@cosmotech/core 3.0.0-dev.0 → 3.0.0

package/dist/index.esm.js

@@ -7172,7 +7172,12 @@ var includesStringExports = includesString.exports;
 	        var before_at = before_slash.substring(0, at_position);
 	        var valid_auth_regex = /^[a-zA-Z0-9\-_.%:]*$/;
 	        var is_valid_auth = valid_auth_regex.test(before_at);
-	        if (is_valid_auth) {
+
+	        // Check if this contains URL-encoded content that could be malicious
+	        // For example: javascript:%61%6c%65%72%74%28%31%29@example.com
+	        // The encoded part decodes to: alert(1)
+	        var has_encoded_content = /%[0-9a-fA-F]{2}/.test(before_at);
+	        if (is_valid_auth && !has_encoded_content) {
 	          // This looks like authentication (e.g., user:password@host), not a protocol
 	          if (options.require_protocol) {
 	            return false;
@@ -7181,6 +7186,7 @@ var includesStringExports = includesString.exports;
 	          // Don't consume the colon; let the auth parsing handle it later
 	        } else {
 	          // This looks like a malicious protocol (e.g., javascript:alert();@host)
+	          // or URL-encoded protocol handler (e.g., javascript:%61%6c%65%72%74%28%31%29@host)
 	          url = cleanUpProtocol(potential_protocol);
 	          if (url === false) {
 	            return false;
@@ -8427,11 +8433,18 @@ var isHexColor = {exports: {}};
 	});
 	exports$1.default = isHexColor;
 	var _assertString = _interopRequireDefault(assertStringExports);
+	var _merge = _interopRequireDefault(mergeExports);
 	function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 	var hexcolor = /^#?([0-9A-F]{3}|[0-9A-F]{4}|[0-9A-F]{6}|[0-9A-F]{8})$/i;
-	function isHexColor(str) {
+	var hexcolor_with_prefix = /^#([0-9A-F]{3}|[0-9A-F]{4}|[0-9A-F]{6}|[0-9A-F]{8})$/i;
+	var default_is_hexcolor_options = {
+	  require_hashtag: false
+	};
+	function isHexColor(str, options) {
 	  (0, _assertString.default)(str);
-	  return hexcolor.test(str);
+	  options = (0, _merge.default)(options, default_is_hexcolor_options);
+	  var hexcolor_regex = options.require_hashtag ? hexcolor_with_prefix : hexcolor;
+	  return hexcolor_regex.test(str);
 	}
 	module.exports = exports$1.default;
 	module.exports.default = exports$1.default; 
@@ -8589,7 +8602,7 @@ var ibanRegexThroughCountryCode = {
   IE: /^(IE[0-9]{2})[A-Z]{4}\d{14}$/,
   IL: /^(IL[0-9]{2})\d{19}$/,
   IQ: /^(IQ[0-9]{2})[A-Z]{4}\d{15}$/,
-  IR: /^(IR[0-9]{2})0\d{2}0\d{18}$/,
+  IR: /^(IR[0-9]{2})\d{22}$/,
   IS: /^(IS[0-9]{2})\d{22}$/,
   IT: /^(IT[0-9]{2})[A-Z]{1}\d{10}[A-Z0-9]{12}$/,
   JO: /^(JO[0-9]{2})[A-Z]{4}\d{22}$/,
@@ -13356,7 +13369,7 @@ function isVAT(str, countryCode) {
 	var _isVAT = _interopRequireDefault(isVAT$1);
 	function _interopRequireWildcard(e, t) { if ("function" == typeof WeakMap) var r = new WeakMap(), n = new WeakMap(); return (_interopRequireWildcard = function _interopRequireWildcard(e, t) { if (!t && e && e.__esModule) return e; var o, i, f = { __proto__: null, default: e }; if (null === e || "object" != _typeof(e) && "function" != typeof e) return f; if (o = t ? n : r) { if (o.has(e)) return o.get(e); o.set(e, f); } for (var _t in e) "default" !== _t && {}.hasOwnProperty.call(e, _t) && ((i = (o = Object.defineProperty) && Object.getOwnPropertyDescriptor(e, _t)) && (i.get || i.set) ? o(f, _t, i) : f[_t] = e[_t]); return f; })(e, t); }
 	function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
-	var version = '13.15.23';
+	var version = '13.15.26';
 	var validator = {
 	  version: version,
 	  toDate: _toDate.default,
@@ -42487,7 +42500,7 @@ var AuthDev = {
   acquireTokensByRequest
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -42761,7 +42774,7 @@ const JsonWebTokenTypes = {
 // Token renewal offset default in seconds
 const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -42772,7 +42785,7 @@ const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
 const unexpectedError = "unexpected_error";
 const postRequestFailed$1 = "post_request_failed";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -42807,7 +42820,7 @@ function createAuthError(code, additionalMessage) {
         : AuthErrorMessages[code]);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -42858,7 +42871,7 @@ const methodNotImplemented = "method_not_implemented";
 const nestedAppAuthBridgeDisabled = "nested_app_auth_bridge_disabled";
 const platformBrokerError = "platform_broker_error";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -42933,7 +42946,7 @@ function createClientAuthError(errorCode, additionalMessage) {
     return new ClientAuthError(errorCode, additionalMessage);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -42972,7 +42985,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
     },
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43163,12 +43176,12 @@ class Logger {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /* eslint-disable header/header */
 const name$2 = "@azure/msal-common";
-const version$1 = "15.13.3";
+const version$1 = "15.14.1";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43177,7 +43190,7 @@ const AzureCloudInstance = {
     // AzureCloudInstance is not specified.
     None: "none"};
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43207,7 +43220,7 @@ const invalidRequestMethodForEAR = "invalid_request_method_for_EAR";
 const invalidAuthorizePostBodyParameters = "invalid_authorize_post_body_parameters";
 const invalidPlatformBrokerConfiguration = "invalid_platform_broker_configuration";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43253,7 +43266,7 @@ function createClientConfigurationError(errorCode) {
     return new ClientConfigurationError(errorCode);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43350,7 +43363,7 @@ class StringUtils {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43545,7 +43558,7 @@ class ScopeSet {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43585,7 +43598,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
     };
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43667,7 +43680,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
     return updatedAccountInfo;
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43682,7 +43695,7 @@ const AuthorityType = {
     Ciam: 3,
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43704,7 +43717,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
     return null;
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -43728,7 +43741,7 @@ const ProtocolMode = {
     EAR: "EAR",
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -43762,6 +43775,13 @@ class AccountEntity {
      * Returns the AccountInfo interface for this account.
