@dynamic-labs-sdk/client 0.24.0 → 0.25.0

package/dist/InvalidParamError-B5NwKSKU.native.esm.js

@@ -0,0 +1,1177 @@
+import { AuthStorageEnum, Configuration, SDKApi, isDeviceNonceSignatureRequiredForUrl } from "@dynamic-labs/sdk-api-core";
+
+//#region package.json
+var name = "@dynamic-labs-sdk/client";
+var version = "0.25.0";
+var dependencies = {
+	"@dynamic-labs-sdk/assert-package-version": "workspace:*",
+	"@dynamic-labs-wallet/browser-wallet-client": "0.0.325",
+	"@dynamic-labs/sdk-api-core": "0.0.941",
+	"@simplewebauthn/browser": "13.1.0",
+	"ably": "2.17.1",
+	"buffer": "6.0.3",
+	"eventemitter3": "5.0.1",
+	"zod": "4.0.5"
+};
+
+//#endregion
+//#region src/client/core/getCore/getCore.ts
+/** @not-instrumented */
+const getCore = (client) => {
+	return client.__core;
+};
+
+//#endregion
+//#region src/errors/base/BaseError.ts
+const getDetails = ({ details, cause }) => {
+	if (cause instanceof BaseError) return cause.details;
+	if (cause?.message) return cause.message;
+	return details;
+};
+/**
+* Formats the error message with all available information
+*/
+const formatMessage = ({ shortMessage, details, docsUrl, metaMessages }) => {
+	return [
+		"[Dynamic JS SDK]",
+		shortMessage,
+		"",
+		...metaMessages ? [...metaMessages, ""] : [],
+		...docsUrl ? [`Docs: ${docsUrl}`] : [],
+		...details ? [`Details: ${details}`] : [],
+		`Version: ${version}`,
+		`Timestamp: ${(/* @__PURE__ */ new Date()).toISOString()}`
+	].join("\n");
+};
+/**
+* Base error class that provides structured error handling with detailed information
+*/
+var BaseError = class BaseError extends Error {
+	/** The error unique code */
+	code;
+	details;
+	formattedMessage;
+	name = "BaseError";
+	cause;
+	constructor(args) {
+		const details = getDetails(args);
+		const formattedMessage = formatMessage({
+			...args,
+			details
+		});
+		super(args.shortMessage ?? formattedMessage, args.cause ? { cause: args.cause } : void 0);
+		this.formattedMessage = formattedMessage;
+		this.details = details;
+		this.name = args.name ?? this.name;
+		this.cause = args.cause ?? this.cause;
+		this.code = args.code;
+	}
+	/**
+	* Walks the cause chain of the error and returns the root error
+	*/
+	walk() {
+		const cause = this.cause;
+		if (cause instanceof BaseError) return cause.walk();
+		return cause;
+	}
+	toString() {
+		return this.formattedMessage;
+	}
+};
+
+//#endregion
+//#region src/errors/ClientNotFoundError.ts
+var ClientNotFoundError = class extends BaseError {
+	constructor() {
+		super({
+			cause: null,
+			code: "client_not_found_error",
+			docsUrl: null,
+			name: "ClientNotFoundError",
+			shortMessage: "No Dynamic client has been created yet. Make sure you have called createDynamicClient() first."
+		});
+	}
+};
+
+//#endregion
+//#region src/client/defaultClient/defaultClient.ts
+let defaultClient = null;
+let numOfInitializedClients = 0;
+/**
+* Returns the DynamicClient instance that was initialized with createDynamicClient.
+*
+* If more than one instance of DynamicClient was initialized, you should not use this function.
+* Instead, you should pass the client instance you stored to the function that needs it.
+* @not-instrumented
+*/
+const getDefaultClient = () => {
+	if (!defaultClient) throw new ClientNotFoundError();
+	if (numOfInitializedClients > 1) getCore(defaultClient).logger.debug("Multiple instances of DynamicClient found. If you are only using one client (recommended), make sure you are not calling \"createDynamicClient\" multiple times. If you are using multiple clients, make sure you are passing which client to use as the last param of all Dynamic functions.");
+	return defaultClient;
+};
+/** @not-instrumented */
+const setDefaultClient = (client) => {
+	defaultClient = client;
+	numOfInitializedClients++;
+};
+
+//#endregion
+//#region src/utils/getNonce/constants.ts
+const NONCE_POOL_EXPIRATION_TIME = 6e4 * 60 * 24;
+const NONCE_POOL_SIZE = 5;
+
+//#endregion
+//#region src/modules/apiClient/constants.ts
+const DYNAMIC_API_VERSION_HEADER = "x-dyn-api-version";
+const DYNAMIC_REQUEST_ID_HEADER = "x-dyn-request-id";
+const DYNAMIC_SDK_VERSION_HEADER = "x-dyn-version";
+const ELEVATED_ACCESS_TOKEN_HEADER = "x-dyn-elevated-access-token";
+const MFA_TOKEN_HEADER = "x-mfa-auth-token";
+const SESSION_PUBLIC_KEY_HEADER = "x-dyn-session-public-key";
+const DYNAMIC_SDK_API_VERSION = dependencies["@dynamic-labs/sdk-api-core"];
+const DYNAMIC_SDK_SESSION_ID_HEADER = "x-dyn-session-id";
+const CLIENT_SDK_NAME = "ClientSDK";
+
+//#endregion
+//#region src/utils/randomString/randomString.ts
+const DEFAULT_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+/** @not-instrumented */
+const randomString = ({ chars = DEFAULT_CHARS, length }) => {
+	const bytes = new Uint8Array(length);
+	crypto.getRandomValues(bytes);
+	let result = "";
+	for (let i = 0; i < length; i++) result += chars[bytes[i] % chars.length];
+	return result;
+};
+
+//#endregion
+//#region src/errors/ValueMustBeDefinedError.ts
+var ValueMustBeDefinedError = class extends BaseError {
+	constructor(message) {
+		super({
+			cause: null,
+			code: "value_must_be_defined_error",
+			docsUrl: null,
+			name: "ValueMustBeDefined",
+			shortMessage: message
+		});
+	}
+};
+
+//#endregion
+//#region src/utils/assertDefined/assertDefined.ts
+/**
+* Asserts that a value is not null or undefined, throwing an error if it is.
