# lockspire v1.0.0 - Table of Contents

Embedded OAuth/OIDC authorization server library for Phoenix applications

## Pages

- [Lockspire](readme.md)

- Guides
  - [Where Lockspire Fits — The Auth Stack at a Glance](ecosystem-overview.md)
  - [Getting Started](getting-started.md)
  - [Install And Onboard](install-and-onboard.md)
  - [Private Key JWT Host Guide](private-key-jwt-host-guide.md)
  - [Custom RAR Consent In A Host Phoenix App](rar-consent-host-guide.md)
  - [Operator And Admin Guide](operator-admin.md)
  - [Dynamic Client Registration](dynamic-registration.md)
  - [Supported Surface](supported-surface.md)
  - [Lockspire + Sigra (same Phoenix host)](sigra-companion-host.md)

- Maintainers
  - [Changelog](changelog.md)
  - [Security Policy](security.md)
  - [Maintainer Conformance Workflow](maintainer-conformance.md)
  - [Maintainer And Release Guide](maintainer-release.md)

## Modules

- [Lockspire](Lockspire.md): Narrow public API for host applications embedding Lockspire.

- [Lockspire.Admin](Lockspire.Admin.md): Operator-facing service boundary for Lockspire admin workflows.

- [Lockspire.Admin.Clients](Lockspire.Admin.Clients.md): Query and command boundary for operator-managed OAuth clients.

- [Lockspire.Admin.Consents](Lockspire.Admin.Consents.md): Shared query and command boundary for operator and host-owned consent workflows.

- [Lockspire.Admin.DeviceAuthorizations](Lockspire.Admin.DeviceAuthorizations.md): Query boundary for operator-managed Device Authorizations.

- [Lockspire.Admin.InitialAccessTokens](Lockspire.Admin.InitialAccessTokens.md): Operator boundary for Initial Access Token lifecycle.

- [Lockspire.Admin.Keys](Lockspire.Admin.Keys.md): Operator-facing query and command boundary for guided signing-key lifecycle work.

- [Lockspire.Admin.ServerPolicy](Lockspire.Admin.ServerPolicy.md): Query and command boundary for Lockspire server policy.

- [Lockspire.Admin.Tokens](Lockspire.Admin.Tokens.md): Shared query and command boundary for operator token support workflows.

- [Lockspire.Application](Lockspire.Application.md): Lockspire OTP application.

- [Lockspire.Audit.Event](Lockspire.Audit.Event.md): Normalized durable audit event payload for append-only incident evidence.

- [Lockspire.Ciba](Lockspire.Ciba.md): Public API for host applications to manage CIBA (Backchannel Authentication) flows.

- [Lockspire.Clients](Lockspire.Clients.md): Durable client registration API for secure Phase 2 client onboarding.

- [Lockspire.Clients.RegistrationResult](Lockspire.Clients.RegistrationResult.md): Result returned from client registration.

- [Lockspire.Config](Lockspire.Config.md): Runtime configuration helpers for the embedded Lockspire library.

- [Lockspire.Domain.CibaAuthorization](Lockspire.Domain.CibaAuthorization.md): Core domain model for OpenID Connect Client-Initiated Backchannel Authentication (CIBA).

- [Lockspire.Domain.Client](Lockspire.Domain.Client.md): Durable client registration state owned by Lockspire.

- [Lockspire.Domain.ConsentGrant](Lockspire.Domain.ConsentGrant.md): Durable consent state granted by an account to a client.

- [Lockspire.Domain.DeviceAuthorization](Lockspire.Domain.DeviceAuthorization.md): Core domain model for OAuth 2.0 Device Authorization Grant (RFC 8628).

- [Lockspire.Domain.DpopReplay](Lockspire.Domain.DpopReplay.md): Durable DPoP proof replay state for the supported acceptance window.

- [Lockspire.Domain.InitialAccessToken](Lockspire.Domain.InitialAccessToken.md): Durable initial access token used to gate `POST /register` when `Lockspire.Domain.ServerPolicy.registration_policy == :initial_access_token`.

- [Lockspire.Domain.Interaction](Lockspire.Domain.Interaction.md): Ephemeral-but-durable authorization interaction state.

