$ open public_api

API sandbox

The same Fastify service that powers the live telemetry dashboard also exposes three public, rate-limited endpoints you can poke at. Every call you make below is a real round-trip — full status, headers and timing are surfaced inline so the demo isn't a screenshot.

login → token → use → tamper

Walk through the JWT round-trip. The server hardcodes demo / demo, signs a 15-minute Bearer token, and only releases the protected payload when a valid signature is presented. Try tampering with the signature at the end to see the reject path.

  1. 1

    Exchange creds for a token

    Try to see the 401 path.

  2. 2

    Decode the token (client-side, just base64)

    (Run step 1 first.)

  3. 3

    Use it: Authorization: Bearer …

  4. 4

    Tamper with the token

    Flip a character of the signature → server's HMAC verification fails → 401. The payload itself is untouched, which proves the signature is what's actually trusted.

API base: https://portfolio-api-wvjy.onrender.com

Request log

0 requests

Click a step above to fire the matching request — login, verify, protected, or tamper.