diff --git a/docs/src/components/marketing/sovereignty.astro b/docs/src/components/marketing/sovereignty.astro
index 92255c4..2d8a6b1 100644
--- a/docs/src/components/marketing/sovereignty.astro
+++ b/docs/src/components/marketing/sovereignty.astro
@@ -41,7 +41,7 @@ const base = import.meta.env.BASE_URL;
A lot of R&D goes into building beautiful self-sovereign distributed ledgers, yet the usability of your chain relies on a few extremely powerful middlemen.
This changes now.
- Features
+ Features
diff --git a/docs/src/content/docs/architecture.md b/docs/src/content/docs/architecture.md
new file mode 100644
index 0000000..3ca461c
--- /dev/null
+++ b/docs/src/content/docs/architecture.md
@@ -0,0 +1,101 @@
+---
+title: Architecture
+sidebar:
+ order: 6
+prev: false
+next: false
+---
+
+This is a high level overview of the sequence of events that happens while using Liquid Auth.
+See the [Getting Started](./guides/getting-started) section for more detailed information on each step.
+Diagrams are generated using [Mermaid](https://mermaid-js.github.io/mermaid/#/).
+
+## Authentication
+
+A user can link their device to a website by scanning a QR code.
+The website will subscribe to a WebSocket channel to receive the link status.
+The wallet will scan the QR code and send a [FIDO2 PublicKeyCredential]() to the server.
+The server will validate the FIDO2 credential and send a response to the wallet and website.
+
+```mermaid
+sequenceDiagram
+ participant Website as Answer Client
+ participant Server
+ participant Wallet as Offer Client
+ Website->>Server: Subscribe to 'wss:link'
+ Website-->>Website: Display QR Connect Request ID
+ Wallet->>Website: Scan QR Code
+ Server-->>Wallet: Get Challenge/Options
+ Wallet->>Server: POST FIDO2 Credential + Liquid Auth Extension
+ Server-->>Server: Validate Signatures
+ Server-->>Website: HTTPOnly Session
+ Server->>Wallet: Ok Response + HTTPOnly Session
+ Server->>Website: Emit to `wss:link` client
+```
+
+## Signaling
+
+The website and wallet can subscribe to an isolated WebSocket channel to broker [Session Description]() answers and offers.
+[ICE Candidates]() are discovered when any peer has both an offer and answer.
+
+```mermaid
+sequenceDiagram
+ participant Website as Answer Client
+ participant Server
+ participant Wallet as Offer Client
+ Website-->>Server: Subscribe to 'wss:offer-description'
+ Website-->>Server: Subscribe to 'wss:offer-candidate'
+ Wallet-->>Server: Subscribe to 'wss:answer-description'
+ Wallet-->>Server: Subscribe to 'wss:answer-candidate'
+```
+
+### Offer
+
+[Offers]() are created by a peer and sent through the signaling service.
+A client with an offer will listen for an answer description.
+Answers are only emitted in response to an offer.
+Offer clients are responsible for creating the [Data Channel]().
+
+```mermaid
+sequenceDiagram
+ participant Website as Answer Client
+ participant Server
+ participant Wallet as Offer Client
+ Wallet-->>Wallet: On answer-description, set Remote SDP
+ Wallet-->>Wallet: On answer-candidate, add ICE Candidate
+ Wallet-->>Wallet: Create Peer Offer & DataChannel
+ Wallet-->>Server: Emit `wss:offer-description`
+ Wallet-->>Server: Emit `wss:offer-candidate`
+```
+
+### Answer
+
+An [Answer]() is created by a peer in response to an offer.
+The answer description and candidates are emitted to the signaling service.
+
+```mermaid
+sequenceDiagram
+ participant Website as Answer Client
+ participant Server
+ participant Wallet as Offer Client
+ Website-->>Website: On offer-description, set Remote SDP and create Answer
+ Website-->>Website: On offer-candidate, add ICE Candidate
+ Website-->>Server: Emit `wss:answer-description`
+ Website-->>Server: Emit `wss:answer-candidate`
+```
+
+### Data Channel
+
+Once an Offer and Answer have been exchanged, a [Data Channel]() will be emitted to the peer who created the answer.
+This channel is used to send messages between the website and wallet in real-time over the established P2P connection.
+```mermaid
+sequenceDiagram
+ participant Website as Answer Client
+ participant Server
+ participant Wallet as Offer Client
+ Wallet-->>Website: Emit DataChannel
+ Wallet-->>Wallet: On Message, Handle Message
+ Website-->>Website: On DataChannel, listen for Messages
+ Website-->>Wallet: Emit Messages
+ Wallet-->>Website: Emit Messages
+```
diff --git a/docs/src/content/docs/architecture/deep-dive.md b/docs/src/content/docs/architecture/deep-dive.md
deleted file mode 100644
index b61a82f..0000000
--- a/docs/src/content/docs/architecture/deep-dive.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deep Dive
----
-
-WIP
diff --git a/docs/src/content/docs/architecture/features.md b/docs/src/content/docs/architecture/features.md
deleted file mode 100644
index c1a48fe..0000000
--- a/docs/src/content/docs/architecture/features.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Features
----
-
-WIP
diff --git a/docs/src/content/docs/clients/android/answer.mdx b/docs/src/content/docs/clients/android/answer.mdx
new file mode 100644
index 0000000..4b00c3c
--- /dev/null
+++ b/docs/src/content/docs/clients/android/answer.mdx
@@ -0,0 +1,34 @@
+---
+title: "Android: Peer Answer"
+---
+
+The answer client is used to respond to a remote client's offer.
+The remote client will have sent an offer to the answer client, which will then respond with an answer.
+
+### Who is this for?
+
+- **Mobile Apps** that want to leverage liquid-auth to connect to other mobile apps
+
+## Signaling
+
+```kotlin
+val requestID = SignalClient.generateRequestId() // Create a new Request ID
+val origin = "https://my-liquid-service.com" // Specify the origin of the service
+val client = SignalClient(origin, context, httpClient) // Create the Client
+
+// Display the QR Code
+val qrCode = signalClient.qrCode(requestId, BitmapFactory.decodeResource(getResources(), R.mipmap.ic_launcher_round))
+
+// Wait for peer to scan the QR Code
+val dc = signalClient.peer(requestId, "offer" )
+
+// Handle the data channel messages and state changes
+signalClient.handleDataChannel(dc!!, {
+ Log.d(TAG, "onMessage($it)")
+},{
+ Log.d(TAG, "onStateChange($it)")
+})
+
+// Send Message to Peer
+signalClient.peerClient.send("Hello World!")
+```
diff --git a/docs/src/content/docs/clients/android/authentication.mdx b/docs/src/content/docs/clients/android/authentication.mdx
new file mode 100644
index 0000000..2ff5b15
--- /dev/null
+++ b/docs/src/content/docs/clients/android/authentication.mdx
@@ -0,0 +1,122 @@
+---
+title: 'Android: Authentication'
+---
+
+import {Aside, Tabs, TabItem } from "@astrojs/starlight/components";
+
+Authenticate an existing [Passkey](../../guides/concepts#passkeys) with the [Service](../../server/introduction).
+
+Get started by initializing the AssertionApi with an OkHttpClient and CookieJar.
+```kotlin
+val httpClient = OkHttpClient.Builder()
+ .cookieJar(cookieJar) // Use Cookie jar to share cookies between requests
+ .build()
+val assertionApi = AssertionApi(httpClient)
+```
+
+## User Agent
+
+The User-Agent string is used to authenticate the device.
+
+```kotlin
+// UA used to authenticate the device
+val userAgent = "${BuildConfig.APPLICATION_ID}/${BuildConfig.VERSION_NAME} " +
+"(Android ${Build.VERSION.RELEASE}; ${Build.MODEL}; ${Build.BRAND})"
+```
+
+## Options
+
+Fetch assertion options from the service.
+```kotlin
+val response = assertionApi.postAssertionOptions(
+ origin, // Origin Server
+ userAgent, // Required for checking the authenticator fingerprint
+ credentialId // Base64URL Encoded Credential ID
+).await()
+```
+
+## Retrieving
+
+There are several ways to handle the retrieval of an existing Passkey.
