@every-app/sdk 0.1.5 → 0.1.7

package/dist/cloudflare/server/gateway.d.ts

@@ -0,0 +1,29 @@
+interface GatewayFetcher {
+    fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
+}
+interface GatewayEnv {
+    GATEWAY_URL?: string;
+    EVERY_APP_GATEWAY?: GatewayFetcher;
+    GATEWAY_APP_API_TOKEN?: string;
+    APP_TOKEN?: string;
+}
+interface FetchGatewayOptions {
+    env: GatewayEnv;
+    /** The URL, path, or Request to send to the gateway. Typically the full URL
+     *  passed by a provider SDK's custom `fetch` override. */
+    url: string | URL | Request;
+    /** Standard `RequestInit` (method, headers, body, etc.) from the provider SDK. */
+    init?: RequestInit;
+}
+export declare function getGatewayUrl(env: GatewayEnv): string;
+/**
+ * Fetch from the gateway proxy, authenticating with the app token.
+ *
+ * - Strips any existing `Authorization` header (the gateway only accepts
+ *   app token auth via `x-every-app-token`).
+ * - Requires `GATEWAY_APP_API_TOKEN` (or legacy `APP_TOKEN`) in the env.
+ * - Routes via service binding in production, falls back to HTTP in dev.
+ */
+export declare function fetchGateway({ env, url, init, }: FetchGatewayOptions): Promise<Response>;
+export {};
+//# sourceMappingURL=gateway.d.ts.map

package/dist/cloudflare/server/gateway.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../../../src/cloudflare/server/gateway.ts"],"names":[],"mappings":"AAGA,UAAU,cAAc;IACtB,KAAK,CAAC,KAAK,EAAE,WAAW,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACxE;AAED,UAAU,UAAU;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,cAAc,CAAC;IACnC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,mBAAmB;IAC3B,GAAG,EAAE,UAAU,CAAC;IAChB;8DAC0D;IAC1D,GAAG,EAAE,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC;IAC5B,kFAAkF;IAClF,IAAI,CAAC,EAAE,WAAW,CAAC;CACpB;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,UAAU,GAAG,MAAM,CAMrD;AAED;;;;;;;GAOG;AACH,wBAAsB,YAAY,CAAC,EACjC,GAAG,EACH,GAAG,EACH,IAAI,GACL,EAAE,mBAAmB,GAAG,OAAO,CAAC,QAAQ,CAAC,CAiBzC"}

package/dist/cloudflare/server/gateway.js

@@ -0,0 +1,64 @@
+const SERVICE_BINDING_ORIGIN = "http://localhost";
+const APP_TOKEN_HEADER = "x-every-app-token";
+export function getGatewayUrl(env) {
+    const gatewayUrl = env.GATEWAY_URL?.trim();
+    if (!gatewayUrl) {
+        throw new Error("GATEWAY_URL is required");
+    }
+    return gatewayUrl;
+}
+/**
+ * Fetch from the gateway proxy, authenticating with the app token.
+ *
+ * - Strips any existing `Authorization` header (the gateway only accepts
+ *   app token auth via `x-every-app-token`).
+ * - Requires `GATEWAY_APP_API_TOKEN` (or legacy `APP_TOKEN`) in the env.
+ * - Routes via service binding in production, falls back to HTTP in dev.
+ */
+export async function fetchGateway({ env, url, init, }) {
+    const gatewayBaseUrl = getGatewayUrl(env);
+    const resolvedRequest = toRequest(url, init, gatewayBaseUrl);
+    const authenticatedRequest = applyAppTokenAuth(resolvedRequest, env);
+    // Use service binding only in production for zero-latency internal routing.
+    // In local dev, service bindings can exist in config but still fail with:
+    // "Couldn't find a local dev session ... to proxy to".
+    if (import.meta.env.PROD && env.EVERY_APP_GATEWAY) {
+        const url = new URL(authenticatedRequest.url);
+        const bindingUrl = `${SERVICE_BINDING_ORIGIN}${url.pathname}${url.search}`;
+        const bindingRequest = new Request(bindingUrl, authenticatedRequest);
+        return env.EVERY_APP_GATEWAY.fetch(bindingRequest);
+    }
+    // Fall back to HTTP fetch for local dev (and when no binding is present).
+    return fetch(authenticatedRequest);
+}
+function applyAppTokenAuth(request, env) {
+    const appToken = getGatewayAppApiToken(env);
+    if (!appToken) {
+        throw new Error("GATEWAY_APP_API_TOKEN is required. Run `npx everyapp app deploy` to provision one.");
+    }
+    const headers = new Headers(request.headers);
+    headers.delete("authorization");
+    headers.set(APP_TOKEN_HEADER, appToken);
+    return new Request(request, { headers });
+}
+function getGatewayAppApiToken(env) {
+    const configuredToken = env.GATEWAY_APP_API_TOKEN?.trim();
+    if (configuredToken) {
+        return configuredToken;
+    }
+    const legacyToken = env.APP_TOKEN?.trim();
+    return legacyToken || null;
+}
+function toRequest(input, init, baseUrl) {
+    if (input instanceof Request) {
+        return init ? new Request(input, init) : input;
+    }
+    if (input instanceof URL) {
+        return new Request(input.toString(), init);
+    }
+    if (typeof input === "string" && baseUrl && !/^https?:\/\//i.test(input)) {
+        const normalizedPath = input.startsWith("/") ? input : `/${input}`;
+        return new Request(new URL(normalizedPath, baseUrl).toString(), init);
+    }
+    return new Request(input, init);
+}

package/dist/cloudflare/server/index.d.ts

@@ -1,2 +1,3 @@
 export { getLocalD1Url } from "../getLocalD1Url.js";
+export { fetchGateway, getGatewayUrl } from "./gateway";
 //# sourceMappingURL=index.d.ts.map

package/dist/cloudflare/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cloudflare/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cloudflare/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC"}

package/dist/cloudflare/server/index.js

@@ -1 +1,2 @@
 export { getLocalD1Url } from "../getLocalD1Url.js";
+export { fetchGateway, getGatewayUrl } from "./gateway";

package/dist/core/authenticatedFetch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authenticatedFetch.d.ts","sourceRoot":"","sources":["../../src/core/authenticatedFetch.ts"],"names":[],"mappings":"AAaA;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC,CAmBvD;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GACjB,OAAO,CAAC,QAAQ,CAAC,CAUnB"}
+{"version":3,"file":"authenticatedFetch.d.ts","sourceRoot":"","sources":["../../src/core/authenticatedFetch.ts"],"names":[],"mappings":"AAQA;;GAEG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC,CAevD;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GACjB,OAAO,CAAC,QAAQ,CAAC,CAUnB"}

