@b3dotfun/sdk 0.1.70-alpha.2 → 0.1.70-alpha.4

package/dist/cjs/app.shared.d.ts

@@ -1,6 +1,14 @@
 import { ClientApplication } from "@b3dotfun/b3-api";
 import { AuthenticationClient } from "@feathersjs/authentication-client";
+/** Default API URL derived from environment variables. */
 export declare const B3_API_URL: string;
+/**
+ * Override the B3 API URL at runtime. Called by `B3Provider` when an
+ * `apiUrl` prop is provided. Pass `null` to revert to the default.
+ */
+export declare function setB3ApiUrl(url: string | null): void;
+/** Get the current B3 API URL (prefers runtime override, then env var). */
+export declare function getB3ApiUrl(): string;
 export declare const authenticate: (app: ClientApplication, accessToken: string, identityToken: string, params?: Record<string, any>) => Promise<import("@feathersjs/authentication").AuthenticationResult | null>;
 export declare class MyAuthenticationClient extends AuthenticationClient {
     getFromLocation(location: any): Promise<any>;

package/dist/cjs/app.shared.js

@@ -4,11 +4,30 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.clientOptions = exports.MyAuthenticationClient = exports.authenticate = exports.B3_API_URL = void 0;
+exports.setB3ApiUrl = setB3ApiUrl;
+exports.getB3ApiUrl = getB3ApiUrl;
 const authentication_client_1 = require("@feathersjs/authentication-client");
 const js_cookie_1 = __importDefault(require("js-cookie"));
 const constants_1 = require("./shared/constants");
 const session_duration_1 = require("./shared/utils/session-duration");
+/** Default API URL derived from environment variables. */
 exports.B3_API_URL = process.env.EXPO_PUBLIC_B3_API || process.env.NEXT_PUBLIC_B3_API || process.env.PUBLIC_B3_API || "https://api.b3.fun";
+/**
+ * Runtime-overridable API URL. Set by `B3Provider` when an `apiUrl` prop
+ * is provided. Falls back to the env-var-derived `B3_API_URL`.
+ */
+let _apiUrlOverride = null;
+/**
+ * Override the B3 API URL at runtime. Called by `B3Provider` when an
+ * `apiUrl` prop is provided. Pass `null` to revert to the default.
+ */
+function setB3ApiUrl(url) {
+    _apiUrlOverride = url;
+}
+/** Get the current B3 API URL (prefers runtime override, then env var). */
+function getB3ApiUrl() {
+    return _apiUrlOverride || exports.B3_API_URL;
+}
 const authenticate = async (app, accessToken, identityToken, params) => {
     const fullToken = `${accessToken}+${identityToken}`;
     // Do not authenticate if there is no token

package/dist/cjs/global-account/better-auth-client.d.ts

@@ -940,6 +940,14 @@ export declare function createB3BetterAuthClient(baseURL?: string): {
         };
     };
 };
+/** Get the shared BetterAuth client, creating it if needed. */
+export declare function getBetterAuthClient(): B3BetterAuthClient;
+/** Force-recreate the client on next access (e.g. after API URL change). */
+export declare function resetBetterAuthClient(): void;
+/**
+ * @deprecated Use `getBetterAuthClient()` instead. This static singleton
+ * does not reflect runtime API URL changes via `B3Provider apiUrl` prop.
+ */
 export declare const betterAuthClient: {
     signIn: {
         social: <FetchOptions extends import("@better-auth/core").ClientFetchOption<Partial<{

package/dist/cjs/global-account/better-auth-client.js

@@ -2,16 +2,39 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.betterAuthClient = void 0;
 exports.createB3BetterAuthClient = createB3BetterAuthClient;
+exports.getBetterAuthClient = getBetterAuthClient;
+exports.resetBetterAuthClient = resetBetterAuthClient;
 const client_1 = require("better-auth/client");
 const app_shared_1 = require("../app.shared");
-function createB3BetterAuthClient(baseURL = app_shared_1.B3_API_URL) {
+function createB3BetterAuthClient(baseURL) {
     return (0, client_1.createAuthClient)({
-        baseURL,
+        baseURL: baseURL ?? (0, app_shared_1.getB3ApiUrl)(),
         basePath: "/auth",
         fetchOptions: {
             credentials: "include",
         },
     });
 }
-// Default singleton for standard usage
+// Lazily-initialized singleton. Recreated when the API URL changes via
+// `resetBetterAuthClient()` (called by B3Provider when `apiUrl` changes).
+let _client = null;
+let _clientUrl = null;
+/** Get the shared BetterAuth client, creating it if needed. */
+function getBetterAuthClient() {
+    const url = (0, app_shared_1.getB3ApiUrl)();
+    if (!_client || _clientUrl !== url) {
+        _client = createB3BetterAuthClient(url);
+        _clientUrl = url;
+    }
+    return _client;
+}
+/** Force-recreate the client on next access (e.g. after API URL change). */
+function resetBetterAuthClient() {
+    _client = null;
+    _clientUrl = null;
+}
+/**
+ * @deprecated Use `getBetterAuthClient()` instead. This static singleton
+ * does not reflect runtime API URL changes via `B3Provider apiUrl` prop.
+ */
 exports.betterAuthClient = createB3BetterAuthClient();

package/dist/cjs/global-account/client-manager.d.ts

@@ -1,5 +1,7 @@
 import { ClientApplication } from "@b3dotfun/b3-api";
 export type ClientType = "socket" | "rest";
+/** Reset all cached clients (called when API URL changes). */
+export declare function resetClients(): void;
 /**
  * Sets the active client type and creates the appropriate client
  *

package/dist/cjs/global-account/client-manager.js

@@ -4,6 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.authenticateBoth = exports.authenticateWithClient = exports.authenticate = void 0;
+exports.resetClients = resetClients;
 exports.setClientType = setClientType;
 exports.getClient = getClient;
 exports.getClientType = getClientType;
@@ -21,15 +22,19 @@ let currentClient = null;
 // Socket client instance
 let socketClient = null;
 let socketInstance = null;
+let socketClientUrl = null;
 // REST client instance
 let restClient = null;
+let restClientUrl = null;
 /**
  * Creates a socket client
  */
 function createSocketClient() {
-    if (!socketClient) {
-        socketInstance = (0, socket_io_client_1.default)(app_shared_1.B3_API_URL, { transports: ["websocket"] });
+    const url = (0, app_shared_1.getB3ApiUrl)();
+    if (!socketClient || socketClientUrl !== url) {
+        socketInstance = (0, socket_io_client_1.default)(url, { transports: ["websocket"] });
         socketClient = (0, b3_api_1.createClient)((0, socketio_client_1.default)(socketInstance), app_shared_1.clientOptions);
+        socketClientUrl = url;
     }
     return socketClient;
 }
@@ -45,12 +50,22 @@ function resolveFetch() {
     return require("cross-fetch").fetch;
 }
 function createRestClient() {
-    if (!restClient) {
-        const connection = (0, rest_client_1.default)(app_shared_1.B3_API_URL).fetch(resolveFetch());
+    const url = (0, app_shared_1.getB3ApiUrl)();
+    if (!restClient || restClientUrl !== url) {
+        const connection = (0, rest_client_1.default)(url).fetch(resolveFetch());
         restClient = (0, b3_api_1.createClient)(connection, app_shared_1.clientOptions);
+        restClientUrl = url;
     }
     return restClient;
 }
+/** Reset all cached clients (called when API URL changes). */
+function resetClients() {
+    socketClient = null;
+    socketClientUrl = null;
+    restClient = null;
+    restClientUrl = null;
+    currentClient = null;
+}
 /**
  * Sets the active client type and creates the appropriate client
  *

