@every-app/sdk 0.1.4 → 0.1.6

package/dist/cloudflare/server/gateway.d.ts

@@ -0,0 +1,29 @@
+interface GatewayFetcher {
+    fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
+}
+interface GatewayEnv {
+    GATEWAY_URL?: string;
+    EVERY_APP_GATEWAY?: GatewayFetcher;
+    GATEWAY_APP_API_TOKEN?: string;
+    APP_TOKEN?: string;
+}
+interface FetchGatewayOptions {
+    env: GatewayEnv;
+    /** The URL, path, or Request to send to the gateway. Typically the full URL
+     *  passed by a provider SDK's custom `fetch` override. */
+    url: string | URL | Request;
+    /** Standard `RequestInit` (method, headers, body, etc.) from the provider SDK. */
+    init?: RequestInit;
+}
+export declare function getGatewayUrl(env: GatewayEnv): string;
+/**
+ * Fetch from the gateway proxy, authenticating with the app token.
+ *
+ * - Strips any existing `Authorization` header (the gateway only accepts
+ *   app token auth via `x-every-app-token`).
+ * - Requires `GATEWAY_APP_API_TOKEN` (or legacy `APP_TOKEN`) in the env.
+ * - Routes via service binding in production, falls back to HTTP in dev.
+ */
+export declare function fetchGateway({ env, url, init, }: FetchGatewayOptions): Promise<Response>;
+export {};
+//# sourceMappingURL=gateway.d.ts.map

package/dist/cloudflare/server/gateway.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../../../src/cloudflare/server/gateway.ts"],"names":[],"mappings":"AAGA,UAAU,cAAc;IACtB,KAAK,CAAC,KAAK,EAAE,WAAW,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACxE;AAED,UAAU,UAAU;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,cAAc,CAAC;IACnC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,mBAAmB;IAC3B,GAAG,EAAE,UAAU,CAAC;IAChB;8DAC0D;IAC1D,GAAG,EAAE,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC;IAC5B,kFAAkF;IAClF,IAAI,CAAC,EAAE,WAAW,CAAC;CACpB;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,UAAU,GAAG,MAAM,CAMrD;AAED;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAAC,EACjC,GAAG,EACH,GAAG,EACH,IAAI,GACL,EAAE,mBAAmB,GAAG,OAAO,CAAC,QAAQ,CAAC,CAgBzC"}

package/dist/cloudflare/server/gateway.js

@@ -0,0 +1,63 @@
+const SERVICE_BINDING_ORIGIN = "http://localhost";
+const APP_TOKEN_HEADER = "x-every-app-token";
+export function getGatewayUrl(env) {
+    const gatewayUrl = env.GATEWAY_URL?.trim();
+    if (!gatewayUrl) {
+        throw new Error("GATEWAY_URL is required");
+    }
+    return gatewayUrl;
+}
+/**
+ * Fetch from the gateway proxy, authenticating with the app token.
+ *
+ * - Strips any existing `Authorization` header (the gateway only accepts
+ *   app token auth via `x-every-app-token`).
+ * - Requires `GATEWAY_APP_API_TOKEN` (or legacy `APP_TOKEN`) in the env.
+ * - Routes via service binding in production, falls back to HTTP in dev.
+ */
+export async function fetchGateway({ env, url, init, }) {
+    const gatewayBaseUrl = getGatewayUrl(env);
+    const resolvedRequest = toRequest(url, init, gatewayBaseUrl);
+    const authenticatedRequest = applyAppTokenAuth(resolvedRequest, env);
+    // Use service binding when available for zero-latency internal routing
+    // (available in production Workers, not in local dev)
+    if (env.EVERY_APP_GATEWAY) {
+        const url = new URL(authenticatedRequest.url);
+        const bindingUrl = `${SERVICE_BINDING_ORIGIN}${url.pathname}${url.search}`;
+        const bindingRequest = new Request(bindingUrl, authenticatedRequest);
+        return env.EVERY_APP_GATEWAY.fetch(bindingRequest);
+    }
+    // Fall back to HTTP fetch for local dev
+    return fetch(authenticatedRequest);
+}
+function applyAppTokenAuth(request, env) {
+    const appToken = getGatewayAppApiToken(env);
+    if (!appToken) {
+        throw new Error("GATEWAY_APP_API_TOKEN is required. Run `npx everyapp app deploy` to provision one.");
+    }
+    const headers = new Headers(request.headers);
+    headers.delete("authorization");
+    headers.set(APP_TOKEN_HEADER, appToken);
+    return new Request(request, { headers });
+}
+function getGatewayAppApiToken(env) {
+    const configuredToken = env.GATEWAY_APP_API_TOKEN?.trim();
+    if (configuredToken) {
+        return configuredToken;
+    }
+    const legacyToken = env.APP_TOKEN?.trim();
+    return legacyToken || null;
+}
+function toRequest(input, init, baseUrl) {
+    if (input instanceof Request) {
+        return init ? new Request(input, init) : input;
+    }
+    if (input instanceof URL) {
+        return new Request(input.toString(), init);
+    }
+    if (typeof input === "string" && baseUrl && !/^https?:\/\//i.test(input)) {
+        const normalizedPath = input.startsWith("/") ? input : `/${input}`;
+        return new Request(new URL(normalizedPath, baseUrl).toString(), init);
+    }
+    return new Request(input, init);
+}

