@blazeo.com/calendar-client 1.0.27 → 1.0.29

package/README.md

@@ -24,23 +24,19 @@ Configure once at app startup, then use models and their methods:
 ```js
 import {
   configure,
-  setBaseUrl,
-  setConsumer,
-  setApiCredentials,
-  fetchAccessToken,
+  setAccessToken,
+  setGetAccessToken,
   CalendarModel,
   createRootStore,
 } from '@blazeo.com/calendar-client';
 
-configure({ baseUrl: 'https://your-appointment-api.example.com' });
-// or: setBaseUrl('https://localhost:7051');
-setConsumer('my-app');  // optional: sent as Consumer header (e.g. for lead source)
-
-// API JWT (for Authorized routes such as lead export)
-setApiCredentials('your-api-key', 'your-api-secret');
-await fetchAccessToken();
-// Or set a token you obtained elsewhere:
-// setAccessToken('eyJ...', '2026-05-19T12:00:00Z');
+configure({
+  baseUrl: 'https://your-appointment-api.example.com',
+  consumer: 'my-app', // optional Consumer header
+  accessToken: yourIdpAccessToken, // JWT from your identity provider
+  expiresAtUtc: '2026-05-21T12:00:00Z', // optional — used before auto-refresh
+  getAccessToken: async () => yourIdp.getAccessToken(), // optional refresh callback
+});
 
 // Calendar static methods (no store needed)
 const timezones = await CalendarModel.getTimeZones();
@@ -52,23 +48,22 @@ const cal = store.addCalendar({ calendarId: 'my-cal', name: 'My Calendar' });
 await cal.create(); // POST to backend
 ```
 
-### API JWT authentication
+### JWT authentication
 
-The backend issues JWTs via `POST Api/Auth/Token` (`api_key` + `api_secret`). There is no refresh endpoint; when the token expires (~1 hour), call `fetchAccessToken()` again.
+The Appointment API validates Bearer JWTs from your identity provider (`Authentication:Jwt:Authority` on the server). This package does **not** exchange api keys for tokens — pass the JWT your app already has.
 
 | Function | Purpose |
 |----------|---------|
-| `setApiCredentials(apiKey, apiSecret)` | Store credentials for token exchange |
-| `fetchAccessToken()` | Get JWT from API and store on config |
-| `setAccessToken(token, expiresAtUtc?)` | Use a token you already have |
-| `ensureValidAccessToken()` | Fetch only if missing or near expiry |
-| `clearAuth()` | Clear token and credentials |
+| `setAccessToken(token, expiresAtUtc?)` | Store JWT from your IdP |
+| `setGetAccessToken(fn)` | Async callback to refresh when missing/near expiry |
+| `ensureValidAccessToken()` | Resolve token before a request (uses callback if needed) |
+| `clearAuth()` | Clear token and refresh callback |
 
-All `reqGet` / `reqPost` calls automatically attach `Authorization: Bearer …` and re-issue the token before requests when credentials are configured.
+All `reqGet` / `reqPost` calls attach `Authorization: Bearer …` when a token is configured.
 
 ```js
-configure({ baseUrl: 'https://your-api', apiKey: 'key', apiSecret: 'secret' });
-await fetchAccessToken();
+setAccessToken(session.accessToken, session.expiresAt);
+setGetAccessToken(() => authService.acquireTokenSilent());
 await LeadModel.requestExport('company-key');
 ```
 

package/dist/index.d.ts

@@ -1,19 +1,8 @@
 /** @blazeo.com/calendar-client - type declarations */
 
-export type AccessTokenResult = {
-  status: string;
-  message?: string;
-  accessToken?: string;
-  expiresAtUtc?: string | null;
-  tokenType?: string;
-};
-
 export type AuthState = {
   accessToken?: string;
   tokenExpiresAt?: string;
-  apiKey?: string;
-  apiSecret?: string;
-  hasApiCredentials: boolean;
 };
 
 export function configure(env: {
@@ -25,10 +14,8 @@ export function configure(env: {
   expiresAtUtc?: string;
   tokenExpiresAt?: string;
   expires_at_utc?: string;
-  apiKey?: string;
-  api_key?: string;
-  apiSecret?: string;
-  api_secret?: string;
+  /** Called when the stored JWT is missing or near expiry; return a fresh token from your IdP. */
+  getAccessToken?: () => Promise<string | undefined>;
 }): void;
 
