Get provider connect config
Returns the OAuth endpoints @phosra/link uses to run the connect ceremony against a provider. This is the Phosra product layer of a two-layer resolution — it answers how to reach a provider. Whether you may connect is decided first by the OCSS Trust List (/.well-known/ocss/trust-list, root-verified): the SDK’s resolver requires the DID to be an active, unexpired entry before this endpoint is ever fetched, and fails closed otherwise. Connect configs are deliberately not part of the signed OCSS document — the standard stays vendor-neutral (trust, keys, accreditation); connection mechanics are Phosra’s concern as the OCSS implementor.
Responds 404 (without distinguishing the cases) when the DID is unknown, revoked, or accredited but has no connect config yet.
Two layers, resolved in order
Connecting a platform to a provider is a two-layer resolution, and the layers are deliberately not the same trust surface:- The OCSS Trust List decides whether you may connect. The SDK resolver fetches the
root-verified
/.well-known/ocss/trust-listand requires the target DID to be anactive, unexpired entry. Absent, suspended, revoked, or expired — the resolver fails closed and this endpoint is never called. - This endpoint (
GET /providers/{did}/connect) says how to reach it. It returns the OAuthauthorize_url/token_url/profiles_url/scopesa client uses to run the connect ceremony. It is a Phosra product-layer lookup, deliberately not part of the signed OCSS document — the standard stays vendor-neutral (trust, keys, accreditation); connection mechanics are Phosra’s concern as the OCSS implementor.
404 is returned (without distinguishing the cases) for an unknown DID, a revoked DID, or an
accredited DID that has no connect config registered yet — no existence leak.
Registering your connect config
There is no self-serve write path for this endpoint yet. To get your platform’s connect config published: Interim (today): email developers@phosra.com with the four fields:authorize_url— your OAuth 2.0 authorization endpoint (PKCE S256)token_url— your OAuth 2.0 token endpointprofiles_url— your child-profile listing endpoint (bearer access token; the token is discarded after the profile fetch)scopes— the OAuth scopes the connect ceremony should request (e.g.child_profiles.read)
PUT on this same path, so an accredited
platform can register and rotate its own connect config without an email round-trip. Not yet
built — no such endpoint exists today.Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Path Parameters
The provider's OCSS DID, e.g. did:ocss:loopline. Colons are path-safe (RFC 3986) — send them literally, do not percent-encode.
^did:ocss:[a-z0-9-]+$Response
The provider's OAuth connect config
The provider's OAuth 2.0 authorization endpoint (PKCE S256).
The provider's OAuth 2.0 token endpoint.
The provider's child-profile listing endpoint (bearer access token; the token is discarded after the profile fetch).
OAuth scopes the connect ceremony requests, e.g. child_profiles.read.