package/dist/core/authenticatedFetch.js

@@ -1,11 +1,7 @@
-import { DEMO_MODE_LOCAL_ONLY_TOKEN, isDemoModeLocalOnlyClient, } from "../shared/demoModeLocalOnly";
 /**
  * Gets the current session token from the embedded session manager
  */
 export async function getSessionToken() {
-    if (isDemoModeLocalOnlyClient()) {
-        return DEMO_MODE_LOCAL_ONLY_TOKEN;
-    }
     const windowWithSession = window;
     const sessionManager = windowWithSession.__embeddedSessionManager;
     if (!sessionManager) {

package/dist/core/sessionManager.d.ts

@@ -10,7 +10,6 @@ export declare class SessionManager {
     readonly parentOrigin: string;
     readonly appId: string;
     readonly isInIframe: boolean;
-    readonly isDemoModeLocalOnly: boolean;
     private token;
     private refreshPromise;
     constructor(config: SessionManagerConfig);

package/dist/core/sessionManager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sessionManager.d.ts","sourceRoot":"","sources":["../../src/core/sessionManager.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAMD;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAQ3C;AAED,qBAAa,cAAc;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAC7B,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC;IAEtC,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,cAAc,CAAgC;gBAE1C,MAAM,EAAE,oBAAoB;IAoCxC,OAAO,CAAC,mBAAmB;IAO3B,OAAO,CAAC,uBAAuB;IAuCzB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IAsDlC,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAcjC,aAAa,IAAI;QACf,MAAM,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAC;QACxD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;KACtB;IAgBD;;;OAGG;IACH,OAAO,IAAI;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CA+BpD"}
+{"version":3,"file":"sessionManager.d.ts","sourceRoot":"","sources":["../../src/core/sessionManager.ts"],"names":[],"mappings":"AAWA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;CACf;AAMD;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAQ3C;AAED,qBAAa,cAAc;IACzB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC;IAE7B,OAAO,CAAC,KAAK,CAA6B;IAC1C,OAAO,CAAC,cAAc,CAAgC;gBAE1C,MAAM,EAAE,oBAAoB;IAqBxC,OAAO,CAAC,mBAAmB;IAO3B,OAAO,CAAC,uBAAuB;IAuCzB,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IA8ClC,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAOjC,aAAa,IAAI;QACf,MAAM,EAAE,UAAU,GAAG,OAAO,GAAG,SAAS,GAAG,YAAY,CAAC;QACxD,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;KACtB;IAgBD;;;OAGG;IACH,OAAO,IAAI;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CAwBpD"}

package/dist/core/sessionManager.js

@@ -1,4 +1,3 @@
-import { DEMO_MODE_LOCAL_ONLY_EMAIL, DEMO_MODE_LOCAL_ONLY_TOKEN, DEMO_MODE_LOCAL_ONLY_USER_ID, isDemoModeLocalOnlyClient, } from "../shared/demoModeLocalOnly";
 const MESSAGE_TIMEOUT_MS = 5000;
 const TOKEN_EXPIRY_BUFFER_MS = 10000;
 const DEFAULT_TOKEN_LIFETIME_MS = 60000;
@@ -20,37 +19,25 @@ export class SessionManager {
     parentOrigin;
     appId;
     isInIframe;
-    isDemoModeLocalOnly;
     token = null;
     refreshPromise = null;
     constructor(config) {
         if (!config.appId) {
             throw new Error("[SessionManager] appId is required.");
         }
-        this.isDemoModeLocalOnly = isDemoModeLocalOnlyClient();
         const gatewayUrl = import.meta.env.VITE_GATEWAY_URL;
-        if (!this.isDemoModeLocalOnly) {
-            if (!gatewayUrl) {
-                throw new Error("[SessionManager] VITE_GATEWAY_URL env var is required.");
-            }
-            try {
-                new URL(gatewayUrl);
-            }
-            catch {
-                throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
-            }
+        if (!gatewayUrl) {
+            throw new Error("[SessionManager] VITE_GATEWAY_URL env var is required.");
+        }
+        try {
+            new URL(gatewayUrl);
+        }
+        catch {
+            throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
         }
         this.appId = config.appId;
-        this.parentOrigin = this.isDemoModeLocalOnly
-            ? window.location.origin
-            : gatewayUrl;
+        this.parentOrigin = gatewayUrl;
         this.isInIframe = isRunningInIframe();
-        if (this.isDemoModeLocalOnly) {
-            this.token = {
-                token: DEMO_MODE_LOCAL_ONLY_TOKEN,
-                expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
-            };
-        }
     }
     isTokenExpiringSoon(bufferMs = TOKEN_EXPIRY_BUFFER_MS) {
         if (!this.token)
@@ -90,13 +77,6 @@ export class SessionManager {
         });
     }
     async requestNewToken() {
-        if (this.isDemoModeLocalOnly) {
-            this.token = {
-                token: DEMO_MODE_LOCAL_ONLY_TOKEN,
-                expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
-            };
-            return this.token.token;
-        }
         if (this.refreshPromise) {
             return this.refreshPromise;
         }
@@ -132,12 +112,6 @@ export class SessionManager {
         }
     }
     async getToken() {
-        if (this.isDemoModeLocalOnly) {
-            if (!this.token || this.isTokenExpiringSoon()) {
-                return this.requestNewToken();
-            }
-            return this.token.token;
-        }
         if (this.isTokenExpiringSoon()) {
             return this.requestNewToken();
         }
@@ -160,12 +134,6 @@ export class SessionManager {
      * Returns null if no valid token is available.
      */
     getUser() {
-        if (this.isDemoModeLocalOnly) {
-            return {
-                userId: DEMO_MODE_LOCAL_ONLY_USER_ID,
-                email: DEMO_MODE_LOCAL_ONLY_EMAIL,
-            };
-        }
         if (!this.token) {
             return null;
         }

