# lockspire v0.2.0 - Table of Contents Embedded OAuth/OIDC authorization server for Phoenix applications ## Pages - [Lockspire](readme.md) - Guides - [Getting Started](getting-started.md) - [Install And Onboard](install-and-onboard.md) - [Operator And Admin Guide](operator-admin.md) - [Supported Surface](supported-surface.md) - [Lockspire + Sigra (same Phoenix host)](sigra-companion-host.md) - Maintainers - [Changelog](changelog.md) - [Security Policy](security.md) - [Maintainer And Release Guide](maintainer-release.md) ## Modules - [Lockspire](Lockspire.md): Narrow public API for host applications embedding Lockspire. - [Lockspire.Admin](Lockspire.Admin.md): Operator-facing service boundary for Lockspire admin workflows. - [Lockspire.Admin.Clients](Lockspire.Admin.Clients.md): Query and command boundary for operator-managed OAuth clients. - [Lockspire.Admin.Consents](Lockspire.Admin.Consents.md): Shared query and command boundary for operator and host-owned consent workflows. - [Lockspire.Admin.Keys](Lockspire.Admin.Keys.md): Operator-facing query and command boundary for guided signing-key lifecycle work. - [Lockspire.Admin.Tokens](Lockspire.Admin.Tokens.md): Shared query and command boundary for operator token support workflows. - [Lockspire.Application](Lockspire.Application.md): Lockspire OTP application. - [Lockspire.Audit.Event](Lockspire.Audit.Event.md): Normalized durable audit event payload for append-only incident evidence. - [Lockspire.Clients](Lockspire.Clients.md): Durable client registration API for secure Phase 2 client onboarding. - [Lockspire.Clients.RegistrationResult](Lockspire.Clients.RegistrationResult.md): Result returned from client registration. - [Lockspire.Config](Lockspire.Config.md): Runtime configuration helpers for the embedded Lockspire library. - [Lockspire.Domain.Client](Lockspire.Domain.Client.md): Durable client registration state owned by Lockspire. - [Lockspire.Domain.ConsentGrant](Lockspire.Domain.ConsentGrant.md): Durable consent state granted by an account to a client. - [Lockspire.Domain.Interaction](Lockspire.Domain.Interaction.md): Ephemeral-but-durable authorization interaction state. - [Lockspire.Domain.SigningKey](Lockspire.Domain.SigningKey.md): Durable signing-key lifecycle state for JWKS publication and rotation. - [Lockspire.Domain.Token](Lockspire.Domain.Token.md): Durable token and token-family state owned by Lockspire. - [Lockspire.Generators.Install](Lockspire.Generators.Install.md): Generates editable Lockspire host integration files inside a Phoenix app. - [Lockspire.Generators.Templates](Lockspire.Generators.Templates.md): Template inventory for generated host-owned Lockspire integration files. - [Lockspire.Host.AccountResolver](Lockspire.Host.AccountResolver.md): Singular host seam for account lookup, claim material, and login handoff. - [Lockspire.Host.Claims](Lockspire.Host.Claims.md): Structured claim material returned by the host account resolver. - [Lockspire.Host.InteractionResult](Lockspire.Host.InteractionResult.md): Structured login handoff returned by the host account resolver. - [Lockspire.Observability](Lockspire.Observability.md): Shared audit and telemetry emission helpers. - [Lockspire.Protocol.AuthorizationFlow](Lockspire.Protocol.AuthorizationFlow.md): Orchestrates durable authorization interactions, consent decisions, and code issuance. - [Lockspire.Protocol.AuthorizationRequest](Lockspire.Protocol.AuthorizationRequest.md): Validates `/authorize` request parameters before any web or host handoff occurs. - [Lockspire.Protocol.AuthorizationRequest.Error](Lockspire.Protocol.AuthorizationRequest.Error.md): Browser-safe or redirect-safe authorization request validation error. - [Lockspire.Protocol.AuthorizationRequest.Validated](Lockspire.Protocol.AuthorizationRequest.Validated.md): Canonical validated `/authorize` request state. - [Lockspire.Protocol.ClientAuth](Lockspire.Protocol.ClientAuth.md): Shared token-endpoint client authentication for OAuth lifecycle surfaces. - [Lockspire.Protocol.ClientAuth.Error](Lockspire.Protocol.ClientAuth.Error.md): Client authentication failure returned to OAuth protocol handlers. - [Lockspire.Protocol.ConsentPolicy](Lockspire.Protocol.ConsentPolicy.md): Pure remembered-consent rules for authorization interactions. - [Lockspire.Protocol.Discovery](Lockspire.Protocol.Discovery.md): Builds truth-based OIDC discovery metadata from Lockspire config and mounted routes. - [Lockspire.Protocol.IdToken](Lockspire.Protocol.IdToken.md): Builds