+We recommend
+using the [FIDO2ApiClient](https://developers.google.com/identity/fido/android/native-apps) or [CredentialManager](https://developer.android.com/identity/sign-in/credential-manager)
+
+
+
+
+ ```kotlin
+ // MainActivity.kt
+ val fido2Client = Fido2ApiClient(context)
+
+ val origin = "https://my-liquid-service.com"
+ val credentialId = "Base64URL Encoded Credential ID"
+
+ // Fetch Attestation Options
+ val response = attestationApi.postAssertionOptions(origin, userAgent, credentialId).await()
+
+ // Parse the response to PublicKeyCredentialRequestOptions
+ val publicKeyCredentialRequestOptions = response.body.toPublicKeyCredentialRequestOptions()
+
+ // Activity Result Handler
+ fun handleAuthenticatorAssertionResult(activityResult: ActivityResult){
+ val bytes = activityResult.data?.getByteArrayExtra(Fido.FIDO2_KEY_CREDENTIAL_EXTRA)
+ when {
+ activityResult.resultCode != Activity.RESULT_OK ->
+ Log.d(TAG, "Not OK!")
+
+ bytes == null ->
+ Log.e(TAG, "Error!")
+
+ else -> {
+ /**
+ * Handle the PublicKeyCredential
+ *
+ * Now you can combine the PublicKeyCredential with the Liquid Extension JSON
+ * and submit it to the service for verification
+ */
+ val credential = PublicKeyCredential.deserializeFromBytes(bytes)
+ }
+ }
+ }
+
+ // Register/Attestation Intent Launcher
+ val assertionIntentLauncher = registerForActivityResult(
+ ActivityResultContracts.StartIntentSenderForResult(),
+ ::handleAuthenticatorAssertionResult
+ )
+
+ // Launch the FIDO2 Intent
+ val pendingIntent = fido2Client.getRegisterPendingIntent(publicKeyCredentialRequestOptions).await()
+ assertionIntentLauncher.launch(
+ IntentSenderRequest.Builder(pendingIntent).build()
+ )
+ ```
+
+
+ ```kotlin
+ // MainActivity.kt
+ import foundation.algorand.auth.fido2.*
+
+ val credential = PublicKeyCredential()
+ ```
+
+
+
+## Response
+
+```kotlin
+// MainActivity.kt
+
+val liquidExtJSON = JSONObject()
+liquidExtJSON.put("requestId", requestId)
+
+val response = assertionApi.postAssertionResponse(
+ origin, // Origin Server
+ userAgent, // Required for checking the authenticator fingerprint
+ credential, // PublicKeyCredential
+ liquidExtJSON // Liquid Extension JSON
+)
+```
diff --git a/docs/src/content/docs/clients/android/introduction.mdx b/docs/src/content/docs/clients/android/introduction.mdx
new file mode 100644
index 0000000..f47df2a
--- /dev/null
+++ b/docs/src/content/docs/clients/android/introduction.mdx
@@ -0,0 +1,89 @@
+---
+title: "Android: Introduction"
+prev: false
+---
+import { Aside, Tabs, TabItem } from "@astrojs/starlight/components";
+
+
+
+The Android Client is a library that allows you to interact with the Liquid Auth Service and provides
+utilities to integrate with the native platform.
+
+### Pre-requisites
+
+Install [Android Studio](https://developer.android.com/studio) and create or open an application.
+
+
+### Fingerprint
+
+Get the SHA256 fingerprint of your application.
+The Server uses the fingerprint to attest the credential.
+You can use the following command to get the SHA256 fingerprint of your application.
+
+```bash
+keytool -list -v -keystore -alias -storepass -keypass
+```
+
+
+
+
+## Getting Started
+
+Run a local instance
+or deploy the [Liquid Auth Service](../../../server/running-locally)
+using the SHA256 fingerprint and application name in the [environment configuration](../../server/environment-variables)
+
+### Install
+
+Add jitpack as a repository
+
+
+ ```kotlin
+ dependencyResolutionManagement {
+ repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
+ repositories {
+ google()
+ mavenCentral()
+ maven {
+ setUrl("https://jitpack.io")
+ }
+ }
+ }
+ ```
+
+
+ ```groovy
+ dependencyResolutionManagement {
+ repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
+ repositories {
+ google()
+ mavenCentral()
+ maven { url 'https://jitpack.io' }
+ }
+ }
+ ```
+
+
+
+Install the package
+
+
+
+ ```kotlin
+ dependencies {
+ implementation("com.github.algorandfoundation:liquid-auth-android:v1.0.0-canary.3")
+ }
+ ```
+
+
+ ```groovy
+ dependencies {
+ implementation 'com.github.algorandfoundation:liquid-auth-android:v1.0.0-canary.3'
+ }
+ ```
+
+
diff --git a/docs/src/content/docs/clients/android/offer.mdx b/docs/src/content/docs/clients/android/offer.mdx
new file mode 100644
index 0000000..e35434e
--- /dev/null
+++ b/docs/src/content/docs/clients/android/offer.mdx
@@ -0,0 +1,21 @@
+---
+title: 'Android: Peer Offer'
+---
+import {Aside} from "@astrojs/starlight/components";
+
+
+
+[Peer-to-Peer]() connections can only be done using the `SignalClient`.
+Wallets are responsible for creating offers to connect.
+
+## Signaling
+
+```kotlin
+val requestID = 12345 // Scanned from a QR Code or Deep Link
+val origin = "https://my-liquid-service.com" // Origin of the service
+val client = SignalClient(origin, context, httpClient)
+val dc = signalClient?.peer(requestId, "answer" )
+```
diff --git a/docs/src/content/docs/clients/android/provider-service/create-passkey.md b/docs/src/content/docs/clients/android/provider-service/create-passkey.md
new file mode 100644
index 0000000..9175cbc
--- /dev/null
+++ b/docs/src/content/docs/clients/android/provider-service/create-passkey.md
@@ -0,0 +1,18 @@
+---
+title: "Android: Create Service Passkey"
+---
+
+
+```kotlin
+val request = PendingIntentHandler.retrieveProviderGetCredentialRequest(intent)
+if (request != null) {
+ lifecycleScope.launch {
+ val result = viewModel.processGetPasskey(this@GetPasskeyActivity, request, intent.getBundleExtra("CREDENTIAL_DATA"))
+ Log.d(TAG, "result: $result")
+ setResult(Activity.RESULT_OK, result)
+ finish()
+ }
+} else {
+ binding.getPasskeyMessage.text = resources.getString(R.string.get_passkey_error)
+}
+```
diff --git a/docs/src/content/docs/clients/android/provider-service/get-passkey.md b/docs/src/content/docs/clients/android/provider-service/get-passkey.md
new file mode 100644
index 0000000..fca6c4f
--- /dev/null
+++ b/docs/src/content/docs/clients/android/provider-service/get-passkey.md
@@ -0,0 +1,13 @@
+---
+title: "Android: Get Service Passkey"
+---
+
+```kotlin
+// MainActivity.kt
+val request = PendingIntentHandler.retrieveProviderCreateCredentialRequest(intent)
+if (request.callingRequest is CreatePublicKeyCredentialRequest) {
+ val result = viewModel.processCreatePasskey(this@CreatePasskeyActivity, request)
+} else {
+ binding.createPasskeyMessage.text = resources.getString(R.string.get_passkey_error)
+}
+```
diff --git a/docs/src/content/docs/clients/android/provider-service/introduction.mdx b/docs/src/content/docs/clients/android/provider-service/introduction.mdx
new file mode 100644
index 0000000..a4751dc
--- /dev/null
+++ b/docs/src/content/docs/clients/android/provider-service/introduction.mdx
@@ -0,0 +1,156 @@
+---
+title: "Android: Provider Service"
+---
+
+import {Aside} from '@astrojs/starlight/components';
+
+
+
+Since Android 14, the [CredentialProviderService](https://developer.android.com/reference/android/service/credentials/CredentialProviderService) has been introduced to allow developers to create custom roaming authenticators.
+This allows applications to store and manage credentials outside Google Password Manager with full custody of the key material.
+
+It opens the doors to a new world of possibilities for developers to create secure and private authentication experiences using
+just their Android devices.
+
+
+### Who is this for?