 export function getConfig(): {
@@ -38,23 +25,18 @@ export function getConfig(): {
   getDefaultOffset?: () => number;
   accessToken?: string;
   tokenExpiresAt?: string;
-  hasApiCredentials?: boolean;
 } | null;
 
 export function setBaseUrl(baseUrl: string): void;
 export function setConsumer(consumer: string): void;
 export function setAccessToken(accessToken: string, expiresAtUtc?: string): void;
 export function clearAccessToken(): void;
-export function setApiCredentials(apiKey: string, apiSecret: string): void;
-export function clearApiCredentials(): void;
+export function setGetAccessToken(fn: () => Promise<string | undefined>): void;
 export function clearAuth(): void;
 export function getAuth(): AuthState;
-export function fetchAccessToken(apiKey?: string, apiSecret?: string): Promise<AccessTokenResult>;
 export function ensureValidAccessToken(): Promise<string | undefined>;
-export function requestAccessToken(apiKey: string, apiSecret: string, opts?: { baseUrl?: string; fetch?: typeof fetch }): Promise<AccessTokenResult>;
 export function isAccessTokenExpired(expiresAtUtc?: string | number | Date | null, skewMs?: number): boolean;
 export function buildAuthHeaders(extra?: Record<string, string>): Record<string, string>;
-export const TOKEN_PATH: '/Api/Auth/Token';
 export const DEFAULT_TOKEN_REFRESH_SKEW_MS: number;
 export function getConfigStore(): unknown;
 
@@ -336,6 +318,20 @@ export type ParticipantAuthorizationStatus = {
   providers: CalendarProviderAuthorizationState[];
 };
 
+export type ParticipantData = {
+  id?: number | null;
+  participantId: string;
+  companyKey?: string | null;
+  alias?: string;
+  email?: string;
+  isApproved: boolean;
+  isAvailable: boolean;
+  provider: number;
+  createdOn?: string | null;
+  modifiedOn?: string | null;
+  isDeleted?: boolean;
+};
+
 export const CALENDAR_AUTH_MESSAGE_TYPE: 'calendar-authorization';
 
 export const CalendarEmailProvider: {
@@ -366,6 +362,11 @@ export const AuthModel: {
     data?: ParticipantAuthorizationStatus;
     message?: string;
   }>;
+  IsAuthorized(participantId: string): Promise<{
+    status: string;
+    data?: ParticipantData;
+    message?: string;
+  }>;
   openOAuthPopup(
     authorizationUrl: string,
     opts?: { width?: number; height?: number }