and signs minimal OIDC ID tokens with Lockspire-owned protocol claims. - [Lockspire.Protocol.Introspection](Lockspire.Protocol.Introspection.md): Returns caller-authorized opaque token state while collapsing inactive outcomes to `active: false`. - [Lockspire.Protocol.Introspection.Error](Lockspire.Protocol.Introspection.Error.md): Introspection endpoint error payload. - [Lockspire.Protocol.Jwks](Lockspire.Protocol.Jwks.md): Builds a public JWK set from publishable durable signing keys. - [Lockspire.Protocol.RefreshExchange](Lockspire.Protocol.RefreshExchange.md): Rotates refresh tokens and revokes the full family on reuse. - [Lockspire.Protocol.Revocation](Lockspire.Protocol.Revocation.md): Revokes client-bound opaque access and refresh tokens with RFC-safe success semantics. - [Lockspire.Protocol.Revocation.Error](Lockspire.Protocol.Revocation.Error.md): Revocation endpoint error payload. - [Lockspire.Protocol.TokenExchange](Lockspire.Protocol.TokenExchange.md): Redeems Phase 2 authorization codes into durable opaque bearer access tokens. - [Lockspire.Protocol.TokenExchange.Error](Lockspire.Protocol.TokenExchange.Error.md): Token endpoint error payload. - [Lockspire.Protocol.TokenExchange.Success](Lockspire.Protocol.TokenExchange.Success.md): Successful token endpoint response payload. - [Lockspire.Protocol.Userinfo](Lockspire.Protocol.Userinfo.md): Resolves OIDC userinfo from durable opaque bearer tokens and host claims. - [Lockspire.Protocol.Userinfo.Error](Lockspire.Protocol.Userinfo.Error.md): Userinfo endpoint error payload. - [Lockspire.Redaction](Lockspire.Redaction.md): Shared redaction helpers for telemetry and durable audit metadata. - [Lockspire.Security.Policy](Lockspire.Security.Policy.md): Shared security invariants for boot-time posture and protocol/runtime checks. - [Lockspire.Storage.ClientStore](Lockspire.Storage.ClientStore.md): Domain-level persistence contract for OAuth clients. - [Lockspire.Storage.ConsentStore](Lockspire.Storage.ConsentStore.md): Domain-level persistence contract for consent grants. - [Lockspire.Storage.Ecto.Repository](Lockspire.Storage.Ecto.Repository.md): Default Ecto-backed implementation for Lockspire's domain storage contracts. - [Lockspire.Storage.InteractionStore](Lockspire.Storage.InteractionStore.md): Domain-level persistence contract for authorization interactions. - [Lockspire.Storage.KeyStore](Lockspire.Storage.KeyStore.md): Domain-level persistence contract for signing keys. - [Lockspire.Storage.TokenStore](Lockspire.Storage.TokenStore.md): Domain-level persistence contract for access and refresh token state. - [Lockspire.Web.AuthorizeController](Lockspire.Web.AuthorizeController.md): Thin `/authorize` delivery adapter. - [Lockspire.Web.AuthorizeHTML](Lockspire.Web.AuthorizeHTML.md): First-party HTML rendering for unsafe authorization errors. - [Lockspire.Web.ConsentLive](Lockspire.Web.ConsentLive.md): Reference consent surface rendered from durable interaction state. - [Lockspire.Web.DiscoveryController](Lockspire.Web.DiscoveryController.md): Thin discovery delivery adapter. - [Lockspire.Web.InteractionController](Lockspire.Web.InteractionController.md): Delivery adapter for host login handoff and consent finalization. - [Lockspire.Web.IntrospectionController](Lockspire.Web.IntrospectionController.md): Thin `/introspect` delivery adapter over protocol-owned opaque token classification. - [Lockspire.Web.JwksController](Lockspire.Web.JwksController.md): Thin JWKS delivery adapter. - [Lockspire.Web.RevocationController](Lockspire.Web.RevocationController.md): Thin `/revoke` delivery adapter for client-bound lifecycle token revocation. - [Lockspire.Web.Router](Lockspire.Web.Router.md): Mountable Phoenix router exposing Lockspire's host-facing interaction entrypoints. - [Lockspire.Web.TokenController](Lockspire.Web.TokenController.md): Thin `/token` delivery adapter for authorization code exchange. - [Lockspire.Web.UserinfoController](Lockspire.Web.UserinfoController.md): Thin `/userinfo` delivery adapter over protocol-owned bearer validation. ## Mix Tasks - [mix lockspire.client.create](Mix.Tasks.Lockspire.Client.Create.md): Register a durable OAuth client from the command line. - [mix lockspire.install](Mix.Tasks.Lockspire.Install.md): Generate host-owned Lockspire integration files for a Phoenix application. - [mix lockspire.test.setup](Mix.Tasks.Lockspire.Test.Setup.md): Create and migrate the Lockspire test database used by automated checks.