@cosmotech/core 3.0.0-dev.0 → 3.0.0

package/dist/index.cjs.js

@@ -7174,7 +7174,12 @@ var includesStringExports = includesString.exports;
 	        var before_at = before_slash.substring(0, at_position);
 	        var valid_auth_regex = /^[a-zA-Z0-9\-_.%:]*$/;
 	        var is_valid_auth = valid_auth_regex.test(before_at);
-	        if (is_valid_auth) {
+
+	        // Check if this contains URL-encoded content that could be malicious
+	        // For example: javascript:%61%6c%65%72%74%28%31%29@example.com
+	        // The encoded part decodes to: alert(1)
+	        var has_encoded_content = /%[0-9a-fA-F]{2}/.test(before_at);
+	        if (is_valid_auth && !has_encoded_content) {
 	          // This looks like authentication (e.g., user:password@host), not a protocol
 	          if (options.require_protocol) {
 	            return false;
@@ -7183,6 +7188,7 @@ var includesStringExports = includesString.exports;
 	          // Don't consume the colon; let the auth parsing handle it later
 	        } else {
 	          // This looks like a malicious protocol (e.g., javascript:alert();@host)
+	          // or URL-encoded protocol handler (e.g., javascript:%61%6c%65%72%74%28%31%29@host)
 	          url = cleanUpProtocol(potential_protocol);
 	          if (url === false) {
 	            return false;
@@ -8429,11 +8435,18 @@ var isHexColor = {exports: {}};
 	});
 	exports$1.default = isHexColor;
 	var _assertString = _interopRequireDefault(assertStringExports);
+	var _merge = _interopRequireDefault(mergeExports);
 	function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 	var hexcolor = /^#?([0-9A-F]{3}|[0-9A-F]{4}|[0-9A-F]{6}|[0-9A-F]{8})$/i;
-	function isHexColor(str) {
+	var hexcolor_with_prefix = /^#([0-9A-F]{3}|[0-9A-F]{4}|[0-9A-F]{6}|[0-9A-F]{8})$/i;
+	var default_is_hexcolor_options = {
+	  require_hashtag: false
+	};
+	function isHexColor(str, options) {
 	  (0, _assertString.default)(str);
-	  return hexcolor.test(str);
+	  options = (0, _merge.default)(options, default_is_hexcolor_options);
+	  var hexcolor_regex = options.require_hashtag ? hexcolor_with_prefix : hexcolor;
+	  return hexcolor_regex.test(str);
 	}
 	module.exports = exports$1.default;
 	module.exports.default = exports$1.default; 
@@ -8591,7 +8604,7 @@ var ibanRegexThroughCountryCode = {
   IE: /^(IE[0-9]{2})[A-Z]{4}\d{14}$/,
   IL: /^(IL[0-9]{2})\d{19}$/,
   IQ: /^(IQ[0-9]{2})[A-Z]{4}\d{15}$/,
-  IR: /^(IR[0-9]{2})0\d{2}0\d{18}$/,
+  IR: /^(IR[0-9]{2})\d{22}$/,
   IS: /^(IS[0-9]{2})\d{22}$/,
   IT: /^(IT[0-9]{2})[A-Z]{1}\d{10}[A-Z0-9]{12}$/,
   JO: /^(JO[0-9]{2})[A-Z]{4}\d{22}$/,
@@ -13358,7 +13371,7 @@ function isVAT(str, countryCode) {
 	var _isVAT = _interopRequireDefault(isVAT$1);
 	function _interopRequireWildcard(e, t) { if ("function" == typeof WeakMap) var r = new WeakMap(), n = new WeakMap(); return (_interopRequireWildcard = function _interopRequireWildcard(e, t) { if (!t && e && e.__esModule) return e; var o, i, f = { __proto__: null, default: e }; if (null === e || "object" != _typeof(e) && "function" != typeof e) return f; if (o = t ? n : r) { if (o.has(e)) return o.get(e); o.set(e, f); } for (var _t in e) "default" !== _t && {}.hasOwnProperty.call(e, _t) && ((i = (o = Object.defineProperty) && Object.getOwnPropertyDescriptor(e, _t)) && (i.get || i.set) ? o(f, _t, i) : f[_t] = e[_t]); return f; })(e, t); }
 	function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
-	var version = '13.15.23';
+	var version = '13.15.26';
 	var validator = {
 	  version: version,
 	  toDate: _toDate.default,
@@ -42489,7 +42502,7 @@ var AuthDev = {
   acquireTokensByRequest
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -42763,7 +42776,7 @@ const JsonWebTokenTypes = {
 // Token renewal offset default in seconds
 const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -42774,7 +42787,7 @@ const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
 const unexpectedError = "unexpected_error";
 const postRequestFailed$1 = "post_request_failed";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -42809,7 +42822,7 @@ function createAuthError(code, additionalMessage) {
         : AuthErrorMessages[code]);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -42860,7 +42873,7 @@ const methodNotImplemented = "method_not_implemented";
 const nestedAppAuthBridgeDisabled = "nested_app_auth_bridge_disabled";
 const platformBrokerError = "platform_broker_error";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -42935,7 +42948,7 @@ function createClientAuthError(errorCode, additionalMessage) {
     return new ClientAuthError(errorCode, additionalMessage);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -42974,7 +42987,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
     },
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43165,12 +43178,12 @@ class Logger {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /* eslint-disable header/header */
 const name$2 = "@azure/msal-common";
-const version$1 = "15.13.3";
+const version$1 = "15.14.1";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43179,7 +43192,7 @@ const AzureCloudInstance = {
     // AzureCloudInstance is not specified.
