@getpara/core-sdk 2.0.0-alpha.6 → 2.0.0-alpha.61

package/dist/cjs/ParaCore.js

@@ -99,7 +99,8 @@ var import_recovery = require("./shares/recovery.js");
 var import_utils2 = require("./utils/index.js");
 var import_errors = require("./errors.js");
 var constants = __toESM(require("./constants.js"));
-var _authInfo, _partner, _ParaCore_instances, assertPartner_fn, guestWalletIds_get, guestWalletIdsArray_get, toAuthInfo_fn, setAuthInfo_fn, getPartner_fn, createPregenWallet_fn, _isCreateGuestWalletsPending, prepareAuthState_fn, prepareLogin_fn, prepareLoginState_fn, prepareSignUpState_fn;
+var import_enclave = require("./shares/enclave.js");
+var _authInfo, _ParaCore_instances, assertPartner_fn, guestWalletIds_get, guestWalletIdsArray_get, toAuthInfo_fn, setAuthInfo_fn, getPartner_fn, assertIsLinkingAccount_fn, assertIsLinkingAccountOrStart_fn, getOAuthUrl_fn, createPregenWallet_fn, _isCreateGuestWalletsPending, prepareAuthState_fn, prepareDoneState_fn, prepareVerificationState_fn, prepareLoginState_fn, prepareSignUpState_fn;
 if (typeof global !== "undefined") {
   global.Buffer = global.Buffer || import_buffer.Buffer;
 } else if (typeof window !== "undefined") {
@@ -111,22 +112,19 @@ if (typeof global !== "undefined") {
 }
 const { pki, jsbn } = import_node_forge.default;
 const _ParaCore = class _ParaCore {
-  /**
-   * Constructs a new `ParaCore` instance.
-   * @param env - `Environment` to use.
-   * @param apiKey - API key to use.
-   * @param opts - Additional constructor options; see `ConstructorOpts`.
-   * @returns - A new ParaCore instance.
-   */
-  constructor(env, apiKey, opts) {
+  constructor(envOrApiKey, apiKeyOrOpts, opts) {
     __privateAdd(this, _ParaCore_instances);
+    this.popupWindow = null;
     __privateAdd(this, _authInfo);
     this.isNativePasskey = false;
-    __privateAdd(this, _partner);
+    this.isReady = false;
+    this.accountLinkInProgress = void 0;
+    this.isEnclaveUser = false;
     this.isAwaitingAccountCreation = false;
     this.isAwaitingLogin = false;
     this.isAwaitingFarcaster = false;
     this.isAwaitingOAuth = false;
+    this.isWorkerInitialized = false;
     /**
      * The IDs of the currently active wallets, for each supported wallet type. Any signer integrations will default to the first viable wallet ID in this dictionary.
      */
@@ -135,6 +133,7 @@ const _ParaCore = class _ParaCore {
      * Wallets associated with the `ParaCore` instance.
      */
     this.externalWallets = {};
+    this.onRampPopup = void 0;
     this.localStorageGetItem = (key) => {
       return this.platformUtils.localStorage.get(key);
     };
@@ -156,16 +155,29 @@ const _ParaCore = class _ParaCore {
     this.retrieveSessionCookie = () => {
       return this.sessionCookie;
     };
+    this.retrieveEnclaveJwt = () => {
+      return this.enclaveJwt;
+    };
+    this.retrieveEnclaveRefreshJwt = () => {
+      return this.enclaveRefreshJwt;
+    };
     /**
      * Remove all local storage and prefixed session storage.
      * @param {'local' | 'session' | 'secure' | 'all'} type - Type of storage to clear. Defaults to 'all'.
      */
     this.clearStorage = (type = "all") => __async(this, null, function* () {
       const isAll = type === "all";
-      (isAll || type === "local") && this.platformUtils.localStorage.clear(constants.PREFIX);
-      (isAll || type === "session") && this.platformUtils.sessionStorage.clear(constants.PREFIX);
+      if (isAll || type === "local") {
+        this.platformUtils.localStorage.clear(constants.PREFIX);
+        this.platformUtils.localStorage.clear(constants.PARA_PREFIX);
+      }
+      if (isAll || type === "session") {
+        this.platformUtils.sessionStorage.clear(constants.PREFIX);
+        this.platformUtils.sessionStorage.clear(constants.PARA_PREFIX);
+      }
       if ((isAll || type === "secure") && this.platformUtils.secureStorage) {
         this.platformUtils.secureStorage.clear(constants.PREFIX);
+        this.platformUtils.secureStorage.clear(constants.PARA_PREFIX);
       }
     });
     this.trackError = (methodName, err) => __async(this, null, function* () {
@@ -207,6 +219,7 @@ const _ParaCore = class _ParaCore {
       this.updateWalletIdsFromStorage();
       this.updateSessionCookieFromStorage();
       this.updateLoginEncryptionKeyPairFromStorage();
+      this.updateEnclaveJwtFromStorage();
     };
     this.updateAuthInfoFromStorage = () => {
       var _a;
@@ -226,6 +239,10 @@ const _ParaCore = class _ParaCore {
       }
       __privateSet(this, _authInfo, authInfo);
     };
+    this.updateEnclaveJwtFromStorage = () => {
+      this.enclaveJwt = this.localStorageGetItem(constants.LOCAL_STORAGE_ENCLAVE_JWT) || this.sessionStorageGetItem(constants.LOCAL_STORAGE_ENCLAVE_JWT) || void 0;
+      this.enclaveRefreshJwt = this.localStorageGetItem(constants.LOCAL_STORAGE_ENCLAVE_REFRESH_JWT) || this.sessionStorageGetItem(constants.LOCAL_STORAGE_ENCLAVE_REFRESH_JWT) || void 0;
+    };
     this.updateUserIdFromStorage = () => {
       this.userId = this.localStorageGetItem(constants.LOCAL_STORAGE_USER_ID) || void 0;
     };
@@ -286,6 +303,16 @@ const _ParaCore = class _ParaCore {
       const _externalWallets = JSON.parse(stringExternalWallets || "{}");
       this.setExternalWallets(_externalWallets);
     };
+    this.initializeWorker = () => __async(this, null, function* () {
+      if (!this.isWorkerInitialized && !this.ctx.disableWebSockets && !this.ctx.disableWorkers) {
+        try {
+          this.isWorkerInitialized = true;
+          yield this.platformUtils.initializeWorker(this.ctx);
+        } catch (e) {
+          this.devLog("error initializing worker:", e);
+        }
+      }
+    });
     /**
      * Creates several new wallets with the desired types. If no types are provided, this method
      * will create one for each of the non-optional types specified in the instance's `supportedWalletTypes`
@@ -302,8 +329,29 @@ const _ParaCore = class _ParaCore {
     }) {
       return (yield this.ctx.client.getWalletBalance({ walletId, rpcUrl })).balance;
     });
-    if (!apiKey) {
-      throw new Error("A Para API key is required.");
+    let env, apiKey;
+    const actualArgs = Array.from(arguments).filter((arg) => arg !== void 0);
+    const actualArgumentCount = actualArgs.length;
+    if (actualArgumentCount === 1) {
+      if (Object.values(import_types.Environment).includes(envOrApiKey)) {
+        throw new Error("A Para API key is required.");
+      }
+      env = _ParaCore.resolveEnvironment(void 0, actualArgs[0]);
+      apiKey = actualArgs[0];
+      opts = void 0;
+    } else if (actualArgumentCount === 2) {
+      if (typeof apiKeyOrOpts === "object" && apiKeyOrOpts !== null) {
+        env = _ParaCore.resolveEnvironment(void 0, envOrApiKey);
+        apiKey = envOrApiKey;
+        opts = apiKeyOrOpts;
+      } else {
+        env = _ParaCore.resolveEnvironment(envOrApiKey, apiKeyOrOpts);
+        apiKey = apiKeyOrOpts;
+        opts = void 0;
+      }
+    } else {
+      env = _ParaCore.resolveEnvironment(envOrApiKey, apiKeyOrOpts);
