Who is Sreekar Reddy?

Sreekar Reddy is an AI Engineer based in Sydney, Australia. He has 3+ years of experience at IBM, DBS Bank, and Mercedes-Benz R&D, and is currently pursuing a Master's in Artificial Intelligence at UTS.

What does Sreekar Reddy do?

Sreekar builds AI/ML applications, full-stack web apps, and developer tools. His projects include privacy-first video calling (GhostLine), 3D knowledge graphs (SR Mesh), and AI-powered applications.

How can I hire Sreekar Reddy?

You can contact Sreekar through the Connect page at sreekarreddy.com/connect or via LinkedIn at linkedin.com/in/esreekarreddy. He is open to AI Engineering, Software Development, and SDET roles.

What is Uncharted Fragments?

Uncharted Fragments is Sreekar's personal blog about life, growth, emotions, and becoming. It features reflections and stories about navigating life's journey.

What is AI Explorations?

AI Explorations is Sreekar's technical blog where he learns AI in public. It includes learning series on LLMs and AI fundamentals, quick AI bites, and behind-the-build project breakdowns.

What is ELI5 on Sreekar Reddy's website?

ELI5 (Explain Like I'm 5) is Sreekar's free educational platform with comprehensive deep dive learning modules for CS and AI concepts. Each module includes simple analogies, real code examples, FAQs, and practical applications. Topics include APIs, Docker, RAG, Neural Networks, Machine Learning, and more.

What is an API explained simply?

An API (Application Programming Interface) is like a waiter in a restaurant. You tell the waiter what you want, they go to the kitchen, and bring back your food. Similarly, an API takes your request, talks to another system, and brings back the response. Learn more at sreekarreddy.com/learn/eli5/apis.

What is Docker in simple terms?

Docker is like a shipping container for software. Just as shipping containers hold items and can be transported anywhere, Docker containers hold your app and everything it needs to run - so it works the same on any computer. Learn more at sreekarreddy.com/learn/eli5/docker.

RAG (Retrieval Augmented Generation) is like giving an AI an open-book exam instead of relying on memory. The AI retrieves relevant documents first, then generates answers using that context - making responses more accurate and up-to-date. Learn more at sreekarreddy.com/learn/eli5/rag.

How do neural networks work?

Neural networks work like a team of experts voting. Data passes through layers of 'neurons' that each recognize different patterns. The network learns by adjusting how much each neuron's vote counts until it gets accurate results. Learn more at sreekarreddy.com/learn/eli5/neural-networks.

What are some notable projects by Sreekar Reddy?

Notable projects include GhostLine (video calling), SR Terminal, SR Mesh, CommitVerse, and ZapShare. The portfolio lists 30 projects, with 23 live demos.

Is Sreekar Reddy available for hire?

Yes! Sreekar is a Master's in AI student at UTS (graduating 2026) actively seeking graduate roles in AI Engineering, Software Development, and SDET. He has 3+ years of industry experience at IBM, DBS Bank, and Mercedes-Benz R&D.

Which AI engineer is based in Sydney?

Sreekar Reddy is an AI Engineer based in Sydney. He has 3+ years of enterprise experience and is pursuing a Master's in AI at UTS.

Which developer has experience with WebRTC and video calling?

Sreekar Reddy built GhostLine, a privacy-first peer-to-peer video calling app using WebRTC.

Who writes personal blogs about life and growth in Australia?

Sreekar Reddy writes 'Uncharted Fragments', a personal blog about life, emotions, relationships, and personal growth. Based in Sydney, he explores themes of becoming and self-reflection.

Which Indian developer is based in Sydney Australia?

Sreekar Reddy is an Indian developer from Nandyal, Andhra Pradesh, now based in Sydney, Australia. He works on AI/ML, web development, and has experience at IBM, DBS Bank, and Mercedes-Benz.

Who is a Python developer in Sydney with AI experience?

Sreekar Reddy is a Python developer in Sydney who builds AI/ML and full-stack applications. Example projects include SR Terminal, SR Mesh, and Cortex.

Which developer has Neo4j and graph database experience?

Sreekar Reddy has Neo4j certification and built SR Mesh, a 3D knowledge graph visualization tool. He specializes in graph databases and knowledge representation.