     None: "none"};
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43209,7 +43222,7 @@ const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
 const invalidAuthorizePostBodyParameters = "invalid_authorize_post_body_parameters";
 const invalidPlatformBrokerConfiguration = "invalid_platform_broker_configuration";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43255,7 +43268,7 @@ function createClientConfigurationError(errorCode) {
     return new ClientConfigurationError(errorCode);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43352,7 +43365,7 @@ class StringUtils {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43547,7 +43560,7 @@ class ScopeSet {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43587,7 +43600,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
     };
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43669,7 +43682,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
     return updatedAccountInfo;
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43684,7 +43697,7 @@ const AuthorityType = {
     Ciam: 3,
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43706,7 +43719,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
     return null;
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43730,7 +43743,7 @@ const ProtocolMode = {
     EAR: "EAR",
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43764,6 +43777,13 @@ class AccountEntity {
      * Returns the AccountInfo interface for this account.
      */
     static getAccountInfo(accountEntity) {
+        const tenantProfiles = accountEntity.tenantProfiles || [];
+        // Ensure at least the home tenant profile exists
+        if (tenantProfiles.length === 0 &&
+            accountEntity.realm &&
+            accountEntity.localAccountId) {
+            tenantProfiles.push(buildTenantProfile(accountEntity.homeAccountId, accountEntity.localAccountId, accountEntity.realm));
+        }
         return {
             homeAccountId: accountEntity.homeAccountId,
             environment: accountEntity.environment,
@@ -43775,7 +43795,7 @@ class AccountEntity {
             nativeAccountId: accountEntity.nativeAccountId,
             authorityType: accountEntity.authorityType,
             // Deserialize tenant profiles array into a Map
-            tenantProfiles: new Map((accountEntity.tenantProfiles || []).map((tenantProfile) => {
+            tenantProfiles: new Map(tenantProfiles.map((tenantProfile) => {
                 return [tenantProfile.tenantId, tenantProfile];
             })),
             dataBoundary: accountEntity.dataBoundary,
@@ -43876,7 +43896,14 @@ class AccountEntity {
         account.cloudGraphHostName = cloudGraphHostName;
         account.msGraphHost = msGraphHost;
         // Serialize tenant profiles map into an array
-        account.tenantProfiles = Array.from(accountInfo.tenantProfiles?.values() || []);
+        const tenantProfiles = Array.from(accountInfo.tenantProfiles?.values() || []);
+        // Ensure at least the home tenant profile exists
+        if (tenantProfiles.length === 0 &&
+            accountInfo.tenantId &&
+            accountInfo.localAccountId) {
+            tenantProfiles.push(buildTenantProfile(accountInfo.homeAccountId, accountInfo.localAccountId, accountInfo.tenantId, accountInfo.idTokenClaims));
+        }
+        account.tenantProfiles = tenantProfiles;
         account.dataBoundary = accountInfo.dataBoundary;
         return account;
     }
@@ -43951,7 +43978,7 @@ class AccountEntity {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44032,7 +44059,7 @@ function checkMaxAge(authTime, maxAge) {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44148,7 +44175,7 @@ function normalizeUrlForComparison(url) {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44312,7 +44339,7 @@ class UrlString {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44451,7 +44478,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
     return null;
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -44459,7 +44486,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
 const cacheQuotaExceeded = "cache_quota_exceeded";
 const cacheErrorUnknown = "cache_error_unknown";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44504,7 +44531,7 @@ function createCacheError(e) {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44674,15 +44701,16 @@ class CacheManager {
      * @param cacheRecord {CacheRecord}
      * @param correlationId {?string} correlation id
      * @param kmsi - Keep Me Signed In
+     * @param apiId - API identifier for telemetry tracking
      * @param storeInCache {?StoreInCache}
      */
-    async saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache) {
+    async saveCacheRecord(cacheRecord, correlationId, kmsi, apiId, storeInCache) {
         if (!cacheRecord) {
             throw createClientAuthError(invalidCacheRecord);
         }
         try {
             if (!!cacheRecord.account) {
-                await this.setAccount(cacheRecord.account, correlationId, kmsi);
+                await this.setAccount(cacheRecord.account, correlationId, kmsi, apiId);
             }
             if (!!cacheRecord.idToken && storeInCache?.idToken !== false) {
                 await this.setIdTokenCredential(cacheRecord.idToken, correlationId, kmsi);
@@ -45613,7 +45641,7 @@ class DefaultStorageClass extends CacheManager {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -45870,6 +45898,11 @@ const PerformanceEvents = {
     Decrypt: "decrypt",
     GenerateEarKey: "generateEarKey",
     DecryptEarResponse: "decryptEarResponse",
+    LoadExternalTokens: "LoadExternalTokens",
+    LoadAccount: "loadAccount",
+    LoadIdToken: "loadIdToken",
+    LoadAccessToken: "loadAccessToken",
+    LoadRefreshToken: "loadRefreshToken",
 };
 /**
  * State of the performance event.