package/dist/cloudflare/server/index.d.ts

@@ -1,2 +1,3 @@
 export { getLocalD1Url } from "../getLocalD1Url.js";
+export { fetchGateway, getGatewayUrl } from "./gateway";
 //# sourceMappingURL=index.d.ts.map

package/dist/cloudflare/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cloudflare/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cloudflare/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC"}

package/dist/cloudflare/server/index.js

@@ -1 +1,2 @@
 export { getLocalD1Url } from "../getLocalD1Url.js";
+export { fetchGateway, getGatewayUrl } from "./gateway";

package/dist/core/authenticatedFetch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authenticatedFetch.d.ts","sourceRoot":"","sources":["../../src/core/authenticatedFetch.ts"],"names":[],"mappings":"AAaA;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC,CAmBvD;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GACjB,OAAO,CAAC,QAAQ,CAAC,CAUnB"}
+{"version":3,"file":"authenticatedFetch.d.ts","sourceRoot":"","sources":["../../src/core/authenticatedFetch.ts"],"names":[],"mappings":"AAQA;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC,CAevD;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GACjB,OAAO,CAAC,QAAQ,CAAC,CAUnB"}

package/dist/core/authenticatedFetch.js

@@ -1,11 +1,7 @@
-import { LOCAL_ONLY_TOKEN, isLocalOnlyClient, } from "../shared/demoModeLocalOnly";
 /**
  * Gets the current session token from the embedded session manager
  */
 export async function getSessionToken() {
-    if (isLocalOnlyClient()) {
-        return LOCAL_ONLY_TOKEN;
-    }
     const windowWithSession = window;
     const sessionManager = windowWithSession.__embeddedSessionManager;
     if (!sessionManager) {

package/dist/core/sessionManager.d.ts

@@ -10,7 +10,6 @@ export declare class SessionManager {
     readonly parentOrigin: string;
     readonly appId: string;
     readonly isInIframe: boolean;
-    readonly isDemoModeLocalOnly: boolean;
     private token;
     private refreshPromise;
     constructor(config: SessionManagerConfig);

package/dist/core/sessionManager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sessionManager.d.ts","sourceRoot":"","sources":["../../src/core/sessionManager.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAMD;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAQ3C;AAED,qBAAa,cAAc;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC;IAEtC,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,cAAc,CAAgC;gBAE1C,MAAM,EAAE,oBAAoB;IAoCxC,OAAO,CAAC,mBAAmB;IAO3B,OAAO,CAAC,uBAAuB;IAuCzB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IAsDlC,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAcjC,aAAa,IAAI;QACf,MAAM,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAC;QACxD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;KACtB;IAgBD;;;OAGG;IACH,OAAO,IAAI;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CA+BpD"}
+{"version":3,"file":"sessionManager.d.ts","sourceRoot":"","sources":["../../src/core/sessionManager.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAMD;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAQ3C;AAED,qBAAa,cAAc;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAE7B,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,cAAc,CAAgC;gBAE1C,MAAM,EAAE,oBAAoB;IAqBxC,OAAO,CAAC,mBAAmB;IAO3B,OAAO,CAAC,uBAAuB;IAuCzB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IA8ClC,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAOjC,aAAa,IAAI;QACf,MAAM,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAC;QACxD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;KACtB;IAgBD;;;OAGG;IACH,OAAO,IAAI;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CAwBpD"}

package/dist/core/sessionManager.js

@@ -1,4 +1,3 @@
-import { LOCAL_ONLY_EMAIL, LOCAL_ONLY_TOKEN, LOCAL_ONLY_USER_ID, isLocalOnlyClient, } from "../shared/demoModeLocalOnly";
 const MESSAGE_TIMEOUT_MS = 5000;
 const TOKEN_EXPIRY_BUFFER_MS = 10000;
 const DEFAULT_TOKEN_LIFETIME_MS = 60000;
@@ -20,37 +19,25 @@ export class SessionManager {
     parentOrigin;
     appId;
     isInIframe;
-    isDemoModeLocalOnly;
     token = null;
     refreshPromise = null;
     constructor(config) {
         if (!config.appId) {
             throw new Error("[SessionManager] appId is required.");
         }
-        this.isDemoModeLocalOnly = isLocalOnlyClient();
         const gatewayUrl = import.meta.env.VITE_GATEWAY_URL;
-        if (!this.isDemoModeLocalOnly) {
-            if (!gatewayUrl) {
-                throw new Error("[SessionManager] VITE_GATEWAY_URL env var is required.");
-            }
-            try {
-                new URL(gatewayUrl);
-            }
-            catch {
-                throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
-            }
+        if (!gatewayUrl) {
+            throw new Error("[SessionManager] VITE_GATEWAY_URL env var is required.");
+        }
+        try {
+            new URL(gatewayUrl);
+        }
+        catch {
+            throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
         }
         this.appId = config.appId;
-        this.parentOrigin = this.isDemoModeLocalOnly
-            ? window.location.origin
-            : gatewayUrl;
+        this.parentOrigin = gatewayUrl;
         this.isInIframe = isRunningInIframe();
-        if (this.isDemoModeLocalOnly) {
-            this.token = {
-                token: LOCAL_ONLY_TOKEN,
-                expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
-            };
-        }
     }
     isTokenExpiringSoon(bufferMs = TOKEN_EXPIRY_BUFFER_MS) {
         if (!this.token)
@@ -90,13 +77,6 @@ export class SessionManager {
         });
     }
     async requestNewToken() {
-        if (this.isDemoModeLocalOnly) {
-            this.token = {
-                token: LOCAL_ONLY_TOKEN,
-                expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
-            };
-            return this.token.token;
-        }
         if (this.refreshPromise) {
             return this.refreshPromise;
         }
@@ -132,12 +112,6 @@ export class SessionManager {
         }
     }
     async getToken() {
-        if (this.isDemoModeLocalOnly) {
-            if (!this.token || this.isTokenExpiringSoon()) {
-                return this.requestNewToken();
-            }
-            return this.token.token;
-        }
         if (this.isTokenExpiringSoon()) {
             return this.requestNewToken();
         }
@@ -160,12 +134,6 @@ export class SessionManager {
      * Returns null if no valid token is available.
      */
     getUser() {
-        if (this.isDemoModeLocalOnly) {
-            return {
-                userId: LOCAL_ONLY_USER_ID,
-                email: LOCAL_ONLY_EMAIL,
-            };
-        }
         if (!this.token) {
             return null;
         }

