https://phosra-api-sandbox-production.up.railway.app on 2026-07-06. Package versions
were verified against the public npm registry the same day.Keys & environments
What's the difference between a test key and a live key?
What's the difference between a test key and a live key?
| Sandbox / test | Production / live | |
|---|---|---|
| Prefix | phosra_test_ | phosra_live_ |
| Base URL | https://phosra-api-sandbox-production.up.railway.app/api/v1 | https://prodapi.phosra.com/api/v1 |
| Touches real families? | No — isolated sandbox data | Yes |
phosra_test_ key only authenticates against the sandbox, and a phosra_live_ key only
against production. Crossing them returns 401 invalid API key — the key’s hash simply
isn’t in that environment’s store. Mint both on the same
Keys page (pick the environment).
Full detail: Authentication → Test keys vs live keys.Which header does the API key go in?
Which header does the API key go in?
Authorization: Bearer phosra_… is the canonical header and the one every example on this site
uses. X-Api-Key: phosra_… is accepted as an exact equivalent — use it only if a proxy or
framework reserves the Authorization header. When both are present, Authorization wins.
There is no Basic auth and no query-string key. See
Authentication → The one correct header.Do I need an API key to try Phosra at all?
Do I need an API key to try Phosra at all?
/api/v1/families, /api/v1/children/…,
/api/v1/setup/quick, /health, the Trust List) are open, so your first request returns real
data with zero credentials — the Quickstart proves it. You only need a
phosra_test_ key when you want to exercise the /api/v1/developer/* routes and hit the exact
scope + rate-limit behavior you’ll see in production.The sandbox
Does the sandbox reset or wipe my data?
Does the sandbox reset or wipe my data?
Mia, Leo, Ava) and the accredited reference providers — is always present. Anything you
create persists, and the write endpoints are idempotent: POST /setup/quick de-dupes on
(family, child_name, birth_date) and self-registering a DID is create-only (a repeat returns
409, never a silent overwrite). To start from a clean object, use a new child name or a fresh
self-registered DID rather than looking for a reset button — there isn’t one. See
Test in the sandbox.Is the sandbox isolated from production?
Is the sandbox isolated from production?
https://prodapi.phosra.com/api/v1 and send a phosra_live_… key. The request and response
shapes are byte-for-byte identical. See Test in the sandbox.The sandbox took a few seconds to answer my first call — is it down?
The sandbox took a few seconds to answer my first call — is it down?
502/503 or a slow first response is expected. Retry once after a few seconds and
it’ll be warm. See Errors → Server errors.401 vs 403
What's the difference between a 401 and a 403?
What's the difference between a 401 and a 403?
401 = we don’t know who you are. The credential is missing, malformed, unknown, revoked,
or expired.403 = we know who you are, but you’re not allowed to do this. The credential is valid but
lacks the scope, standing, or accreditation tier for the request. A /developer/* call with
no key at all is a 403 (the request reached the scope check with an empty scope set):{ "message": "missing required scope: write:enforcement", "code": 403 }. Fix a 401 by
correcting the credential; fix a 403 by granting the scope (or standing). Full matrix:
Errors → Client errors and
Authentication → Error responses.I'm getting a 401 on a signed route, not an API-key route. Same thing?
I'm getting a 401 on a signed route, not an API-key route. Same thing?
401 means the request signature is missing or invalid, and the
body carries "class": "signature_invalid":code and class, never on the prose message. See
Do I need to sign my requests? below and Errors → OCSS error classes.Should I be getting a 401 or a 404?
Should I be getting a 401 or a 404?
404 not_found means the
resource genuinely does not exist (a stale ID is never silently redirected to a live one),
while a 401 means an auth/signature problem. The
Troubleshooting → 401 vs 404
section walks through telling them apart.Signing
Do I need to sign my requests?
Do I need to sign my requests?