package/dist/index.js

@@ -49,27 +49,23 @@ __export(index_exports, {
   RecurringFrequency: () => RecurringFrequency,
   RootStore: () => RootStore,
   SettingModel: () => Setting_default,
-  TOKEN_PATH: () => TOKEN_PATH,
   TimeFrameModel: () => TimeFrame_default,
   TimeSlotModel: () => TimeSlot_default,
   Unit: () => Unit,
   buildAuthHeaders: () => buildAuthHeaders,
   clearAccessToken: () => clearAccessToken,
-  clearApiCredentials: () => clearApiCredentials,
   clearAuth: () => clearAuth,
   configure: () => configure,
   createRootStore: () => createRootStore,
   ensureValidAccessToken: () => ensureValidAccessToken,
-  fetchAccessToken: () => fetchAccessToken2,
   getAuth: () => getAuth,
   getConfig: () => getConfig,
   getConfigStore: () => getConfigStore,
   isAccessTokenExpired: () => isAccessTokenExpired,
-  requestAccessToken: () => requestAccessToken,
   setAccessToken: () => setAccessToken,
-  setApiCredentials: () => setApiCredentials,
   setBaseUrl: () => setBaseUrl,
-  setConsumer: () => setConsumer
+  setConsumer: () => setConsumer,
+  setGetAccessToken: () => setGetAccessToken
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -85,8 +81,8 @@ var ConfigModel = import_mobx_state_tree.types.model("Config", {
   fetch: void 0,
   accessToken: void 0,
   tokenExpiresAt: void 0,
-  apiKey: void 0,
-  apiSecret: void 0,
+  /** Host app supplies a fresh JWT (e.g. from your IdP) when the stored token is missing/expired. */
+  getAccessToken: void 0,
   getDefaultOffset: () => -(/* @__PURE__ */ new Date()).getTimezoneOffset()
 })).actions((self) => ({
   setBaseUrl(url) {
@@ -101,6 +97,9 @@ var ConfigModel = import_mobx_state_tree.types.model("Config", {
   setGetDefaultOffset(fn) {
     self.getDefaultOffset = fn;
   },
+  setGetAccessToken(fn) {
+    self.getAccessToken = fn;
+  },
   setAccessToken(token, expiresAtUtc = void 0) {
     self.accessToken = token ? String(token) : void 0;
     self.tokenExpiresAt = expiresAtUtc != null && expiresAtUtc !== "" ? String(expiresAtUtc) : void 0;
@@ -109,40 +108,24 @@ var ConfigModel = import_mobx_state_tree.types.model("Config", {
     self.accessToken = void 0;
     self.tokenExpiresAt = void 0;
   },
-  setApiCredentials(apiKey, apiSecret) {
-    self.apiKey = apiKey != null ? String(apiKey) : void 0;
-    self.apiSecret = apiSecret != null ? String(apiSecret) : void 0;
-  },
-  clearApiCredentials() {
-    self.apiKey = void 0;
-    self.apiSecret = void 0;
-  },
   clearAuth() {
     self.clearAccessToken();
-    self.clearApiCredentials();
+    self.getAccessToken = void 0;
   },
   configure(env) {
     if (env.baseUrl != null) self.baseUrl = env.baseUrl;
     if (env.consumer != null) self.consumer = env.consumer;
     if (env.fetch != null) self.fetch = env.fetch;
     if (env.getDefaultOffset != null) self.getDefaultOffset = env.getDefaultOffset;
+    if (env.getAccessToken != null) self.getAccessToken = env.getAccessToken;
     if (env.accessToken != null) {
       self.setAccessToken(
         env.accessToken,
         env.expiresAtUtc ?? env.tokenExpiresAt ?? env.expires_at_utc
       );
     }
-    if (env.apiKey != null || env.api_key != null) {
-      self.apiKey = String(env.apiKey ?? env.api_key);
-    }
-    if (env.apiSecret != null || env.api_secret != null) {
-      self.apiSecret = String(env.apiSecret ?? env.api_secret);
-    }
   }
 })).views((self) => ({
-  get hasApiCredentials() {
-    return Boolean(self.apiKey && self.apiSecret);
-  },
   getEnv() {
     return {
       baseUrl: self.baseUrl || void 0,
@@ -150,8 +133,7 @@ var ConfigModel = import_mobx_state_tree.types.model("Config", {
       fetch: self.fetch,
       getDefaultOffset: self.getDefaultOffset,
       accessToken: self.accessToken,
-      tokenExpiresAt: self.tokenExpiresAt,
-      hasApiCredentials: self.hasApiCredentials
+      tokenExpiresAt: self.tokenExpiresAt
     };
   }
 }));
@@ -163,26 +145,7 @@ function getConfigStore() {
 var ConfigModel_default = ConfigModel;
 