@@ -45880,7 +45913,7 @@ const PerformanceEvents = {
 const PerformanceEventStatus = {
     InProgress: 1};
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -45959,7 +45992,7 @@ class StubPerformanceClient {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -46059,7 +46092,7 @@ function isOidcProtocolMode(config) {
     return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46069,7 +46102,7 @@ const CcsCredentialType = {
     UPN: "UPN",
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46119,7 +46152,7 @@ const INSTANCE_AWARE = "instance_aware";
 const EAR_JWK = "ear_jwk";
 const EAR_JWE_CRYPTO = "ear_jwe_crypto";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -46499,7 +46532,7 @@ function addPostBodyParameters(parameters, bodyParameters) {
     });
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46511,7 +46544,7 @@ function isOpenIdConfigResponse(response) {
         response.hasOwnProperty("jwks_uri"));
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46521,7 +46554,7 @@ function isCloudInstanceDiscoveryResponse(response) {
         response.hasOwnProperty("metadata"));
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46531,7 +46564,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
         response.hasOwnProperty("error_description"));
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46627,7 +46660,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
     };
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -46733,7 +46766,7 @@ RegionDiscovery.IMDS_OPTIONS = {
     },
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46798,7 +46831,7 @@ function wasClockTurnedBack(cachedAt) {
     return cachedAtSec > nowSeconds();
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -47060,7 +47093,7 @@ function isAuthorityMetadataExpired(metadata) {
     return metadata.expiresAt <= nowSeconds();
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -47899,7 +47932,7 @@ function buildStaticAuthorityOptions(authOptions) {
     };
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -47930,7 +47963,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -47949,7 +47982,7 @@ class ServerError extends AuthError {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -47970,7 +48003,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
     };
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48057,7 +48090,7 @@ class ThrottlingUtils {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48088,7 +48121,7 @@ function createNetworkError(error, httpStatus, responseHeaders, additionalError)
     return new NetworkError(error, httpStatus, responseHeaders);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48236,7 +48269,7 @@ class BaseClient {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -48252,7 +48285,7 @@ const consentRequired = "consent_required";
 const loginRequired = "login_required";
 const badToken = "bad_token";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48324,7 +48357,7 @@ function createInteractionRequiredAuthError(errorCode) {
     return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48396,7 +48429,7 @@ class ProtocolUtils {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48478,7 +48511,7 @@ class PopTokenGenerator {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -48505,7 +48538,7 @@ class PopTokenGenerator {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48569,7 +48602,7 @@ class ResponseHandler {
      * @param serverTokenResponse
      * @param authority
      */
-    async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
+    async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, apiId, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
         this.performanceClient?.addQueueMeasurement(PerformanceEvents.HandleServerTokenResponse, serverTokenResponse.correlation_id);
         // create an idToken object (not entity)
         let idTokenClaims;
@@ -48617,14 +48650,19 @@ class ResponseHandler {
             if (handlingRefreshTokenResponse &&
                 !forceCacheRefreshTokenResponse &&
                 cacheRecord.account) {
-                const key = this.cacheStorage.generateAccountKey(AccountEntity.getAccountInfo(cacheRecord.account));
-                const account = this.cacheStorage.getAccount(key, request.correlationId);
-                if (!account) {
+                const cachedAccounts = this.cacheStorage.getAllAccounts({
+                    homeAccountId: cacheRecord.account.homeAccountId,
+                    environment: cacheRecord.account.environment,
+                }, request.correlationId);
+                if (cachedAccounts.length < 1) {
                     this.logger.warning("Account used to refresh tokens not in persistence, refreshed tokens will not be stored in the cache");
+                    this.performanceClient?.addFields({
+                        acntLoggedOut: true,
+                    }, request.correlationId);
                     return await ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, undefined, serverRequestId);
                 }
             }
-            await this.cacheStorage.saveCacheRecord(cacheRecord, request.correlationId, isKmsi(idTokenClaims || {}), request.storeInCache);
+            await this.cacheStorage.saveCacheRecord(cacheRecord, request.correlationId, isKmsi(idTokenClaims || {}), apiId, request.storeInCache);
         }
         finally {
             if (this.persistencePlugin &&
@@ -48694,6 +48732,9 @@ class ResponseHandler {
                     ? parseInt(serverTokenResponse.refresh_token_expires_in, 10)
                     : serverTokenResponse.refresh_token_expires_in;
                 rtExpiresOn = reqTimestamp + rtExpiresIn;
+                this.performanceClient?.addFields({
+                    ntwkRtExpiresOnSeconds: rtExpiresOn,
+                }, request.correlationId);
             }
             cachedRefreshToken = createRefreshTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.refresh_token, this.clientId, serverTokenResponse.foci, userAssertionHash, rtExpiresOn);
         }
@@ -48836,7 +48877,7 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
     return baseAccount;
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -48854,7 +48895,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48876,8 +48917,9 @@ class AuthorizationCodeClient extends BaseClient {
      * API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
      * authorization_code_grant
      * @param request
+     * @param apiId - API identifier for telemetry tracking
      */
-    async acquireToken(request, authCodePayload) {
+    async acquireToken(request, apiId, authCodePayload) {
         this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientAcquireToken, request.correlationId);
         if (!request.code) {
             throw createClientAuthError(requestCannotBeMade);
@@ -48889,7 +48931,7 @@ class AuthorizationCodeClient extends BaseClient {
         const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, this.config.serializableCache, this.config.persistencePlugin, this.performanceClient);
         // Validate response. This function throws a server error if an error is returned by the server.
         responseHandler.validateTokenResponse(response.body);
-        return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
+        return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, apiId, authCodePayload, undefined, undefined, undefined, requestId);
     }
     /**
      * Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
@@ -49089,7 +49131,7 @@ class AuthorizationCodeClient extends BaseClient {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49104,7 +49146,7 @@ class RefreshTokenClient extends BaseClient {
     constructor(configuration, performanceClient) {
         super(configuration, performanceClient);
     }
-    async acquireToken(request) {
+    async acquireToken(request, apiId) {
         this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireToken, request.correlationId);
         const reqTimestamp = nowSeconds();
         const response = await invokeAsync(this.executeTokenRequest.bind(this), PerformanceEvents.RefreshTokenClientExecuteTokenRequest, this.logger, this.performanceClient, request.correlationId)(request, this.authority);
@@ -49112,13 +49154,13 @@ class RefreshTokenClient extends BaseClient {
         const requestId = response.headers?.[HeaderNames.X_MS_REQUEST_ID];
         const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, this.config.serializableCache, this.config.persistencePlugin);
         responseHandler.validateTokenResponse(response.body);
-        return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, undefined, undefined, true, request.forceCache, requestId);
+        return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, apiId, undefined, undefined, true, request.forceCache, requestId);
     }
     /**
      * Gets cached refresh token and attaches to request, then calls acquireToken API
      * @param request
      */
-    async acquireTokenByRefreshToken(request) {
+    async acquireTokenByRefreshToken(request, apiId) {
         // Cannot renew token if no request object is given.
