npm - @feelflow/ffid-sdk - Versions diffs - 1.10.0 → 1.13.0 - Mend

@feelflow/ffid-sdk 1.10.0 → 1.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/{chunk-OAPA5VKR.cjs → chunk-7YV3SUEY.cjs} +810 -369
package/dist/{chunk-PSSNMEJB.js → chunk-KFOIVZEY.js} +810 -369
package/dist/components/index.cjs +7 -7
package/dist/components/index.d.cts +1 -1
package/dist/components/index.d.ts +1 -1
package/dist/components/index.js +1 -1
package/dist/{index-DsXjcF0i.d.cts → index-GrAWBpmf.d.cts} +32 -5
package/dist/{index-DsXjcF0i.d.ts → index-GrAWBpmf.d.ts} +32 -5
package/dist/index.cjs +22 -22
package/dist/index.d.cts +65 -9
package/dist/index.d.ts +65 -9
package/dist/index.js +2 -2
package/dist/server/index.cjs +814 -376
package/dist/server/index.d.cts +84 -9
package/dist/server/index.d.ts +84 -9
package/dist/server/index.js +814 -376
package/package.json +1 -1

package/dist/{chunk-OAPA5VKR.cjs → chunk-7YV3SUEY.cjs} RENAMED Viewed

@@ -9,6 +9,7 @@ var DEFAULT_API_BASE_URL = "https://id.feelflow.net";
 // src/auth/token-store.ts
 var STORAGE_KEY = "ffid_tokens";
+var TOKEN_STORE_LOG_PREFIX = "[FFID SDK] TokenStore:";
 var EXPIRY_BUFFER_SECONDS = 30;
 var EXPIRY_BUFFER_MS = EXPIRY_BUFFER_SECONDS * 1e3;
 function isLocalStorageAvailable() {
@@ -32,22 +33,33 @@ function createLocalStorageStore() {
         const raw = storage.getItem(STORAGE_KEY);
         if (!raw) return null;
         const parsed = JSON.parse(raw);
-        if (!isTokenData(parsed)) return null;
+        if (!isTokenData(parsed)) {
+          console.warn(TOKEN_STORE_LOG_PREFIX, "\u30C8\u30FC\u30AF\u30F3\u30C7\u30FC\u30BF\u304C\u4E0D\u6B63\u306A\u5F62\u5F0F\u3067\u3059\u3002\u30B9\u30C8\u30EC\u30FC\u30B8\u3092\u30AF\u30EA\u30A2\u3057\u307E\u3059");
+          storage.removeItem(STORAGE_KEY);
+          return null;
+        }
         return parsed;
-      } catch {
+      } catch (error) {
+        console.warn(TOKEN_STORE_LOG_PREFIX, "\u30C8\u30FC\u30AF\u30F3\u8AAD\u307F\u53D6\u308A\u306B\u5931\u6557\u3057\u307E\u3057\u305F\u3002\u7834\u640D\u30C7\u30FC\u30BF\u3092\u30AF\u30EA\u30A2\u3057\u307E\u3059", error);
+        try {
+          storage.removeItem(STORAGE_KEY);
+        } catch {
+        }
         return null;
       }
     },
     setTokens(tokens) {
       try {
         storage.setItem(STORAGE_KEY, JSON.stringify(tokens));
-      } catch {
+      } catch (error) {
+        console.warn(TOKEN_STORE_LOG_PREFIX, "\u30C8\u30FC\u30AF\u30F3\u4FDD\u5B58\u306B\u5931\u6557\u3057\u307E\u3057\u305F\uFF08\u30B9\u30C8\u30EC\u30FC\u30B8\u5BB9\u91CF\u8D85\u904E\u306E\u53EF\u80FD\u6027\uFF09", error);
       }
     },
     clearTokens() {
       try {
         storage.removeItem(STORAGE_KEY);
-      } catch {
+      } catch (error) {
+        console.warn(TOKEN_STORE_LOG_PREFIX, "\u30C8\u30FC\u30AF\u30F3\u524A\u9664\u306B\u5931\u6557\u3057\u307E\u3057\u305F", error);
       }
     },
     isAccessTokenExpired() {
@@ -90,54 +102,6 @@ function createTokenStore(storageType) {
   return createMemoryStore();
 }
-// src/auth/pkce.ts
-var VERIFIER_STORAGE_KEY = "ffid_code_verifier";
-var CODE_VERIFIER_MIN_LENGTH = 43;
-var UNRESERVED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
-function generateCodeVerifier() {
-  const length = CODE_VERIFIER_MIN_LENGTH;
-  const randomValues = new Uint8Array(length);
-  crypto.getRandomValues(randomValues);
-  let verifier = "";
-  for (let i = 0; i < length; i++) {
-    verifier += UNRESERVED_CHARS[randomValues[i] % UNRESERVED_CHARS.length];
-  }
-  return verifier;
-}
-async function generateCodeChallenge(verifier) {
-  const encoder = new TextEncoder();
-  const data = encoder.encode(verifier);
-  const digest = await crypto.subtle.digest("SHA-256", data);
-  return base64UrlEncode(digest);
-}
-function storeCodeVerifier(verifier) {
-  try {
-    if (typeof window === "undefined") return;
-    window.sessionStorage.setItem(VERIFIER_STORAGE_KEY, verifier);
-  } catch {
-  }
-}
-function retrieveCodeVerifier() {
-  try {
-    if (typeof window === "undefined") return null;
-    const verifier = window.sessionStorage.getItem(VERIFIER_STORAGE_KEY);
-    if (verifier) {
-      window.sessionStorage.removeItem(VERIFIER_STORAGE_KEY);
-    }
-    return verifier;
-  } catch {
-    return null;
-  }
-}
-function base64UrlEncode(buffer) {
-  const bytes = new Uint8Array(buffer);
-  let binary = "";
-  for (let i = 0; i < bytes.length; i++) {
-    binary += String.fromCharCode(bytes[i]);
-  }
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
 // src/client/oauth-userinfo.ts
 var VALID_SUBSCRIPTION_STATUSES = ["trialing", "active", "past_due", "canceled", "paused"];
 function isValidSubscriptionStatus(value) {
@@ -241,6 +205,7 @@ var OAUTH_INTROSPECT_ENDPOINT = "/api/v1/oauth/introspect";
 var CACHE_KEY_PREFIX = "ffid:introspect:";
 var HEX_BASE = 16;
 var HEX_BYTE_WIDTH = 2;
+var TOKEN_LOG_PREFIX_LENGTH = 8;
 function createVerifyAccessToken(deps) {
   const { authMode, baseUrl, serviceCode, serviceApiKey, verifyStrategy, logger, createError, errorCodes, cache, timeout } = deps;
   let jwtVerify2 = null;
@@ -256,7 +221,7 @@ function createVerifyAccessToken(deps) {
     }
     return jwtVerify2;
   }
-  async function verifyAccessToken(accessToken) {
+  async function verifyAccessToken(accessToken, options) {
     if (authMode !== "service-key") {
       return {
         error: createError(
@@ -273,12 +238,24 @@ function createVerifyAccessToken(deps) {
         )
       };
     }
+    if (options?.includeProfile && verifyStrategy === "jwt" && !serviceApiKey) {
+      return {
+        error: createError(
+          errorCodes.TOKEN_VERIFICATION_ERROR,
+          "includeProfile: true \u3092\u4F7F\u7528\u3059\u308B\u306B\u306F serviceApiKey \u306E\u8A2D\u5B9A\u304C\u5FC5\u8981\u3067\u3059"
+        )
+      };
+    }
     if (verifyStrategy === "jwt") {
-      return getJwtVerifier()(accessToken);
+      const jwtResult = await getJwtVerifier()(accessToken);
+      if (!options?.includeProfile || jwtResult.error) {
+        return jwtResult;
+      }
+      return verifyViaIntrospect(accessToken, "profile");
     }
     return verifyViaIntrospect(accessToken);
   }
-  async function verifyViaIntrospect(accessToken) {
+  async function verifyViaIntrospect(accessToken, cacheKeySuffix) {
     if (!serviceApiKey) {
       return {
         error: createError(
@@ -289,7 +266,7 @@ function createVerifyAccessToken(deps) {
     }
     const url = `${baseUrl}${OAUTH_INTROSPECT_ENDPOINT}`;
     logger.debug("Verifying access token:", url);
