API Reference: lockspire v1.0.0

Modules
Narrow public API for host applications embedding Lockspire.
Operator-facing service boundary for Lockspire admin workflows.
Query and command boundary for operator-managed OAuth clients.
Shared query and command boundary for operator and host-owned consent workflows.
Query boundary for operator-managed Device Authorizations.
Operator boundary for Initial Access Token lifecycle.
Operator-facing query and command boundary for guided signing-key lifecycle work.
Query and command boundary for Lockspire server policy.
Shared query and command boundary for operator token support workflows.
Lockspire OTP application.
Normalized durable audit event payload for append-only incident evidence.
Public API for host applications to manage CIBA (Backchannel Authentication) flows.
Durable client registration API for secure Phase 2 client onboarding.
Result returned from client registration.
Runtime configuration helpers for the embedded Lockspire library.
Core domain model for OpenID Connect Client-Initiated Backchannel Authentication (CIBA).
Durable client registration state owned by Lockspire.
Durable consent state granted by an account to a client.
Core domain model for OAuth 2.0 Device Authorization Grant (RFC 8628).
Durable DPoP proof replay state for the supported acceptance window.
Durable initial access token used to gate POST /register when Lockspire.Domain.ServerPolicy.registration_policy == :initial_access_token.
Ephemeral-but-durable authorization interaction state.
Durable per-client, per-channel logout propagation snapshot state.
Durable protocol-owned logout event state.
Durable server-owned state for pushed authorization requests.
Durable server-wide operator policy owned by Lockspire.
Durable signing-key lifecycle state for JWKS publication and rotation.
Durable token and token-family state owned by Lockspire.
Domain struct representing a used JTI (JWT ID) to prevent replay attacks.
Minimal error view used by the Lockspire endpoint when a controller or LiveView raises during dispatch.
Generates editable Lockspire host integration files inside a Phoenix app.
Template inventory for generated host-owned Lockspire integration files.
Singular host seam for account lookup, claim material, and login handoff.
Behaviour for triggering out-of-band notifications to users during CIBA flows.
Structured claim material returned by the host account resolver.
Contextual information passed to host integration callbacks.
A default implementation of Lockspire.Host.TokenExchangeValidator that properly structures the act (actor) claim when delegating tokens according to RFC 8693.
Default implementation of the token exchange validator that denies all requests.
Structured login handoff returned by the host account resolver.
Context data carrier for the token exchange flow.
Behaviour for validating token exchange requests against host application business logic.
Manifest storage for Lockspire-managed generated scaffolding.
Install-time diagnostics for the canonical embedded Lockspire host integration.
Small helpers for normalized install verification checks.
Fetches and caches JSON Web Key Sets (JWKS) dynamically using Req and Cachex.
A custom LiveDashboard page for Lockspire.
Named Oban instance owned by Lockspire for durable protocol work.
Shared audit and telemetry emission helpers.
Orchestrates durable authorization interactions, consent decisions, and code issuance.
Validates /authorize request parameters before any web or host handoff occurs.
Browser-safe or redirect-safe authorization request validation error.
Canonical validated /authorize request state.
Protocol pipeline for CIBA Backchannel Authentication (OpenID Connect CIBA).
Error response for CIBA backchannel authorization.
Successful CIBA backchannel authorization response.
Shared token-endpoint client authentication for OAuth lifecycle surfaces.
Client authentication failure returned to OAuth protocol handlers.
Pure remembered-consent rules for authorization interactions.
DPoP proof decoding, verification, and proof-key thumbprint helpers.
Resolves the effective DCR policy for an inbound RFC 7591 client registration request as the intersection of
Protocol pipeline for Device Authorization (RFC 8628).
Error response for device authorization.
Successful device authorization response.
Narrow lookup and approval seam for host-owned device verification UX.
Pending device authorization context exposed to the host verification seam.
Builds truth-based OIDC discovery metadata from Lockspire config and mounted routes.
Publishes truthful authorization-response discovery metadata from mounted surfaces and the effective issuer signing posture.
Resolves effective DPoP policy from server-wide defaults and client overrides.
Validates RP-initiated logout requests before any host logout redirect occurs.
End-session validation error payload.
Canonical validated end-session state.
Boundary fail-fast enforcer for FAPI 2.0 Security Profile.
Builds and signs minimal OIDC ID tokens with Lockspire-owned protocol claims.
Initial access token (IAT) lifecycle — atomic redemption.
