# Phosra Developer Docs ## Docs - [Consult advisor](https://docs.phosra.com/api-reference/control-plane/consult-advisor.md): Dispatches a consultation to the best available advisor for the given capability domain. Returns a verdict and a consultation ID for audit purposes. If no suitable advisor is registered, verdict is `unavailable` with reason `no_advisor` — this is still a 200 response. - [Create API key](https://docs.phosra.com/api-reference/control-plane/create-key.md) - [Create MCP token](https://docs.phosra.com/api-reference/control-plane/create-mcp-token.md): Issues a new MCP token bound to the authenticated user's first family. The plaintext token (`plain`, prefix `phomcp_`) is returned once in `CreatedMcpToken` and never stored server-side — the caller must display it to the user immediately. - [Create organization](https://docs.phosra.com/api-reference/control-plane/create-org.md) - [Declare payload key](https://docs.phosra.com/api-reference/control-plane/declare-payload-key.md): Self-service possession-auth declaration. Authentication is by the advisor's registered Ed25519 signing key: the body must carry a detached signature over the exact `payload_public_key_jwk` string bytes plus a freshness timestamp. No bearer token scheme applies to this operation — authorization is e… - [Delete organization](https://docs.phosra.com/api-reference/control-plane/delete-org.md) - [Get organization](https://docs.phosra.com/api-reference/control-plane/get-org.md) - [Get usage](https://docs.phosra.com/api-reference/control-plane/get-usage.md) - [List API keys](https://docs.phosra.com/api-reference/control-plane/list-keys.md) - [List MCP tokens](https://docs.phosra.com/api-reference/control-plane/list-mcp-tokens.md) - [List members](https://docs.phosra.com/api-reference/control-plane/list-members.md) - [List organizations](https://docs.phosra.com/api-reference/control-plane/list-orgs.md) - [Regenerate API key](https://docs.phosra.com/api-reference/control-plane/regenerate-key.md): Issues a new secret for the given key, invalidating the previous secret. The raw secret (`key`) is returned only in this response. - [Register advisor](https://docs.phosra.com/api-reference/control-plane/register-advisor.md): Registers an advisor agent at provisional tier. For scope=global a DNS verification token is returned — publish it as a DNS TXT record at `_phosra-verify.` to complete ownership verification. An unrecognized capability name causes the request to be rejected with 400 (`unknown_capabi… - [Revoke API key](https://docs.phosra.com/api-reference/control-plane/revoke-key.md) - [Revoke MCP token](https://docs.phosra.com/api-reference/control-plane/revoke-mcp-token.md) - [Update organization](https://docs.phosra.com/api-reference/control-plane/update-org.md) - [Get provider connect config](https://docs.phosra.com/api-reference/providers/connect.md): Returns the OAuth endpoints `@phosra/link` uses to run the connect ceremony against a provider. This is the **Phosra product layer** of a two-layer resolution — it answers *how* to reach a provider. Whether you *may* connect is decided first by the OCSS Trust List (`/.well-known/ocss/trust-list`, ro… - [Bulk apply rules](https://docs.phosra.com/api-reference/rules/bulk-upsert-rules.md): Create or update multiple rules at once for a policy. Each rule in the array must include category, enabled, and config. - [Apply a rule to a policy](https://docs.phosra.com/api-reference/rules/create-rule.md) - [Delete a rule](https://docs.phosra.com/api-reference/rules/delete-rule.md) - [List a policy's rules](https://docs.phosra.com/api-reference/rules/list-policy-rules.md) - [Update a rule](https://docs.phosra.com/api-reference/rules/update-rule.md) - [Authentication](https://docs.phosra.com/authentication.md): Which credential to use — WorkOS AuthKit JWT, developer API key, or device key - [Children & Age Groups](https://docs.phosra.com/concepts/children-and-age.md): How Phosra models children and computes age-appropriate defaults - [Enforcement](https://docs.phosra.com/concepts/enforcement.md): How Phosra pushes policies to connected platforms — verification contract, polling, and the consumer vs developer surface - [Families](https://docs.phosra.com/concepts/families.md): How family groups work in Phosra - [Platforms & Enforcement Modes](https://docs.phosra.com/concepts/platforms.md): How GET /platforms signals honest enforcement capability — and what manual_attested means for your UI - [Policies & Rules](https://docs.phosra.com/concepts/policies-and-rules.md): How policies organize rules across 123 OCSS rule categories - [Strictness Levels](https://docs.phosra.com/concepts/strictness-levels.md): How strictness presets affect rule generation - [Errors](https://docs.phosra.com/errors.md): HTTP status codes, error response format, and rate limiting - [Billing Model](https://docs.phosra.com/integration/billing.md): Phosra charges providers per distinct linked family (the FamilyMeter). Platforms pay nothing. The safety/enforcement path is never metered and never blocked. - [CLI Quickstart](https://docs.phosra.com/integration/cli.md): The fastest path to a signed round-trip: phosra init scaffolds a config, phosra doctor verifies census reachability, trust-list root signature, spec-version negotiation, and a full §8.3.2+§8.3.1 sandbox write — all in under two minutes with zero provisioning. - [Safe Content Monitoring](https://docs.phosra.com/integration/content-monitoring.md): Architect an on-device content classifier the accredited way — benign content deleted, harmful excerpts sealed to the parent, Phosra router-blind throughout. For child-safety app vendors. - [Forward Compatibility](https://docs.phosra.com/integration/forward-compatibility.md): New