+* This function acts as a type guard, narrowing the type to exclude null and undefined.
+*
+* @template T - The type of the value being checked
+* @param value - The value to check for null or undefined
+* @param message - The error message to throw if the value is null or undefined
+* @throws Throws an error with the provided message if value is null or undefined
+* @example
+* ```typescript
+* const maybeString: string | null = getValue();
+* assertDefined(maybeString, 'String value is required');
+* // maybeString is now typed as string (null is excluded)
+* ```
+*/
+function assertDefined(value, message) {
+	if (value === null || value === void 0) throw new ValueMustBeDefinedError(message);
+}
+
+//#endregion
+//#region src/modules/projectSettings/isCookieEnabled/isCookieEnabled.ts
+/**
+* Returns true if the client is using Dynamic cookies or a BYO JWT cookie.
+* @not-instrumented
+*/
+const isCookieEnabled = (client) => {
+	assertDefined(client.projectSettings, "Project settings are not defined");
+	const securitySettings = client.projectSettings.security;
+	if (!securitySettings) return false;
+	const dynamicCookiesEnabled = (securitySettings.auth?.storage || []).includes(AuthStorageEnum.Cookie);
+	const byoJwtCookieEnabled = Boolean(securitySettings.externalAuth?.cookieName);
+	return dynamicCookiesEnabled || byoJwtCookieEnabled;
+};
+
+//#endregion
+//#region src/modules/auth/extractSessionId/extractSessionId.ts
+/**
+* Extracts the session ID (`sid` claim) from a JWT token string.
+*
+* Decodes the base64url-encoded payload segment of the token and reads the
+* `sid` field. This is used to correlate instrumentation events with the
+* authenticated session, without ever forwarding the full token.
+*
+* Returns `null` when no token is present, when the token is malformed, or
+* when the payload does not contain a `sid` claim.
+* @not-instrumented
+*/
+const extractSessionId = (token) => {
+	try {
+		const payload = token.split(".")[1];
+		return JSON.parse(atob(payload)).sid ?? null;
+	} catch {
+		return null;
+	}
+};
+
+//#endregion
+//#region src/utils/getUserAgent/getUserAgent.ts
+/**
+* Returns the browser's `navigator.userAgent` string for inclusion in
+* instrumentation events.
+*
+* Falls back to an empty string in environments where `navigator` is not
+* available (e.g., Node.js SSR, service workers) so that callers never need
+* to guard against undefined.
+* @not-instrumented
+*/
+const getUserAgent = () => {
+	try {
+		return navigator.userAgent;
+	} catch {
+		return "";
+	}
+};
+
+//#endregion
+//#region src/services/instrumentation/constants.ts
+const DEFAULT_PII_FIELDS = [
+	"password",
+	"token",
+	"secret",
+	"privateKey",
+	"mnemonic",
+	"seed",
+	"email",
+	"phone",
+	"ssn",
+	"address",
+	"authorization"
+];
+const REDACTED_VALUE = "[REDACTED]";
+const MAX_STRING_LENGTH = 500;
+const TRUNCATED_SUFFIX = "...[truncated]";
+/**
+* Label prefix for binary data placeholders. The full placeholder includes the
+* byte length, e.g. `[Binary:16 bytes]`, so consumers can gauge data size
+* without the actual bytes appearing in logs.
+*/
+const BINARY_LABEL = "Binary";
+/**
+* Placeholder emitted when a circular reference is detected in the value tree.
+* Using a named constant makes it easy to search for or filter in downstream
+* log tooling.
