Protocol Stack Map
How internet protocols relate β from finding things (DNS, URI) and moving packets (IP, TCP) up through encryption (TLS), request/response (HTTP), and the application platform (HTML, OAuth, WebSocket).
Naming & Addressing
How machines find each other: DNS, URIs, IP addressing, domain registration4 specsDNS is the phone book of the internet. Every domain, email MX record, SPF/DKIM TXT record, and service discovery entry depends on it.
The record types (A, MX, TXT, CNAME) you configure in every DNS panel live in this spec. Know what you're setting.
Every URL in your app, API, auth redirect, webhook, or deep link is built on this grammar. Essential for routing, redirects, and OAuth callback validation.
Browsers parse URLs per this standard, not raw RFC 3986. Critical for client-side routing, form encoding, and cross-origin behavior.
Content Addressing & Decentralized Web
Content-addressed storage and naming: CIDs, Multihash, Multibase, IPNS, DNSLink, and the HTTP Gateway specs that let ordinary browsers fetch IPFS content under a normal DNS name8 specsDNSLink is how you give an IPFS/IPNS deployment a stable human URL like `mysite.example.com` while the underlying CID changes every release. If you ever host static sites, agent artifacts, or signed manifests on IPFS and want a normal-looking domain, this is the spec.
Every DNSLink record, IPFS gateway URL, IPNS publish, and Filecoin deal references content by CID. If you do not understand what the bytes after `/ipfs/` mean, you cannot debug deploy/cache issues, validate signed manifests, or design content-addressed pipelines.
If you do not want to update a DNS TXT record on every deploy, point DNSLink at IPNS and republish the IPNS record to the new CID. IPNS is the mutable pointer that makes content-addressed storage usable for evolving sites.
Path gateways are how a regular browser without IPFS support fetches content-addressed data. Knowing the spec is required to operate a self-hosted gateway, debug 404/range/CORS issues, or build clients that fall back from native IPFS to HTTP gateways.
Path gateways break the web origin model β every CID shares the gateway origin. Subdomain gateways are the production-correct choice for hosting independent sites. This is also the only model that makes single-page apps with cookies and Service Workers function on a public gateway.
DNSLink alone tells nobody how a browser request actually turns into a served HTML page. The DNSLink Gateway spec is the contract between your DNS records and the gateway that browsers hit β required reading if you operate a custom gateway for user sites under a wildcard like `*.dial.wtf`.
Every CID contains a multihash. If you ever need to validate that a fetched IPFS payload matches its CID, swap in a different hash, or implement a custom indexer, you read and emit multihash bytes directly.
Multibase is the reason CIDv1 strings are DNS-safe lowercase base32 and can therefore appear in subdomain gateway hostnames like `bafyβ¦.ipfs.example.com`. If you build URL routers or parsers that touch CIDs, you encode and decode through multibase.
Transport
How packets move reliably between endpoints: IP, TCP, UDP, QUIC5 specsYour servers, load balancers, firewalls, and security groups are all defined in IPv4/CIDR. Know the addressing model.
ISPs and cloud providers are rolling out IPv6 dual-stack. AAAA records, IPv6 CIDR, and dual-stack routing are real concerns.
Every HTTP request your app makes rides on TCP. Understanding TCP helps with latency, timeouts, keep-alives, and connection pooling.
DNS runs over UDP. QUIC and HTTP/3 run over UDP. Media and gaming often use UDP for low-latency delivery.
Transport Security
Encryption and authentication at the transport layer: TLS, HSTS2 specsEvery HTTPS connection, SMTP/IMAP over TLS, OAuth token exchange, and API call uses TLS. It is the foundational security layer.
Certificate Trust
Public key infrastructure, certificate issuance policy, Web PKI1 specGoverns every TLS certificate you buy or provision via Let's Encrypt/ACM/Digicert. Understanding BR helps with cert errors, CAA records, and domain validation requirements.
HTTP
Request/response application protocol: semantics, caching, HTTP/1.1, HTTP/36 specsThis is the core contract of every web API, browser request, and server response. You can't design or debug HTTP without knowing this.
Correct caching is the difference between a fast app and an expensive, slow one. Mis-configured cache headers cause stale data bugs and unnecessary origin load.
HTTP/1.1 is still the baseline. Load balancers, proxies, and debugging tools often present HTTP in this format. Understanding the wire format is essential.
HTTP/3 is the current performance frontier for web delivery. CDNs enable it automatically; understand it for performance tuning and debugging.
Error response formats are the most inconsistent part of most APIs. RFC 9457 gives you a standard shape that clients can handle generically.
If you're returning 402 β or shopping for a way to monetize an API or MCP server β the spec hands you the code and nothing else. The meaning lives entirely in whatever protocol you layer above it: x402 (stablecoins, X-PAYMENT header), L402 (Lightning, WWW-Authenticate macaroon+invoice), or your own. Knowing that 402 itself is a blank canvas is the difference between shipping an interoperable agent-payable endpoint and a 402 response no client can negotiate against.
State & Sessions
Browser identity, sessions, and cross-origin trust: cookies, origin model, CORS, CSP3 specsSessions, auth tokens, tracking, and CSRF defenses all run through cookies. Know SameSite, Secure, HttpOnly, and domain scoping to avoid security bugs.
Every browser-side API call to a different origin hits CORS. Misconfigured CORS is a top source of dev frustration and security holes.
A well-configured CSP is the strongest mitigation against XSS. Required by modern security audits and browser hardening.
Data Formats
How data is serialized and exchanged: JSON, multipart, media types4 specsJSON is the lingua franca of web APIs. RFC 8259 is short and worth reading once β it clarifies edge cases around numbers, encoding, and trailing commas.
Every file upload in your app uses this. Know the MIME boundary, Content-Disposition, and Content-Type mechanics to build and debug file upload APIs.
