Introduction
Phosra is an accredited provider on the Open Child Safety Specification (OCSS) — the open standard for age-appropriate access control. Phosra implements OCSS; it does not own it.
The relationship is the same as Yubico shipping a FIDO2-conformant authentication key: Yubico implements FIDO2; the FIDO Alliance owns the standard. Phosra implements OCSS; the OCSS stewardship body owns the standard. The consequence for every API call, receipt, and SDK import in this documentation: the protocol signing and verification primitives are not Phosra code — they are the open OCSS library, @openchildsafety/ocss, re-exported without modification.
Two halves
Every surface in this documentation belongs to one of two clearly-separated halves.
The Phosra control plane
Management operations over the Phosra platform: create developer orgs, provision and revoke phosra_-prefixed API keys, register and consult advisor agents, declare OCSS payload keys for federation, mint and revoke MCP tokens, and pull hourly usage rollups. All management operations use standard HTTP Bearer authentication. This is the Phosra-specific surface.
The OCSS protocol
The open protocol surface: signed write receipts, sealed envelopes, the Trust List, the succession record, and the 115-category rule vocabulary — all sourced from @openchildsafety/ocss, the vendor-neutral OCSS reference library. Phosra adds zero cryptographic logic here. In preview, the /protocol subpath of @phosra/sdk-dev will re-export @openchildsafety/ocss verbatim. If you later integrate a different OCSS-conformant provider, this surface is identical across implementations.
What is live today
Live now — no account required:
- The OCSS Trust List, served at
/.well-known/ocss/trust-list— validly signed against the published root key (root-prod-2026-06). Production accreditation entries are added through OCSS governance; no test or sandbox keys are present in production. - The Ed25519-signed succession record, served at
/.well-known/ocss-succession— the steward-of-record and anti-capture covenant in machine-checkable form.
Live now — auth-gated:
- The Phosra control-plane management API at
https://prodapi.phosra.com/api/v1(requires aphosra_API key). Covers orgs, API keys, usage, advisor agents, and MCP tokens.
Preview — committed shape, not yet deployed:
- The public
/v1/checkdecision endpoint and the full self-serve developer funnel (API key provisioning without a direct handshake, published@phosra/sdk-devand@phosra/mcppackages).
Each page in this documentation labels its live-vs-preview status explicitly. No endpoint is implied live unless marked as such.
Base URL
https://prodapi.phosra.com/api/v1
All Phosra control-plane management requests use this base URL. Override for local development with http://localhost:8080/api/v1.
The standard lives at openchildsafety.com
The OCSS specification, 115-category rule registry, and conformance suite are published at openchildsafety.com — not here. Phosra does not host, own, or gatekeep the standard. That separation is the asset: a standard you cannot capture is one you can build on.