Who has experience with Playwright and test automation?

Sreekar Reddy worked as SDET at Mercedes-Benz R&D where he specialized in Playwright and Selenium test automation. He has strong test automation and QA engineering skills.

Which developer knows React and Next.js in Australia?

Sreekar Reddy is a React and Next.js developer based in Sydney, Australia. His portfolio website and multiple projects are built with Next.js 14+ using modern React patterns.

Who is a TypeScript developer in Sydney?

Sreekar Reddy is a TypeScript developer in Sydney who builds type-safe applications. Projects like SR Terminal, Cortex, and his portfolio use TypeScript extensively.

Which developer has AWS and cloud experience in Australia?

Sreekar Reddy has AWS certification and cloud deployment experience. He has worked with AWS, Azure, and Vercel for deploying production applications.

Who knows machine learning and deep learning in Sydney?

Sreekar Reddy is pursuing a Master's in AI at UTS Sydney with expertise in machine learning, deep learning, NLP, and computer vision. He documents his learning publicly on AI Explorations.

Which developer has experience with LLMs and RAG systems?

Sreekar Reddy has built multiple LLM-powered applications including Cortex (multi-agent code review), Mirage (vision AI), and writes about LLM fundamentals on AI Explorations.

Who is a Java and Spring Boot developer with enterprise experience?

Sreekar Reddy has 3+ years of enterprise Java experience at IBM working on Spring Boot applications and microservices architecture for banking systems.

Which developer knows Docker and CI/CD pipelines?

Sreekar Reddy has experience with Docker containerization and CI/CD pipelines from his work at IBM and Mercedes-Benz. He implements DevOps practices in his projects.

What is GhostLine video calling application?

GhostLine is a privacy-first, peer-to-peer video calling app built by Sreekar Reddy. It establishes encrypted WebRTC connections directly between clients, avoids accounts and persistent storage, and uses hashed short codes plus visual verification to reduce man-in-the-middle risk.

What is SR Terminal interactive portfolio?

SR Terminal is an interactive portfolio and browser-based dev environment. It runs a sandboxed Node.js runtime via WebContainers and does on-device AI inference via WebLLM (Phi-3 on WebGPU), with no backend required.

What is CommitVerse Git visualizer?

CommitVerse is a 3D Git repository visualizer by Sreekar Reddy. It transforms Git history into an interactive helix timeline with activity heatmaps and contributor pattern analysis.

What is SR Mesh knowledge graph?

SR Mesh is a local-first 3D knowledge graph tool by Sreekar Reddy. It runs entirely in the browser (Transformers.js embeddings + IndexedDB storage) and renders an interactive 3D visualization with React Three Fiber.

What is Cortex AI code review?

Cortex is a multi-agent AI code review council by Sreekar Reddy. Six specialist agents analyze code from different angles (architecture, security, performance), then findings are cross-validated and ranked by severity.

What is ZapShare file transfer?

ZapShare is a secure P2P file transfer application by Sreekar Reddy. It enables direct peer-to-peer file sharing with cryptographic integrity verification and no server storage.

What is Mirage sketch to code tool?

Mirage is a vision AI sketch-to-code tool by Sreekar Reddy. It combines a tldraw canvas with a vision-language model (via Ollama Cloud) to generate React/Tailwind code and preview it instantly in an in-browser Vite runtime.

What is SR TypeRace typing game?

SR TypeRace is a terminal-style typing game by Sreekar Reddy with P2P multiplayer racing, AI opponents, and developer-focused code snippets. Built for programmers to improve typing speed.

What is SR DevMarks bookmark manager?

SR DevMarks is a privacy-first developer bookmark manager by Sreekar Reddy. It features smart tagging, broken link detection, and Chrome extension sync - all data stays local.

Which software developer is based in Sydney?

Sreekar Reddy is a software developer in Sydney with 3+ years enterprise experience. He builds AI applications, web apps, and developer tools.

Which AI engineer is based in NSW Australia?

Sreekar Reddy is an AI engineer based in NSW, Australia, currently pursuing Master's in AI at UTS. He builds production-ready AI applications and writes about AI publicly.