Correct Content-Type headers drive content negotiation, browser rendering, and API behavior. Wrong types cause security and parsing bugs.
JSON Schema is the standard way to document and validate API request/response shapes. OpenAPI 3.1 fully adopts it. Know it if you design APIs.
Authentication & Authorization
Who can do what: OAuth 2.0, OpenID Connect, JWT, WebAuthn8 specsThe foundation of modern app auth: third-party login, API authorization, SSO, and machine-to-machine access all use OAuth 2.0.
Every API that accepts an OAuth access token uses bearer token transport. Know the header format and the security implications of each transport method.
Required for all public clients (SPAs, mobile apps, desktop apps). If you're building a non-confidential OAuth client, PKCE is mandatory per current best practice.
The original RFC 6749 allowed patterns now known to be insecure. RFC 9700 is the current security baseline β follow it, not just the base OAuth spec.
Sign-in with Google/Apple/GitHub all use OIDC. If your app authenticates users via a third party, you're using OIDC whether you know it or not.
JWTs are the token format for OIDC ID tokens and many OAuth implementations. Understanding the structure and security tradeoffs is essential.
When your app verifies a JWT from an identity provider, it fetches the public key as a JWK from the OIDC discovery endpoint.
Passkeys are the modern replacement for passwords. WebAuthn is the browser API. Every new auth system should evaluate it for primary or MFA flow.
Identity & Provisioning
User identity federation, directory, and provisioning: SCIM, SAML, LDAP2 specsEnterprise customers expect SCIM for automatic user lifecycle management from their IdP (Okta, Entra ID). Required for enterprise SaaS SSO packages.
Browser Platform
The application runtime: HTML, DOM, CSS, JavaScript, Storage, Workers, Web Components, Crypto, Streams, and platform APIs22 specsThe spec behind every HTML page, form, and browser API. The canonical reference for how browsers actually parse and process HTML.
Every frontend framework (React, Vue, Svelte) ultimately produces DOM operations. Understanding the event model and tree structure prevents subtle bugs.
Every fetch() call and XHR request is governed by this spec. It also defines CORS behavior in detail.
CSS drives all visual layout. Key modules: Grid, Flexbox, Custom Properties, Cascade layers, Container Queries. The snapshot identifies what's stable vs experimental.
JavaScript is the execution model of the web. The spec is the canonical reference for language semantics β closures, coercion, prototype lookup, module resolution, and async scheduling.
Every component framework (React, Vue, Lit, Angular) either compiles to or interacts with these primitives. Shadow DOM is how browsers isolate component internals. Understanding the native model prevents framework lock-in.
The simplest client-side persistence. Used everywhere for auth tokens, user preferences, feature flags, and cross-tab state. Know the 5 MB limit, synchronous blocking, and origin scoping rules.
Service Workers power offline support, background sync, and push notifications. Required for serious PWA/installable app behavior.
Required for Add to Home Screen / Install App functionality on iOS and Android. Defines how your web app presents when installed as a native-like app.
The bridge between CSS animations and JavaScript control. Required for complex choreography, scroll-driven animations, and animation libraries (GSAP, Motion One) that target this API.
The only serious client-side database in browsers. Required for offline-first apps, large dataset caching, and any storage that outgrows localStorage's 5 MB or needs indexed queries.
Any CPU-intensive work (parsing, compression, crypto, WASM) must run off the main thread to keep UI responsive. Workers are the browser's concurrency primitive β understand their message passing model and limitations (no DOM access).
The correct way to do crypto in the browser β no npm packages needed. Required for client-side encryption, token signing, secure key storage, and WebAuthn integration. Also available in Node.js and Deno.
Streams are how modern browsers handle large data: fetch response bodies, file reads, compression, and encoding are all stream-based. Understanding backpressure and piping is essential for efficient data processing.
The standard way to implement lazy loading, infinite scroll, ad viewability tracking, and scroll-triggered animations. Far more performant than scroll event listeners β runs off the main thread.
The data source behind Core Web Vitals (LCP, FID/INP, CLS), RUM (Real User Monitoring), and performance debugging. PerformanceObserver is the modern API; the older performance.timing is deprecated.
Every SPA router (React Router, Next.js, Vue Router) is built on pushState/popstate. The Navigation API is the modern replacement with better intercept semantics. Understanding the history stack prevents navigation bugs.
Required for web push notifications β the re-engagement channel for PWAs. Works with Service Workers and the Notifications API. Understanding VAPID and the subscription lifecycle prevents broken push implementations.
Essential for responsive components that need to adapt to their container size (not just viewport). Powers container-query polyfills, responsive charts, and layout-aware components.
Required for any 'Copy to clipboard' button, paste-from-image, or rich text editing. The async API requires user gesture and permissions β understanding the security model prevents frustrating clipboard failures.
Used by every file upload, image preview, drag-and-drop, and client-side file processing feature. Blob URLs are the bridge between binary data and DOM elements (img, video, a[download]).
Required whenever you work with binary data in JavaScript β ArrayBuffers from fetch, WebSocket binary frames, file contents, or crypto operations all need encoding/decoding. UTF-8 is the web's canonical encoding.
Input & Interaction
User input event models: Pointer, Touch, Keyboard, Gamepad, Drag & Drop, and interaction primitives7 specsThe foundational event model that every web application uses. Understanding event propagation (capture, target, bubble), event.preventDefault(), and the difference between key and code prevents input handling bugs.
The modern way to handle all pointing devices with one code path. Replaces separate mouse + touch event handling. Required for drawing apps, drag interactions, and multi-touch. Pressure and tilt enable pen/stylus features.
Still the primary touch API on iOS Safari (Pointer Events support is newer and incomplete). Required for pinch-to-zoom, swipe gestures, and touch-specific UX. Most apps need both Touch and Pointer Events.