package/dist/tanstack/EmbeddedAppProvider.d.ts

@@ -26,5 +26,17 @@ export declare function useCurrentUser(): {
     userId: string;
     email: string;
 } | null;
+interface UseSessionTokenOptions {
+    enabled?: boolean;
+    retryDelayMs?: number;
+}
+interface UseSessionTokenResult {
+    token: string | null;
+    isReady: boolean;
+    isLoading: boolean;
+    error: Error | null;
+    refresh: () => Promise<string | null>;
+}
+export declare function useSessionToken({ enabled, retryDelayMs, }?: UseSessionTokenOptions): UseSessionTokenResult;
 export {};
 //# sourceMappingURL=EmbeddedAppProvider.d.ts.map

package/dist/tanstack/EmbeddedAppProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"EmbeddedAppProvider.d.ts","sourceRoot":"","sources":["../../src/tanstack/EmbeddedAppProvider.tsx"],"names":[],"mappings":"AAAA,OAAO,KAA6C,MAAM,OAAO,CAAC;AAClE,OAAO,EAAkB,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAK9E,UAAU,sBAAuB,SAAQ,oBAAoB;IAC3D,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;CAC3B;AAUD,wBAAgB,mBAAmB,CAAC,EAClC,QAAQ,EACR,GAAG,MAAM,EACV,EAAE,sBAAsB,kDA6BxB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,cAAc,IAAI;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAmBzE"}
+{"version":3,"file":"EmbeddedAppProvider.d.ts","sourceRoot":"","sources":["../../src/tanstack/EmbeddedAppProvider.tsx"],"names":[],"mappings":"AAAA,OAAO,KAON,MAAM,OAAO,CAAC;AACf,OAAO,EAAkB,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAK9E,UAAU,sBAAuB,SAAQ,oBAAoB;IAC3D,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;CAC3B;AAsBD,wBAAgB,mBAAmB,CAAC,EAClC,QAAQ,EACR,GAAG,MAAM,EACV,EAAE,sBAAsB,kDA6BxB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,cAAc,IAAI;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAWzE;AAED,UAAU,sBAAsB;IAC9B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,UAAU,qBAAqB;IAC7B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CACvC;AAED,wBAAgB,eAAe,CAAC,EAC9B,OAAc,EACd,YAAkB,GACnB,GAAE,sBAA2B,GAAG,qBAAqB,CAgGrD"}

