Skip to main content
Everything on this page is real and runnable today. The starter below runs copy-paste against the open sandbox with no API key; every repo and package in the catalog is published and linked to its actual source — nothing here is a placeholder or a “coming soon.”
How to read this page. We are explicit about what each sample is, because a dead link or a 404 on npm install costs a developer all their trust:
  • Runnable starter — a copy-paste snippet (not a repo) you can paste into a terminal right now. It runs against https://phosra-api-sandbox-production.up.railway.app with no credential. Every response shown is verbatim from that live sandbox.
  • Clonable repo — a public GitHub repository you can git clone. We link only repos that actually exist (verified against the GitHub API while writing this page).
  • Published package — on the public npm registry. Versions are verified against npm view; pin the one you use.
  • Private / on-request — the native iOS & Android enforcement SDKs are distributed privately. We say so plainly and give you the contact, rather than show an install line that would 404.

The 60-second starter

This is the smallest complete integration: mint nothing, create a protected child, enforce the policy, and read the result — the same four moves every Phosra integration makes. It is a snippet, not a clonable repo. It needs no API key because it targets the open sandbox.
1

Prove the sandbox is up

2

Create a family + child + active policy in one call

3

Enforce the policy (async job)

4

Poll the job to completion

# A complete, runnable integration — paste the whole block into a terminal.
# No API key: this targets the open partner sandbox.
HOST="https://phosra-api-sandbox-production.up.railway.app"
BASE="$HOST/api/v1"

# 1 — health check (no key)
curl -s "$HOST/health"           # → {"status":"ok"}

# 2 — create a protected child; capture the child id
CHILD_ID=$(curl -s -X POST "$BASE/setup/quick" \
  -H "Content-Type: application/json" \
  -d '{"child_name":"Aria","birth_date":"2015-08-20","strictness":"recommended"}' \
  | jq -r '.child.id')
echo "child: $CHILD_ID"

# 3 — enforce → returns a job (status "running")
JOB_ID=$(curl -s -X POST "$BASE/children/$CHILD_ID/enforce" | jq -r '.id')
echo "job:   $JOB_ID"

# 4 — poll the job until it is "completed"
curl -s "$BASE/enforcement/jobs/$JOB_ID" | jq '{status, completed_at}'
Verbatim sandbox output (captured while writing this page — setup/quick returns 200, the enforce job flips to completed in well under a second):
// POST /setup/quick — trimmed to the fields the starter reads
{
  "family": { "id": "ecf280b3-b684-4945-a694-18a4f566a450", "name": "Aria's Family" },
  "child":  { "id": "ef0ca46d-411e-4801-9a5d-a05dd599c093", "name": "Aria",
              "birth_date": "2015-08-20T00:00:00Z" },
  "policy": { "id": "fe8203da-00d5-45b9-bfa9-76f3f3227bdd",
              "name": "Aria's Protection Policy", "status": "active" },
  "rules":  [ /* 20 age-appropriate rules, enabled */ ]
}

// POST /children/{id}/enforce — the async job, immediately after the call
{ "id": "0eb048ce-497c-4193-ba32-5dc9a0894954", "status": "running", "trigger_type": "manual" }

// GET /enforcement/jobs/{id} — after polling
{ "id": "0eb048ce-497c-4193-ba32-5dc9a0894954", "status": "completed",
  "completed_at": "2026-07-06T11:22:04.645214Z" }
Add the webhook leg. The starter stops at “enforce + read result.” To finish a production-grade integration, register a webhook so your backend is pushed the change instead of polling. That step needs a phosra_test_ key (webhook registration is authenticated). The verified, copy-paste signature-verifying handler — in curl, TypeScript, Python, and Go — lives in Webhook events → Verifying signatures.

What the starter builds, in a real app

The four API calls above are exactly what a parental-control app runs behind its UI. Every screen below is a real screenshot captured from Propagate — a reference app built on this same sandbox API — following one child (Ruby) end to end. Nothing is mocked or drawn.
Propagate iOS Family screen listing children Ruby and Mateo under a KIDS section, with the parent shown as Owner under a PARENTS section, and a bottom tab bar.
Propagate 'Connect Notflix' screen under a 'phosra · OCSS' header, listing four rules the platform will apply and verify, with a green Continue button and an honesty disclaimer.
Propagate platform detail screen with a green shield 'Enforced' card, a Status section (Protection type Enforced, Connected date, Last sync 'Applied & verified just now'), and an Applied Rules list with green checkmarks.
Want the full ten-phase lifecycle — link, unlink, per-service isolation, relink — with every request and response run live? See the End-to-end walkthrough.