Required for building rich text editors (Notion, Google Docs, ProseMirror, Tiptap). The beforeinput event with inputType lets you intercept and customize every editing operation before it happens.
Powers file upload drop zones, sortable lists, kanban boards, and drag-based UI. The DataTransfer API is shared with clipboard events. Understanding dragover prevention (preventDefault) and data transfer types is essential.
Required for web-based games and interactive experiences. The polling model (no events for button presses) means you need a requestAnimationFrame loop. Supports Xbox, PlayStation, Switch Pro, and generic HID controllers.
Required for rich text editors, annotation tools, and any feature that reads or manipulates text selection. The Selection/Range model is how browsers track cursor position in contenteditable regions.
Device Access & Sensors
Hardware and sensor APIs: Geolocation, Camera/Mic, Bluetooth, USB, Serial, Orientation, Permissions18 specsThe gating mechanism for every sensitive browser API. Check permission state before requesting access to avoid unexpected prompt dialogs. The change event lets you react when users revoke permissions in browser settings.
Required for maps, location-based search, delivery tracking, geofencing, and any feature that needs the user's physical location. Understanding accuracy levels (GPS vs Wi-Fi vs IP) and the permission flow is essential.
Required for video calls, audio recording, photo capture, barcode scanning, and AR experiences. Understanding constraints, track lifecycle (enabled, muted, ended), and device enumeration prevents broken camera/mic UX.
The display side of web notifications (Push API handles delivery). Used for chat messages, calendar reminders, and real-time alerts. Understanding the permission model and notification lifecycle prevents spam UX.
Required for video players, presentations, games, and immersive experiences. Understanding the security restrictions (user gesture required, no cross-origin iframes by default) prevents fullscreen request failures.
Essential for pausing animations/video, reducing network requests, and saving state when the user navigates away. Analytics and session tracking depend on visibility events to measure actual engagement time.
Required for mobile games, video players, and apps that need landscape mode. Lock prevents disorienting rotation during gameplay or presentations. Understanding the fullscreen requirement for lock() prevents failures.
Required for recipe apps, presentation slides, navigation/maps, music players, and any app where the screen must stay on. The automatic release on visibility change means you must re-acquire on visibilitychange.
Required for voice memos, video recording, screen recording tools, and any app that captures media. Understanding chunk-based recording (timeslice parameter) enables real-time upload during recording.
Required for screen sharing in video calls, screen recording tools, and remote support apps. Understanding the user-driven selection (browser shows picker) and tab audio capture enables proper UX.
Enables motion-based UX (shake to undo, tilt to scroll), compass features, step counting, and AR experiences. The unified permission model means understanding the base Sensor lifecycle covers all sensor types.
Enables web apps to communicate with BLE devices: fitness trackers, smart home sensors, medical devices, and custom hardware. The user-driven device picker (no background scanning) provides the security model.
Enables web-based firmware updates, microcontroller programming (Arduino, ESP32), and custom USB device control without native drivers. Chrome-only but the only web path to raw USB access.
Enables web-based communication with serial devices: Arduino/microcontroller consoles, GPS receivers, lab equipment, POS terminals, and CNC machines. Uses the Streams API for data flow.
Enables web apps to access HID devices that the Gamepad API doesn't cover: custom controllers, macro pads, LED strips, barcode scanners, and specialized input devices. Complements Gamepad API for non-standard controllers.
Required for web-based music production tools, DAWs, visualizers, and MIDI controller integration. SysEx access requires explicit user permission due to the ability to reprogram devices.
Enables haptic feedback for notifications, game events, form validation errors, and timer alerts on mobile devices. Simple API but important for mobile-first UX and accessibility.
Required for video players, video calls, and live streaming UIs that need to stay visible while multitasking. Document PiP extends this to custom player controls, chat overlays, and productivity widgets.
Graphics & XR
GPU rendering and immersive experiences: WebGL, WebGPU, WebXR3 specsThe established GPU rendering API in browsers. Powers Three.js, Babylon.js, PixiJS, MapboxGL, Google Earth, and countless games and visualizations. WebGL 2.0 has near-universal support and is the baseline for serious graphics work.
The successor to WebGL with dramatically better performance and GPU compute support. Enables ML inference on GPU, real-time ray tracing, physics simulation, and AAA-quality rendering in the browser. Ships in Chrome, Edge, and Firefox.
The standard for browser-based VR/AR: headset rendering, controller input, room-scale tracking, and AR overlays. Supports Meta Quest, Apple Vision Pro, HoloLens, and phone-based AR. Works with WebGL and WebGPU for rendering.
Real-time
Bidirectional and streaming communication: WebSocket, WebTransport, SSE3 specsReal-time features β chat, live dashboards, collaborative editing, notifications, trading UIs β run on WebSockets. Every serious app eventually needs them.
The go-to protocol for server-push without WebSocket complexity. Used for AI/LLM streaming responses, live notifications, and real-time dashboards over plain HTTP.
For gaming, live collaboration, and real-time data where WebSocket's TCP head-of-line blocking matters. Runs over QUIC so multiple streams don't block each other.
WebRTC
Peer-to-peer audio/video/data in browsers: WebRTC, ICE, STUN, TURN, DTLS-SRTP5 specsVideo calls (Meet, Zoom web), voice calls, peer-to-peer file transfer, and collaborative tools. The browser API surface for real-time A/V communication.
NAT traversal is why WebRTC calls fail. ICE is how browsers find a working path between peers. Know it when debugging call connectivity failures.
STUN is how WebRTC discovers the public-facing address for peer-to-peer connections. Every WebRTC deployment needs a STUN server.
~15-20% of WebRTC calls require TURN relay because both peers are behind symmetric NAT. Without TURN, those calls fail silently.