      */
     static getAccountInfo(accountEntity) {
+        const tenantProfiles = accountEntity.tenantProfiles || [];
+        // Ensure at least the home tenant profile exists
+        if (tenantProfiles.length === 0 &&
+            accountEntity.realm &&
+            accountEntity.localAccountId) {
+            tenantProfiles.push(buildTenantProfile(accountEntity.homeAccountId, accountEntity.localAccountId, accountEntity.realm));
+        }
         return {
             homeAccountId: accountEntity.homeAccountId,
             environment: accountEntity.environment,
@@ -43773,7 +43793,7 @@ class AccountEntity {
             nativeAccountId: accountEntity.nativeAccountId,
             authorityType: accountEntity.authorityType,
             // Deserialize tenant profiles array into a Map
-            tenantProfiles: new Map((accountEntity.tenantProfiles || []).map((tenantProfile) => {
+            tenantProfiles: new Map(tenantProfiles.map((tenantProfile) => {
                 return [tenantProfile.tenantId, tenantProfile];
             })),
             dataBoundary: accountEntity.dataBoundary,
@@ -43874,7 +43894,14 @@ class AccountEntity {
         account.cloudGraphHostName = cloudGraphHostName;
         account.msGraphHost = msGraphHost;
         // Serialize tenant profiles map into an array
-        account.tenantProfiles = Array.from(accountInfo.tenantProfiles?.values() || []);
+        const tenantProfiles = Array.from(accountInfo.tenantProfiles?.values() || []);
+        // Ensure at least the home tenant profile exists
+        if (tenantProfiles.length === 0 &&
+            accountInfo.tenantId &&
+            accountInfo.localAccountId) {
+            tenantProfiles.push(buildTenantProfile(accountInfo.homeAccountId, accountInfo.localAccountId, accountInfo.tenantId, accountInfo.idTokenClaims));
+        }
+        account.tenantProfiles = tenantProfiles;
         account.dataBoundary = accountInfo.dataBoundary;
         return account;
     }
@@ -43949,7 +43976,7 @@ class AccountEntity {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44030,7 +44057,7 @@ function checkMaxAge(authTime, maxAge) {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44146,7 +44173,7 @@ function normalizeUrlForComparison(url) {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44310,7 +44337,7 @@ class UrlString {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44449,7 +44476,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
     return null;
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -44457,7 +44484,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
 const cacheQuotaExceeded = "cache_quota_exceeded";
 const cacheErrorUnknown = "cache_error_unknown";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44502,7 +44529,7 @@ function createCacheError(e) {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -44672,15 +44699,16 @@ class CacheManager {
      * @param cacheRecord {CacheRecord}
      * @param correlationId {?string} correlation id
      * @param kmsi - Keep Me Signed In
+     * @param apiId - API identifier for telemetry tracking
      * @param storeInCache {?StoreInCache}
      */
-    async saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache) {
+    async saveCacheRecord(cacheRecord, correlationId, kmsi, apiId, storeInCache) {
         if (!cacheRecord) {
             throw createClientAuthError(invalidCacheRecord);
         }
         try {
             if (!!cacheRecord.account) {
-                await this.setAccount(cacheRecord.account, correlationId, kmsi);
+                await this.setAccount(cacheRecord.account, correlationId, kmsi, apiId);
             }
             if (!!cacheRecord.idToken && storeInCache?.idToken !== false) {
                 await this.setIdTokenCredential(cacheRecord.idToken, correlationId, kmsi);
@@ -45611,7 +45639,7 @@ class DefaultStorageClass extends CacheManager {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -45868,6 +45896,11 @@ const PerformanceEvents = {
     Decrypt: "decrypt",
     GenerateEarKey: "generateEarKey",
     DecryptEarResponse: "decryptEarResponse",
+    LoadExternalTokens: "LoadExternalTokens",
+    LoadAccount: "loadAccount",
+    LoadIdToken: "loadIdToken",
+    LoadAccessToken: "loadAccessToken",
+    LoadRefreshToken: "loadRefreshToken",
 };
 /**
  * State of the performance event.
