# `mix attesto_phoenix.install`
[🔗](https://github.com/XukuLLC/attesto_phoenix/blob/v0.19.0/lib/mix/tasks/attesto_phoenix.install.ex#L60)

Installs the attesto_phoenix authorization-server layer into a Phoenix app

Wires the OAuth 2.0 / OpenID Connect authorization-server layer this library
provides into the host Phoenix application:

  * adds an `AttestoPhoenix.Config` config skeleton (issuer, keystore, repo,
    the Ecto-backed token stores, a chosen `:oauth_path_prefix`, and neutral
    defaults) to the host config,
  * mounts the server routes (`attesto_routes/1`) at the chosen prefix into
    the host router,
  * scaffolds host callback modules implementing the recommended production
    behaviours (`AttestoPhoenix.ClientStore`, `PrincipalStore`,
    `ScopePolicy`, `ConsentPolicy`, `RegistrationStore`, `EventSink`) with
    documented stub callbacks the host fills in,
  * points the host at `mix attesto_phoenix.gen.migration` for the Ecto
    tables the bundled stores read.

Every step is idempotent: re-running the task does not duplicate the config,
the route, or the scaffolded modules. The task never decides authorization
policy; it scaffolds the contract the host owns (RFC 6749 §2/§3.3/§4.1.1,
RFC 7591 §3, OpenID Connect Core §3.1.2/§5.3) and emits notices telling the
host exactly what to fill in.

## Example

```sh
mix attesto_phoenix.install
```

## Options

  * `--oauth-path-prefix` - the client-visible mount prefix for the OAuth
    endpoints (RFC 8414 §3 advertises the absolute URLs; the mounted routes
    and the advertised metadata derive from the same prefix so they cannot
    drift). Defaults to `/oauth`, reproducing the historic surface. A host
    avoiding a collision with a legacy provider may pass, for example,
    `--oauth-path-prefix /mcp/oauth`. The well-known documents (RFC 8615)
    and the JWKS document stay anchored at the host root and are NOT
    relocated by this prefix.
  * `--callbacks-module` - the base module the scaffolded callback modules
    are generated under. Defaults to `<App>.AuthZ`, yielding
    `<App>.AuthZ.ClientStore` and friends.

---

*Consult [api-reference.md](api-reference.md) for complete listing*