Lockspire + Sigra (same Phoenix host)


Lockspire is an embedded OAuth/OIDC authorization server for third-party clients of your API. Sigra is your end-user authentication stack (sessions, passwords, MFA, passkeys, “login with Google” via Assent, admin, audit).

This document is the Lockspire-side counterpart to Sigra’s recipe Companion OAuth provider (guides/recipes/companion-oauth-provider.md on hexdocs).

Boundaries (do not blur)

| Own in Sigra / host | Own in Lockspire |
| --- | --- |
| User table, sessions, MFA, passkeys, login UX | Clients, codes, tokens, consent protocol, JWKS, discovery |
| `sub` identity for your users | Authorization decisions for external OAuth clients |

Lockspire must not import Sigra at compile time. Integration is host-generated code: your AccountResolver reads the same session Sigra established.

Install hint

mix lockspire.install --sigra-host

This adds Sigra-oriented comments (and a @moduledoc) to the generated AccountResolver stub. You still implement the real resolve_current_account/2 and the claim building yourself.

  1. Ship Sigra end-user auth first (register, login, orgs if needed).
  2. Add Lockspire; complete Phase 3 (OIDC + token lifecycle) before exposing third-party integrations broadly.
  3. Point login_path at your real Sigra login route; preserve return_to / interaction_id query params Lockspire needs.
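The following is an added example of what the host-generated AccountResolver described above might look like; it is not Lockspire's or Sigra's own code. Everything about the callback is assumed: that Lockspire calls resolve_current_account/2 with a `%Plug.Conn{}` and an options keyword list, that it expects `{:ok, map}` or `:unauthenticated` back, that Sigra stores the user id in the Plug session under a key named `:sigra_user_id`, and that `MyApp.Accounts.get_user/1` and the `email_confirmed_at` field exist in the host app. Check the generated stub and your Sigra install for the real names before using any of it. It also shows the login redirect from step 3, carrying the `return_to` and `interaction_id` query params through to the Sigra login route.

```elixir
# Added example (hypothetical host code, not from Lockspire or Sigra).
# Assumptions, all labelled: the callback signature and return shape,
# the session key Sigra writes, and the MyApp.Accounts helper.
defmodule MyAppWeb.Lockspire.AccountResolver do
  import Plug.Conn

  # Hypothetical: use whatever key Sigra's session plug actually writes.
  @session_key :sigra_user_id

  # Query params Lockspire needs back after login (string keys, as in conn.query_params).
  @preserved_params ~w(return_to interaction_id)

  @doc """
  Resolves the end user for an authorization request by reading the session
  Sigra established. Lockspire never sees Sigra's user schema; it receives only
  the `sub` and the claims the host chooses to expose.
  """
  def resolve_current_account(%Plug.Conn{} = conn, _opts) do
    with user_id when not is_nil(user_id) <- get_session(conn, @session_key),
         %{} = user <- MyApp.Accounts.get_user(user_id) do
      {:ok, %{sub: to_string(user.id), claims: build_claims(user)}}
    else
      # No session, or the session points at a user that no longer exists.
      _ -> :unauthenticated
    end
  end

  # Build OIDC claims from the Sigra user. Only stable, non-secret attributes
  # belong here; password hashes, MFA secrets and passkey material stay in Sigra.
  def build_claims(user) do
    %{
      "sub" => to_string(user.id),
      "email" => user.email,
      # Hypothetical field name; derive email_verified from your own schema.
      "email_verified" => not is_nil(user.email_confirmed_at)
    }
  end

  # Redirect an unauthenticated interaction to Sigra's login route (a local path),
  # preserving the params Lockspire needs to resume the authorization flow.
  # Sigra's login controller should still validate `return_to` as a local path
  # before following it, as it would for any other caller.
  def login_redirect(%Plug.Conn{} = conn, login_path) when is_binary(login_path) do
    conn = fetch_query_params(conn)
    preserved = Map.take(conn.query_params, @preserved_params)

    target =
      if map_size(preserved) == 0,
        do: login_path,
        else: login_path <> "?" <> URI.encode_query(preserved)

    conn
    |> Phoenix.Controller.redirect(to: target)
    |> halt()
  end
end
```

The resolver deliberately returns a plain map rather than the Sigra user struct, so the boundary in the table above holds: Lockspire gets `sub` and claims, and nothing about sessions, MFA or passkeys crosses into it.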

Planning

Cross-repo sequencing lives in Lockspire's .planning/ECOSYSTEM-SIGRA.md.