package/dist/cjs/global-account/react/components/B3Provider/B3Provider.d.ts

@@ -10,7 +10,7 @@ import { ClientType } from "../../../client-manager";
 /**
  * Main B3Provider component
  */
-export declare function B3Provider({ theme, children, accountOverride, environment, automaticallySetFirstEoa, defaultEoaProvider, simDuneApiKey, toaster: _toaster, clientType, rpcUrls, partnerId, stripePublishableKey, onConnect, onLogout, connectors, overrideDefaultConnectors, createClientReferenceId, defaultPermissions, disableBSMNTAuthentication, queryClient, authStrategy, }: {
+export declare function B3Provider({ theme, children, accountOverride, environment, automaticallySetFirstEoa, defaultEoaProvider, simDuneApiKey, toaster: _toaster, clientType, rpcUrls, partnerId, stripePublishableKey, onConnect, onLogout, connectors, overrideDefaultConnectors, createClientReferenceId, defaultPermissions, disableBSMNTAuthentication, queryClient, authStrategy, apiUrl, }: {
     theme: "light" | "dark";
     children: React.ReactNode;
     accountOverride?: Account;
@@ -39,4 +39,13 @@ export declare function B3Provider({ theme, children, accountOverride, environme
     queryClient?: QueryClient;
     /** Auth strategy: "thirdweb" (default, ecosystem wallet) or "better-auth" (email/password via Better Auth) */
     authStrategy?: AuthStrategy;
+    /**
+     * Override the B3 API URL. When provided, all SDK requests (auth, Feathers,
+     * BetterAuth) will use this URL instead of the `NEXT_PUBLIC_B3_API` env var.
+     *
+     * Useful for local development: pass `http://localhost:3031` to route
+     * OAuth callbacks and session checks through your local B3 API.
+     * If omitted, defaults to `NEXT_PUBLIC_B3_API` or `https://api.b3.fun`.
+     */
+    apiUrl?: string;
 }): import("react/jsx-runtime").JSX.Element;

package/dist/cjs/global-account/react/components/B3Provider/B3Provider.js

@@ -12,6 +12,8 @@ const react_2 = require("../../../../wallet/react");
 require("@relayprotocol/relay-kit-ui/styles.css");
 const react_3 = require("react");
 const client_manager_1 = require("../../../client-manager");
+const app_shared_1 = require("../../../../app.shared");
+const better_auth_client_1 = require("../../../better-auth-client");
 const StyleRoot_1 = require("../StyleRoot");
 const index_1 = require("../Toast/index");
 const AuthenticationProvider_1 = __importDefault(require("./AuthenticationProvider"));
@@ -23,7 +25,19 @@ const LocalSDKProvider_1 = require("./LocalSDKProvider");
  */
 function B3Provider({ theme = "light", children, accountOverride, environment, automaticallySetFirstEoa, defaultEoaProvider, simDuneApiKey, 
 // deprecated since v0.0.87
-toaster: _toaster, clientType = "rest", rpcUrls, partnerId, stripePublishableKey, onConnect, onLogout, connectors, overrideDefaultConnectors = false, createClientReferenceId, defaultPermissions, disableBSMNTAuthentication = false, queryClient, authStrategy = "thirdweb", }) {
+toaster: _toaster, clientType = "rest", rpcUrls, partnerId, stripePublishableKey, onConnect, onLogout, connectors, overrideDefaultConnectors = false, createClientReferenceId, defaultPermissions, disableBSMNTAuthentication = false, queryClient, authStrategy = "thirdweb", apiUrl, }) {
+    // Override the B3 API URL when the `apiUrl` prop is provided.
+    // Must run before client initialization and auth providers mount.
+    (0, react_3.useEffect)(() => {
+        (0, app_shared_1.setB3ApiUrl)(apiUrl ?? null);
+        if (apiUrl) {
+            (0, better_auth_client_1.resetBetterAuthClient)();
+            (0, client_manager_1.resetClients)();
+        }
+        return () => {
+            (0, app_shared_1.setB3ApiUrl)(null);
+        };
+    }, [apiUrl]);
     // Initialize Google Analytics on mount
     (0, react_3.useEffect)(() => {
         (0, analytics_1.loadGA4Script)();

package/dist/cjs/global-account/react/components/B3Provider/BetterAuthProvider.js

@@ -45,7 +45,7 @@ const BetterAuthProvider = ({ partnerId }) => {
         app_1.default.logout = async () => {
             debug("Patched logout: clearing Better Auth session");
             try {
-                await better_auth_client_1.betterAuthClient.signOut();
+                await (0, better_auth_client_1.getBetterAuthClient)().signOut();
             }
             catch {
                 debug("Better Auth signOut failed (non-critical)");
@@ -79,9 +79,50 @@ const BetterAuthProvider = ({ partnerId }) => {
             catch {
                 debug("No existing Feathers JWT");
             }
-            // 2. Check for a Better Auth session (e.g. after OAuth redirect sets a cookie)
+            // 2. Check for _ba_token in URL (OAuth callback with third-party cookie bypass).
+            //    When the API and frontend are on different domains, browsers with third-party
+            //    cookie blocking (Firefox TCP, Safari ITP, Chrome Privacy Sandbox) prevent the
+            //    better-auth.session_token cookie from being sent on cross-origin requests.
+            //    The B3 API injects the session token into the redirect URL as _ba_token,
+            //    allowing direct exchange without relying on cookies.
+            const params = new URLSearchParams(window.location.search);
+            const baToken = params.get("_ba_token");
+            if (baToken) {
+                debug("Found _ba_token in URL, exchanging for Feathers JWT");
+                // Clean the token from the URL immediately (security)
+                params.delete("_ba_token");
+                const cleanSearch = params.toString();
+                const cleanUrl = window.location.pathname + (cleanSearch ? `?${cleanSearch}` : "") + window.location.hash;
+                window.history.replaceState({}, "", cleanUrl);
+                try {
+                    const response = await app_1.default.authenticate({
+                        strategy: "better-auth",
+                        accessToken: baToken,
+                        partnerId,
+                    });
+                    if (response.accessToken) {
+                        js_cookie_1.default.set(constants_1.B3_AUTH_COOKIE_NAME, response.accessToken, {
+                            secure: true,
+                            sameSite: "Lax",
+                        });
+                    }
+                    if (response.user) {
+                        setUser(response.user);
+                        setIsAuthenticated(true);
+                        setIsConnected(true);
+                    }
+                    debug("_ba_token exchanged for Feathers JWT", { userId: response.user?.userId });
+                    setIsAuthenticating(false);
+                    return;
+                }
+                catch (err) {
+                    debug("_ba_token exchange failed", err);
+                }
+            }
+            // 3. Check for a Better Auth session via cookie (works when API and frontend
+            //    share a domain or when cookies aren't partitioned)
             try {
-                const session = await better_auth_client_1.betterAuthClient.getSession();
+                const session = await (0, better_auth_client_1.getBetterAuthClient)().getSession();
                 if (session.data?.session?.token) {
                     debug("Better Auth session found, exchanging for Feathers JWT", {
                         betterAuthUserId: session.data.user?.id,
@@ -110,7 +151,7 @@ const BetterAuthProvider = ({ partnerId }) => {
             catch {
                 debug("No Better Auth session to restore");
             }
-            // 3. Nothing found — show login UI
+            // 4. Nothing found — show login UI
             setIsAuthenticating(false);
         };
         restoreSession();

