> ## Documentation Index
> Fetch the complete documentation index at: https://docs.phosra.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create your account & get keys

> The live self-serve path from zero to a working phosra_ API key — sign up, get an org, mint your first key. No pre-existing key, no handshake, no email required.

Getting a `phosra_` API key requires **no pre-existing credential and no contact with the Phosra team**. The entire funnel is live and self-serve:

1. **Sign up** — [dashboard.phosra.com/signup](https://dashboard.phosra.com/signup) (WorkOS AuthKit hosted sign-up; email or SSO)
2. **Your developer org is auto-provisioned** — first visit to the [developer console](https://dashboard.phosra.com/dashboard/developers/console) creates it idempotently
3. **Mint your first key** — from the [Keys page](https://dashboard.phosra.com/dashboard/developers/keys), or in one API call (below)

<Note>
  **Management plane, not census.** This funnel — signup, orgs, `phosra_` keys — is the Phosra **control plane** and sits outside OCSS §8.1 census scope. OCSS census verbs (rule writes, enforcement confirmations, harm-context, consent attestations) remain **RFC-9421 DID-signed only**: a `phosra_` key or session token never authenticates a census write. For the census path, see [Onboarding](/ocss/onboarding).
</Note>

***

## Path A — the console (browser)

1. Go to [dashboard.phosra.com/signup](https://dashboard.phosra.com/signup) and create an account. Existing accounts sign in at [dashboard.phosra.com/login](https://dashboard.phosra.com/login).
2. You land on the [developer console](https://dashboard.phosra.com/dashboard/developers/console). On first load the console provisions your developer organization automatically — no form to fill.
3. Open **[API Keys](https://dashboard.phosra.com/dashboard/developers/keys)** → **Create Key**. Pick a name, environment (`test` or `live`), and scopes.
4. The key is shown **once** — `phosra_test_<64hex>` or `phosra_live_<64hex>`. Copy it immediately; only its SHA-256 hash is stored server-side.

***

## Path B — the API (curl)

Everything the console does is plain HTTP. Authentication for these management calls is your **WorkOS session bearer** (the access token from your signup/login session) — *not* a `phosra_` key, which is exactly why no key is needed to get your first key.

### One-call bootstrap

`POST /api/ensure-dev-org` (a dashboard BFF route) idempotently returns your org, creating it if needed — and with `bootstrap_key: true` also mints the org's **first** `phosra_` key when none exists yet:

```bash theme={null}
curl -X POST https://dashboard.phosra.com/api/ensure-dev-org \
  -H "Authorization: Bearer $WORKOS_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Acme Corp", "bootstrap_key": true}'
```

```json theme={null}
{
  "id": "8f14e45f-…",
  "name": "Acme Corp",
  "slug": "acme-corp",
  "first_key": {
    "id": "c9f0f895-…",
    "name": "First key (bootstrap)",
    "environment": "test",
    "key": "phosra_test_4a1b2c…"
  }
}
```

`first_key.key` is returned only when the org has zero active keys — the flag never mints a second key. Save it immediately.

### Or the raw control-plane calls

```bash theme={null}
# 1. Create your developer org (WorkOS session bearer — no phosra_ key needed)
curl -X POST https://prodapi.phosra.com/api/v1/developers/orgs \
  -H "Authorization: Bearer $WORKOS_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Acme Corp"}'

# 2. Mint your first key (key returned once)
curl -X POST https://prodapi.phosra.com/api/v1/developers/orgs/$ORG_ID/keys \
  -H "Authorization: Bearer $WORKOS_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "my-first-key", "environment": "test", "scopes": ["read:families", "write:policies"]}'
```

***

## Verify the key works

```bash theme={null}
curl https://prodapi.phosra.com/api/v1/developer/families \
  -H "Authorization: Bearer phosra_test_4a1b2c…"
```

A `200` with a JSON array (empty is fine for a fresh org) confirms the credential loop is closed: fresh signup → org → usable `phosra_` key, with no pre-existing key anywhere in the chain.

***

## Where each credential is used

| Credential                          | Issued by                                                                                             | Authenticates                                                    |
| ----------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- |
| WorkOS session bearer               | [Signup](https://dashboard.phosra.com/signup) / [login](https://dashboard.phosra.com/login) (AuthKit) | Management: `/developers/orgs*`, keys, usage — the control plane |
| `phosra_live_` / `phosra_test_` key | Console Keys page or `POST /developers/orgs/{orgId}/keys`                                             | Data plane: `/api/v1/developer/*` routes                         |
| Ed25519 DID key (RFC-9421)          | Your own keypair + Trust List entry ([Onboarding](/ocss/onboarding))                                  | OCSS census verbs — never a `phosra_` key                        |

***

## Conformance

The credential loop above needs a session bearer, so the full signup → key path is not a
no-credential `curl`. What a docs-only stranger — or the nightly docs-conformance CI — **can**
run with no credentials is that the control-plane the funnel lands on is live and correctly
auth-gated (the org-creation endpoint exists and rejects unauthenticated writes with `401`, not
`404`):

```bash theme={null}
# 1. The control plane is live.
curl -fsS https://prodapi.phosra.com/health
# → 200 {"status":"ok"}

# 2. Org creation exists and is auth-gated (401, NOT 404 — the endpoint is real, just needs your session bearer).
curl -s -o /dev/null -w "%{http_code}\n" -X POST https://prodapi.phosra.com/api/v1/developers/orgs
# → 401
```

A `401` here (not `404`) is the proof the self-serve funnel is real: the endpoint the console
and the one-call bootstrap post to is deployed and gated — supply your WorkOS session bearer
(from [signup](https://dashboard.phosra.com/signup)) and the same call returns your new org.

***

## Further reading

* [Developer Platform overview →](/platform/overview) — all 17 control-plane operations
* [Platform Registration →](/integration/platform-registration) — the platform-side counterpart: mint your endpoint + connect-secret
* [Authentication →](/authentication) — credential formats, scopes, rotation
* [OCSS onboarding →](/ocss/onboarding) — the census-side (RFC-9421) path