+
+- **Mobile Wallets** that want to act as a roaming authenticator for non-crypto sites
+
+
+## Provider Service
+
+```kotlin
+@RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
+class LiquidCredentialProviderService: CredentialProviderService() {
+ private val credentialRepository = CredentialRepository()
+ private val job = SupervisorJob()
+ private val scope = CoroutineScope(Dispatchers.IO + job)
+
+ companion object {
+ const val TAG = "LiquidCredentialProviderService"
+ //TODO: App Lock Intents
+ const val GET_PASSKEY_INTENT = 1
+ const val CREATE_PASSKEY_INTENT = 2
+ const val GET_PASSKEY_ACTION = "foundation.algorand.demo.GET_PASSKEY"
+ const val CREATE_PASSKEY_ACTION = "foundation.algorand.demo.CREATE_PASSKEY"
+ }
+ /**
+ * Handle Create Credential Requests
+ */
+ override fun onBeginCreateCredentialRequest(
+ request: BeginCreateCredentialRequest,
+ cancellationSignal: CancellationSignal,
+ callback: OutcomeReceiver
+ ) {
+ val response: BeginCreateCredentialResponse? = processCreateCredentialRequest(request)
+ if (response != null) {
+ callback.onResult(response)
+ } else {
+ callback.onError(CreateCredentialUnknownException())
+ }
+ }
+
+ /**
+ * Process incoming Create Credential Requests
+ */
+ private fun processCreateCredentialRequest(request: BeginCreateCredentialRequest): BeginCreateCredentialResponse? {
+ when (request) {
+ is BeginCreatePublicKeyCredentialRequest -> {
+ return handleCreatePasskeyQuery(request)
+ }
+ }
+ return null
+ }
+
+ /**
+ * Create a new PassKey Entry
+ *
+ * This returns an Entry list for the user to interact with.
+ * A PendingIntent must be configured to receive the data from the WebAuthn client
+ */
+ private fun handleCreatePasskeyQuery(
+ request: BeginCreatePublicKeyCredentialRequest
+ ): BeginCreateCredentialResponse {
+ Log.d(TAG, request.requestJson)
+
+
+ val createEntries: MutableList = mutableListOf()
+ val name = JSONObject(request.requestJson).getJSONObject("user").get("name").toString()
+
+ createEntries.add( CreateEntry(
+ name,
+ createNewPendingIntent(CREATE_PASSKEY_ACTION, CREATE_PASSKEY_INTENT, null)
+ )
+ )
+ return BeginCreateCredentialResponse(createEntries)
+ }
+ /**
+ * Handle Get Credential Requests
+ */
+ override fun onBeginGetCredentialRequest(
+ request: BeginGetCredentialRequest,
+ cancellationSignal: CancellationSignal,
+ callback: OutcomeReceiver,
+ ) {
+ try {
+ callback.onResult(processGetCredentialRequest(request))
+ } catch (e: GetCredentialException) {
+ callback.onError(GetCredentialUnknownException())
+ }
+ }
+
+ /**
+ * Fake a list of available PublicKeyCredential Entries
+ */
+ private fun processGetCredentialRequest(request: BeginGetCredentialRequest): BeginGetCredentialResponse{
+ Log.v(TAG, "processing GetCredentialRequest")
+ val deferredCredentials: Deferred> = scope.async {
+ credentialRepository.getDatabase(this@LiquidCredentialProviderService).credentialDao().getAllRegular()
+ }
+ val credentials = runBlocking {
+ deferredCredentials.await()
+ }
+ return BeginGetCredentialResponse(credentials.map {
+ val data = Bundle()
+ data.putString("credentialId", it.credentialId)
+ data.putString("userHandle", it.userHandle)
+ PublicKeyCredentialEntry.Builder(
+ this@LiquidCredentialProviderService,
+ it.userHandle,
+ createNewPendingIntent(GET_PASSKEY_ACTION, GET_PASSKEY_INTENT, data),
+ // TODO: filter the request for PublicKeyCredentialOptions
+ request.beginGetCredentialOptions[0] as BeginGetPublicKeyCredentialOption
+ )
+ .setIcon(Icon.createWithResource(this@LiquidCredentialProviderService, R.mipmap.ic_launcher))
+ .build()
+ })
+ }
+ override fun onClearCredentialStateRequest(
+ request: ProviderClearCredentialStateRequest,
+ cancellationSignal: CancellationSignal,
+ callback: OutcomeReceiver
+ ) {
+ Log.d(TAG, "onClearCredentialStateRequest")
+ TODO("Not yet implemented")
+ }
+
+ private fun createNewPendingIntent(action: String, requestCode: Int, extra: Bundle?): PendingIntent{
+ val intent = Intent(action).setPackage("foundation.algorand.demo")
+ if (extra != null) {
+ intent.putExtra("CREDENTIAL_DATA", extra)
+ }
+ return PendingIntent.getActivity(
+ applicationContext, requestCode,
+ intent, (PendingIntent.FLAG_MUTABLE or PendingIntent.FLAG_UPDATE_CURRENT)
+ )
+ }
+ override fun onDestroy() {
+ super.onDestroy()
+ job.cancel()
+ }
+}
+```
diff --git a/docs/src/content/docs/clients/android/registration.mdx b/docs/src/content/docs/clients/android/registration.mdx
new file mode 100644
index 0000000..82b09b3
--- /dev/null
+++ b/docs/src/content/docs/clients/android/registration.mdx
@@ -0,0 +1,144 @@
+---
+title: "Android: Registration"
+---
+
+import {Aside, Tabs, TabItem } from "@astrojs/starlight/components";
+
+Register a [Passkey](../../guides/concepts#passkeys) with the [Service](../../server/introduction)
+and attest the knowledge of a KeyPair.
+
+Get started by initializing the AttestationApi with an OkHttpClient and CookieJar.
+```kotlin
+val httpClient = OkHttpClient.Builder()
+ .cookieJar(cookieJar) // Use Cookie jar to share cookies between requests
+ .build()
+val attestationApi = AttestationApi(httpClient)
+```
+
+## User Agent
+
+The User-Agent string is used to authenticate the device.
+
+```kotlin
+// UA used to authenticate the device
+val userAgent = "${BuildConfig.APPLICATION_ID}/${BuildConfig.VERSION_NAME} " +
+"(Android ${Build.VERSION.RELEASE}; ${Build.MODEL}; ${Build.BRAND})"
+```
+
+## Options
+
+Fetch attestation options from the service.
+```kotlin
+// Create Options for FIDO2 Server
+val options = JSONObject()
+options.put("username", account.address.toString())
+options.put("displayName", "Liquid Auth User")
+options.put("authenticatorSelection", JSONObject().put("userVerification", "required"))
+
+// Enable Liquid Extension
+val extensions = JSONObject()
+extensions.put("liquid", true)
+options.put("extensions", extensions)
+
+val response = attestationApi.postAttestationOptions(
+ origin, // Origin Server
+ userAgent, // Required for checking the authenticator fingerprint
+ options // Additional Request Options
+)
+```
+
+## Creating
+
+There are several ways to handle the creation of a new Passkey.
+We recommend
+using the [FIDO2ApiClient](https://developers.google.com/identity/fido/android/native-apps) or [CredentialManager](https://developer.android.com/identity/sign-in/credential-manager)
+
+
+
+
+```kotlin
+// MainActivity.kt
+
+val fido2Client = Fido2ApiClient(context)
+
+val origin = "https://my-liquid-service.com"
+
+// Fetch Attestation Options
+val response = attestationApi.postAttestationOptions(origin, userAgent, options).await()
+
+// Parse the response to PublicKeyCredentialCreationOptions
+val pubKeyCredentialCreationOptions = response.body!!.toPublicKeyCredentialCreationOptions()
+
+// Sign the challenge with the additional keypair you have custody of
+val signature = KeyPairs.rawSignBytes(
+ pubKeyCredentialCreationOptions.challenge,
+ keyPair.private
+)
+
+// Activity Result Handler
+fun handleAuthenticatorAttestationResult(activityResult: ActivityResult){
+ val bytes = activityResult.data?.getByteArrayExtra(Fido.FIDO2_KEY_CREDENTIAL_EXTRA)
+ when {
+ activityResult.resultCode != Activity.RESULT_OK ->
+ Log.d(TAG, "Not OK!")
+
+ bytes == null ->
+ Log.e(TAG, "Error!")