- Developer REST routes (
/api/v1/developer/*and the consumer/api/v1/*routes): no signing. Aphosra_API key (or a WorkOS session JWT) in theAuthorizationheader is all you need. This is the vast majority of the API — families, children, policies, enforcement, devices, webhooks. - OCSS Trust Framework routes (signed rule writes, enforcement confirmations, consent
attestations, receipts): yes — RFC 9421 HTTP Message Signatures are required, signed with
a key that’s published on the Trust List. These carry the extra
classfield and return401 signature_invalidwhen the signature is absent or wrong.
@openchildsafety/ocss
library signs and verifies OCSS envelopes, and @phosra/link wraps the consent
ceremony + signed rule-write directives. See Authentication for how API
keys, WorkOS JWTs, and request signing fit together.Where does the WorkOS JWT fit in?
Where does the WorkOS JWT fit in?
Authorization: Bearer <workos_jwt>. The API only validates
the JWT — there is no /auth/register, /auth/login, or /auth/refresh on the Phosra API
(those live in WorkOS). Server-to-server integrations use a phosra_ API key instead. See
Authentication → Consumer path.Rate limits
What are the rate limits?
What are the rate limits?
How do I know how much quota I have left?
How do I know how much quota I have left?
/api/v1/* response carries:X-RateLimit-Reset is Unix epoch seconds. On a 429, honour Retry-After (seconds) and
retry exactly once — there’s a copy-paste backoff loop in curl, TypeScript, Python, and Go on
the Rate limits page.SDKs & npm package names
What are the exact npm package names?
What are the exact npm package names?
@phosra/*, and the vendor-neutral OCSS reference
library under @openchildsafety/*. There is no published @ocss/* npm scope — if you
saw that anywhere, it’s stale. Versions verified live against the npm registry on 2026-07-06:| Package | Version | What it does |
|---|---|---|
@phosra/sdk | 0.1.0 | Typed control-plane client (PhosraClient) — families, children, policies, rules, enforcement |
@openchildsafety/ocss | 0.1.3 | OCSS reference library — sign/verify receipts, sealed envelopes, Trust List, vocabulary |
@phosra/link | 0.1.2 | Writer-plane SDK — consent ceremony + signed rule-write directives |
@phosra/gatekeeper | 0.2.2 | Platform-side — verify signed profiles, local decision engine, §8.3.8 receipts |
@phosra/connect | 0.1.1 | Embeddable Connect component (the “Plaid Link” for parental-controls apps) |
@phosra/mcp | 0.4.0 | MCP server exposing Phosra tools to AI agents (npx @phosra/mcp) |
@phosra/cli | 0.2.0 | Partner CLI — scaffold configs, verify OCSS setup, sandbox round-trip checks |
@phosra/provider | 0.1.0 | Provider-side helpers over @openchildsafety/ocss |
@phosra/classify | 0.1.1 | Rule-category classification helpers |
@phosra/sdk for the REST API, or the
SDK overview for the full map.Is there a Python / Go / iOS / Android SDK?
Is there a Python / Go / iOS / Android SDK?
Can I use the MCP server with Claude / other agents?
Can I use the MCP server with Claude / other agents?
npx @phosra/mcp --api-key=KEY exposes Phosra’s tools over the Model Context Protocol to
any MCP-compatible agent (Claude, and others). See MCP Server.Going to production
How do I move from sandbox to production?
How do I move from sandbox to production?
https://prodapi.phosra.com/api/v1, and (2) swap your phosra_test_… key for a phosra_live_…
key from the same Keys page. Request
and response shapes are identical. Note that production and sandbox Trust Lists differ — the
production census admits only accredited parties (governance-gated). See
Authentication → Verify your setup.How do I rotate or revoke a key?
How do I rotate or revoke a key?
POST …/keys/{keyId}/regenerate issues a new
secret in place (the old one stops working); DELETE …/keys/{keyId} kills a key permanently
(any request with it then returns 401 "API key has been revoked"). For zero-downtime rotation,
mint a second key, deploy it, then revoke the old one. Full steps:
Authentication → Rotation.Still stuck?
Troubleshooting
Errors reference
class, each with its cause, its fix, and a live example.