Media Delivery
Audio, video, and asset delivery: MSE, EME, HTTP range requests2 specsVideo players (YouTube, Netflix, Twitch) use MSE for adaptive streaming. Required if you build a custom media player or do in-browser video processing.
Required for any platform that distributes premium or licensed video content (streaming services, pay-per-view, licensed media).
API Design
Standards for describing and building APIs: OpenAPI, GraphQL, gRPC, AsyncAPI5 specsOpenAPI is the de-facto standard for API documentation, code generation, mock servers, and contract testing. Most APIs you build should have an OpenAPI spec.
GraphQL solves over-fetching and under-fetching in complex UIs. If your frontend needs flexible, composable data queries across multiple entity types, GraphQL is the tool.
gRPC is the dominant service-to-service RPC in polyglot microservices. Smaller payloads and faster than JSON/REST for high-throughput internal APIs.
Protobuf is the wire format for gRPC and many high-performance internal APIs. Schemas are also used for event/message contracts in Kafka/pubsub systems.
If you have event-driven systems (Kafka, RabbitMQ, WebSocket APIs, IoT), AsyncAPI is the description format. Analogous to OpenAPI for async what OpenAPI is for REST.
Durable Execution & Workflows
Long-running, stateful application logic that survives crashes and restarts: event-sourced replay, durable timers, idempotent steps, and resumable streams. Covers Workflow DevKit (use workflow / use step), Temporal, AWS Step Functions / Amazon States Language, Cloudflare Workflows, and the underlying event-sourcing pattern.10 specsWDK is the durable-execution model arriving inside the JavaScript ecosystem proper: instead of writing a state machine, you write `async` code with two extra string directives and you get crash-safe, resumable, retry-aware, observable workflows. If you're building AI agents, multi-step background jobs, human-in-the-loop flows, or anything that previously needed BullMQ + a state machine + careful idempotency, WDK collapses that into a single mental model. Even if you don't pick WDK specifically, the directives + replay model are the durable-execution pattern Temporal pioneered and Cloudflare/Restate/DBOS now ship β knowing one teaches you the rest.
If you remember one thing about durable execution, remember this: workflow code runs many times and the event log decides what's real. That single fact explains every WDK rule β why steps must be idempotent, why you can't read `Date.now()` directly in a workflow, why parameters are passed by value, why mutating an object inside a step doesn't propagate, and why bundlers occasionally bite you. Internalize the replay model and the rest of WDK (and Temporal, and Cloudflare Workflows) becomes obvious.
These are the primitives that make durable workflows worth their cost. Anything you'd previously implement with a cron job, a state column, a polling loop, or a queue + scheduled job collapses into ordinary linear code. Human-in-the-loop, long-running approval flows, multi-day onboarding sequences, and "call a tool then wait for the user" agent patterns all fall out of `sleep` + `createWebhook` for free.
AI chat UIs and agent dashboards need two things at once: streaming responses for perceived speed, and durable state so a reload doesn't lose the conversation. Workflow DevKit's resumable streams give you both β the same writer that powers `streamText`-style UX is also the workflow's persisted output. If you've ever lost an in-progress LLM response to a refresh, this is the fix.
Durable execution removes the "did the request actually go through?" anxiety, but only if your steps are idempotent. The single most common WDK / Temporal / Step Functions bug is a non-idempotent step that sends two emails on retry. Treat steps like HTTP PUTs: design them to be safely repeatable, key your side-effecting external calls with a deterministic id, and the rest of the model takes care of itself.
Temporal is the prior art every durable-execution framework is measured against. If you're picking a workflow runtime, evaluating WDK, or reading a paper on durable execution, the Temporal model β workflows + activities + signals + timers + event history β is the vocabulary. Even if you choose WDK or Step Functions for a specific stack, understanding Temporal makes their tradeoffs legible (sandbox restrictions vs full Node, hosted runtime vs self-host, JSON DSL vs code).
Step Functions is the most widely deployed durable-execution runtime, and ASL is the JSON contract under it. If you ever need a state machine to coordinate Lambdas, run a Saga, or fan out parallel work in AWS, you'll write ASL β and unlike WDK or Temporal it's a declarative DSL, not code, which is both its strength (visualizable, statically inspectable) and its weakness (loops and dynamic control flow are awkward). Worth knowing as the canonical "workflow as JSON" comparison point.
Most "my workflow exploded after a deploy" reports come down to something non-serializable hiding in a step argument or return value. Treat the boundary like an API: pass plain data, return plain data, do all I/O and mutation inside steps, and never assume an object reference survives. Same discipline applies to Temporal activities and Step Functions tasks β it's a property of event-sourced replay, not a WDK quirk.
If your stack is on Cloudflare Workers, Cloudflare Workflows is the native durable-execution option β no extra infra, billed alongside Workers, and able to call other Workers/D1/R2/Queues directly. Useful comparison point for WDK: same model, different runtime constraints. Worth knowing both to pick the right tool and to recognize the durable-execution pattern as it spreads across edge platforms.
The deeper pattern under every durable-execution runtime. If you understand event sourcing, you understand why a WDK workflow function runs over and over and gets the same answer, why steps must be deterministic on the workflow side, and why activities/steps can be retried freely. Also useful in its own right β for ledgers, audit logs, CQRS read models, and any system where "how did we get to this state?" is a real question.
Every email your company sends or receives goes through SMTP. You need this to configure mail servers, debug delivery failures, and understand SPF/DKIM/DMARC.
The structure of every email header you've ever seen is defined here. Essential for email deliverability debugging and understanding DKIM header signing.
Your email client (Outlook, Gmail app, Thunderbird, Apple Mail) uses IMAP or JMAP to read mail. Essential for mail server configuration and client integration.
Without a correct SPF record, your domain's email will fail or be deferred by major receivers (Gmail, Outlook). Set correctly as part of basic email deliverability.