package/dist/cjs/global-account/react/hooks/useAuthentication.js

@@ -192,7 +192,7 @@ function useAuthentication(partnerId, { skipAutoConnect = false } = {}) {
             localStorage.removeItem("lastAuthProvider");
             localStorage.removeItem("b3-user");
         }
-        app_1.default.logout();
+        await app_1.default.logout();
         debug("@@logout:loggedOut");
         setIsAuthenticated(false);
         setIsConnected(false);

package/dist/cjs/global-account/react/hooks/useBetterAuth.js

@@ -57,7 +57,7 @@ function useBetterAuth() {
         setHasStartedConnecting(true);
         setIsAuthenticating(true);
         try {
-            const result = await better_auth_client_1.betterAuthClient.signIn.email({ email, password });
+            const result = await (0, better_auth_client_1.getBetterAuthClient)().signIn.email({ email, password });
             if (result.error) {
                 throw new Error(result.error.message || "Sign in failed");
             }
@@ -78,7 +78,7 @@ function useBetterAuth() {
         setHasStartedConnecting(true);
         setIsAuthenticating(true);
         try {
-            const result = await better_auth_client_1.betterAuthClient.signUp.email({ email, password, name });
+            const result = await (0, better_auth_client_1.getBetterAuthClient)().signUp.email({ email, password, name });
             if (result.error) {
                 throw new Error(result.error.message || "Sign up failed");
             }
@@ -87,7 +87,7 @@ function useBetterAuth() {
                 // requireEmailVerification is enabled — send verification email with
                 // a callbackURL Better Auth redirects to after server-side verify.
                 // Pass verifyCallbackURL to land on a dedicated confirmation page.
-                await better_auth_client_1.betterAuthClient.sendVerificationEmail({
+                await (0, better_auth_client_1.getBetterAuthClient)().sendVerificationEmail({
                     email,
                     callbackURL: verifyCallbackURL || `${window.location.origin}?authStrategy=better-auth`,
                 });
@@ -106,7 +106,7 @@ function useBetterAuth() {
         setHasStartedConnecting(true);
         setIsAuthenticating(true);
         try {
-            const result = await better_auth_client_1.betterAuthClient.signIn.social({
+            const result = await (0, better_auth_client_1.getBetterAuthClient)().signIn.social({
                 provider,
                 callbackURL: window.location.href,
             });
@@ -124,7 +124,7 @@ function useBetterAuth() {
     }, [setIsAuthenticating, setHasStartedConnecting]);
     const requestPasswordReset = (0, react_2.useCallback)(async (email, redirectTo) => {
         debug("Requesting password reset", { email });
-        const result = await better_auth_client_1.betterAuthClient.requestPasswordReset({
+        const result = await (0, better_auth_client_1.getBetterAuthClient)().requestPasswordReset({
             email,
             redirectTo,
         });
@@ -136,7 +136,7 @@ function useBetterAuth() {
     }, []);
     const resetPassword = (0, react_2.useCallback)(async (newPassword, token) => {
         debug("Resetting password");
-        const result = await better_auth_client_1.betterAuthClient.resetPassword({
+        const result = await (0, better_auth_client_1.getBetterAuthClient)().resetPassword({
             newPassword,
             token,
         });
@@ -153,6 +153,6 @@ function useBetterAuth() {
         requestPasswordReset,
         resetPassword,
         exchangeForFeathersJWT,
-        betterAuthClient: better_auth_client_1.betterAuthClient,
+        betterAuthClient: (0, better_auth_client_1.getBetterAuthClient)(),
     };
 }

package/dist/esm/app.shared.d.ts

@@ -1,6 +1,14 @@
 import { ClientApplication } from "@b3dotfun/b3-api";
 import { AuthenticationClient } from "@feathersjs/authentication-client";
+/** Default API URL derived from environment variables. */
 export declare const B3_API_URL: string;
+/**
+ * Override the B3 API URL at runtime. Called by `B3Provider` when an
+ * `apiUrl` prop is provided. Pass `null` to revert to the default.
+ */
+export declare function setB3ApiUrl(url: string | null): void;
+/** Get the current B3 API URL (prefers runtime override, then env var). */
+export declare function getB3ApiUrl(): string;
 export declare const authenticate: (app: ClientApplication, accessToken: string, identityToken: string, params?: Record<string, any>) => Promise<import("@feathersjs/authentication").AuthenticationResult | null>;
 export declare class MyAuthenticationClient extends AuthenticationClient {
     getFromLocation(location: any): Promise<any>;

package/dist/esm/app.shared.js

@@ -2,7 +2,24 @@ import { AuthenticationClient } from "@feathersjs/authentication-client";
 import Cookies from "js-cookie";
 import { B3_AUTH_COOKIE_NAME } from "./shared/constants/index.js";
 import { getSessionDurationDays } from "./shared/utils/session-duration.js";
+/** Default API URL derived from environment variables. */
 export const B3_API_URL = process.env.EXPO_PUBLIC_B3_API || process.env.NEXT_PUBLIC_B3_API || process.env.PUBLIC_B3_API || "https://api.b3.fun";
+/**
+ * Runtime-overridable API URL. Set by `B3Provider` when an `apiUrl` prop
+ * is provided. Falls back to the env-var-derived `B3_API_URL`.
+ */
+let _apiUrlOverride = null;
+/**
+ * Override the B3 API URL at runtime. Called by `B3Provider` when an
+ * `apiUrl` prop is provided. Pass `null` to revert to the default.
+ */
+export function setB3ApiUrl(url) {
+    _apiUrlOverride = url;
+}
+/** Get the current B3 API URL (prefers runtime override, then env var). */
+export function getB3ApiUrl() {
+    return _apiUrlOverride || B3_API_URL;
+}
 export const authenticate = async (app, accessToken, identityToken, params) => {
     const fullToken = `${accessToken}+${identityToken}`;
     // Do not authenticate if there is no token

