Authenticated per-user check

The homepage scan proves what an anonymous visitor can read. This one goes deeper: it logs in as two of your own test users and checks whether one can read the other’s rows. That is the horizontal privilege-escalation class (broken object-level authorization, BOLA), which stays invisible to an anonymous probe because the leak only appears once a request carries a valid user session. Because it authenticates as a real user, it runs only on a domain you’ve verified.

Test user A
Test user B (a different account)

Use two distinct, already-confirmed logins (not the anon or service key). For the strongest signal, make sure both accounts own some representative data — a leak is proven by user A reading user B’s rows.

Passwords are exchanged for short-lived access tokens the moment you submit and are never stored. We read only as user A; user B is signed in only to learn its id.
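The check described above, written out as an added Python example rather than the scanner's own code. It models the backend in memory (a constructed `Backend` with a handful of rows, a sign-in that issues a short-lived token, and an optional owner filter standing in for a row-level policy), signs in both test users, uses user B's session only to learn its id, and then reads as user A for rows owned by B. The `isolate_by_owner` flag lets the same script show both the leaking and the isolated configuration; all names, ids and rows are constructed for the example.

```python
"""Horizontal privilege-escalation (BOLA) check between two test users.

Everything here is constructed for illustration: the backend is an
in-memory stand-in, not a real API, and the users/rows are sample data.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Backend:
    """Minimal simulated data API with token-based sessions."""
    rows: list            # dicts with "id", "owner", "data"
    users: dict           # username -> password (sample accounts only)
    isolate_by_owner: bool = True   # True = per-row ownership policy enforced
    _tokens: dict = field(default_factory=dict)  # token -> (user_id, expiry)

    def sign_in(self, username: str, password: str) -> dict:
        """Exchange credentials for a short-lived access token (not stored beyond the session)."""
        if self.users.get(username) != password:
            raise PermissionError("invalid credentials")
        user_id = f"user-{username}"              # constructed id scheme
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user_id, time.time() + 300)   # 5-minute lifetime
        return {"access_token": token, "user_id": user_id, "expires_in": 300}

    def select(self, token: str, where=None) -> list:
        """Return rows visible to the token holder, optionally filtered."""
        user_id, expiry = self._tokens.get(token, (None, 0))
        if user_id is None or expiry < time.time():
            raise PermissionError("token missing or expired")
        visible = self.rows
        if self.isolate_by_owner:
            # The policy every request should be subject to: owner == caller.
            visible = [r for r in visible if r["owner"] == user_id]
        if where is not None:
            visible = [r for r in visible if where(r)]
        return visible


def check_cross_user_read(backend: Backend, cred_a: tuple, cred_b: tuple) -> dict:
    """Sign in as A and B, then read as A for rows owned by B.

    User B's session is used only to learn its id; no data is read with it.
    A non-empty result proves a leak. An empty result is only meaningful if
    user B actually owns rows, which the operator ensures beforehand.
    """
    session_a = backend.sign_in(*cred_a)
    session_b = backend.sign_in(*cred_b)
    b_id = session_b["user_id"]

    leaked = backend.select(session_a["access_token"],
                            where=lambda r: r["owner"] == b_id)
    own = backend.select(session_a["access_token"],
                         where=lambda r: r["owner"] == session_a["user_id"])
    return {
        "user_a": session_a["user_id"],
        "user_b": b_id,
        "a_own_rows_visible": len(own),
        "leaked_rows": len(leaked),
        "verdict": "LEAK" if leaked else "no cross-user read",
    }


def make_sample_backend(isolate_by_owner: bool) -> Backend:
    """Constructed fixture: alice owns one row, bob owns two."""
    rows = [
        {"id": 1, "owner": "user-alice", "data": "alice's note"},
        {"id": 2, "owner": "user-bob", "data": "bob's invoice"},
        {"id": 3, "owner": "user-bob", "data": "bob's address"},
    ]
    users = {"alice": "pw-alice", "bob": "pw-bob"}   # sample test accounts
    return Backend(rows=rows, users=users, isolate_by_owner=isolate_by_owner)


if __name__ == "__main__":
    creds_a, creds_b = ("alice", "pw-alice"), ("bob", "pw-bob")
    for isolated in (False, True):
        result = check_cross_user_read(make_sample_backend(isolated), creds_a, creds_b)
        print(f"owner policy enforced={isolated}: {result['verdict']} "
              f"({result['leaked_rows']} of B's rows readable by A)")
```

Run as-is it reports a leak for the unfiltered backend and a clean result once the owner filter is on. Against a real deployment the `Backend` methods would be replaced by the sign-in and query calls of the API under test; the structure of the check (authenticate both, read only as A, filter on B's id) stays the same.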