+*/
+const CIRCULAR_VALUE = "[Circular]";
+
+//#endregion
+//#region src/services/instrumentation/scrubParameters/scrubParameters.ts
+const scrubString = ({ key, piiFieldsLower, redactAll, value }) => {
+	if (piiFieldsLower.includes(key.toLowerCase())) return REDACTED_VALUE;
+	if (redactAll) return REDACTED_VALUE;
+	if (value.length > MAX_STRING_LENGTH) return value.slice(0, MAX_STRING_LENGTH) + TRUNCATED_SUFFIX;
+	return value;
+};
+const scrubArray = ({ context, value }) => {
+	if (context.visited.has(value)) return [CIRCULAR_VALUE];
+	context.visited.add(value);
+	const result = value.map((item, index) => scrubValue({
+		context,
+		key: String(index),
+		value: item
+	}));
+	context.visited.delete(value);
+	return result;
+};
+const scrubObject = ({ context, value }) => {
+	if (context.visited.has(value)) return { [CIRCULAR_VALUE]: true };
+	context.visited.add(value);
+	const result = Object.create(null);
+	for (const key of Object.keys(value)) result[key] = scrubValue({
+		context,
+		key,
+		value: value[key]
+	});
+	context.visited.delete(value);
+	return result;
+};
+const scrubValue = ({ context, key, value }) => {
+	if (value === null || value === void 0) return value;
+	if (value instanceof Uint8Array) return `[${BINARY_LABEL}:${value.byteLength} bytes]`;
+	if (context.piiFieldsLower.includes(key.toLowerCase())) return REDACTED_VALUE;
+	if (typeof value === "string") return scrubString({
+		key,
+		piiFieldsLower: context.piiFieldsLower,
+		redactAll: context.redactAll,
+		value
+	});
+	if (Array.isArray(value)) return scrubArray({
+		context,
+		value
+	});
+	if (value instanceof Set) {
+		if (context.visited.has(value)) return [CIRCULAR_VALUE];
+		context.visited.add(value);
+		const setResult = scrubArray({
+			context,
+			value: [...value]
+		});
+		context.visited.delete(value);
+		return setResult;
+	}
+	if (value instanceof Map) {
+		if (context.visited.has(value)) return { [CIRCULAR_VALUE]: true };
+		context.visited.add(value);
+		const asObject = Object.create(null);
+		for (const [k, v] of value.entries()) asObject[String(k)] = v;
+		const mapResult = scrubObject({
+			context,
+			value: asObject
+		});
+		context.visited.delete(value);
+		return mapResult;
+	}
+	if (value instanceof WeakMap) return "[WeakMap]";
+	if (value instanceof WeakSet) return "[WeakSet]";
+	if (value instanceof Date) return value.toISOString();
+	if (value instanceof Error) return `[Error: ${value.message}]`;
+	if (typeof value === "object") return scrubObject({
+		context,
+		value
+	});
+	return value;
+};
+/** @not-instrumented */
+const scrubParameters = ({ piiFields, redactAll, value }) => {
+	return scrubObject({
+		context: {
+			piiFieldsLower: piiFields.map((field) => field.toLowerCase()),
+			redactAll,
+			visited: /* @__PURE__ */ new WeakSet()
+		},
+		value
+	});
+};
+
+//#endregion
+//#region src/services/instrumentation/instrumentFunction/extractParams/extractParams.ts
+/**
+* Normalises the raw positional arguments of an instrumented function call
+* into a flat `Record<string, unknown>` suitable for structured logging.
+*
+* ## Why this is needed
+*
+* Instrumented functions are wrapped with `(...args: unknown[])`, so their
+* parameters arrive as an array. Logging a raw array loses the semantic names
+* of each argument. This function recovers a named representation:
+*
+* - **No arguments** → `{}`
+* - **Single plain-object argument** → that object is returned as-is, because
+*   SDK functions follow the single-object-parameter convention, so the object
+*   already carries named keys (`{ amount, to }`, etc.).
+* - **Everything else** (multiple args, a single primitive, a single array) →
+*   each value is indexed as `arg0`, `arg1`, …
+*
+* ## Why arrays are NOT treated as plain objects
+*
+* `typeof [] === 'object'` and `[] !== null`, so without the `Array.isArray`
+* guard a single-array argument would be returned as-is. That would produce
+* an object with numeric string keys (`{ '0': ..., '1': ... }`), which is
+* misleading and inconsistent with how multi-arg calls are handled. Instead,
+* arrays fall through to the indexed `arg0` path.
+* @not-instrumented
+*/
+const extractParams = (args) => {
+	if (args.length === 0) return {};
+	if (args.length === 1 && typeof args[0] === "object" && args[0] !== null && !Array.isArray(args[0])) return args[0];
+	const result = {};
+	for (let i = 0; i < args.length; i++) result[`arg${i}`] = args[i];
+	return result;
+};
+
+//#endregion
+//#region src/services/instrumentation/instrumentFunction/scrubResolvedValue/scrubResolvedValue.ts
+/**
+* Scrubs a resolved return value of any type before logging it.
+* Routes through `scrubParameters` by wrapping the value so that strings,
+* arrays, Dates, Errors, and all other types are handled identically to
+* nested object fields.
+* @not-instrumented
+*/
+const scrubResolvedValue = ({ piiFields, redactAll, value }) => scrubParameters({
+	piiFields,
+	redactAll,
+	value: { result: value }
+}).result;
+
+//#endregion
+//#region src/services/instrumentation/instrumentFunction/instrumentFunction.ts
+const serializeError = (error) => {
+	if (error instanceof Error) return {
+		message: error.message,
+		name: error.name,
+		stack: error.stack
+	};
+	return {
+		message: String(error),
+		name: "UnknownError"
+	};
+};
+/**
+* Wraps a function so that each invocation emits a structured
+* `FunctionInstrumentationEvent` at three lifecycle points:
+*
+* - **started** — immediately before the function body executes, with the
+*   PII-scrubbed call parameters.
+* - **resolved** — after the function (or its returned Promise) settles
+*   successfully, with the PII-scrubbed return value.
+* - **rejected** — if the function throws synchronously or its returned
+*   Promise rejects.
+*
+* The original return value (or thrown error) is always forwarded to the
+* caller unchanged — instrumentation is purely observational.