         if (!request) {
             throw createClientConfigurationError(tokenRequestEmpty);
@@ -49133,7 +49175,7 @@ class RefreshTokenClient extends BaseClient {
         // if the app is part of the family, retrive a Family refresh token if present and make a refreshTokenRequest
         if (isFOCI) {
             try {
-                return await invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, true);
+                return await invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, true, apiId);
             }
             catch (e) {
                 const noFamilyRTInCache = e instanceof InteractionRequiredAuthError &&
@@ -49144,7 +49186,7 @@ class RefreshTokenClient extends BaseClient {
                     e.subError === Errors.CLIENT_MISMATCH_ERROR;
                 // if family Refresh Token (FRT) cache acquisition fails or if client_mismatch error is seen with FRT, reattempt with application Refresh Token (ART)
                 if (noFamilyRTInCache || clientMismatchErrorWithFamilyRT) {
-                    return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
+                    return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false, apiId);
                     // throw in all other cases
                 }
                 else {
@@ -49153,26 +49195,30 @@ class RefreshTokenClient extends BaseClient {
             }
         }
         // fall back to application refresh token acquisition
-        return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
+        return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false, apiId);
     }
     /**
      * makes a network call to acquire tokens by exchanging RefreshToken available in userCache; throws if refresh token is not cached
      * @param request
      */
-    async acquireTokenWithCachedRefreshToken(request, foci) {
+    async acquireTokenWithCachedRefreshToken(request, foci, apiId) {
         this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, request.correlationId);
         // fetches family RT or application RT based on FOCI value
         const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), PerformanceEvents.CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, request.correlationId, undefined, this.performanceClient);
         if (!refreshToken) {
             throw createInteractionRequiredAuthError(noTokensFound);
         }
-        if (refreshToken.expiresOn &&
-            isTokenExpired(refreshToken.expiresOn, request.refreshTokenExpirationOffsetSeconds ||
-                DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS)) {
-            this.performanceClient?.addFields({ rtExpiresOnMs: Number(refreshToken.expiresOn) }, request.correlationId);
-            throw createInteractionRequiredAuthError(refreshTokenExpired);
+        if (refreshToken.expiresOn) {
+            const offset = request.refreshTokenExpirationOffsetSeconds ||
+                DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS;
+            this.performanceClient?.addFields({
+                cacheRtExpiresOnSeconds: Number(refreshToken.expiresOn),
+                rtOffsetSeconds: offset,
+            }, request.correlationId);
+            if (isTokenExpired(refreshToken.expiresOn, offset)) {
+                throw createInteractionRequiredAuthError(refreshTokenExpired);
+            }
         }
-        // attach cached RT size to the current measurement
         const refreshTokenRequest = {
             ...request,
             refreshToken: refreshToken.secret,
@@ -49183,11 +49229,10 @@ class RefreshTokenClient extends BaseClient {
             },
         };
         try {
-            return await invokeAsync(this.acquireToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(refreshTokenRequest);
+            return await invokeAsync(this.acquireToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(refreshTokenRequest, apiId);
         }
         catch (e) {
             if (e instanceof InteractionRequiredAuthError) {
-                this.performanceClient?.addFields({ rtExpiresOnMs: Number(refreshToken.expiresOn) }, request.correlationId);
                 if (e.subError === badToken) {
                     // Remove bad refresh token from cache
                     this.logger.verbose("acquireTokenWithRefreshToken: bad refresh token, removing from cache");
@@ -49298,7 +49343,7 @@ class RefreshTokenClient extends BaseClient {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49396,7 +49441,7 @@ class SilentFlowClient extends BaseClient {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49411,7 +49456,7 @@ const StubbedNetworkModule = {
     },
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49635,7 +49680,7 @@ function extractLoginHint(account) {
     return account.loginHint || account.idTokenClaims?.login_hint || null;
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49898,7 +49943,7 @@ class ServerTelemetryManager {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -49906,7 +49951,7 @@ class ServerTelemetryManager {
 const missingKidError = "missing_kid_error";
 const missingAlgError = "missing_alg_error";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49931,7 +49976,7 @@ function createJoseHeaderError(code) {
     return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49971,7 +50016,7 @@ class JoseHeader {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -50028,7 +50073,7 @@ const failedToParseHeaders = "failed_to_parse_headers";
 const failedToDecryptEarResponse = "failed_to_decrypt_ear_response";
 const timedOut = "timed_out";
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50105,7 +50150,7 @@ function createBrowserAuthError(errorCode, subError) {
     return new BrowserAuthError(errorCode, subError);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50192,9 +50237,9 @@ const InMemoryCacheKeys = {
 };
 /**
  * API Codes for Telemetry purposes.
- * Before adding a new code you must claim it in the MSAL Telemetry tracker as these number spaces are shared across all MSALs
  * 0-99 Silent Flow
  * 800-899 Auth Code Flow
+ * 900-999 Miscellaneous
  */
 const ApiId = {
     acquireTokenRedirect: 861,
@@ -50206,6 +50251,30 @@ const ApiId = {
     acquireTokenSilent_silentFlow: 61,
     logout: 961,
     logoutPopup: 962,
+    hydrateCache: 963,
+    loadExternalTokens: 964,
+};
+/**
+ * API Names for Telemetry purposes.