DKIM is required to pass DMARC. Without it, your email won't be trusted by major providers. Set up alongside SPF as part of any serious email configuration.
VPN & Tunneling
Encrypted tunnels and virtual private networks: IPsec, IKEv2, WireGuard, GRE, L2TP10 specsIPsec is the dominant VPN technology for enterprise site-to-site links (AWS VPN, Azure VPN Gateway, on-prem firewalls). Understanding tunnel vs transport mode, SAs, and the SPD is essential for configuring and debugging VPN connectivity.
ESP is the workhorse of IPsec β every encrypted VPN tunnel uses it. When your cloud VPN shows 'Phase 2 SA established', that's an ESP SA. Understanding ESP's SPI, sequence numbers, and algorithm negotiation is key to VPN troubleshooting.
IKEv2 is how IPsec tunnels are established and rekeyed. Every cloud VPN gateway (AWS, GCP, Azure), enterprise firewall, and mobile VPN client uses IKEv2. Phase 1/Phase 2 failures are the #1 VPN debugging scenario.
WireGuard is replacing IPsec and OpenVPN for most new VPN deployments. Its simplicity (~4,000 lines of kernel code vs 400,000+ for OpenVPN/IPsec) makes it auditable. Used by Tailscale, Mullvad, Mozilla VPN, and most modern VPN services.
AH is mostly historical β ESP does everything AH does and adds encryption. However, AH appears in legacy configurations and exam material. Understanding why it was replaced helps explain modern IPsec design decisions.
GRE is the standard tunneling protocol for carrying routing protocols (OSPF, EIGRP) across IPsec links. AWS Transit Gateway, SD-WAN overlays, and many enterprise networks use GRE+IPsec. Also the basis for PPTP's data channel.
L2TP/IPsec was the default VPN protocol on every major OS for a decade. Understanding L2TP explains why many legacy VPN deployments use UDP port 1701, why they're always paired with IPsec, and how they differ from pure IPsec tunnel mode.
Mobile VPN clients constantly switch networks (Wi-Fi to cellular, roaming between APs). Without MOBIKE, every IP change tears down the VPN and forces a full IKEv2 re-handshake. MOBIKE is why modern mobile VPN clients reconnect instantly.
PPTP is a cautionary tale in protocol design. Understanding why it's broken (DES key space in MS-CHAPv2, RC4 key reuse in MPPE) teaches important lessons about protocol-level cryptographic failures. Never deploy it.
The IPsec RFC ecosystem is large and interconnected. When you need to find the right RFC for a specific algorithm, extension, or use case, this roadmap saves hours of cross-referencing.
Blockchain & Web3
Decentralized protocols and standards: EIPs/ERCs, BIPs, DIDs, Verifiable Credentials18 specsAll Ethereum JSON-RPC APIs (Infura, Alchemy, local nodes, MetaMask) use JSON-RPC 2.0. You need to know the protocol to interact with EVM chains.
Understanding EIP-1 gives you the map for reading all other EIPs. Know which type a given EIP is (Core, Networking, Interface, ERC) and what Final vs Draft status means.
ERC-20 is the most widely deployed standard in the Ethereum ecosystem. Every DeFi integration, exchange, and wallet interacts with ERC-20 tokens constantly.
NFTs, digital ownership, gaming assets, and on-chain certificates all use ERC-721. The standard that launched the NFT market.
EIP-712 is the standard for secure off-chain message signing used in permit() flows, meta-transactions, and Sign-In with Ethereum. Prevents blind signing attacks.
EIP-1559 is how Ethereum gas fees work since London fork (2021). Required knowledge for estimating transaction costs, building gas estimation into apps, and understanding ETH supply.
SIWE is the Web3 equivalent of Sign-In with Google. Enables dApps to authenticate users via their Ethereum address without a password, using their wallet signature.
Every modern cryptocurrency wallet (Ledger, Trezor, MetaMask, Coinbase Wallet) uses BIP-32 for key derivation. The foundation of the seed phrase model.
Seed phrases are the primary backup mechanism for all HD wallets. BIP-39 defines the 12/24 word format, wordlist, and checksum β everything about the backup experience.
Derivation paths determine which addresses you get from a seed phrase on each chain. BIP-44 paths (m/44'/60'/0'/0/0 for ETH) explain why the same seed gives different addresses on different wallets.
EIP-4337 is the deployed standard powering smart wallets across Base, Optimism, Arbitrum, and Polygon (Coinbase Smart Wallet, Safe{Core}, Biconomy, Pimlico, Alchemy AA). Required knowledge for building AI agents that pay gas through Paymasters, gasless onboarding flows, and any wallet experience that doesn't start with "buy ETH first."
DIDs are the foundation of self-sovereign identity (SSI) and Web3 identity. They underpin Verifiable Credentials, Sign-In with Ethereum, and many blockchain identity schemes.
The W3C standard for digital credentials. Increasingly important for identity verification, age proofs, academic credentials, and government ID use cases.
More gas-efficient than deploying separate ERC-20 + ERC-721 contracts. Standard for gaming, semi-fungible assets, and multi-edition NFTs.
Every NFT's display (image, name, description, traits) is driven by this metadata schema. Off-chain storage of this JSON (IPFS, Arweave, HTTP) is a critical design decision.
EIP-191 is the foundation under every off-chain Ethereum signature you've ever validated β personal_sign, EIP-712, SIWE, x402, EIP-3009, and EIP-2612 all sit on top of it. Knowing the version bytes is essential when verifying signatures server-side or debugging signature mismatches.
EIP-2612 is how DEXes, lending protocols, and meta-tx relayers achieve gasless approvals. If you're integrating ERC-20s into any UX where the user shouldn't need ETH first, permit() is the canonical solution. DAI, USDC, and most modern stablecoins implement it.