@@ -45878,7 +45911,7 @@ const PerformanceEvents = {
 const PerformanceEventStatus = {
     InProgress: 1};
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -45957,7 +45990,7 @@ class StubPerformanceClient {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -46057,7 +46090,7 @@ function isOidcProtocolMode(config) {
     return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46067,7 +46100,7 @@ const CcsCredentialType = {
     UPN: "UPN",
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46117,7 +46150,7 @@ const INSTANCE_AWARE = "instance_aware";
 const EAR_JWK = "ear_jwk";
 const EAR_JWE_CRYPTO = "ear_jwe_crypto";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -46497,7 +46530,7 @@ function addPostBodyParameters(parameters, bodyParameters) {
     });
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46509,7 +46542,7 @@ function isOpenIdConfigResponse(response) {
         response.hasOwnProperty("jwks_uri"));
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46519,7 +46552,7 @@ function isCloudInstanceDiscoveryResponse(response) {
         response.hasOwnProperty("metadata"));
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46529,7 +46562,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
         response.hasOwnProperty("error_description"));
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46625,7 +46658,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
     };
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -46731,7 +46764,7 @@ RegionDiscovery.IMDS_OPTIONS = {
     },
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -46796,7 +46829,7 @@ function wasClockTurnedBack(cachedAt) {
     return cachedAtSec > nowSeconds();
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -47058,7 +47091,7 @@ function isAuthorityMetadataExpired(metadata) {
     return metadata.expiresAt <= nowSeconds();
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -47897,7 +47930,7 @@ function buildStaticAuthorityOptions(authOptions) {
     };
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -47928,7 +47961,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -47947,7 +47980,7 @@ class ServerError extends AuthError {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -47968,7 +48001,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
     };
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48055,7 +48088,7 @@ class ThrottlingUtils {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48086,7 +48119,7 @@ function createNetworkError(error, httpStatus, responseHeaders, additionalError)
     return new NetworkError(error, httpStatus, responseHeaders);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48234,7 +48267,7 @@ class BaseClient {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -48250,7 +48283,7 @@ const consentRequired = "consent_required";
 const loginRequired = "login_required";
 const badToken = "bad_token";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48322,7 +48355,7 @@ function createInteractionRequiredAuthError(errorCode) {
     return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48394,7 +48427,7 @@ class ProtocolUtils {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48476,7 +48509,7 @@ class PopTokenGenerator {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -48503,7 +48536,7 @@ class PopTokenGenerator {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48567,7 +48600,7 @@ class ResponseHandler {
      * @param serverTokenResponse
      * @param authority
      */
-    async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
+    async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, apiId, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
         this.performanceClient?.addQueueMeasurement(PerformanceEvents.HandleServerTokenResponse, serverTokenResponse.correlation_id);
         // create an idToken object (not entity)
         let idTokenClaims;
@@ -48615,14 +48648,19 @@ class ResponseHandler {
             if (handlingRefreshTokenResponse &&
                 !forceCacheRefreshTokenResponse &&
                 cacheRecord.account) {
-                const key = this.cacheStorage.generateAccountKey(AccountEntity.getAccountInfo(cacheRecord.account));
-                const account = this.cacheStorage.getAccount(key, request.correlationId);
-                if (!account) {
+                const cachedAccounts = this.cacheStorage.getAllAccounts({
+                    homeAccountId: cacheRecord.account.homeAccountId,
+                    environment: cacheRecord.account.environment,
+                }, request.correlationId);
+                if (cachedAccounts.length < 1) {
                     this.logger.warning("Account used to refresh tokens not in persistence, refreshed tokens will not be stored in the cache");
+                    this.performanceClient?.addFields({
+                        acntLoggedOut: true,
+                    }, request.correlationId);
                     return await ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, undefined, serverRequestId);
                 }
             }
-            await this.cacheStorage.saveCacheRecord(cacheRecord, request.correlationId, isKmsi(idTokenClaims || {}), request.storeInCache);
+            await this.cacheStorage.saveCacheRecord(cacheRecord, request.correlationId, isKmsi(idTokenClaims || {}), apiId, request.storeInCache);
         }
         finally {
             if (this.persistencePlugin &&
@@ -48692,6 +48730,9 @@ class ResponseHandler {
                     ? parseInt(serverTokenResponse.refresh_token_expires_in, 10)
                     : serverTokenResponse.refresh_token_expires_in;
                 rtExpiresOn = reqTimestamp + rtExpiresIn;
+                this.performanceClient?.addFields({
+                    ntwkRtExpiresOnSeconds: rtExpiresOn,
+                }, request.correlationId);
             }
             cachedRefreshToken = createRefreshTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.refresh_token, this.clientId, serverTokenResponse.foci, userAssertionHash, rtExpiresOn);
         }
@@ -48834,7 +48875,7 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
     return baseAccount;
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -48852,7 +48893,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -48874,8 +48915,9 @@ class AuthorizationCodeClient extends BaseClient {
      * API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
      * authorization_code_grant
      * @param request
+     * @param apiId - API identifier for telemetry tracking
      */
-    async acquireToken(request, authCodePayload) {
+    async acquireToken(request, apiId, authCodePayload) {
         this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientAcquireToken, request.correlationId);
         if (!request.code) {
             throw createClientAuthError(requestCannotBeMade);
@@ -48887,7 +48929,7 @@ class AuthorizationCodeClient extends BaseClient {
         const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, this.config.serializableCache, this.config.persistencePlugin, this.performanceClient);
         // Validate response. This function throws a server error if an error is returned by the server.
         responseHandler.validateTokenResponse(response.body);
-        return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
+        return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, apiId, authCodePayload, undefined, undefined, undefined, requestId);
     }
     /**
      * Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
@@ -49087,7 +49129,7 @@ class AuthorizationCodeClient extends BaseClient {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49102,7 +49144,7 @@ class RefreshTokenClient extends BaseClient {
     constructor(configuration, performanceClient) {
         super(configuration, performanceClient);
     }
-    async acquireToken(request) {
+    async acquireToken(request, apiId) {
         this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireToken, request.correlationId);
         const reqTimestamp = nowSeconds();
         const response = await invokeAsync(this.executeTokenRequest.bind(this), PerformanceEvents.RefreshTokenClientExecuteTokenRequest, this.logger, this.performanceClient, request.correlationId)(request, this.authority);
@@ -49110,13 +49152,13 @@ class RefreshTokenClient extends BaseClient {
         const requestId = response.headers?.[HeaderNames.X_MS_REQUEST_ID];
         const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, this.config.serializableCache, this.config.persistencePlugin);
         responseHandler.validateTokenResponse(response.body);
-        return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, undefined, undefined, true, request.forceCache, requestId);
+        return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, apiId, undefined, undefined, true, request.forceCache, requestId);
     }
     /**
      * Gets cached refresh token and attaches to request, then calls acquireToken API
      * @param request
      */
-    async acquireTokenByRefreshToken(request) {
+    async acquireTokenByRefreshToken(request, apiId) {
         // Cannot renew token if no request object is given.