package/dist/shared/demoModeLocalOnly.d.ts

@@ -1,9 +1,9 @@
-export declare const LOCAL_ONLY_TOKEN = "DEMO_MODE_LOCAL_ONLY";
-export declare const LOCAL_ONLY_USER_ID = "demo-local-user";
-export declare const LOCAL_ONLY_EMAIL = "demo-local-user@local";
-export declare function isLocalOnlyClient(): boolean;
-export declare function isLocalOnlyServer(): boolean;
-export declare function createLocalOnlySessionPayload(audience: string): {
+export declare const DEMO_MODE_LOCAL_ONLY_TOKEN = "DEMO_MODE_LOCAL_ONLY";
+export declare const DEMO_MODE_LOCAL_ONLY_USER_ID = "demo-local-user";
+export declare const DEMO_MODE_LOCAL_ONLY_EMAIL = "demo-local-user@local";
+export declare function isDemoModeLocalOnlyClient(): boolean;
+export declare function isDemoModeLocalOnlyServer(): boolean;
+export declare function createDemoModeLocalOnlySessionPayload(audience: string): {
     sub: string;
     email: string;
     iss: string;

package/dist/shared/demoModeLocalOnly.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"demoModeLocalOnly.d.ts","sourceRoot":"","sources":["../../src/shared/demoModeLocalOnly.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,gBAAgB,yBAAyB,CAAC;AACvD,eAAO,MAAM,kBAAkB,oBAAoB,CAAC;AACpD,eAAO,MAAM,gBAAgB,0BAA0B,CAAC;AAExD,wBAAgB,iBAAiB,IAAI,OAAO,CAE3C;AAED,wBAAgB,iBAAiB,IAAI,OAAO,CAa3C;AAED,wBAAgB,6BAA6B,CAAC,QAAQ,EAAE,MAAM;;;;;;;EAY7D"}
+{"version":3,"file":"demoModeLocalOnly.d.ts","sourceRoot":"","sources":["../../src/shared/demoModeLocalOnly.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,0BAA0B,yBAAyB,CAAC;AACjE,eAAO,MAAM,4BAA4B,oBAAoB,CAAC;AAC9D,eAAO,MAAM,0BAA0B,0BAA0B,CAAC;AAElE,wBAAgB,yBAAyB,IAAI,OAAO,CAEnD;AAED,wBAAgB,yBAAyB,IAAI,OAAO,CAiBnD;AAED,wBAAgB,qCAAqC,CAAC,QAAQ,EAAE,MAAM;;;;;;;EAYrE"}

package/dist/shared/demoModeLocalOnly.js

@@ -1,27 +1,28 @@
-export const LOCAL_ONLY_TOKEN = "DEMO_MODE_LOCAL_ONLY";
-export const LOCAL_ONLY_USER_ID = "demo-local-user";
-export const LOCAL_ONLY_EMAIL = "demo-local-user@local";
-export function isLocalOnlyClient() {
-    return import.meta.env.VITE_LOCAL_ONLY === "true";
+export const DEMO_MODE_LOCAL_ONLY_TOKEN = "DEMO_MODE_LOCAL_ONLY";
+export const DEMO_MODE_LOCAL_ONLY_USER_ID = "demo-local-user";
+export const DEMO_MODE_LOCAL_ONLY_EMAIL = "demo-local-user@local";
+export function isDemoModeLocalOnlyClient() {
+    return import.meta.env.VITE_DEMO_MODE_LOCAL_ONLY === "true";
 }
-export function isLocalOnlyServer() {
+export function isDemoModeLocalOnlyServer() {
     const metaEnv = import.meta
         .env;
-    const metaValue = metaEnv?.LOCAL_ONLY ?? metaEnv?.VITE_LOCAL_ONLY;
+    const metaValue = metaEnv?.DEMO_MODE_LOCAL_ONLY ?? metaEnv?.VITE_DEMO_MODE_LOCAL_ONLY;
     if (metaValue === "true") {
         return true;
     }
-    if (typeof process !== "undefined" && process.env?.LOCAL_ONLY === "true") {
+    if (typeof process !== "undefined" &&
+        process.env?.DEMO_MODE_LOCAL_ONLY === "true") {
         return true;
     }
     return false;
 }
-export function createLocalOnlySessionPayload(audience) {
+export function createDemoModeLocalOnlySessionPayload(audience) {
     const issuedAt = Math.floor(Date.now() / 1000);
     const expiresAt = issuedAt + 60 * 60;
     return {
-        sub: LOCAL_ONLY_USER_ID,
-        email: LOCAL_ONLY_EMAIL,
+        sub: DEMO_MODE_LOCAL_ONLY_USER_ID,
+        email: DEMO_MODE_LOCAL_ONLY_EMAIL,
         iss: "local",
         aud: audience,
         iat: issuedAt,