EIP-3009 is the gasless transfer primitive USDC uses on Ethereum and Base. It's the on-chain mechanism behind the x402 "exact" scheme: the buyer signs an authorization, the seller (or facilitator) submits it on-chain to settle. If you're building anything that spends USDC on behalf of a user without them paying gas, this is the spec.
HTTP Payments
Machine-payable APIs and agent payment protocols layered on HTTP 402: x402, L402, and gasless stablecoin authorization flows2 specsx402 is the leading candidate for the agent-economy payment rail: it lets an AI agent (or any HTTP client) pay for an API call inline, with no API key, no signup, and no human-in-the-loop. If you're building agentic apps, paid MCP servers, per-request data products, or anything where "charge for this request without a session" matters, x402 is the standard to know β supported by Coinbase, Cloudflare, Vercel AI Gateway, and a growing facilitator ecosystem.
L402 is the Bitcoin-native counterpart to x402: same HTTP 402 surface, but settled off-chain on Lightning instead of on-chain via stablecoins. Useful when you need true micropayments (sub-cent), instant finality without facilitators, and Bitcoin economics. Powers paid LLM access (e.g. Fewsats), paid storage gateways, and a small but real ecosystem of metered Lightning APIs.
Physical & Link Layer
Wired and wireless link-layer protocols: Ethernet (802.3), Wi-Fi (802.11), VLANs, and port-based access control5 specsEvery server, switch, and cloud datacenter runs on Ethernet. Understanding frames, MTU, VLANs, and flow control prevents subtle performance and networking bugs.
VLANs are how you segment networks in every datacenter and enterprise. You'll hit 802.1Q any time you configure a switch, provision cloud VPCs, or troubleshoot inter-tenant isolation.
802.1X is how enterprises authenticate devices before allowing network access. Required knowledge for corporate Wi-Fi, VPN alternatives, and zero-trust network access designs.
Wi-Fi 6/6E is the current enterprise and consumer wireless standard. OFDMA and TWT are especially relevant for dense IoT deployments and high-density venues like offices and stadiums.
Wi-Fi 7 is arriving in enterprise and consumer hardware now. MLO's simultaneous multi-band operation fundamentally changes how wireless latency and throughput scale.
Cellular Networks
Mobile network generations and standards: GSM/2G, UMTS/3G, LTE/4G, 5G NR, and IoT cellular (LTE-M, NB-IoT, eSIM)7 specsLTE is the dominant global mobile network. VoLTE, QoS bearers, and EPC architecture are directly relevant when building mobile-connected applications, IoT modules, or carrier infrastructure.
5G is the foundation for edge compute, private networks, URLLC industrial automation, and mmWave backhaul. Understanding network slicing, SA vs NSA deployment modes, and QoS flows is critical for 5G-connected application design.
GSM underpins SMS delivery, international roaming, and network fallback. Understanding A-interface, MSC, and MSISDN is essential for any telecom or SMS gateway integration.
LTE-M is the go-to for IoT devices needing voice, mobility, and moderate data rates on cellular. PSM and eDRX power modes directly affect battery life design in firmware and device management.
NB-IoT is the cellular choice for deep coverage (underground, rural) and ultra-low-power IoT: smart meters, agricultural sensors, and asset trackers. NIDD and CoAP integration are key design decisions.
eSIM is now standard in smartphones (iPhone XR+, Android flagships), laptops, and cellular IoT modules. Understanding SGP.22 RSP is essential for telecom apps that provision cellular connectivity programmatically.
UMTS/HSPA was the bridge from 2G voice to mobile internet. IMS architecture from UMTS carries forward into LTE VoLTE. Understanding HSPA variants helps debug mobile data fallback scenarios.
Telephony & VoIP
Voice over IP signaling and media: SIP, SDP, RTP, SRTP, Opus, G.711, and E.164 number addressing12 specsEvery phone number your app touches β Twilio, AWS SNS, WhatsApp, SIP β uses E.164. Getting number formatting and parsing right (libphonenumber patterns) requires understanding CC/NDC/SN structure.
SIP is the PSTN of the internet. Every VoIP platform (Twilio, Vonage, AWS Chime, Asterisk, FreeSWITCH) speaks SIP. Building any communications product requires understanding INVITE flows, registration, and codec negotiation via SDP.
SDP is the handshake language between any two endpoints setting up a call. WebRTC, SIP, and RTSP all use it. You can't debug codec mismatches, ICE failures, or video call setup without reading SDP.
RTP carries all real-time media: VoIP, WebRTC, live video, and video conferencing. Understanding SSRC demultiplexing, jitter buffers, and RTCP feedback loops is essential for any media application.
Any media you send over the internet should be encrypted. SRTP is the protocol. In WebRTC it's automatic via DTLS-SRTP; in SIP deployments you must configure it explicitly. Know it when auditing VoIP security.
Opus is the codec for real-time audio on the internet. WebRTC mandates it; Discord, Zoom, and most VoIP apps use it. Understanding bitrate, FEC, and frame sizing directly impacts audio quality and bandwidth.
SIP over WebSocket is how browser-based softphones and WebRTC-SIP gateways work. If you're building a web-based communications app that bridges to PSTN or SIP trunks, this is the transport spec.
G.711 is the common denominator of telephony. Every PSTN gateway and legacy SIP trunk speaks G.711. When codec negotiation fails and you're left with 64 kbps PCM, this is why.
ENUM is how SIP networks look up where to route a call to a phone number. Essential for VoIP providers, number portability implementations, and understanding how PSTN-to-SIP calls are routed.
H.323 remains in enterprise video conferencing (Cisco, Polycom legacy endpoints) and some carriers. Understanding it is necessary when integrating with legacy infrastructure or gateways.
G.722 is the standard for HD voice in SIP and enterprise telephony. When you enable 'HD Voice' on a SIP trunk, G.722 is typically what's negotiated. Essential for enterprise UC deployments.
