# `AttestoPhoenix.Plug.Authenticate`
[🔗](https://github.com/XukuLLC/attesto_phoenix/blob/v0.19.0/lib/attesto_phoenix/plug/authenticate.ex#L1)

Phoenix-friendly protected-resource authentication.

This plug is a thin integration layer over `Attesto.Plug.Authenticate`. The
core plug owns the protocol work: parsing Bearer/DPoP credentials, verifying
the JWT access token, enforcing DPoP and mTLS sender-constraint bindings, and
rendering RFC 6750 / RFC 9449 failures. This wrapper derives the core options
from `AttestoPhoenix.Config`, resolves the verified subject through the
host's `:load_principal` callback, and assigns neutral values for downstream
Phoenix code.

Defaults:

  * `:claims_key` - `:attesto_claims`
  * `:principal_key` - `:attesto_principal`
  * `:context_key` - `:attesto_context`

The context assign is a map with `:subject`, `:client_id`, `:scope`, `:claims`,
`:cnf`, and `:principal`. It is deliberately protocol-shaped; application
policy such as accounts, roles, audit actors, and error envelopes belongs in
the host application.
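A host-side scope check that consumes the context assign, as an added example (not code from attesto_phoenix). The module name `MyAppWeb.Plugs.RequireScope` and its `:scopes` option are hypothetical. The shape of `:scope` is an assumption: the plug accepts either a space-delimited string or a list of strings.

```elixir
defmodule MyAppWeb.Plugs.RequireScope do
  @moduledoc false
  # Hypothetical host-application plug; place it after
  # AttestoPhoenix.Plug.Authenticate in the pipeline, e.g.
  #   plug MyAppWeb.Plugs.RequireScope, scopes: ["orders:read"]
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts) do
    %{
      required: opts |> Keyword.fetch!(:scopes) |> MapSet.new(),
      # Must match the :context_key configured for the authenticate plug.
      context_key: Keyword.get(opts, :context_key, :attesto_context)
    }
  end

  @impl true
  def call(conn, %{required: required, context_key: key}) do
    case conn.assigns[key] do
      %{scope: scope} ->
        if MapSet.subset?(required, granted(scope)), do: conn, else: deny(conn, required)

      # No context assign means authentication never ran for this request.
      # Treat it as a wiring error and fail closed instead of letting it through.
      _ ->
        raise ArgumentError, "#{inspect(key)} not assigned; run the authenticate plug first"
    end
  end

  # Assumption: :scope is a space-delimited string (RFC 6749 form) or a list
  # of strings. Any other value grants nothing.
  defp granted(scope) when is_binary(scope),
    do: scope |> String.split(" ", trim: true) |> MapSet.new()

  defp granted(scope) when is_list(scope), do: MapSet.new(scope)
  defp granted(_), do: MapSet.new()

  # RFC 6750 section 3.1: insufficient_scope is answered with 403. The Bearer
  # scheme is used here; a DPoP-bound deployment would challenge with DPoP.
  defp deny(conn, required) do
    challenge = ~s(Bearer error="insufficient_scope", scope="#{Enum.join(required, " ")}")

    conn
    |> put_resp_header("www-authenticate", challenge)
    |> send_resp(403, "")
    |> halt()
  end
end
```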

---

*Consult [api-reference.md](api-reference.md) for complete listing*