+      apiKey = apiKeyOrOpts;
     }
     if (!opts) opts = {};
     let isE2E = false;
@@ -326,6 +374,7 @@ const _ParaCore = class _ParaCore {
     this.portalTheme = opts.portalTheme;
     this.platformUtils = this.getPlatformUtils();
     this.disableProviderModal = this.platformUtils.disableProviderModal;
+    this.fetchPregenWalletsOverride = opts.fetchPregenWalletsOverride;
     if (opts.useStorageOverrides) {
       this.localStorageGetItem = opts.localStorageGetItemOverride;
       this.localStorageSetItem = opts.localStorageSetItemOverride;
@@ -345,18 +394,41 @@ const _ParaCore = class _ParaCore {
         cookie
       );
     };
+    this.persistEnclaveJwt = (jwt) => {
+      this.enclaveJwt = jwt;
+      (opts.useSessionStorage ? this.sessionStorageSetItem : this.localStorageSetItem)(
+        constants.LOCAL_STORAGE_ENCLAVE_JWT,
+        jwt
+      );
+    };
+    this.persistEnclaveRefreshJwt = (refreshJwt) => {
+      this.enclaveRefreshJwt = refreshJwt;
+      (opts.useSessionStorage ? this.sessionStorageSetItem : this.localStorageSetItem)(
+        constants.LOCAL_STORAGE_ENCLAVE_REFRESH_JWT,
+        refreshJwt
+      );
+    };
+    const client = (0, import_userManagementClient.initClient)({
+      env,
+      version: _ParaCore.version,
+      apiKey,
+      partnerId: this.isPortal(env) ? opts.portalPartnerId : void 0,
+      useFetchAdapter: !!opts.disableWorkers,
+      retrieveSessionCookie: this.retrieveSessionCookie,
+      persistSessionCookie: this.persistSessionCookie
+    });
+    const enclaveClient = new import_enclave.EnclaveClient({
+      userManagementClient: client,
+      retrieveJwt: this.retrieveEnclaveJwt,
+      persistJwt: this.persistEnclaveJwt,
+      retrieveRefreshJwt: this.retrieveEnclaveRefreshJwt,
+      persistRefreshJwt: this.persistEnclaveRefreshJwt
+    });
     this.ctx = {
       env,
       apiKey,
-      client: (0, import_userManagementClient.initClient)({
-        env,
-        version: _ParaCore.version,
-        apiKey,
-        partnerId: this.isPortal(env) ? opts.portalPartnerId : void 0,
-        useFetchAdapter: !!opts.disableWorkers,
-        retrieveSessionCookie: this.retrieveSessionCookie,
-        persistSessionCookie: this.persistSessionCookie
-      }),
+      client,
+      enclaveClient,
       disableWorkers: opts.disableWorkers,
       offloadMPCComputationURL: opts.offloadMPCComputationURL,
       useLocalFiles: opts.useLocalFiles,
@@ -391,6 +463,9 @@ const _ParaCore = class _ParaCore {
       ]);
     }
   }
+  setModalError(_error) {
+    return;
+  }
   get authInfo() {
     return __privateGet(this, _authInfo);
   }
@@ -417,8 +492,15 @@ const _ParaCore = class _ParaCore {
   get externalWalletConnectionType() {
     if (this.isExternalWalletAuth) {
       return "AUTHENTICATED";
+    } else if (this.isExternalWalletWithVerification) {
+      return "VERIFICATION";
     } else if (!!Object.keys(this.externalWallets).length) {
-      return "CONNECTION_ONLY";
+      const hasEmbeddedWallets = Object.keys(this.wallets).some((id) => !this.wallets[id].isExternal);
+      if (hasEmbeddedWallets) {
+        return "NONE";
+      } else {
+        return "CONNECTION_ONLY";
+      }
     }
     return "NONE";
   }
@@ -439,16 +521,28 @@ const _ParaCore = class _ParaCore {
     return (0, import_user_management_client.isTelegram)((_a = this.authInfo) == null ? void 0 : _a.auth);
   }
   get isExternalWalletAuth() {
-    var _a;
-    return (0, import_user_management_client.isExternalWallet)((_a = __privateGet(this, _authInfo)) == null ? void 0 : _a.auth);
+    var _a, _b, _c;
+    return (0, import_user_management_client.isExternalWallet)((_a = __privateGet(this, _authInfo)) == null ? void 0 : _a.auth) && !!((_c = (_b = __privateGet(this, _authInfo)) == null ? void 0 : _b.externalWallet) == null ? void 0 : _c.withFullParaAuth);
+  }
+  get isExternalWalletWithVerification() {
+    var _a, _b, _c;
+    return (0, import_user_management_client.isExternalWallet)((_a = __privateGet(this, _authInfo)) == null ? void 0 : _a.auth) && !!((_c = (_b = __privateGet(this, _authInfo)) == null ? void 0 : _b.externalWallet) == null ? void 0 : _c.withVerification);
   }
   get partnerId() {
     var _a;
-    return (_a = __privateGet(this, _partner)) == null ? void 0 : _a.id;
+    return (_a = this.partner) == null ? void 0 : _a.id;
+  }
+  get partnerName() {
+    var _a;
+    return (_a = this.partner) == null ? void 0 : _a.displayName;
+  }
+  get partnerLogo() {
+    var _a;
+    return (_a = this.partner) == null ? void 0 : _a.logoUrl;
   }
   get currentWalletIdsArray() {
     var _a, _b;
-    return ((_b = (_a = __privateGet(this, _partner)) == null ? void 0 : _a.supportedWalletTypes) != null ? _b : Object.keys(this.currentWalletIds).map((type) => ({ type }))).reduce(
+    return ((_b = (_a = this.partner) == null ? void 0 : _a.supportedWalletTypes) != null ? _b : Object.keys(this.currentWalletIds).map((type) => ({ type }))).reduce(
       (acc, { type }) => {
         var _a2;
         return [
@@ -488,19 +582,23 @@ const _ParaCore = class _ParaCore {
   }
   get isNoWalletConfig() {
     var _a;
-    return !!((_a = __privateGet(this, _partner)) == null ? void 0 : _a.supportedWalletTypes) && __privateGet(this, _partner).supportedWalletTypes.length === 0;
+    return !!((_a = this.partner) == null ? void 0 : _a.supportedWalletTypes) && this.partner.supportedWalletTypes.length === 0;
   }
   get supportedWalletTypes() {
     var _a, _b;
-    return (_b = (_a = __privateGet(this, _partner)) == null ? void 0 : _a.supportedWalletTypes) != null ? _b : [];
+    return (_b = (_a = this.partner) == null ? void 0 : _a.supportedWalletTypes) != null ? _b : [];
   }
   get cosmosPrefix() {
     var _a;
-    return (_a = __privateGet(this, _partner)) == null ? void 0 : _a.cosmosPrefix;
+    return (_a = this.partner) == null ? void 0 : _a.cosmosPrefix;
+  }
+  get supportedAccountLinks() {
+    var _a, _b;
+    return (_b = (_a = this.partner) == null ? void 0 : _a.supportedAccountLinks) != null ? _b : [...import_user_management_client.LINKED_ACCOUNT_TYPES];
   }
   get isWalletTypeEnabled() {
     var _a;
-    return (((_a = __privateGet(this, _partner)) == null ? void 0 : _a.supportedWalletTypes) || []).reduce((acc, { type }) => {
+    return (((_a = this.partner) == null ? void 0 : _a.supportedWalletTypes) || []).reduce((acc, { type }) => {
       return __spreadProps(__spreadValues({}, acc), { [type]: true });
     }, {});
   }
@@ -534,6 +632,12 @@ const _ParaCore = class _ParaCore {
     if (typeof window === "undefined") return false;
     return !!((_a = window.location) == null ? void 0 : _a.host) && (0, import_utils2.getPortalBaseURL)(envOverride ? { env: envOverride } : this.ctx).includes(window.location.host);
   }
+  isRecoveryPortal(envOverride) {
+    var _a, _b;
+    if (typeof window === "undefined") return false;
+    const normalizedUrl = (_b = (_a = window.location) == null ? void 0 : _a.host) == null ? void 0 : _b.replace("getpara", "usecapsule");