- [Lockspire.Domain.LogoutDelivery](Lockspire.Domain.LogoutDelivery.md): Durable per-client, per-channel logout propagation snapshot state.

- [Lockspire.Domain.LogoutEvent](Lockspire.Domain.LogoutEvent.md): Durable protocol-owned logout event state.

- [Lockspire.Domain.PushedAuthorizationRequest](Lockspire.Domain.PushedAuthorizationRequest.md): Durable server-owned state for pushed authorization requests.

- [Lockspire.Domain.ServerPolicy](Lockspire.Domain.ServerPolicy.md): Durable server-wide operator policy owned by Lockspire.

- [Lockspire.Domain.SigningKey](Lockspire.Domain.SigningKey.md): Durable signing-key lifecycle state for JWKS publication and rotation.

- [Lockspire.Domain.Token](Lockspire.Domain.Token.md): Durable token and token-family state owned by Lockspire.

- [Lockspire.Domain.UsedJti](Lockspire.Domain.UsedJti.md): Domain struct representing a used JTI (JWT ID) to prevent replay attacks.

- [Lockspire.ErrorView](Lockspire.ErrorView.md): Minimal error view used by the Lockspire endpoint when a controller or LiveView raises during dispatch.

- [Lockspire.Generators.Install](Lockspire.Generators.Install.md): Generates editable Lockspire host integration files inside a Phoenix app.

- [Lockspire.Generators.Templates](Lockspire.Generators.Templates.md): Template inventory for generated host-owned Lockspire integration files.

- [Lockspire.Host.AccountResolver](Lockspire.Host.AccountResolver.md): Singular host seam for account lookup, claim material, and login handoff.

- [Lockspire.Host.BackchannelNotification](Lockspire.Host.BackchannelNotification.md): Behaviour for triggering out-of-band notifications to users during CIBA flows.

- [Lockspire.Host.Claims](Lockspire.Host.Claims.md): Structured claim material returned by the host account resolver.

- [Lockspire.Host.Context](Lockspire.Host.Context.md): Contextual information passed to host integration callbacks.

- [Lockspire.Host.DefaultDelegationValidator](Lockspire.Host.DefaultDelegationValidator.md): A default implementation of `Lockspire.Host.TokenExchangeValidator` that properly structures the `act` (actor) claim when delegating tokens according to RFC 8693.

- [Lockspire.Host.DefaultDenyTokenExchangeValidator](Lockspire.Host.DefaultDenyTokenExchangeValidator.md): Default implementation of the token exchange validator that denies all requests.

- [Lockspire.Host.InteractionResult](Lockspire.Host.InteractionResult.md): Structured login handoff returned by the host account resolver.

- [Lockspire.Host.TokenExchangeContext](Lockspire.Host.TokenExchangeContext.md): Context data carrier for the token exchange flow.

- [Lockspire.Host.TokenExchangeValidator](Lockspire.Host.TokenExchangeValidator.md): Behaviour for validating token exchange requests against host application business logic.

- [Lockspire.Install.Manifest](Lockspire.Install.Manifest.md): Manifest storage for Lockspire-managed generated scaffolding.

- [Lockspire.Install.Verify](Lockspire.Install.Verify.md): Install-time diagnostics for the canonical embedded Lockspire host integration.

- [Lockspire.Install.Verify.Check](Lockspire.Install.Verify.Check.md): Small helpers for normalized install verification checks.

- [Lockspire.JwksFetcher](Lockspire.JwksFetcher.md): Fetches and caches JSON Web Key Sets (JWKS) dynamically using Req and Cachex.

- [Lockspire.LiveDashboardPage](Lockspire.LiveDashboardPage.md): A custom LiveDashboard page for Lockspire.

- [Lockspire.Oban](Lockspire.Oban.md): Named Oban instance owned by Lockspire for durable protocol work.

- [Lockspire.Observability](Lockspire.Observability.md): Shared audit and telemetry emission helpers.

- [Lockspire.Protocol.AuthorizationFlow](Lockspire.Protocol.AuthorizationFlow.md): Orchestrates durable authorization interactions, consent decisions, and code issuance.

- [Lockspire.Protocol.AuthorizationRequest](Lockspire.Protocol.AuthorizationRequest.md): Validates `/authorize` request parameters before any web or host handoff occurs.