+*
+* ## Usage
+*
+* ```ts
+* const transfer = instrumentFunction({
+*   fn: rawTransfer,
+*   functionName: 'transfer',
+*   getCore: () => core,
+* });
+*
+* // When called, three events are emitted automatically:
+* await transfer({ amount: 1, to: '0xabc' });
+* ```
+*
+* ## How functions are wrapped
+*
+* `instrumentFunction` is not called manually in application code. Instead,
+* the esbuild instrumentation plugin (`tools/instrumentation-plugin`) injects
+* it at build time: any exported function annotated with `@instrumented` in its
+* JSDoc is automatically wrapped by the plugin during the build step.
+* The plugin strips the original `export`, renames the function, and re-exports
+* it under the original name via `instrumentFunction(...)` — so the public API
+* is unchanged and no call sites need to be updated.
+*
+* ## Opting out
+*
+* Instrumentation is skipped entirely when:
+* - `getCore()` returns `undefined` (SDK not initialised), or
+* - `core.instrumentation.config.enabled` is `false`.
+*
+* In both cases the original function is called directly with no overhead.
+*
+* ## PII scrubbing
+*
+* All string values whose key appears in `piiFields` are replaced with
+* `"[redacted]"` before events are emitted. Pass `redactAll: true` to redact
+* every field, regardless of key name.
+* @not-instrumented
+*/
+const instrumentFunction = ({ fn, functionName, getCore: getCore$1, redactAll }) => {
+	const wrapped = (...args) => {
+		const core = getCore$1();
+		if (!core) return fn(...args);
+		if (!core.instrumentation.config.enabled) return fn(...args);
+		const instrumentation = core.instrumentation;
+		const state = core.state.get();
+		const baseEvent = {
+			environmentId: core.environmentId,
+			functionName,
+			parameters: scrubParameters({
+				piiFields: instrumentation.config.piiFields,
+				redactAll,
+				value: extractParams(args)
+			}),
+			sdkSessionId: core.sdkSessionId,
+			sdkVersion: core.version,
+			status: "info",
+			tokenSessionId: state.token ? extractSessionId(state.token) : null,
+			userAgent: getUserAgent(),
+			userId: state.user?.id ?? null
+		};
+		instrumentation.logFunction({
+			...baseEvent,
+			phase: "started",
+			timestamp: (/* @__PURE__ */ new Date()).toISOString()
+		});
+		try {
+			const result = fn(...args);
+			if (result instanceof Promise) return result.then((value) => {
+				instrumentation.logFunction({
+					...baseEvent,
+					phase: "resolved",
+					resolvedValue: scrubResolvedValue({
+						piiFields: instrumentation.config.piiFields,
+						redactAll,
+						value
+					}),
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				return value;
+			}).catch((error) => {
+				instrumentation.logFunction({
+					...baseEvent,
+					phase: "rejected",
+					rejectedError: serializeError(error),
+					timestamp: (/* @__PURE__ */ new Date()).toISOString()
+				});
+				throw error;
+			});
+			instrumentation.logFunction({
+				...baseEvent,
+				phase: "resolved",
+				resolvedValue: scrubResolvedValue({
+					piiFields: instrumentation.config.piiFields,
+					redactAll,
+					value: result
+				}),
+				timestamp: (/* @__PURE__ */ new Date()).toISOString()
+			});
+			return result;
+		} catch (error) {
+			instrumentation.logFunction({
+				...baseEvent,
+				phase: "rejected",
+				rejectedError: serializeError(error),
+				timestamp: (/* @__PURE__ */ new Date()).toISOString()
+			});
+			throw error;
+		}
+	};
+	return wrapped;
+};
+
+//#endregion
+//#region src/modules/sessionKeys/getSessionKeys/getSessionKeys.ts
+/** @instrumented */
+const getSessionKeys = (client) => {
+	const publicKey = getCore(client).state.get().sessionKeys;
+	if (!publicKey) return;
+	return { publicKey };
+};
+const __getSessionKeys_impl = getSessionKeys;
+const __getSessionKeys_wrapped = instrumentFunction({
+	fn: __getSessionKeys_impl,
+	functionName: "getSessionKeys",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
+
+//#endregion
+//#region src/modules/auth/getElevatedAccessToken/getElevatedAccessToken.ts
+/**
+* Gets an elevated access token by scope.
+*
+* This function retrieves an elevated access token that contains the specified scope.
+* Expired tokens are automatically filtered out.
+*
+* By default, if the token has `singleUse: true`, it will be automatically
+* consumed (removed from state) after retrieval. Pass `consume: false` to
+* check for token existence without consuming it.
+*
+* @param params - The parameters object.
+* @param params.scope - The scope to match (e.g., 'wallet:export').
+* @param params.consume - Whether to consume single-use tokens (default: true).
+* @param [client] - The Dynamic client instance. Only required when using multiple Dynamic clients.
+* @returns The elevated access token if found and not expired, or undefined if not found or expired.