package/dist/esm/global-account/better-auth-client.d.ts

@@ -940,6 +940,14 @@ export declare function createB3BetterAuthClient(baseURL?: string): {
         };
     };
 };
+/** Get the shared BetterAuth client, creating it if needed. */
+export declare function getBetterAuthClient(): B3BetterAuthClient;
+/** Force-recreate the client on next access (e.g. after API URL change). */
+export declare function resetBetterAuthClient(): void;
+/**
+ * @deprecated Use `getBetterAuthClient()` instead. This static singleton
+ * does not reflect runtime API URL changes via `B3Provider apiUrl` prop.
+ */
 export declare const betterAuthClient: {
     signIn: {
         social: <FetchOptions extends import("@better-auth/core").ClientFetchOption<Partial<{

package/dist/esm/global-account/better-auth-client.js

@@ -1,13 +1,34 @@
 import { createAuthClient } from "better-auth/client";
-import { B3_API_URL } from "../app.shared.js";
-export function createB3BetterAuthClient(baseURL = B3_API_URL) {
+import { getB3ApiUrl } from "../app.shared.js";
+export function createB3BetterAuthClient(baseURL) {
     return createAuthClient({
-        baseURL,
+        baseURL: baseURL ?? getB3ApiUrl(),
         basePath: "/auth",
         fetchOptions: {
             credentials: "include",
         },
     });
 }
-// Default singleton for standard usage
+// Lazily-initialized singleton. Recreated when the API URL changes via
+// `resetBetterAuthClient()` (called by B3Provider when `apiUrl` changes).
+let _client = null;
+let _clientUrl = null;
+/** Get the shared BetterAuth client, creating it if needed. */
+export function getBetterAuthClient() {
+    const url = getB3ApiUrl();
+    if (!_client || _clientUrl !== url) {
+        _client = createB3BetterAuthClient(url);
+        _clientUrl = url;
+    }
+    return _client;
+}
+/** Force-recreate the client on next access (e.g. after API URL change). */
+export function resetBetterAuthClient() {
+    _client = null;
+    _clientUrl = null;
+}
+/**
+ * @deprecated Use `getBetterAuthClient()` instead. This static singleton
+ * does not reflect runtime API URL changes via `B3Provider apiUrl` prop.
+ */
 export const betterAuthClient = createB3BetterAuthClient();

package/dist/esm/global-account/client-manager.d.ts

@@ -1,5 +1,7 @@
 import { ClientApplication } from "@b3dotfun/b3-api";
 export type ClientType = "socket" | "rest";
+/** Reset all cached clients (called when API URL changes). */
+export declare function resetClients(): void;
 /**
  * Sets the active client type and creates the appropriate client
  *

package/dist/esm/global-account/client-manager.js

@@ -2,22 +2,26 @@ import { createClient } from "@b3dotfun/b3-api";
 import rest from "@feathersjs/rest-client";
 import socketio from "@feathersjs/socketio-client";
 import io from "socket.io-client";
-import { authenticate as authenticateB3, B3_API_URL, clientOptions } from "../app.shared.js";
+import { authenticate as authenticateB3, getB3ApiUrl, clientOptions } from "../app.shared.js";
 // Global state to track which client type is active
 let currentClientType = "rest";
 let currentClient = null;
 // Socket client instance
 let socketClient = null;
 let socketInstance = null;
+let socketClientUrl = null;
 // REST client instance
 let restClient = null;
+let restClientUrl = null;
 /**
  * Creates a socket client
  */
 function createSocketClient() {
-    if (!socketClient) {
-        socketInstance = io(B3_API_URL, { transports: ["websocket"] });
+    const url = getB3ApiUrl();
+    if (!socketClient || socketClientUrl !== url) {
+        socketInstance = io(url, { transports: ["websocket"] });
         socketClient = createClient(socketio(socketInstance), clientOptions);
+        socketClientUrl = url;
     }
     return socketClient;
 }
@@ -33,12 +37,22 @@ function resolveFetch() {
     return require("cross-fetch").fetch;
 }
 function createRestClient() {
-    if (!restClient) {
-        const connection = rest(B3_API_URL).fetch(resolveFetch());
+    const url = getB3ApiUrl();
+    if (!restClient || restClientUrl !== url) {
+        const connection = rest(url).fetch(resolveFetch());
         restClient = createClient(connection, clientOptions);
+        restClientUrl = url;
     }
     return restClient;
 }
+/** Reset all cached clients (called when API URL changes). */
+export function resetClients() {
+    socketClient = null;
+    socketClientUrl = null;
+    restClient = null;
+    restClientUrl = null;
+    currentClient = null;
+}
 /**
  * Sets the active client type and creates the appropriate client
  *

package/dist/esm/global-account/react/components/B3Provider/B3Provider.d.ts

@@ -10,7 +10,7 @@ import { ClientType } from "../../../client-manager";
 /**
  * Main B3Provider component
  */
-export declare function B3Provider({ theme, children, accountOverride, environment, automaticallySetFirstEoa, defaultEoaProvider, simDuneApiKey, toaster: _toaster, clientType, rpcUrls, partnerId, stripePublishableKey, onConnect, onLogout, connectors, overrideDefaultConnectors, createClientReferenceId, defaultPermissions, disableBSMNTAuthentication, queryClient, authStrategy, }: {
+export declare function B3Provider({ theme, children, accountOverride, environment, automaticallySetFirstEoa, defaultEoaProvider, simDuneApiKey, toaster: _toaster, clientType, rpcUrls, partnerId, stripePublishableKey, onConnect, onLogout, connectors, overrideDefaultConnectors, createClientReferenceId, defaultPermissions, disableBSMNTAuthentication, queryClient, authStrategy, apiUrl, }: {
     theme: "light" | "dark";
     children: React.ReactNode;
     accountOverride?: Account;
@@ -39,4 +39,13 @@ export declare function B3Provider({ theme, children, accountOverride, environme
     queryClient?: QueryClient;
     /** Auth strategy: "thirdweb" (default, ecosystem wallet) or "better-auth" (email/password via Better Auth) */
     authStrategy?: AuthStrategy;
+    /**
+     * Override the B3 API URL. When provided, all SDK requests (auth, Feathers,
+     * BetterAuth) will use this URL instead of the `NEXT_PUBLIC_B3_API` env var.
+     *
+     * Useful for local development: pass `http://localhost:3031` to route
+     * OAuth callbacks and session checks through your local B3 API.
+     * If omitted, defaults to `NEXT_PUBLIC_B3_API` or `https://api.b3.fun`.
+     */
+    apiUrl?: string;
 }): import("react/jsx-runtime").JSX.Element;