-    const cacheKey = await buildCacheKey(accessToken);
+    const cacheKey = cache ? await buildCacheKey(accessToken, cacheKeySuffix) : "";
     if (cache) {
       try {
         const cached = await cache.adapter.get(cacheKey);
@@ -391,16 +368,23 @@ function createVerifyAccessToken(deps) {
     }
     return { data: userinfo };
   }
-  async function buildCacheKey(token) {
+  async function buildCacheKey(token, suffix) {
+    let key;
     if (typeof globalThis.crypto?.subtle?.digest === "function") {
       const encoder = new TextEncoder();
       const data = encoder.encode(token);
       const hashBuffer = await crypto.subtle.digest("SHA-256", data);
       const hashArray = Array.from(new Uint8Array(hashBuffer));
       const hashHex = hashArray.map((b) => b.toString(HEX_BASE).padStart(HEX_BYTE_WIDTH, "0")).join("");
-      return CACHE_KEY_PREFIX + hashHex;
+      key = CACHE_KEY_PREFIX + hashHex;
+    } else {
+      const tokenPrefix = token.length > TOKEN_LOG_PREFIX_LENGTH ? token.substring(0, TOKEN_LOG_PREFIX_LENGTH) + "..." : "***";
+      logger.warn(
+        `crypto.subtle \u304C\u5229\u7528\u3067\u304D\u306A\u3044\u305F\u3081\u3001\u30AD\u30E3\u30C3\u30B7\u30E5\u30AD\u30FC\u306B\u30CF\u30C3\u30B7\u30E5\u5316\u3055\u308C\u3066\u3044\u306A\u3044\u30C8\u30FC\u30AF\u30F3\u3092\u4F7F\u7528\u3057\u307E\u3059 (token prefix: ${tokenPrefix})`
+      );
+      key = CACHE_KEY_PREFIX + token;
     }
-    return CACHE_KEY_PREFIX + token;
+    return suffix ? `${key}:${suffix}` : key;
   }
   return verifyAccessToken;
 }
@@ -453,9 +437,15 @@ function createBillingMethods(deps) {
 }
 // src/client/version-check.ts
-var SDK_VERSION = "1.10.0";
+var SDK_VERSION = "1.13.0";
 var SDK_USER_AGENT = `FFID-SDK/${SDK_VERSION} (TypeScript)`;
 var SDK_VERSION_HEADER = "X-FFID-SDK-Version";
+function sdkHeaders() {
+  return {
+    "User-Agent": SDK_USER_AGENT,
+    [SDK_VERSION_HEADER]: SDK_VERSION
+  };
+}
 var LATEST_VERSION_HEADER = "X-FFID-SDK-Latest-Version";
 var SEMVER_PATTERN = /^\d+(\.\d+)*$/;
 var _versionWarningShown = false;
@@ -489,178 +479,249 @@ npm install @feelflow/ffid-sdk@latest \u3067\u30A2\u30C3\u30D7\u30C7\u30FC\u30C8
   }
 }
-// src/client/ffid-client.ts
-var NO_CONTENT_STATUS = 204;
-var SESSION_ENDPOINT = "/api/v1/auth/session";
-var LOGOUT_ENDPOINT = "/api/v1/auth/signout";
+// src/client/oauth-token.ts
 var OAUTH_TOKEN_ENDPOINT = "/api/v1/oauth/token";
-var OAUTH_USERINFO_ENDPOINT = "/api/v1/oauth/userinfo";
-var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
 var OAUTH_REVOKE_ENDPOINT = "/api/v1/oauth/revoke";
-var EXT_CHECK_ENDPOINT = "/api/v1/subscriptions/ext/check";
-var SDK_LOG_PREFIX = "[FFID SDK]";
 var MS_PER_SECOND = 1e3;
-var UNAUTHORIZED_STATUS = 401;
-var STATE_RANDOM_BYTES = 16;
-var HEX_BASE2 = 16;
-var noopLogger = {
-  debug: () => {
-  },
-  info: () => {
-  },
-  warn: () => {
-  },
-  error: (...args) => console.error(SDK_LOG_PREFIX, ...args)
-};
-var consoleLogger = {
-  debug: (...args) => console.debug(SDK_LOG_PREFIX, ...args),
-  info: (...args) => console.info(SDK_LOG_PREFIX, ...args),
-  warn: (...args) => console.warn(SDK_LOG_PREFIX, ...args),
-  error: (...args) => console.error(SDK_LOG_PREFIX, ...args)
-};
-var FFID_ERROR_CODES = {
-  NETWORK_ERROR: "NETWORK_ERROR",
-  PARSE_ERROR: "PARSE_ERROR",
-  UNKNOWN_ERROR: "UNKNOWN_ERROR",
-  TOKEN_EXCHANGE_ERROR: "TOKEN_EXCHANGE_ERROR",
-  TOKEN_REFRESH_ERROR: "TOKEN_REFRESH_ERROR",
-  NO_TOKENS: "NO_TOKENS",
-  TOKEN_VERIFICATION_ERROR: "TOKEN_VERIFICATION_ERROR"
-};
-function createFFIDClient(config) {
-  if (!config.serviceCode || !config.serviceCode.trim()) {
-    throw new Error("FFID Client: serviceCode \u304C\u672A\u8A2D\u5B9A\u3067\u3059");
+function validateTokenResponse(tokenResponse) {
+  const invalid = [];
+  if (!tokenResponse.access_token) {
+    invalid.push("access_token");
   }
-  const baseUrl = config.apiBaseUrl ?? DEFAULT_API_BASE_URL;
-  const authMode = config.authMode ?? "cookie";
-  const clientId = config.clientId ?? config.serviceCode;
-  const resolvedRedirectUri = config.redirectUri ?? null;
-  const serviceApiKey = config.serviceApiKey?.trim();
-  const verifyStrategy = config.verifyStrategy ?? "jwt";
-  const cache = config.cache;
-  const timeout = config.timeout;
-  if (authMode === "service-key" && !serviceApiKey) {
-    throw new Error("FFID Client: service-key \u30E2\u30FC\u30C9\u3067\u306F serviceApiKey \u304C\u5FC5\u9808\u3067\u3059");
+  if (!tokenResponse.refresh_token) {
+    invalid.push("refresh_token");
   }
-  if (cache && cache.ttl <= 0) {
-    throw new Error("FFID Client: cache.ttl \u306F\u6B63\u306E\u6570\u5024\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044");
+  if (typeof tokenResponse.expires_in !== "number" || tokenResponse.expires_in <= 0) {
+    invalid.push("expires_in");
   }
-  if (timeout !== void 0 && timeout <= 0) {
-    throw new Error("FFID Client: timeout \u306F\u6B63\u306E\u6570\u5024\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044");
+  if (invalid.length > 0) {
+    return `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306B\u4E0D\u6B63\u306A\u30D5\u30A3\u30FC\u30EB\u30C9\u304C\u3042\u308A\u307E\u3059: ${invalid.join(", ")}`;
   }
-  const logger = config.logger ?? (config.debug ? consoleLogger : noopLogger);
-  const tokenStore = authMode === "token" ? createTokenStore() : createTokenStore("memory");
-  async function fetchWithAuth(endpoint, options = {}) {
-    const url = `${baseUrl}${endpoint}`;
-    logger.debug("Fetching:", url);
-    const fetchOptions = buildFetchOptions(options);
+  return null;
+}
+function createOAuthTokenMethods(deps) {
+  const {
+    baseUrl,
+    clientId,
+    resolvedRedirectUri,
+    tokenStore,
+    logger,
+    errorCodes
+  } = deps;
+  async function exchangeCodeForTokens(code, codeVerifier) {
+    const url = `${baseUrl}${OAUTH_TOKEN_ENDPOINT}`;
+    logger.debug("Exchanging code for tokens:", url);
+    const effectiveRedirectUri = resolvedRedirectUri ?? (typeof window !== "undefined" ? window.location.origin + window.location.pathname : null);
+    if (!effectiveRedirectUri) {
+      logger.error("redirectUri is required for token exchange in SSR environments. Set config.redirectUri explicitly.");
+      return {
+        error: {
+          code: errorCodes.TOKEN_EXCHANGE_ERROR,
+          message: "redirectUri \u304C\u672A\u8A2D\u5B9A\u3067\u3059\u3002SSR\u74B0\u5883\u3067\u306F config.redirectUri \u3092\u660E\u793A\u7684\u306B\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"
+        }
+      };
+    }
+    const body = {
