Practicals
Do the things the Academy simulates — for real. Completion is derived from the actual server events you generate, never self-reported.
P1
Prove an email is yours
Sign up with a one-time code — no link, no password.
P2
Go passwordless
Register a passkey, then sign back in with it.
P3
Anatomy of your session
Inspect a real session, then revoke one.
P4
Add a second factor
Enroll a TOTP authenticator (RFC 6238).
P5
Read your own token
Issue a real ES256 JWT, then tamper with it and watch verification fail.
P6
Hit a real rate limit
Hammer a demo endpoint and watch the fixed-window limiter fire a 429.