package/dist/esm/global-account/react/components/B3Provider/B3Provider.js

@@ -5,7 +5,9 @@ import { loadGA4Script } from "../../../../global-account/utils/analytics.js";
 import { WalletProvider } from "../../../../wallet/react/index.js";
 import "@relayprotocol/relay-kit-ui/styles.css";
 import { useEffect, useMemo } from "react";
-import { setClientType } from "../../../client-manager.js";
+import { resetClients, setClientType } from "../../../client-manager.js";
+import { setB3ApiUrl } from "../../../../app.shared.js";
+import { resetBetterAuthClient } from "../../../better-auth-client.js";
 import { StyleRoot } from "../StyleRoot.js";
 import { setToastContext, ToastProvider, useToastContext } from "../Toast/index.js";
 import AuthenticationProvider from "./AuthenticationProvider.js";
@@ -17,7 +19,19 @@ import { LocalSDKProvider } from "./LocalSDKProvider.js";
  */
 export function B3Provider({ theme = "light", children, accountOverride, environment, automaticallySetFirstEoa, defaultEoaProvider, simDuneApiKey, 
 // deprecated since v0.0.87
-toaster: _toaster, clientType = "rest", rpcUrls, partnerId, stripePublishableKey, onConnect, onLogout, connectors, overrideDefaultConnectors = false, createClientReferenceId, defaultPermissions, disableBSMNTAuthentication = false, queryClient, authStrategy = "thirdweb", }) {
+toaster: _toaster, clientType = "rest", rpcUrls, partnerId, stripePublishableKey, onConnect, onLogout, connectors, overrideDefaultConnectors = false, createClientReferenceId, defaultPermissions, disableBSMNTAuthentication = false, queryClient, authStrategy = "thirdweb", apiUrl, }) {
+    // Override the B3 API URL when the `apiUrl` prop is provided.
+    // Must run before client initialization and auth providers mount.
+    useEffect(() => {
+        setB3ApiUrl(apiUrl ?? null);
+        if (apiUrl) {
+            resetBetterAuthClient();
+            resetClients();
+        }
+        return () => {
+            setB3ApiUrl(null);
+        };
+    }, [apiUrl]);
     // Initialize Google Analytics on mount
     useEffect(() => {
         loadGA4Script();

package/dist/esm/global-account/react/components/B3Provider/BetterAuthProvider.js

@@ -4,7 +4,7 @@ import { B3_AUTH_COOKIE_NAME } from "../../../../shared/constants/index.js";
 import { debugB3React } from "../../../../shared/utils/debug.js";
 import Cookies from "js-cookie";
 import { useEffect, useRef } from "react";
-import { betterAuthClient } from "../../../better-auth-client.js";
+import { getBetterAuthClient } from "../../../better-auth-client.js";
 import { useUserQuery } from "../../hooks/useUserQuery.js";
 const debug = debugB3React("BetterAuthProvider");
 /**
@@ -40,7 +40,7 @@ const BetterAuthProvider = ({ partnerId }) => {
         app.logout = async () => {
             debug("Patched logout: clearing Better Auth session");
             try {
-                await betterAuthClient.signOut();
+                await getBetterAuthClient().signOut();
             }
             catch {
                 debug("Better Auth signOut failed (non-critical)");
@@ -74,9 +74,50 @@ const BetterAuthProvider = ({ partnerId }) => {
             catch {
                 debug("No existing Feathers JWT");
             }
-            // 2. Check for a Better Auth session (e.g. after OAuth redirect sets a cookie)
+            // 2. Check for _ba_token in URL (OAuth callback with third-party cookie bypass).
+            //    When the API and frontend are on different domains, browsers with third-party
+            //    cookie blocking (Firefox TCP, Safari ITP, Chrome Privacy Sandbox) prevent the
+            //    better-auth.session_token cookie from being sent on cross-origin requests.
+            //    The B3 API injects the session token into the redirect URL as _ba_token,
+            //    allowing direct exchange without relying on cookies.
+            const params = new URLSearchParams(window.location.search);
+            const baToken = params.get("_ba_token");
+            if (baToken) {
+                debug("Found _ba_token in URL, exchanging for Feathers JWT");
+                // Clean the token from the URL immediately (security)
+                params.delete("_ba_token");
+                const cleanSearch = params.toString();
+                const cleanUrl = window.location.pathname + (cleanSearch ? `?${cleanSearch}` : "") + window.location.hash;
+                window.history.replaceState({}, "", cleanUrl);
+                try {
+                    const response = await app.authenticate({
+                        strategy: "better-auth",
+                        accessToken: baToken,
+                        partnerId,
+                    });
+                    if (response.accessToken) {
+                        Cookies.set(B3_AUTH_COOKIE_NAME, response.accessToken, {
+                            secure: true,
+                            sameSite: "Lax",
+                        });
+                    }
+                    if (response.user) {
+                        setUser(response.user);
+                        setIsAuthenticated(true);
+                        setIsConnected(true);
+                    }
+                    debug("_ba_token exchanged for Feathers JWT", { userId: response.user?.userId });
+                    setIsAuthenticating(false);
+                    return;
+                }
+                catch (err) {
+                    debug("_ba_token exchange failed", err);
+                }
+            }
+            // 3. Check for a Better Auth session via cookie (works when API and frontend
+            //    share a domain or when cookies aren't partitioned)
             try {
-                const session = await betterAuthClient.getSession();
+                const session = await getBetterAuthClient().getSession();
                 if (session.data?.session?.token) {
                     debug("Better Auth session found, exchanging for Feathers JWT", {
                         betterAuthUserId: session.data.user?.id,
@@ -105,7 +146,7 @@ const BetterAuthProvider = ({ partnerId }) => {
             catch {
                 debug("No Better Auth session to restore");
             }
-            // 3. Nothing found — show login UI
+            // 4. Nothing found — show login UI
             setIsAuthenticating(false);
         };
         restoreSession();

package/dist/esm/global-account/react/hooks/useAuthentication.js

@@ -186,7 +186,7 @@ export function useAuthentication(partnerId, { skipAutoConnect = false } = {}) {
             localStorage.removeItem("lastAuthProvider");
             localStorage.removeItem("b3-user");
         }
-        app.logout();
+        await app.logout();
         debug("@@logout:loggedOut");
         setIsAuthenticated(false);
         setIsConnected(false);