AMR-WB is mandatory for VoLTE β every LTE voice call uses it. Understanding rate adaptation and the AMR payload format (RFC 4867) is essential for mobile VoIP and operator codec policy.
Messaging Protocols
Text and rich messaging standards: SMS, MMS, RCS, XMPP, and Matrix federated messaging6 specsSMS is how billions of people receive OTP codes, alerts, and notifications. Understanding PDU format, encoding (GSM-7 vs UCS-2), and concatenation is essential for any platform sending SMS at scale via Twilio, AWS SNS, or direct SMPP.
RCS is replacing SMS for brand messaging, OTP, and consumer engagement. Every major US/EU carrier now supports RCS Universal Profile. If you build SMS communications today, you need to understand RCS UP for 2025+ deployments.
XMPP powers enterprise messaging (Cisco Jabber), IoT device management, and many open federated chat systems. WhatsApp internally uses a modified XMPP protocol for message delivery.
The roster and subscription model in RFC 6121 defines how federated chat contacts work. Essential for implementing XMPP clients, servers, or S2S (server-to-server) federation between XMPP deployments.
Matrix is the modern alternative to XMPP for federated messaging: bridges to Discord/Slack/WhatsApp, end-to-end encryption by default, and full decentralization. Used by the German government, French public sector, and Mozilla.
MMS is still widely used for group messaging (iMessage fallback on non-Apple devices), marketing images, and vCards. Understanding MM7 (application-to-MMSC API) is needed when integrating with carrier MMS gateways.
IoT Protocols
Machine-to-machine and IoT application protocols: CoAP, MQTT, LwM2M, Matter, Zigbee, LoRaWAN, and Thread8 specsCoAP is the HTTP of the IoT world β same REST semantics, fraction of the overhead. Used in NB-IoT NIDD, LwM2M device management, and any embedded system where TCP overhead is prohibitive.
MQTT is the dominant IoT messaging protocol. AWS IoT Core, Azure IoT Hub, Google Cloud IoT, HiveMQ, and Mosquitto all speak MQTT. Understanding QoS levels (0/1/2), retained messages, and LWT (Last Will and Testament) is essential for any IoT backend.
Matter is the end-state for smart home interoperability. Any connected home product launched today needs Matter support. Understanding commissioning, fabric topology, and the data model is essential for IoT product developers.
LwM2M is the SNMP of IoT: the standard way to provision, monitor, and update IoT devices at scale. Used by major LPWA module vendors (Sierra Wireless, Telit, u-blox) for carrier-managed device lifecycle.
Zigbee is installed in hundreds of millions of devices. Smart lighting (Hue, IKEA TrΓ₯dfri), home hubs (SmartThings, Home Assistant), and building automation all use it. Understanding ZCL clusters and coordinator setup is required for integrations.
LoRaWAN is the leading non-cellular LPWA technology for agriculture, smart cities, asset tracking, and utility metering. The Things Network provides global coverage. Understanding OTAA, ADR, and downlink duty cycle is essential for LoRaWAN application design.
Thread is the networking layer under Matter β when you see Matter over Thread, Thread is doing the mesh networking. Understanding the border router, DTLS commissioning, and leader/router/end-device roles is required for Matter deployments.
Z-Wave is strong in smart locks, sensors, and dimmers β especially from legacy vendors. Integration with Home Assistant, SmartThings, or Z-Wave JS requires understanding mesh inclusion and command classes.
Network Management & AAA
Device management, configuration, and access control: SNMP, NETCONF, YANG, RESTCONF, RADIUS, DIAMETER, TACACS+, gNMI8 specsRADIUS is the AAA protocol behind every enterprise Wi-Fi login, VPN authentication, and 802.1X deployment. FreeRADIUS, Cisco ISE, and Aruba ClearPass all implement it. Essential for understanding corporate network access and SSO integration.
SNMP remains the universal monitoring protocol for network equipment: routers, switches, UPS, servers. Every NOC and network monitoring tool (Zabbix, Nagios, LibreNMS) speaks SNMP. Understanding OID trees, MIB compilation, and USM vs community strings is essential for network operations.
NETCONF replaced manual CLI for network device configuration in most modern SD-WAN, carrier, and enterprise deployments. Understanding datastores, capabilities, and YANG-driven RPC is essential for network automation.
YANG is to NETCONF what JSON Schema is to REST APIs β it describes the data model. Any network automation work with modern devices (Juniper, Cisco IOS-XR, Nokia SR-OS) requires reading and writing YANG models.
RESTCONF brings network device management to the HTTP/JSON world. Most modern network OSes (Cisco IOS-XE 16.6+, Junos 17.3+, Nokia SR-OS) support it. If you prefer REST over SSH/XML for network automation, this is your interface.
Diameter is the AAA backbone of LTE and IMS networks. If you build carrier infrastructure or work on 4G/5G billing and policy enforcement, you'll encounter Diameter on the S6a, Rx, Gx, and Gy interfaces.
TACACS+ is the standard for managing network infrastructure logins. Cisco, Juniper, and Aruba devices all support it. Any NOC that uses TACACS+ via Cisco ISE or Tac_Plus needs engineers who understand the AAA separation model.
gNMI is replacing SNMP for modern network monitoring: lower latency, higher efficiency, native streaming telemetry. Arista, Cisco (IOS-XR, IOS-XE), Juniper, and Nokia all support gNMI. Key for network observability pipelines (Telegraf, gnmic).
Routing Protocols
Inter- and intra-domain routing: BGP-4, OSPF, IS-IS, MPLS, Segment Routing, EVPN, and BFD8 specsBGP stitches the internet together β every AS, CDN, cloud provider, and multi-homed network runs it. Understanding AS path, communities, and prefix aggregation is essential for cloud networking, CDN design, and any serious network engineering role.