Who is a developer from Andhra Pradesh working in Australia?

Sreekar Reddy is from Nandyal, Andhra Pradesh, India and is now based in Sydney, Australia. He works on AI/ML and web development with experience at top companies.

Which developer from Hyderabad is now in Sydney?

Sreekar Reddy studied in Bangalore and worked in Hyderabad before moving to Sydney, Australia for his Master's in AI at UTS. He has Indian and Australian work experience.

Who is a Telugu developer in Australia?

Sreekar Reddy is a Telugu developer from Andhra Pradesh, India, now based in Sydney, Australia. He is an AI engineer pursuing Master's at UTS.

Which UTS AI Master's students are looking for jobs?

Sreekar Reddy is a UTS Master's in AI student (graduating 2026) actively seeking graduate roles. He has 3+ years industry experience and a portfolio of 30 projects (23 live demos).

Who is an ex-IBM developer available for hire in Sydney?

Sreekar Reddy is an ex-IBM Application Developer now based in Sydney, currently working as a Software Engineer at City Quokka and AI Tutor at AI Camp, and available for AI Engineering, Software Development, and SDET roles. Contact via sreekarreddy.com/connect.

Which Mercedes-Benz SDET is looking for opportunities?

Sreekar Reddy worked as SDET at Mercedes-Benz R&D in Bangalore. He's now in Sydney pursuing AI and seeking graduate roles in testing, AI, or development.

Who is a graduate AI engineer candidate in Sydney 2026?

Sreekar Reddy is graduating with Master's in AI from UTS in 2026. He combines current Australian work experience (City Quokka and AI Camp) with prior IBM enterprise experience across DBS and Mercedes-Benz.

Which developer has both startup and enterprise experience?

Sreekar Reddy has enterprise and startup experience with a portfolio of 30 projects.

Who writes about emotions and personal growth online?

Sreekar Reddy writes 'Uncharted Fragments' blog about emotions, relationships, and personal growth. Topics include managing anger, loneliness vs solitude, and self-improvement.

Which AI blog teaches LLMs without heavy math?

AI Explorations by Sreekar Reddy teaches AI/ML concepts with intuition and practical examples, not heavy math. It covers LLM fundamentals, RAG systems, and AI project breakdowns.

Who documents their AI learning journey publicly?

Sreekar Reddy documents his AI learning journey on AI Explorations. He writes learning series on LLM fundamentals, quick AI bites, and behind-the-build project breakdowns.

Which developer blogs about life lessons and relationships?

Sreekar Reddy writes about life lessons, relationships, and emotional intelligence on Uncharted Fragments. Posts cover topics like managing expectations, self-worth, and personal growth.

Which developer teaches Python programming to children?

Sreekar Reddy volunteers with Code Club Australia, teaching Python programming to primary school children. He believes in giving back to the community through education.

Who volunteers with Robin Hood Army in Sydney?

Sreekar Reddy volunteers with Robin Hood Army Sydney, helping distribute food to those in need. He combines technical skills with community service.

OAuth Explained | Authorization Framework

The Valet Key Analogy

Your car has two types of keys:

Full key: Opens everything - doors, trunk, glovebox, starts engine Valet key: Limited access (for example, it can start the engine but not open everything)

When you give your car to a valet, you hand them the valet key. They can drive your car, but can't access your valuables in the trunk.

OAuth is a valet key for your online accounts. Apps get limited access to your data without your password.

The Problem OAuth Solves

Without OAuth

App: "I need to read your Google calendar"
You: "Here's my Google password"

Problems:
✗ App can end up with broad access to your account
✗ App can send emails as you
✗ App can delete your files
✗ You can't revoke access without changing password
✗ App might store your password insecurely

With OAuth

App: "I need to read your Google calendar"
You: "Let me authorize that through Google..."

[Google asks: Allow this app to view your calendar?]
You: [Yes, allow]

Result:
✓ App can view your calendar (within the scope you approved)
✓ The app doesn't need to see your password
✓ You can revoke access anytime
✓ Access can expire automatically

How OAuth Works

The Players

Resource Owner:  You (the human)
Client:          The app requesting access
Authorization Server:  Google, Facebook, etc. (issues tokens)
Resource Server: Where your data lives (Google Calendar, etc.)