package/dist/tanstack/EmbeddedAppProvider.js

@@ -11,8 +11,8 @@ export function EmbeddedAppProvider({ children, ...config }) {
     useEveryAppRouter({ sessionManager });
     if (!sessionManager)
         return null;
-    // Check if the app is running outside of the Gateway iframe (skip in demo mode)
-    if (!sessionManager.isInIframe && !sessionManager.isDemoModeLocalOnly) {
+    // Check if the app is running outside of the Gateway iframe
+    if (!sessionManager.isInIframe) {
         return (_jsx(GatewayRequiredError, { gatewayOrigin: sessionManager.parentOrigin, appId: config.appId }));
     }
     const value = {

package/dist/tanstack/_internal/useEveryAppSession.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useEveryAppSession.d.ts","sourceRoot":"","sources":["../../../src/tanstack/_internal/useEveryAppSession.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAE3D,UAAU,oBAAoB;IAC5B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,wBAAwB;IAChC,oBAAoB,EAAE,oBAAoB,CAAC;CAC5C;AAED,wBAAgB,kBAAkB,CAAC,EACjC,oBAAoB,GACrB,EAAE,wBAAwB;;;;;;EA+C1B"}
+{"version":3,"file":"useEveryAppSession.d.ts","sourceRoot":"","sources":["../../../src/tanstack/_internal/useEveryAppSession.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAE3D,UAAU,oBAAoB;IAC5B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,wBAAwB;IAChC,oBAAoB,EAAE,oBAAoB,CAAC;CAC5C;AAED,wBAAgB,kBAAkB,CAAC,EACjC,oBAAoB,GACrB,EAAE,wBAAwB;;;;;;EA8C1B"}

package/dist/tanstack/_internal/useEveryAppSession.js

@@ -13,8 +13,8 @@ export function useEveryAppSession({ sessionManagerConfig, }) {
     useEffect(() => {
         if (!sessionManager)
             return;
-        // Skip token requests when not in iframe (unless in demo mode) - the app will show GatewayRequiredError instead
-        if (!sessionManager.isInIframe && !sessionManager.isDemoModeLocalOnly)
+        // Skip token requests when not in iframe - the app will show GatewayRequiredError instead
+        if (!sessionManager.isInIframe)
             return;
         const interval = setInterval(() => {
             setSessionTokenState(sessionManager.getTokenState());

package/dist/tanstack/server/authConfig.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authConfig.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authConfig.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAI1C,wBAAgB,aAAa,IAAI,UAAU,CAU1C"}
+{"version":3,"file":"authConfig.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authConfig.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAG1C,wBAAgB,aAAa,IAAI,UAAU,CAK1C"}

package/dist/tanstack/server/authConfig.js

@@ -1,11 +1,7 @@
 import { env } from "cloudflare:workers";
-import { isLocalOnlyServer } from "../../shared/demoModeLocalOnly";
 export function getAuthConfig() {
-    const demoModeLocalOnlyEnv = env.LOCAL_ONLY;
-    const isDemoModeLocalOnly = demoModeLocalOnlyEnv === "true" || isLocalOnlyServer() === true;
-    const issuer = env.GATEWAY_URL || (isDemoModeLocalOnly ? "local" : "");
     return {
-        issuer,
+        issuer: env.GATEWAY_URL,
         audience: import.meta.env.VITE_APP_ID,
     };
 }

package/dist/tanstack/server/authenticateRequest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAQ1C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA2CrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}
+{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAG1C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA8BrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}

package/dist/tanstack/server/authenticateRequest.js

@@ -1,26 +1,16 @@
 import { getRequest } from "@tanstack/react-start/server";
 import { createLocalJWKSet, jwtVerify, } from "jose";
 import { env } from "cloudflare:workers";
-import { LOCAL_ONLY_TOKEN, createLocalOnlySessionPayload, isLocalOnlyServer, } from "../../shared/demoModeLocalOnly";
 export async function authenticateRequest(authConfig, providedRequest) {
     const request = providedRequest || getRequest();
     const authHeader = request.headers.get("authorization");
-    const demoModeLocalOnlyEnv = env.LOCAL_ONLY;
-    const isDemoModeLocalOnly = demoModeLocalOnlyEnv === "true" || isLocalOnlyServer() === true;
     if (!authHeader) {
-        console.log("No auth header found");
         return null;
     }
     const token = extractBearerToken(authHeader);
     if (!token) {
         return null;
     }
-    if (isDemoModeLocalOnly) {
-        if (token !== LOCAL_ONLY_TOKEN) {
-            return null;
-        }
-        return createLocalOnlySessionPayload(authConfig.audience);
-    }
     try {
         const session = await verifySessionToken(token, authConfig);
         return session;

package/dist/tanstack/useSessionTokenClientMiddleware.d.ts

@@ -1,2 +1,6 @@
-export declare const useSessionTokenClientMiddleware: import("@tanstack/react-start").FunctionMiddlewareAfterClient<{}, unknown, undefined, undefined, undefined>;
+/**
+ * Exported as `any` to avoid cross-package type identity issues when apps and
+ * the SDK resolve different `@tanstack/react-start` instances in a monorepo.
+ */
+export declare const useSessionTokenClientMiddleware: any;
 //# sourceMappingURL=useSessionTokenClientMiddleware.d.ts.map