package/dist/tanstack/EmbeddedAppProvider.js

@@ -1,9 +1,16 @@
 import { jsx as _jsx } from "react/jsx-runtime";
-import { createContext, useContext, useMemo } from "react";
+import { createContext, useCallback, useContext, useEffect, useMemo, useState, } from "react";
 import { useEveryAppSession } from "./_internal/useEveryAppSession";
 import { useEveryAppRouter } from "./useEveryAppRouter";
 import { GatewayRequiredError } from "./GatewayRequiredError";
 const EmbeddedAppContext = createContext(null);
+function useEmbeddedAppContextValue() {
+    const context = useContext(EmbeddedAppContext);
+    if (!context) {
+        throw new Error("Embedded SDK hooks must be used within an EmbeddedAppProvider");
+    }
+    return context;
+}
 export function EmbeddedAppProvider({ children, ...config }) {
     const { sessionManager, sessionTokenState } = useEveryAppSession({
         sessionManagerConfig: config,
@@ -11,8 +18,8 @@ export function EmbeddedAppProvider({ children, ...config }) {
     useEveryAppRouter({ sessionManager });
     if (!sessionManager)
         return null;
-    // Check if the app is running outside of the Gateway iframe (skip in demo mode)
-    if (!sessionManager.isInIframe && !sessionManager.isDemoModeLocalOnly) {
+    // Check if the app is running outside of the Gateway iframe
+    if (!sessionManager.isInIframe) {
         return (_jsx(GatewayRequiredError, { gatewayOrigin: sessionManager.parentOrigin, appId: config.appId }));
     }
     const value = {
@@ -41,11 +48,7 @@ export function EmbeddedAppProvider({ children, ...config }) {
  * ```
  */
 export function useCurrentUser() {
-    const context = useContext(EmbeddedAppContext);
-    if (!context) {
-        throw new Error("useCurrentUser must be used within an EmbeddedAppProvider");
-    }
-    const { sessionManager, sessionTokenState } = context;
+    const { sessionManager, sessionTokenState } = useEmbeddedAppContextValue();
     return useMemo(() => {
         // Only return user if we have a valid token
         if (sessionTokenState.status !== "VALID") {
@@ -54,3 +57,87 @@ export function useCurrentUser() {
         return sessionManager.getUser();
     }, [sessionManager, sessionTokenState]);
 }
+export function useSessionToken({ enabled = true, retryDelayMs = 300, } = {}) {
+    const { sessionManager, sessionTokenState } = useEmbeddedAppContextValue();
+    const [token, setToken] = useState(sessionTokenState.status === "VALID" ? sessionTokenState.token : null);
+    const [isLoading, setIsLoading] = useState(enabled && !token);
+    const [error, setError] = useState(null);
+    const refresh = useCallback(async () => {
+        if (!enabled) {
+            setToken(null);
+            setError(null);
+            setIsLoading(false);
+            return null;
+        }
+        setIsLoading(true);
+        try {
+            const nextToken = await sessionManager.getToken();
+            setToken(nextToken);
+            setError(null);
+            return nextToken;
+        }
+        catch (err) {
+            const normalized = err instanceof Error
+                ? err
+                : new Error("Failed to resolve session token");
+            setError(normalized);
+            return null;
+        }
+        finally {
+            setIsLoading(false);
+        }
+    }, [enabled, sessionManager]);
+    useEffect(() => {
+        if (!enabled) {
+            setToken(null);
+            setIsLoading(false);
+            setError(null);
+            return;
+        }
+        if (sessionTokenState.status === "VALID" && sessionTokenState.token) {
+            setToken(sessionTokenState.token);
+            setError(null);
+            setIsLoading(false);
+        }
+    }, [enabled, sessionTokenState.status, sessionTokenState.token]);
+    useEffect(() => {
+        if (!enabled) {
+            return;
+        }
+        if (sessionTokenState.status === "VALID" && sessionTokenState.token) {
+            return;
+        }
+        let cancelled = false;
+        let retryTimeout = null;
+        const loadToken = async () => {
+            if (cancelled)
+                return;
+            const resolvedToken = await refresh();
+            if (cancelled || resolvedToken)
+                return;
+            retryTimeout = setTimeout(() => {
+                void loadToken();
+            }, retryDelayMs);
+        };
+        void loadToken();
+        return () => {
+            cancelled = true;
+            if (retryTimeout) {
+                clearTimeout(retryTimeout);
+            }
+        };
+    }, [
+        enabled,
+        refresh,
+        retryDelayMs,
+        sessionTokenState.status,
+        sessionTokenState.token,
+    ]);
+    return {
+        token,
+        isReady: !enabled || Boolean(token),
+        isLoading,
+        error,
+        refresh,
+    };
+}

package/dist/tanstack/_internal/useEveryAppSession.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useEveryAppSession.d.ts","sourceRoot":"","sources":["../../../src/tanstack/_internal/useEveryAppSession.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAE3D,UAAU,oBAAoB;IAC5B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,wBAAwB;IAChC,oBAAoB,EAAE,oBAAoB,CAAC;CAC5C;AAED,wBAAgB,kBAAkB,CAAC,EACjC,oBAAoB,GACrB,EAAE,wBAAwB;;;;;;EA+C1B"}
+{"version":3,"file":"useEveryAppSession.d.ts","sourceRoot":"","sources":["../../../src/tanstack/_internal/useEveryAppSession.tsx"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAE3D,UAAU,oBAAoB;IAC5B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,wBAAwB;IAChC,oBAAoB,EAAE,oBAAoB,CAAC;CAC5C;AAED,wBAAgB,kBAAkB,CAAC,EACjC,oBAAoB,GACrB,EAAE,wBAAwB;;;;;;EA8C1B"}

package/dist/tanstack/_internal/useEveryAppSession.js

@@ -13,8 +13,8 @@ export function useEveryAppSession({ sessionManagerConfig, }) {
     useEffect(() => {
         if (!sessionManager)
             return;
-        // Skip token requests when not in iframe (unless in demo mode) - the app will show GatewayRequiredError instead
-        if (!sessionManager.isInIframe && !sessionManager.isDemoModeLocalOnly)
+        // Skip token requests when not in iframe - the app will show GatewayRequiredError instead
+        if (!sessionManager.isInIframe)
             return;
         const interval = setInterval(() => {
             setSessionTokenState(sessionManager.getTokenState());

package/dist/tanstack/index.d.ts

@@ -1,4 +1,4 @@
 export { useSessionTokenClientMiddleware } from "./useSessionTokenClientMiddleware";
 export { useEveryAppRouter } from "./useEveryAppRouter";
-export { EmbeddedAppProvider, useCurrentUser } from "./EmbeddedAppProvider";