 // src/apiAuth.js
-var TOKEN_PATH = "/Api/Auth/Token";
 var DEFAULT_TOKEN_REFRESH_SKEW_MS = 6e4;
-function defaultFetch() {
-  if (typeof fetch === "undefined") {
-    throw new Error("fetch not available");
-  }
-  return fetch;
-}
-function pickTokenPayload(data) {
-  if (!data || typeof data !== "object") return null;
-  const nested = data.data && typeof data.data === "object" ? data.data : data;
-  const accessToken = nested.access_token ?? nested.accessToken ?? nested.AccessToken ?? null;
-  if (!accessToken) return null;
-  const expiresAtUtc = nested.expires_at_utc ?? nested.expiresAtUtc ?? nested.ExpiresAtUtc ?? null;
-  return {
-    accessToken: String(accessToken),
-    expiresAtUtc: expiresAtUtc != null ? String(expiresAtUtc) : null,
-    tokenType: nested.token_type ?? nested.tokenType ?? "Bearer"
-  };
-}
 function isAccessTokenExpired(expiresAtUtc, skewMs = DEFAULT_TOKEN_REFRESH_SKEW_MS) {
   if (expiresAtUtc == null || expiresAtUtc === "") return false;
   const expMs = new Date(expiresAtUtc).getTime();
@@ -193,77 +156,22 @@ function getAuthState() {
   const store = getConfigStore();
   return {
     accessToken: store.accessToken ?? void 0,
-    tokenExpiresAt: store.tokenExpiresAt ?? void 0,
-    apiKey: store.apiKey ?? void 0,
-    apiSecret: store.apiSecret ?? void 0,
-    hasApiCredentials: Boolean(store.apiKey && store.apiSecret)
-  };
-}
-async function requestAccessToken(apiKey, apiSecret, opts = {}) {
-  const store = getConfigStore();
-  const baseUrl = opts.baseUrl ?? store.baseUrl;
-  if (!baseUrl) {
-    return { status: "failure", message: "baseUrl required. Call configure({ baseUrl }) first." };
-  }
-  const key = apiKey != null ? String(apiKey).trim() : "";
-  const secret = apiSecret != null ? String(apiSecret).trim() : "";
-  if (!key || !secret) {
-    return { status: "failure", message: "api_key and api_secret are required" };
-  }
-  const fetchFn = opts.fetch ?? store.fetch ?? defaultFetch();
-  const url = `${String(baseUrl).replace(/\/+$/, "")}${TOKEN_PATH}`;
-  const httpRes = await fetchFn(url, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ api_key: key, api_secret: secret })
-  });
-  const text = await httpRes.text();
-  let body;
-  try {
-    body = JSON.parse(text);
-  } catch {
-    body = { status: "failure", message: text || httpRes.statusText };
-  }
-  if (!httpRes.ok && body.status !== "failure") {
-    body.status = "failure";
-    body.message = body.message ?? `HTTP ${httpRes.status}`;
-  }
-  if (body.status !== "success") {
-    return {
-      status: "failure",
-      message: body.message ?? "Failed to obtain access token"
-    };
-  }
-  const parsed = pickTokenPayload(body);
-  if (!parsed) {
-    return { status: "failure", message: "Token response missing access_token" };
-  }
-  return {
-    status: "success",
-    accessToken: parsed.accessToken,
-    expiresAtUtc: parsed.expiresAtUtc,
-    tokenType: parsed.tokenType
+    tokenExpiresAt: store.tokenExpiresAt ?? void 0
   };
 }
-async function fetchAccessToken(apiKey, apiSecret) {
-  const store = getConfigStore();
-  const key = apiKey ?? store.apiKey;
-  const secret = apiSecret ?? store.apiSecret;
-  const result = await requestAccessToken(key, secret);
-  if (result.status === "success") {
-    store.setAccessToken(result.accessToken, result.expiresAtUtc);
-  }
-  return result;
-}
 async function ensureAccessToken() {
   const store = getConfigStore();
-  const { accessToken, tokenExpiresAt, apiKey, apiSecret } = getAuthState();
+  const { accessToken, tokenExpiresAt } = getAuthState();
   if (accessToken && !isAccessTokenExpired(tokenExpiresAt)) {
     return accessToken;
   }
-  if (apiKey && apiSecret) {
-    const result = await fetchAccessToken(apiKey, apiSecret);
-    if (result.status === "success") return result.accessToken;
+  const refresh = store.getAccessToken;
+  if (typeof refresh === "function") {
+    const next = await refresh();
+    if (next) {
+      store.setAccessToken(next);
+      return next;
+    }
   }
   return accessToken;
 }