The catalog

Real, published integrations you can clone or install today. The two GitHub repositories below are public in the Phosra-Inc org:
GitHub organization page for Phosra-Inc showing two public repositories: 'touchstone' (TypeScript, MIT License) and 'phosra-link-kit-ios' (Swift), each marked Public.

Clonable repos

Provider conformance harness

Phosra-Inc/touchstone (TypeScript, MIT). The independent OCSS conformance harness — probe a provider enclave and print a signed report. Zero runtime dependencies.
npm install @openchildsafety/provider-harness
npx ocss-harness run --enclave ref

iOS Link kit (Connect sheet)

Phosra-Inc/phosra-link-kit-ios (Swift). The native-iOS Phosra Link — a branded Connect sheet your app presents in ~10 lines, with onSuccess / onExit callbacks. The Plaid-LinkKit analog.
.package(url: "https://github.com/Phosra-Inc/phosra-link-kit-ios.git", from: "0.1.0")

Run without cloning — one-command samples

Each of these runs a real integration from a single command against the sandbox.

MCP server for AI agents

Expose Phosra tools to Claude, GPT, and any MCP client. One command, no clone:
npx @phosra/mcp --api-key=YOUR_KEY
Full client config (Claude Desktop, Cursor) on the MCP Server page.

Partner CLI — sandbox round-trip

Scaffold configs and run a sandbox round-trip check without writing code:
npx @phosra/cli doctor
See the CLI guide for every subcommand.

Embeddable Connect component

The “Plaid Link” for parental-controls apps — web + React Native. Drives the consent ceremony end to end:
npm install @phosra/connect

OCSS protocol reference lib

Sign/verify receipts, sealed envelopes, the Trust List — the vendor-neutral OCSS surface, no Phosra account:
npm install @openchildsafety/ocss

Every published package

All verified against the public npm registry while writing this page — pin the version you use.
PackageVersionSample it powersDocs
@phosra/sdk0.1.0Typed control-plane client — the 60-second starter, but typedTypeScript SDK
@phosra/mcp0.4.0MCP server for AI agents (npx @phosra/mcp)MCP Server
@phosra/cli0.2.0Sandbox round-trip + scaffolding (npx @phosra/cli)CLI
@phosra/link0.1.2The consent ceremony + signed rule-write directivesLink
@phosra/connect0.1.1Embeddable Connect component (web + React Native)Link
@phosra/gatekeeper0.2.2Platform-side: verify signed profiles, local decision enginePlatform
@openchildsafety/ocss0.1.3The OCSS reference library (receipts, envelopes, trust list)Developer SDK
@openchildsafety/provider-harness0.1.3The touchstone conformance harness aboveProvider
No @ocss/* scope exists. The open standard’s library ships under @openchildsafety/*, and the Phosra client libraries under @phosra/*. If you see an @ocss/… install line anywhere, it is wrong — it will 404 on npm.

Private / on-request

The native on-device enforcement SDKs are not on a public registry yet — we distribute them privately rather than show an install line that would fail.
SDKStatusHow to get it
iOS enforcement SDKPrivate repoiOS SDK · email developers@phosra.com
Android enforcement SDKPrivate (not on Maven Central)Android SDK · email developers@phosra.com
The iOS Link kit (phosra-link-kit-ios) — the Connect sheet — is public and in the catalog above. The separate iOS enforcement SDK (the one that drives FamilyControls / ManagedSettings on-device) is the private one.

Reference provider integrations

The sandbox ships a built-in reference provider that powers the live OAuth consent page you meet in the Connect a platform guide and the end-to-end walkthrough. It exposes real /oauth/authorize, /oauth/token, and /oauth/profiles endpoints with fixed demo child profiles (Mia, Leo, Ava), so you can drive a complete connect ceremony against the sandbox without standing up your own provider.
The brand names in the walkthrough screenshots — “Notflix”, “Pixagram” — are the reference app’s stand-in labels, not separate clonable projects or accredited providers. There is no public “Notflix” repository; the sandbox’s reference OAuth surface is what makes that flow runnable. We call this out so you don’t go looking for a repo that doesn’t exist.

Next steps

Quickstart

The same first calls, with more explanation of each field and response.

End-to-end walkthrough

The full family lifecycle — link, unlink, isolation, relink — run live.

Webhook events

Finish the starter: verified signature-checking handlers in four languages.

Get your API key

Move from the sandbox to production — same request shapes, one new header.