+    return !!normalizedUrl && (0, import_utils2.getPortalBaseURL)(envOverride ? { env: envOverride } : this.ctx).includes(normalizedUrl);
+  }
   isParaConnect() {
     var _a;
     if (typeof window === "undefined") return false;
@@ -549,7 +653,7 @@ const _ParaCore = class _ParaCore {
   }
   isWalletSupported(wallet) {
     var _a, _b;
-    return !((_a = __privateGet(this, _partner)) == null ? void 0 : _a.supportedWalletTypes) || (0, import_utils2.isWalletSupported)((_b = __privateGet(this, _partner).supportedWalletTypes.map(({ type }) => type)) != null ? _b : [], wallet);
+    return !((_a = this.partner) == null ? void 0 : _a.supportedWalletTypes) || (0, import_utils2.isWalletSupported)((_b = this.partner.supportedWalletTypes.map(({ type }) => type)) != null ? _b : [], wallet);
   }
   isWalletOwned(wallet) {
     return this.isWalletSupported(wallet) && !(wallet == null ? void 0 : wallet.pregenIdentifier) && !(wallet == null ? void 0 : wallet.pregenIdentifierType) && !!this.userId && (wallet == null ? void 0 : wallet.userId) === this.userId;
@@ -575,12 +679,12 @@ const _ParaCore = class _ParaCore {
     } else {
       const wallet = this.wallets[walletId];
       const [isUnclaimed, isOwned] = [this.isPregenWalletUnclaimed(wallet), this.isWalletOwned(wallet)];
-      if (forbidPregen && isUnclaimed) {
+      if (forbidPregen && isUnclaimed && wallet.pregenIdentifierType !== "GUEST_ID") {
         error = `pre-generated wallet with id ${wallet == null ? void 0 : wallet.id} cannot be selected`;
       } else if (!isOwned && !isUnclaimed) {
         error = `wallet with id ${wallet == null ? void 0 : wallet.id} is not owned by the current user`;
       } else if (!this.isWalletSupported(wallet)) {
-        error = `wallet with id ${wallet.id} and type ${wallet.type} is not supported, supported types are: ${(((_b = __privateGet(this, _partner)) == null ? void 0 : _b.supportedWalletTypes) || []).map(({ type }) => type).join(", ")}`;
+        error = `wallet with id ${wallet.id} and type ${wallet.type} is not supported, supported types are: ${(((_b = this.partner) == null ? void 0 : _b.supportedWalletTypes) || []).map(({ type }) => type).join(", ")}`;
       } else if (types && (!(0, import_utils2.getEquivalentTypes)(types).includes(wallet == null ? void 0 : wallet.type) || isOwned && !types.some((type) => {
         var _a2, _b2;
         return (_b2 = (_a2 = this.currentWalletIds) == null ? void 0 : _a2[type]) == null ? void 0 : _b2.includes(walletId);
@@ -611,7 +715,7 @@ const _ParaCore = class _ParaCore {
     if (this.externalWallets[walletId]) {
       const wallet2 = this.externalWallets[walletId];
       return options.truncate ? (0, import_utils2.truncateAddress)(wallet2.address, wallet2.type, {
-        prefix: (_a = __privateGet(this, _partner)) == null ? void 0 : _a.cosmosPrefix,
+        prefix: (_a = this.partner) == null ? void 0 : _a.cosmosPrefix,
         targetLength: options.targetLength
       }) : wallet2.address;
     }
@@ -623,7 +727,7 @@ const _ParaCore = class _ParaCore {
     let prefix;
     switch (wallet.type) {
       case "COSMOS":
-        prefix = (_d = (_c = options.cosmosPrefix) != null ? _c : (_b = __privateGet(this, _partner)) == null ? void 0 : _b.cosmosPrefix) != null ? _d : "cosmos";
+        prefix = (_d = (_c = options.cosmosPrefix) != null ? _c : (_b = this.partner) == null ? void 0 : _b.cosmosPrefix) != null ? _d : "cosmos";
         str = (0, import_utils2.getCosmosAddress)(wallet.publicKey, prefix);
         break;
       default:
@@ -657,29 +761,40 @@ const _ParaCore = class _ParaCore {
   constructPortalUrl(_0) {
     return __async(this, arguments, function* (type, opts = {}) {
       var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m;
-      const [isCreate, isLogin, isOnRamp] = [
-        ["createAuth", "createPassword"].includes(type),
-        ["loginAuth", "loginPassword"].includes(type),
-        type === "onRamp"
+      const [isCreate, isLogin, isOnRamp, isOAuth, isOAuthCallback, isTelegramLogin, isFarcasterLogin] = [
+        ["createAuth", "createPassword", "createPIN"].includes(type),
+        ["loginAuth", "loginPassword", "loginPIN", "loginOTP"].includes(type),
+        type === "onRamp",
+        type === "oAuth",
+        type === "oAuthCallback",
+        ["telegramLogin", "telegramLoginVerify"].includes(type),
+        type === "loginFarcaster"
       ];
+      if (isOAuth && !opts.oAuthMethod) {
+        throw new Error("oAuthMethod is required for oAuth portal URLs");
+      }
       if (isCreate || isLogin) {
         this.assertIsAuthSet();
       }
       let sessionId = opts.sessionId;
-      if ((isLogin || isOnRamp) && !sessionId) {
+      if ((isLogin || isOnRamp || isTelegramLogin || isFarcasterLogin) && !sessionId) {
         const session = yield this.touchSession(true);
         sessionId = session.sessionId;
       }
       if (!this.loginEncryptionKeyPair) {
         yield this.setLoginEncryptionKeyPair();
       }
-      const base = type === "onRamp" ? (0, import_utils2.getPortalBaseURL)(this.ctx) : yield this.getPortalURL();
+      const base = type === "onRamp" || isTelegramLogin ? (0, import_utils2.getPortalBaseURL)(this.ctx, isTelegramLogin) : yield this.getPortalURL();
       let path;
       switch (type) {
         case "createPassword": {
           path = `/web/users/${this.userId}/passwords/${opts.pathId}`;
           break;
         }
+        case "createPIN": {
+          path = `/web/users/${this.userId}/pin/${opts.pathId}`;
+          break;
+        }
         case "createAuth": {
           path = `/web/users/${this.userId}/biometrics/${opts.pathId}`;
           break;
@@ -692,32 +807,69 @@ const _ParaCore = class _ParaCore {
           path = "/web/biometrics/login";
           break;
         }
+        case "loginPIN": {
+          path = "/web/pin/login";
+          break;
+        }
         case "txReview": {
           path = `/web/users/${this.userId}/transaction-review/${opts.pathId}`;
           break;
         }
         case "onRamp": {
-          path = `/web/users/${this.userId}/on-ramp-transaction/${opts.pathId}`;
+          path = `/web/users/${this.userId}/on-ramp-transaction/v2/${opts.pathId}`;
+          break;
+        }
+        case "telegramLoginVerify": {
+          path = `/auth/telegram/verify`;
+          break;
+        }
+        case "telegramLogin": {
+          path = `/auth/telegram`;
+          break;
+        }
+        case "oAuth": {
+          path = `/auth/${opts.oAuthMethod.toLowerCase()}`;
+          break;
+        }
+        case "oAuthCallback": {
+          path = `/auth/${opts.oAuthMethod.toLowerCase()}/callback`;
+          break;
+        }
+        case "loginOTP": {
+          path = "/auth/otp";
+          break;
+        }
+        case "loginFarcaster": {
+          path = "/auth/farcaster";
           break;
         }
         default: {
           throw new Error(`invalid URL type ${type}`);
         }
       }
-      const partner = yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      let partner = void 0;