+ */
+const ApiName = {
+    861: "acquireTokenRedirect",
+    862: "acquireTokenPopup",
+    863: "ssoSilent",
+    864: "acquireTokenSilent_authCode",
+    865: "handleRedirectPromise",
+    866: "acquireTokenByCode",
+    61: "acquireTokenSilent_silentFlow",
+    961: "logout",
+    962: "logoutPopup",
+    963: "hydrateCache",
+    964: "loadExternalTokens",
+};
+const apiIdToName = (id) => {
+    if (typeof id === "number" && id in ApiName) {
+        return ApiName[id];
+    }
+    return "unknown";
 };
 /*
  * Interaction type of the API - used for state and telemetry
@@ -50270,7 +50339,7 @@ const iFrameRenewalPolicies = [
     CacheLookupPolicy.RefreshTokenAndNetwork,
 ];
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -50315,7 +50384,7 @@ function base64EncArr(aBytes) {
     return btoa(binString);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50354,7 +50423,7 @@ function base64DecToArr(base64String) {
     return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50653,7 +50722,7 @@ async function hashString(plainText) {
     return urlEncodeArr(hashBytes);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -50662,7 +50731,7 @@ const storageNotSupported = "storage_not_supported";
 const stubbedPublicClientApplicationCalled = "stubbed_public_client_application_called";
 const inMemRedirectUnavailable = "in_mem_redirect_unavailable";
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50702,7 +50771,7 @@ function createBrowserConfigurationAuthError(errorCode) {
     return new BrowserConfigurationAuthError(errorCode, BrowserConfigurationAuthErrorMessages[errorCode]);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50864,7 +50933,7 @@ function createGuid() {
     return createNewGuid();
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50907,7 +50976,7 @@ class NavigationClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51028,7 +51097,7 @@ function getHeaderDict(headers) {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51163,12 +51232,12 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
     return overlayedConfig;
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /* eslint-disable header/header */
 const name$1 = "@azure/msal-browser";
-const version = "4.27.0";
+const version = "4.28.1";
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -51196,7 +51265,7 @@ function getTokenKeysCacheKey(clientId, schema = CREDENTIAL_SCHEMA_VERSION) {
     return `${PREFIX}.${schema}.${TOKEN_KEYS}.${clientId}`;
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51293,7 +51362,7 @@ class BaseOperatingContext {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51339,7 +51408,7 @@ StandardOperatingContext.MODULE_NAME = "";
  */
 StandardOperatingContext.ID = "StandardOperatingContext";
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51542,7 +51611,7 @@ class DatabaseStorage {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -51588,7 +51657,7 @@ class MemoryStorage {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51722,7 +51791,7 @@ class AsyncMemoryStorage {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51903,7 +51972,7 @@ function getSortedObjectString(obj) {
     return JSON.stringify(obj, Object.keys(obj).sort());
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51981,7 +52050,7 @@ function getCookieExpirationTime(cookieLifeDays) {
     return expr.toUTCString();
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -52023,7 +52092,7 @@ function getTokenKeys(clientId, storage, schemaVersion) {
     };
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -52034,7 +52103,7 @@ function isEncrypted(data) {
         data.hasOwnProperty("data"));
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -52324,7 +52393,7 @@ class LocalStorage {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -52366,7 +52435,7 @@ class SessionStorage {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -52401,7 +52470,7 @@ const EventType = {
     BROKER_CONNECTION_ESTABLISHED: "msal:brokerConnectionEstablished",
 };
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -52418,7 +52487,7 @@ function removeElementFromArray(array, element) {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -52975,17 +53044,21 @@ class BrowserCacheManager extends CacheManager {
         if (!parsedAccount || !AccountEntity.isAccountEntity(parsedAccount)) {
             return null;
         }
+        this.performanceClient.addFields({
+            accountCachedBy: apiIdToName(parsedAccount.cachedByApiId),
+        }, correlationId);
         return CacheManager.toObject(new AccountEntity(), parsedAccount);
     }
     /**
      * set account entity in the platform cache
      * @param account
      */
-    async setAccount(account, correlationId, kmsi) {
+    async setAccount(account, correlationId, kmsi, apiId) {
         this.logger.trace("BrowserCacheManager.setAccount called");
         const key = this.generateAccountKey(AccountEntity.getAccountInfo(account));
         const timestamp = Date.now().toString();
         account.lastUpdatedAt = timestamp;
+        account.cachedByApiId = apiId;
         await this.setUserData(key, JSON.stringify(account), correlationId, timestamp, kmsi);
         const wasAdded = this.addAccountKeyToMap(key, correlationId);
         this.performanceClient.addFields({ kmsi: kmsi }, correlationId);
@@ -53740,7 +53813,7 @@ class BrowserCacheManager extends CacheManager {
      * @param request
      */
     async hydrateCache(result, request) {
-        const idTokenEntity = createIdTokenEntity(result.account?.homeAccountId, result.account?.environment, result.idToken, this.clientId, result.tenantId);
+        const idTokenEntity = createIdTokenEntity(result.account.homeAccountId, result.account.environment, result.idToken, this.clientId, result.tenantId);
         let claimsHash;
         if (request.claims) {
             claimsHash = await this.cryptoImpl.hashString(request.claims);
@@ -53752,7 +53825,7 @@ class BrowserCacheManager extends CacheManager {
          *
          * The next MSAL VFuture should map these both to same value if possible
          */
-        const accessTokenEntity = createAccessTokenEntity(result.account?.homeAccountId, result.account.environment, result.accessToken, this.clientId, result.tenantId, result.scopes.join(" "), 
+        const accessTokenEntity = createAccessTokenEntity(result.account.homeAccountId, result.account.environment, result.accessToken, this.clientId, result.tenantId, result.scopes.join(" "), 
         // Access token expiresOn stored in seconds, converting from AuthenticationResult expiresOn stored as Date
         result.expiresOn
             ? toSecondsFromDate(result.expiresOn)
@@ -53765,7 +53838,7 @@ class BrowserCacheManager extends CacheManager {
             idToken: idTokenEntity,
             accessToken: accessTokenEntity,
         };
-        return this.saveCacheRecord(cacheRecord, result.correlationId, isKmsi(extractTokenClaims(result.idToken, base64Decode)));
+        return this.saveCacheRecord(cacheRecord, result.correlationId, isKmsi(extractTokenClaims(result.idToken, base64Decode)), ApiId.hydrateCache);
     }
     /**
      * saves a cache record
@@ -53773,9 +53846,9 @@ class BrowserCacheManager extends CacheManager {
      * @param storeInCache {?StoreInCache}
      * @param correlationId {?string} correlation id
      */
-    async saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache) {
+    async saveCacheRecord(cacheRecord, correlationId, kmsi, apiId, storeInCache) {
         try {
-            await super.saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache);
+            await super.saveCacheRecord(cacheRecord, correlationId, kmsi, apiId, storeInCache);
         }
         catch (e) {
             if (e instanceof CacheError &&
@@ -53829,7 +53902,7 @@ const DEFAULT_BROWSER_CACHE_MANAGER = (clientId, logger, performanceClient, even
     return new BrowserCacheManager(clientId, cacheOptions, DEFAULT_CRYPTO_IMPLEMENTATION, logger, performanceClient, eventHandler);
 };
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -53954,7 +54027,7 @@ function getActiveAccount(browserStorage, correlationId) {
     return browserStorage.getActiveAccount(correlationId);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54060,7 +54133,7 @@ class EventHandler {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54176,7 +54249,7 @@ class BaseInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54261,7 +54334,7 @@ function validateRequestMethod(interactionRequest, protocolMode) {
     return httpMethod;
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54465,7 +54538,7 @@ class StandardInteractionClient extends BaseInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54489,7 +54562,7 @@ function extractBrowserRequestState(browserCrypto, state) {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54528,7 +54601,7 @@ function validateInteractionType(response, browserCrypto, interactionType) {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54549,7 +54622,7 @@ class InteractionHandler {
      * Function to handle response parameters from hash.