package/dist/esm/global-account/react/hooks/useBetterAuth.js

@@ -2,7 +2,7 @@ import app from "../../../global-account/app.js";
 import { useAuthStore, useB3Config } from "../../../global-account/react/index.js";
 import { debugB3React } from "../../../shared/utils/debug.js";
 import { useCallback } from "react";
-import { betterAuthClient } from "../../better-auth-client.js";
+import { getBetterAuthClient } from "../../better-auth-client.js";
 import { useUserQuery } from "./useUserQuery.js";
 const debug = debugB3React("useBetterAuth");
 /** Thrown when email verification is required before the user can sign in. */
@@ -49,7 +49,7 @@ export function useBetterAuth() {
         setHasStartedConnecting(true);
         setIsAuthenticating(true);
         try {
-            const result = await betterAuthClient.signIn.email({ email, password });
+            const result = await getBetterAuthClient().signIn.email({ email, password });
             if (result.error) {
                 throw new Error(result.error.message || "Sign in failed");
             }
@@ -70,7 +70,7 @@ export function useBetterAuth() {
         setHasStartedConnecting(true);
         setIsAuthenticating(true);
         try {
-            const result = await betterAuthClient.signUp.email({ email, password, name });
+            const result = await getBetterAuthClient().signUp.email({ email, password, name });
             if (result.error) {
                 throw new Error(result.error.message || "Sign up failed");
             }
@@ -79,7 +79,7 @@ export function useBetterAuth() {
                 // requireEmailVerification is enabled — send verification email with
                 // a callbackURL Better Auth redirects to after server-side verify.
                 // Pass verifyCallbackURL to land on a dedicated confirmation page.
-                await betterAuthClient.sendVerificationEmail({
+                await getBetterAuthClient().sendVerificationEmail({
                     email,
                     callbackURL: verifyCallbackURL || `${window.location.origin}?authStrategy=better-auth`,
                 });
@@ -98,7 +98,7 @@ export function useBetterAuth() {
         setHasStartedConnecting(true);
         setIsAuthenticating(true);
         try {
-            const result = await betterAuthClient.signIn.social({
+            const result = await getBetterAuthClient().signIn.social({
                 provider,
                 callbackURL: window.location.href,
             });
@@ -116,7 +116,7 @@ export function useBetterAuth() {
     }, [setIsAuthenticating, setHasStartedConnecting]);
     const requestPasswordReset = useCallback(async (email, redirectTo) => {
         debug("Requesting password reset", { email });
-        const result = await betterAuthClient.requestPasswordReset({
+        const result = await getBetterAuthClient().requestPasswordReset({
             email,
             redirectTo,
         });
@@ -128,7 +128,7 @@ export function useBetterAuth() {
     }, []);
     const resetPassword = useCallback(async (newPassword, token) => {
         debug("Resetting password");
-        const result = await betterAuthClient.resetPassword({
+        const result = await getBetterAuthClient().resetPassword({
             newPassword,
             token,
         });
@@ -145,6 +145,6 @@ export function useBetterAuth() {
         requestPasswordReset,
         resetPassword,
         exchangeForFeathersJWT,
-        betterAuthClient,
+        betterAuthClient: getBetterAuthClient(),
     };
 }

package/dist/types/app.shared.d.ts

@@ -1,6 +1,14 @@
 import { ClientApplication } from "@b3dotfun/b3-api";
 import { AuthenticationClient } from "@feathersjs/authentication-client";
+/** Default API URL derived from environment variables. */
 export declare const B3_API_URL: string;
+/**
+ * Override the B3 API URL at runtime. Called by `B3Provider` when an
+ * `apiUrl` prop is provided. Pass `null` to revert to the default.
+ */
+export declare function setB3ApiUrl(url: string | null): void;
+/** Get the current B3 API URL (prefers runtime override, then env var). */
+export declare function getB3ApiUrl(): string;
 export declare const authenticate: (app: ClientApplication, accessToken: string, identityToken: string, params?: Record<string, any>) => Promise<import("@feathersjs/authentication").AuthenticationResult | null>;
 export declare class MyAuthenticationClient extends AuthenticationClient {
     getFromLocation(location: any): Promise<any>;

package/dist/types/global-account/better-auth-client.d.ts

@@ -940,6 +940,14 @@ export declare function createB3BetterAuthClient(baseURL?: string): {
         };
     };
 };
+/** Get the shared BetterAuth client, creating it if needed. */
+export declare function getBetterAuthClient(): B3BetterAuthClient;
+/** Force-recreate the client on next access (e.g. after API URL change). */
+export declare function resetBetterAuthClient(): void;
+/**
+ * @deprecated Use `getBetterAuthClient()` instead. This static singleton
+ * does not reflect runtime API URL changes via `B3Provider apiUrl` prop.
+ */
 export declare const betterAuthClient: {
     signIn: {
         social: <FetchOptions extends import("@better-auth/core").ClientFetchOption<Partial<{

package/dist/types/global-account/client-manager.d.ts

@@ -1,5 +1,7 @@
 import { ClientApplication } from "@b3dotfun/b3-api";
 export type ClientType = "socket" | "rest";
+/** Reset all cached clients (called when API URL changes). */
+export declare function resetClients(): void;
 /**
  * Sets the active client type and creates the appropriate client
  *

package/dist/types/global-account/react/components/B3Provider/B3Provider.d.ts

@@ -10,7 +10,7 @@ import { ClientType } from "../../../client-manager";
 /**
  * Main B3Provider component
  */
-export declare function B3Provider({ theme, children, accountOverride, environment, automaticallySetFirstEoa, defaultEoaProvider, simDuneApiKey, toaster: _toaster, clientType, rpcUrls, partnerId, stripePublishableKey, onConnect, onLogout, connectors, overrideDefaultConnectors, createClientReferenceId, defaultPermissions, disableBSMNTAuthentication, queryClient, authStrategy, }: {
+export declare function B3Provider({ theme, children, accountOverride, environment, automaticallySetFirstEoa, defaultEoaProvider, simDuneApiKey, toaster: _toaster, clientType, rpcUrls, partnerId, stripePublishableKey, onConnect, onLogout, connectors, overrideDefaultConnectors, createClientReferenceId, defaultPermissions, disableBSMNTAuthentication, queryClient, authStrategy, apiUrl, }: {
     theme: "light" | "dark";
     children: React.ReactNode;
     accountOverride?: Account;
@@ -39,4 +39,13 @@ export declare function B3Provider({ theme, children, accountOverride, environme
     queryClient?: QueryClient;
     /** Auth strategy: "thirdweb" (default, ecosystem wallet) or "better-auth" (email/password via Better Auth) */
     authStrategy?: AuthStrategy;
+    /**
+     * Override the B3 API URL. When provided, all SDK requests (auth, Feathers,
+     * BetterAuth) will use this URL instead of the `NEXT_PUBLIC_B3_API` env var.
+     *
+     * Useful for local development: pass `http://localhost:3031` to route
+     * OAuth callbacks and session checks through your local B3 API.
+     * If omitted, defaults to `NEXT_PUBLIC_B3_API` or `https://api.b3.fun`.
+     */
+    apiUrl?: string;
 }): import("react/jsx-runtime").JSX.Element;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@b3dotfun/sdk",
-  "version": "0.1.70-alpha.2",
+  "version": "0.1.70-alpha.4",
   "source": "src/index.ts",
   "main": "./dist/cjs/index.js",
   "react-native": "./dist/cjs/index.native.js",

package/src/app.shared.ts

@@ -4,9 +4,29 @@ import Cookies from "js-cookie";
 import { B3_AUTH_COOKIE_NAME } from "./shared/constants";
 import { getSessionDurationDays } from "./shared/utils/session-duration";
 
+/** Default API URL derived from environment variables. */
 export const B3_API_URL =
   process.env.EXPO_PUBLIC_B3_API || process.env.NEXT_PUBLIC_B3_API || process.env.PUBLIC_B3_API || "https://api.b3.fun";
 
