phosra_ API key requires no pre-existing credential and no contact with the Phosra team. The entire funnel is live and self-serve:
- Sign up — dashboard.phosra.com/signup (WorkOS AuthKit hosted sign-up; email or SSO)
- Your developer org is auto-provisioned — first visit to the developer console creates it idempotently
- Mint your first key — from the Keys page, or in one API call (below)
Management plane, not census. This funnel — signup, orgs, `phosra_` keys — is the Phosra control plane and sits outside OCSS §8.1 census scope. OCSS census verbs (rule writes, enforcement confirmations, harm-context, consent attestations) remain RFC-9421 DID-signed only: a `phosra_` key or session token never authenticates a census write. For the census path, see Onboarding.
Path A — the console (browser)
- Go to dashboard.phosra.com/signup and create an account. Existing accounts sign in at dashboard.phosra.com/login.
- You land on the developer console. On first load the console provisions your developer organization automatically — no form to fill.
- Open API Keys → Create Key. Pick a name, environment (`test` or `live`), and scopes.
- The key is shown once — `phosra_test_<64hex>` or `phosra_live_<64hex>`. Copy it immediately; only its SHA-256 hash is stored server-side.
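
Because the key is shown once and has a fixed shape, leaked copies can be found and triaged without handling the plaintext. The following is an added example, not Phosra's code: it scans text for key-shaped tokens, redacts them, and fingerprints them with SHA-256. It assumes the stored hash is taken over the full key string; the function names and the sample input are constructed for illustration.

```python
import hashlib
import hmac
import re

# Format from the page: phosra_test_<64hex> or phosra_live_<64hex>.
# Assumption: hex digits may be lower or upper case; exactly 64 are required.
KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_])phosra_(test|live)_([0-9a-fA-F]{64})(?![0-9a-fA-F])"
)

def fingerprint(key: str) -> str:
    """Hex SHA-256 of the full key string (assumed hashing input)."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()

def find_keys(text: str):
    """Return (line_no, environment, fingerprint) for each key-shaped token."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            hits.append((line_no, m.group(1), fingerprint(m.group(0))))
    return hits

def redact(text: str) -> str:
    """Mask the secret part, keeping environment and last 4 hex chars for triage."""
    return KEY_RE.sub(
        lambda m: f"phosra_{m.group(1)}_<redacted:{m.group(2)[-4:]}>", text
    )

def matches_stored(candidate: str, stored_hash_hex: str) -> bool:
    """Constant-time comparison of a candidate key against a stored hash."""
    return hmac.compare_digest(fingerprint(candidate), stored_hash_hex.lower())

# Constructed sample input: these are not real keys.
SAMPLE_KEY = "phosra_test_" + "ab12" * 16
SAMPLE_LOG = "\n".join([
    "deploy step 3 ok",
    f"export PHOSRA_KEY={SAMPLE_KEY}",
    "Authorization: Bearer phosra_live_" + "0f" * 32,
    "phosra_test_deadbeef  # too short, not key-shaped",
])

if __name__ == "__main__":
    for line_no, env, fp in find_keys(SAMPLE_LOG):
        print(f"line {line_no}: {env} key, sha256={fp}")
    print(redact(SAMPLE_LOG))
```
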
Path B — the API (curl)
Everything the console does is plain HTTP. Authentication for these management calls is your WorkOS session bearer (the access token from your signup/login session) — not a `phosra_` key, which is exactly why no key is needed to get your first key.
One-call bootstrap
POST /api/ensure-dev-org (a dashboard BFF route) idempotently returns your org, creating it if needed — and with bootstrap_key: true also mints the org’s first phosra_ key when none exists yet:
first_key.key is returned only when the org has zero active keys — the flag never mints a second key. Save it immediately.
Or the raw control-plane calls
Verify the key works
200 with a JSON array (empty is fine for a fresh org) confirms the credential loop is closed: fresh signup → org → usable phosra_ key, with no pre-existing key anywhere in the chain.
Where each credential is used
| Credential | Issued by | Authenticates |
|---|---|---|
| WorkOS session bearer | Signup / login (AuthKit) | Management: /developers/orgs*, keys, usage — the control plane |
| phosra_live_ / phosra_test_ key | Console Keys page or POST /developers/orgs/{orgId}/keys | Data plane: /api/v1/developer/* routes |
| Ed25519 DID key (RFC-9421) | Your own keypair + Trust List entry (Onboarding) | OCSS census verbs — never a phosra_ key |
Conformance
The credential loop above needs a session bearer, so the full signup → key path is not a no-credential curl. What a docs-only stranger — or the nightly docs-conformance CI — can check with no credentials is that the control plane the funnel lands on is live and correctly auth-gated (the org-creation endpoint exists and rejects unauthenticated writes with 401, not 404):
401 here (not 404) is the proof the self-serve funnel is real: the endpoint the console
and the one-call bootstrap post to is deployed and gated — supply your WorkOS session bearer
(from signup) and the same call returns your new org.
Further reading
- Developer Platform overview — all 17 control-plane operations
- Platform Registration — the platform-side counterpart: mint your endpoint + connect-secret
- Authentication — credential formats, scopes, rotation
- OCSS onboarding — the census-side (RFC-9421) path