+export { EmbeddedAppProvider, useCurrentUser, useSessionToken, } from "./EmbeddedAppProvider";
 //# sourceMappingURL=index.d.ts.map

package/dist/tanstack/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/tanstack/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,+BAA+B,EAAE,MAAM,mCAAmC,CAAC;AACpF,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/tanstack/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,+BAA+B,EAAE,MAAM,mCAAmC,CAAC;AACpF,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,eAAe,GAChB,MAAM,uBAAuB,CAAC"}

package/dist/tanstack/index.js

@@ -1,3 +1,3 @@
 export { useSessionTokenClientMiddleware } from "./useSessionTokenClientMiddleware";
 export { useEveryAppRouter } from "./useEveryAppRouter";
-export { EmbeddedAppProvider, useCurrentUser } from "./EmbeddedAppProvider";
+export { EmbeddedAppProvider, useCurrentUser, useSessionToken, } from "./EmbeddedAppProvider";

package/dist/tanstack/server/authConfig.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authConfig.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authConfig.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAI1C,wBAAgB,aAAa,IAAI,UAAU,CAW1C"}
+{"version":3,"file":"authConfig.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authConfig.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAG1C,wBAAgB,aAAa,IAAI,UAAU,CAK1C"}

package/dist/tanstack/server/authConfig.js

@@ -1,12 +1,7 @@
 import { env } from "cloudflare:workers";
-import { isDemoModeLocalOnlyServer } from "../../shared/demoModeLocalOnly";
 export function getAuthConfig() {
-    const demoModeLocalOnlyEnv = env
-        .DEMO_MODE_LOCAL_ONLY;
-    const isDemoModeLocalOnly = demoModeLocalOnlyEnv === "true" || isDemoModeLocalOnlyServer() === true;
-    const issuer = env.GATEWAY_URL || (isDemoModeLocalOnly ? "local" : "");
     return {
-        issuer,
+        issuer: env.GATEWAY_URL,
         audience: import.meta.env.VITE_APP_ID,
     };
 }

package/dist/tanstack/server/authenticateRequest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAQ1C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA4CrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}
+{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAG1C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA8BrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}

package/dist/tanstack/server/authenticateRequest.js

@@ -1,27 +1,16 @@
 import { getRequest } from "@tanstack/react-start/server";
 import { createLocalJWKSet, jwtVerify, } from "jose";
 import { env } from "cloudflare:workers";
-import { DEMO_MODE_LOCAL_ONLY_TOKEN, createDemoModeLocalOnlySessionPayload, isDemoModeLocalOnlyServer, } from "../../shared/demoModeLocalOnly";
 export async function authenticateRequest(authConfig, providedRequest) {
     const request = providedRequest || getRequest();
     const authHeader = request.headers.get("authorization");
-    const demoModeLocalOnlyEnv = env
-        .DEMO_MODE_LOCAL_ONLY;
-    const isDemoModeLocalOnly = demoModeLocalOnlyEnv === "true" || isDemoModeLocalOnlyServer() === true;
     if (!authHeader) {
-        console.log("No auth header found");
         return null;
     }
     const token = extractBearerToken(authHeader);
     if (!token) {
         return null;
     }
-    if (isDemoModeLocalOnly) {
-        if (token !== DEMO_MODE_LOCAL_ONLY_TOKEN) {
-            return null;
-        }
-        return createDemoModeLocalOnlySessionPayload(authConfig.audience);
-    }
     try {
         const session = await verifySessionToken(token, authConfig);
         return session;

package/dist/tanstack/server/index.d.ts

@@ -1,4 +1,5 @@
 export { authenticateRequest } from "./authenticateRequest";
 export type { AuthConfig } from "./types";
 export { getAuthConfig } from "./authConfig";
+export { withBearerTokenFromQuery } from "./withBearerTokenFromQuery";
 //# sourceMappingURL=index.d.ts.map

package/dist/tanstack/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,wBAAwB,EAAE,MAAM,4BAA4B,CAAC"}

package/dist/tanstack/server/index.js

@@ -1,2 +1,3 @@
 export { authenticateRequest } from "./authenticateRequest";
 export { getAuthConfig } from "./authConfig";
+export { withBearerTokenFromQuery } from "./withBearerTokenFromQuery";

package/dist/tanstack/server/withBearerTokenFromQuery.d.ts

@@ -0,0 +1,2 @@
+export declare function withBearerTokenFromQuery(request: Request, queryParam?: string): Request;
+//# sourceMappingURL=withBearerTokenFromQuery.d.ts.map

package/dist/tanstack/server/withBearerTokenFromQuery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"withBearerTokenFromQuery.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/withBearerTokenFromQuery.ts"],"names":[],"mappings":"AAAA,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,OAAO,EAChB,UAAU,GAAE,MAAgB,GAC3B,OAAO,CAWT"}

package/dist/tanstack/server/withBearerTokenFromQuery.js

@@ -0,0 +1,9 @@
+export function withBearerTokenFromQuery(request, queryParam = "token") {
+    const token = new URL(request.url).searchParams.get(queryParam);
+    if (!token || request.headers.has("Authorization")) {
+        return request;
+    }
+    const headers = new Headers(request.headers);
+    headers.set("Authorization", `Bearer ${token}`);
+    return new Request(request, { headers });
+}

package/dist/tanstack/useSessionTokenClientMiddleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useSessionTokenClientMiddleware.d.ts","sourceRoot":"","sources":["../../src/tanstack/useSessionTokenClientMiddleware.ts"],"names":[],"mappings":"AAOA,eAAO,MAAM,+BAA+B,6GAmC1C,CAAC"}
+{"version":3,"file":"useSessionTokenClientMiddleware.d.ts","sourceRoot":"","sources":["../../src/tanstack/useSessionTokenClientMiddleware.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,+BAA+B,6GA2B1C,CAAC"}

package/dist/tanstack/useSessionTokenClientMiddleware.js

@@ -1,15 +1,7 @@
 import { createMiddleware } from "@tanstack/react-start";
-import { DEMO_MODE_LOCAL_ONLY_TOKEN, isDemoModeLocalOnlyClient, } from "../shared/demoModeLocalOnly";
 export const useSessionTokenClientMiddleware = createMiddleware({
     type: "function",
 }).client(async ({ next }) => {
-    if (isDemoModeLocalOnlyClient()) {
-        return next({
-            headers: {
-                Authorization: `Bearer ${DEMO_MODE_LOCAL_ONLY_TOKEN}`,
-            },
-        });
-    }
     // Get the global sessionManager - this MUST be available for embedded apps
     const sessionManager = window
         .__embeddedSessionManager;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@every-app/sdk",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "license": "MIT",
   "type": "module",
   "exports": {
@@ -35,7 +35,8 @@
     "format:check": "prettier --check .",