+
+ else -> {
+ /**
+ * Handle the PublicKeyCredential
+ *
+ * Now you can combine the PublicKeyCredential with the Liquid Extension JSON
+ * and submit it to the service for verification
+ */
+ val credential = PublicKeyCredential.deserializeFromBytes(bytes)
+ }
+ }
+}
+
+// Register/Attestation Intent Launcher
+val attestationIntentLauncher = registerForActivityResult(
+ ActivityResultContracts.StartIntentSenderForResult(),
+ ::handleAuthenticatorAttestationResult
+)
+
+// Launch the FIDO2 Intent
+val pendingIntent = fido2Client.getRegisterPendingIntent(pubKeyCredentialCreationOptions).await()
+attestationIntentLauncher.launch(
+ IntentSenderRequest.Builder(pendingIntent).build()
+)
+
+```
+
+
+ ```kotlin
+ // MainActivity.kt
+ import foundation.algorand.auth.fido2.*
+
+ val credential = PublicKeyCredential()
+ ```
+
+
+
+## Response
+
+```kotlin
+// Create the Liquid Extension JSON
+val liquidExtJSON = JSONObject()
+liquidExtJSON.put("type", "algorand")
+liquidExtJSON.put("requestId", msg.requestId)
+liquidExtJSON.put("address", account.address.toString())
+liquidExtJSON.put("signature", Base64.encodeBase64URLSafeString(signature!!))
+liquidExtJSON.put("device", Build.MODEL)
+
+val response = attestationApi.postAttestationResponse(
+ origin, // Origin Server
+ "User-Agent-String", // Required for checking the authenticator fingerprint
+ credential, // PublicKeyCredential
+ liquidExtJSON // Liquid Extension JSON
+)
+```
diff --git a/docs/src/content/docs/clients/browser/answer.mdx b/docs/src/content/docs/clients/browser/answer.mdx
new file mode 100644
index 0000000..bd28498
--- /dev/null
+++ b/docs/src/content/docs/clients/browser/answer.mdx
@@ -0,0 +1,38 @@
+---
+title: 'Browser: Peer Answer'
+---
+
+The answer client is used to respond to a remote client's offer.
+The remote client will have sent an offer to the answer client, which will then respond with an answer.
+
+### Who is this for?
+
+- **dApps** that want to leverage liquid-auth to connect to other clients
+- **Mobile Wallets** that want to tailor the onboarding and connect experience
+- **Browser Wallets** that want to communicate with other clients
+
+### Request ID
+
+Answer clients are responsible for creating the request id.
+Request IDs are given to the remote peer, usually as a deep-link encoded into a QR Code.
+This ID is used by the remote peer to authenticate the current client.
+
+```typescript
+import { SignalClient } from '@algorandfoundation/liquid-client';
+const requestId = SignalClient.generateRequestId();
+```
+
+## Signaling
+
+```typescript
+client
+ .peer(requestId, 'offer')
+ .then((dataChannel: RTCDataChannel)=>{
+ // Handle the data channel
+ dataChannel.onmessage = (event: MessageEvent) => {
+ console.log(event.data)
+ }
+ })
+const blob = await client.qrCode()
+// Display QR Code
+```
diff --git a/docs/src/content/docs/clients/browser/authentication.md b/docs/src/content/docs/clients/browser/authentication.md
new file mode 100644
index 0000000..563aeb0
--- /dev/null
+++ b/docs/src/content/docs/clients/browser/authentication.md
@@ -0,0 +1,35 @@
+---
+title: 'Browser: Authentication'
+---
+
+Authenticate an existing [Passkey](../../guides/concepts#passkeys) with the [Service](../../server/introduction).
+
+### Who is this for?
+
+- **dApps** logging back into the service without connecting to another client
+- **Browser Wallets** that want to communicate with other clients
+
+## Client
+
+Sign in with an existing account using an instance of the `SignalClient`
+```typescript
+//app.ts
+await client.assertion(
+ credentialId, // Some known credential ID
+ {requestId: 12345} // Optional requestId to link
+)
+```
+
+## Stateless
+
+Using the stateless method without a `SignalClient`
+
+```typescript
+//app.ts
+import {assertion} from '@algorandfoundation/liquid-auth/assertion'
+await assertion(
+ "https://my-liquid-service.com",
+ credentialId, // Some known credential ID
+ {requestId: 12345} // Optional requestId to link
+)
+```
diff --git a/docs/src/content/docs/clients/browser/example.md b/docs/src/content/docs/clients/browser/example.md
new file mode 100644
index 0000000..63530fa
--- /dev/null
+++ b/docs/src/content/docs/clients/browser/example.md
@@ -0,0 +1,64 @@
+---
+title: 'Browser: Example'
+next: false
+---
+
+You can check the example in the GitHub repository for a working browser based application
+
+
+## Answer Client
+A dApp that wants a remote wallet to log into the service and create a peer-to-peer connection.
+```typescript
+import { SignalClient } from "@algorandfoundation/liquid-client";
+const client = new SignalClient(window.origin);
+
+const requestId = SignalClient.generateRequestId() // 12345
+
+// Wait for the Offer Client to connect
+client.peer(requestId, 'offer').then((dc)=>{
+ // Handle Peer Messages
+ dc.onmessage = (event: MessageEvent) => {
+ console.log(event.data)
+ }
+ // Send Messages to Peer
+ dc.send('Hello World')
+})
+
+// Generate a QR Code
+const qrData = await client.qrCode()
+```
+
+## Offer Client
+
+The remote browser-based wallet. This could be an extension or hybrid mobile application.
+
+```typescript
+import * as nacl from 'tweetnacl'
+import { SignalClient, toBase64URL } from "@algorandfoundation/liquid-client";
+
+const requestId = 12345 // A known request ID from a Answer Client
+const origin = "https://example.com" // Some known origin
+const address = "encoded-address" // Some known address
+const secretKey = new Uint8Array(32) // Some secret key
+
+// Sign in to the service with a new credential
+await client.attestation(async (challenge: Uint8Array) => ({
+ type: 'algorand',
+ requestId,
+ origin,
+ address,
+ signature: toBase64URL(nacl.sign.detached(challenge, secretKey)),
+ device: 'Demo Web Wallet'
+}))
+
+// Wait for the Answer Client to connect
+client.peer(requestId, 'answer').then((dc)=>{
+ // Handle Peer Messages
+ dc.onmessage = (event: MessageEvent) => {
+ console.log(event.data)
+ }
+ // Send Messages to Peer
+ dc.send('Hello World')
+})
+```
+
diff --git a/docs/src/content/docs/clients/browser/introduction.mdx b/docs/src/content/docs/clients/browser/introduction.mdx
new file mode 100644
index 0000000..069cf45
--- /dev/null
+++ b/docs/src/content/docs/clients/browser/introduction.mdx
@@ -0,0 +1,35 @@
+---
+title: "Browser: Introduction"
+prev: false
+---
+import {Aside} from "@astrojs/starlight/components";
+
+The `SignalClient` is an EventEmitter interface
+that can be used
+to communicate with the [Service](../../server/introduction).
+It's designed to facilitate authentication and peer-to-peer communications.
+The interface is composed of methods that can be manually executed.
+
+## Install
+```bash
+npm install algorandfoundation/liquid-auth-js --save
+````
+
+## Get Started
+
+
+
+### Use-Wallet [WIP]
+We recommend using [use-wallet](https://github.com/TxnLab/use-wallet) from [TxnLabs](https://www.txnlab.dev/).
+Check back soon for more details.
+
+### Manual Integration
+
+
+
+```typescript
+//app.ts
+import {SignalClient} from '@algorandfoundation/liquid-client';
+const client = new SignalClient(window.origin);
+```
+
diff --git a/docs/src/content/docs/clients/browser/offer.mdx b/docs/src/content/docs/clients/browser/offer.mdx
new file mode 100644
index 0000000..265af12
--- /dev/null
+++ b/docs/src/content/docs/clients/browser/offer.mdx
@@ -0,0 +1,48 @@
+---
+title: 'Browser: Peer Offer'
+sidebar:
+ order: 3
+ label: 'Peer Offer'
+---
+import {Aside} from "@astrojs/starlight/components";
+
+
+
+[Peer-to-Peer]() connections can only be done using the `SignalClient`.
+Wallets are responsible for creating offers to connect.
+
+### Who is this for?