- [Lockspire.Protocol.AuthorizationRequest.Error](Lockspire.Protocol.AuthorizationRequest.Error.md): Browser-safe or redirect-safe authorization request validation error.

- [Lockspire.Protocol.AuthorizationRequest.Validated](Lockspire.Protocol.AuthorizationRequest.Validated.md): Canonical validated `/authorize` request state.

- [Lockspire.Protocol.BackchannelAuthentication](Lockspire.Protocol.BackchannelAuthentication.md): Protocol pipeline for CIBA Backchannel Authentication (OpenID Connect CIBA).

- [Lockspire.Protocol.BackchannelAuthentication.Error](Lockspire.Protocol.BackchannelAuthentication.Error.md): Error response for CIBA backchannel authorization.

- [Lockspire.Protocol.BackchannelAuthentication.Success](Lockspire.Protocol.BackchannelAuthentication.Success.md): Successful CIBA backchannel authorization response.

- [Lockspire.Protocol.ClientAuth](Lockspire.Protocol.ClientAuth.md): Shared token-endpoint client authentication for OAuth lifecycle surfaces.

- [Lockspire.Protocol.ClientAuth.Error](Lockspire.Protocol.ClientAuth.Error.md): Client authentication failure returned to OAuth protocol handlers.

- [Lockspire.Protocol.ConsentPolicy](Lockspire.Protocol.ConsentPolicy.md): Pure remembered-consent rules for authorization interactions.

- [Lockspire.Protocol.DPoP](Lockspire.Protocol.DPoP.md): DPoP proof decoding, verification, and proof-key thumbprint helpers.

- [Lockspire.Protocol.DcrPolicy](Lockspire.Protocol.DcrPolicy.md): Resolves the effective DCR policy for an inbound RFC 7591 client registration request as the intersection of

- [Lockspire.Protocol.DeviceAuthorization](Lockspire.Protocol.DeviceAuthorization.md): Protocol pipeline for Device Authorization (RFC 8628).

- [Lockspire.Protocol.DeviceAuthorization.Error](Lockspire.Protocol.DeviceAuthorization.Error.md): Error response for device authorization.

- [Lockspire.Protocol.DeviceAuthorization.Success](Lockspire.Protocol.DeviceAuthorization.Success.md): Successful device authorization response.

- [Lockspire.Protocol.DeviceVerification](Lockspire.Protocol.DeviceVerification.md): Narrow lookup and approval seam for host-owned device verification UX.

- [Lockspire.Protocol.DeviceVerification.PendingAuthorization](Lockspire.Protocol.DeviceVerification.PendingAuthorization.md): Pending device authorization context exposed to the host verification seam.

- [Lockspire.Protocol.Discovery](Lockspire.Protocol.Discovery.md): Builds truth-based OIDC discovery metadata from Lockspire config and mounted routes.

- [Lockspire.Protocol.Discovery.AuthorizationResponseCapabilities](Lockspire.Protocol.Discovery.AuthorizationResponseCapabilities.md): Publishes truthful authorization-response discovery metadata from mounted surfaces and the effective issuer signing posture.

- [Lockspire.Protocol.DpopPolicy](Lockspire.Protocol.DpopPolicy.md): Resolves effective DPoP policy from server-wide defaults and client overrides.

- [Lockspire.Protocol.EndSession](Lockspire.Protocol.EndSession.md): Validates RP-initiated logout requests before any host logout redirect occurs.

- [Lockspire.Protocol.EndSession.Error](Lockspire.Protocol.EndSession.Error.md): End-session validation error payload.

- [Lockspire.Protocol.EndSession.Result](Lockspire.Protocol.EndSession.Result.md): Canonical validated end-session state.

- [Lockspire.Protocol.FAPI20EnforcerPlug](Lockspire.Protocol.FAPI20EnforcerPlug.md): Boundary fail-fast enforcer for FAPI 2.0 Security Profile.

- [Lockspire.Protocol.IdToken](Lockspire.Protocol.IdToken.md): Builds and signs minimal OIDC ID tokens with Lockspire-owned protocol claims.

