> ## Documentation Index
> Fetch the complete documentation index at: https://docs.phosra.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Support & getting help

> Every way to reach Phosra when you are stuck — self-serve fixes, the developer inbox, filing bugs, security disclosure, and honest response expectations.

Stuck on an integration? Start with the self-serve fixes below — most 4xx
responses resolve in under a minute without opening a ticket. When you do need a
human, this page tells you exactly **who to reach, what to include, and how
quickly to expect a reply** — no invented SLAs, no dead links.

## Fix it yourself first

Nearly every error the API returns is self-explaining and has a documented cause
and fix. Check these before you write to us — you will usually be faster.

<CardGroup cols={2}>
  <Card title="Troubleshooting" icon="wrench" href="/troubleshooting">
    Organized by **symptom**, not by code. Find what you are seeing, run the check, apply the fix.
  </Card>

  <Card title="Error reference" icon="list" href="/errors">
    Every HTTP status and error `class`, each with its cause, its fix, and a live example.
  </Card>

  <Card title="Platform status" icon="signal" href="https://openchildsafety.com/status">
    Is it you or us? Live operational status for the OCSS census, plus the full incident history.
  </Card>

  <Card title="Changelog" icon="clock-rotate-left" href="/changelog">
    Recent API and SDK changes — check here first if something worked yesterday and not today.
  </Card>
</CardGroup>

<Tip>
  Before you contact anyone, grab the **`X-Railway-Request-Id`** header from the
  failing response. It lets us find your exact request in the logs — with it, a
  reply is minutes; without it, it is a guessing game.

  ```bash theme={null}
  curl -s -D - -o /dev/null "https://phosra-api-sandbox-production.up.railway.app/health" \
    | grep -i x-railway-request-id
  ```
</Tip>

## Reach the developer team

For integration questions, sandbox behaviour, key/access requests, and anything
that is not a security issue or a public-repo bug, email the developer inbox:

<Card title="developers@phosra.com" icon="envelope" href="mailto:developers@phosra.com">
  The one address for developer support, SDK access requests, and integration help.
</Card>

To get a useful answer on the first reply, include:

<Steps>
  <Step title="The request id">
    The **`X-Railway-Request-Id`** from the failing response (see the tip above).
  </Step>

  <Step title="The error, verbatim">
    The full JSON body — at minimum `code` and `class`, plus `failed_step` if the
    response is a `403 standing_failure`. Do not paraphrase; paste it.
  </Step>

  <Step title="What you expected vs. what happened">
    The route you called, the identity (`key_id` or DID) you called it as, and the
    behaviour you expected. A minimal `curl` that reproduces it is ideal.
  </Step>
</Steps>

<Warning>
  Never paste a live secret. `phosra_test_` keys are safe to share for debugging;
  **`phosra_live_` keys, private signing keys, and session tokens are not** —
  redact them. If a live secret has already leaked, revoke it in the dashboard
  and mint a new one before anything else.
</Warning>

## Response expectations

We would rather tell you the truth than publish a number we cannot keep. Here is
what is actually committed:

| Channel                     | What it is for                       | What we commit to                                                                                                                    |
| --------------------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ |
| **`security@phosra.com`**   | Vulnerabilities & security incidents | **Triage within one business day**, with updates through remediation ([published on our Trust page](https://www.phosra.com/trust))   |
| **`developers@phosra.com`** | Sandbox & integration support        | Best-effort, monitored during business hours. **No published SLA for the free sandbox**                                              |
| **Accreditation agreement** | Production partners                  | Support commitments are defined in your signed [production-accreditation](/integration/production-accreditation) agreement, not here |
| **GitHub issues**           | Bugs in the public repos             | Community best-effort; maintainers triage on a rolling basis                                                                         |

<Note>
  The sandbox is a **best-effort developer environment**, not a paid production
  service — treat the developer inbox accordingly. Time-sensitive production
  guarantees come with accreditation. For real-time platform health during an
  outage, the [status page](https://openchildsafety.com/status) is always the
  source of truth, not email.
</Note>

## File a bug

Where a bug goes depends on **which component** it is in.