+      grant_type: "authorization_code",
+      code,
+      client_id: clientId,
+      redirect_uri: effectiveRedirectUri
+    };
+    if (codeVerifier) {
+      body.code_verifier = codeVerifier;
+    }
     let response;
     try {
-      response = await fetch(url, fetchOptions);
+      response = await fetch(url, {
+        method: "POST",
+        credentials: "omit",
+        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
+        body: new URLSearchParams(body).toString()
+      });
     } catch (error) {
-      logger.error("Network error:", error);
+      logger.error("Network error during token exchange:", error);
       return {
         error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
+          code: errorCodes.NETWORK_ERROR,
           message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
     }
-    if (authMode === "token" && response.status === UNAUTHORIZED_STATUS) {
-      const refreshResult = await refreshAccessToken();
-      if (!refreshResult.error) {
-        logger.debug("Token refreshed, retrying request");
-        const retryOptions = buildFetchOptions(options);
-        try {
-          response = await fetch(url, retryOptions);
-        } catch (retryError) {
-          logger.error("Network error on retry:", retryError);
-          return {
-            error: {
-              code: FFID_ERROR_CODES.NETWORK_ERROR,
-              message: retryError instanceof Error ? retryError.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
-            }
-          };
-        }
-      }
-    }
-    let raw;
+    let tokenResponse;
     try {
-      raw = await response.json();
+      tokenResponse = await response.json();
     } catch (parseError) {
-      logger.error("Parse error:", parseError, "Status:", response.status);
+      logger.error("Parse error during token exchange:", parseError);
       return {
         error: {
-          code: FFID_ERROR_CODES.PARSE_ERROR,
-          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F (status: ${response.status})`
         }
       };
     }
-    logger.debug("Response:", response.status, raw);
-    checkVersionHeader(response, logger);
     if (!response.ok) {
+      const errorBody = tokenResponse;
       return {
-        error: raw.error ?? {
-          code: FFID_ERROR_CODES.UNKNOWN_ERROR,
-          message: "\u4E0D\u660E\u306A\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        error: {
+          code: errorBody.error ?? errorCodes.TOKEN_EXCHANGE_ERROR,
+          message: errorBody.error_description ?? "\u30C8\u30FC\u30AF\u30F3\u4EA4\u63DB\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
         }
       };
     }
-    if (raw.data === void 0) {
+    const validationError = validateTokenResponse(tokenResponse);
+    if (validationError) {
+      logger.error("Token exchange validation failed:", validationError);
       return {
         error: {
-          code: FFID_ERROR_CODES.UNKNOWN_ERROR,
-          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
+          code: errorCodes.TOKEN_EXCHANGE_ERROR,
+          message: validationError
         }
       };
     }
-    return { data: raw.data };
-  }
-  function sdkHeaders() {
-    return {
-      "User-Agent": SDK_USER_AGENT,
-      [SDK_VERSION_HEADER]: SDK_VERSION
-    };
+    tokenStore.setTokens({
+      accessToken: tokenResponse.access_token,
+      refreshToken: tokenResponse.refresh_token,
+      expiresAt: Date.now() + tokenResponse.expires_in * MS_PER_SECOND
+    });
+    logger.debug("Token exchange successful");
+    return { data: void 0 };
   }
-  function buildFetchOptions(options) {
-    if (authMode === "service-key") {
+  async function refreshAccessToken() {
+    const tokens = tokenStore.getTokens();
+    if (!tokens) {
       return {
-        ...options,
-        credentials: "omit",
-        headers: {
-          "Content-Type": "application/json",
-          ...sdkHeaders(),
-          "X-Service-Api-Key": serviceApiKey,
-          ...options.headers
+        error: {
+          code: errorCodes.NO_TOKENS,
+          message: "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u304C\u3042\u308A\u307E\u305B\u3093"
         }
       };
     }
-    if (authMode === "token") {
-      const tokens = tokenStore.getTokens();
-      const headers = {
-        "Content-Type": "application/json",
-        ...sdkHeaders(),
-        ...options.headers
-      };
-      if (tokens) {
-        headers["Authorization"] = `Bearer ${tokens.accessToken}`;
-      }
-      return {
-        ...options,
+    const url = `${baseUrl}${OAUTH_TOKEN_ENDPOINT}`;
+    logger.debug("Refreshing access token:", url);
+    let response;
+    try {
+      response = await fetch(url, {
+        method: "POST",
         credentials: "omit",
-        headers
+        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
+        body: new URLSearchParams({
+          grant_type: "refresh_token",
+          refresh_token: tokens.refreshToken,
+          client_id: clientId
+        }).toString()
+      });
+    } catch (error) {
+      logger.error("Network error during token refresh:", error);
+      return {
+        error: {
+          code: errorCodes.NETWORK_ERROR,
+          message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        }
       };
     }
-    return {
-      ...options,
-      credentials: "include",
-      headers: {
-        "Content-Type": "application/json",
-        ...sdkHeaders(),
-        ...options.headers
+    let tokenResponse;
+    try {
+      tokenResponse = await response.json();
+    } catch (parseError) {
+      logger.error("Parse error during token refresh:", parseError);
+      return {
+        error: {
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F (status: ${response.status})`
+        }
+      };
+    }
+    if (!response.ok) {
+      const errorBody = tokenResponse;
+      logger.error("Token refresh failed:", errorBody);
+      const irrecoverableErrors = ["token_revoked", "invalid_grant"];
+      if (errorBody.error && irrecoverableErrors.includes(errorBody.error)) {
+        tokenStore.clearTokens();
+        logger.debug("Cleared tokens due to irrecoverable refresh error:", errorBody.error);
       }
-    };
+      return {
+        error: {
+          code: errorBody.error ?? errorCodes.TOKEN_REFRESH_ERROR,
+          message: errorBody.error_description ?? "\u30C8\u30FC\u30AF\u30F3\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    const validationError = validateTokenResponse(tokenResponse);