- [Lockspire.Protocol.InitialAccessToken](Lockspire.Protocol.InitialAccessToken.md): Initial access token (IAT) lifecycle — atomic redemption.

- [Lockspire.Protocol.Introspection](Lockspire.Protocol.Introspection.md): Returns caller-authorized opaque token state while collapsing inactive outcomes to `active: false`.

- [Lockspire.Protocol.Introspection.Error](Lockspire.Protocol.Introspection.Error.md): Introspection endpoint error payload.

- [Lockspire.Protocol.Introspection.Success](Lockspire.Protocol.Introspection.Success.md): Successful introspection context with protocol-owned payload truth and signer inputs.

- [Lockspire.Protocol.IntrospectionJwt](Lockspire.Protocol.IntrospectionJwt.md): Signs RFC 9701 JWT token introspection responses from protocol-owned success context.

- [Lockspire.Protocol.Jar](Lockspire.Protocol.Jar.md): JWT Secured Authorization Request (JAR) foundation.

- [Lockspire.Protocol.Jarm](Lockspire.Protocol.Jarm.md): Core JARM (JWT Secured Authorization Response Mode) encoder.

- [Lockspire.Protocol.Jwks](Lockspire.Protocol.Jwks.md): Builds a public JWK set from publishable durable signing keys.

- [Lockspire.Protocol.LogoutPropagation](Lockspire.Protocol.LogoutPropagation.md): Owns `/end_session/complete` logout propagation orchestration.

- [Lockspire.Protocol.LogoutToken](Lockspire.Protocol.LogoutToken.md): Signs OIDC Back-Channel Logout tokens from durable logout snapshot state.

- [Lockspire.Protocol.MessageSigningProfile](Lockspire.Protocol.MessageSigningProfile.md): Canonical readiness and transition rules for the strict message-signing profile.

- [Lockspire.Protocol.ParPolicy](Lockspire.Protocol.ParPolicy.md): Resolves effective PAR policy from server-wide defaults and client overrides.

- [Lockspire.Protocol.ProtectedResourceDPoP](Lockspire.Protocol.ProtectedResourceDPoP.md): Validates DPoP-bound access token use on Lockspire-owned protected resources.

- [Lockspire.Protocol.PushedAuthorizationRequest](Lockspire.Protocol.PushedAuthorizationRequest.md): Accepts pushed authorization requests and returns opaque PAR references.

- [Lockspire.Protocol.PushedAuthorizationRequest.Error](Lockspire.Protocol.PushedAuthorizationRequest.Error.md): PAR error payload safe for JSON responses.

- [Lockspire.Protocol.PushedAuthorizationRequest.Success](Lockspire.Protocol.PushedAuthorizationRequest.Success.md): Successful PAR response payload.

- [Lockspire.Protocol.RefreshExchange](Lockspire.Protocol.RefreshExchange.md): Rotates refresh tokens and revokes the full family on reuse.

- [Lockspire.Protocol.Registration](Lockspire.Protocol.Registration.md): RFC 7591 dynamic client registration intake — `Plug.Conn`-free orchestrator.

- [Lockspire.Protocol.RegistrationAccessToken](Lockspire.Protocol.RegistrationAccessToken.md): Registration access token (RAT) primitives — generate, hash, verify.

- [Lockspire.Protocol.RegistrationManagement](Lockspire.Protocol.RegistrationManagement.md): RFC 7592 dynamic client registration management — `Plug.Conn`-free orchestrator.

- [Lockspire.Protocol.RequestObject](Lockspire.Protocol.RequestObject.md): Orchestrates JAR (RFC 9101) request-object consumption for `/authorize` and `/par`.

- [Lockspire.Protocol.Revocation](Lockspire.Protocol.Revocation.md): Revokes client-bound opaque access and refresh tokens with RFC-safe success semantics.

- [Lockspire.Protocol.Revocation.Error](Lockspire.Protocol.Revocation.Error.md): Revocation endpoint error payload.

- [Lockspire.Protocol.Rfc8693Exchange](Lockspire.Protocol.Rfc8693Exchange.md): Implements OAuth 2.0 Token Exchange (RFC 8693).

- [Lockspire.Protocol.SecurityProfile](Lockspire.Protocol.SecurityProfile.md): Resolves effective security profile from server-wide defaults and client overrides.

