AuthGeek Demo
Try to Break It

Attack the live stack

Every other page here shows the happy path. This one fires four real attack attempts at the running stack — a forged token, a tier-escalation attempt, a request with no credentials at all, and a replay of a revoked session — and shows exactly which component caught each one: the gateway's signature check, OPA's policy, or the BFF's session store.

Every demo so far shows the happy path. This one fires the requests an attacker would actually try — against the real, running stack — and shows exactly which layer rejects each one. Nothing here is simulated: these are live HTTP calls to APISIX, OPA, and session-service.

The tier-escalation attempt needs a real basic.user token first (the other three work standalone).

Forged / tampered JWT

A JWT-shaped string claiming admin tier, never signed by Keycloak.

Tier escalation

Real basic.user token requesting an admin-only route.

Missing credentials

A protected route hit with no Authorization header at all.

Replay after logout (BFF)

Use a session_id again right after logging out with it.

Results

No attempts yet — pick one above.