Lockspire is an embedded OAuth/OIDC authorization server for third-party clients of your API. Sigra is your end-user authentication stack (sessions, passwords, MFA, passkeys, “login with Google” via Assent, admin, audit).
This document is the Lockspire-side counterpart to Sigra’s recipe Companion OAuth provider (guides/recipes/companion-oauth-provider.md on hexdocs).
| Own in Sigra / host | Own in Lockspire |
|---|---|
| User table, sessions, MFA, passkeys, login UX | Clients, codes, tokens, consent protocol, JWKS, discovery |
sub identity for your users |
Authorization decisions for external OAuth clients |
Lockspire must not import Sigra at compile time. Integration is host-generated code: your AccountResolver reads the same session Sigra established.
mix lockspire.install --sigra-hostThis adds Sigra-oriented comments (and @moduledoc) to the generated AccountResolver stub. You still implement real resolve_current_account/2 and claim building.
- Ship Sigra end-user auth first (register, login, orgs if needed).
- Add Lockspire; complete Phase 3 (OIDC + token lifecycle) before exposing third-party integrations broadly.
- Point
login_pathat your real Sigra login route; preservereturn_to/interaction_idquery params Lockspire needs.
Cross-repo sequencing lives in Lockspire .planning/ECOSYSTEM-SIGRA.md.