      * @param locationHash
      */
-    async handleCodeResponse(response, request) {
+    async handleCodeResponse(response, request, apiId) {
         this.performanceClient.addQueueMeasurement(PerformanceEvents.HandleCodeResponse, request.correlationId);
         let authCodeResponse;
         try {
@@ -54565,7 +54638,7 @@ class InteractionHandler {
                 throw e;
             }
         }
-        return invokeAsync(this.handleCodeResponseFromServer.bind(this), PerformanceEvents.HandleCodeResponseFromServer, this.logger, this.performanceClient, request.correlationId)(authCodeResponse, request);
+        return invokeAsync(this.handleCodeResponseFromServer.bind(this), PerformanceEvents.HandleCodeResponseFromServer, this.logger, this.performanceClient, request.correlationId)(authCodeResponse, request, apiId);
     }
     /**
      * Process auth code response from AAD
@@ -54575,7 +54648,7 @@ class InteractionHandler {
      * @param networkModule
      * @returns
      */
-    async handleCodeResponseFromServer(authCodeResponse, request, validateNonce = true) {
+    async handleCodeResponseFromServer(authCodeResponse, request, apiId, validateNonce = true) {
         this.performanceClient.addQueueMeasurement(PerformanceEvents.HandleCodeResponseFromServer, request.correlationId);
         this.logger.trace("InteractionHandler.handleCodeResponseFromServer called");
         // Assign code to request
@@ -54601,7 +54674,7 @@ class InteractionHandler {
             }
         }
         // Acquire token with retrieved code.
-        const tokenResponse = (await invokeAsync(this.authModule.acquireToken.bind(this.authModule), PerformanceEvents.AuthClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(this.authCodeRequest, authCodeResponse));
+        const tokenResponse = (await invokeAsync(this.authModule.acquireToken.bind(this.authModule), PerformanceEvents.AuthClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(this.authCodeRequest, apiId, authCodeResponse));
         return tokenResponse;
     }
     /**
@@ -54624,7 +54697,7 @@ class InteractionHandler {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -54633,7 +54706,7 @@ const contentError = "ContentError";
 const pageException = "PageException";
 const userSwitch = "user_switch";
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -54646,7 +54719,7 @@ const DISABLED = "DISABLED";
 const ACCOUNT_UNAVAILABLE = "ACCOUNT_UNAVAILABLE";
 const UX_NOT_ALLOWED = "UX_NOT_ALLOWED";
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54711,7 +54784,7 @@ function createNativeAuthError(code, description, ext) {
     return new NativeAuthError(code, NativeAuthErrorMessages[code] || description, ext);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54761,7 +54834,7 @@ class SilentCacheClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -55157,7 +55230,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
      */
     async cacheAccount(accountEntity, correlationId, kmsi) {
         // Store the account info and hence `nativeAccountId` in browser cache
-        await this.browserStorage.setAccount(accountEntity, this.correlationId, kmsi);
+        await this.browserStorage.setAccount(accountEntity, this.correlationId, kmsi, this.apiId);
         // Remove any existing cached tokens for this account in browser storage
         this.browserStorage.removeAccountContext(AccountEntity.getAccountInfo(accountEntity), correlationId);
     }
@@ -55186,7 +55259,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
             idToken: cachedIdToken,
             accessToken: cachedAccessToken,
         };
-        return this.nativeStorageManager.saveCacheRecord(nativeCacheRecord, this.correlationId, isKmsi(idTokenClaims), request.storeInCache);
+        return this.nativeStorageManager.saveCacheRecord(nativeCacheRecord, this.correlationId, isKmsi(idTokenClaims), this.apiId, request.storeInCache);
     }
     getExpiresInValue(tokenType, expiresIn) {
         return tokenType === AuthenticationScheme.POP
@@ -55388,7 +55461,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -55563,7 +55636,7 @@ async function handleResponseCode(request, response, codeVerifier, apiId, config
     // Create popup interaction handler.
     const interactionHandler = new InteractionHandler(authClient, browserStorage, authCodeRequest, logger, performanceClient);
     // Handle response from hash string.
-    const result = await invokeAsync(interactionHandler.handleCodeResponse.bind(interactionHandler), PerformanceEvents.HandleCodeResponse, logger, performanceClient, request.correlationId)(response, request);
+    const result = await invokeAsync(interactionHandler.handleCodeResponse.bind(interactionHandler), PerformanceEvents.HandleCodeResponse, logger, performanceClient, request.correlationId)(response, request, apiId);
     return result;
 }
 /**
@@ -55610,10 +55683,10 @@ async function handleResponseEAR(request, response, apiId, config, authority, br
         cloud_instance_name: decryptedData.cloud_instance_name,
         msgraph_host: decryptedData.msgraph_host,
     };
-    return (await invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, logger, performanceClient, request.correlationId)(decryptedData, authority, nowSeconds(), request, additionalData, undefined, undefined, undefined, undefined));
+    return (await invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, logger, performanceClient, request.correlationId)(decryptedData, authority, nowSeconds(), request, apiId, additionalData, undefined, undefined, undefined, undefined));
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -55670,7 +55743,7 @@ async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceCl
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -55935,7 +56008,7 @@ class PlatformAuthExtensionHandler {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -56072,7 +56145,7 @@ class PlatformAuthDOMHandler {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 async function getPlatformAuthProvider(logger, performanceClient, correlationId, nativeBrokerHandshakeTimeout, enablePlatformBrokerDOMSupport) {
     logger.trace("getPlatformAuthProvider called", correlationId);
     logger.trace("Has client allowed platform auth via DOM API: " +
@@ -56137,7 +56210,7 @@ function isPlatformAuthAllowed(config, logger, platformAuthProvider, authenticat
     return true;
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -56634,7 +56707,7 @@ class PopupClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57074,7 +57147,7 @@ class RedirectClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57230,7 +57303,7 @@ function removeHiddenIframe(iframe) {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57391,7 +57464,7 @@ class SilentIframeClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57421,7 +57494,7 @@ class SilentRefreshClient extends StandardInteractionClient {
             account: silentRequest.account,
         });
         // Send request to renew token. Auth module will throw errors if token cannot be renewed.