+/**
+ * Runtime-overridable API URL. Set by `B3Provider` when an `apiUrl` prop
+ * is provided. Falls back to the env-var-derived `B3_API_URL`.
+ */
+let _apiUrlOverride: string | null = null;
+
+/**
+ * Override the B3 API URL at runtime. Called by `B3Provider` when an
+ * `apiUrl` prop is provided. Pass `null` to revert to the default.
+ */
+export function setB3ApiUrl(url: string | null): void {
+  _apiUrlOverride = url;
+}
+
+/** Get the current B3 API URL (prefers runtime override, then env var). */
+export function getB3ApiUrl(): string {
+  return _apiUrlOverride || B3_API_URL;
+}
+
 export const authenticate = async (
   app: ClientApplication,
   accessToken: string,

package/src/global-account/better-auth-client.ts

@@ -1,11 +1,11 @@
 import { createAuthClient } from "better-auth/client";
-import { B3_API_URL } from "../app.shared";
+import { getB3ApiUrl } from "../app.shared";
 
 export type B3BetterAuthClient = ReturnType<typeof createB3BetterAuthClient>;
 
-export function createB3BetterAuthClient(baseURL: string = B3_API_URL) {
+export function createB3BetterAuthClient(baseURL?: string) {
   return createAuthClient({
-    baseURL,
+    baseURL: baseURL ?? getB3ApiUrl(),
     basePath: "/auth",
     fetchOptions: {
       credentials: "include",
@@ -13,5 +13,29 @@ export function createB3BetterAuthClient(baseURL: string = B3_API_URL) {
   });
 }
 
-// Default singleton for standard usage
+// Lazily-initialized singleton. Recreated when the API URL changes via
+// `resetBetterAuthClient()` (called by B3Provider when `apiUrl` changes).
+let _client: B3BetterAuthClient | null = null;
+let _clientUrl: string | null = null;
+
+/** Get the shared BetterAuth client, creating it if needed. */
+export function getBetterAuthClient(): B3BetterAuthClient {
+  const url = getB3ApiUrl();
+  if (!_client || _clientUrl !== url) {
+    _client = createB3BetterAuthClient(url);
+    _clientUrl = url;
+  }
+  return _client;
+}
+
+/** Force-recreate the client on next access (e.g. after API URL change). */
+export function resetBetterAuthClient(): void {
+  _client = null;
+  _clientUrl = null;
+}
+
+/**
+ * @deprecated Use `getBetterAuthClient()` instead. This static singleton
+ * does not reflect runtime API URL changes via `B3Provider apiUrl` prop.
+ */
 export const betterAuthClient = createB3BetterAuthClient();

package/src/global-account/client-manager.ts

@@ -2,7 +2,7 @@ import { ClientApplication, createClient } from "@b3dotfun/b3-api";
 import rest from "@feathersjs/rest-client";
 import socketio from "@feathersjs/socketio-client";
 import io from "socket.io-client";
-import { authenticate as authenticateB3, B3_API_URL, clientOptions } from "../app.shared";
+import { authenticate as authenticateB3, getB3ApiUrl, clientOptions } from "../app.shared";
 
 export type ClientType = "socket" | "rest";
 
@@ -13,17 +13,21 @@ let currentClient: ClientApplication | null = null;
 // Socket client instance
 let socketClient: ClientApplication | null = null;
 let socketInstance: any = null;
+let socketClientUrl: string | null = null;
 
 // REST client instance
 let restClient: ClientApplication | null = null;
+let restClientUrl: string | null = null;
 
 /**
  * Creates a socket client
  */
 function createSocketClient(): ClientApplication {
-  if (!socketClient) {
-    socketInstance = io(B3_API_URL, { transports: ["websocket"] });
+  const url = getB3ApiUrl();
+  if (!socketClient || socketClientUrl !== url) {
+    socketInstance = io(url, { transports: ["websocket"] });
     socketClient = createClient(socketio(socketInstance), clientOptions);
+    socketClientUrl = url;
   }
   return socketClient;
 }
@@ -40,13 +44,24 @@ function resolveFetch(): typeof fetch {
 }
 
 function createRestClient(): ClientApplication {
-  if (!restClient) {
-    const connection = rest(B3_API_URL).fetch(resolveFetch());
+  const url = getB3ApiUrl();
+  if (!restClient || restClientUrl !== url) {
+    const connection = rest(url).fetch(resolveFetch());
     restClient = createClient(connection, clientOptions);
+    restClientUrl = url;
   }
   return restClient;
 }
 
+/** Reset all cached clients (called when API URL changes). */
+export function resetClients(): void {
+  socketClient = null;
+  socketClientUrl = null;
+  restClient = null;
+  restClientUrl = null;
+  currentClient = null;
+}
+
 /**
  * Sets the active client type and creates the appropriate client
  *

package/src/global-account/react/components/B3Provider/B3Provider.tsx

@@ -11,7 +11,9 @@ import { QueryClient } from "@tanstack/react-query";
 import { useEffect, useMemo } from "react";
 import { Account, EIP1193, Wallet } from "thirdweb/wallets";
 import { CreateConnectorFn } from "wagmi";
-import { ClientType, setClientType } from "../../../client-manager";
+import { ClientType, resetClients, setClientType } from "../../../client-manager";
+import { setB3ApiUrl } from "../../../../app.shared";
+import { resetBetterAuthClient } from "../../../better-auth-client";
 import { StyleRoot } from "../StyleRoot";
 import { setToastContext, ToastProvider, useToastContext } from "../Toast/index";
 import AuthenticationProvider from "./AuthenticationProvider";
@@ -45,6 +47,7 @@ export function B3Provider({
   disableBSMNTAuthentication = false,
   queryClient,
   authStrategy = "thirdweb",
+  apiUrl,
 }: {
   theme: "light" | "dark";
   children: React.ReactNode;
@@ -74,7 +77,29 @@ export function B3Provider({
   queryClient?: QueryClient;
   /** Auth strategy: "thirdweb" (default, ecosystem wallet) or "better-auth" (email/password via Better Auth) */
   authStrategy?: AuthStrategy;
+  /**
+   * Override the B3 API URL. When provided, all SDK requests (auth, Feathers,
+   * BetterAuth) will use this URL instead of the `NEXT_PUBLIC_B3_API` env var.
+   *
+   * Useful for local development: pass `http://localhost:3031` to route
+   * OAuth callbacks and session checks through your local B3 API.
+   * If omitted, defaults to `NEXT_PUBLIC_B3_API` or `https://api.b3.fun`.
+   */
+  apiUrl?: string;
 }) {
+  // Override the B3 API URL when the `apiUrl` prop is provided.
+  // Must run before client initialization and auth providers mount.
+  useEffect(() => {
+    setB3ApiUrl(apiUrl ?? null);
+    if (apiUrl) {
+      resetBetterAuthClient();
+      resetClients();
+    }
+    return () => {
+      setB3ApiUrl(null);
+    };
+  }, [apiUrl]);
+
   // Initialize Google Analytics on mount
   useEffect(() => {
     loadGA4Script();