+*
+* @example
+* ```typescript
+* // Retrieve and consume (default)
+* const token = getElevatedAccessToken({ scope: 'wallet:export' });
+*
+* // Check existence without consuming
+* const token = getElevatedAccessToken({ scope: 'credential:unlink', consume: false });
+* ```
+* @not-instrumented
+*/
+const getElevatedAccessToken = ({ consume = true, scope }, client = getDefaultClient()) => {
+	const core = getCore(client);
+	const now = /* @__PURE__ */ new Date();
+	const elevatedAccessTokens = core.state.get().elevatedAccessTokens || [];
+	const validTokens = elevatedAccessTokens.filter((token$1) => !token$1.expiresAt || token$1.expiresAt > now);
+	if (validTokens.length !== elevatedAccessTokens.length) core.state.set({ elevatedAccessTokens: validTokens });
+	const token = validTokens.find((token$1) => token$1.scopes.includes(scope));
+	if (!token) return;
+	if (consume && token.singleUse) {
+		const updatedTokens = validTokens.filter((t) => t !== token);
+		core.state.set({ elevatedAccessTokens: updatedTokens });
+	}
+	return token.token;
+};
+const __getElevatedAccessToken_impl = getElevatedAccessToken;
+const __getElevatedAccessToken_wrapped = instrumentFunction({
+	fn: __getElevatedAccessToken_impl,
+	functionName: "getElevatedAccessToken",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
+
+//#endregion
+//#region src/errors/APIError/APIError.ts
+var APIError = class APIError extends BaseError {
+	status;
+	constructor(message, code, status) {
+		super({
+			cause: null,
+			code,
+			docsUrl: null,
+			name: "APIError",
+			shortMessage: message
+		});
+		this.status = status;
+	}
+	static async fromResponse(response) {
+		try {
+			const errorBody = await response.clone().json();
+			if (errorBody && "error" in errorBody && typeof errorBody.error === "string") {
+				const errorCode = "code" in errorBody && typeof errorBody.code === "string" ? errorBody.code : "unknown_error";
+				return new APIError(errorBody.error, errorCode, response.status);
+			}
+			return null;
+		} catch {
+			return null;
+		}
+	}
+};
+
+//#endregion
+//#region src/errors/InvalidExternalAuthError.ts
+var InvalidExternalAuthError = class extends BaseError {
+	constructor({ cause }) {
+		super({
+			cause,
+			code: "invalid_external_auth_error",
+			docsUrl: "https://www.dynamic.xyz/docs/external-auth/third-party-auth-overview",
+			name: "InvalidExternalAuthError",
+			shortMessage: "Error authenticating with external JWT"
+		});
+	}
+};
+
+//#endregion
+//#region src/errors/LinkCredentialError.ts
+var LinkCredentialError = class extends BaseError {
+	constructor({ cause }) {
+		super({
+			cause,
+			code: "link_credential_error",
+			docsUrl: null,
+			name: "LinkCredentialError",
+			shortMessage: "The credential you are trying to link is associated with another account and cannot be reassigned."
+		});
+	}
+};
+
+//#endregion
+//#region src/errors/MfaInvalidOtpError.ts
+var MfaInvalidOtpError = class extends BaseError {
+	constructor({ cause }) {
+		super({
+			cause,
+			code: "mfa_invalid_otp_error",
+			docsUrl: null,
+			name: "MfaInvalidOtpError",
+			shortMessage: "Invalid OTP"
+		});
+	}
+};
+
+//#endregion
+//#region src/errors/MfaRateLimitedError.ts
+var MfaRateLimitedError = class extends BaseError {
+	constructor({ cause }) {
+		super({
+			cause,
+			code: "mfa_rate_limited_error",
+			docsUrl: null,
+			name: "MfaRateLimitedError",
+			shortMessage: "Rate limited"
+		});
+	}
+};
+
+//#endregion
+//#region src/errors/SandboxMaximumThresholdReachedError.ts
+var SandboxMaximumThresholdReachedError = class extends BaseError {
+	constructor({ cause }) {
+		super({
+			cause,
+			code: "sandbox_maximum_threshold_reached_error",
+			docsUrl: "https://www.dynamic.xyz/docs/developer-dashboard/sandbox-vs-live#sandbox-vs-live",
+			name: "SandboxMaximumThresholdReachedError",
+			shortMessage: "Your sandbox environment has reached the maximum MAU. Please use a live environment for production traffic."
+		});
+	}
+};
+
+//#endregion
+//#region src/modules/apiClient/utils/clientErrorMapper/clientErrorMapper.ts
+/**
+* Default error mapper for the client that handles common API error codes.
+*
+* This mapper transforms specific API error codes into more specific error types:
+* - `mfa_invalid_code` → `MfaInvalidOtpError`
+* - `mfa_rate_limited` → `MfaRateLimitedError`
+*
+* @param error - The error to be mapped
+* @returns A transformed error if the error code matches a known pattern, or null if no transformation is needed
+*
+* @example
+* ```typescript
+* // This will be automatically applied to all API errors
+* const apiClient = createApiClient({}, client);
+*
+* // The clientErrorMapper will automatically convert mfa_invalid_code errors
+* // to MfaInvalidOtpError instances
+* ```
+* @not-instrumented
+*/
+const clientErrorMapper = (error) => {
+	if (error instanceof APIError) {
+		if (error.code === "mfa_invalid_code") return new MfaInvalidOtpError({ cause: error });
+		if (error.code === "mfa_rate_limited") return new MfaRateLimitedError({ cause: error });
+		if (error.code === "invalid_external_auth") return new InvalidExternalAuthError({ cause: error });
+		if (error.code === "sandbox_maximum_threshold_reached") return new SandboxMaximumThresholdReachedError({ cause: error });
+		if (error.code === "merge_accounts_invalid" || error.code === "reassign_wallet_error") return new LinkCredentialError({ cause: error });
+	}
+	return null;
+};
+
+//#endregion
+//#region src/modules/apiClient/utils/convertToApiErrorMiddleware/convertToApiErrorMiddleware.ts
+/**
+* Creates middleware that converts HTTP error responses to APIError instances
+* and optionally applies custom error mappers to transform them into specific error types.