+    if (validationError) {
+      logger.error("Token refresh validation failed:", validationError);
+      return {
+        error: {
+          code: errorCodes.TOKEN_REFRESH_ERROR,
+          message: validationError
+        }
+      };
+    }
+    tokenStore.setTokens({
+      accessToken: tokenResponse.access_token,
+      refreshToken: tokenResponse.refresh_token,
+      expiresAt: Date.now() + tokenResponse.expires_in * MS_PER_SECOND
+    });
+    logger.debug("Token refresh successful");
+    return { data: void 0 };
   }
+  async function signOutToken() {
+    const tokens = tokenStore.getTokens();
+    tokenStore.clearTokens();
+    if (!tokens) {
+      logger.debug("No tokens to revoke");
+      return { data: void 0 };
+    }
+    const url = `${baseUrl}${OAUTH_REVOKE_ENDPOINT}`;
+    logger.debug("Revoking token:", url);
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        credentials: "omit",
+        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
+        body: new URLSearchParams({
+          token: tokens.accessToken,
+          client_id: clientId
+        }).toString()
+      });
+      if (!response.ok) {
+        logger.warn(
+          "\u30C8\u30FC\u30AF\u30F3\u7121\u52B9\u5316\u30EA\u30AF\u30A8\u30B9\u30C8\u304C\u30B5\u30FC\u30D0\u30FC\u3067\u5931\u6557\u3057\u307E\u3057\u305F:",
+          `status=${response.status}`
+        );
+      }
+    } catch (error) {
+      logger.warn("\u30C8\u30FC\u30AF\u30F3\u7121\u52B9\u5316\u306E\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30EA\u30AF\u30A8\u30B9\u30C8\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+    }
+    logger.debug("Token sign-out completed");
+    return { data: void 0 };
+  }
+  return { exchangeCodeForTokens, refreshAccessToken, signOutToken };
+}
+// src/client/session.ts
+var SESSION_ENDPOINT = "/api/v1/auth/session";
+var LOGOUT_ENDPOINT = "/api/v1/auth/signout";
+var OAUTH_USERINFO_ENDPOINT = "/api/v1/oauth/userinfo";
+var NO_CONTENT_STATUS = 204;
+var UNAUTHORIZED_STATUS = 401;
+function normalizeFFIDUser(user) {
+  return {
+    ...user,
+    locale: user.locale ?? null,
+    timezone: user.timezone ?? null
+  };
+}
+function createSessionMethods(deps) {
+  const {
+    authMode,
+    baseUrl,
+    serviceCode,
+    tokenStore,
+    logger,
+    fetchWithAuth,
+    refreshAccessToken,
+    errorCodes
+  } = deps;
   async function getSession() {
     if (authMode === "token") {
       return getSessionFromUserinfo();
@@ -677,19 +738,12 @@ function createFFIDClient(config) {
     }
     return result;
   }
-  function normalizeFFIDUser(user) {
-    return {
-      ...user,
-      locale: user.locale ?? null,
-      timezone: user.timezone ?? null
-    };
-  }
   async function getSessionFromUserinfo() {
     const tokens = tokenStore.getTokens();
     if (!tokens) {
       return {
         error: {
-          code: FFID_ERROR_CODES.NO_TOKENS,
+          code: errorCodes.NO_TOKENS,
           message: "\u30C8\u30FC\u30AF\u30F3\u304C\u4FDD\u5B58\u3055\u308C\u3066\u3044\u307E\u305B\u3093"
         }
       };
@@ -710,7 +764,7 @@ function createFFIDClient(config) {
       logger.error("Network error:", error);
       return {
         error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
+          code: errorCodes.NETWORK_ERROR,
           message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
@@ -733,7 +787,7 @@ function createFFIDClient(config) {
             logger.error("Network error on retry:", retryError);
             return {
               error: {
-                code: FFID_ERROR_CODES.NETWORK_ERROR,
+                code: errorCodes.NETWORK_ERROR,
                 message: retryError instanceof Error ? retryError.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
               }
             };
@@ -750,7 +804,7 @@ function createFFIDClient(config) {
       logger.error("Parse error:", parseError, "Status:", response.status);
       return {
         error: {
-          code: FFID_ERROR_CODES.PARSE_ERROR,
+          code: errorCodes.PARSE_ERROR,
           message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
         }
       };
@@ -759,7 +813,7 @@ function createFFIDClient(config) {
       const errorBody = rawUserinfo;
       return {
         error: {
-          code: errorBody.code ?? FFID_ERROR_CODES.UNKNOWN_ERROR,
+          code: errorBody.code ?? errorCodes.UNKNOWN_ERROR,
           message: errorBody.message ?? "\u4E0D\u660E\u306A\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
@@ -778,16 +832,10 @@ function createFFIDClient(config) {
       data: {
         user,
         organizations: [],
-        subscriptions: mapUserinfoSubscriptionToSession(userinfo, config.serviceCode)
+        subscriptions: mapUserinfoSubscriptionToSession(userinfo, serviceCode)
       }
     };
   }
-  async function signOut() {
-    if (authMode === "token") {
-      return signOutToken();
-    }
-    return signOutCookie();
-  }
   async function signOutCookie() {
     const url = `${baseUrl}${LOGOUT_ENDPOINT}`;
     logger.debug("Fetching:", url);
@@ -802,7 +850,7 @@ function createFFIDClient(config) {
       logger.error("Network error:", error);
       return {
         error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
+          code: errorCodes.NETWORK_ERROR,
           message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
@@ -816,14 +864,20 @@ function createFFIDClient(config) {
         const raw = await response.json();
         return {
           error: raw.error ?? {
-            code: FFID_ERROR_CODES.UNKNOWN_ERROR,
+            code: errorCodes.UNKNOWN_ERROR,
             message: "\u4E0D\u660E\u306A\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
           }
         };
-      } catch {
+      } catch (parseError) {
+        logger.error(
+          "\u30B5\u30A4\u30F3\u30A2\u30A6\u30C8\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F:",
+          parseError,
+          "Status:",
+          response.status
+        );
         return {
           error: {
-            code: FFID_ERROR_CODES.PARSE_ERROR,
+            code: errorCodes.PARSE_ERROR,
             message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
           }
         };
@@ -832,125 +886,496 @@ function createFFIDClient(config) {
     logger.debug("Response:", response.status);
     return { data: void 0 };
   }
-  async function signOutToken() {
-    const tokens = tokenStore.getTokens();
-    tokenStore.clearTokens();
-    if (!tokens) {
-      logger.debug("No tokens to revoke");