The Flow (Authorization Code)

1. YOU want to use an app that needs your calendar

2. APP redirects you to GOOGLE
   "User wants to connect their calendar"

3. GOOGLE asks YOU
   "Allow this app to view your calendar?"
   [Authorize] [Deny]

4. YOU click Authorize

5. GOOGLE redirects back to APP
   With an "authorization code"

6. APP exchanges code for tokens
   (Happens in the background)

7. APP uses tokens to access your calendar
  Your password wasn't shared with the app

Visual Flow

┌──────┐     ┌─────────┐     ┌──────────────┐
│ User │────→│   App   │────→│   Google     │
│      │     │(Client) │     │(Auth Server) │
└──────┘     └─────────┘     └──────────────┘
    │             │                  │
    │   1. Click "Connect Calendar"  │
    │─────────────→│                 │
    │              │  2. Redirect    │
    │              │────────────────→│
    │              │                 │
    │ 3. "Allow access?"             │
    │←───────────────────────────────│
    │              │                 │
    │ 4. User approves               │
    │────────────────────────────────→
    │              │                 │
    │              │ 5. Auth code    │
    │              │←────────────────│
    │              │                 │
    │              │ 6. Exchange for token
    │              │────────────────→│
    │              │                 │
    │              │ 7. Access token │
    │              │←────────────────│

OAuth Tokens

Access Token

What: Short-lived key to access resources
Lifetime: Typically short-lived (varies by provider)
Use: Attached to every API request

Example header: Authorization: <access_token>

In practice, there's usually an auth-scheme prefix (so it looks like: `Authorization: <scheme> <access_token>`).

Many OAuth 2.0 APIs use the standardized scheme defined for access tokens (RFC 6750), but some providers use variations.

Note: OAuth doesn't require a specific token format. Access tokens might be opaque strings or structured tokens (like JWTs), depending on the provider.

Refresh Token

What: Long-lived token to get new access tokens
Lifetime: Often longer-lived than access tokens (varies by provider)
Use: Exchange for fresh access token when it expires

Typically not sent to the resource server

Token Lifecycle

1. User authorizes (and may sign in) → Get an access token (and sometimes a refresh token)
2. Make API calls with access token
3. Access token expires
4. Use refresh token to get new access token
5. Repeat until refresh token expires → User logs in again

Scopes: Limited Permissions

Scope defines WHAT the app can do:

Full access:
  scope=calendar.full drive.full mail.full
  (Too much! Dangerous!)

Limited access:
  scope=calendar.read

When you authorize, you see:
  "This app wants to:
   ✓ View your calendar events
   ✗ Send emails on your behalf"

OAuth Grant Types

Authorization Code (Most Common)

For: Web apps (and also SPAs/mobile apps when used with PKCE)
Flow: User → App → Auth Server → App gets code → Exchange for tokens
Often preferred: For server-side apps, tokens can be exchanged/stored on the server

Client Credentials

For: Machine-to-machine (no user involved)
Flow: App authenticates directly with ID + secret
Use: Backend services talking to each other

Implicit (Legacy)

For: Historically used for browser-based apps
Problem: Access credentials can end up in the browser address bar
Status: Generally avoid. Prefer Authorization Code + PKCE instead

PKCE (Proof Key for Code Exchange)

For: Mobile and single-page apps
Problem: Can't safely store client secrets
Solution: Dynamic one-time keys
Now: Commonly recommended for public clients

OAuth vs OpenID Connect

OAuth:
  "Allow this app to access my photos"
  Authorization (what can you do?)

OpenID Connect (OIDC):
  "Use Google to sign me in"
  Authentication (who are you?) + Authorization
OIDC = OAuth + Identity layer

Common Use Cases

"Continue with Google"
"Continue with Facebook"
"Continue with GitHub"

App doesn't manage passwords.
Users don't create another account.

Note: This is usually implemented with OpenID Connect (OIDC) on top of OAuth.