+      try {
+        partner = yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      } catch (e) {
+        if (this.isPartnerOptional) {
+          partner = void 0;
+        } else {
+          throw e;
+        }
+      }
       const thisDevice = (_a = opts.thisDevice) != null ? _a : {
         encryptionKey: (0, import_utils.getPublicKeyHex)(this.loginEncryptionKeyPair),
         sessionId
       };
-      const params = __spreadValues(__spreadValues(__spreadValues(__spreadValues({
+      const params = __spreadValues(__spreadValues(__spreadValues(__spreadValues(__spreadValues(__spreadValues({
         apiKey: this.ctx.apiKey,
-        partnerId: partner.id,
-        portalFont: ((_b = opts.portalTheme) == null ? void 0 : _b.font) || (partner == null ? void 0 : partner.font) || ((_c = this.portalTheme) == null ? void 0 : _c.font),
+        partnerId: partner == null ? void 0 : partner.id,
+        portalFont: ((_b = opts.portalTheme) == null ? void 0 : _b.font) || ((_c = this.portalTheme) == null ? void 0 : _c.font) || (partner == null ? void 0 : partner.font),
         portalBorderRadius: ((_d = opts.portalTheme) == null ? void 0 : _d.borderRadius) || ((_e = this.portalTheme) == null ? void 0 : _e.borderRadius),
-        portalThemeMode: ((_f = opts.portalTheme) == null ? void 0 : _f.mode) || (partner == null ? void 0 : partner.themeMode) || ((_g = this.portalTheme) == null ? void 0 : _g.mode),
-        portalAccentColor: ((_h = opts.portalTheme) == null ? void 0 : _h.accentColor) || (partner == null ? void 0 : partner.accentColor) || ((_i = this.portalTheme) == null ? void 0 : _i.accentColor),
-        portalForegroundColor: ((_j = opts.portalTheme) == null ? void 0 : _j.foregroundColor) || (partner == null ? void 0 : partner.foregroundColor) || ((_k = this.portalTheme) == null ? void 0 : _k.foregroundColor),
-        portalBackgroundColor: ((_l = opts.portalTheme) == null ? void 0 : _l.backgroundColor) || (partner == null ? void 0 : partner.backgroundColor) || this.portalBackgroundColor || ((_m = this.portalTheme) == null ? void 0 : _m.backgroundColor),
+        portalThemeMode: ((_f = opts.portalTheme) == null ? void 0 : _f.mode) || ((_g = this.portalTheme) == null ? void 0 : _g.mode) || (partner == null ? void 0 : partner.themeMode),
+        portalAccentColor: ((_h = opts.portalTheme) == null ? void 0 : _h.accentColor) || ((_i = this.portalTheme) == null ? void 0 : _i.accentColor) || (partner == null ? void 0 : partner.accentColor),
+        portalForegroundColor: ((_j = opts.portalTheme) == null ? void 0 : _j.foregroundColor) || ((_k = this.portalTheme) == null ? void 0 : _k.foregroundColor) || (partner == null ? void 0 : partner.foregroundColor),
+        portalBackgroundColor: ((_l = opts.portalTheme) == null ? void 0 : _l.backgroundColor) || ((_m = this.portalTheme) == null ? void 0 : _m.backgroundColor) || (partner == null ? void 0 : partner.backgroundColor) || this.portalBackgroundColor,
         portalPrimaryButtonColor: this.portalPrimaryButtonColor,
         portalTextColor: this.portalTextColor,
         portalPrimaryButtonTextColor: this.portalPrimaryButtonTextColor,
@@ -727,7 +879,7 @@ const _ParaCore = class _ParaCore {
       }, (0, import_user_management_client.isPhone)(this.authInfo.auth) ? (0, import_utils2.splitPhoneNumber)(this.authInfo.auth.phone) : this.authInfo.auth), {
         pfpUrl: this.authInfo.pfpUrl,
         displayName: this.authInfo.displayName
-      }) : {}), isOnRamp ? { sessionId } : {}), isLogin ? __spreadProps(__spreadValues({
+      }) : {}), isOnRamp ? { origin: typeof window !== "undefined" ? window.location.origin : void 0, email: this.email } : {}), isLogin || isOAuth || isOAuthCallback || isTelegramLogin || isFarcasterLogin ? __spreadProps(__spreadValues({
         sessionId: thisDevice.sessionId,
         encryptionKey: thisDevice.encryptionKey
       }, opts.newDevice ? {
@@ -735,7 +887,9 @@ const _ParaCore = class _ParaCore {
         newDeviceEncryptionKey: opts.newDevice.encryptionKey
       } : {}), {
         pregenIds: JSON.stringify(this.pregenIds)
-      }) : {}), opts.params || {});
+      }) : {}), isOAuth || isOAuthCallback || isFarcasterLogin ? {
+        appScheme: opts.appScheme
+      } : {}), isTelegramLogin ? { isEmbed: "true" } : {}), opts.params || {});
       const url = (0, import_utils2.constructUrl)({ base, path, params });
       if (opts.shorten) {
         return (0, import_utils2.shortenUrl)(this.ctx, url);
@@ -743,12 +897,72 @@ const _ParaCore = class _ParaCore {
       return url;
     });
   }
+  static resolveEnvironment(env, apiKey) {
+    var _a;
+    if (!apiKey) {
+      throw new Error("A Para API key is required.");
+    }
+    if (apiKey.includes("_")) {
+      const validEnvironmentPrefixes = Object.values(import_types.Environment);
+      const envPrefix = (_a = apiKey.split("_")[0]) == null ? void 0 : _a.toUpperCase();
+      const hasValidPrefix = validEnvironmentPrefixes.some((envValue) => envValue === envPrefix);
+      if (!hasValidPrefix) {
+        throw new Error(`Invalid API key environment prefix.`);
+      }
+      return envPrefix;
+    }
+    if (!env) {
+      throw new Error("Environment parameter is required.");
+    }
+    return env;
+  }
   touchSession(regenerate = false) {
     return __async(this, null, function* () {
-      var _a, _b, _c;
-      const session = yield this.ctx.client.touchSession(regenerate);
-      if (!__privateGet(this, _partner) || ((_a = __privateGet(this, _partner)) == null ? void 0 : _a.id) !== session.partnerId || !(0, import_utils2.supportedWalletTypesEq)(((_b = __privateGet(this, _partner)) == null ? void 0 : _b.supportedWalletTypes) || [], session.supportedWalletTypes) || (((_c = __privateGet(this, _partner)) == null ? void 0 : _c.cosmosPrefix) || "cosmos") !== session.cosmosPrefix) {
-        yield __privateMethod(this, _ParaCore_instances, getPartner_fn).call(this, session.partnerId);
+      var _a, _b, _c, _d, _e;
+      if (!this.isWorkerInitialized) {
+        this.initializeWorker();
+      }
+      if (!this.isReady) {
+        yield this.ready();
+      }
+      let session;
+      try {
+        session = yield this.ctx.client.touchSession(regenerate);
+      } catch (error) {
+        this.handleTouchSessionError(error);
+        throw error;
+      }
+      if (!this.partner || ((_a = this.partner) == null ? void 0 : _a.id) !== session.partnerId || !(0, import_utils2.supportedWalletTypesEq)(((_b = this.partner) == null ? void 0 : _b.supportedWalletTypes) || [], session.supportedWalletTypes) || (((_c = this.partner) == null ? void 0 : _c.cosmosPrefix) || "cosmos") !== session.cosmosPrefix) {
+        if (!session.partnerId && !this.isRecoveryPortal()) {
+          this.displayModalError(
+            `Invalid API Key. Please ensure you have a valid API key for the current environment: ${(_d = this.ctx.env) == null ? void 0 : _d.toUpperCase()}.`
+          );
+          console.error(`
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+\u{1F6A8} PARA SDK CONFIGURATION ERROR \u{1F6A8}