@@ -300,11 +208,8 @@ function setAccessToken(accessToken, expiresAtUtc) {
 function clearAccessToken() {
   getConfigStore().clearAccessToken();
 }
-function setApiCredentials(apiKey, apiSecret) {
-  getConfigStore().setApiCredentials(apiKey, apiSecret);
-}
-function clearApiCredentials() {
-  getConfigStore().clearApiCredentials();
+function setGetAccessToken(fn) {
+  getConfigStore().setGetAccessToken(fn);
 }
 function clearAuth() {
   getConfigStore().clearAuth();
@@ -312,9 +217,6 @@ function clearAuth() {
 function getAuth() {
   return getAuthState();
 }
-function fetchAccessToken2(apiKey, apiSecret) {
-  return fetchAccessToken(apiKey, apiSecret);
-}
 function ensureValidAccessToken() {
   return ensureAccessToken();
 }
@@ -1587,23 +1489,27 @@ var ParticipantModel = import_mobx_state_tree11.types.model("Participant", {
     }
   };
 });
-function mapFromApi2(d) {
+function mapParticipantFromApi(d) {
   if (!d) return d;
   const pick2 = (...keys) => keys.reduce((v, k) => v ?? d[k], void 0);
   const n = (v) => v != null && v !== "" ? Number(v) : void 0;
   return {
+    id: n(pick2("id", "Id")) ?? null,
     participantId: String(pick2("participantId", "ParticipantId", "participant_id") ?? ""),
     companyKey: pick2("companyKey", "CompanyKey", "company_key") ?? null,
     alias: pick2("alias", "Alias") ?? "",
     email: pick2("email", "Email") ?? "",
     isApproved: Boolean(pick2("isApproved", "IsApproved", "is_approved")),
     isAvailable: Boolean(pick2("isAvailable", "IsAvailable", "is_available")),
-    provider: n(pick2("provider", "Provider")) ?? 0,
+    provider: n(pick2("provider", "Provider", "emailProvider", "EmailProvider", "email_provider")) ?? 0,
     createdOn: pick2("createdOn", "CreatedOn", "created_on") ?? null,
     modifiedOn: pick2("modifiedOn", "ModifiedOn", "modified_on") ?? null,
     isDeleted: Boolean(pick2("isDeleted", "IsDeleted", "is_deleted"))
   };
 }
+function mapFromApi2(d) {
+  return mapParticipantFromApi(d);
+}
 function toPayload(self) {
   return {
     participantId: self.participantId,
@@ -2944,6 +2850,22 @@ var AuthModel = {
     }
     return res;
   },
+  /**
+   * GET Auth/IsAuthorized — validates OAuth with the provider; clears isApproved when not authorized.
+   * Returns the updated participant record (same shape as participant/get).
+   * @param {string} participantId
+   * @returns {Promise<{ status: string, data?: object, message?: string }>}
+   */
+  async IsAuthorized(participantId) {
+    const id = participantId != null ? String(participantId).trim() : "";
+    if (!id) return { status: "failure", message: "participantId required" };
+    const { reqGet } = createRequestHelpersFromEnv(getConfig());
+    const res = await reqGet("/Auth/IsAuthorized", { participant_id: id });
+    if (res.status === "success" && res.data) {
+      res.data = mapParticipantFromApi(res.data);
+    }
+    return res;
+  },
   /**
    * Open Google/Microsoft OAuth in a centered popup.
    * @param {string} authorizationUrl — from getAuthorizationUrl().data.authorizationUrl
@@ -2964,6 +2886,8 @@ var AuthModel = {
   },
   /**
    * Subscribe to calendar-authorization postMessage from OAuth popup (Authorized.html / Error.html).
+   * Do not use popup.closed to detect completion — Cross-Origin-Opener-Policy on the parent app
+   * blocks that check after the popup navigates to Google/Microsoft.
    * @param {(payload: { type: string, status: 'success' | 'error', message?: string }) => void} handler
    * @returns {() => void} unsubscribe
    */
@@ -3035,25 +2959,21 @@ function createRootStore(initialState = {}) {
   RecurringFrequency,
   RootStore,
   SettingModel,
-  TOKEN_PATH,
   TimeFrameModel,
   TimeSlotModel,
   Unit,
   buildAuthHeaders,
   clearAccessToken,
-  clearApiCredentials,
   clearAuth,
   configure,
   createRootStore,
   ensureValidAccessToken,
-  fetchAccessToken,
   getAuth,
   getConfig,
   getConfigStore,
   isAccessTokenExpired,
-  requestAccessToken,
   setAccessToken,
-  setApiCredentials,
   setBaseUrl,
-  setConsumer
+  setConsumer,
+  setGetAccessToken
 });