-      return { data: void 0 };
+  return { getSession, signOutCookie };
+}
+// src/auth/pkce.ts
+var VERIFIER_STORAGE_KEY = "ffid_code_verifier";
+var CODE_VERIFIER_MIN_LENGTH = 43;
+var UNRESERVED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+function generateCodeVerifier() {
+  const length = CODE_VERIFIER_MIN_LENGTH;
+  const randomValues = new Uint8Array(length);
+  crypto.getRandomValues(randomValues);
+  let verifier = "";
+  for (let i = 0; i < length; i++) {
+    verifier += UNRESERVED_CHARS[randomValues[i] % UNRESERVED_CHARS.length];
+  }
+  return verifier;
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(digest);
+}
+function storeCodeVerifier(verifier, logger) {
+  try {
+    if (typeof window === "undefined") {
+      logger?.warn("storeCodeVerifier: sessionStorage is not available in SSR context");
+      return false;
     }
-    const url = `${baseUrl}${OAUTH_REVOKE_ENDPOINT}`;
-    logger.debug("Revoking token:", url);
+    window.sessionStorage.setItem(VERIFIER_STORAGE_KEY, verifier);
+    return true;
+  } catch (error) {
+    logger?.warn("storeCodeVerifier: sessionStorage \u3078\u306E\u4FDD\u5B58\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+    return false;
+  }
+}
+function retrieveCodeVerifier(logger) {
+  try {
+    if (typeof window === "undefined") return null;
+    const verifier = window.sessionStorage.getItem(VERIFIER_STORAGE_KEY);
+    if (verifier) {
+      window.sessionStorage.removeItem(VERIFIER_STORAGE_KEY);
+    }
+    return verifier;
+  } catch (error) {
+    logger?.warn("retrieveCodeVerifier: sessionStorage \u304B\u3089\u306E\u53D6\u5F97\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+    return null;
+  }
+}
+function base64UrlEncode(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+// src/client/redirect.ts
+var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
+var STATE_RANDOM_BYTES = 16;
+var HEX_BASE2 = 16;
+function generateRandomState() {
+  const array = new Uint8Array(STATE_RANDOM_BYTES);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => byte.toString(HEX_BASE2).padStart(2, "0")).join("");
+}
+function createRedirectMethods(deps) {
+  const {
+    authMode,
+    baseUrl,
+    clientId,
+    serviceCode,
+    resolvedRedirectUri,
+    logger
+  } = deps;
+  async function redirectToAuthorize() {
+    const verifier = generateCodeVerifier();
+    storeCodeVerifier(verifier, logger);
+    let challenge;
     try {
-      await fetch(url, {
-        method: "POST",
-        credentials: "omit",
-        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
-        body: new URLSearchParams({
-          token: tokens.accessToken,
-          client_id: clientId
-        }).toString()
-      });
+      challenge = await generateCodeChallenge(verifier);
     } catch (error) {
-      logger.warn("Token revocation failed:", error);
+      const errorMessage = error instanceof Error ? error.message : "PKCE \u30B3\u30FC\u30C9\u30C1\u30E3\u30EC\u30F3\u30B8\u306E\u751F\u6210\u306B\u5931\u6557\u3057\u307E\u3057\u305F";
+      logger.error("PKCE \u30B3\u30FC\u30C9\u30C1\u30E3\u30EC\u30F3\u30B8\u306E\u751F\u6210\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+      return { success: false, error: errorMessage };
+    }
+    const state = generateRandomState();
+    const redirectUri = resolvedRedirectUri ?? window.location.origin + window.location.pathname;
+    const params = new URLSearchParams({
+      response_type: "code",
+      client_id: clientId,
+      redirect_uri: redirectUri,
+      state,
+      code_challenge: challenge,
+      code_challenge_method: "S256"
+    });
+    const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
+    logger.debug("Redirecting to authorize:", authorizeUrl);
+    window.location.href = authorizeUrl;
+    return { success: true };
+  }
+  async function redirectToLogin() {
+    if (typeof window === "undefined") {
+      logger.warn("SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093");
+      return { success: false, error: "SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093" };
     }
-    logger.debug("Token sign-out completed");
-    return { data: void 0 };
+    if (authMode === "token") {
+      return redirectToAuthorize();
+    }
+    const currentUrl = window.location.href;
+    const loginUrl = `${baseUrl}/login?redirect=${encodeURIComponent(currentUrl)}&service=${encodeURIComponent(serviceCode)}`;
+    logger.debug("Redirecting to login:", loginUrl);
+    window.location.href = loginUrl;
+    return { success: true };
   }
-  async function exchangeCodeForTokens(code, codeVerifier) {
-    const url = `${baseUrl}${OAUTH_TOKEN_ENDPOINT}`;
-    logger.debug("Exchanging code for tokens:", url);
-    const effectiveRedirectUri = resolvedRedirectUri ?? (typeof window !== "undefined" ? window.location.origin + window.location.pathname : null);
-    if (!effectiveRedirectUri) {
-      logger.error("redirectUri is required for token exchange in SSR environments. Set config.redirectUri explicitly.");
+  function getLoginUrl(redirectUrl) {
+    let redirect;
+    if (redirectUrl != null) {
+      redirect = redirectUrl;
+    } else if (typeof window !== "undefined") {
+      redirect = window.location.href;
+    } else {
+      logger.warn("getLoginUrl: SSR \u74B0\u5883\u3067 redirectUrl \u304C\u672A\u6307\u5B9A\u306E\u305F\u3081\u7A7A\u6587\u5B57\u306B\u30D5\u30A9\u30FC\u30EB\u30D0\u30C3\u30AF\u3057\u307E\u3059");
+      redirect = "";
+    }
+    return `${baseUrl}/login?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(serviceCode)}`;
+  }
+  function getSignupUrl(redirectUrl) {
+    let redirect;
+    if (redirectUrl != null) {
+      redirect = redirectUrl;
+    } else if (typeof window !== "undefined") {
+      redirect = window.location.href;
+    } else {
+      logger.warn("getSignupUrl: SSR \u74B0\u5883\u3067 redirectUrl \u304C\u672A\u6307\u5B9A\u306E\u305F\u3081\u7A7A\u6587\u5B57\u306B\u30D5\u30A9\u30FC\u30EB\u30D0\u30C3\u30AF\u3057\u307E\u3059");
+      redirect = "";
+    }
+    return `${baseUrl}/signup?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(serviceCode)}`;
+  }
+  return { redirectToLogin, redirectToAuthorize, getLoginUrl, getSignupUrl };
+}
+// src/client/password-reset.ts
+var RESET_PASSWORD_BASE = "/api/v1/auth/reset-password";
+function isBlank(value) {
+  return !value || !value.trim();
+}
+function createPasswordResetMethods(deps) {
+  const { baseUrl, logger, createError, fetchWithAuth, errorCodes } = deps;
+  async function fetchPublic(endpoint, options = {}) {
