permisynDeveloper guide →
Public red-team arena · no login

Try to break Permisyn.

This isn't a simulated demo. Both challenges below run through the exact same enforcement code every production call goes through — app.services.passport.check_call and app.services.signing.verify_signature. Every attempt is counted below. Nothing is hidden or reset.

Recent attempts — replay one live

Real attempts from real visitors — not staged. Replay resubmits the exact stored payload against the same live enforcement endpoint, so the outcome is a genuine new decision, not a cached result.

No attempts yet — be the first below.

Challenge 1 — sneak past the passport

The live target agent's Ed25519-signed passport only allows gpt-4o-mini via openai. Pick anything else and see if it gets through.

Challenge 2 — edit a signed receipt

This is a real Ed25519-signed receipt from the arena's org key. Edit any field below, then verify — the same check anyone runs on the public verify page.

Found a real bypass? security@permisyn.com — we want to know before anyone else does.