+
+INVALID API KEY FOR CONFIGURED ENVIRONMENT
+
+Your API key does not match the configured environment. This usually means:
+
+1. You're using a production API key with a development environment
+2. You're using a development API key with a production environment  
+3. Your API key is invalid or has been regenerated
+
+SOLUTION:
+\u2022 Verify your API key at: https://developer.getpara.com
+\u2022 If your API key doesn't contain an environment prefix, ensure your API key is the correct key for your target environment
+
+Current Environment: ${this.ctx.env}
+API Key Prefix: ${((_e = this.ctx.apiKey) == null ? void 0 : _e.split("_")[0].toUpperCase()) || "None"}
+
+Need help? Visit: https://docs.getpara.com or contact support
+\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501
+        `);
+          throw new Error("Invalid API Key.");
+        } else {
+          yield __privateMethod(this, _ParaCore_instances, getPartner_fn).call(this, session.partnerId);
+        }
       }
       return session;
     });
@@ -847,8 +1061,35 @@ const _ParaCore = class _ParaCore {
       return __privateGet(this, _authInfo);
     });
   }
-  assertUserId() {
-    if (!this.userId) {
+  /**
+   * Display an error message in the modal (if available)
+   * @internal
+   */
+  displayModalError(error) {
+    if (this.ctx.env !== import_types.Environment.PROD) {
+      this.setModalError(error);
+    }
+  }
+  /**
+   * Handle specific touchSession errors with user-friendly messages
+   * @private
+   */
+  handleTouchSessionError(error) {
+    const errorStr = String(error);
+    const errorMessage = error instanceof Error ? error.message : "";
+    if (errorStr.includes("blocked by CORS policy") && errorStr.includes("Access-Control-Allow-Origin")) {
+      this.displayModalError("Request rate limit reached. Please wait a couple of minutes and try again.");
+      return;
+    }
+    if (error.status === 403 && errorMessage.includes("origin not authorized")) {
+      this.displayModalError(
+        "The current origin is not allowed. Update your allowed origins in the Para developer portal to allow the current origin."
+      );
+      return;
+    }
+  }
+  assertUserId({ allowGuestMode = false } = {}) {
+    if (!this.userId || !allowGuestMode && this.isGuestMode) {
       throw new Error("no userId is set");
     }
     return this.userId;
@@ -904,19 +1145,75 @@ const _ParaCore = class _ParaCore {
    * @param externalAddress - External wallet address to set.
    * @param externalType - Type of external wallet to set.
    */
-  setExternalWallet(_0) {
-    return __async(this, arguments, function* ({ address, type, provider, addressBech32, withFullParaAuth }) {
-      this.externalWallets = {
-        [address]: {
-          id: address,
-          address: addressBech32 != null ? addressBech32 : address,
+  setExternalWallet(externalWallet) {
+    return __async(this, null, function* () {
+      const { id: partnerId, supportedWalletTypes } = yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      this.externalWallets = (Array.isArray(externalWallet) ? externalWallet : [externalWallet]).reduce(
+        (acc, {
+          partnerId: wPartnerId,
+          address,
           type,
-          name: provider,
-          isExternal: true,
-          isExternalWithParaAuth: withFullParaAuth,
-          signer: ""
+          provider,
+          providerId,
+          addressBech32,
+          withFullParaAuth,
+          isConnectionOnly,
+          withVerification
+        }) => {
+          if (partnerId === wPartnerId && supportedWalletTypes.some(({ type: supportedType }) => supportedType === type)) {
+            return __spreadProps(__spreadValues({}, acc), {
+              [address]: {
+                id: address,
+                partnerId,
+                address: addressBech32 != null ? addressBech32 : address,
+                type,
+                name: provider,
+                isExternal: true,
+                isExternalWithParaAuth: withFullParaAuth,
+                externalProviderId: providerId,
+                signer: "",
+                isExternalConnectionOnly: isConnectionOnly,
+                isExternalWithVerification: withVerification
+              }
+            });
+          }
+          return acc;
+        },
+        {}
+      ), this.setExternalWallets(this.externalWallets);
+      (0, import_utils2.dispatchEvent)(import_types.ParaEvent.EXTERNAL_WALLET_CHANGE_EVENT, null);
+    });
+  }
+  addExternalWallets(externalWallets) {
+    return __async(this, null, function* () {
+      const { id: partnerId, supportedWalletTypes } = yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      this.externalWallets = __spreadValues(__spreadValues({}, Object.entries(this.externalWallets).reduce((acc, [address, wallet]) => {
+        if (partnerId === wallet.partnerId && supportedWalletTypes.some(({ type }) => type === wallet.type)) {
+          return __spreadProps(__spreadValues({}, acc), {
+            [address]: wallet
+          });
         }
-      };
+        return acc;
+      }, {})), externalWallets.reduce(
+        (acc, { address, type, provider, providerId, addressBech32, withFullParaAuth, isConnectionOnly, withVerification }) => {
+          return __spreadProps(__spreadValues({}, acc), {
+            [address]: {
+              id: address,
+              partnerId,
+              address: addressBech32 != null ? addressBech32 : address,
+              type,
+              name: provider,
+              isExternal: true,
+              isExternalWithParaAuth: withFullParaAuth,
+              externalProviderId: providerId,
+              signer: "",
+              isExternalConnectionOnly: isConnectionOnly,
+              isExternalWithVerification: withVerification
+            }
+          });
+        },
+        {}
+      ));
       this.setExternalWallets(this.externalWallets);
       (0, import_utils2.dispatchEvent)(import_types.ParaEvent.EXTERNAL_WALLET_CHANGE_EVENT, null);
     });
@@ -947,12 +1244,16 @@ const _ParaCore = class _ParaCore {
   }
   /**
    * Sets the external wallets associated with the `ParaCore` instance.
-   * @param externalWallets - External wallets to set.
+   * @param externalWallets - External wallets to set, or a function that modifies the current wallets.
    */
   setExternalWallets(externalWallets) {
     return __async(this, null, function* () {
-      this.externalWallets = externalWallets;
-      yield this.localStorageSetItem(constants.LOCAL_STORAGE_EXTERNAL_WALLETS, JSON.stringify(externalWallets));
+      if (typeof externalWallets === "function") {
+        this.externalWallets = externalWallets(this.externalWallets);
+      } else {
+        this.externalWallets = externalWallets;
+      }
+      yield this.localStorageSetItem(constants.LOCAL_STORAGE_EXTERNAL_WALLETS, JSON.stringify(this.externalWallets));
     });
   }
   /**
@@ -1028,6 +1329,7 @@ const _ParaCore = class _ParaCore {
   /**
    * Fetches the most recent OAuth account metadata for the signed-in user.