- [Lockspire.Protocol.TokenEndpointDPoP](Lockspire.Protocol.TokenEndpointDPoP.md): Resolves shared DPoP issuance context for token-endpoint exchanges.

- [Lockspire.Protocol.TokenExchange](Lockspire.Protocol.TokenExchange.md): Redeems Phase 2 authorization codes into durable opaque bearer access tokens.

- [Lockspire.Protocol.TokenExchange.Delegation](Lockspire.Protocol.TokenExchange.Delegation.md): Handles token exchange delegation logic, including depth limits.

- [Lockspire.Protocol.TokenExchange.Error](Lockspire.Protocol.TokenExchange.Error.md): Token endpoint error payload.

- [Lockspire.Protocol.TokenExchange.Success](Lockspire.Protocol.TokenExchange.Success.md): Successful token endpoint response payload.

- [Lockspire.Protocol.Userinfo](Lockspire.Protocol.Userinfo.md): Resolves OIDC userinfo from durable opaque bearer tokens and host claims.

- [Lockspire.Protocol.Userinfo.Error](Lockspire.Protocol.Userinfo.Error.md): Userinfo endpoint error payload.

- [Lockspire.Redaction](Lockspire.Redaction.md): Shared redaction helpers for telemetry and durable audit metadata.

- [Lockspire.Security.DeviceCode](Lockspire.Security.DeviceCode.md): Utilities for generating secure device authorization codes.

- [Lockspire.Security.Policy](Lockspire.Security.Policy.md): Shared security invariants for boot-time posture and protocol/runtime checks.

- [Lockspire.Storage.CibaAuthorizationStore](Lockspire.Storage.CibaAuthorizationStore.md): Behaviour for storing and managing CIBA Authorizations.

- [Lockspire.Storage.ClientStore](Lockspire.Storage.ClientStore.md): Domain-level persistence contract for OAuth clients.

- [Lockspire.Storage.ConsentStore](Lockspire.Storage.ConsentStore.md): Domain-level persistence contract for consent grants.

- [Lockspire.Storage.DeviceAuthorizationStore](Lockspire.Storage.DeviceAuthorizationStore.md): Behaviour for storing and managing OAuth 2.0 Device Authorizations.

- [Lockspire.Storage.DpopReplayStore](Lockspire.Storage.DpopReplayStore.md): Domain-level persistence contract for DPoP replay detection state.

- [Lockspire.Storage.Ecto.CibaAuthorizationRecord](Lockspire.Storage.Ecto.CibaAuthorizationRecord.md)

- [Lockspire.Storage.Ecto.DeviceAuthorizationRecord](Lockspire.Storage.Ecto.DeviceAuthorizationRecord.md)

- [Lockspire.Storage.Ecto.Repository](Lockspire.Storage.Ecto.Repository.md): Default Ecto-backed implementation for Lockspire's domain storage contracts.

- [Lockspire.Storage.Ecto.UsedJtiRecord](Lockspire.Storage.Ecto.UsedJtiRecord.md): Ecto schema for storing used JTIs to prevent replay attacks.

- [Lockspire.Storage.InteractionStore](Lockspire.Storage.InteractionStore.md): Domain-level persistence contract for authorization interactions.

- [Lockspire.Storage.KeyStore](Lockspire.Storage.KeyStore.md): Domain-level persistence contract for signing keys.

- [Lockspire.Storage.LogoutStore](Lockspire.Storage.LogoutStore.md): Domain-level persistence contract for durable logout propagation state.

- [Lockspire.Storage.PushedAuthorizationRequestStore](Lockspire.Storage.PushedAuthorizationRequestStore.md): Domain-level persistence contract for pushed authorization request state.

- [Lockspire.Storage.ServerPolicyStore](Lockspire.Storage.ServerPolicyStore.md): Domain-level persistence contract for Lockspire server policy.

- [Lockspire.Storage.TokenStore](Lockspire.Storage.TokenStore.md): Domain-level persistence contract for access and refresh token state.

- [Lockspire.Storage.UsedJtiStore](Lockspire.Storage.UsedJtiStore.md): Behaviour for tracking and verifying used JTIs to prevent replay attacks.