OSPF is the interior routing protocol of choice for enterprise and carrier networks. Understanding area design, LSA types, and SPF convergence is essential for data center networking, WAN design, and network certification paths.
MPLS is the forwarding substrate of carrier networks, MPLS VPNs, and traditional WAN services. Understanding FEC, LDP, and LSP concepts is essential for service provider or enterprise WAN networking.
SR is replacing RSVP-TE and MPLS LDP in modern SD-WAN, 5G transport, and hyper-scale DC networks. Cisco, Juniper, Nokia, and Arista have all standardized on it. Essential for modern network engineering.
BFD is how networks achieve sub-second failover β without it, BGP takes 90+ seconds to detect a peer failure. Any high-availability design (active-active DC, SD-WAN, carrier) relies on BFD for fast convergence.
OSPFv3 is required for IPv6 network deployments. If you're dual-stacking or going IPv6-only, you'll need OSPFv3 alongside or replacing OSPFv2.
IS-IS is the IGP of choice in most Tier-1 and Tier-2 carrier networks and large-scale DC fabrics (Meta, Amazon). It runs under BGP in many hyperscale designs. Essential for service provider and large-scale DC networking roles.
EVPN-VXLAN is the fabric technology in modern hyperscale and enterprise data centers. Arista, Cisco (ACI), and Juniper (QFX) use it. Understanding MAC/IP type-2 routes and ARP suppression is key for data center network engineering.
CPU Architectures & ISAs
Instruction set architectures and processor specifications: RISC-V, AArch64 (Arm), x86-64, and POWER ISA5 specsRISC-V is the only fully open, royalty-free ISA gaining mainstream adoption β in SiFive/StarFive SoCs, SSD controllers, RISC-V Linux, and embedded MCUs. The base spec is required reading for anyone doing hardware or firmware on RISC-V.
AArch64 now dominates mobile (every smartphone), Apple Silicon (M-series Macs, iPad), and increasingly servers (AWS Graviton3/4, Ampere Altra, Neoverse). Cross-compilation, performance tuning, and assembly work all require knowing the ISA.
x86-64 dominates server (cloud compute), desktop, and laptop computing. Understanding the SDM is required for OS development, JIT compilation, security research, and any performance-critical native code.
Required for any OS kernel, hypervisor, or firmware work on RISC-V. Every RISC-V Linux port, OpenSBI, U-Boot, QEMU model, and Keystone security monitor implements this spec.
POWER runs mission-critical IBM mainframe-class workloads. Required for AIX, IBM i (AS/400), and Linux-on-POWER development, and for anyone building compilers or tools targeting POWER.
OS Interfaces & ABIs
Operating system interfaces and application binary interfaces: POSIX, ELF, calling conventions, and debug info formats7 specsPOSIX defines the lingua franca of Unix/Linux systems programming. Every system call pattern, signal handler, file descriptor idiom, and shell script convention in the Linux/macOS world comes from this spec.
Every C/C++/Rust/Go/Swift program on x86-64 Linux follows this ABI. Understanding it is essential for FFI bindings, inline assembly, debugger step-over logic, and compiler backend development.
Every function call on AArch64 (Apple Silicon, Android arm64, AWS Graviton) follows AAPCS64. Required for correct assembly, FFI bindings from any language, and compiler backend targeting Arm64.
Every compiled binary on Linux is ELF. Understanding ELF is essential for debugging, reverse engineering, dynamic linking, build toolchains, binary patching, and tools like readelf, objdump, ldd, and patchelf.
Required for writing RISC-V assembly, setting up cross-compilation toolchains, or building compilers and OSes targeting RISC-V.
Every debugger, profiler, crash reporter, and sanitizer on Linux/macOS reads DWARF. Understanding it is critical for improving build-time debug quality, diagnosing toolchain issues, and building custom binary analysis tools.
LSB defines what 'Linux-compatible binary' means in practice. Critical for ISVs shipping pre-compiled software across distros and for understanding minimum glibc version requirements in cross-distro deployments.
Firmware & Platform
Pre-OS firmware and platform standards: UEFI, ACPI, SMBIOS, and TPM β the foundation software below the OS4 specsEvery modern x86-64 and AArch64 server, workstation, and PC uses UEFI. Required for OS development, bootloader work (GRUB, systemd-boot, shim), Secure Boot policy, and firmware engineering.
ACPI is how every OS discovers hardware topology, manages CPU power states, handles thermal throttling, and receives platform events. Required for kernel, power management, and firmware development on all modern x86/Arm platforms.
TPM 2.0 is the hardware root of trust for modern Secure Boot, disk encryption, remote attestation, and zero-trust device health verification. Understanding it is essential for enterprise security architecture and cloud confidential computing.
SMBIOS is how software reads hardware inventory: CPU model, RAM config, system UUID, and BIOS version. Cloud hypervisors inject SMBIOS tables to identify instance type; asset management tools harvest them for CMDB population.
Hardware Interfaces
Hardware bus and I/O standards: PCIe, USB, NVMe, and SATA β the protocols that connect CPUs to peripherals and storage3 specsPCIe is the universal high-speed peripheral bus. Understanding lane width, bandwidth, BAR mapping, and MMIO is essential for GPU compute (CUDA/ROCm), NVMe performance tuning, SR-IOV NIC virtualization, and DPDK kernel-bypass networking.
USB is the universal connector. Understanding USB PD for 240W power delivery, USB4 tunneling for Thunderbolt docks, and USB 3.x throughput tiers is essential for hardware-connected software, embedded development, and device driver work.
NVMe is the interface for all modern SSDs. Understanding queue depth, namespace management, ZNS for log-structured workloads, and NVMe-oF for disaggregated storage is required for storage system design, cloud storage backends, and OS I/O subsystem work.