+*
+* @param options.errorMappers - Array of error mappers to apply to API errors
+* @returns A middleware function that handles error conversion and mapping
+* @not-instrumented
+*/
+const createConvertToApiErrorMiddleware = ({ errorMappers = [] }) => ({ post: async (context) => {
+	if (context.response.status >= 400) {
+		const apiError = await APIError.fromResponse(context.response);
+		if (apiError) {
+			let errorToThrow = apiError;
+			for (const mapper of errorMappers) {
+				const newError = mapper(apiError);
+				if (newError) {
+					errorToThrow = newError;
+					break;
+				}
+			}
+			throw errorToThrow;
+		}
+	}
+	return context.response;
+} });
+
+//#endregion
+//#region src/utils/getNonce/getNonce.ts
+/**
+* Returns a nonce for wallet ownership verification.
+*
+* Pops the first nonce from the prefetched pool. When the pool is running low
+* (≤1 remaining after pop) a background refetch is triggered. If the pool is
+* empty, nonces are fetched on-demand before returning.
+* @instrumented
+*/
+const getNonce = async (client) => {
+	const core = getCore(client);
+	const pool = core.state.get().prefetchedNonces;
+	if (pool.length > 0) {
+		const [nonce, ...remaining] = pool;
+		core.state.set({ prefetchedNonces: remaining });
+		if (remaining.length <= 1) fetchAndStoreNonces(client);
+		return nonce;
+	}
+	await fetchAndStoreNonces(client);
+	return getNonce(client);
+};
+const __getNonce_impl = getNonce;
+const __getNonce_wrapped = instrumentFunction({
+	fn: __getNonce_impl,
+	functionName: "getNonce",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
+
+//#endregion
+//#region src/modules/deviceRegistration/getDeviceSigner/getDeviceSigner.ts
+/** @instrumented */
+const getDeviceSigner = async (client) => {
+	const { deviceSigner, keychain } = getCore(client);
+	/**
+	* If the device signer is available, it should handle the device signing.
+	* This is used for mobile devices with secure enclave.
+	*/
+	if (deviceSigner) return deviceSigner;
+	const keyName = "device";
+	if (!await keychain.getPublicKey(keyName)) await keychain.generateKey(keyName);
+	return {
+		getPublicKey: () => keychain.getPublicKey(keyName),
+		sign: (payload) => keychain.sign(keyName, payload)
+	};
+};
+const __getDeviceSigner_impl = getDeviceSigner;
+const __getDeviceSigner_wrapped = instrumentFunction({
+	fn: __getDeviceSigner_impl,
+	functionName: "getDeviceSigner",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
+
+//#endregion
+//#region src/modules/deviceRegistration/getHeadersForNonceSignedByDeviceSigners/getHeadersForNonceSignedByDeviceSigners.ts
+/** @instrumented */
+const getHeadersForNonceSignedByDeviceSigners = async (client) => {
+	const { projectSettings } = client;
+	assertDefined(projectSettings, "Project settings not found");
+	/**
+	* For cookie based environments, the device registration is handled
+	* by settings the cookie in the browser.
+	* Then we dont need to provide the headers
+	*/
+	if (isCookieEnabled(client)) return {};
+	const deviceSigner = await __getDeviceSigner_wrapped(client);
+	const nonce = await __getNonce_wrapped(client);
+	const signedNonce = await deviceSigner.sign(nonce);
+	const publicKey = await deviceSigner.getPublicKey();
+	return {
+		"x-dynamic-device-nonce": nonce,
+		"x-dynamic-device-publickey": publicKey,
+		"x-dynamic-device-signed-nonce": signedNonce
+	};
+};
+const __getHeadersForNonceSignedByDeviceSigners_impl = getHeadersForNonceSignedByDeviceSigners;
+const __getHeadersForNonceSignedByDeviceSigners_wrapped = instrumentFunction({
+	fn: __getHeadersForNonceSignedByDeviceSigners_impl,
+	functionName: "getHeadersForNonceSignedByDeviceSigners",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
+
+//#endregion
+//#region src/modules/apiClient/utils/deviceSignatureHeadersMiddleware/createDeviceSignatureHeadersMiddleware.ts
+/** @instrumented */
+const createDeviceSignatureHeadersMiddleware = (client) => {
+	return { pre: async (context) => {
+		/**
+		* The signed nonce is not required for cookie based environments.
+		*/
+		if (isDeviceNonceSignatureRequiredForUrl(context.url) && !isCookieEnabled(client)) {
+			const deviceSignerHeaders = await __getHeadersForNonceSignedByDeviceSigners_wrapped(client);
+			return {
+				init: {
+					...context.init,
+					headers: {
+						...context.init.headers,
+						...deviceSignerHeaders
+					}
+				},
+				url: context.url
+			};
+		}
+	} };
+};
+const __createDeviceSignatureHeadersMiddleware_impl = createDeviceSignatureHeadersMiddleware;
+const __createDeviceSignatureHeadersMiddleware_wrapped = instrumentFunction({
+	fn: __createDeviceSignatureHeadersMiddleware_impl,
+	functionName: "createDeviceSignatureHeadersMiddleware",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
+
+//#endregion
+//#region src/errors/UnauthorizedError.ts
+var UnauthorizedError = class extends BaseError {
+	constructor({ cause }) {
+		super({
+			cause,
+			code: "unauthorized_error",
+			docsUrl: null,
+			name: "UnauthorizedError",
+			shortMessage: "Unauthorized"
+		});
+	}
+};
+
+//#endregion
+//#region src/modules/apiClient/utils/unauthorizedMiddleware/createUnauthorizedMiddleware.ts
+/** @not-instrumented */
+const createUnauthorizedMiddleware = () => ({ post: async (context) => {
+	if (context.response.status === 401) {
+		let cause = null;
+		try {
+			const errorBody = await context.response.clone().json();
+			if (errorBody && "error" in errorBody && typeof errorBody.error === "string") cause = new Error(errorBody.error);
+		} catch {}
+		throw new UnauthorizedError({ cause });
+	}
+	return context.response;
+} });
+
+//#endregion
+//#region src/modules/apiClient/createApiClient.ts
+/**
+* Returns a new instance of the SDK API client.