         if (!request) {
             throw createClientConfigurationError(tokenRequestEmpty);
@@ -49131,7 +49173,7 @@ class RefreshTokenClient extends BaseClient {
         // if the app is part of the family, retrive a Family refresh token if present and make a refreshTokenRequest
         if (isFOCI) {
             try {
-                return await invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, true);
+                return await invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, true, apiId);
             }
             catch (e) {
                 const noFamilyRTInCache = e instanceof InteractionRequiredAuthError &&
@@ -49142,7 +49184,7 @@ class RefreshTokenClient extends BaseClient {
                     e.subError === Errors.CLIENT_MISMATCH_ERROR;
                 // if family Refresh Token (FRT) cache acquisition fails or if client_mismatch error is seen with FRT, reattempt with application Refresh Token (ART)
                 if (noFamilyRTInCache || clientMismatchErrorWithFamilyRT) {
-                    return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
+                    return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false, apiId);
                     // throw in all other cases
                 }
                 else {
@@ -49151,26 +49193,30 @@ class RefreshTokenClient extends BaseClient {
             }
         }
         // fall back to application refresh token acquisition
-        return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
+        return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false, apiId);
     }
     /**
      * makes a network call to acquire tokens by exchanging RefreshToken available in userCache; throws if refresh token is not cached
      * @param request
      */
-    async acquireTokenWithCachedRefreshToken(request, foci) {
+    async acquireTokenWithCachedRefreshToken(request, foci, apiId) {
         this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, request.correlationId);
         // fetches family RT or application RT based on FOCI value
         const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), PerformanceEvents.CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, request.correlationId, undefined, this.performanceClient);
         if (!refreshToken) {
             throw createInteractionRequiredAuthError(noTokensFound);
         }
-        if (refreshToken.expiresOn &&
-            isTokenExpired(refreshToken.expiresOn, request.refreshTokenExpirationOffsetSeconds ||
-                DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS)) {
-            this.performanceClient?.addFields({ rtExpiresOnMs: Number(refreshToken.expiresOn) }, request.correlationId);
-            throw createInteractionRequiredAuthError(refreshTokenExpired);
+        if (refreshToken.expiresOn) {
+            const offset = request.refreshTokenExpirationOffsetSeconds ||
+                DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS;
+            this.performanceClient?.addFields({
+                cacheRtExpiresOnSeconds: Number(refreshToken.expiresOn),
+                rtOffsetSeconds: offset,
+            }, request.correlationId);
+            if (isTokenExpired(refreshToken.expiresOn, offset)) {
+                throw createInteractionRequiredAuthError(refreshTokenExpired);
+            }
         }
-        // attach cached RT size to the current measurement
         const refreshTokenRequest = {
             ...request,
             refreshToken: refreshToken.secret,
@@ -49181,11 +49227,10 @@ class RefreshTokenClient extends BaseClient {
             },
         };
         try {
-            return await invokeAsync(this.acquireToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(refreshTokenRequest);
+            return await invokeAsync(this.acquireToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(refreshTokenRequest, apiId);
         }
         catch (e) {
             if (e instanceof InteractionRequiredAuthError) {
-                this.performanceClient?.addFields({ rtExpiresOnMs: Number(refreshToken.expiresOn) }, request.correlationId);
                 if (e.subError === badToken) {
                     // Remove bad refresh token from cache
                     this.logger.verbose("acquireTokenWithRefreshToken: bad refresh token, removing from cache");
@@ -49296,7 +49341,7 @@ class RefreshTokenClient extends BaseClient {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49394,7 +49439,7 @@ class SilentFlowClient extends BaseClient {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49409,7 +49454,7 @@ const StubbedNetworkModule = {
     },
 };
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49633,7 +49678,7 @@ function extractLoginHint(account) {
     return account.loginHint || account.idTokenClaims?.login_hint || null;
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49896,7 +49941,7 @@ class ServerTelemetryManager {
     }
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -49904,7 +49949,7 @@ class ServerTelemetryManager {
 const missingKidError = "missing_kid_error";
 const missingAlgError = "missing_alg_error";
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49929,7 +49974,7 @@ function createJoseHeaderError(code) {
     return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
 }
 
-/*! @azure/msal-common v15.13.3 2025-12-04 */
+/*! @azure/msal-common v15.14.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -49969,7 +50014,7 @@ class JoseHeader {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -50026,7 +50071,7 @@ const failedToParseHeaders = "failed_to_parse_headers";
 const failedToDecryptEarResponse = "failed_to_decrypt_ear_response";
 const timedOut = "timed_out";
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50103,7 +50148,7 @@ function createBrowserAuthError(errorCode, subError) {
     return new BrowserAuthError(errorCode, subError);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50190,9 +50235,9 @@ const InMemoryCacheKeys = {
 };
 /**
  * API Codes for Telemetry purposes.
- * Before adding a new code you must claim it in the MSAL Telemetry tracker as these number spaces are shared across all MSALs
  * 0-99 Silent Flow
  * 800-899 Auth Code Flow
+ * 900-999 Miscellaneous
  */
 const ApiId = {
     acquireTokenRedirect: 861,
@@ -50204,6 +50249,30 @@ const ApiId = {
     acquireTokenSilent_silentFlow: 61,
     logout: 961,
     logoutPopup: 962,
+    hydrateCache: 963,
+    loadExternalTokens: 964,
+};
+/**
+ * API Names for Telemetry purposes.
