Try to break Permisyn.
This isn't a simulated demo. Both challenges below run through the exact same enforcement code every production call goes through — app.services.passport.check_call and app.services.signing.verify_signature. Every attempt is counted below. Nothing is hidden or reset.
Recent attempts — replay one live
Real attempts from real visitors — not staged. Replay resubmits the exact stored payload against the same live enforcement endpoint, so the outcome is a genuine new decision, not a cached result.
No attempts yet — be the first below.
Challenge 1 — sneak past the passport
The live target agent's Ed25519-signed passport only allows gpt-4o-mini via openai. Pick anything else and see if it gets through.
Challenge 2 — edit a signed receipt
This is a real Ed25519-signed receipt from the arena's org key. Edit any field below, then verify — the same check anyone runs on the public verify page.
Found a real bypass? security@permisyn.com — we want to know before anyone else does.