+*
+* This is not meant for storing, as it is very light we can create it whenever needed.
+* @instrumented
+*/
+const createApiClient = (options = {}, client) => {
+	const core = getCore(client);
+	const coreState = core.state.get();
+	const settings = {
+		basePath: core.apiBaseUrl,
+		headers: {
+			"Content-Type": "application/json",
+			[DYNAMIC_API_VERSION_HEADER]: `API/${DYNAMIC_SDK_API_VERSION}`,
+			[DYNAMIC_REQUEST_ID_HEADER]: randomString({ length: 50 }),
+			[DYNAMIC_SDK_SESSION_ID_HEADER]: core.sdkSessionId,
+			[DYNAMIC_SDK_VERSION_HEADER]: `${CLIENT_SDK_NAME}/${version}`,
+			...core.getApiHeaders(),
+			...options.headers
+		}
+	};
+	if (client.token) settings.headers.Authorization = `Bearer ${client.token}`;
+	if (client.projectSettings && isCookieEnabled(client)) settings.credentials = "include";
+	if (options.includeMfaToken && coreState.mfaToken) settings.headers[MFA_TOKEN_HEADER] = coreState.mfaToken;
+	if (options.elevatedAccessTokenScope) {
+		const elevatedToken = __getElevatedAccessToken_wrapped({ scope: options.elevatedAccessTokenScope }, client);
+		if (elevatedToken) settings.headers[ELEVATED_ACCESS_TOKEN_HEADER] = elevatedToken;
+	}
+	const sessionPublicKey = __getSessionKeys_wrapped(client)?.publicKey;
+	const isSessionPublicKeyHeaderPresent = settings.headers[SESSION_PUBLIC_KEY_HEADER] !== void 0;
+	if (sessionPublicKey && !isSessionPublicKeyHeaderPresent) settings.headers[SESSION_PUBLIC_KEY_HEADER] = sessionPublicKey;
+	return new SDKApi(new Configuration({
+		...settings,
+		fetchApi: core.fetch,
+		middleware: [
+			__createDeviceSignatureHeadersMiddleware_wrapped(client),
+			createConvertToApiErrorMiddleware({ errorMappers: [...options.errorMappers || [], clientErrorMapper] }),
+			createUnauthorizedMiddleware()
+		]
+	}));
+};
+const __createApiClient_impl = createApiClient;
+const __createApiClient_wrapped = instrumentFunction({
+	fn: __createApiClient_impl,
+	functionName: "createApiClient",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
+
+//#endregion
+//#region src/utils/getNonce/fetchAndStoreNonces/fetchAndStoreNonces.ts
+/**
+* Fetches a batch of nonces from the API.
+*
+* Prefetching is critical for iOS deep link wallet providers (e.g. Phantom
+* redirect). On iOS, a network request (like fetching a nonce) between a user
+* action and a deeplink call will break the gesture chain, causing iOS to
+* silently ignore the deeplink. By prefetching nonces ahead of time,
+* `getNonce` can return synchronously from cache and the deeplink fires
+* without an interrupting network round-trip.
+*
+* New nonces are **appended** to the existing pool so that unconsumed entries
+* are not discarded by a background refetch.
