# Vectra wpClaimToken Phase 3 Deployment Notes

## New server files

- `lib/vectra_wp_claim_token.php`
- `claim_token_validate.php`
- `tests/test_phase3_wp_claim_token_fixtures.py`

## Config required

Add to `/home/audinhcv/staging.audionerdz.net/private/vectra_env.php`:

```php
'claim_tokens' => [
    'secret' => 'SAME_LONG_SECRET_AS_WORDPRESS_BRIDGE',
    'issuer' => 'https://audionerdz.net',
    'audience' => 'vectra-drm-staging',
    'scope' => 'account_binding',
    'kid' => 'staging-2026-05',
    'ttl_seconds' => 600,
    'max_future_iat_seconds' => 60,
],
```

Generate a secret with:

```bash
openssl rand -hex 32
```

Use the same value on the WordPress side, in either the bridge claim-token settings or `VECTRA_DRM_CLAIM_TOKEN_SECRET`.

## Validate

```bash
cd ~/staging.audionerdz.net/api/vectra
php -l claim_token_validate.php
php -l lib/vectra_wp_claim_token.php
/opt/alt/python39/bin/python3 tests/test_phase3_wp_claim_token_fixtures.py
```

## Test endpoint

```bash
curl -sS -X POST \
  -H 'Content-Type: application/json' \
  -d '{"wpClaimToken":"PASTE_TOKEN_HERE"}' \
  https://staging.audionerdz.net/api/vectra/claim_token_validate.php
```

- Expected first use: `ok: true`.
- Expected second use of the same token: `token_replayed`.

The token is single-use for DRM validation. Generate a new token for every retry.
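
The checks that the `claim_tokens` settings and the single-use rule imply, as an added Python example; it is not the project's PHP code. Assumptions: the token layout (base64url JSON claims plus an HMAC-SHA256 tag), the claim names `iss`, `aud`, `iat`, `jti`, `kid` carried as a claim, every result code except `token_replayed`, and an in-memory set standing in for the replay store.

```python
import base64, hashlib, hmac, json

# Mirrors the 'claim_tokens' config block; the secret is a constructed sample value.
CFG = {
    "secret": "constructed-sample-secret-not-for-use",
    "issuer": "https://audionerdz.net",
    "audience": "vectra-drm-staging",
    "scope": "account_binding",
    "kid": "staging-2026-05",
    "ttl_seconds": 600,
    "max_future_iat_seconds": 60,
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims: dict, secret: str) -> str:
    """Assumed format: base64url(JSON claims) + '.' + base64url(HMAC-SHA256 tag)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def validate(token: str, cfg: dict, seen: set, now: int) -> str:
    """Return 'ok' or a result code; 'seen' stands in for the server's replay store."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(cfg["secret"].encode(), body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
            return "bad_signature"
        c = json.loads(_unb64(body))
        iat, jti = int(c["iat"]), str(c["jti"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    for field, key in (("iss", "issuer"), ("aud", "audience"), ("scope", "scope"), ("kid", "kid")):
        if c.get(field) != cfg[key]:
            return "bad_" + field
    if iat > now + cfg["max_future_iat_seconds"]:  # tolerate limited clock skew only
        return "iat_in_future"
    if now > iat + cfg["ttl_seconds"]:
        return "expired"
    if jti in seen:
        return "token_replayed"
    seen.add(jti)  # consume only after every other check has passed
    return "ok"
```

With these settings a token is accepted from 60 seconds before its `iat` until 600 seconds after it, and the replay store must retain identifiers for at least that whole window.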