rule categories, new parameters, new accredited parties, and new spec minor versions reach your installed SDK as runtime data — no reinstall required. The wire protocol is the integration contract. - [Partner Integration Overview](https://docs.phosra.com/integration/overview.md): Two integration roles, one hosted census. Parental-controls providers write rules; platforms enforce them. Both SDKs are MIT-licensed; you pay Phosra only for the hosted census. - [Platform Quickstart](https://docs.phosra.com/integration/platform.md): Content and service apps use @phosra/gatekeeper to receive signed enforcement profiles, make local enforcement decisions with zero network latency, and emit §8.3.8 confirmation receipts. - [Platform Registration](https://docs.phosra.com/integration/platform-registration.md): Mint your platform endpoint, receive the connect-secret once, declare your webhook URL, and wire the six PHOSRA_* env vars into @phosra/gatekeeper. This is the one-time step that opens the connect channel a provider uses to reach you. - [Production Accreditation](https://docs.phosra.com/integration/production-accreditation.md): How to move from a sandbox provisional DID to a production-accredited entry on the OCSS Trust List. Sandbox is self-serve today; production is a vetted gate. - [Provider Quickstart](https://docs.phosra.com/integration/provider.md): Parental-controls providers use @phosra/link to link families, ingest parent consent, and write signed rule directives to the hosted OCSS census. - [Provider Discovery — the directory](https://docs.phosra.com/integration/provider-discovery.md): Browse GET /api/v1/directory to find a provider counterparty by DID, role, and capability, then resolve how to reach it with GET /providers/{did}/connect. The directory is an index over the signed Trust List — never a key gate. - [Server-Side Enclave Routing](https://docs.phosra.com/integration/server-side-enclave-routing.md): The trust layer for server-side content classification — register an enclave, classify content seal-direct, report minimization, and verify compliance bundles. All endpoints live on the sandbox today. - [Introduction](https://docs.phosra.com/introduction.md): Phosra is an accredited OCSS provider — the Phosra control-plane API and the open OCSS protocol, clearly separated. - [OCSS Signed Rule Writes & Intent API](https://docs.phosra.com/ocss/intent-api.md): The Ed25519-signed write-receipt surface (live) and the intent-resolution API (not yet built — roadmap). - [Getting on the Trust List](https://docs.phosra.com/ocss/onboarding.md): How to join the OCSS Trust Framework — DID registration, accreditation lanes, and per-role onboarding artifacts. Sandbox self-registration is live today; production accreditation is governance-gated. - [OCSS Overview](https://docs.phosra.com/ocss/overview.md): What the Open Child Safety Specification is, and what Phosra's role in it is — Phosra implements OCSS; it does not own it. - [OCSS Protocol SDK](https://docs.phosra.com/ocss/protocol-sdk.md): The OCSS half of @phosra/sdk-dev — @openchildsafety/ocss re-exported verbatim. Sign and verify receipts, open sealed envelopes, resolve the Trust List. Zero Phosra cryptographic logic. - [OCSS Roles](https://docs.phosra.com/ocss/roles.md): The four §3.2 roles defined by the Open Child Safety Specification at openchildsafety.com. Phosra implements them; the specification defines them. - [OCSS Rule Reference](https://docs.phosra.com/ocss/rule-reference.md): 123 rule categories across 8 capabilities — defined by the Open Child Safety Specification at openchildsafety.com. Phosra implements OCSS; it does not own it. - [Conformance Status](https://docs.phosra.com/ocss/status.md): Live vs. preview for every OCSS and Phosra surface — exact, honest, no endpoint implied live unless it is. - [OCSS Trust Framework](https://docs.phosra.com/ocss/trust-framework.md): The OCSS routing and trust layer — the two-layer signed envelope, the eIDAS-style Trust List, accreditation tiers, and the signed-verb model. Hosted by Phosra at /.well-known/ocss/*. - [Create your account & get keys](https://docs.phosra.com/platform/create-account.md): The live self-serve path from zero to a working phosra_ API key — sign up, get an org, mint your first key. No pre-existing key, no handshake, no email required. - [Developer Platform Overview](https://docs.phosra.com/platform/overview.md): The Phosra control plane — manage developer orgs, API keys, usage, advisor agents, and MCP tokens. Live at prodapi.phosra.com. - [Phosra Link Branding Requirement](https://docs.phosra.com/sdks/branding.md): Every Phosra Link connect/consent surface MUST render the published, branded kit — the phosra · OCSS lockup, the Trust-List trust signals, and the "never a fake green" honesty rule. Mandatory and assessed. - [@phosra/link](https://docs.phosra.com/sdks/link.md): Writer-plane SDK for providers — signed consent ceremonies, rule directives, and the platform connect flow - [Phosra Link for iOS](https://docs.phosra.com/sdks/link-ios.md): PhosraLinkKit — the native-iOS Connect sheet a parental-controls app presents in ~10 lines (the Plaid-Link analog). - [Phosra Developer SDK](https://docs.phosra.com/sdks/phosra-developer-sdk.md): TypeScript SDK for the Phosra developer control plane — OCSS-conformant. Two halves: management (generated REST client) and protocol (@openchildsafety/ocss re-export). ## OpenAPI Specs - [openapi.data-plane](https://docs.phosra.com/openapi.data-plane.yaml) - [openapi.control-plane](https://docs.phosra.com/openapi.control-plane.yaml) - [openapi](https://docs.phosra.com/openapi.yaml) ## Optional - [Status](https://openchildsafety.com/status) - [Developers](mailto:developers@phosra.com)