The IntegrAuth Lab
Where our Academy runs for real.
You've simulated it in the Academy — now do it for real in the Lab. Prove an email, go fully passwordless with a passkey, inspect your real session, add a second factor, read a live JWT and trip a real rate limit — each with an X-ray of the actual server events.
For learners
Six guided practicals. Each one has you do the real thing — real passkeys, real sessions, real tokens — then shows the actual HTTP/DB reality in an X-ray timeline, cross-linked to the exact Academy lesson.
For teams evaluating IntegrAuth
The Lab is identity and API security implemented properly, in public — the same work we build for clients. What this app demonstrates:
Passwordless WebAuthn
Hand-rolled passkey registration & login — CBOR, COSE and ECDSA verification on WebCrypto, no library.
Hashed-at-rest sessions
Server-side sessions in D1; the cookie is __Host- prefixed and only the SHA-256 of the token is stored.
AES-GCM TOTP
RFC 6238 second factor with the seed encrypted at rest and step-replay defense.
Insert-only audit
Every flow writes a sanitized, append-only event — the data source behind the X-ray panel.
Strict CSP & headers
No unsafe-inline scripts, HSTS, frame-ancestors none, __Host- cookies — an A+ security posture.
API rate limiting
A fixed-window limiter with X-RateLimit headers and 429 Retry-After — the API-gateway pattern.