package/dist/tanstack/useSessionTokenClientMiddleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useSessionTokenClientMiddleware.d.ts","sourceRoot":"","sources":["../../src/tanstack/useSessionTokenClientMiddleware.ts"],"names":[],"mappings":"AAOA,eAAO,MAAM,+BAA+B,6GAmC1C,CAAC"}
+{"version":3,"file":"useSessionTokenClientMiddleware.d.ts","sourceRoot":"","sources":["../../src/tanstack/useSessionTokenClientMiddleware.ts"],"names":[],"mappings":"AAgCA;;;GAGG;AACH,eAAO,MAAM,+BAA+B,EAAE,GACZ,CAAC"}

package/dist/tanstack/useSessionTokenClientMiddleware.js

@@ -1,15 +1,7 @@
 import { createMiddleware } from "@tanstack/react-start";
-import { LOCAL_ONLY_TOKEN, isLocalOnlyClient, } from "../shared/demoModeLocalOnly";
-export const useSessionTokenClientMiddleware = createMiddleware({
+const _useSessionTokenClientMiddleware = createMiddleware({
     type: "function",
 }).client(async ({ next }) => {
-    if (isLocalOnlyClient()) {
-        return next({
-            headers: {
-                Authorization: `Bearer ${LOCAL_ONLY_TOKEN}`,
-            },
-        });
-    }
     // Get the global sessionManager - this MUST be available for embedded apps
     const sessionManager = window
         .__embeddedSessionManager;
@@ -27,3 +19,8 @@ export const useSessionTokenClientMiddleware = createMiddleware({
         },
     });
 });
+/**
+ * Exported as `any` to avoid cross-package type identity issues when apps and
+ * the SDK resolve different `@tanstack/react-start` instances in a monorepo.
+ */
+export const useSessionTokenClientMiddleware = _useSessionTokenClientMiddleware;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@every-app/sdk",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/cloudflare/server/gateway.test.ts

@@ -0,0 +1,183 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { fetchGateway, getGatewayUrl } from "./gateway";
+
+type TestFetcher = {
+  fetch: ReturnType<typeof vi.fn>;
+};
+
+type TestEnv = {
+  GATEWAY_URL?: string;
+  EVERY_APP_GATEWAY?: TestFetcher;
+  GATEWAY_APP_API_TOKEN?: string;
+  APP_TOKEN?: string;
+};
+
+describe("gateway server helpers", () => {
+  beforeEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("returns gateway URL and throws when missing", () => {
+    expect(getGatewayUrl({ GATEWAY_URL: "https://gateway.example.com" })).toBe(
+      "https://gateway.example.com",
+    );
+
+    expect(() => getGatewayUrl({} as TestEnv)).toThrow(
+      "GATEWAY_URL is required",
+    );
+  });
+
+  it("fetches via HTTP when service binding is unavailable", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      GATEWAY_APP_API_TOKEN: "eat_test_token",
+    };
+
+    await fetchGateway({
+      env,
+      url: "/api/ai/openai/v1/responses?stream=true",
+      init: { method: "POST" },
+    });
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [requestArg] = fetchMock.mock.calls[0];
+    const request = requestArg as Request;
+
+    expect(request.url).toBe(
+      "https://gateway.example.com/api/ai/openai/v1/responses?stream=true",
+    );
+  });
+
+  it("fetches via service binding when available", async () => {
+    const bindingFetch = vi
+      .fn()
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      EVERY_APP_GATEWAY: { fetch: bindingFetch },
+      GATEWAY_APP_API_TOKEN: "eat_test_token",
+    };
+
+    await fetchGateway({
+      env,
+      url: "/api/ai/openai/v1/chat/completions",
+      init: { method: "POST" },
+    });
+
+    expect(bindingFetch).toHaveBeenCalledTimes(1);
+    const [requestArg] = bindingFetch.mock.calls[0];
+    const request = requestArg as Request;
+    expect(request.url).toBe(
+      "http://localhost/api/ai/openai/v1/chat/completions",
+    );
+  });
+
+  it("always injects app token and strips Authorization header", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      GATEWAY_APP_API_TOKEN: "eat_my_token",
+    };
+
+    await fetchGateway({
+      env,
+      url: "/api/ai/openai/v1/responses",
+      init: {
+        method: "POST",
+        headers: {
+          authorization: "Bearer some-sdk-dummy-value",
+        },
+      },
+    });
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [requestArg] = fetchMock.mock.calls[0];
+    const request = requestArg as Request;
+
+    expect(request.headers.get("x-every-app-token")).toBe("eat_my_token");
+    expect(request.headers.get("authorization")).toBeNull();
+  });
+
+  it("throws when app token is missing", async () => {
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+    };
+
+    await expect(
+      fetchGateway({
+        env,
+        url: "/api/ai/openai/v1/responses",
+      }),
+    ).rejects.toThrow("GATEWAY_APP_API_TOKEN is required");
+  });
+
+  it("supports legacy APP_TOKEN env variable", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      APP_TOKEN: "eat_legacy_token",
+    };
+
+    await fetchGateway({
+      env,
+      url: "/api/ai/openai/v1/responses",
+      init: { method: "POST" },
+    });
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [requestArg] = fetchMock.mock.calls[0];
+    const request = requestArg as Request;
+
+    expect(request.headers.get("x-every-app-token")).toBe("eat_legacy_token");
+    expect(request.headers.get("authorization")).toBeNull();
+  });
+
+  it("supports Request input and preserves method/body", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      GATEWAY_APP_API_TOKEN: "eat_test_token",
+    };
+
+    const sourceRequest = new Request(
+      "https://gateway.example.com/api/ai/openai/v1/responses",
+      {
+        method: "POST",
+        body: JSON.stringify({ model: "gpt-5.2" }),
+        headers: { "content-type": "application/json" },
+      },
+    );
+
+    await fetchGateway({
+      env,
+      url: sourceRequest,
+    });
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [requestArg] = fetchMock.mock.calls[0];
+    const request = requestArg as Request;
+    expect(request.url).toBe(
+      "https://gateway.example.com/api/ai/openai/v1/responses",
+    );
+    expect(request.method).toBe("POST");
+    expect(request.headers.get("content-type")).toBe("application/json");
+  });
+});