-        return invokeAsync(refreshTokenClient.acquireTokenByRefreshToken.bind(refreshTokenClient), PerformanceEvents.RefreshTokenClientAcquireTokenByRefreshToken, this.logger, this.performanceClient, request.correlationId)(silentRequest).catch((e) => {
+        return invokeAsync(refreshTokenClient.acquireTokenByRefreshToken.bind(refreshTokenClient), PerformanceEvents.RefreshTokenClientAcquireTokenByRefreshToken, this.logger, this.performanceClient, request.correlationId)(silentRequest, ApiId.acquireTokenSilent_silentFlow).catch((e) => {
             e.setCorrelationId(this.correlationId);
             serverTelemetryManager.cacheFailedRequest(e);
             throw e;
@@ -57457,7 +57530,7 @@ class SilentRefreshClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57467,12 +57540,13 @@ class SilentRefreshClient extends StandardInteractionClient {
  * Token cache manager
  */
 class TokenCache {
-    constructor(configuration, storage, logger, cryptoObj) {
+    constructor(configuration, storage, logger, cryptoObj, performanceClient) {
         this.isBrowserEnvironment = typeof window !== "undefined";
         this.config = configuration;
         this.storage = storage;
         this.logger = logger;
         this.cryptoObj = cryptoObj;
+        this.performanceClient = performanceClient;
     }
     // Move getAllAccounts here and cache utility APIs
     /**
@@ -57487,30 +57561,37 @@ class TokenCache {
             throw createBrowserAuthError(nonBrowserEnvironment);
         }
         const correlationId = request.correlationId || createNewGuid();
-        const idTokenClaims = response.id_token
-            ? extractTokenClaims(response.id_token, base64Decode)
-            : undefined;
-        const kmsi = isKmsi(idTokenClaims || {});
-        const authorityOptions = {
-            protocolMode: this.config.auth.protocolMode,
-            knownAuthorities: this.config.auth.knownAuthorities,
-            cloudDiscoveryMetadata: this.config.auth.cloudDiscoveryMetadata,
-            authorityMetadata: this.config.auth.authorityMetadata,
-            skipAuthorityMetadataCache: this.config.auth.skipAuthorityMetadataCache,
-        };
-        const authority = request.authority
-            ? new Authority(Authority.generateAuthority(request.authority, request.azureCloudOptions), this.config.system.networkClient, this.storage, authorityOptions, this.logger, request.correlationId || createNewGuid())
-            : undefined;
-        const cacheRecordAccount = await this.loadAccount(request, options.clientInfo || response.client_info || "", correlationId, idTokenClaims, authority);
-        const idToken = await this.loadIdToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, correlationId, kmsi);
-        const accessToken = await this.loadAccessToken(request, response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, options, correlationId, kmsi);
-        const refreshToken = await this.loadRefreshToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, correlationId, kmsi);
-        return this.generateAuthenticationResult(request, {
-            account: cacheRecordAccount,
-            idToken,
-            accessToken,
-            refreshToken,
-        }, idTokenClaims, authority);
+        const rootMeasurement = this.performanceClient.startMeasurement(PerformanceEvents.LoadExternalTokens, correlationId);
+        try {
+            const idTokenClaims = response.id_token
+                ? extractTokenClaims(response.id_token, base64Decode)
+                : undefined;
+            const kmsi = isKmsi(idTokenClaims || {});
+            const authorityOptions = {
+                protocolMode: this.config.auth.protocolMode,
+                knownAuthorities: this.config.auth.knownAuthorities,
+                cloudDiscoveryMetadata: this.config.auth.cloudDiscoveryMetadata,
+                authorityMetadata: this.config.auth.authorityMetadata,
+                skipAuthorityMetadataCache: this.config.auth.skipAuthorityMetadataCache,
+            };
+            const authorityString = request.authority || this.config.auth.authority;
+            const authority = await createDiscoveredInstance(Authority.generateAuthority(authorityString, request.azureCloudOptions), this.config.system.networkClient, this.storage, authorityOptions, this.logger, correlationId, this.performanceClient);
+            const cacheRecordAccount = await invokeAsync(this.loadAccount.bind(this), PerformanceEvents.LoadAccount, this.logger, this.performanceClient, correlationId)(request, options.clientInfo || response.client_info || "", correlationId, authority, idTokenClaims);
+            const idToken = await invokeAsync(this.loadIdToken.bind(this), PerformanceEvents.LoadIdToken, this.logger, this.performanceClient, correlationId)(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, correlationId, kmsi);
+            const accessToken = await invokeAsync(this.loadAccessToken.bind(this), PerformanceEvents.LoadAccessToken, this.logger, this.performanceClient, correlationId)(request, response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, options, correlationId, kmsi);
+            const refreshToken = await invokeAsync(this.loadRefreshToken.bind(this), PerformanceEvents.LoadRefreshToken, this.logger, this.performanceClient, correlationId)(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, correlationId, kmsi);
+            rootMeasurement.end({ success: true }, undefined, AccountEntity.getAccountInfo(cacheRecordAccount));
+            return this.generateAuthenticationResult(request, {
+                account: cacheRecordAccount,
+                idToken,
+                accessToken,
+                refreshToken,
+            }, authority, idTokenClaims);
+        }
+        catch (error) {
+            rootMeasurement.end({ success: false }, error);
+            throw error;
+        }
     }
     /**
      * Helper function to load account to msal-browser cache
@@ -57521,23 +57602,23 @@ class TokenCache {
      * @param requestHomeAccountId
      * @returns `AccountEntity`
      */