package/dist/index.mjs

@@ -10,8 +10,8 @@ var ConfigModel = types.model("Config", {
   fetch: void 0,
   accessToken: void 0,
   tokenExpiresAt: void 0,
-  apiKey: void 0,
-  apiSecret: void 0,
+  /** Host app supplies a fresh JWT (e.g. from your IdP) when the stored token is missing/expired. */
+  getAccessToken: void 0,
   getDefaultOffset: () => -(/* @__PURE__ */ new Date()).getTimezoneOffset()
 })).actions((self) => ({
   setBaseUrl(url) {
@@ -26,6 +26,9 @@ var ConfigModel = types.model("Config", {
   setGetDefaultOffset(fn) {
     self.getDefaultOffset = fn;
   },
+  setGetAccessToken(fn) {
+    self.getAccessToken = fn;
+  },
   setAccessToken(token, expiresAtUtc = void 0) {
     self.accessToken = token ? String(token) : void 0;
     self.tokenExpiresAt = expiresAtUtc != null && expiresAtUtc !== "" ? String(expiresAtUtc) : void 0;
@@ -34,40 +37,24 @@ var ConfigModel = types.model("Config", {
     self.accessToken = void 0;
     self.tokenExpiresAt = void 0;
   },
-  setApiCredentials(apiKey, apiSecret) {
-    self.apiKey = apiKey != null ? String(apiKey) : void 0;
-    self.apiSecret = apiSecret != null ? String(apiSecret) : void 0;
-  },
-  clearApiCredentials() {
-    self.apiKey = void 0;
-    self.apiSecret = void 0;
-  },
   clearAuth() {
     self.clearAccessToken();
-    self.clearApiCredentials();
+    self.getAccessToken = void 0;
   },
   configure(env) {
     if (env.baseUrl != null) self.baseUrl = env.baseUrl;
     if (env.consumer != null) self.consumer = env.consumer;
     if (env.fetch != null) self.fetch = env.fetch;
     if (env.getDefaultOffset != null) self.getDefaultOffset = env.getDefaultOffset;
+    if (env.getAccessToken != null) self.getAccessToken = env.getAccessToken;
     if (env.accessToken != null) {
       self.setAccessToken(
         env.accessToken,
         env.expiresAtUtc ?? env.tokenExpiresAt ?? env.expires_at_utc
       );
     }
-    if (env.apiKey != null || env.api_key != null) {
-      self.apiKey = String(env.apiKey ?? env.api_key);
-    }
-    if (env.apiSecret != null || env.api_secret != null) {
-      self.apiSecret = String(env.apiSecret ?? env.api_secret);
-    }
   }
 })).views((self) => ({
-  get hasApiCredentials() {
-    return Boolean(self.apiKey && self.apiSecret);
-  },
   getEnv() {
     return {
       baseUrl: self.baseUrl || void 0,
@@ -75,8 +62,7 @@ var ConfigModel = types.model("Config", {
       fetch: self.fetch,
       getDefaultOffset: self.getDefaultOffset,
       accessToken: self.accessToken,
-      tokenExpiresAt: self.tokenExpiresAt,
-      hasApiCredentials: self.hasApiCredentials
+      tokenExpiresAt: self.tokenExpiresAt
     };
   }
 }));
@@ -88,26 +74,7 @@ function getConfigStore() {
 var ConfigModel_default = ConfigModel;
 