<CardGroup cols={2}>
  <Card title="iOS Link Kit — PhosraLinkKit" icon="apple" href="https://github.com/Phosra-Inc/phosra-link-kit-ios/issues">
    The native-iOS **Phosra Link** connect sheet (Swift). Open an issue on the public repo.
  </Card>

  <Card title="OCSS conformance harness — Touchstone" icon="check-double" href="https://github.com/Phosra-Inc/touchstone/issues">
    The open **`@openchildsafety/provider-harness`** (TypeScript). File conformance-tooling bugs here.
  </Card>
</CardGroup>

For everything else — the **control-plane / data-plane API**, the dashboard, the
managed [`@phosra/*` SDKs](/sdks/overview), or the [MCP server](/sdks/mcp-server)
— the source is not public, so there is no issue tracker to file against. Email
[developers@phosra.com](mailto:developers@phosra.com) with the request id and the
verbatim error instead. A good bug report is reproducible: include the exact
route, the identity you called it as, and a minimal `curl`.

<Info>
  A crash or 5xx that you can reproduce is one of the most useful things you can
  send. Retry with backoff first ([5xx are transient](/errors#server-errors)); if
  it persists, send the `X-Railway-Request-Id` — that is what lets us pull your
  exact trace.
</Info>

## Report a security issue

Found a vulnerability? Please **do not** open a public GitHub issue. Email:

<Card title="security@phosra.com" icon="shield-halved" href="mailto:security@phosra.com">
  Responsible-disclosure contact. Triaged within one business day; researchers are
  credited in our disclosure log with your permission.
</Card>

We welcome good-faith research under a few ground rules, taken directly from our
[Trust & security page](https://www.phosra.com/trust):

* **Do not access data that is not your own.** Use your own sandbox org and test
  identities.
* **Do not test against production parent or child accounts.** This is a
  child-safety platform — real accounts are strictly off-limits.
* **Do not run scanners that degrade service** for other developers.

In return, we triage within one business day, keep you updated through
remediation, and — with your permission — credit you in our public disclosure
log. Confirmed breaches are notified within **72 hours**, consistent with GDPR
Article 33 and CCPA. Full detail lives on the [Trust page](https://www.phosra.com/trust).

## Community & staying informed

Phosra does not run a public chat community (no Discord or Slack) — so if you see
one claiming to be us, it is not. The honest set of channels today:

<CardGroup cols={2}>
  <Card title="Changelog" icon="rss" href="/changelog">
    The canonical feed of API and SDK changes. Check it before assuming a regression.
  </Card>

  <Card title="Status & incidents" icon="tower-broadcast" href="https://openchildsafety.com/status">
    Live operational status and the full incident history for the OCSS census.
  </Card>

  <Card title="Open-source repos" icon="github" href="https://github.com/Phosra-Inc">
    Public repos (Link Kit, Touchstone). Issues are the place for questions on those components.
  </Card>

  <Card title="OCSS standard" icon="book-open-cover" href="/ocss/overview">
    The open specification Phosra implements — protocol, roles, and the trust framework.
  </Card>
</CardGroup>

<Note>
  The vendor-neutral OCSS protocol library ships on npm as
  **`@openchildsafety/*`** (there is no `@ocss/*` scope). SDK install and status
  details are on the [SDKs overview](/sdks/overview).
</Note>

***

## Still stuck?

<CardGroup cols={2}>
  <Card title="Troubleshooting" icon="wrench" href="/troubleshooting">
    Symptom-first fixes with a runnable check for each — start here.
  </Card>

  <Card title="Error reference" icon="list" href="/errors">
    The complete status-code and error-class tables, every field documented.
  </Card>
</CardGroup>
