OAuth 2 Flow Network Drawing for Executive Infographic

Tech architecture infographic titled "OAuth 2 Flow" — PROTOCOL HANDSHAKE (numbered exchanges). Create a minimal flat network drawing for a non-technical executive audience, showing a clear left-to-right handshake with labeled boxes and directional arrows. Include these boxes as clean vector panels with simple icons, English names, and one-line English role descriptions: 1) User Browser — "End-user app that starts sign-in and receives redirects"; 2) Client Application / Web App — "Frontend or backend app requesting delegated access"; 3) Authorization Server — "Authenticates user and issues authorization code and tokens"; 4) API Gateway / Resource Server — "Validates access token and serves protected data"; 5) Token Store DB — "Persists clients, grants, token metadata, and consent records"; 6) Cache — "Stores short-lived session or token validation data"; 7) Queue — "Handles asynchronous audit or notification events". Use arrows with short English labels for each numbered exchange: (1) Browser → Client Application: "Open sign-in page over HTTPS"; (2) Client Application → Browser: "302 redirect to Authorization Server"; (3) Browser → Authorization Server: "Authorization request: client_id, scope, redirect_uri, response_type=code"; (4) Authorization Server ↔ Token Store DB: "Read client, user session, consent"; (5) Authorization Server → Browser: "302 redirect with authorization code"; (6) Browser → Client Application: "Return with authorization code"; (7) Client Application → Authorization Server: "POST /token over HTTPS with authorization code"; (8) Authorization Server ↔ Token Store DB: "Validate code, client, redirect URI"; (9) Authorization Server → Client Application: "200 OK with access token, optional refresh token, token_type"; (10) Client Application → Cache: "Store short-lived token/session data"; (11) Client Application → API Gateway / Resource Server: "HTTPS API request with Bearer JWT access token"; (12) API Gateway / Resource Server ↔ Cache: "Token introspection cache lookup"; (13) API Gateway / Resource Server → Client Application: "200 OK JSON response or 401 Unauthorized"; (14) Authorization Server / API Gateway → Queue: "Audit event / login event". Make the OAuth 2 sequence technically accurate and executive-friendly: emphasize authorization code flow, redirects, token exchange, protected API access, and optional cache/queue support; avoid implying this is an audited or complete security reference architecture. Add subtle numbered badges near arrows to match the handshake order. Include a numbered legend 1-7 in English summarizing the lifecycle: 1. "User opens the application and chooses to sign in" 2. "The app redirects the browser to the Authorization Server" 3. "The user authenticates and grants consent" 4. "The Authorization Server returns an authorization code" 5. "The app exchanges the code for an access token" 6. "The app calls the protected API with the Bearer token" 7. "The API returns data and systems record audit events". Visual style: editorial developer-blog illustration, isometric or flat tech-diagram style, vector-clean infographic layout. Use a minimal flat composition, generous whitespace, crisp outlines, rounded rectangles, simple protocol icons, light grid background, and a modern network-diagram feel. Color palette: developer pink and teal with soft neutrals, off-white background, teal arrows for primary request path, pink highlights for authorization and token steps, muted gray for storage/support systems. Add small generic cloud icons only where helpful, with no vendor branding. Keep all labels concise, readable, and business-friendly. All text MUST be written in English (array). Every heading, label, caption, legend and metric name in the image must be in English — not English. Spell each English word correctly using English characters and diacritics. Numbers stay as digits, no real cloud-vendor logos (AWS / GCP / Azure) — use generic cloud icons, no watermarks No real cloud-vendor logos (AWS, GCP, Azure) beyond generic cloud icons. Common protocol names (HTTPS, TCP, JWT, OAuth, REST, GraphQL) stay in canonical English form. No security-claim overstatements (do not present diagrams as audited reference architectures).