+ */
+const ApiName = {
+    861: "acquireTokenRedirect",
+    862: "acquireTokenPopup",
+    863: "ssoSilent",
+    864: "acquireTokenSilent_authCode",
+    865: "handleRedirectPromise",
+    866: "acquireTokenByCode",
+    61: "acquireTokenSilent_silentFlow",
+    961: "logout",
+    962: "logoutPopup",
+    963: "hydrateCache",
+    964: "loadExternalTokens",
+};
+const apiIdToName = (id) => {
+    if (typeof id === "number" && id in ApiName) {
+        return ApiName[id];
+    }
+    return "unknown";
 };
 /*
  * Interaction type of the API - used for state and telemetry
@@ -50268,7 +50337,7 @@ const iFrameRenewalPolicies = [
     CacheLookupPolicy.RefreshTokenAndNetwork,
 ];
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -50313,7 +50382,7 @@ function base64EncArr(aBytes) {
     return btoa(binString);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50352,7 +50421,7 @@ function base64DecToArr(base64String) {
     return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50651,7 +50720,7 @@ async function hashString(plainText) {
     return urlEncodeArr(hashBytes);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -50660,7 +50729,7 @@ const storageNotSupported = "storage_not_supported";
 const stubbedPublicClientApplicationCalled = "stubbed_public_client_application_called";
 const inMemRedirectUnavailable = "in_mem_redirect_unavailable";
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50700,7 +50769,7 @@ function createBrowserConfigurationAuthError(errorCode) {
     return new BrowserConfigurationAuthError(errorCode, BrowserConfigurationAuthErrorMessages[errorCode]);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50862,7 +50931,7 @@ function createGuid() {
     return createNewGuid();
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -50905,7 +50974,7 @@ class NavigationClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51026,7 +51095,7 @@ function getHeaderDict(headers) {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51161,12 +51230,12 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
     return overlayedConfig;
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /* eslint-disable header/header */
 const name$1 = "@azure/msal-browser";
-const version = "4.27.0";
+const version = "4.28.1";
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -51194,7 +51263,7 @@ function getTokenKeysCacheKey(clientId, schema = CREDENTIAL_SCHEMA_VERSION) {
     return `${PREFIX}.${schema}.${TOKEN_KEYS}.${clientId}`;
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51291,7 +51360,7 @@ class BaseOperatingContext {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51337,7 +51406,7 @@ StandardOperatingContext.MODULE_NAME = "";
  */
 StandardOperatingContext.ID = "StandardOperatingContext";
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51540,7 +51609,7 @@ class DatabaseStorage {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -51586,7 +51655,7 @@ class MemoryStorage {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51720,7 +51789,7 @@ class AsyncMemoryStorage {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51901,7 +51970,7 @@ function getSortedObjectString(obj) {
     return JSON.stringify(obj, Object.keys(obj).sort());
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -51979,7 +52048,7 @@ function getCookieExpirationTime(cookieLifeDays) {
     return expr.toUTCString();
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -52021,7 +52090,7 @@ function getTokenKeys(clientId, storage, schemaVersion) {
     };
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -52032,7 +52101,7 @@ function isEncrypted(data) {
         data.hasOwnProperty("data"));
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -52322,7 +52391,7 @@ class LocalStorage {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -52364,7 +52433,7 @@ class SessionStorage {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -52399,7 +52468,7 @@ const EventType = {
     BROKER_CONNECTION_ESTABLISHED: "msal:brokerConnectionEstablished",
 };
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -52416,7 +52485,7 @@ function removeElementFromArray(array, element) {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -52973,17 +53042,21 @@ class BrowserCacheManager extends CacheManager {
         if (!parsedAccount || !AccountEntity.isAccountEntity(parsedAccount)) {
             return null;
         }
+        this.performanceClient.addFields({
+            accountCachedBy: apiIdToName(parsedAccount.cachedByApiId),
+        }, correlationId);
         return CacheManager.toObject(new AccountEntity(), parsedAccount);
     }
     /**
      * set account entity in the platform cache
      * @param account
      */
-    async setAccount(account, correlationId, kmsi) {
+    async setAccount(account, correlationId, kmsi, apiId) {
         this.logger.trace("BrowserCacheManager.setAccount called");
         const key = this.generateAccountKey(AccountEntity.getAccountInfo(account));
         const timestamp = Date.now().toString();
         account.lastUpdatedAt = timestamp;
+        account.cachedByApiId = apiId;
         await this.setUserData(key, JSON.stringify(account), correlationId, timestamp, kmsi);
         const wasAdded = this.addAccountKeyToMap(key, correlationId);
         this.performanceClient.addFields({ kmsi: kmsi }, correlationId);
@@ -53738,7 +53811,7 @@ class BrowserCacheManager extends CacheManager {
      * @param request
      */
     async hydrateCache(result, request) {
-        const idTokenEntity = createIdTokenEntity(result.account?.homeAccountId, result.account?.environment, result.idToken, this.clientId, result.tenantId);
+        const idTokenEntity = createIdTokenEntity(result.account.homeAccountId, result.account.environment, result.idToken, this.clientId, result.tenantId);
         let claimsHash;
         if (request.claims) {
             claimsHash = await this.cryptoImpl.hashString(request.claims);
@@ -53750,7 +53823,7 @@ class BrowserCacheManager extends CacheManager {
          *
          * The next MSAL VFuture should map these both to same value if possible
          */
-        const accessTokenEntity = createAccessTokenEntity(result.account?.homeAccountId, result.account.environment, result.accessToken, this.clientId, result.tenantId, result.scopes.join(" "), 
+        const accessTokenEntity = createAccessTokenEntity(result.account.homeAccountId, result.account.environment, result.accessToken, this.clientId, result.tenantId, result.scopes.join(" "), 
         // Access token expiresOn stored in seconds, converting from AuthenticationResult expiresOn stored as Date
         result.expiresOn
             ? toSecondsFromDate(result.expiresOn)
@@ -53763,7 +53836,7 @@ class BrowserCacheManager extends CacheManager {
             idToken: idTokenEntity,
             accessToken: accessTokenEntity,
         };
-        return this.saveCacheRecord(cacheRecord, result.correlationId, isKmsi(extractTokenClaims(result.idToken, base64Decode)));
+        return this.saveCacheRecord(cacheRecord, result.correlationId, isKmsi(extractTokenClaims(result.idToken, base64Decode)), ApiId.hydrateCache);
     }
     /**
      * saves a cache record
@@ -53771,9 +53844,9 @@ class BrowserCacheManager extends CacheManager {
      * @param storeInCache {?StoreInCache}
      * @param correlationId {?string} correlation id
      */
-    async saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache) {
+    async saveCacheRecord(cacheRecord, correlationId, kmsi, apiId, storeInCache) {
         try {
-            await super.saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache);
+            await super.saveCacheRecord(cacheRecord, correlationId, kmsi, apiId, storeInCache);
         }
         catch (e) {
             if (e instanceof CacheError &&
@@ -53827,7 +53900,7 @@ const DEFAULT_BROWSER_CACHE_MANAGER = (clientId, logger, performanceClient, even
     return new BrowserCacheManager(clientId, cacheOptions, DEFAULT_CRYPTO_IMPLEMENTATION, logger, performanceClient, eventHandler);
 };
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -53952,7 +54025,7 @@ function getActiveAccount(browserStorage, correlationId) {
     return browserStorage.getActiveAccount(correlationId);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54058,7 +54131,7 @@ class EventHandler {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54174,7 +54247,7 @@ class BaseInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54259,7 +54332,7 @@ function validateRequestMethod(interactionRequest, protocolMode) {
     return httpMethod;
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54463,7 +54536,7 @@ class StandardInteractionClient extends BaseInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54487,7 +54560,7 @@ function extractBrowserRequestState(browserCrypto, state) {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54526,7 +54599,7 @@ function validateInteractionType(response, browserCrypto, interactionType) {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54547,7 +54620,7 @@ class InteractionHandler {
      * Function to handle response parameters from hash.