    * If applicable, this will include the user's most recent metadata from their Google, Apple, Facebook, X, Discord, Farcaster, or Telegram account, the last time they signed in to your app.
+   * @deprecated use `para.getLinkedAccounts({ withMetadata: true })` instead.
    * @returns {Promise<AccountMetadata>} the user's account metadata.
    */
   getAccountMetadata() {
@@ -1173,8 +1475,15 @@ const _ParaCore = class _ParaCore {
   }
   getPartnerURL() {
     return __async(this, null, function* () {
-      const { portalUrl } = yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
-      return portalUrl;
+      try {
+        const { portalUrl } = yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+        return portalUrl;
+      } catch (e) {
+        if (this.isPartnerOptional) {
+          return void 0;
+        }
+        throw e;
+      }
     });
   }
   /**
@@ -1260,15 +1569,27 @@ const _ParaCore = class _ParaCore {
       } = _b, urlOptions = __objRest(_b, [
         "externalWallet"
       ]);
-      if (this.externalWalletConnectionOnly) {
-        externalWallet.withFullParaAuth = false;
-        yield this.setExternalWallet(externalWallet);
+      const externalWallets = Array.isArray(externalWallet) ? externalWallet : [externalWallet];
+      if (this.externalWalletConnectionOnly || externalWallets.every((wallet) => wallet.isConnectionOnly)) {
+        yield this.addExternalWallets(
+          externalWallets.map((wallet) => __spreadProps(__spreadValues({}, wallet), {
+            withFullParaAuth: false
+          }))
+        );
         return Promise.resolve({
           userId: constants.EXTERNAL_WALLET_CONNECTION_ONLY_USER_ID
         });
       }
+      if (Array.isArray(externalWallet)) {
+        throw new Error(
+          "Cannot authenticate multiple external wallets at once. To connect multiple wallets at once, use CONNECTION_ONLY mode."
+        );
+      }
       this.requireApiKey();
       const serverAuthState = yield this.ctx.client.loginExternalWallet({ externalWallet });
+      if (!externalWallet.withFullParaAuth && externalWallet.withVerification) {
+        yield this.touchSession(true);
+      }
       return __privateMethod(this, _ParaCore_instances, prepareAuthState_fn).call(this, serverAuthState, urlOptions);
     });
   }
@@ -1285,36 +1606,89 @@ const _ParaCore = class _ParaCore {
         "cosmosPublicKeyHex",
         "cosmosSigner"
       ]);
+      var _a;
       const serverAuthState = yield this.ctx.client.verifyExternalWallet(this.userId, {
         externalWallet,
         signedMessage,
         cosmosPublicKeyHex,
         cosmosSigner
       });
+      if (serverAuthState.stage === "login" && ((_a = serverAuthState.loginAuthMethods) == null ? void 0 : _a.includes(import_user_management_client.AuthMethod.PIN))) {
+        const { sessionLookupId } = yield this.touchSession();
+        return __privateMethod(this, _ParaCore_instances, prepareLoginState_fn).call(this, serverAuthState, __spreadProps(__spreadValues({}, urlOptions), { sessionLookupId }));
+      }
       return __privateMethod(this, _ParaCore_instances, prepareAuthState_fn).call(this, serverAuthState, urlOptions);
     });
   }
+  verifyExternalWalletLink(opts) {
+    return __async(this, null, function* () {
+      const accountLinkInProgress = yield __privateMethod(this, _ParaCore_instances, assertIsLinkingAccount_fn).call(this, ["EXTERNAL_WALLET"]);
+      if (!accountLinkInProgress.externalWallet) {
+        throw new Error("no external wallet account link in progress");
+      }
+      const accounts = yield this.verifyLink(__spreadValues({
+        accountLinkInProgress,
+        externalWallet: accountLinkInProgress.externalWallet
+      }, opts));
+      return accounts;
+    });
+  }
+  // TELEGRAM
   /**
    * Validates the response received from an attempted Telegram login for authenticity, then
    * creates or retrieves the corresponding Para user and prepares the Para instance to sign in with that user.
    * @param authResponse - the response JSON object received from the Telegram widget.
    * @returns `{ isValid: boolean; telegramUserId?: string; userId?: string; isNewUser?: boolean; supportedAuthMethods?: AuthMethod[]; biometricHints?: BiometricLocationHint[] }`
    */
-  verifyTelegram(_e) {
+  verifyTelegramProcess(_e) {
     return __async(this, null, function* () {
       var _f = _e, {
-        telegramAuthResponse
+        serverAuthState: optsServerAuthState,
+        telegramAuthResponse,
+        isLinkAccount
       } = _f, urlOptions = __objRest(_f, [
-        "telegramAuthResponse"
+        "serverAuthState",
+        "telegramAuthResponse",
+        "isLinkAccount"
       ]);
       try {
-        const serverAuthState = yield this.ctx.client.verifyTelegram(telegramAuthResponse);
-        return __privateMethod(this, _ParaCore_instances, prepareAuthState_fn).call(this, serverAuthState, urlOptions);
+        switch (isLinkAccount) {
+          case false: {
+            if (!optsServerAuthState && !telegramAuthResponse) {
+              throw new Error("one of serverAuthState or telegramAuthResponse are required for verifying telegram");
+            }
+            const serverAuthState = optsServerAuthState != null ? optsServerAuthState : yield this.ctx.client.verifyTelegram({ authObject: telegramAuthResponse });
+            const { sessionLookupId } = yield this.touchSession();
+            return __privateMethod(this, _ParaCore_instances, prepareAuthState_fn).call(this, serverAuthState, __spreadProps(__spreadValues({}, urlOptions), { sessionLookupId }));
+          }
+          case true: {
+            if (!telegramAuthResponse) {
+              throw new Error("telegramAuthResponse is required for verifying telegram link");
+            }
+            const accountLinkInProgress = yield __privateMethod(this, _ParaCore_instances, assertIsLinkingAccountOrStart_fn).call(this, "TELEGRAM");
+            const accounts = yield this.verifyLink({
+              accountLinkInProgress,
+              telegramAuthResponse
+            });
+            return accounts;
+          }
+        }
       } catch (e) {
-        throw new Error(e.message);
+        const errorMessage = e instanceof Error ? e.message : e ? String(e) : "Unknown error occurred";
+        throw new Error(errorMessage);
       }
     });
   }
+  verifyTelegram(opts) {
+    return __async(this, null, function* () {
+      return yield this.verifyTelegramProcess(__spreadProps(__spreadValues({}, opts), { isLinkAccount: false }));
+    });
+  }
+  verifyTelegramLink(opts) {
+    return __async(this, null, function* () {
+      return yield this.verifyTelegramProcess(__spreadProps(__spreadValues({}, opts), { isLinkAccount: true }));
+    });
+  }
   /**
    * Performs 2FA verification.
    * @param {Object} opts the options object
@@ -1358,10 +1732,35 @@ const _ParaCore = class _ParaCore {
   /**
    * Resend a verification email for the current user.
