Auth Token Inspector

Inspect authentication scenarios and choose safe backend decisions for tokens, scopes, sessions, CSRF, and object-level authorization.

Concept
Authentication, authorization, sessions, and token safety
Difficulty
Intermediate
Play time
6-9 minutes
Path
Foundations
Play, get feedback, save local progress, and optionally submit a leaderboard score.

Concept explanation

Backend auth bugs often happen when identity, permission, session state, and browser protections are blended together. This game asks you to inspect realistic request evidence and choose the backend response that keeps users and data safe.

Your local progress

Progress, review history, and best scores are stored in this browser with localStorage.

Playable game area

Use the controls below. Feedback appears immediately, and final scores are stored locally.

Leaderboard

Top 10 submitted scores. No account required.

Learning objectives

• Separate authentication failures from authorization failures.
• Recognize token expiration, missing scopes, CSRF risk, and session fixation risk.
• Apply object-level authorization instead of trusting a valid token alone.

How to play

1. Read the request, token/session evidence, and endpoint context.
2. Choose the safest backend decision.
3. Use the explanation to distinguish identity, permission, and browser protection problems.

Scoring

• Correct decisions add points and build a streak bonus.
• Incorrect decisions show the safer backend behavior.
• Finishing the round saves your best local auth decision score.

Backend concept notes

Authentication answers who the caller is. Authorization answers what that caller may do. A valid token is only the beginning of the backend security decision.

Browser sessions need extra care around CSRF, secure cookie attributes, and session rotation when privilege changes. APIs also need object-level checks to prevent IDOR-style access bugs.

Common mistakes

• Treating a valid JWT signature as permission for every object or action.
• Returning 401 for authenticated users who lack scope or ownership.
• Ignoring CSRF on cookie-authenticated write endpoints.
• Keeping the same session id after login or privilege escalation.
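The decision order the concept notes and common-mistakes list describe, as an added example that is not the game's own code: authenticate first (401), then check CSRF on cookie-authenticated writes, scope, and object ownership (each 403), and rotate the session id on login. The `Evidence` fields, scope names and session store are constructed assumptions for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Evidence:
    """Constructed per-request evidence, standing in for the game's token/session evidence."""
    method: str
    subject: Optional[str]             # identity from a verified token or session; None if absent
    token_valid: bool = True           # signature verified by the token library
    token_expired: bool = False
    scopes: frozenset = frozenset()
    cookie_auth: bool = False          # credentials arrived in a session cookie, not a bearer header
    csrf_ok: bool = False              # synchronizer / double-submit CSRF token matched
    owner: Optional[str] = None        # owner of the object the endpoint touches, if any


def decide(ev: Evidence, required_scope: str) -> int:
    """Return the HTTP status a safe backend would send for this request."""
    # 1. Authentication: no identity, bad signature or expired token is 401.
    if ev.subject is None or not ev.token_valid or ev.token_expired:
        return 401
    # 2. Browser protection: a cookie-authenticated state change needs CSRF proof.
    if ev.method not in SAFE_METHODS and ev.cookie_auth and not ev.csrf_ok:
        return 403
    # 3. Permission: the caller is known but lacks the scope, so 403, never 401.
    if required_scope not in ev.scopes:
        return 403
    # 4. Object-level authorization: a valid token does not grant another user's object.
    if ev.owner is not None and ev.owner != ev.subject:
        return 403
    return 200


def rotate_session(store: dict, old_sid: Optional[str], subject: str) -> str:
    """Issue a fresh session id at login or privilege change; the old id is discarded."""
    if old_sid is not None:
        store.pop(old_sid, None)
    new_sid = secrets.token_urlsafe(32)
    store[new_sid] = {"subject": subject}
    return new_sid
```

Returning 404 instead of 403 in step 4 is a common variant when confirming that an object exists is itself sensitive.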

FAQ

Short answers for how this game fits backend interview and study practice.

Should every auth failure be 401?

No. 401 means the caller needs valid authentication. 403 means the caller is authenticated but not allowed to perform that action.

Does JWT validation replace database authorization checks?

No. Tokens can carry claims, but object ownership and current permission rules often still need server-side checks.