      * @param locationHash
      */
-    async handleCodeResponse(response, request) {
+    async handleCodeResponse(response, request, apiId) {
         this.performanceClient.addQueueMeasurement(PerformanceEvents.HandleCodeResponse, request.correlationId);
         let authCodeResponse;
         try {
@@ -54563,7 +54636,7 @@ class InteractionHandler {
                 throw e;
             }
         }
-        return invokeAsync(this.handleCodeResponseFromServer.bind(this), PerformanceEvents.HandleCodeResponseFromServer, this.logger, this.performanceClient, request.correlationId)(authCodeResponse, request);
+        return invokeAsync(this.handleCodeResponseFromServer.bind(this), PerformanceEvents.HandleCodeResponseFromServer, this.logger, this.performanceClient, request.correlationId)(authCodeResponse, request, apiId);
     }
     /**
      * Process auth code response from AAD
@@ -54573,7 +54646,7 @@ class InteractionHandler {
      * @param networkModule
      * @returns
      */
-    async handleCodeResponseFromServer(authCodeResponse, request, validateNonce = true) {
+    async handleCodeResponseFromServer(authCodeResponse, request, apiId, validateNonce = true) {
         this.performanceClient.addQueueMeasurement(PerformanceEvents.HandleCodeResponseFromServer, request.correlationId);
         this.logger.trace("InteractionHandler.handleCodeResponseFromServer called");
         // Assign code to request
@@ -54599,7 +54672,7 @@ class InteractionHandler {
             }
         }
         // Acquire token with retrieved code.
-        const tokenResponse = (await invokeAsync(this.authModule.acquireToken.bind(this.authModule), PerformanceEvents.AuthClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(this.authCodeRequest, authCodeResponse));
+        const tokenResponse = (await invokeAsync(this.authModule.acquireToken.bind(this.authModule), PerformanceEvents.AuthClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(this.authCodeRequest, apiId, authCodeResponse));
         return tokenResponse;
     }
     /**
@@ -54622,7 +54695,7 @@ class InteractionHandler {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -54631,7 +54704,7 @@ const contentError = "ContentError";
 const pageException = "PageException";
 const userSwitch = "user_switch";
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -54644,7 +54717,7 @@ const DISABLED = "DISABLED";
 const ACCOUNT_UNAVAILABLE = "ACCOUNT_UNAVAILABLE";
 const UX_NOT_ALLOWED = "UX_NOT_ALLOWED";
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54709,7 +54782,7 @@ function createNativeAuthError(code, description, ext) {
     return new NativeAuthError(code, NativeAuthErrorMessages[code] || description, ext);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -54759,7 +54832,7 @@ class SilentCacheClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -55155,7 +55228,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
      */
     async cacheAccount(accountEntity, correlationId, kmsi) {
         // Store the account info and hence `nativeAccountId` in browser cache
-        await this.browserStorage.setAccount(accountEntity, this.correlationId, kmsi);
+        await this.browserStorage.setAccount(accountEntity, this.correlationId, kmsi, this.apiId);
         // Remove any existing cached tokens for this account in browser storage
         this.browserStorage.removeAccountContext(AccountEntity.getAccountInfo(accountEntity), correlationId);
     }
@@ -55184,7 +55257,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
             idToken: cachedIdToken,
             accessToken: cachedAccessToken,
         };
-        return this.nativeStorageManager.saveCacheRecord(nativeCacheRecord, this.correlationId, isKmsi(idTokenClaims), request.storeInCache);
+        return this.nativeStorageManager.saveCacheRecord(nativeCacheRecord, this.correlationId, isKmsi(idTokenClaims), this.apiId, request.storeInCache);
     }
     getExpiresInValue(tokenType, expiresIn) {
         return tokenType === AuthenticationScheme.POP
@@ -55386,7 +55459,7 @@ class PlatformAuthInteractionClient extends BaseInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -55561,7 +55634,7 @@ async function handleResponseCode(request, response, codeVerifier, apiId, config
     // Create popup interaction handler.
     const interactionHandler = new InteractionHandler(authClient, browserStorage, authCodeRequest, logger, performanceClient);
     // Handle response from hash string.
-    const result = await invokeAsync(interactionHandler.handleCodeResponse.bind(interactionHandler), PerformanceEvents.HandleCodeResponse, logger, performanceClient, request.correlationId)(response, request);
+    const result = await invokeAsync(interactionHandler.handleCodeResponse.bind(interactionHandler), PerformanceEvents.HandleCodeResponse, logger, performanceClient, request.correlationId)(response, request, apiId);
     return result;
 }
 /**
@@ -55608,10 +55681,10 @@ async function handleResponseEAR(request, response, apiId, config, authority, br
         cloud_instance_name: decryptedData.cloud_instance_name,
         msgraph_host: decryptedData.msgraph_host,
     };
-    return (await invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, logger, performanceClient, request.correlationId)(decryptedData, authority, nowSeconds(), request, additionalData, undefined, undefined, undefined, undefined));
+    return (await invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, logger, performanceClient, request.correlationId)(decryptedData, authority, nowSeconds(), request, apiId, additionalData, undefined, undefined, undefined, undefined));
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -55668,7 +55741,7 @@ async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceCl
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -55933,7 +56006,7 @@ class PlatformAuthExtensionHandler {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -56070,7 +56143,7 @@ class PlatformAuthDOMHandler {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 async function getPlatformAuthProvider(logger, performanceClient, correlationId, nativeBrokerHandshakeTimeout, enablePlatformBrokerDOMSupport) {
     logger.trace("getPlatformAuthProvider called", correlationId);
     logger.trace("Has client allowed platform auth via DOM API: " +
@@ -56135,7 +56208,7 @@ function isPlatformAuthAllowed(config, logger, platformAuthProvider, authenticat
     return true;
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -56632,7 +56705,7 @@ class PopupClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57072,7 +57145,7 @@ class RedirectClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57228,7 +57301,7 @@ function removeHiddenIframe(iframe) {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57389,7 +57462,7 @@ class SilentIframeClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57419,7 +57492,7 @@ class SilentRefreshClient extends StandardInteractionClient {
             account: silentRequest.account,
         });
         // Send request to renew token. Auth module will throw errors if token cannot be renewed.