+
+- **Browser Wallets** that want to communicate with other clients
+
+## Signaling
+
+```typescript
+import { SignalClient } from "@algorandfoundation/liquid-client";
+const client = new SignalClient("")
+
+// Receive the RequestID from the Peer willing to Answer this offer
+const requestId = 12345
+
+// Register or create a new credential,
+// ensure the requestId is included in the call
+// ...
+
+// Create the Peer Connection and await the remote client's answer
+client.peer(
+ // Request ID from the Peer,
+ // usually displayed as a Deep Link or QR Code
+ requestId,
+ // Type of remote client
+ 'answer'
+).then((dataChannel: RTCDataChannel) => {
+ // Handle the data channel
+ dataChannel.onmessage = (event: MessageEvent) => {
+ console.log(event.data)
+ }
+ dataChannel.send('Hello world!')
+})
+```
diff --git a/docs/src/content/docs/clients/browser/registration.mdx b/docs/src/content/docs/clients/browser/registration.mdx
new file mode 100644
index 0000000..be2a8f1
--- /dev/null
+++ b/docs/src/content/docs/clients/browser/registration.mdx
@@ -0,0 +1,64 @@
+---
+title: "Browser: Registration"
+sidebar:
+ order: 1
+---
+
+Register a [Passkey](../../guides/concepts#passkeys) with the [Service](../../server/introduction) and attest the knowledge of a KeyPair.
+
+### Who is this for?
+
+- **Browser Wallets** that want to communicate with the service and other clients
+
+## Client
+
+Creating a passkey and registering it with the service using an instance of the `SignalClient`
+
+```typescript
+// browser.client.ts
+import * as nacl from 'tweetnacl'
+import {toBase64URL} from '@algorandfoundation/liquid-client/encoding'
+
+// Sign in to the service with a new credential and wallet
+await client.attestation(
+ // Callback when a challenge is received, return a signed challenge
+ async (challenge: Uint8Array) => ({
+ // The type of signature and public key
+ type: 'algorand',
+ // The address of the account
+ address: account.addr,
+ // The signature of the challenge, signed by the account
+ signature: toBase64URL(nacl.sign.detached(challenge, account.sk)),
+ // Optionally authenticate a remote peer
+ requestId: 12345,
+ // Optional device name
+ device: 'Demo Web Wallet'
+ })
+)
+
+```
+
+## Stateless
+
+Creating a passkey without using the `SignalClient`
+
+```typescript
+import {attestation} from '@algorandfoundation/liquid-client/attestation'
+import {toBase64URL} from '@algorandfoundation/liquid-client/encoding'
+await attestation(
+ "https://my-liquid-service.com",
+ // Callback when a challenge is received, return a signed challenge
+ async (challenge: Uint8Array) => ({
+ // The type of signature and public key
+ type: 'algorand',
+ // The address of the account
+ address: account.addr,
+ // The signature of the challenge, signed by the account
+ signature: toBase64URL(nacl.sign.detached(challenge, account.sk)),
+ // Optionally authenticate a remote peer
+ requestId: 12345,
+ // Optional device name
+ device: 'Demo Web Wallet'
+ })
+)
+```
diff --git a/docs/src/content/docs/guides/Passkey/authentication.mdx b/docs/src/content/docs/guides/Passkey/authentication.mdx
new file mode 100644
index 0000000..13ba917
--- /dev/null
+++ b/docs/src/content/docs/guides/Passkey/authentication.mdx
@@ -0,0 +1,123 @@
+---
+title: Authentication Guide
+sidebar:
+ order: 11
+ label: Authentication
+ badge:
+ text: "WIP"
+ variant: caution
+tags:
+ - Passkey
+ - Registration
+ - Android
+ - Browser
+ - Server
+---
+import { Tabs, TabItem, Steps, Aside} from '@astrojs/starlight/components';
+
+Authenticating with a previously created [Passkey](../../concepts#passkeys) is a three-step process.
+
+
+ 1. Fetch the **Request Options** from the [Server](../../../server/introduction).
+ 2. Retrieve the [Passkey](../../concepts#passkeys) using the **Request Options**.
+ 3. Post the **Assertion Response** from an authenticator to the [Server](../../../server/introduction).
+
+
+## ⚙️ Options
+
+[PublicKeyCredentialRequestOptions](https://www.w3.org/TR/webauthn-2/#dictionary-assertion-options) are used
+to retrieve existing Passkey and are generated by the service.
+The URI for this request is [/assertion/request/:credId](../../../server/api/operations/assertioncontroller_request)
+using the `POST` method.
+
+
+
+ ```bash
+ export CRED_ID="AWwK7bcWvbQ4plHok9mOIzuMdDKmLTKog2mgqhe2X48C40ISsvt7xK9CJmjjWbWF7EnNVGxDPb51WHGfN1ac1_w"
+ curl -X POST \
+ --header "Content-Type: application/json" \
+ https://my-liquid-auth-service.com/attestation/request/$CRED_ID
+ ```
+
+
+ ```typescript
+ //app.js
+ // TODO
+ ```
+ See the [Browser](../../../clients/browser/registration) registration guide for more details.
+
+
+ ```kotlin
+ //app.kt
+ import foundation.algorand.auth.fido2.*
+ // TODO
+ ```
+ See the [Android](../../../clients/android/registration) registration guide for more details.
+
+
+
+## 🎉 Retrieving
+
+Getting the existing Passkey from an authenticator can vary depending on the platform.
+Most platforms will accept the **Request Options**
+and return an [AuthenticatorAssertionResponse](https://developer.mozilla.org/en-US/docs/Web/API/AuthenticatorAssertionResponse).
+
+
+
+
+ ```typescript
+ //app.ts
+ const response: AuthenticatorAssertionResponse = await navigator.credentials.get({
+ publicKey: options
+ })
+ ```
+ See the [Browser](../../../clients/browser/authentication) authentication guide for more details.
+
+
+ ```kotlin
+ //app.kt
+ // Retrieve the PublicKeyCredential from the
+ // FIDO2Client or CredentialManager
+ val credential = PublicKeyCredential()
+ ```
+ See the [Android](../../../clients/android/authentication) authentication guide for more details.
+
+
+
+## 🚚 Response
+
+Registering a new Passkey with the service.
+Prove the authenticity of the Passkey by sending the **Attestation Response** to the service.
+The URI for this request is [/assertion/response](../../../server/api/operations/assertioncontroller_response)
+using the `POST` method.
+
+
+ ```bash
+ # TODO
+ curl -X POST \
+ --header "Content-Type: application/json" \
+ --data '{"clientDataJSON": "", "extension"}' \
+ https://my-liquid-auth-service.com/attestation/response
+ ```
+
+
+ ```typescript
+ //app.ts
+ // TODO
+ ```
+ See the [Browser](../../../clients/browser/authentication) authentication guide for more details.
+
+
+ ```kotlin
+ //app.kt
+ val response = attestationApi.postAssertionResponse(
+ origin, // Origin Server
+ "User-Agent-String", // Required for checking the authenticator fingerprint
+ credential // PublicKeyCredential
+ liquidExtension // Liquid Extension
+ )
+ ```
+ See the [Android](../../../clients/android/authentication) authentication guide for more details.
+
+
+
diff --git a/docs/src/content/docs/guides/Passkey/registration.mdx b/docs/src/content/docs/guides/Passkey/registration.mdx
new file mode 100644
index 0000000..05705cf
--- /dev/null
+++ b/docs/src/content/docs/guides/Passkey/registration.mdx
@@ -0,0 +1,130 @@
+---
+title: Registration Guide
+sidebar:
+ order: 10
+ badge:
+ text: "WIP"
+ variant: caution
+ label: Registration
+tags:
+ - Passkey
+ - Registration
+ - Wallet
+ - Android
+ - Browser
+ - Server
+---
+import { Tabs, TabItem, Steps, Aside} from '@astrojs/starlight/components';
+
+Registering a [Passkey](../../concepts#passkeys) is a three-step process.
+
+
+ 1. Fetch the **Creation Options** from the [Server](../../../server/introduction).
+ 2. Create a new [Passkey](../../concepts#passkeys)() using the **Creation Options**.
+ 3. Post the **Attestation Response** from an authenticator to the [Server](../../../server/introduction).
+
+
+## ⚙️ Options
+
+
+
+[PublicKeyCredentialCreationOptions](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions) are used to create a new Passkey and are generated by the service.
+This allows the service to define what options are required for registration.