- [Lockspire.Web.AuthorizeController](Lockspire.Web.AuthorizeController.md): Thin `/authorize` delivery adapter.

- [Lockspire.Web.AuthorizeHTML](Lockspire.Web.AuthorizeHTML.md): First-party HTML rendering for unsafe authorization errors.

- [Lockspire.Web.BCAuthorizeController](Lockspire.Web.BCAuthorizeController.md): Thin `/bc-authorize` delivery adapter for CIBA request intake.

- [Lockspire.Web.ConsentLive](Lockspire.Web.ConsentLive.md): Reference consent surface rendered from durable interaction state.

- [Lockspire.Web.DeviceAuthorizationController](Lockspire.Web.DeviceAuthorizationController.md): Thin `/device/code` delivery adapter for device authorization request intake.

- [Lockspire.Web.DiscoveryController](Lockspire.Web.DiscoveryController.md): Thin discovery delivery adapter.

- [Lockspire.Web.EndSessionController](Lockspire.Web.EndSessionController.md): Thin `/end_session` delivery adapter for OIDC RP-initiated logout.

- [Lockspire.Web.InteractionController](Lockspire.Web.InteractionController.md): Delivery adapter for host login handoff and consent finalization.

- [Lockspire.Web.IntrospectionController](Lockspire.Web.IntrospectionController.md): Thin `/introspect` delivery adapter over protocol-owned opaque token classification.

- [Lockspire.Web.JwksController](Lockspire.Web.JwksController.md): Thin JWKS delivery adapter.

- [Lockspire.Web.Live.Admin.PoliciesLive.Dcr.PolicyForm](Lockspire.Web.Live.Admin.PoliciesLive.Dcr.PolicyForm.md): Embedded schema and changeset for validating DCR policy form submissions.

- [Lockspire.Web.PushedAuthorizationRequestController](Lockspire.Web.PushedAuthorizationRequestController.md): Thin `/par` delivery adapter for pushed authorization request intake.

- [Lockspire.Web.RegistrationController](Lockspire.Web.RegistrationController.md)

- [Lockspire.Web.RevocationController](Lockspire.Web.RevocationController.md): Thin `/revoke` delivery adapter for client-bound lifecycle token revocation.

- [Lockspire.Web.Router](Lockspire.Web.Router.md): Mountable Phoenix router exposing Lockspire's host-facing interaction entrypoints.

- [Lockspire.Web.TokenController](Lockspire.Web.TokenController.md): Thin `/token` delivery adapter for OAuth token exchange.

- [Lockspire.Web.UserinfoController](Lockspire.Web.UserinfoController.md): Thin `/userinfo` delivery adapter over protocol-owned bearer validation.

- [Lockspire.Workers.BackchannelLogoutDeliveryWorker](Lockspire.Workers.BackchannelLogoutDeliveryWorker.md): Delivers back-channel logout notifications from persisted delivery snapshots.

- [Lockspire.Workers.CibaNotificationWorker](Lockspire.Workers.CibaNotificationWorker.md): Delivers CIBA (Backchannel Authentication) notifications to Relying Parties. Supports both Ping and Push delivery modes.

- [Lockspire.Workers.Pruner](Lockspire.Workers.Pruner.md): Background worker to aggressively sweep and prune expired domain records.

## Mix Tasks

- [mix lockspire.client.create](Mix.Tasks.Lockspire.Client.Create.md): Register a durable OAuth client from the command line.

- [mix lockspire.install](Mix.Tasks.Lockspire.Install.md): Generate host-owned Lockspire integration files for a Phoenix application.

- [mix lockspire.oidf_conformance](Mix.Tasks.Lockspire.OidfConformance.md): Validate the OIDF FAPI 2.0 conformance preflight environment.

- [mix lockspire.test.setup](Mix.Tasks.Lockspire.Test.Setup.md): Create and migrate the Lockspire test database used by automated checks.

- [mix lockspire.upgrade](Mix.Tasks.Lockspire.Upgrade.md): Upgrade manifest-tracked Lockspire-managed scaffolding only when it is still unchanged.

- [mix lockspire.verify](Mix.Tasks.Lockspire.Verify.md): Verify the canonical Lockspire host install wiring after generation and host edits.