     "format:write": "prettier . --write",
     "test": "vitest run --silent",
-    "test:watch": "vitest"
+    "test:watch": "vitest",
+    "check:esm-relative-imports": "node ./scripts/check-esm-relative-imports.mjs"
   },
   "dependencies": {
     "jsonc-parser": "^3.3.1"

package/src/cloudflare/index.ts

@@ -1 +1 @@
-export { lazyInitForWorkers } from "./lazyInit";
+export { lazyInitForWorkers } from "./lazyInit.js";

package/src/cloudflare/server/gateway.test.ts

@@ -0,0 +1,183 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { fetchGateway, getGatewayUrl } from "./gateway";
+
+type TestFetcher = {
+  fetch: ReturnType<typeof vi.fn>;
+};
+
+type TestEnv = {
+  GATEWAY_URL?: string;
+  EVERY_APP_GATEWAY?: TestFetcher;
+  GATEWAY_APP_API_TOKEN?: string;
+  APP_TOKEN?: string;
+};
+
+describe("gateway server helpers", () => {
+  beforeEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("returns gateway URL and throws when missing", () => {
+    expect(getGatewayUrl({ GATEWAY_URL: "https://gateway.example.com" })).toBe(
+      "https://gateway.example.com",
+    );
+
+    expect(() => getGatewayUrl({} as TestEnv)).toThrow(
+      "GATEWAY_URL is required",
+    );
+  });
+
+  it("fetches via HTTP when service binding is unavailable", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      GATEWAY_APP_API_TOKEN: "eat_test_token",
+    };
+
+    await fetchGateway({
+      env,
+      url: "/api/ai/openai/v1/responses?stream=true",
+      init: { method: "POST" },
+    });
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [requestArg] = fetchMock.mock.calls[0];
+    const request = requestArg as Request;
+
+    expect(request.url).toBe(
+      "https://gateway.example.com/api/ai/openai/v1/responses?stream=true",
+    );
+  });
+
+  it("fetches via service binding when available", async () => {
+    const bindingFetch = vi
+      .fn()
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      EVERY_APP_GATEWAY: { fetch: bindingFetch },
+      GATEWAY_APP_API_TOKEN: "eat_test_token",
+    };
+
+    await fetchGateway({
+      env,
+      url: "/api/ai/openai/v1/chat/completions",
+      init: { method: "POST" },
+    });
+
+    expect(bindingFetch).toHaveBeenCalledTimes(1);
+    const [requestArg] = bindingFetch.mock.calls[0];
+    const request = requestArg as Request;
+    expect(request.url).toBe(
+      "http://localhost/api/ai/openai/v1/chat/completions",
+    );
+  });
+
+  it("always injects app token and strips Authorization header", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      GATEWAY_APP_API_TOKEN: "eat_my_token",
+    };
+
+    await fetchGateway({
+      env,
+      url: "/api/ai/openai/v1/responses",
+      init: {
+        method: "POST",
+        headers: {
+          authorization: "Bearer some-sdk-dummy-value",
+        },
+      },
+    });
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [requestArg] = fetchMock.mock.calls[0];
+    const request = requestArg as Request;
+
+    expect(request.headers.get("x-every-app-token")).toBe("eat_my_token");
+    expect(request.headers.get("authorization")).toBeNull();
+  });
+
+  it("throws when app token is missing", async () => {
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+    };
+
+    await expect(
+      fetchGateway({
+        env,
+        url: "/api/ai/openai/v1/responses",
+      }),
+    ).rejects.toThrow("GATEWAY_APP_API_TOKEN is required");
+  });
+
+  it("supports legacy APP_TOKEN env variable", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      APP_TOKEN: "eat_legacy_token",
+    };
+
+    await fetchGateway({
+      env,
+      url: "/api/ai/openai/v1/responses",
+      init: { method: "POST" },
+    });
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [requestArg] = fetchMock.mock.calls[0];
+    const request = requestArg as Request;
+
+    expect(request.headers.get("x-every-app-token")).toBe("eat_legacy_token");
+    expect(request.headers.get("authorization")).toBeNull();
+  });
+
+  it("supports Request input and preserves method/body", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      GATEWAY_APP_API_TOKEN: "eat_test_token",
+    };
+
+    const sourceRequest = new Request(
+      "https://gateway.example.com/api/ai/openai/v1/responses",
+      {
+        method: "POST",
+        body: JSON.stringify({ model: "gpt-5.2" }),
+        headers: { "content-type": "application/json" },
+      },
+    );
+
+    await fetchGateway({
+      env,
+      url: sourceRequest,
+    });
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [requestArg] = fetchMock.mock.calls[0];
+    const request = requestArg as Request;
+    expect(request.url).toBe(
+      "https://gateway.example.com/api/ai/openai/v1/responses",
+    );
+    expect(request.method).toBe("POST");
+    expect(request.headers.get("content-type")).toBe("application/json");
+  });
+});

package/src/cloudflare/server/gateway.ts

@@ -0,0 +1,105 @@
+const SERVICE_BINDING_ORIGIN = "http://localhost";
+const APP_TOKEN_HEADER = "x-every-app-token";
+
+interface GatewayFetcher {
+  fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
+}
+
+interface GatewayEnv {
+  GATEWAY_URL?: string;
+  EVERY_APP_GATEWAY?: GatewayFetcher;
+  GATEWAY_APP_API_TOKEN?: string;
+  APP_TOKEN?: string;
+}
+
+interface FetchGatewayOptions {
+  env: GatewayEnv;
+  /** The URL, path, or Request to send to the gateway. Typically the full URL
+   *  passed by a provider SDK's custom `fetch` override. */
+  url: string | URL | Request;
+  /** Standard `RequestInit` (method, headers, body, etc.) from the provider SDK. */
+  init?: RequestInit;
+}
+
+export function getGatewayUrl(env: GatewayEnv): string {
+  const gatewayUrl = env.GATEWAY_URL?.trim();
+  if (!gatewayUrl) {
+    throw new Error("GATEWAY_URL is required");
+  }
+  return gatewayUrl;
+}
+
+/**
+ * Fetch from the gateway proxy, authenticating with the app token.
+ *
+ * - Strips any existing `Authorization` header (the gateway only accepts
+ *   app token auth via `x-every-app-token`).
+ * - Requires `GATEWAY_APP_API_TOKEN` (or legacy `APP_TOKEN`) in the env.
+ * - Routes via service binding in production, falls back to HTTP in dev.
+ */
+export async function fetchGateway({
+  env,
+  url,
+  init,
+}: FetchGatewayOptions): Promise<Response> {
+  const gatewayBaseUrl = getGatewayUrl(env);
+  const resolvedRequest = toRequest(url, init, gatewayBaseUrl);
+  const authenticatedRequest = applyAppTokenAuth(resolvedRequest, env);
+
+  // Use service binding when available for zero-latency internal routing
+  // (available in production Workers, not in local dev)
+  if (env.EVERY_APP_GATEWAY) {
+    const url = new URL(authenticatedRequest.url);