+The URI for this request is [/attestation/request](../../../server/api/operations/attestationcontroller_request) using the `POST` method.
+
+
+
+ ```bash
+ curl -X POST \
+ --header "Content-Type: application/json" \
+ --data '{"extensions": {"liquid": true}}' \
+ https://my-liquid-auth-service.com/attestation/request
+ ```
+
+
+ ```typescript
+ //app.js
+ import { fetchAttestationRequest } from '@algorandfoundation/liquid-client/attestation'
+ const options = await fetchAttestationRequest("https://my-liquid-auth-service.com")
+ ```
+ See the [Browser](../../../clients/browser/registration) registration guide for more details.
+
+
+ ```kotlin
+ //app.kt
+ import foundation.algorand.auth.fido2.*
+ // TODO
+ ```
+ See the [Android](../../../clients/android/registration) registration guide for more details.
+
+
+
+## ✨ Creating
+
+Generating a new Passkey from an authenticator can vary depending on the platform.
+Most platforms will accept the **Creation Options** and return an [AuthenticatorAttestationResponse](https://developer.mozilla.org/en-US/docs/Web/API/AuthenticatorAttestationResponse).
+
+
+
+
+ ```typescript
+ //app.ts
+ const response: AuthenticatorAttestationResponse = await navigator.credentials.create({
+ publicKey: options
+ })
+ ```
+ See the [Browser](../../../clients/browser/registration) registration guide for more details.
+
+
+ ```kotlin
+ //app.kt
+ // Create a new PublicKeyCredential using
+ // FIDO2Client or CredentialManager
+ val credential = PublicKeyCredential()
+ ```
+ See the [Android](../../../clients/android/registration) registration guide for more details.
+
+
+
+## 🚚 Response
+
+
+
+Registering a new Passkey with the service.
+Prove the authenticity of the Passkey by sending the **Attestation Response** to the service.
+The URI for this request is [/attestation/response](../../../server/api/operations/attestationcontroller_response) using the `POST` method.
+
+
+
+ ```bash
+ # TODO
+ curl -X POST \
+ --header "Content-Type: application/json" \
+ --data '{"attestationResponse": "", "clientDataJSON": "", "extension"}' \
+ https://my-liquid-auth-service.com/attestation/response
+ ```
+
+
+ ```typescript
+ //app.ts
+ import { fetchAttestationResponse } from '@algorandfoundation/liquid-client/attestation'
+ // TODO
+ ```
+ See the [Browser](../../../clients/browser/registration) registration guide for more details.
+
+
+ ```kotlin
+ //app.kt
+ val response = attestationApi.postAttestationResponse(
+ origin, // Origin Server
+ "User-Agent-String", // Required for checking the authenticator fingerprint
+ credential // PublicKeyCredential
+ liquidExtension // Liquid Extension
+ )
+ ```
+ See the [Android](../../../clients/android/registration) registration guide for more details.
+
+
+
diff --git a/docs/src/content/docs/guides/Peer to Peer/answer.mdx b/docs/src/content/docs/guides/Peer to Peer/answer.mdx
new file mode 100644
index 0000000..06125e8
--- /dev/null
+++ b/docs/src/content/docs/guides/Peer to Peer/answer.mdx
@@ -0,0 +1,30 @@
+---
+title: "Answer Guide"
+sidebar:
+ order: 21
+ label: "Answer"
+ badge:
+ text: "WIP"
+ variant: caution
+---
+
+An **Answer** is a type of session that is initiated by a client
+and is used to respond to an **Offer** from another client.
+```mermaid
+sequenceDiagram
+ participant A as Answer Client
+ participant B as Offer Client
+ B->>A: Offer
+ A->>B: Answer
+```
+
+## Peering
+
+TODO: add Tabs
+
+```typescript
+// Wait for the Offer and send the Answer
+client.peer(requestId, "offer").then((dc)=>{
+ // Handle the Data Channel
+})
+```
diff --git a/docs/src/content/docs/guides/Peer to Peer/offer.mdx b/docs/src/content/docs/guides/Peer to Peer/offer.mdx
new file mode 100644
index 0000000..636a68b
--- /dev/null
+++ b/docs/src/content/docs/guides/Peer to Peer/offer.mdx
@@ -0,0 +1,33 @@
+---
+title: "Offer Guide"
+sidebar:
+ order: 20
+ label: "Offer"
+ badge:
+ text: "WIP"
+ variant: caution
+---
+import {Aside} from '@astrojs/starlight/components';
+
+
+
+An **Offer** is a type of session that is initiated by a client
+and is used to request an **Answer** from another client.
+```mermaid
+sequenceDiagram
+ participant A as Offer Client
+ participant B as Answer Client
+ A->>B: Offer
+ B->>A: Answer
+```
+
+## Peering
+
+TODO: add Tabs
+
+```typescript
+// Send the Offer and wait for the Answer
+client.peer(requestId, "answer").then((dc)=>{
+ // Handle the Data Channel
+})
+```
diff --git a/docs/src/content/docs/guides/components.mdx b/docs/src/content/docs/guides/components.mdx
new file mode 100644
index 0000000..11f3392
--- /dev/null
+++ b/docs/src/content/docs/guides/components.mdx
@@ -0,0 +1,41 @@
+---
+title: Components
+sidebar:
+ order: 1
+pagefind: false
+---
+import { Aside } from '@astrojs/starlight/components';
+
+### Server
+
+
+
+The responsibilities of the service are limited to authentication and brokering connections between peers.
+Authentication is handled using [Passkeys](../concepts#passkeys) with a custom `Liquid Extension`
+which attests an additional KeyPair (ie Algorand Account).
+Once a client is authenticated, the service can be used to broker a [Peer to Peer](../concepts#peer-to-peer) connection.
+
+
+#### Who should use this service?
+
+The service should be deployed by decentralized applications
+that want to leverage `Passkeys` and `Signaling` between peers.
+
+#### Why should I deploy this service?
+
+The majority of communications on the internet are centralized.
+**Liquid Auth Server** offloads communication from the server and allows for direct communication between peers.
+Not only is this generally more secure and decentralized, it also reduces the load on the server.
+
+
+
+### Clients
+
+
+
+The **Liquid Auth Clients** are libraries that provide a simple way to interact with the service and other peers.
+Clients use the service to authenticate and broker a connection between peers.
+
+#### Who should use the clients?
+
+The clients should be used by developers who want to integrate the **Liquid Auth Service** into their applications and wallets.
diff --git a/docs/src/content/docs/guides/concepts.md b/docs/src/content/docs/guides/concepts.md
new file mode 100644
index 0000000..07a7523
--- /dev/null
+++ b/docs/src/content/docs/guides/concepts.md
@@ -0,0 +1,42 @@
+---
+title: Key Concepts
+sidebar:
+ order: 1
+ badge:
+ text: "WIP"
+ variant: caution
+---
+
+There are a few key concepts that are important to understand when working with Liquid Auth.
+The main concepts are `Linking`, `Passkeys`, and `Peer-to-Peer`.
+See the full details in the [Architecture Reference](../../architecture).
+
+## Linking
+
+A link will authorize a remote client to access the service. This is done by generating a `RequestId` by the remote device and waiting
+for a device to attest a Passkey. We recommend displaying a QR code with a [liquid deep-link]() to the user to scan with their device.
+
+See how to implement Linking in the [Android]() and [Browser]() client documentation
+
+## Passkeys
+
+Passkeys are also known as FIDO2/WebAuthn [PublicKeyCredential](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential).
+This KeyPair is used to register or authenticate a user and is generated by an authenticator device.
+Passkeys/Authenticators must also support the `Liquid Extension` which is used to attest a `KeyPair` not controlled by the authenticator.
+
+## Peer-to-Peer
+
+[WebRTC](https://developer.mozilla.org/en-US/docs/Web/API/WebRTC_API) is used for establishing a peer-to-peer connection between two clients.
+
+#### Offer
+
+Session Description Protocol (SDP) message sent from the client to the server. The offer contains information about the client's media capabilities and information about the datachannel.
+
+#### Answer
+
+Session Description Protocol (SDP) message sent back to a client who created the Offer.
+An Answer client can then use this information to generate an answer, which is sent back to the offer client.
