Your child-safety compliance, run for you.
Wire your age signals in once. Phosra — the reference implementation of OCSS, the open child-safety standard — runs the whole layer and signs every decision. You never build the plumbing.
How it's priced: usage-based on the hosted router — you pay per signal it routes; $0 on the standard, the mark, or governance. See pricing →
One router. Every conformant platform behind it.
Phosra runs the routing-and-trust layer of OCSS — signed envelope, Trust List, conformance contract — so you call one API instead of building it.
N × M connectors never finish. OCSS collapses it to N + M.
Conform to the Trust Framework onceTrust Framework API
Age signal in, signed decision out over POST /v1/check — resolved against the 123-category rule registry, statute cited, no raw birthdate stored.
Regulator-replayable
Every decision lands on a durable event stream with rule, input, output, and statute citation — a regulator export in minutes, zero personal data.
§9.4 attestation CSV is live; full receipt API lands with/v1/checkOperated to a target, published in the open
A safety decision can't be best-effort. The router runs to a latency and availability target, with health on the public status page.
See live status →A signed succession record, not a press release
Steward of record and transfer status publish as a signed, machine-verifiable record at /.well-known/ocss/. A Phosra-only federation rates RED, by design.
Built, and exposed. We label the difference.
OCSS is a Draft 4, pre-release individual IETF Internet-Draft, and Phosra is implementing it in phases. Here is exactly what answers a request today versus what is illustrative until a later phase ships. No fake green checkmarks.
- Signed succession record at
/.well-known/ocss/— Ed25519, verifies against the steward key. - §9.4 attestation CSV export — the regulator-handoff artifact, generated from real decision records.
- The 123-category rule registry and 91-statute mapping — the vocabulary the router speaks, browsable now.
- Public status page — signed-endpoint health and conformance posture, live.
POST /v1/checkpublic API — age signal in, signed decision out. Ships P2 / P3.- Full receipt API — programmatic pull of replayable receipts, landing alongside
/v1/check. - The eIDAS-style Trust List with multi-operator federation — the root signing key is provisioned in a later phase.
- Live interim-steward designation — a governance act due 2026-07-09, not a software ship.
Where a panel above shows an API response, it is illustrative until the endpoint ships. The two signed endpoints, the registry, and the status page are the surfaces that answer a request today.
A connector is a liability. A conformance contract is an asset.
A point-to-point integration breaks every time a platform ships a new age-logic rule. Conforming to the Trust Framework once means your signal stays legible as the law changes — the router carries the 91-statute mapping and the 123-category vocabulary, so you don't re-derive age-appropriateness per jurisdiction.
Phosra runs one accredited networkof the several a healthy federation requires. That's the honest shape of it today — and the conformance suite is built to flag a single-operator federation as a single point of capture.
N + M, not N × M — illustrative.
Build on the standard you can't capture.
Start with the registry and the signed endpoints that are live today; wire /v1/check the moment it ships. Phosra is building toward OCSS Certified — earned from the standard, never issued by us.