+    const url = `${baseUrl}${endpoint}`;
+    logger.debug("Fetching (public):", url);
+    let response;
+    try {
+      response = await fetch(url, {
+        ...options,
+        credentials: "include",
+        headers: {
+          "Content-Type": "application/json",
+          ...sdkHeaders(),
+          ...options.headers
+        }
+      });
+    } catch (error) {
+      logger.error("Network error:", error);
       return {
         error: {
-          code: FFID_ERROR_CODES.TOKEN_EXCHANGE_ERROR,
-          message: "redirectUri \u304C\u672A\u8A2D\u5B9A\u3067\u3059\u3002SSR\u74B0\u5883\u3067\u306F config.redirectUri \u3092\u660E\u793A\u7684\u306B\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"
+          code: errorCodes.NETWORK_ERROR,
+          message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
     }
-    const body = {
-      grant_type: "authorization_code",
-      code,
-      client_id: clientId,
-      redirect_uri: effectiveRedirectUri
-    };
-    if (codeVerifier) {
-      body.code_verifier = codeVerifier;
+    let raw;
+    try {
+      raw = await response.json();
+    } catch (parseError) {
+      logger.error("Parse error:", parseError, "Status:", response.status);
+      return {
+        error: {
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
+        }
+      };
+    }
+    logger.debug("Response (public):", response.status, raw);
+    checkVersionHeader(response, logger);
+    if (!response.ok) {
+      return {
+        error: raw.error ?? {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "\u30D1\u30B9\u30EF\u30FC\u30C9\u30EA\u30BB\u30C3\u30C8\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    if (raw.data === void 0) {
+      return {
+        error: {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
+        }
+      };
+    }
+    return { data: raw.data };
+  }
+  async function requestPasswordReset(email) {
+    if (isBlank(email)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      RESET_PASSWORD_BASE,
+      {
+        method: "POST",
+        body: JSON.stringify({ email })
+      }
+    );
+  }
+  async function verifyPasswordResetToken(accessToken) {
+    if (isBlank(accessToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30A2\u30AF\u30BB\u30B9\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
     }
+    const query = new URLSearchParams({
+      access_token: accessToken,
+      type: "recovery"
+    });
+    return fetchPublic(
+      `${RESET_PASSWORD_BASE}/verify?${query.toString()}`
+    );
+  }
+  async function establishResetSession(accessToken, refreshToken) {
+    if (isBlank(accessToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30A2\u30AF\u30BB\u30B9\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    if (isBlank(refreshToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      `${RESET_PASSWORD_BASE}/session`,
+      {
+        method: "POST",
+        body: JSON.stringify({ accessToken, refreshToken })
+      }
+    );
+  }
+  async function confirmPasswordReset(password) {
+    if (isBlank(password)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30D1\u30B9\u30EF\u30FC\u30C9\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchWithAuth(
+      `${RESET_PASSWORD_BASE}/confirm`,
+      {
+        method: "POST",
+        body: JSON.stringify({ password })
+      }
+    );
+  }
+  return {
+    requestPasswordReset,
+    verifyPasswordResetToken,
+    establishResetSession,
+    confirmPasswordReset
+  };
+}
+// src/client/otp.ts
+var OTP_BASE = "/api/v1/auth/otp";
+function isBlank2(value) {
+  return !value || !value.trim();
+}
+function createOtpMethods(deps) {
+  const { baseUrl, logger, createError, errorCodes } = deps;
+  async function fetchPublic(endpoint, options = {}) {
+    const url = `${baseUrl}${endpoint}`;
+    logger.debug("Fetching (public):", url);
     let response;
     try {
       response = await fetch(url, {
-        method: "POST",
-        credentials: "omit",
-        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
-        body: new URLSearchParams(body).toString()
+        ...options,
+        credentials: "include",
+        headers: {
+          "Content-Type": "application/json",
+          ...sdkHeaders(),
+          ...options.headers
+        }
       });
     } catch (error) {
-      logger.error("Network error during token exchange:", error);
+      logger.error("Network error:", error);
+      return {
+        error: {
+          code: errorCodes.NETWORK_ERROR,
+          message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    let raw;
+    try {
+      raw = await response.json();
+    } catch (parseError) {
+      logger.error("Parse error:", parseError, "Status:", response.status);
+      return {
+        error: {
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
+        }
+      };
+    }
+    logger.debug("Response (public):", response.status, raw);
+    checkVersionHeader(response, logger);
+    if (!response.ok) {
+      return {
+        error: raw.error ?? {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "OTP\u8A8D\u8A3C\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    if (raw.data === void 0) {
+      return {
+        error: {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
+        }
+      };
+    }
+    return { data: raw.data };
+  }
+  async function sendOtp(email, options) {
+    if (isBlank2(email)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      `${OTP_BASE}/send`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          email,
+          ...options?.redirectUrl ? { redirectUrl: options.redirectUrl } : {}
+        })
+      }
+    );
+  }
+  async function verifyOtp(params) {
+    if (isBlank2(params.accessToken)) {
       return {
-        error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
-          message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
-        }
+        error: createError("VALIDATION_ERROR", "\u30A2\u30AF\u30BB\u30B9\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
       };
     }
-    let tokenResponse;
-    try {
-      tokenResponse = await response.json();
-    } catch (parseError) {
-      logger.error("Parse error during token exchange:", parseError);
+    if (isBlank2(params.refreshToken)) {
       return {
-        error: {
-          code: FFID_ERROR_CODES.PARSE_ERROR,
-          message: `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F (status: ${response.status})`
-        }
+        error: createError("VALIDATION_ERROR", "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