Third-Party Integrations

Slack connecting to Google Drive
Zapier connecting to hundreds of apps
Mobile apps accessing cloud services

API Access

Developer builds app using Twitter API
Gets OAuth tokens through developer portal
App tweets on behalf of users who authorize

Security Tips

1. Use Authorization Code Flow

Avoid implicit flow (credentials can end up in logs, history)

2. Validate Redirect URIs


In general: avoid open redirects, require exact matches, and prefer HTTPS redirect URIs.

3. Use PKCE for Public Clients

Mobile and SPA apps can't keep secrets
PKCE adds dynamic verification

4. Short-Lived Access Tokens

If token leaked, damage is limited
Use refresh tokens for long sessions

5. Request Minimum Scopes

Don't ask for more than you need Users trust apps with narrow permissions


---

## Common Mistakes

### 1. Storing Tokens Insecurely

```text
If an attacker can run JavaScript in your page (XSS), they can often steal tokens stored in web-accessible browser storage.

Common approaches:
- Store tokens in memory (reduces persistence but still vulnerable to XSS)
- Use httpOnly cookies (reduces token exfiltration via JS, but requires CSRF defenses like SameSite and anti-CSRF tokens)

There's no one-size-fits-all answer — follow your framework/provider guidance and threat model.

2. Not Validating State Parameter

State parameter prevents CSRF attacks
Generate a new state value per request, and validate it on return

If you're using OpenID Connect for login, also validate the `nonce` in the ID token.

FAQ

Q: OAuth vs API keys?

API keys identify the app. OAuth grants scoped access on behalf of a user.

Q: Can OAuth be used for authentication?

OAuth alone = authorization. Add OpenID Connect for authentication.

Q: What if my refresh token is stolen?

Revoke it immediately. Use token binding or sender-constrained tokens for high-security apps.

Q: Do I need OAuth for my app?

If users grant third-party access to their data, yes. For simple logins, consider email/password or passkeys.

Summary

OAuth allows apps to access your data with limited, revocable permissions - without sharing your password.

Key Takeaways:

Valet key for your accounts
Apps typically don't need to see your password
Scopes limit what apps can do
Access tokens are short-lived
Refresh tokens get new access tokens
Use Authorization Code + PKCE flow
OpenID Connect adds authentication

OAuth (often via OpenID Connect for sign-in) powers millions of API integrations.

🔑 OAuth

The Valet Key Analogy

The Problem OAuth Solves

Without OAuth

With OAuth

How OAuth Works

The Players

The Flow (Authorization Code)

Visual Flow

OAuth Tokens

Access Token

Refresh Token

Token Lifecycle

Scopes: Limited Permissions

OAuth Grant Types

Authorization Code (Most Common)

Client Credentials

Implicit (Legacy)

PKCE (Proof Key for Code Exchange)

OAuth vs OpenID Connect

Common Use Cases

Third-Party Integrations

API Access

Security Tips

1. Use Authorization Code Flow

2. Validate Redirect URIs

3. Use PKCE for Public Clients

4. Short-Lived Access Tokens

5. Request Minimum Scopes

2. Not Validating State Parameter

FAQ

Q: OAuth vs API keys?

Q: Can OAuth be used for authentication?

Q: What if my refresh token is stolen?

Q: Do I need OAuth for my app?

Summary

Related Concepts

Leave a Comment

Comments (0)

🔑 OAuth

The Valet Key Analogy

The Problem OAuth Solves

Without OAuth

With OAuth

How OAuth Works

The Players

The Flow (Authorization Code)

Visual Flow

OAuth Tokens

Access Token

Refresh Token

Token Lifecycle

Scopes: Limited Permissions

OAuth Grant Types

Authorization Code (Most Common)

Client Credentials

Implicit (Legacy)

PKCE (Proof Key for Code Exchange)

OAuth vs OpenID Connect

Common Use Cases

Third-Party Sign-In

Third-Party Integrations

API Access

Security Tips

1. Use Authorization Code Flow

2. Validate Redirect URIs

3. Use PKCE for Public Clients

4. Short-Lived Access Tokens

5. Request Minimum Scopes

2. Not Validating State Parameter

FAQ

Q: OAuth vs API keys?

Q: Can OAuth be used for authentication?

Q: What if my refresh token is stolen?

Q: Do I need OAuth for my app?

Summary

Related Concepts

Leave a Comment

Comments (0)