-        return invokeAsync(refreshTokenClient.acquireTokenByRefreshToken.bind(refreshTokenClient), PerformanceEvents.RefreshTokenClientAcquireTokenByRefreshToken, this.logger, this.performanceClient, request.correlationId)(silentRequest).catch((e) => {
+        return invokeAsync(refreshTokenClient.acquireTokenByRefreshToken.bind(refreshTokenClient), PerformanceEvents.RefreshTokenClientAcquireTokenByRefreshToken, this.logger, this.performanceClient, request.correlationId)(silentRequest, ApiId.acquireTokenSilent_silentFlow).catch((e) => {
             e.setCorrelationId(this.correlationId);
             serverTelemetryManager.cacheFailedRequest(e);
             throw e;
@@ -57455,7 +57528,7 @@ class SilentRefreshClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57465,12 +57538,13 @@ class SilentRefreshClient extends StandardInteractionClient {
  * Token cache manager
  */
 class TokenCache {
-    constructor(configuration, storage, logger, cryptoObj) {
+    constructor(configuration, storage, logger, cryptoObj, performanceClient) {
         this.isBrowserEnvironment = typeof window !== "undefined";
         this.config = configuration;
         this.storage = storage;
         this.logger = logger;
         this.cryptoObj = cryptoObj;
+        this.performanceClient = performanceClient;
     }
     // Move getAllAccounts here and cache utility APIs
     /**
@@ -57485,30 +57559,37 @@ class TokenCache {
             throw createBrowserAuthError(nonBrowserEnvironment);
         }
         const correlationId = request.correlationId || createNewGuid();
-        const idTokenClaims = response.id_token
-            ? extractTokenClaims(response.id_token, base64Decode)
-            : undefined;
-        const kmsi = isKmsi(idTokenClaims || {});
-        const authorityOptions = {
-            protocolMode: this.config.auth.protocolMode,
-            knownAuthorities: this.config.auth.knownAuthorities,
-            cloudDiscoveryMetadata: this.config.auth.cloudDiscoveryMetadata,
-            authorityMetadata: this.config.auth.authorityMetadata,
-            skipAuthorityMetadataCache: this.config.auth.skipAuthorityMetadataCache,
-        };
-        const authority = request.authority
-            ? new Authority(Authority.generateAuthority(request.authority, request.azureCloudOptions), this.config.system.networkClient, this.storage, authorityOptions, this.logger, request.correlationId || createNewGuid())
-            : undefined;
-        const cacheRecordAccount = await this.loadAccount(request, options.clientInfo || response.client_info || "", correlationId, idTokenClaims, authority);
-        const idToken = await this.loadIdToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, correlationId, kmsi);
-        const accessToken = await this.loadAccessToken(request, response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, options, correlationId, kmsi);
-        const refreshToken = await this.loadRefreshToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, correlationId, kmsi);
-        return this.generateAuthenticationResult(request, {
-            account: cacheRecordAccount,
-            idToken,
-            accessToken,
-            refreshToken,
-        }, idTokenClaims, authority);
+        const rootMeasurement = this.performanceClient.startMeasurement(PerformanceEvents.LoadExternalTokens, correlationId);
+        try {
+            const idTokenClaims = response.id_token
+                ? extractTokenClaims(response.id_token, base64Decode)
+                : undefined;
+            const kmsi = isKmsi(idTokenClaims || {});
+            const authorityOptions = {
+                protocolMode: this.config.auth.protocolMode,
+                knownAuthorities: this.config.auth.knownAuthorities,
+                cloudDiscoveryMetadata: this.config.auth.cloudDiscoveryMetadata,
+                authorityMetadata: this.config.auth.authorityMetadata,
+                skipAuthorityMetadataCache: this.config.auth.skipAuthorityMetadataCache,
+            };
+            const authorityString = request.authority || this.config.auth.authority;
+            const authority = await createDiscoveredInstance(Authority.generateAuthority(authorityString, request.azureCloudOptions), this.config.system.networkClient, this.storage, authorityOptions, this.logger, correlationId, this.performanceClient);
+            const cacheRecordAccount = await invokeAsync(this.loadAccount.bind(this), PerformanceEvents.LoadAccount, this.logger, this.performanceClient, correlationId)(request, options.clientInfo || response.client_info || "", correlationId, authority, idTokenClaims);
+            const idToken = await invokeAsync(this.loadIdToken.bind(this), PerformanceEvents.LoadIdToken, this.logger, this.performanceClient, correlationId)(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, correlationId, kmsi);
+            const accessToken = await invokeAsync(this.loadAccessToken.bind(this), PerformanceEvents.LoadAccessToken, this.logger, this.performanceClient, correlationId)(request, response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, options, correlationId, kmsi);
+            const refreshToken = await invokeAsync(this.loadRefreshToken.bind(this), PerformanceEvents.LoadRefreshToken, this.logger, this.performanceClient, correlationId)(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, correlationId, kmsi);
+            rootMeasurement.end({ success: true }, undefined, AccountEntity.getAccountInfo(cacheRecordAccount));
+            return this.generateAuthenticationResult(request, {
+                account: cacheRecordAccount,
+                idToken,
+                accessToken,
+                refreshToken,
+            }, authority, idTokenClaims);
+        }
+        catch (error) {
+            rootMeasurement.end({ success: false }, error);
+            throw error;
+        }
     }
     /**
      * Helper function to load account to msal-browser cache
@@ -57519,23 +57600,23 @@ class TokenCache {
      * @param requestHomeAccountId
      * @returns `AccountEntity`
      */
-    async loadAccount(request, clientInfo, correlationId, idTokenClaims, authority) {