       };
     }
-    if (!response.ok) {
-      const errorBody = tokenResponse;
+    return fetchPublic(
+      `${OTP_BASE}/verify`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          accessToken: params.accessToken,
+          refreshToken: params.refreshToken
+        })
+      }
+    );
+  }
+  return {
+    sendOtp,
+    verifyOtp
+  };
+}
+// src/client/ffid-client.ts
+var UNAUTHORIZED_STATUS2 = 401;
+var SDK_LOG_PREFIX = "[FFID SDK]";
+var noopLogger = {
+  debug: () => {
+  },
+  info: () => {
+  },
+  warn: (...args) => console.warn(SDK_LOG_PREFIX, ...args),
+  error: (...args) => console.error(SDK_LOG_PREFIX, ...args)
+};
+var consoleLogger = {
+  debug: (...args) => console.debug(SDK_LOG_PREFIX, ...args),
+  info: (...args) => console.info(SDK_LOG_PREFIX, ...args),
+  warn: (...args) => console.warn(SDK_LOG_PREFIX, ...args),
+  error: (...args) => console.error(SDK_LOG_PREFIX, ...args)
+};
+var FFID_ERROR_CODES = {
+  NETWORK_ERROR: "NETWORK_ERROR",
+  PARSE_ERROR: "PARSE_ERROR",
+  UNKNOWN_ERROR: "UNKNOWN_ERROR",
+  TOKEN_EXCHANGE_ERROR: "TOKEN_EXCHANGE_ERROR",
+  TOKEN_REFRESH_ERROR: "TOKEN_REFRESH_ERROR",
+  NO_TOKENS: "NO_TOKENS",
+  TOKEN_VERIFICATION_ERROR: "TOKEN_VERIFICATION_ERROR"
+};
+var EXT_CHECK_ENDPOINT = "/api/v1/subscriptions/ext/check";
+function createFFIDClient(config) {
+  if (!config.serviceCode || !config.serviceCode.trim()) {
+    throw new Error("FFID Client: serviceCode \u304C\u672A\u8A2D\u5B9A\u3067\u3059");
+  }
+  const baseUrl = config.apiBaseUrl ?? DEFAULT_API_BASE_URL;
+  const authMode = config.authMode ?? "cookie";
+  const clientId = config.clientId ?? config.serviceCode;
+  const resolvedRedirectUri = config.redirectUri ?? null;
+  const serviceApiKey = config.serviceApiKey?.trim();
+  const verifyStrategy = config.verifyStrategy ?? "jwt";
+  const cache = config.cache;
+  const timeout = config.timeout;
+  if (authMode === "service-key" && !serviceApiKey) {
+    throw new Error("FFID Client: service-key \u30E2\u30FC\u30C9\u3067\u306F serviceApiKey \u304C\u5FC5\u9808\u3067\u3059");
+  }
+  if (cache && cache.ttl <= 0) {
+    throw new Error("FFID Client: cache.ttl \u306F\u6B63\u306E\u6570\u5024\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044");
+  }
+  if (timeout !== void 0 && timeout <= 0) {
+    throw new Error("FFID Client: timeout \u306F\u6B63\u306E\u6570\u5024\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044");
+  }
+  const logger = config.logger ?? (config.debug ? consoleLogger : noopLogger);
+  const tokenStore = authMode === "token" ? createTokenStore() : createTokenStore("memory");
+  function createError(code, message) {
+    return { code, message };
+  }
+  function buildFetchOptions(options) {
+    if (authMode === "service-key") {
       return {
-        error: {
-          code: errorBody.error ?? FFID_ERROR_CODES.TOKEN_EXCHANGE_ERROR,
-          message: errorBody.error_description ?? "\u30C8\u30FC\u30AF\u30F3\u4EA4\u63DB\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+        ...options,
+        credentials: "omit",
+        headers: {
+          "Content-Type": "application/json",
+          ...sdkHeaders(),
+          "X-Service-Api-Key": serviceApiKey,
+          ...options.headers
         }
       };
     }
-    tokenStore.setTokens({
-      accessToken: tokenResponse.access_token,
-      refreshToken: tokenResponse.refresh_token,
-      expiresAt: Date.now() + tokenResponse.expires_in * MS_PER_SECOND
-    });
-    logger.debug("Token exchange successful");
-    return { data: void 0 };
-  }
-  async function refreshAccessToken() {
-    const tokens = tokenStore.getTokens();
-    if (!tokens) {
+    if (authMode === "token") {
+      const tokens = tokenStore.getTokens();
+      const headers = {
+        "Content-Type": "application/json",
+        ...sdkHeaders(),
+        ...options.headers
+      };
+      if (tokens) {
+        headers["Authorization"] = `Bearer ${tokens.accessToken}`;
+      }
       return {
-        error: {
-          code: FFID_ERROR_CODES.NO_TOKENS,
-          message: "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u304C\u3042\u308A\u307E\u305B\u3093"
-        }
+        ...options,
+        credentials: "omit",
+        headers
       };
     }
-    const url = `${baseUrl}${OAUTH_TOKEN_ENDPOINT}`;
-    logger.debug("Refreshing access token:", url);
+    return {
+      ...options,
+      credentials: "include",
+      headers: {
+        "Content-Type": "application/json",
+        ...sdkHeaders(),
+        ...options.headers
+      }
+    };
+  }
+  const { exchangeCodeForTokens, refreshAccessToken, signOutToken } = createOAuthTokenMethods({
+    baseUrl,
+    clientId,
+    resolvedRedirectUri,
+    tokenStore,
+    logger,
+    errorCodes: FFID_ERROR_CODES
+  });
+  async function fetchWithAuth(endpoint, options = {}) {
+    const url = `${baseUrl}${endpoint}`;
+    logger.debug("Fetching:", url);
+    const fetchOptions = buildFetchOptions(options);
     let response;
     try {
-      response = await fetch(url, {
-        method: "POST",
-        credentials: "omit",
-        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
-        body: new URLSearchParams({
-          grant_type: "refresh_token",
-          refresh_token: tokens.refreshToken,
-          client_id: clientId
-        }).toString()
-      });
+      response = await fetch(url, fetchOptions);
     } catch (error) {
-      logger.error("Network error during token refresh:", error);
+      logger.error("Network error:", error);
       return {
         error: {
           code: FFID_ERROR_CODES.NETWORK_ERROR,
@@ -958,88 +1383,83 @@ function createFFIDClient(config) {
         }
       };
     }
-    let tokenResponse;
+    if (authMode === "token" && response.status === UNAUTHORIZED_STATUS2) {
+      const refreshResult = await refreshAccessToken();
+      if (!refreshResult.error) {
+        logger.debug("Token refreshed, retrying request");
+        const retryOptions = buildFetchOptions(options);
+        try {
+          response = await fetch(url, retryOptions);
+        } catch (retryError) {
+          logger.error("Network error on retry:", retryError);
+          return {
+            error: {
+              code: FFID_ERROR_CODES.NETWORK_ERROR,
+              message: retryError instanceof Error ? retryError.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+            }
+          };
+        }
+      } else {
+        logger.warn("Token refresh failed, returning refresh error:", refreshResult.error);