-    async loadAccount(request, clientInfo, correlationId, idTokenClaims, authority) {
+    async loadAccount(request, clientInfo, correlationId, authority, idTokenClaims) {
         this.logger.verbose("TokenCache - loading account");
         if (request.account) {
             const accountEntity = AccountEntity.createFromAccountInfo(request.account);
-            await this.storage.setAccount(accountEntity, correlationId, isKmsi(idTokenClaims || {}));
+            await this.storage.setAccount(accountEntity, correlationId, isKmsi(idTokenClaims || {}), ApiId.loadExternalTokens);
             return accountEntity;
         }
-        else if (!authority || (!clientInfo && !idTokenClaims)) {
-            this.logger.error("TokenCache - if an account is not provided on the request, authority and either clientInfo or idToken must be provided instead.");
+        else if (!clientInfo && !idTokenClaims) {
+            this.logger.error("TokenCache - if an account is not provided on the request, clientInfo or idToken must be provided instead.");
             throw createBrowserAuthError(unableToLoadToken);
         }
         const homeAccountId = AccountEntity.generateHomeAccountId(clientInfo, authority.authorityType, this.logger, this.cryptoObj, idTokenClaims);
         const claimsTenantId = idTokenClaims?.tid;
-        const cachedAccount = buildAccountToCache(this.storage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, authority.hostnameAndPort, claimsTenantId, undefined, // authCodePayload
+        const cachedAccount = buildAccountToCache(this.storage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, authority.getPreferredCache(), claimsTenantId, undefined, // authCodePayload
         undefined, // nativeAccountId
         this.logger);
-        await this.storage.setAccount(cachedAccount, correlationId, isKmsi(idTokenClaims || {}));
+        await this.storage.setAccount(cachedAccount, correlationId, isKmsi(idTokenClaims || {}), ApiId.loadExternalTokens);
         return cachedAccount;
     }
     /**
@@ -57606,9 +57687,15 @@ class TokenCache {
             this.logger.verbose("TokenCache - no refresh token found in response");
             return null;
         }
+        const expiresOn = response.refresh_token_expires_in
+            ? response.refresh_token_expires_in + nowSeconds()
+            : undefined;
+        this.performanceClient.addFields({
+            extRtExpiresOnSeconds: expiresOn,
+        }, correlationId);
         this.logger.verbose("TokenCache - loading refresh token");
         const refreshTokenEntity = createRefreshTokenEntity(homeAccountId, environment, response.refresh_token, this.config.auth.clientId, response.foci, undefined, // userAssertionHash
-        response.refresh_token_expires_in);
+        expiresOn);
         await this.storage.setRefreshTokenCredential(refreshTokenEntity, correlationId, kmsi);
         return refreshTokenEntity;
     }
@@ -57620,7 +57707,7 @@ class TokenCache {
      * @param authority
      * @returns `AuthenticationResult`
      */
-    generateAuthenticationResult(request, cacheRecord, idTokenClaims, authority) {
+    generateAuthenticationResult(request, cacheRecord, authority, idTokenClaims) {
         let accessToken = "";
         let responseScopes = [];
         let expiresOn = null;
@@ -57657,7 +57744,7 @@ class TokenCache {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57670,7 +57757,7 @@ class HybridSpaAuthorizationCodeClient extends AuthorizationCodeClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57717,7 +57804,7 @@ class SilentAuthCodeClient extends StandardInteractionClient {
                 msgraph_host: request.msGraphHost,
                 cloud_graph_host_name: request.cloudGraphHostName,
                 cloud_instance_host_name: request.cloudInstanceHostName,
-            }, silentRequest, false);
+            }, silentRequest, this.apiId, false);
         }
         catch (e) {
             if (e instanceof AuthError) {
@@ -57736,7 +57823,7 @@ class SilentAuthCodeClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -57756,7 +57843,7 @@ function collectInstanceStats(currentClientId, performanceEvent, logger) {
     });
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57833,7 +57920,7 @@ class StandardController {
         };
         this.nativeInternalStorage = new BrowserCacheManager(this.config.auth.clientId, nativeCacheOptions, this.browserCrypto, this.logger, this.performanceClient, this.eventHandler);
         // Initialize the token cache
-        this.tokenCache = new TokenCache(this.config, this.browserStorage, this.logger, this.browserCrypto);
+        this.tokenCache = new TokenCache(this.config, this.browserStorage, this.logger, this.browserCrypto, this.performanceClient);
         this.activeSilentTokenRequests = new Map();
         // Register listener functions
         this.trackPageVisibility = this.trackPageVisibility.bind(this);
@@ -58663,7 +58750,7 @@ class StandardController {
         this.logger.verbose("hydrateCache called");
         // Account gets saved to browser storage regardless of native or not
         const accountEntity = AccountEntity.createFromAccountInfo(result.account, result.cloudGraphHostName, result.msGraphHost);
-        await this.browserStorage.setAccount(accountEntity, result.correlationId, isKmsi(result.idTokenClaims));
+        await this.browserStorage.setAccount(accountEntity, result.correlationId, isKmsi(result.idTokenClaims), ApiId.hydrateCache);
         if (result.fromNativeBroker) {
             this.logger.verbose("Response was from native broker, storing in-memory");
             // Tokens from native broker are stored in-memory
@@ -59209,7 +59296,7 @@ function checkIfRefreshTokenErrorCanBeResolvedSilently(refreshTokenError, cacheL
     return isSilentlyResolvable && tryIframeRenewal;
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -59221,7 +59308,7 @@ async function createV3Controller(config, request) {
     return StandardController.createController(standard, request);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.