+    const bindingUrl = `${SERVICE_BINDING_ORIGIN}${url.pathname}${url.search}`;
+    const bindingRequest = new Request(bindingUrl, authenticatedRequest);
+    return env.EVERY_APP_GATEWAY.fetch(bindingRequest);
+  }
+
+  // Fall back to HTTP fetch for local dev
+  return fetch(authenticatedRequest);
+}
+
+function applyAppTokenAuth(request: Request, env: GatewayEnv): Request {
+  const appToken = getGatewayAppApiToken(env);
+  if (!appToken) {
+    throw new Error(
+      "GATEWAY_APP_API_TOKEN is required. Run `npx everyapp app deploy` to provision one.",
+    );
+  }
+
+  const headers = new Headers(request.headers);
+  headers.delete("authorization");
+  headers.set(APP_TOKEN_HEADER, appToken);
+  return new Request(request, { headers });
+}
+
+function getGatewayAppApiToken(env: GatewayEnv): string | null {
+  const configuredToken = env.GATEWAY_APP_API_TOKEN?.trim();
+  if (configuredToken) {
+    return configuredToken;
+  }
+
+  const legacyToken = env.APP_TOKEN?.trim();
+  return legacyToken || null;
+}
+
+function toRequest(
+  input: RequestInfo | URL,
+  init?: RequestInit,
+  baseUrl?: string,
+): Request {
+  if (input instanceof Request) {
+    return init ? new Request(input, init) : input;
+  }
+
+  if (input instanceof URL) {
+    return new Request(input.toString(), init);
+  }
+
+  if (typeof input === "string" && baseUrl && !/^https?:\/\//i.test(input)) {
+    const normalizedPath = input.startsWith("/") ? input : `/${input}`;
+    return new Request(new URL(normalizedPath, baseUrl).toString(), init);
+  }
+
+  return new Request(input, init);
+}

package/src/cloudflare/server/index.ts

@@ -1 +1,2 @@
 export { getLocalD1Url } from "../getLocalD1Url.js";
+export { fetchGateway, getGatewayUrl } from "./gateway.js";

package/src/core/authenticatedFetch.ts

@@ -1,8 +1,3 @@
-import {
-  DEMO_MODE_LOCAL_ONLY_TOKEN,
-  isDemoModeLocalOnlyClient,
-} from "../shared/demoModeLocalOnly";
-
 interface SessionManager {
   getToken(): Promise<string>;
 }
@@ -15,10 +10,6 @@ interface WindowWithSessionManager extends Window {
  * Gets the current session token from the embedded session manager
  */
 export async function getSessionToken(): Promise<string> {
-  if (isDemoModeLocalOnlyClient()) {
-    return DEMO_MODE_LOCAL_ONLY_TOKEN;
-  }
-
   const windowWithSession = window as WindowWithSessionManager;
   const sessionManager = windowWithSession.__embeddedSessionManager;
 

package/src/core/index.ts

@@ -1,4 +1,4 @@
-export { SessionManager, isRunningInIframe } from "./sessionManager";
-export type { SessionManagerConfig } from "./sessionManager";
+export { SessionManager, isRunningInIframe } from "./sessionManager.js";
+export type { SessionManagerConfig } from "./sessionManager.js";
 
-export { authenticatedFetch, getSessionToken } from "./authenticatedFetch";
+export { authenticatedFetch, getSessionToken } from "./authenticatedFetch.js";

package/src/core/sessionManager.ts

@@ -1,10 +1,3 @@
-import {
-  DEMO_MODE_LOCAL_ONLY_EMAIL,
-  DEMO_MODE_LOCAL_ONLY_TOKEN,
-  DEMO_MODE_LOCAL_ONLY_USER_ID,
-  isDemoModeLocalOnlyClient,
-} from "../shared/demoModeLocalOnly";
-
 interface SessionToken {
   token: string;
   expiresAt: number;
@@ -42,7 +35,6 @@ export class SessionManager {
   readonly parentOrigin: string;
   readonly appId: string;
   readonly isInIframe: boolean;
-  readonly isDemoModeLocalOnly: boolean;
 
   private token: SessionToken | null = null;
   private refreshPromise: Promise<string> | null = null;
@@ -52,35 +44,20 @@ export class SessionManager {
       throw new Error("[SessionManager] appId is required.");
     }
 
-    this.isDemoModeLocalOnly = isDemoModeLocalOnlyClient();
-
     const gatewayUrl = import.meta.env.VITE_GATEWAY_URL;
-    if (!this.isDemoModeLocalOnly) {
-      if (!gatewayUrl) {
-        throw new Error(
-          "[SessionManager] VITE_GATEWAY_URL env var is required.",
-        );
-      }
+    if (!gatewayUrl) {
+      throw new Error("[SessionManager] VITE_GATEWAY_URL env var is required.");
+    }
 
-      try {
-        new URL(gatewayUrl);
-      } catch {
-        throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
-      }
+    try {
+      new URL(gatewayUrl);
+    } catch {
+      throw new Error(`[SessionManager] Invalid gateway URL: ${gatewayUrl}`);
     }
 
     this.appId = config.appId;
-    this.parentOrigin = this.isDemoModeLocalOnly
-      ? window.location.origin
-      : gatewayUrl;
+    this.parentOrigin = gatewayUrl;
     this.isInIframe = isRunningInIframe();
-
-    if (this.isDemoModeLocalOnly) {
-      this.token = {
-        token: DEMO_MODE_LOCAL_ONLY_TOKEN,
-        expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
-      };
-    }
   }
 
   private isTokenExpiringSoon(
@@ -130,14 +107,6 @@ export class SessionManager {
   }
 
   async requestNewToken(): Promise<string> {
-    if (this.isDemoModeLocalOnly) {
-      this.token = {
-        token: DEMO_MODE_LOCAL_ONLY_TOKEN,
-        expiresAt: Date.now() + DEFAULT_TOKEN_LIFETIME_MS,
-      };
-      return this.token.token;
-    }
-
     if (this.refreshPromise) {
       return this.refreshPromise;
     }
@@ -184,13 +153,6 @@ export class SessionManager {
   }
 
   async getToken(): Promise<string> {
-    if (this.isDemoModeLocalOnly) {
-      if (!this.token || this.isTokenExpiringSoon()) {
-        return this.requestNewToken();
-      }
-      return this.token.token;
-    }
-
     if (this.isTokenExpiringSoon()) {
       return this.requestNewToken();
     }
@@ -221,13 +183,6 @@ export class SessionManager {
    * Returns null if no valid token is available.
    */
   getUser(): { userId: string; email: string } | null {
-    if (this.isDemoModeLocalOnly) {
-      return {
-        userId: DEMO_MODE_LOCAL_ONLY_USER_ID,
-        email: DEMO_MODE_LOCAL_ONLY_EMAIL,
-      };
-    }
-
     if (!this.token) {
       return null;
     }

package/src/env.d.ts

@@ -5,6 +5,8 @@ declare namespace Cloudflare {
   interface Env {
     GATEWAY_URL: string;
     EVERY_APP_GATEWAY?: Fetcher;
+    GATEWAY_APP_API_TOKEN?: string;
+    APP_TOKEN?: string;
   }
 }
 

package/src/tanstack/EmbeddedAppProvider.tsx

@@ -1,8 +1,8 @@
 import React, { createContext, useContext, useMemo } from "react";
-import { SessionManager, SessionManagerConfig } from "../core/sessionManager";
-import { useEveryAppSession } from "./_internal/useEveryAppSession";
-import { useEveryAppRouter } from "./useEveryAppRouter";
-import { GatewayRequiredError } from "./GatewayRequiredError";
+import { SessionManager, SessionManagerConfig } from "../core/sessionManager.js";
+import { useEveryAppSession } from "./_internal/useEveryAppSession.js";
+import { useEveryAppRouter } from "./useEveryAppRouter.js";