+        return { error: refreshResult.error };
+      }
+    }
+    let raw;
     try {
-      tokenResponse = await response.json();
+      raw = await response.json();
     } catch (parseError) {
-      logger.error("Parse error during token refresh:", parseError);
+      logger.error("Parse error:", parseError, "Status:", response.status);
       return {
         error: {
           code: FFID_ERROR_CODES.PARSE_ERROR,
-          message: `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F (status: ${response.status})`
+          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
         }
       };
     }
+    logger.debug("Response:", response.status, raw);
+    checkVersionHeader(response, logger);
     if (!response.ok) {
-      const errorBody = tokenResponse;
-      logger.error("Token refresh failed:", errorBody);
-      const irrecoverableErrors = ["token_revoked", "invalid_grant"];
-      if (errorBody.error && irrecoverableErrors.includes(errorBody.error)) {
-        tokenStore.clearTokens();
-        logger.debug("Cleared tokens due to irrecoverable refresh error:", errorBody.error);
-      }
+      return {
+        error: raw.error ?? {
+          code: FFID_ERROR_CODES.UNKNOWN_ERROR,
+          message: "\u4E0D\u660E\u306A\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    if (raw.data === void 0) {
       return {
         error: {
-          code: errorBody.error ?? FFID_ERROR_CODES.TOKEN_REFRESH_ERROR,
-          message: errorBody.error_description ?? "\u30C8\u30FC\u30AF\u30F3\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+          code: FFID_ERROR_CODES.UNKNOWN_ERROR,
+          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
         }
       };
     }
-    tokenStore.setTokens({
-      accessToken: tokenResponse.access_token,
-      refreshToken: tokenResponse.refresh_token,
-      expiresAt: Date.now() + tokenResponse.expires_in * MS_PER_SECOND
-    });
-    logger.debug("Token refresh successful");
-    return { data: void 0 };
+    return { data: raw.data };
   }
-  function redirectToLogin() {
-    if (typeof window === "undefined") {
-      logger.debug("Cannot redirect in SSR context");
-      return false;
-    }
+  const { getSession, signOutCookie } = createSessionMethods({
+    authMode,
+    baseUrl,
+    serviceCode: config.serviceCode,
+    tokenStore,
+    logger,
+    fetchWithAuth,
+    refreshAccessToken,
+    errorCodes: FFID_ERROR_CODES
+  });
+  async function signOut() {
     if (authMode === "token") {
-      return redirectToAuthorize();
+      return signOutToken();
     }
-    const currentUrl = window.location.href;
-    const loginUrl = `${baseUrl}/login?redirect=${encodeURIComponent(currentUrl)}&service=${encodeURIComponent(config.serviceCode)}`;
-    logger.debug("Redirecting to login:", loginUrl);
-    window.location.href = loginUrl;
-    return true;
-  }
-  function redirectToAuthorize() {
-    const verifier = generateCodeVerifier();
-    storeCodeVerifier(verifier);
-    generateCodeChallenge(verifier).then((challenge) => {
-      const state = generateRandomState();
-      const redirectUri = resolvedRedirectUri ?? window.location.origin + window.location.pathname;
-      const params = new URLSearchParams({
-        response_type: "code",
-        client_id: clientId,
-        redirect_uri: redirectUri,
-        state,
-        code_challenge: challenge,
-        code_challenge_method: "S256"
-      });
-      const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
-      logger.debug("Redirecting to authorize:", authorizeUrl);
-      window.location.href = authorizeUrl;
-    }).catch((error) => {
-      logger.error("Failed to generate code challenge:", error);
-    });
-    return true;
-  }
-  function getLoginUrl(redirectUrl) {
-    const redirect = redirectUrl ?? (typeof window !== "undefined" ? window.location.href : "");
-    return `${baseUrl}/login?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(config.serviceCode)}`;
-  }
-  function getSignupUrl(redirectUrl) {
-    const redirect = redirectUrl ?? (typeof window !== "undefined" ? window.location.href : "");
-    return `${baseUrl}/signup?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(config.serviceCode)}`;
-  }
-  function createError(code, message) {
-    return { code, message };
+    return signOutCookie();
   }
+  const { redirectToLogin, getLoginUrl, getSignupUrl } = createRedirectMethods({
+    authMode,
+    baseUrl,
+    clientId,
+    serviceCode: config.serviceCode,
+    resolvedRedirectUri,
+    logger
+  });
   async function checkSubscription(params) {
     if (!params.userId || !params.organizationId) {
       return {
@@ -1059,6 +1479,24 @@ function createFFIDClient(config) {
     fetchWithAuth,
     createError
   });
+  const {
+    requestPasswordReset,
+    verifyPasswordResetToken,
+    establishResetSession,
+    confirmPasswordReset
+  } = createPasswordResetMethods({
+    baseUrl,
+    logger,
+    createError,
+    fetchWithAuth,
+    errorCodes: FFID_ERROR_CODES
+  });
+  const { sendOtp, verifyOtp } = createOtpMethods({
+    baseUrl,
+    logger,
+    createError,
+    errorCodes: FFID_ERROR_CODES
+  });
   const verifyAccessToken = createVerifyAccessToken({
     authMode,
     baseUrl,
@@ -1084,6 +1522,12 @@ function createFFIDClient(config) {
     createCheckoutSession,
     createPortalSession,
     verifyAccessToken,
+    requestPasswordReset,
+    verifyPasswordResetToken,
+    establishResetSession,
+    confirmPasswordReset,
+    sendOtp,
+    verifyOtp,
     /** Token store (token mode only) */
     tokenStore,
     /** Resolved auth mode */
@@ -1096,11 +1540,6 @@ function createFFIDClient(config) {
     redirectUri: resolvedRedirectUri
   };
 }
-function generateRandomState() {
-  const array = new Uint8Array(STATE_RANDOM_BYTES);
-  crypto.getRandomValues(array);
-  return Array.from(array, (byte) => byte.toString(HEX_BASE2).padStart(2, "0")).join("");
-}
 var DEFAULT_REFRESH_INTERVAL_MS = 5 * 60 * 1e3;
 var TOKEN_REFRESH_RATIO = 0.8;
 var FFIDContext = react.createContext(null);
@@ -1186,7 +1625,9 @@ function FFIDProvider({
     }
   }, [client]);
   const login = react.useCallback(() => {
-    client.redirectToLogin();
+    client.redirectToLogin().catch((err) => {
+      client.logger.error("\u30ED\u30B0\u30A4\u30F3\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", err);
+    });
   }, [client]);
   const logout = react.useCallback(async () => {
     client.logger.debug("Signing out...");