package/src/cloudflare/server/gateway.ts

@@ -0,0 +1,105 @@
+const SERVICE_BINDING_ORIGIN = "http://localhost";
+const APP_TOKEN_HEADER = "x-every-app-token";
+
+interface GatewayFetcher {
+  fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
+}
+
+interface GatewayEnv {
+  GATEWAY_URL?: string;
+  EVERY_APP_GATEWAY?: GatewayFetcher;
+  GATEWAY_APP_API_TOKEN?: string;
+  APP_TOKEN?: string;
+}
+
+interface FetchGatewayOptions {
+  env: GatewayEnv;
+  /** The URL, path, or Request to send to the gateway. Typically the full URL
+   *  passed by a provider SDK's custom `fetch` override. */
+  url: string | URL | Request;
+  /** Standard `RequestInit` (method, headers, body, etc.) from the provider SDK. */
+  init?: RequestInit;
+}
+
+export function getGatewayUrl(env: GatewayEnv): string {
+  const gatewayUrl = env.GATEWAY_URL?.trim();
+  if (!gatewayUrl) {
+    throw new Error("GATEWAY_URL is required");
+  }
+  return gatewayUrl;
+}
+
+/**
+ * Fetch from the gateway proxy, authenticating with the app token.
+ *
+ * - Strips any existing `Authorization` header (the gateway only accepts
+ *   app token auth via `x-every-app-token`).
+ * - Requires `GATEWAY_APP_API_TOKEN` (or legacy `APP_TOKEN`) in the env.
+ * - Routes via service binding in production, falls back to HTTP in dev.
+ */
+export async function fetchGateway({
+  env,
+  url,
+  init,
+}: FetchGatewayOptions): Promise<Response> {
+  const gatewayBaseUrl = getGatewayUrl(env);
+  const resolvedRequest = toRequest(url, init, gatewayBaseUrl);
+  const authenticatedRequest = applyAppTokenAuth(resolvedRequest, env);
+
+  // Use service binding when available for zero-latency internal routing
+  // (available in production Workers, not in local dev)
+  if (env.EVERY_APP_GATEWAY) {
+    const url = new URL(authenticatedRequest.url);
+    const bindingUrl = `${SERVICE_BINDING_ORIGIN}${url.pathname}${url.search}`;
+    const bindingRequest = new Request(bindingUrl, authenticatedRequest);
+    return env.EVERY_APP_GATEWAY.fetch(bindingRequest);
+  }
+
+  // Fall back to HTTP fetch for local dev
+  return fetch(authenticatedRequest);
+}
+
+function applyAppTokenAuth(request: Request, env: GatewayEnv): Request {
+  const appToken = getGatewayAppApiToken(env);
+  if (!appToken) {
+    throw new Error(
+      "GATEWAY_APP_API_TOKEN is required. Run `npx everyapp app deploy` to provision one.",
+    );
+  }
+
+  const headers = new Headers(request.headers);
+  headers.delete("authorization");
+  headers.set(APP_TOKEN_HEADER, appToken);
+  return new Request(request, { headers });
+}
+
+function getGatewayAppApiToken(env: GatewayEnv): string | null {
+  const configuredToken = env.GATEWAY_APP_API_TOKEN?.trim();
+  if (configuredToken) {
+    return configuredToken;
+  }
+
+  const legacyToken = env.APP_TOKEN?.trim();
+  return legacyToken || null;
+}
+
+function toRequest(
+  input: RequestInfo | URL,
+  init?: RequestInit,
+  baseUrl?: string,
+): Request {
+  if (input instanceof Request) {
+    return init ? new Request(input, init) : input;
+  }
+
+  if (input instanceof URL) {
+    return new Request(input.toString(), init);
+  }
+
+  if (typeof input === "string" && baseUrl && !/^https?:\/\//i.test(input)) {
+    const normalizedPath = input.startsWith("/") ? input : `/${input}`;
+    return new Request(new URL(normalizedPath, baseUrl).toString(), init);
+  }
+
+  return new Request(input, init);
+}

package/src/cloudflare/server/index.ts

@@ -1 +1,2 @@
 export { getLocalD1Url } from "../getLocalD1Url.js";
+export { fetchGateway, getGatewayUrl } from "./gateway";