Returns caller-authorized opaque token state while collapsing inactive outcomes to active: false.
Introspection endpoint error payload.
Successful introspection context with protocol-owned payload truth and signer inputs.
Signs RFC 9701 JWT token introspection responses from protocol-owned success context.
JWT Secured Authorization Request (JAR) foundation.
Core JARM (JWT Secured Authorization Response Mode) encoder.
Builds a public JWK set from publishable durable signing keys.
Owns /end_session/complete logout propagation orchestration.
Signs OIDC Back-Channel Logout tokens from durable logout snapshot state.
Canonical readiness and transition rules for the strict message-signing profile.
Resolves effective PAR policy from server-wide defaults and client overrides.
Validates DPoP-bound access token use on Lockspire-owned protected resources.
Accepts pushed authorization requests and returns opaque PAR references.
PAR error payload safe for JSON responses.
Successful PAR response payload.
Rotates refresh tokens and revokes the full family on reuse.
RFC 7591 dynamic client registration intake — Plug.Conn-free orchestrator.
Registration access token (RAT) primitives — generate, hash, verify.
RFC 7592 dynamic client registration management — Plug.Conn-free orchestrator.
Orchestrates JAR (RFC 9101) request-object consumption for /authorize and /par.
Revokes client-bound opaque access and refresh tokens with RFC-safe success semantics.
Revocation endpoint error payload.
Implements OAuth 2.0 Token Exchange (RFC 8693).
Resolves effective security profile from server-wide defaults and client overrides.
Resolves shared DPoP issuance context for token-endpoint exchanges.
Redeems Phase 2 authorization codes into durable opaque bearer access tokens.
Handles token exchange delegation logic, including depth limits.
Token endpoint error payload.
Successful token endpoint response payload.
Resolves OIDC userinfo from durable opaque bearer tokens and host claims.
Userinfo endpoint error payload.
Shared redaction helpers for telemetry and durable audit metadata.
Utilities for generating secure device authorization codes.
Shared security invariants for boot-time posture and protocol/runtime checks.
Behaviour for storing and managing CIBA Authorizations.
Domain-level persistence contract for OAuth clients.
Domain-level persistence contract for consent grants.
Behaviour for storing and managing OAuth 2.0 Device Authorizations.
Domain-level persistence contract for DPoP replay detection state.
Default Ecto-backed implementation for Lockspire's domain storage contracts.
Ecto schema for storing used JTIs to prevent replay attacks.
Domain-level persistence contract for authorization interactions.
Domain-level persistence contract for signing keys.
Domain-level persistence contract for durable logout propagation state.
Domain-level persistence contract for pushed authorization request state.
Domain-level persistence contract for Lockspire server policy.
Domain-level persistence contract for access and refresh token state.
Behavior for tracking and verifying used JTIs to prevent replay attacks.
Thin /authorize delivery adapter.
First-party HTML rendering for unsafe authorization errors.
Thin /bc-authorize delivery adapter for CIBA request intake.
Reference consent surface rendered from durable interaction state.
Thin /device/code delivery adapter for device authorization request intake.
Thin discovery delivery adapter.
Thin /end_session delivery adapter for OIDC RP-initiated logout.
Delivery adapter for host login handoff and consent finalization.
Thin /introspect delivery adapter over protocol-owned opaque token classification.
Thin JWKS delivery adapter.
Embedded schema and changeset for validating DCR policy form submissions.
Thin /par delivery adapter for pushed authorization request intake.
Thin /revoke delivery adapter for client-bound lifecycle token revocation.
Mountable Phoenix router exposing Lockspire's host-facing interaction entrypoints.
Thin /token delivery adapter for OAuth token exchange.
Thin /userinfo delivery adapter over protocol-owned bearer validation.
Delivers back-channel logout notifications from persisted delivery snapshots.
Delivers CIBA (Backchannel Authentication) notifications to Relying Parties. Supports both Ping and Push delivery modes.
Background worker to aggressively sweep and prune expired domain records.
Mix Tasks
Register a durable OAuth client from the command line.
Generate host-owned Lockspire integration files for a Phoenix application.
Validate the OIDF FAPI 2.0 conformance preflight environment.
Create and migrate the Lockspire test database used by automated checks.
Upgrade manifest-tracked Lockspire-managed scaffolding only when it is still unchanged.
Verify the canonical Lockspire host install wiring after generation and host edits.