@phosra/sdk package provides a typed client for the Phosra API, with support for Node.js and browser environments.
Verified against the published package. Everything on this page was checked against
@phosra/sdk@0.1.0 (the current npm release) and the code was run against the live sandbox — see Verified live at the bottom.Installation
0.1.0. Pin it in package.json for reproducible builds:
Quick Start
Every tab below leads with the open sandbox —https://phosra-api-sandbox-production.up.railway.app — so your first copy-paste returns 201 with no API key. Paste any tab as-is and run it; nothing you create in the sandbox touches production. The Get a production key step (a real dashboard link) comes after you’ve seen it work.
Going to production
The sandbox is open. Production requires aphosra_ API key — pass it as apiKey (the SDK sends it as X-Api-Key) and drop the sandbox baseUrl so the client uses the default production host:
Get your API key
Sign up at dashboard.phosra.com/signup, then mint a key on the Keys page —
phosra_test_… for the sandbox, phosra_live_… for production. See Authentication for the full key lifecycle.Authentication
PhosraClientConfig accepts exactly these fields (verified against @phosra/sdk@0.1.0):
| Field | Header sent | Use for |
|---|---|---|
apiKey | X-Api-Key: phosra_… | Server-to-server / B2B / agents |
accessToken | Authorization: Bearer <jwt> | Parent-app user sessions (WorkOS token) |
deviceKey | X-Device-Key: phosra_dev_… | On-device enforcement |
baseUrl | — | Override the API host (defaults to https://prodapi.phosra.com/api/v1) |
onTokenExpired | — | () => Promise<string> — called on 401; return a fresh access token to retry |
The SDK sends
apiKey as the X-Api-Key header internally; the raw curl / Python / Go tabs above
send the same key as Authorization: Bearer (the canonical header the rest of the docs use). The API
accepts both interchangeably — pick either. See Authentication.deviceKey > apiKey > accessToken.
Refreshing an expired token
There is nomaxRetries/retryDelay option in @phosra/sdk@0.1.0. Token refresh is handled by the onTokenExpired callback — the client calls it on a 401, then retries the request once with the returned token:
Resource Namespaces
The client organizes endpoints into resource namespaces:Error Handling
The SDK throws typed errors.PhosraError is the base class (it carries only message); API failures throw a PhosraApiError (or one of its subclasses) which adds statusCode, code, and details. For the full wire-level status/class matrix (every 4xx/5xx, its cause, and its fix) see the Errors reference:
PhosraError):
| Class | Thrown on | Extra fields |
|---|---|---|
PhosraError | base class | message |
PhosraApiError | any non-2xx | statusCode, code?, details? |
PhosraAuthError | 401 | (inherits PhosraApiError) |
PhosraNotFoundError | 404 | (inherits PhosraApiError) |
PhosraValidationError | 422 | (inherits PhosraApiError) |
PhosraRateLimitError | 429 | retryAfter? (seconds) |
Full Example: Setup to Enforcement
Resource methods (verified surface)
Every namespace and method below exists onPhosraClient in @phosra/sdk@0.1.0:
| Namespace | Methods |
|---|---|
auth | register, login, refresh, logout, me |
families | list, create, get, update, delete |
children | list, create, get, update, delete, ageRatings |
members | list, invite, remove |
policies | list, create, get, update, delete, activate, pause, generateFromAge |
rules | list, create, update, delete, bulkUpsert |
enforcement | trigger, triggerLink, listJobs, getJob, getResults, retry |
compliance | list, create, verify, delete, enforce |
platforms | list, get, byCategory, byCapability |
ratings, standards, devices, reports, sources | see the API Reference |
setup | quick |
Verified live
The Quick Start code was run against the open sandbox census (https://phosra-api-sandbox-production.up.railway.app/api/v1, no key required) with @phosra/sdk@0.1.0: