Auth Token Inspector
Game | Auth | Intermediate | Authentication, authorization, sessions, and token safety
Tags: Auth, JWT, sessions, CSRF, authorization
Practice backend authentication and authorization decisions with an interactive game covering 401, 403, JWT expiration, scopes, CSRF, session rotation, and IDOR prevention.
/games/auth-token-inspector/
Inspect authentication scenarios and choose safe backend decisions for tokens, scopes, sessions, CSRF, and object-level authorization.
Concept: Authentication, authorization, sessions, and token safety
Difficulty: Intermediate
Play time: 6-9 minutes
Path: Foundations
practice/auth-token-inspector
Auth decision score
Play, get feedback, save local progress, and optionally submit a leaderboard score.
Concept explanation
Backend auth bugs often happen when identity, permission, session state, and browser protections are blended together. This game asks you to inspect realistic request evidence and choose the backend response that keeps users and data safe.
Your local progress
Progress, review history, and best scores are stored in this browser with localStorage.
Apply object-level authorization instead of trusting a valid token alone.
How to play
Read the request, token/session evidence, and endpoint context.
Choose the safest backend decision.
Use the explanation to distinguish identity, permission, and browser protection problems.
Scoring
Correct decisions add points and build a streak bonus.
Incorrect decisions show the safer backend behavior.
Finishing the round saves your best local auth decision score.
Backend concept notes
Authentication answers who the caller is. Authorization answers what that caller may do. A valid token is only the beginning of the backend security decision.
Browser sessions need extra care around CSRF, secure cookie attributes, and session rotation when privilege changes. APIs also need object-level checks to prevent IDOR-style access bugs.
Common mistakes
Treating a valid JWT signature as permission for every object or action.
Returning 401 for authenticated users who lack scope or ownership.
Ignoring CSRF on cookie-authenticated write endpoints.
Keeping the same session id after login or privilege escalation.
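The concept notes and the list of common mistakes above describe four separate backend questions: who the caller is (401), whether the caller may perform the action (403 on scope), whether a cookie-authenticated write carries a CSRF token, and whether the caller owns the object (403 on ownership). The following is an added example, not code from the game or the Backend Study Lab site, that puts those checks in order in one decision function. The token, session and resource tables are constructed sample data; the bearer lookup stands in for real JWT signature verification, and the route shape `/docs/<id>` is assumed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data standing in for a token verifier, a session store
# and a database. A real backend verifies the JWT signature instead of
# looking claims up by the opaque token string as done here.
NOW = 1_000_000  # fixed "current time" so the example is deterministic

TOKENS = {
    "tok-alice": {"sub": "alice", "scopes": {"docs:read", "docs:write"}, "exp": NOW + 600},
    "tok-bob":   {"sub": "bob",   "scopes": {"docs:read"},               "exp": NOW + 600},
    "tok-stale": {"sub": "alice", "scopes": {"docs:read", "docs:write"}, "exp": NOW - 1},
}
SESSIONS = {
    "sess-carol": {"sub": "carol", "scopes": {"docs:read", "docs:write"}, "csrf": "csrf-carol-1"},
}
RESOURCES = {"doc-1": {"owner": "alice"}, "doc-2": {"owner": "carol"}}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
REQUIRED_SCOPE = {"GET": "docs:read", "DELETE": "docs:write", "PUT": "docs:write"}


@dataclass
class Request:
    method: str
    path: str                        # assumed route shape: "/docs/<id>"
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def authenticate(req, now=NOW):
    """Who is calling? Returns (principal, None) or (None, reason) for a 401."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        claims = TOKENS.get(auth[len("Bearer "):])
        if claims is None:
            return None, "invalid token"
        if claims["exp"] <= now:
            return None, "token expired"
        return {"sub": claims["sub"], "scopes": claims["scopes"], "via": "token"}, None
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is not None:
        return {"sub": sess["sub"], "scopes": sess["scopes"],
                "via": "cookie", "csrf": sess["csrf"]}, None
    return None, "missing credentials"


def decide(req, now=NOW):
    """Return (status, reason) for a request against /docs/<id>."""
    principal, reason = authenticate(req, now)
    if principal is None:
        return 401, reason                       # identity unknown: 401, never 403

    # Browser protection: a cookie-authenticated write must carry the CSRF token
    # bound to the session. Bearer tokens are not attached automatically by
    # browsers, so the check applies to the cookie path only.
    if principal["via"] == "cookie" and req.method not in SAFE_METHODS:
        sent = req.headers.get("X-CSRF-Token", "")
        if not hmac.compare_digest(sent, principal["csrf"]):
            return 403, "csrf token mismatch"

    # Permission: does the caller hold the scope for this action?
    needed = REQUIRED_SCOPE.get(req.method)
    if needed is None:
        return 405, "method not allowed"
    if needed not in principal["scopes"]:
        return 403, f"missing scope {needed}"

    # Object-level authorization: a valid token with the right scope still only
    # reaches objects this caller owns (the IDOR check).
    parts = req.path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "docs":
        return 404, "no such route"
    doc = RESOURCES.get(parts[1])
    if doc is None:
        return 404, "no such object"
    if doc["owner"] != principal["sub"]:
        return 403, "not the owner"
    return 200, "ok"


def rotate_session(old_sid):
    """On login or privilege change: issue a fresh session id and CSRF token,
    carry the session data over and invalidate the old id."""
    data = SESSIONS.pop(old_sid)
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {**data, "csrf": secrets.token_urlsafe(32)}
    return new_sid


if __name__ == "__main__":
    print(decide(Request("DELETE", "/docs/doc-1", headers={"Authorization": "Bearer tok-bob"})))
    print(decide(Request("DELETE", "/docs/doc-2", cookies={"sid": "sess-carol"})))
```

The order of the checks is the point: identity first (401), then the browser-side CSRF check for cookie sessions, then scope, then ownership, so an authenticated caller who lacks scope or ownership is answered with 403 rather than 401, and a missing object is answered 404 before any ownership comparison is attempted.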