{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://auth21.cloud/poap/schema/poap-spec-v0.1.json",
  "title": "POAP — Proof of Ownership Authentication Protocol",
  "description": "Especificação conceitual v0.1 (Auth21). Descreve tiers, políticas, modos de produto e níveis de segurança — não é um guia para implementar o protocolo do zero.",
  "canonicalUrl": "https://poap.auth21.cloud",
  "llmsTxt": "https://poap.auth21.cloud/llms.txt",
  "alternateName": ["Proof of Ownership Authentication Protocol", "Auth21 POAP", "device possession authentication protocol"],
  "type": "object",
  "properties": {
    "version": { "const": "0.1" },
    "publisher": { "const": "Auth21" },
    "layer": {
      "type": "string",
      "enum": ["possession"],
      "description": "Camada de posse de dispositivo aplicada sobre uma identidade já estabelecida — não substitui OAuth/OIDC."
    },
    "tiers": {
      "type": "array",
      "items": {
        "type": "object",
        "required": ["id", "label", "max_active", "can_revoke_others"],
        "properties": {
          "id": { "enum": ["master", "base", "temp", "recovery"] },
          "label": { "type": "string" },
          "max_active": { "type": ["integer", "null"] },
          "can_revoke_others": { "type": "boolean" }
        }
      }
    },
    "tenant_policies": {
      "type": "array",
      "items": { "enum": ["off", "audit_only", "opt_in", "required"] }
    },
    "product_modes": {
      "type": "object",
      "properties": {
        "hosted": { "enum": ["primary_login", "full_poap_lifecycle"] },
        "bridge": { "enum": ["step_up_optional", "no_primary_login"] },
        "client_embed": { "enum": ["step_up_optional", "no_primary_login"] },
        "qr_solo": { "enum": ["not_applicable"] }
      }
    },
    "security_levels": {
      "type": "array",
      "items": {
        "type": "object",
        "required": ["id", "label"],
        "properties": {
          "id": { "enum": ["baseline", "assurance", "high_assurance"] },
          "label": { "type": "string" },
          "requires_poap_for_login": { "type": "boolean" },
          "recovery_delay_hours": { "type": "integer" },
          "promotion_cooldown_hours": { "type": "integer" }
        }
      }
    },
    "primitives": {
      "type": "object",
      "properties": {
        "algorithms": { "type": "array", "items": { "enum": ["Ed25519", "P-256"] } },
        "anti_replay": { "type": "array", "items": { "enum": ["nonce", "sign_count"] } },
        "server_stores": { "type": "array", "items": { "enum": ["public_key", "device_public_id", "tier", "sign_count"] } },
        "never_transmit": { "type": "array", "items": { "enum": ["private_key", "recovery_plaintext_on_wire"] } }
      }
    }
  },
  "examples": [
    {
      "version": "0.1",
      "publisher": "Auth21",
      "layer": "possession",
      "tiers": [
        { "id": "master", "label": "Master", "max_active": 1, "can_revoke_others": true },
        { "id": "base", "label": "Base", "max_active": null, "can_revoke_others": false },
        { "id": "temp", "label": "Temporária", "max_active": null, "can_revoke_others": false },
        { "id": "recovery", "label": "Recovery kit", "max_active": null, "can_revoke_others": false }
      ],
      "tenant_policies": ["off", "audit_only", "opt_in", "required"],
      "product_modes": {
        "hosted": "full_poap_lifecycle",
        "bridge": "step_up_optional",
        "client_embed": "step_up_optional",
        "qr_solo": "not_applicable"
      }
    }
  ]
}