+* @not-instrumented
+*/
+const fetchAndStoreNonces = async (client) => {
+	const core = getCore(client);
+	const { environmentId } = core;
+	const { nonces } = await __createApiClient_wrapped({}, client).getNonces({
+		count: NONCE_POOL_SIZE,
+		environmentId
+	});
+	const existing = core.state.get().prefetchedNonces;
+	core.state.set({
+		prefetchedNonces: [...existing, ...nonces],
+		prefetchedNoncesExpiration: Date.now() + NONCE_POOL_EXPIRATION_TIME
+	});
+};
+
+//#endregion
+//#region src/modules/wallets/constants.ts
+const CHAINS_INFO_MAP = {
+	ALEO: {
+		apiChainName: "aleo",
+		blockchainName: "Aleo",
+		verifiedCredentialChainName: "aleo"
+	},
+	ALGO: {
+		apiChainName: "algo",
+		blockchainName: "Algorand",
+		verifiedCredentialChainName: "algorand"
+	},
+	APTOS: {
+		apiChainName: "aptos",
+		blockchainName: "Aptos",
+		verifiedCredentialChainName: "aptos"
+	},
+	BTC: {
+		apiChainName: "bitcoin",
+		blockchainName: "Bitcoin",
+		verifiedCredentialChainName: "bip122"
+	},
+	COSMOS: {
+		apiChainName: "cosmos",
+		blockchainName: "Cosmos",
+		verifiedCredentialChainName: "cosmos"
+	},
+	ECLIPSE: {
+		apiChainName: "eclipse",
+		blockchainName: "Eclipse",
+		verifiedCredentialChainName: "eclipse"
+	},
+	EVM: {
+		apiChainName: "evm",
+		blockchainName: "Ethereum",
+		verifiedCredentialChainName: "eip155"
+	},
+	FLOW: {
+		apiChainName: "flow",
+		blockchainName: "Flow",
+		verifiedCredentialChainName: "flow"
+	},
+	MIDNIGHT: {
+		apiChainName: "midnight",
+		blockchainName: "Midnight",
+		verifiedCredentialChainName: "midnight"
+	},
+	SOL: {
+		apiChainName: "solana",
+		blockchainName: "Solana",
+		verifiedCredentialChainName: "solana",
+		waasChainNameOverride: "SVM"
+	},
+	SPARK: {
+		apiChainName: "spark",
+		blockchainName: "Spark",
+		verifiedCredentialChainName: "spark"
+	},
+	STARK: {
+		apiChainName: "starknet",
+		blockchainName: "Starknet",
+		verifiedCredentialChainName: "starknet"
+	},
+	STELLAR: {
+		apiChainName: "stellar",
+		blockchainName: "Stellar",
+		verifiedCredentialChainName: "stellar"
+	},
+	SUI: {
+		apiChainName: "sui",
+		blockchainName: "Sui",
+		verifiedCredentialChainName: "sui"
+	},
+	TEMPO: {
+		apiChainName: "tempo",
+		blockchainName: "Tempo",
+		verifiedCredentialChainName: "tempo"
+	},
+	TON: {
+		apiChainName: "ton",
+		blockchainName: "TON",
+		verifiedCredentialChainName: "ton"
+	},
+	TRON: {
+		apiChainName: "tron",
+		blockchainName: "Tron",
+		verifiedCredentialChainName: "tron"
+	}
+};
+
+//#endregion
+//#region src/utils/getChainFromVerifiedCredentialChain/getChainFromVerifiedCredentialChain.ts
+/** @instrumented */
+const getChainFromVerifiedCredentialChain = (verifiedCredentialChain) => {
+	const chain = Object.keys(CHAINS_INFO_MAP).find((chain$1) => CHAINS_INFO_MAP[chain$1].verifiedCredentialChainName === verifiedCredentialChain);
+	assertDefined(chain, `Unknown chain: ${verifiedCredentialChain}`);
+	return chain;
+};
+const __getChainFromVerifiedCredentialChain_impl = getChainFromVerifiedCredentialChain;
+const __getChainFromVerifiedCredentialChain_wrapped = instrumentFunction({
+	fn: __getChainFromVerifiedCredentialChain_impl,
+	functionName: "getChainFromVerifiedCredentialChain",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
+
+//#endregion
+//#region src/constants.ts
+const SDK_API_CORE_VERSION = dependencies["@dynamic-labs/sdk-api-core"];
+const DYNAMIC_ICONIC_SPRITE_URL = "https://iconic.dynamic-static-assets.com/icons/sprite.svg";
+
+//#endregion
+//#region src/modules/waas/constants.ts
+const DEFAULT_WAAS_BASE_API_URL = "https://app.dynamicauth.com";
+const DEFAULT_WAAS_BASE_MPC_RELAY_API_URL = "https://relay.dynamicauth.com";
+const DYNAMIC_WAAS_METADATA = {
+	displayName: "Dynamic WaaS",
+	icon: `${DYNAMIC_ICONIC_SPRITE_URL}#dynamicwaas`,
+	normalizedWalletName: "dynamicwaas"
+};
+
+//#endregion
+//#region src/errors/InvalidParamError.ts
+var InvalidParamError = class extends BaseError {
+	constructor(message) {
+		super({
+			cause: null,
+			code: "invalid_param_error",
+			docsUrl: null,
+			name: "InvalidParamError",
+			shortMessage: message
+		});
+	}
+};
+
+//#endregion
+export { ValueMustBeDefinedError as A, name as B, __getSessionKeys_wrapped as C, extractSessionId as D, getUserAgent as E, getDefaultClient as F, setDefaultClient as I, ClientNotFoundError as L, CLIENT_SDK_NAME as M, DYNAMIC_SDK_API_VERSION as N, isCookieEnabled as O, NONCE_POOL_SIZE as P, BaseError as R, __getElevatedAccessToken_wrapped as S, DEFAULT_PII_FIELDS as T, version as V, MfaRateLimitedError as _, DYNAMIC_ICONIC_SPRITE_URL as a, InvalidExternalAuthError as b, CHAINS_INFO_MAP as c, UnauthorizedError as d, __createDeviceSignatureHeadersMiddleware_wrapped as f, SandboxMaximumThresholdReachedError as g, __getNonce_wrapped as h, DYNAMIC_WAAS_METADATA as i, randomString as j, assertDefined as k, fetchAndStoreNonces as l, __getDeviceSigner_wrapped as m, DEFAULT_WAAS_BASE_API_URL as n, SDK_API_CORE_VERSION as o, __getHeadersForNonceSignedByDeviceSigners_wrapped as p, DEFAULT_WAAS_BASE_MPC_RELAY_API_URL as r, __getChainFromVerifiedCredentialChain_wrapped as s, InvalidParamError as t, __createApiClient_wrapped as u, MfaInvalidOtpError as v, instrumentFunction as w, APIError as x, LinkCredentialError as y, getCore as z };
+//# sourceMappingURL=InvalidParamError-B5NwKSKU.native.esm.js.map