L The IntegrAuth Lab

The IntegrAuth Lab

Where our Academy runs for real.

You've simulated it in the Academy — now do it for real in the Lab. Prove an email, go fully passwordless with a passkey, inspect your real session, add a second factor, read a live JWT and trip a real rate limit — each with an X-ray of the actual server events.

For learners

Six guided practicals. Each one has you do the real thing — real passkeys, real sessions, real tokens — then shows the actual HTTP/DB reality in an X-ray timeline, cross-linked to the exact Academy lesson.

For teams evaluating IntegrAuth

The Lab is identity and API security implemented properly, in public — the same work we build for clients. What this app demonstrates:

Passwordless WebAuthn

Hand-rolled passkey registration & login — CBOR, COSE and ECDSA verification on WebCrypto, no library.

Hashed-at-rest sessions

Server-side sessions in D1; the cookie is __Host- prefixed and only the SHA-256 of the token is stored.

AES-GCM TOTP

RFC 6238 second factor with the seed encrypted at rest and step-replay defense.

Insert-only audit

Every flow writes a sanitized, append-only event — the data source behind the X-ray panel.

Strict CSP & headers

No unsafe-inline scripts, HSTS, frame-ancestors none, __Host- cookies — an A+ security posture.

API rate limiting

A fixed-window limiter with X-RateLimit headers and 429 Retry-After — the API-gateway pattern.