 // src/apiAuth.js
-var TOKEN_PATH = "/Api/Auth/Token";
 var DEFAULT_TOKEN_REFRESH_SKEW_MS = 6e4;
-function defaultFetch() {
-  if (typeof fetch === "undefined") {
-    throw new Error("fetch not available");
-  }
-  return fetch;
-}
-function pickTokenPayload(data) {
-  if (!data || typeof data !== "object") return null;
-  const nested = data.data && typeof data.data === "object" ? data.data : data;
-  const accessToken = nested.access_token ?? nested.accessToken ?? nested.AccessToken ?? null;
-  if (!accessToken) return null;
-  const expiresAtUtc = nested.expires_at_utc ?? nested.expiresAtUtc ?? nested.ExpiresAtUtc ?? null;
-  return {
-    accessToken: String(accessToken),
-    expiresAtUtc: expiresAtUtc != null ? String(expiresAtUtc) : null,
-    tokenType: nested.token_type ?? nested.tokenType ?? "Bearer"
-  };
-}
 function isAccessTokenExpired(expiresAtUtc, skewMs = DEFAULT_TOKEN_REFRESH_SKEW_MS) {
   if (expiresAtUtc == null || expiresAtUtc === "") return false;
   const expMs = new Date(expiresAtUtc).getTime();
@@ -118,77 +85,22 @@ function getAuthState() {
   const store = getConfigStore();
   return {
     accessToken: store.accessToken ?? void 0,
-    tokenExpiresAt: store.tokenExpiresAt ?? void 0,
-    apiKey: store.apiKey ?? void 0,
-    apiSecret: store.apiSecret ?? void 0,
-    hasApiCredentials: Boolean(store.apiKey && store.apiSecret)
-  };
-}
-async function requestAccessToken(apiKey, apiSecret, opts = {}) {
-  const store = getConfigStore();
-  const baseUrl = opts.baseUrl ?? store.baseUrl;
-  if (!baseUrl) {
-    return { status: "failure", message: "baseUrl required. Call configure({ baseUrl }) first." };
-  }
-  const key = apiKey != null ? String(apiKey).trim() : "";
-  const secret = apiSecret != null ? String(apiSecret).trim() : "";
-  if (!key || !secret) {
-    return { status: "failure", message: "api_key and api_secret are required" };
-  }
-  const fetchFn = opts.fetch ?? store.fetch ?? defaultFetch();
-  const url = `${String(baseUrl).replace(/\/+$/, "")}${TOKEN_PATH}`;
-  const httpRes = await fetchFn(url, {
-    method: "POST",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ api_key: key, api_secret: secret })
-  });
-  const text = await httpRes.text();
-  let body;
-  try {
-    body = JSON.parse(text);
-  } catch {
-    body = { status: "failure", message: text || httpRes.statusText };
-  }
-  if (!httpRes.ok && body.status !== "failure") {
-    body.status = "failure";
-    body.message = body.message ?? `HTTP ${httpRes.status}`;
-  }
-  if (body.status !== "success") {
-    return {
-      status: "failure",
-      message: body.message ?? "Failed to obtain access token"
-    };
-  }
-  const parsed = pickTokenPayload(body);
-  if (!parsed) {
-    return { status: "failure", message: "Token response missing access_token" };
-  }
-  return {
-    status: "success",
-    accessToken: parsed.accessToken,
-    expiresAtUtc: parsed.expiresAtUtc,
-    tokenType: parsed.tokenType
+    tokenExpiresAt: store.tokenExpiresAt ?? void 0
   };
 }
-async function fetchAccessToken(apiKey, apiSecret) {
-  const store = getConfigStore();
-  const key = apiKey ?? store.apiKey;
-  const secret = apiSecret ?? store.apiSecret;
-  const result = await requestAccessToken(key, secret);
-  if (result.status === "success") {
-    store.setAccessToken(result.accessToken, result.expiresAtUtc);
-  }
-  return result;
-}
 async function ensureAccessToken() {
   const store = getConfigStore();
-  const { accessToken, tokenExpiresAt, apiKey, apiSecret } = getAuthState();
+  const { accessToken, tokenExpiresAt } = getAuthState();
   if (accessToken && !isAccessTokenExpired(tokenExpiresAt)) {
     return accessToken;
   }
-  if (apiKey && apiSecret) {
-    const result = await fetchAccessToken(apiKey, apiSecret);
-    if (result.status === "success") return result.accessToken;
+  const refresh = store.getAccessToken;
+  if (typeof refresh === "function") {
+    const next = await refresh();
+    if (next) {
+      store.setAccessToken(next);
+      return next;
+    }
   }
   return accessToken;
 }
@@ -225,11 +137,8 @@ function setAccessToken(accessToken, expiresAtUtc) {
 function clearAccessToken() {
   getConfigStore().clearAccessToken();
