dashboard

/dashboard is for live operation

Operator views run against a real local or self-hosted reference instance with owner auth. They are intentionally out of scope here.

See the surface map->
Not the protocol

/docs holds normative semantics

When the sandbox and the docs disagree, trust the docs. The sandbox is pedagogy, not a conformance suite.

Read the docs->
Not a hosted service

No live reference instance

Vana does not host a canonical PDPP owner instance. To run one, fork the repo and use the Docker compose stack.

Self-host instructions->