package/src/core/authenticatedFetch.ts

@@ -1,8 +1,3 @@
-import {
-  DEMO_MODE_LOCAL_ONLY_TOKEN,
-  isDemoModeLocalOnlyClient,
-} from "../shared/demoModeLocalOnly";
-
 interface SessionManager {
   getToken(): Promise<string>;
 }
@@ -15,10 +10,6 @@ interface WindowWithSessionManager extends Window {
  * Gets the current session token from the embedded session manager
  */
 export async function getSessionToken(): Promise<string> {
-  if (isDemoModeLocalOnlyClient()) {
-    return DEMO_MODE_LOCAL_ONLY_TOKEN;
-  }
-
   const windowWithSession = window as WindowWithSessionManager;
   const sessionManager = windowWithSession.__embeddedSessionManager;
 

package/src/core/sessionManager.ts

@@ -1,10 +1,3 @@
-import {
-  DEMO_MODE_LOCAL_ONLY_EMAIL,
-  DEMO_MODE_LOCAL_ONLY_TOKEN,
-  DEMO_MODE_LOCAL_ONLY_USER_ID,
-  isDemoModeLocalOnlyClient,
-} from "../shared/demoModeLocalOnly";
-
 interface SessionToken {
   token: string;
   expiresAt: number;
@@ -42,7 +35,6 @@ export class SessionManager {
   readonly parentOrigin: string;
   readonly appId: string;
   readonly isInIframe: boolean;
-  readonly isDemoModeLocalOnly: boolean;
 
   private token: SessionToken | null = null;
   private refreshPromise: Promise<string> | null = null;
@@ -52,35 +44,20 @@ export class SessionManager {
       throw new Error("[SessionManager] appId is required.");
     }
 
-    this.isDemoModeLocalOnly = isDemoModeLocalOnlyClient();
-
     const gatewayUrl = import.meta.env.VITE_GATEWAY_URL;
-    if (!this.isDemoModeLocalOnly) {
-      if (!gatewayUrl) {
-        throw new Error(
-          "[SessionManager] VITE_GATEWAY_URL env var is required.",
-        );
-      }
+    if (!gatewayUrl) {
+      throw new Error("[SessionManager] VITE_GATEWAY_URL env var is required.");
+    }
 
-      try {
-        new URL(gatewayUrl);
-      } catch {
-        throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
-      }
+    try {
+      new URL(gatewayUrl);
+    } catch {
+      throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
     }
 
     this.appId = config.appId;
-    this.parentOrigin = this.isDemoModeLocalOnly
-      ? window.location.origin
-      : gatewayUrl;
+    this.parentOrigin = gatewayUrl;
     this.isInIframe = isRunningInIframe();
-
-    if (this.isDemoModeLocalOnly) {
-      this.token = {
-        token: DEMO_MODE_LOCAL_ONLY_TOKEN,
-        expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
-      };
-    }
   }
 
   private isTokenExpiringSoon(
@@ -130,14 +107,6 @@ export class SessionManager {
   }
 
   async requestNewToken(): Promise<string> {
-    if (this.isDemoModeLocalOnly) {
-      this.token = {
-        token: DEMO_MODE_LOCAL_ONLY_TOKEN,
-        expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
-      };
-      return this.token.token;
-    }
-
     if (this.refreshPromise) {
       return this.refreshPromise;
     }
@@ -184,13 +153,6 @@ export class SessionManager {
   }
 
   async getToken(): Promise<string> {
-    if (this.isDemoModeLocalOnly) {
-      if (!this.token || this.isTokenExpiringSoon()) {
-        return this.requestNewToken();
-      }
-      return this.token.token;
-    }
-
     if (this.isTokenExpiringSoon()) {
       return this.requestNewToken();
     }
@@ -221,13 +183,6 @@ export class SessionManager {
    * Returns null if no valid token is available.
    */
   getUser(): { userId: string; email: string } | null {
-    if (this.isDemoModeLocalOnly) {
-      return {
-        userId: DEMO_MODE_LOCAL_ONLY_USER_ID,
-        email: DEMO_MODE_LOCAL_ONLY_EMAIL,
-      };
-    }
-
     if (!this.token) {
       return null;
     }

package/src/env.d.ts

@@ -5,6 +5,8 @@ declare namespace Cloudflare {
   interface Env {
     GATEWAY_URL: string;
     EVERY_APP_GATEWAY?: Fetcher;
+    GATEWAY_APP_API_TOKEN?: string;
+    APP_TOKEN?: string;
   }
 }
 

package/src/tanstack/EmbeddedAppProvider.tsx

@@ -27,8 +27,8 @@ export function EmbeddedAppProvider({
 
   if (!sessionManager) return null;
 
-  // Check if the app is running outside of the Gateway iframe (skip in demo mode)
-  if (!sessionManager.isInIframe && !sessionManager.isDemoModeLocalOnly) {
+  // Check if the app is running outside of the Gateway iframe
+  if (!sessionManager.isInIframe) {
     return (
       <GatewayRequiredError
         gatewayOrigin={sessionManager.parentOrigin}

package/src/tanstack/_internal/useEveryAppSession.tsx

@@ -28,9 +28,8 @@ export function useEveryAppSession({
 
   useEffect(() => {
     if (!sessionManager) return;
-    // Skip token requests when not in iframe (unless in demo mode) - the app will show GatewayRequiredError instead
-    if (!sessionManager.isInIframe && !sessionManager.isDemoModeLocalOnly)
-      return;
+    // Skip token requests when not in iframe - the app will show GatewayRequiredError instead
+    if (!sessionManager.isInIframe) return;
 
     const interval = setInterval(() => {
       setSessionTokenState(sessionManager.getTokenState());