+import { GatewayRequiredError } from "./GatewayRequiredError.js";
 
 interface EmbeddedProviderConfig extends SessionManagerConfig {
   children: React.ReactNode;
@@ -27,8 +27,8 @@ export function EmbeddedAppProvider({
 
   if (!sessionManager) return null;
 
-  // Check if the app is running outside of the Gateway iframe (skip in demo mode)
-  if (!sessionManager.isInIframe && !sessionManager.isDemoModeLocalOnly) {
+  // Check if the app is running outside of the Gateway iframe
+  if (!sessionManager.isInIframe) {
     return (
       <GatewayRequiredError
         gatewayOrigin={sessionManager.parentOrigin}

package/src/tanstack/_internal/useEveryAppSession.tsx

@@ -1,5 +1,5 @@
 import { useEffect, useRef, useState } from "react";
-import { SessionManager } from "../../core/sessionManager";
+import { SessionManager } from "../../core/sessionManager.js";
 
 interface SessionManagerConfig {
   appId: string;
@@ -28,9 +28,8 @@ export function useEveryAppSession({
 
   useEffect(() => {
     if (!sessionManager) return;
-    // Skip token requests when not in iframe (unless in demo mode) - the app will show GatewayRequiredError instead
-    if (!sessionManager.isInIframe && !sessionManager.isDemoModeLocalOnly)
-      return;
+    // Skip token requests when not in iframe - the app will show GatewayRequiredError instead
+    if (!sessionManager.isInIframe) return;
 
     const interval = setInterval(() => {
       setSessionTokenState(sessionManager.getTokenState());

package/src/tanstack/index.ts

@@ -1,3 +1,3 @@
-export { useSessionTokenClientMiddleware } from "./useSessionTokenClientMiddleware";
-export { useEveryAppRouter } from "./useEveryAppRouter";
-export { EmbeddedAppProvider, useCurrentUser } from "./EmbeddedAppProvider";
+export { useSessionTokenClientMiddleware } from "./useSessionTokenClientMiddleware.js";
+export { useEveryAppRouter } from "./useEveryAppRouter.js";
+export { EmbeddedAppProvider, useCurrentUser } from "./EmbeddedAppProvider.js";

package/src/tanstack/server/authConfig.ts

@@ -1,16 +1,9 @@
-import type { AuthConfig } from "./types";
+import type { AuthConfig } from "./types.js";
 import { env } from "cloudflare:workers";
-import { isDemoModeLocalOnlyServer } from "../../shared/demoModeLocalOnly";
 
 export function getAuthConfig(): AuthConfig {
-  const demoModeLocalOnlyEnv = (env as { DEMO_MODE_LOCAL_ONLY?: string })
-    .DEMO_MODE_LOCAL_ONLY;
-  const isDemoModeLocalOnly =
-    demoModeLocalOnlyEnv === "true" || isDemoModeLocalOnlyServer() === true;
-  const issuer = env.GATEWAY_URL || (isDemoModeLocalOnly ? "local" : "");
-
   return {
-    issuer,
+    issuer: env.GATEWAY_URL,
     audience: import.meta.env.VITE_APP_ID,
   };
 }

package/src/tanstack/server/authenticateRequest.ts

@@ -6,13 +6,8 @@ import {
   JSONWebKeySet,
 } from "jose";
 
-import type { AuthConfig } from "./types";
+import type { AuthConfig } from "./types.js";
 import { env } from "cloudflare:workers";
-import {
-  DEMO_MODE_LOCAL_ONLY_TOKEN,
-  createDemoModeLocalOnlySessionPayload,
-  isDemoModeLocalOnlyServer,
-} from "../../shared/demoModeLocalOnly";
 
 /**
  * JWT payload structure for embedded app session tokens.
@@ -40,13 +35,7 @@ export async function authenticateRequest(
   const request = providedRequest || getRequest();
   const authHeader = request.headers.get("authorization");
 
-  const demoModeLocalOnlyEnv = (env as { DEMO_MODE_LOCAL_ONLY?: string })
-    .DEMO_MODE_LOCAL_ONLY;
-  const isDemoModeLocalOnly =
-    demoModeLocalOnlyEnv === "true" || isDemoModeLocalOnlyServer() === true;
-
   if (!authHeader) {
-    console.log("No auth header found");
     return null;
   }
 
@@ -56,14 +45,6 @@ export async function authenticateRequest(
     return null;
   }
 
-  if (isDemoModeLocalOnly) {
-    if (token !== DEMO_MODE_LOCAL_ONLY_TOKEN) {
-      return null;
-    }
-
-    return createDemoModeLocalOnlySessionPayload(authConfig.audience);
-  }
-
   try {
     const session = await verifySessionToken(token, authConfig);
     return session;

package/src/tanstack/server/index.ts

@@ -1,3 +1,3 @@
-export { authenticateRequest } from "./authenticateRequest";
-export type { AuthConfig } from "./types";
-export { getAuthConfig } from "./authConfig";
+export { authenticateRequest } from "./authenticateRequest.js";
+export type { AuthConfig } from "./types.js";
+export { getAuthConfig } from "./authConfig.js";

package/src/tanstack/useEveryAppRouter.tsx

@@ -1,5 +1,5 @@
 import { useEffect } from "react";
-import { SessionManager } from "../core/sessionManager";
+import { SessionManager } from "../core/sessionManager.js";
 import { useRouter } from "@tanstack/react-router";
 
 interface UseEveryAppRouterParams {

package/src/tanstack/useSessionTokenClientMiddleware.ts

@@ -1,21 +1,9 @@
 import { createMiddleware } from "@tanstack/react-start";
-import type { SessionManager } from "../core/sessionManager";
-import {
-  DEMO_MODE_LOCAL_ONLY_TOKEN,
-  isDemoModeLocalOnlyClient,
-} from "../shared/demoModeLocalOnly";
+import type { SessionManager } from "../core/sessionManager.js";
 
 export const useSessionTokenClientMiddleware = createMiddleware({
   type: "function",
 }).client(async ({ next }) => {
-  if (isDemoModeLocalOnlyClient()) {
-    return next({
-      headers: {
-        Authorization: `Bearer ${DEMO_MODE_LOCAL_ONLY_TOKEN}`,
-      },
-    });
-  }
-
   // Get the global sessionManager - this MUST be available for embedded apps
   const sessionManager = (window as any)
     .__embeddedSessionManager as SessionManager;

package/src/shared/demoModeLocalOnly.ts

@@ -1,40 +0,0 @@
-export const DEMO_MODE_LOCAL_ONLY_TOKEN = "DEMO_MODE_LOCAL_ONLY";
-export const DEMO_MODE_LOCAL_ONLY_USER_ID = "demo-local-user";
-export const DEMO_MODE_LOCAL_ONLY_EMAIL = "demo-local-user@local";
-
-export function isDemoModeLocalOnlyClient(): boolean {
-  return import.meta.env.VITE_DEMO_MODE_LOCAL_ONLY === "true";
-}
-
-export function isDemoModeLocalOnlyServer(): boolean {
-  const metaEnv = (import.meta as { env?: Record<string, string | undefined> })
-    .env;
-  const metaValue =
-    metaEnv?.DEMO_MODE_LOCAL_ONLY ?? metaEnv?.VITE_DEMO_MODE_LOCAL_ONLY;
-  if (metaValue === "true") {
-    return true;
-  }
-
-  if (
-    typeof process !== "undefined" &&
-    process.env?.DEMO_MODE_LOCAL_ONLY === "true"
-  ) {
-    return true;
-  }
-
-  return false;
-}
-
-export function createDemoModeLocalOnlySessionPayload(audience: string) {
-  const issuedAt = Math.floor(Date.now() / 1000);
-  const expiresAt = issuedAt + 60 * 60;
-
-  return {
-    sub: DEMO_MODE_LOCAL_ONLY_USER_ID,
-    email: DEMO_MODE_LOCAL_ONLY_EMAIL,
-    iss: "local",
-    aud: audience,
-    iat: issuedAt,
-    exp: expiresAt,
-  };
-}