+    async loadAccount(request, clientInfo, correlationId, authority, idTokenClaims) {
         this.logger.verbose("TokenCache - loading account");
         if (request.account) {
             const accountEntity = AccountEntity.createFromAccountInfo(request.account);
-            await this.storage.setAccount(accountEntity, correlationId, isKmsi(idTokenClaims || {}));
+            await this.storage.setAccount(accountEntity, correlationId, isKmsi(idTokenClaims || {}), ApiId.loadExternalTokens);
             return accountEntity;
         }
-        else if (!authority || (!clientInfo && !idTokenClaims)) {
-            this.logger.error("TokenCache - if an account is not provided on the request, authority and either clientInfo or idToken must be provided instead.");
+        else if (!clientInfo && !idTokenClaims) {
+            this.logger.error("TokenCache - if an account is not provided on the request, clientInfo or idToken must be provided instead.");
             throw createBrowserAuthError(unableToLoadToken);
         }
         const homeAccountId = AccountEntity.generateHomeAccountId(clientInfo, authority.authorityType, this.logger, this.cryptoObj, idTokenClaims);
         const claimsTenantId = idTokenClaims?.tid;
-        const cachedAccount = buildAccountToCache(this.storage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, authority.hostnameAndPort, claimsTenantId, undefined, // authCodePayload
+        const cachedAccount = buildAccountToCache(this.storage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, authority.getPreferredCache(), claimsTenantId, undefined, // authCodePayload
         undefined, // nativeAccountId
         this.logger);
-        await this.storage.setAccount(cachedAccount, correlationId, isKmsi(idTokenClaims || {}));
+        await this.storage.setAccount(cachedAccount, correlationId, isKmsi(idTokenClaims || {}), ApiId.loadExternalTokens);
         return cachedAccount;
     }
     /**
@@ -57604,9 +57685,15 @@ class TokenCache {
             this.logger.verbose("TokenCache - no refresh token found in response");
             return null;
         }
+        const expiresOn = response.refresh_token_expires_in
+            ? response.refresh_token_expires_in + nowSeconds()
+            : undefined;
+        this.performanceClient.addFields({
+            extRtExpiresOnSeconds: expiresOn,
+        }, correlationId);
         this.logger.verbose("TokenCache - loading refresh token");
         const refreshTokenEntity = createRefreshTokenEntity(homeAccountId, environment, response.refresh_token, this.config.auth.clientId, response.foci, undefined, // userAssertionHash
-        response.refresh_token_expires_in);
+        expiresOn);
         await this.storage.setRefreshTokenCredential(refreshTokenEntity, correlationId, kmsi);
         return refreshTokenEntity;
     }
@@ -57618,7 +57705,7 @@ class TokenCache {
      * @param authority
      * @returns `AuthenticationResult`
      */
-    generateAuthenticationResult(request, cacheRecord, idTokenClaims, authority) {
+    generateAuthenticationResult(request, cacheRecord, authority, idTokenClaims) {
         let accessToken = "";
         let responseScopes = [];
         let expiresOn = null;
@@ -57655,7 +57742,7 @@ class TokenCache {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57668,7 +57755,7 @@ class HybridSpaAuthorizationCodeClient extends AuthorizationCodeClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57715,7 +57802,7 @@ class SilentAuthCodeClient extends StandardInteractionClient {
                 msgraph_host: request.msGraphHost,
                 cloud_graph_host_name: request.cloudGraphHostName,
                 cloud_instance_host_name: request.cloudInstanceHostName,
-            }, silentRequest, false);
+            }, silentRequest, this.apiId, false);
         }
         catch (e) {
             if (e instanceof AuthError) {
@@ -57734,7 +57821,7 @@ class SilentAuthCodeClient extends StandardInteractionClient {
     }
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
  * Licensed under the MIT License.
@@ -57754,7 +57841,7 @@ function collectInstanceStats(currentClientId, performanceEvent, logger) {
     });
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -57831,7 +57918,7 @@ class StandardController {
         };
         this.nativeInternalStorage = new BrowserCacheManager(this.config.auth.clientId, nativeCacheOptions, this.browserCrypto, this.logger, this.performanceClient, this.eventHandler);
         // Initialize the token cache
-        this.tokenCache = new TokenCache(this.config, this.browserStorage, this.logger, this.browserCrypto);
+        this.tokenCache = new TokenCache(this.config, this.browserStorage, this.logger, this.browserCrypto, this.performanceClient);
         this.activeSilentTokenRequests = new Map();
         // Register listener functions
         this.trackPageVisibility = this.trackPageVisibility.bind(this);
@@ -58661,7 +58748,7 @@ class StandardController {
         this.logger.verbose("hydrateCache called");
         // Account gets saved to browser storage regardless of native or not
         const accountEntity = AccountEntity.createFromAccountInfo(result.account, result.cloudGraphHostName, result.msGraphHost);
-        await this.browserStorage.setAccount(accountEntity, result.correlationId, isKmsi(result.idTokenClaims));
+        await this.browserStorage.setAccount(accountEntity, result.correlationId, isKmsi(result.idTokenClaims), ApiId.hydrateCache);
         if (result.fromNativeBroker) {
             this.logger.verbose("Response was from native broker, storing in-memory");
             // Tokens from native broker are stored in-memory
@@ -59207,7 +59294,7 @@ function checkIfRefreshTokenErrorCanBeResolvedSilently(refreshTokenError, cacheL
     return isSilentlyResolvable && tryIframeRenewal;
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -59219,7 +59306,7 @@ async function createV3Controller(config, request) {
     return StandardController.createController(standard, request);
 }
 
-/*! @azure/msal-browser v4.27.0 2025-12-04 */
+/*! @azure/msal-browser v4.28.1 2026-01-17 */
 
 /*
  * Copyright (c) Microsoft Corporation. All rights reserved.