package/src/global-account/react/components/B3Provider/BetterAuthProvider.tsx

@@ -4,7 +4,7 @@ import { B3_AUTH_COOKIE_NAME } from "@b3dotfun/sdk/shared/constants";
 import { debugB3React } from "@b3dotfun/sdk/shared/utils/debug";
 import Cookies from "js-cookie";
 import { useEffect, useRef } from "react";
-import { betterAuthClient } from "../../../better-auth-client";
+import { getBetterAuthClient } from "../../../better-auth-client";
 import { useUserQuery } from "../../hooks/useUserQuery";
 
 const debug = debugB3React("BetterAuthProvider");
@@ -43,7 +43,7 @@ const BetterAuthProvider = ({ partnerId }: { partnerId: string }) => {
     (app as any).logout = async () => {
       debug("Patched logout: clearing Better Auth session");
       try {
-        await betterAuthClient.signOut();
+        await getBetterAuthClient().signOut();
       } catch {
         debug("Better Auth signOut failed (non-critical)");
       }
@@ -79,9 +79,55 @@ const BetterAuthProvider = ({ partnerId }: { partnerId: string }) => {
         debug("No existing Feathers JWT");
       }
 
-      // 2. Check for a Better Auth session (e.g. after OAuth redirect sets a cookie)
+      // 2. Check for _ba_token in URL (OAuth callback with third-party cookie bypass).
+      //    When the API and frontend are on different domains, browsers with third-party
+      //    cookie blocking (Firefox TCP, Safari ITP, Chrome Privacy Sandbox) prevent the
+      //    better-auth.session_token cookie from being sent on cross-origin requests.
+      //    The B3 API injects the session token into the redirect URL as _ba_token,
+      //    allowing direct exchange without relying on cookies.
+      const params = new URLSearchParams(window.location.search);
+      const baToken = params.get("_ba_token");
+      if (baToken) {
+        debug("Found _ba_token in URL, exchanging for Feathers JWT");
+
+        // Clean the token from the URL immediately (security)
+        params.delete("_ba_token");
+        const cleanSearch = params.toString();
+        const cleanUrl = window.location.pathname + (cleanSearch ? `?${cleanSearch}` : "") + window.location.hash;
+        window.history.replaceState({}, "", cleanUrl);
+
+        try {
+          const response = await app.authenticate({
+            strategy: "better-auth",
+            accessToken: baToken,
+            partnerId,
+          } as any);
+
+          if (response.accessToken) {
+            Cookies.set(B3_AUTH_COOKIE_NAME, response.accessToken, {
+              secure: true,
+              sameSite: "Lax",
+            });
+          }
+
+          if (response.user) {
+            setUser(response.user);
+            setIsAuthenticated(true);
+            setIsConnected(true);
+          }
+
+          debug("_ba_token exchanged for Feathers JWT", { userId: response.user?.userId });
+          setIsAuthenticating(false);
+          return;
+        } catch (err) {
+          debug("_ba_token exchange failed", err);
+        }
+      }
+
+      // 3. Check for a Better Auth session via cookie (works when API and frontend
+      //    share a domain or when cookies aren't partitioned)
       try {
-        const session = await betterAuthClient.getSession();
+        const session = await getBetterAuthClient().getSession();
         if (session.data?.session?.token) {
           debug("Better Auth session found, exchanging for Feathers JWT", {
             betterAuthUserId: session.data.user?.id,
@@ -114,7 +160,7 @@ const BetterAuthProvider = ({ partnerId }: { partnerId: string }) => {
         debug("No Better Auth session to restore");
       }
 
-      // 3. Nothing found — show login UI
+      // 4. Nothing found — show login UI
       setIsAuthenticating(false);
     };
 

package/src/global-account/react/hooks/useAuthentication.ts

@@ -216,7 +216,7 @@ export function useAuthentication(partnerId: string, { skipAutoConnect = false }
         localStorage.removeItem("b3-user");
       }
 
-      app.logout();
+      await app.logout();
       debug("@@logout:loggedOut");
 
       setIsAuthenticated(false);

package/src/global-account/react/hooks/useBetterAuth.ts

@@ -2,7 +2,7 @@ import app from "@b3dotfun/sdk/global-account/app";
 import { useAuthStore, useB3Config } from "@b3dotfun/sdk/global-account/react";
 import { debugB3React } from "@b3dotfun/sdk/shared/utils/debug";
 import { useCallback } from "react";
-import { betterAuthClient } from "../../better-auth-client";
+import { getBetterAuthClient } from "../../better-auth-client";
 import { useUserQuery } from "./useUserQuery";
 
 const debug = debugB3React("useBetterAuth");
@@ -65,7 +65,7 @@ export function useBetterAuth() {
       setIsAuthenticating(true);
 
       try {
-        const result = await betterAuthClient.signIn.email({ email, password });
+        const result = await getBetterAuthClient().signIn.email({ email, password });
 
         if (result.error) {
           throw new Error(result.error.message || "Sign in failed");
@@ -93,7 +93,7 @@ export function useBetterAuth() {
       setIsAuthenticating(true);
 
       try {
-        const result = await betterAuthClient.signUp.email({ email, password, name });
+        const result = await getBetterAuthClient().signUp.email({ email, password, name });
 
         if (result.error) {
           throw new Error(result.error.message || "Sign up failed");
@@ -104,7 +104,7 @@ export function useBetterAuth() {
           // requireEmailVerification is enabled — send verification email with
           // a callbackURL Better Auth redirects to after server-side verify.
           // Pass verifyCallbackURL to land on a dedicated confirmation page.
-          await betterAuthClient.sendVerificationEmail({
+          await getBetterAuthClient().sendVerificationEmail({
             email,
             callbackURL: verifyCallbackURL || `${window.location.origin}?authStrategy=better-auth`,
           });
@@ -128,7 +128,7 @@ export function useBetterAuth() {
       setIsAuthenticating(true);
 
       try {
-        const result = await betterAuthClient.signIn.social({
+        const result = await getBetterAuthClient().signIn.social({
           provider,
           callbackURL: window.location.href,
         });
@@ -151,7 +151,7 @@ export function useBetterAuth() {
   const requestPasswordReset = useCallback(async (email: string, redirectTo?: string) => {
     debug("Requesting password reset", { email });
 
-    const result = await betterAuthClient.requestPasswordReset({
+    const result = await getBetterAuthClient().requestPasswordReset({
       email,
       redirectTo,
     });
@@ -167,7 +167,7 @@ export function useBetterAuth() {
   const resetPassword = useCallback(async (newPassword: string, token: string) => {
     debug("Resetting password");
 
-    const result = await betterAuthClient.resetPassword({
+    const result = await getBetterAuthClient().resetPassword({
       newPassword,
       token,
     });
@@ -187,6 +187,6 @@ export function useBetterAuth() {
     requestPasswordReset,
     resetPassword,
     exchangeForFeathersJWT,
-    betterAuthClient,
+    betterAuthClient: getBetterAuthClient(),
   };
 }