    */
-  resendVerificationCode() {
-    return __async(this, null, function* () {
+  resendVerificationCode(_0) {
+    return __async(this, arguments, function* ({
+      type: reason = "SIGNUP"
+    }) {
+      let type, linkedAccountId;
+      switch (reason) {
+        case "SIGNUP":
+        case "LOGIN":
+          {
+            const authInfo = this.assertIsAuthSet(["email", "phone"]);
+            type = authInfo.authType.toUpperCase();
+          }
+          break;
+        case "LINK_ACCOUNT":
+          {
+            const accountLinkInProgress = __privateMethod(this, _ParaCore_instances, assertIsLinkingAccount_fn).call(this, ["EMAIL", "PHONE"]);
+            linkedAccountId = accountLinkInProgress.id;
+            type = accountLinkInProgress.type;
+          }
+          break;
+      }
+      const userId = this.assertUserId({ allowGuestMode: true });
+      if (type !== "EMAIL" && type !== "PHONE") {
+        throw new Error("invalid auth type for verification code");
+      }
       yield this.ctx.client.resendVerificationCode(__spreadValues({
-        userId: this.userId
+        userId,
+        type,
+        linkedAccountId
       }, this.getVerificationEmailProps()));
     });
   }
@@ -1374,7 +1773,14 @@ const _ParaCore = class _ParaCore {
       if (this.externalWalletConnectionType === "CONNECTION_ONLY") {
         return true;
       }
-      const { isAuthenticated } = yield this.touchSession();
+      const { isAuthenticated, verifiedExternalWalletAddresses } = yield this.touchSession();
+      if (this.externalWalletConnectionType === "VERIFICATION") {
+        if (!verifiedExternalWalletAddresses) {
+          return false;
+        }
+        const externalAddresses = Object.values(this.externalWallets).map((w) => w.id);
+        return externalAddresses.every((address) => verifiedExternalWalletAddresses.includes(address));
+      }
       return !!isAuthenticated;
     });
   }
@@ -1385,12 +1791,18 @@ const _ParaCore = class _ParaCore {
   isFullyLoggedIn() {
     return __async(this, null, function* () {
       if (this.externalWalletConnectionType === "CONNECTION_ONLY") {
+        if (!this.isReady) {
+          yield this.ready();
+        }
         return true;
       }
       if (this.isGuestMode) {
         return true;
       }
       const isSessionActive = yield this.isSessionActive();
+      if (this.externalWalletConnectionType === "VERIFICATION") {
+        return isSessionActive;
+      }
       return isSessionActive && (this.isNoWalletConfig || this.currentWalletIdsArray.length > 0 && this.currentWalletIdsArray.reduce((acc, [id]) => acc && !!this.wallets[id], true));
     });
   }
@@ -1398,10 +1810,13 @@ const _ParaCore = class _ParaCore {
     return __privateGet(this, _ParaCore_instances, guestWalletIdsArray_get).length > 0 && Object.values(this.wallets).every(
       ({ userId, partnerId }) => {
         var _a;
-        return partnerId === ((_a = __privateGet(this, _partner)) == null ? void 0 : _a.id) && (!userId || userId !== this.userId);
+        return partnerId === ((_a = this.partner) == null ? void 0 : _a.id) && (!userId || userId !== this.userId);
       }
     );
   }
+  /**
+   * Get the auth methods available to an existing user
+   */
   supportedAuthMethods(auth) {
     return __async(this, null, function* () {
       const { supportedAuthMethods } = yield this.ctx.client.getSupportedAuthMethods(auth);
@@ -1495,36 +1910,47 @@ const _ParaCore = class _ParaCore {
     });
   }
   /**
-   * Initiates a Farcaster login attempt and return the URI for the user to connect.
+   * Initiates a Farcaster login attempt and returns the URL for the user to connect.
    * You can create a QR code with this URI that works with Farcaster's mobile app.
    * @return {string} the Farcaster connect URI
    */
   getFarcasterConnectUri() {
-    return __async(this, null, function* () {
-      const {
-        data: { connect_uri: connectUri }
-      } = yield this.ctx.client.initializeFarcasterLogin();
+    return __async(this, arguments, function* ({ appScheme } = {}) {
+      const { connect_uri: connectUri } = yield this.ctx.client.initializeFarcasterLogin({ appScheme });
       return connectUri;
     });
   }
+  // FARCASTER
   /**
    * Awaits the response from a user's attempt to log in with Farcaster.
    * If successful, this returns the user's Farcaster username and profile picture and indicates whether the user already exists.
    * @return {Object} `{userExists: boolean; username: string; pfpUrl?: string | null }` - the user's information and whether the user already exists.
    */
-  verifyFarcaster(_g) {
+  verifyFarcasterProcess(_g) {
     return __async(this, null, function* () {
       var _h = _g, {
         isCanceled = () => false,
         onConnectUri,
         onCancel,
-        onPoll
+        onPoll,
+        isLinkAccount,
+        serverAuthState: optsServerAuthState
       } = _h, urlOptions = __objRest(_h, [
         "isCanceled",
         "onConnectUri",
         "onCancel",
-        "onPoll"
+        "onPoll",
+        "isLinkAccount",
+        "serverAuthState"
       ]);
+      if (optsServerAuthState) {
+        const authState = yield __privateMethod(this, _ParaCore_instances, prepareAuthState_fn).call(this, optsServerAuthState, urlOptions);
+        return authState;
+      }
+      let accountLinkInProgress;
+      if (isLinkAccount) {
+        accountLinkInProgress = yield __privateMethod(this, _ParaCore_instances, assertIsLinkingAccountOrStart_fn).call(this, "FARCASTER");
+      }
       if (onConnectUri) {
         const connectUri = yield this.getFarcasterConnectUri();
         onConnectUri(connectUri);
@@ -1536,53 +1962,55 @@ const _ParaCore = class _ParaCore {
             try {
               if (isCanceled() || Date.now() - startedAt > constants.POLLING_TIMEOUT_MS) {
                 onCancel == null ? void 0 : onCancel();
-                return reject("canceled");
+                return reject("CANCELED");
               }
               yield new Promise((_resolve) => setTimeout(_resolve, constants.POLLING_INTERVAL_MS));
-              const serverAuthState = yield this.ctx.client.getFarcasterAuthStatus();
-              if ((0, import_utils2.isServerAuthState)(serverAuthState)) {
-                const authState = yield __privateMethod(this, _ParaCore_instances, prepareAuthState_fn).call(this, serverAuthState, urlOptions);
-                return resolve(authState);
+              switch (isLinkAccount) {
+                case false:
+                  {
+                    const serverAuthState = yield this.ctx.client.getFarcasterAuthStatus();
+                    if ((0, import_utils2.isServerAuthState)(serverAuthState)) {
+                      const authState = yield __privateMethod(this, _ParaCore_instances, prepareAuthState_fn).call(this, serverAuthState, urlOptions);
+                      return resolve(authState);
+                    }
+                  }
+                  break;
+                case true: {
+                  const result = yield this.verifyLink({
+                    accountLinkInProgress
+                  });
+                  if ("isConflict" in result) {
+                    throw new Error(import_types.AccountLinkError.Conflict);
+                  }
+                  return resolve(result);
+                }
               }
               onPoll == null ? void 0 : onPoll();
             } catch (e) {
-              console.error(e);
-              return reject(e);
+              if (!isLinkAccount || e.message === import_types.AccountLinkError.Conflict) {
+                return reject(e.message);
+              }
             }
           }
         }))();
       });
     });
   }
-  /**
-   * Generates a URL for the user to log in with OAuth using a desire method.
-   *
-   * @param {Object} opts the options object
-   * @param {TOAuthMethod} opts.method the third-party service to use for OAuth.
-   * @param {string} [opts.deeplinkUrl] the deeplink to redirect to after the OAuth flow. This is for mobile only.
-   * @returns {string} the URL for the user to log in with OAuth.