package/src/tanstack/server/authConfig.ts

@@ -1,16 +1,9 @@
 import type { AuthConfig } from "./types";
 import { env } from "cloudflare:workers";
-import { isDemoModeLocalOnlyServer } from "../../shared/demoModeLocalOnly";
 
 export function getAuthConfig(): AuthConfig {
-  const demoModeLocalOnlyEnv = (env as { DEMO_MODE_LOCAL_ONLY?: string })
-    .DEMO_MODE_LOCAL_ONLY;
-  const isDemoModeLocalOnly =
-    demoModeLocalOnlyEnv === "true" || isDemoModeLocalOnlyServer() === true;
-  const issuer = env.GATEWAY_URL || (isDemoModeLocalOnly ? "local" : "");
-
   return {
-    issuer,
+    issuer: env.GATEWAY_URL,
     audience: import.meta.env.VITE_APP_ID,
   };
 }

package/src/tanstack/server/authenticateRequest.ts

@@ -8,11 +8,6 @@ import {
 
 import type { AuthConfig } from "./types";
 import { env } from "cloudflare:workers";
-import {
-  DEMO_MODE_LOCAL_ONLY_TOKEN,
-  createDemoModeLocalOnlySessionPayload,
-  isDemoModeLocalOnlyServer,
-} from "../../shared/demoModeLocalOnly";
 
 /**
  * JWT payload structure for embedded app session tokens.
@@ -40,13 +35,7 @@ export async function authenticateRequest(
   const request = providedRequest || getRequest();
   const authHeader = request.headers.get("authorization");
 
-  const demoModeLocalOnlyEnv = (env as { DEMO_MODE_LOCAL_ONLY?: string })
-    .DEMO_MODE_LOCAL_ONLY;
-  const isDemoModeLocalOnly =
-    demoModeLocalOnlyEnv === "true" || isDemoModeLocalOnlyServer() === true;
-
   if (!authHeader) {
-    console.log("No auth header found");
     return null;
   }
 
@@ -56,14 +45,6 @@ export async function authenticateRequest(
     return null;
   }
 
-  if (isDemoModeLocalOnly) {
-    if (token !== DEMO_MODE_LOCAL_ONLY_TOKEN) {
-      return null;
-    }
-
-    return createDemoModeLocalOnlySessionPayload(authConfig.audience);
-  }
-
   try {
     const session = await verifySessionToken(token, authConfig);
     return session;

package/src/tanstack/useSessionTokenClientMiddleware.ts

@@ -1,21 +1,9 @@
 import { createMiddleware } from "@tanstack/react-start";
 import type { SessionManager } from "../core/sessionManager";
-import {
-  DEMO_MODE_LOCAL_ONLY_TOKEN,
-  isDemoModeLocalOnlyClient,
-} from "../shared/demoModeLocalOnly";
 
-export const useSessionTokenClientMiddleware = createMiddleware({
+const _useSessionTokenClientMiddleware = createMiddleware({
   type: "function",
 }).client(async ({ next }) => {
-  if (isDemoModeLocalOnlyClient()) {
-    return next({
-      headers: {
-        Authorization: `Bearer ${DEMO_MODE_LOCAL_ONLY_TOKEN}`,
-      },
-    });
-  }
-
   // Get the global sessionManager - this MUST be available for embedded apps
   const sessionManager = (window as any)
     .__embeddedSessionManager as SessionManager;
@@ -41,3 +29,10 @@ export const useSessionTokenClientMiddleware = createMiddleware({
     },
   });
 });
+
+/**
+ * Exported as `any` to avoid cross-package type identity issues when apps and
+ * the SDK resolve different `@tanstack/react-start` instances in a monorepo.
+ */
+export const useSessionTokenClientMiddleware: any =
+  _useSessionTokenClientMiddleware;

package/src/shared/demoModeLocalOnly.ts

@@ -1,40 +0,0 @@
-export const DEMO_MODE_LOCAL_ONLY_TOKEN = "DEMO_MODE_LOCAL_ONLY";
-export const DEMO_MODE_LOCAL_ONLY_USER_ID = "demo-local-user";
-export const DEMO_MODE_LOCAL_ONLY_EMAIL = "demo-local-user@local";
-
-export function isDemoModeLocalOnlyClient(): boolean {
-  return import.meta.env.VITE_DEMO_MODE_LOCAL_ONLY === "true";
-}
-
-export function isDemoModeLocalOnlyServer(): boolean {
-  const metaEnv = (import.meta as { env?: Record<string, string | undefined> })
-    .env;
-  const metaValue =
-    metaEnv?.DEMO_MODE_LOCAL_ONLY ?? metaEnv?.VITE_DEMO_MODE_LOCAL_ONLY;
-  if (metaValue === "true") {
-    return true;
-  }
-
-  if (
-    typeof process !== "undefined" &&
-    process.env?.DEMO_MODE_LOCAL_ONLY === "true"
-  ) {
-    return true;
-  }
-
-  return false;
-}
-
-export function createDemoModeLocalOnlySessionPayload(audience: string) {
-  const issuedAt = Math.floor(Date.now() / 1000);
-  const expiresAt = issuedAt + 60 * 60;
-
-  return {
-    sub: DEMO_MODE_LOCAL_ONLY_USER_ID,
-    email: DEMO_MODE_LOCAL_ONLY_EMAIL,
-    iss: "local",
-    aud: audience,
-    iat: issuedAt,
-    exp: expiresAt,
-  };
-}