+
+#### Candidate
+
+ICE Candidate is a network address that can be used to communicate with the peer.
diff --git a/docs/src/content/docs/guides/getting-started.md b/docs/src/content/docs/guides/getting-started.md
deleted file mode 100644
index b33618b..0000000
--- a/docs/src/content/docs/guides/getting-started.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Getting Started
----
-
-Liquid Auth is a self-hosted authentication service that provides a simple way to associate Passkeys to KeyPair(s) commonly found in cryptocurrencies.
-
-## Running Locally
-
-The Android authenticator requires a secure connection, make sure to run the service behind a valid certificate.
-
-### SSL using [ngrok]()
-```bash
-ngrok http 3000
-```
-
-
-### Running the Service
-
-To run Liquid Auth locally, you can use the following command:
-
-```
-#run.sh
-docker run -d -p 3000:3000 --env-file .docker.env liquid-auth:latest
-```
-
-#### Environment Variables
-```env
-#.docker.env
-
-# FIDO2
-RP_NAME= # e.g. Liquid dApp
-HOSTNAME= # e.g. my-liquid-auth-service.com or .ngrok.io
-ORIGIN= # e.g. https://my-liquid-auth-service.com or https://.ngrok.io
-
-# Database
-DB_HOST=
-DB_USERNAME=
-DB_PASSWORD=
-DB_NAME=
-DB_ATLAS=
-
-# Events
-REDIS_HOST=
-REDIS_PORT=
-REDIS_USERNAME=
-REDIS_PASSWORD=
-```
-
-See more details about deployments in the [Server](/server/introduction) guide.
\ No newline at end of file
diff --git a/docs/src/content/docs/guides/getting-started.mdx b/docs/src/content/docs/guides/getting-started.mdx
new file mode 100644
index 0000000..9b24322
--- /dev/null
+++ b/docs/src/content/docs/guides/getting-started.mdx
@@ -0,0 +1,22 @@
+---
+title: Getting Started
+sidebar:
+ order: 0
+pagefind: false
+---
+import { LinkCard, CardGrid, Aside } from '@astrojs/starlight/components';
+
+Liquid Auth is composed of two main components, the **Liquid Auth Server** and the **Liquid Auth Clients**.
+They are used together to provide authentication and signaling services for decentralized applications (dApps).
+
+## Quick Links
+
+
+
+
+
+
diff --git a/docs/src/content/docs/guides/qr-code.md b/docs/src/content/docs/guides/qr-code.md
new file mode 100644
index 0000000..f4f1c57
--- /dev/null
+++ b/docs/src/content/docs/guides/qr-code.md
@@ -0,0 +1,10 @@
+---
+title: "QR Code Guide"
+sidebar:
+ label: "QR Code"
+ badge:
+ text: "TODO"
+ variant: danger
+next: false
+---
+
diff --git a/docs/src/content/docs/guides/registration.md b/docs/src/content/docs/guides/registration.md
deleted file mode 100644
index 097be0b..0000000
--- a/docs/src/content/docs/guides/registration.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: Passkey Registration
----
-
-The service has two endpoints for Passkey registration with the following schema from the [OpenApi documentation](/reference/api):
-
-
-
-- `POST /attestation/request` - Fetch PublicKeyCredentialCreationOptions
-- `POST /attestation/response` - Register a new Passkey using an AuthenticatorAttestationResponse
-
-
-**There are currently two clients available for the service:**
-
-### Android
-
-```kotlin
-//MainActivity.kt
-import foundation.algorand.auth.fido2.*
-
-class MainActivity {
- private var httpClient = OkHttpClient.Builder()
- .cookieJar(cookieJar) // Use Cookie jar to share cookies between requests
- .build()
- private var attestationApi = AttestationApi(httpClient)
-
- private fun onCreate(){
- val origin = "https://my-liquid-auth-service.com"
-
- val options = attestationApi.postAttestationOptions(
- origin, // Origin Server
- "User-Agent-String", // Required for checking the authenticator fingerprint
- JSONObject() // Additional Request Options
- )
-
- // Handle the FIDO2 Intent in FIDO2Client or CredentialManager
- // This is a simplified version of the code
- val credential = PublicKeyCredential()
-
- val response = attestationApi.postAttestationResponse(
- origin, // Origin Server
- "User-Agent-String", // Required for checking the authenticator fingerprint
- credential // PublicKeyCredential
- )
- }
-
-}
-
-```
-
-Find out more in the [kotlin client](/clients/typescript/attestation) documentation.
-
-### Browser
-
-```typescript
-//app.ts
-import {fetchAttestationRequest, fetchAttestationResponse} from '@liquid/auth-client';
-
-const origin = 'https://my-liquid-auth-service.com';
-// Get Credential Options
-const options = await fetchAttestationRequest(origin, {
- userVerification: 'required',
- extensions: {
- liquid: true
- }
-})
-
-// Create Credential
-const credential = await navigator.credentials.create({
- publicKey: options
-});
-
-// Register Credential
-const response = await fetchAttestationResponse(origin, credential)
-```
-Find out more in the [typescript client](/clients/typescript/attestation) documentation.
\ No newline at end of file
diff --git a/docs/src/content/docs/introduction.md b/docs/src/content/docs/introduction.md
index e5267a4..188c60b 100644
--- a/docs/src/content/docs/introduction.md
+++ b/docs/src/content/docs/introduction.md
@@ -1,7 +1,18 @@
---
title: Introduction
description: Welcome to the Liquid Auth documentation.
+pagefind: false
---
-Liquid Auth is a service that provides authentication and authorization for your applications.
-It is designed to be run in front or behind your application and can be used in a variety of ways.
\ No newline at end of file
+Liquid Auth aims to give the user full control over their data and privacy.
+There are far too many services that act as a middle man between the end user and the wallet provider.
+
+By combining the security of FIDO2/WebAuthn with the decentralized nature of WebRTC, Liquid Auth provides a secure and private way for users to communicate.
+
+
+## What is Liquid Auth?
+
+Liquid Auth is a self-hosted authentication service that provides a simple way to associate Passkeys to KeyPair(s) commonly found in cryptocurrencies.
+
+In addition to authentication, Liquid Auth provides a Peer to Peer signaling service.
+Not only can you authenticate users, but you can also establish secure connections between them.
diff --git a/docs/src/content/docs/reference/kotlin-api.md b/docs/src/content/docs/reference/kotlin-api.md
deleted file mode 100644
index 6b45c29..0000000
--- a/docs/src/content/docs/reference/kotlin-api.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: "Android"
----
-
-WIP
diff --git a/docs/src/content/docs/reference/ts-api.md b/docs/src/content/docs/reference/ts-api.md
deleted file mode 100644
index 3991594..0000000
--- a/docs/src/content/docs/reference/ts-api.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: "TypeScript"
----
-
-WIP
diff --git a/docs/src/content/docs/server/environment-variables.md b/docs/src/content/docs/server/environment-variables.md
new file mode 100644
index 0000000..ff3b5e1
--- /dev/null
+++ b/docs/src/content/docs/server/environment-variables.md
@@ -0,0 +1,75 @@
+---
+title: "Server: Configuration"
+sidebar:
+ order: 2
+ label: 'Configuration'
+---
+
+All configurations are set using environment variables.
+Creating a `.env.docker` file is recommended to store all the environment variables required to run the server.
+
+The following sections describe the environment variables required to run the server.
+
+## Environment Variables
+
+Attestations and Assertions require a valid `RP_NAME`, `HOSTNAME`, and `ORIGIN` to be set.
+`ORIGIN` and `HOSTNAME` must be set to a valid domain secured with HTTPS.
+
+```sh
+RP_NAME= # Friendly name of the service
+HOSTNAME= # Hostname of the service
+ORIGIN=https:// # Origin of the service
+```
+
+If you are using a custom Android client, make sure to update the `SHA256` fingerprint.