 }
-function setApiCredentials(apiKey, apiSecret) {
-  getConfigStore().setApiCredentials(apiKey, apiSecret);
-}
-function clearApiCredentials() {
-  getConfigStore().clearApiCredentials();
+function setGetAccessToken(fn) {
+  getConfigStore().setGetAccessToken(fn);
 }
 function clearAuth() {
   getConfigStore().clearAuth();
@@ -237,9 +146,6 @@ function clearAuth() {
 function getAuth() {
   return getAuthState();
 }
-function fetchAccessToken2(apiKey, apiSecret) {
-  return fetchAccessToken(apiKey, apiSecret);
-}
 function ensureValidAccessToken() {
   return ensureAccessToken();
 }
@@ -1512,23 +1418,27 @@ var ParticipantModel = types11.model("Participant", {
     }
   };
 });
-function mapFromApi2(d) {
+function mapParticipantFromApi(d) {
   if (!d) return d;
   const pick2 = (...keys) => keys.reduce((v, k) => v ?? d[k], void 0);
   const n = (v) => v != null && v !== "" ? Number(v) : void 0;
   return {
+    id: n(pick2("id", "Id")) ?? null,
     participantId: String(pick2("participantId", "ParticipantId", "participant_id") ?? ""),
     companyKey: pick2("companyKey", "CompanyKey", "company_key") ?? null,
     alias: pick2("alias", "Alias") ?? "",
     email: pick2("email", "Email") ?? "",
     isApproved: Boolean(pick2("isApproved", "IsApproved", "is_approved")),
     isAvailable: Boolean(pick2("isAvailable", "IsAvailable", "is_available")),
-    provider: n(pick2("provider", "Provider")) ?? 0,
+    provider: n(pick2("provider", "Provider", "emailProvider", "EmailProvider", "email_provider")) ?? 0,
     createdOn: pick2("createdOn", "CreatedOn", "created_on") ?? null,
     modifiedOn: pick2("modifiedOn", "ModifiedOn", "modified_on") ?? null,
     isDeleted: Boolean(pick2("isDeleted", "IsDeleted", "is_deleted"))
   };
 }
+function mapFromApi2(d) {
+  return mapParticipantFromApi(d);
+}
 function toPayload(self) {
   return {
     participantId: self.participantId,
@@ -2869,6 +2779,22 @@ var AuthModel = {
     }
     return res;
   },
+  /**
+   * GET Auth/IsAuthorized — validates OAuth with the provider; clears isApproved when not authorized.
+   * Returns the updated participant record (same shape as participant/get).
+   * @param {string} participantId
+   * @returns {Promise<{ status: string, data?: object, message?: string }>}
+   */
+  async IsAuthorized(participantId) {
+    const id = participantId != null ? String(participantId).trim() : "";
+    if (!id) return { status: "failure", message: "participantId required" };
+    const { reqGet } = createRequestHelpersFromEnv(getConfig());
+    const res = await reqGet("/Auth/IsAuthorized", { participant_id: id });
+    if (res.status === "success" && res.data) {
+      res.data = mapParticipantFromApi(res.data);
+    }
+    return res;
+  },
   /**
    * Open Google/Microsoft OAuth in a centered popup.
    * @param {string} authorizationUrl — from getAuthorizationUrl().data.authorizationUrl
@@ -2889,6 +2815,8 @@ var AuthModel = {
   },
   /**
    * Subscribe to calendar-authorization postMessage from OAuth popup (Authorized.html / Error.html).
+   * Do not use popup.closed to detect completion — Cross-Origin-Opener-Policy on the parent app
+   * blocks that check after the popup navigates to Google/Microsoft.
    * @param {(payload: { type: string, status: 'success' | 'error', message?: string }) => void} handler
    * @returns {() => void} unsubscribe
    */
@@ -2959,25 +2887,21 @@ export {
   RecurringFrequency,
   RootStore,
   Setting_default as SettingModel,
-  TOKEN_PATH,
   TimeFrame_default as TimeFrameModel,
   TimeSlot_default as TimeSlotModel,
   Unit,
   buildAuthHeaders,
   clearAccessToken,
-  clearApiCredentials,
   clearAuth,
   configure,
   createRootStore,
   ensureValidAccessToken,
-  fetchAccessToken2 as fetchAccessToken,
   getAuth,
   getConfig,
   getConfigStore,
   isAccessTokenExpired,
-  requestAccessToken,
   setAccessToken,
-  setApiCredentials,
   setBaseUrl,
-  setConsumer
+  setConsumer,
+  setGetAccessToken
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blazeo.com/calendar-client",
-  "version": "1.0.27",
+  "version": "1.0.29",
   "description": "Blazeo Calendar / Appointment API client with MobX State Tree models",
   "exports": {
     ".": {