Info

TInyAuth is an authorization service for the TI-84+ CE graphing calculator. It allows you to sign in to multiple services supporting TInyAuth using a single set of credentials (single-sign-on). This has a number of security benefits for both end users and service administrators. To log in, an end user simply sends TInyAuth a query containing credentials; a successful login creates a session token for that service, valid for a period of time. A third-party service simply needs to ask TInyAuth if a valid session token exists in order to authorize you; it never receives your credentials directly.


 Docs

End User

  1. Register an account with TInyAuth.
  2. Scan the QR code for 2FA on your Dashboard with your TOTP application of choice.

Service Developer

  1. Connect the client application to TInyAuth like so:
    1. Open a TCP connection to conn.cagstech.com on port 51001.
    2. Send a 1-byte packet, [0x00]. Await response. Response should be [0x00, <RSA public key>].
    3. Generate a 16, 24, or 32 bit AES key. Encrypt it using the RSA public key. Send a packet, [0x01, <encrypted-aes-key>]. Await response. [0x01, 0x00] for success or [0x01, 0x01] for error.
    4. Generate a payload containing the user's email, password, and OTP as well as the fully-qualified domain name for your service to send to TInyAuth. It should be serialized like so:
      Size            Field
      3               len(EMAIL)
      len(EMAIL)      EMAIL
      3               len(PASSWORD)
      len(PASSWORD)   PASSWORD
      3               len(OTP)
      len(OTP)        OTP
      3               len(FQDN)
      len(FQDN)       FQDN
      AES-encrypt the payload using the key, yielding [aes-iv] and [encrypted-payload].
    5. On success, send the credentials to TInyAuth, formatted as follows: [0x02, <aes-iv>, <encrypted-payload>]. Await response. [0x02, 0x00] for success or [0x02, 0x01] for failure.
    6. Once TLS is properly implemented, a proper HTTPS POST request will replace this nonsense.
  2. Receive the user's TInyAuth account EMAIL ADDRESS. How you code this is up to you.
  3. Send an HTTPS POST request to TInyAuth containing the following JSON payload:
    {
        "email":<USER EMAIL>,
        "api-key":<YOUR SERVICE API KEY>,
        "domain":<FQDN OF YOUR SERVICE>
    }
  4. Parse JSON response for authorization success or fail.
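
The credential payload layout from step 4 of the connection procedure, as an added example that is not TInyAuth's own code: a serializer plus a strict parser that rejects truncated or over-long fields before any value is used. It assumes, since the page does not say, that sizes are in bytes, that the 3-byte length is little-endian, and that fields are UTF-8 text; the AES step is left out and the sample values are constructed.

```python
# Added example: TInyAuth credential payload (step 4), before AES encryption.
# Assumptions not stated on the page: sizes are bytes, the 3-byte length
# prefix is little-endian, and every field is UTF-8 text.
FIELDS = ("email", "password", "otp", "fqdn")  # documented field order
LEN_SIZE = 3
MAX_LEN = (1 << (8 * LEN_SIZE)) - 1


def serialize(email: str, password: str, otp: str, fqdn: str) -> bytes:
    """Concatenate each field as <3-byte length><bytes>, in documented order."""
    out = bytearray()
    for value in (email, password, otp, fqdn):
        raw = value.encode("utf-8")
        if len(raw) > MAX_LEN:
            raise ValueError("field too long for a 3-byte length prefix")
        out += len(raw).to_bytes(LEN_SIZE, "little") + raw
    return bytes(out)


def parse(payload: bytes) -> dict:
    """Strict parser: every length is checked against the bytes that remain."""
    fields, pos = {}, 0
    for name in FIELDS:
        if pos + LEN_SIZE > len(payload):
            raise ValueError(f"truncated length prefix for {name}")
        n = int.from_bytes(payload[pos:pos + LEN_SIZE], "little")
        pos += LEN_SIZE
        if n > len(payload) - pos:
            raise ValueError(f"{name} length {n} exceeds remaining payload")
        # Invalid UTF-8 raises UnicodeDecodeError, a ValueError subclass.
        fields[name] = payload[pos:pos + n].decode("utf-8")
        pos += n
    if pos != len(payload):
        raise ValueError("trailing bytes after FQDN")
    return fields


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    blob = serialize("user@example.com", "correct horse", "123456", "svc.example.com")
    print(blob.hex())
    print(parse(blob))
```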

 Legal
LIABILITY
The Service assumes no liability for errors in content, visual content errors, service downtime, API errors, misuse of the API by end users or compromise of credentials through user action (social engineering).
DATA COLLECTION & USAGE
The Service collects the following personally-identifiable information from end-users:
  • An email address, used to communicate with end users about service updates, planned downtime, security incidents, and for users to request a password reset.
  • A NIST-standards-compliant password, recommended to be unique to the service, used for authorizing the user with our Service.
This information is not shared with other parties in any way. Users may request deletion of this information by deleting their account while signed in on the web UI.
For Parents/Guardians of Minors: If you are concerned about the information your child may have shared with us, we welcome you to contact us for more information. We will happily provide more information about the nature of this service and/or delete pertinent records on request.
ACCEPTABLE USE
It is acceptable to use the Service in a manner consistent with the Documentation. Attempting to abuse or misuse the Service, including but not limited to attempts to steal user credentials or obtain unauthorized access to the Service's resources, is a violation of our Terms of Services and also a crime, and we will take appropriate action to protect the integrity of our resources and users' information.

 Compliance
The Server running this resource is compliant with the CIS Server Level 2 security policy to the best extent possible.

A Single-Sign-On Platform for the TI-84+ CE