+
+```bash
+ANDROID_SHA256HASH=<00:00:...> # SHA256 fingerprint of the Android client
+ANDROID_PACKAGENAME= # Package name of the Android client
+```
+
+Configuration for MongoDB
+
+```bash
+DB_HOST= # Hostname of the MongoDB instance
+DB_USERNAME= # Username for the MongoDB instance
+DB_PASSWORD= # Password for the MongoDB instance
+DB_NAME= # Database name
+DB_ATLAS=false # Set to true if using MongoDB Atlas
+```
+
+Configuration for Redis
+
+```bash
+REDIS_HOST= # Hostname of the Redis instance
+REDIS_PORT= # Port for the Redis instance
+REDIS_USERNAME= # Username for the Redis instance
+REDIS_PASSWORD= # Password for the Redis instance
+```
+
+## Full Example
+
+```bash
+# .env.docker
+
+# Database
+DB_HOST=mongo:27017
+DB_USERNAME=algorand
+DB_PASSWORD=algorand
+DB_NAME=fido
+DB_ATLAS=false
+
+# Events
+REDIS_HOST=redis
+REDIS_PORT=6379
+REDIS_USERNAME=default
+REDIS_PASSWORD=
+
+# FIDO2
+RP_NAME="Auth Server"
+HOSTNAME=my-static-domain.ngrok-free.app
+ORIGIN=https://my-static-domain.ngrok-free.app
+
+ANDROID_SHA256HASH=47:CC:4E:EE:B9:50:59:A5:8B:E0:19:45:CA:0A:6D:59:16:F9:A9:C2:96:75:F8:F3:64:86:92:46:2B:7D:5D:5C
+ANDROID_PACKAGENAME=foundation.algorand.demo
+```
diff --git a/docs/src/content/docs/server/integrations.md b/docs/src/content/docs/server/integrations.md
new file mode 100644
index 0000000..cbe7dfc
--- /dev/null
+++ b/docs/src/content/docs/server/integrations.md
@@ -0,0 +1,90 @@
+---
+title: "Server: Integrations"
+sidebar:
+ order: 3
+ label: 'Integrations'
+ badge:
+ text: "WIP"
+ variant: caution
+next: false
+---
+
+### Vite
+
+```typescript
+//vite.config.ts
+
+const DEFAULT_PROXY_URL = 'http://localhost:3000';
+const DEFAULT_WSS_PROXY_URL = 'ws://localhost:3000';
+export default defineConfig({
+ server: {
+ proxy: {
+ '^/auth/.*': process.env.PROXY_URL || DEFAULT_PROXY_URL,
+ '^/.well-known/.*': process.env.PROXY_URL || DEFAULT_PROXY_URL,
+ '^/attestation/.*': process.env.PROXY_URL || DEFAULT_PROXY_URL,
+ '^/assertion/.*': process.env.PROXY_URL || DEFAULT_PROXY_URL,
+ '/socket.io': {
+ target: process.env.WSS_PROXY_SERVER || DEFAULT_WSS_PROXY_URL,
+ ws: true,
+ },
+ }
+ },
+})
+```
+
+### Nest.js[WIP]
+
+```javascript
+//server.js
+// import {AppModule} from '@algorandfoundation/liquid-auth-api'
+```
+
+### Next.js[WIP]
+
+```javascript
+//next.config.js
+// module.exports = {
+// async rewrites() {
+// return [
+// {
+// source: '/blog',
+// destination: 'https://acme.com/blog',
+// },
+// ]
+// },
+// }
+```
+
+### Express.js[WIP]
+
+```javascript
+//server.js
+// import {AppModule} from '@algorandfoundation/liquid-auth-api'
+```
+
+### Vercel[WIP]
+
+```json
+//vercel.json
+{
+ "rewrites": [
+ {
+ "source": "/blog",
+ "destination": "https://acme.com/blog"
+ }
+ ]
+}
+```
+
+### Cloudflare[WIP]
+
+```toml
+#wrangler.toml
+
+```
+
+### NGINX [WIP]
+```nginx
+//default.conf
+#todo Add Nginx proxy configuration
+```
diff --git a/docs/src/content/docs/server/introduction.md b/docs/src/content/docs/server/introduction.md
new file mode 100644
index 0000000..5c2be42
--- /dev/null
+++ b/docs/src/content/docs/server/introduction.md
@@ -0,0 +1,19 @@
+---
+title: 'Server: Introduction'
+prev: false
+sidebar:
+ order: 0
+ label: 'Introduction'
+ badge:
+ text: "WIP"
+ variant: caution
+---
+
+Liquid Auth is a self-hosted authentication service that provides a simple way to associate Passkeys to KeyPair(s) commonly found in cryptocurrencies.
+
+#### Technical Details
+
+It is built using the [NestJS](https://nestjs.com/) framework
+and uses [mongoose](https://docs.nestjs.com/techniques/mongodb) to interact with MongoDB.
+Signaling is handled using [Socket.IO](https://docs.nestjs.com/websockets/gateways)
+backed by a [Redis Adapter](https://socket.io/docs/v4/redis-adapter/).
diff --git a/docs/src/content/docs/server/running-locally.md b/docs/src/content/docs/server/running-locally.md
new file mode 100644
index 0000000..8c401bd
--- /dev/null
+++ b/docs/src/content/docs/server/running-locally.md
@@ -0,0 +1,88 @@
+---
+title: 'Server: Running Locally'
+sidebar:
+ order: 1
+ label: "Running Locally"
+---
+
+The Liquid Auth service is distributed as a Docker image. FIDO2 and WebRTC require a secure connection, we recommend [using ngrok](#ngrok) to create a secure tunnel to your local server.
+See the server [integrations](./integrations) guide for examples of how to add Liquid Auth to a web application.
+
+### Prerequisites
+
+[Install Docker]() and [login to the GitHub Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-with-a-personal-access-token-classic).
+```bash
+export CR_PAT=
+echo $CR_PAT | docker login ghcr.io -u --password-stdin
+```
+
+## Docker Image
+
+The service is designed to be run in a Docker container, it requires a [MongoDB]() and [Redis]() instance to be running.
+See the [Environment Variables](../environment-variables) section for more information about crafting a `.env.docker` file.
+
+```bash
+docker run -d --env-file .env.docker -p 3000:3000 ghcr.io/algorandfoundation/liquid-auth:develop
+```
+
+### Compose Example
+> Example of using Docker Compose to run the Liquid Auth service.
+
+```yaml
+#docker-compose.yml
+services:
+ liquid-auth:
+ image: ghcr.io/algorandfoundation/liquid-auth:develop
+ env_file:
+ - .env.docker
+ ports:
+ - "3000:3000"
+ depends_on:
+ - redis
+ - mongo
+ redis:
+ image: redis
+ ports:
+ - "6379:6379"
+ mongo:
+ image: mongo:7.0
+ environment:
+ - MONGO_INITDB_DATABASE=${DB_NAME:-fido}
+ - MONGO_INITDB_ROOT_USERNAME=${DB_USERNAME:-algorand}
+ - MONGO_INITDB_ROOT_PASSWORD=${DB_PASSWORD:-algorand}
+ ports:
+ - "27017:27017"
+ volumes:
+ - mongo:/data/db
+volumes:
+ mongo:
+```
+
+### Building
+
+Optionally, create the Docker image locally from the source:
+
+```bash
+git clone git@github.com:algorandfoundation/liquid-auth.git && cd liquid-auth
+docker build -t my-amazing-liquid-auth:latest .
+```
+
+## NGROK
+
+Sign up for a free account at [ngrok](https://ngrok.com/) and follow the instructions to get your `` and ``.
+
+#### Configuration
+ngrok will ask you to add your auth token to your configuration file.
+
+``` bash
+ngrok config add-authtoken
+```
+
+It will then ask you to deploy your static domain, make sure to change the port to **3000** like this:
+
+``` bash
+ngrok http --domain= 3000
+```
+
+
+Ensure the service's `ORIGIN` and `HOSTNAME` [environment variables](../environment-variables) are configured correctly with the ngrok domain.
diff --git a/docs/src/styles/mermaid.css b/docs/src/styles/mermaid.css
new file mode 100644
index 0000000..67abc5b
--- /dev/null
+++ b/docs/src/styles/mermaid.css
@@ -0,0 +1,4 @@
+svg[aria-roledescription="sequence"] {
+ border-radius: 25px;
+ background-color: white;
+}
diff --git a/docs/tsconfig.json b/docs/tsconfig.json
index 77da9dd..69b4fc1 100644
--- a/docs/tsconfig.json
+++ b/docs/tsconfig.json
@@ -1,3 +1,8 @@
{
- "extends": "astro/tsconfigs/strict"
-}
\ No newline at end of file
+ "extends": "astro/tsconfigs/strict",
+ "exclude": ["./clients/**/*"],
+ "compilerOptions": {
+ "jsx": "react-jsx",
+ "jsxImportSource": "react"
+ }
+}
+ 
+