-   */
-  getOAuthUrl(_i) {
+  verifyFarcaster(opts) {
+    return __async(this, null, function* () {
+      return yield this.verifyFarcasterProcess(__spreadProps(__spreadValues({}, opts), { isLinkAccount: false }));
+    });
+  }
+  verifyFarcasterLink(opts) {
+    return __async(this, null, function* () {
+      return yield this.verifyFarcasterProcess(__spreadProps(__spreadValues({}, opts), { isLinkAccount: true }));
+    });
+  }
+  getOAuthUrl(opts) {
     return __async(this, null, function* () {
-      var _j = _i, { method, deeplinkUrl } = _j, params = __objRest(_j, ["method", "deeplinkUrl"]);
       var _a;
-      if (deeplinkUrl) {
-        try {
-          new URL(deeplinkUrl);
-        } catch (e) {
-          throw new Error("Invalid deeplink URL");
-        }
-      }
-      const sessionLookupId = (_a = params.sessionLookupId) != null ? _a : yield __privateMethod(this, _ParaCore_instances, prepareLogin_fn).call(this);
-      return (0, import_utils2.constructUrl)({
-        base: (0, import_userManagementClient.getBaseOAuthUrl)(this.ctx.env),
-        path: `/auth/${method}`,
-        params: {
-          apiKey: this.ctx.apiKey,
-          sessionLookupId,
-          deeplinkUrl
-        }
-      });
+      const sessionLookupId = (_a = opts.sessionLookupId) != null ? _a : yield this.prepareLogin();
+      return __privateMethod(this, _ParaCore_instances, getOAuthUrl_fn).call(this, __spreadProps(__spreadValues({}, opts), { sessionLookupId }));
     });
   }
   /**
@@ -1593,28 +2021,54 @@ const _ParaCore = class _ParaCore {
    * @param {Window} [opts.popupWindow] the popup window being used for login.
    * @return {Object} `{ email?: string; isError?: boolean; userExists: boolean; }` the result data
    */
-  verifyOAuth(_k) {
+  verifyOAuthProcess(_i) {
     return __async(this, null, function* () {
-      var _l = _k, {
+      var _j = _i, {
         method,
-        deeplinkUrl,
+        appScheme,
         isCanceled = () => false,
         onCancel,
         onPoll,
-        onOAuthUrl
-      } = _l, urlOptions = __objRest(_l, [
+        onOAuthUrl,
+        onOAuthPopup,
+        isLinkAccount
+      } = _j, urlOptions = __objRest(_j, [
         "method",
-        "deeplinkUrl",
+        "appScheme",
         "isCanceled",
         "onCancel",
         "onPoll",
-        "onOAuthUrl"
+        "onOAuthUrl",
+        "onOAuthPopup",
+        "isLinkAccount"
       ]);
-      let sessionLookupId;
-      if (onOAuthUrl) {
-        sessionLookupId = yield __privateMethod(this, _ParaCore_instances, prepareLogin_fn).call(this);
-        const oAuthUrl = yield this.getOAuthUrl({ method, deeplinkUrl, sessionLookupId });
-        onOAuthUrl(oAuthUrl);
+      if (onOAuthPopup) {
+        try {
+          this.popupWindow = yield this.platformUtils.openPopup("about:blank", { type: import_types.PopupType.OAUTH });
+        } catch (error) {
+          throw new Error(`Failed to open OAuth popup: ${error}`);
+        }
+      }
+      let sessionLookupId, accountLinkInProgress;
+      if (onOAuthUrl || onOAuthPopup) {
+        if (isLinkAccount) {
+          accountLinkInProgress = yield __privateMethod(this, _ParaCore_instances, assertIsLinkingAccountOrStart_fn).call(this, method);
+          sessionLookupId = (yield this.touchSession()).sessionLookupId;
+        } else {
+          sessionLookupId = yield this.prepareLogin();
+        }
+        const oAuthUrl = yield __privateMethod(this, _ParaCore_instances, getOAuthUrl_fn).call(this, { method, appScheme, sessionLookupId, accountLinkInProgress });
+        switch (true) {
+          case !!onOAuthUrl: {
+            onOAuthUrl(oAuthUrl);
+            break;
+          }
+          case (!!onOAuthPopup && !!this.popupWindow): {
+            this.popupWindow.location.href = oAuthUrl;
+            onOAuthPopup(this.popupWindow);
+            break;
+          }
+        }
       } else {
         ({ sessionLookupId } = yield this.touchSession());
       }
@@ -1625,17 +2079,29 @@ const _ParaCore = class _ParaCore {
             try {
               if (isCanceled() || Date.now() - startedAt > constants.POLLING_TIMEOUT_MS) {
                 onCancel == null ? void 0 : onCancel();
-                return reject("canceled");
+                return reject(import_types.AccountLinkError.Canceled);
               }
               yield new Promise((_resolve) => setTimeout(_resolve, constants.POLLING_INTERVAL_MS));
-              const serverAuthState = yield this.ctx.client.verifyOAuth();
-              if ((0, import_utils2.isServerAuthState)(serverAuthState)) {
-                const authState = yield __privateMethod(this, _ParaCore_instances, prepareAuthState_fn).call(this, serverAuthState, __spreadProps(__spreadValues({}, urlOptions), { sessionLookupId }));
-                return resolve(authState);
+              switch (isLinkAccount) {
+                case false:
+                  {
+                    const serverAuthState = yield this.ctx.client.verifyOAuth();
+                    if ((0, import_utils2.isServerAuthState)(serverAuthState)) {
+                      const authState = yield __privateMethod(this, _ParaCore_instances, prepareAuthState_fn).call(this, serverAuthState, __spreadProps(__spreadValues({}, urlOptions), { sessionLookupId }));
+                      return resolve(authState);
+                    }
+                  }
+                  break;
+                case true: {
+                  const accounts = yield this.verifyLink({ accountLinkInProgress });
+                  return resolve(accounts);
+                }
               }
               onPoll == null ? void 0 : onPoll();
             } catch (err) {
-              console.error(err);
+              if (isLinkAccount && err.message === import_types.AccountLinkError.Conflict) {
+                return reject(err.message);
+              }
               onPoll == null ? void 0 : onPoll();
             }
           }
@@ -1643,6 +2109,16 @@ const _ParaCore = class _ParaCore {
       });
     });
   }
+  verifyOAuth(opts) {
+    return __async(this, null, function* () {
+      return yield this.verifyOAuthProcess(__spreadProps(__spreadValues({}, opts), { isLinkAccount: false }));
+    });
+  }
+  verifyOAuthLink(opts) {
+    return __async(this, null, function* () {
+      return yield this.verifyOAuthProcess(__spreadProps(__spreadValues({}, opts), { isLinkAccount: true }));
+    });
+  }
   /**
    * Waits for the session to be active and sets up the user.
    *
@@ -1728,7 +2204,7 @@ const _ParaCore = class _ParaCore {
         sessionId
       });
       if (shouldOpenPopup) {
-        this.platformUtils.openPopup(link);
+        yield this.platformUtils.openPopup(link);
       }
       return link;
     });
@@ -1819,7 +2295,9 @@ const _ParaCore = class _ParaCore {
         userId: this.userId,
         walletId,
         userShare: userSigner,
-        emailProps: this.getBackupKitEmailProps()
+        emailProps: this.getBackupKitEmailProps(),
+        isEnclaveUser: this.isEnclaveUser,
+        walletScheme: this.wallets[walletId].scheme
       });
       return recoveryShare;
     });
@@ -1947,7 +2425,9 @@ const _ParaCore = class _ParaCore {
         ignoreRedistributingBackupEncryptedShare: !redistributeBackupEncryptedShares,
         emailProps: this.getBackupKitEmailProps(),
         partnerId: newPartnerId,
-        protocolId
+        protocolId,
+        isEnclaveUser: this.isEnclaveUser,
+        walletScheme: this.wallets[walletId].scheme
       });
       return { signer, recoverySecret, protocolId };
     });
@@ -2013,7 +2493,9 @@ const _ParaCore = class _ParaCore {
           userId: this.userId,
           walletId: wallet.id,
           userShare: signer,
-          emailProps: this.getBackupKitEmailProps()
+          emailProps: this.getBackupKitEmailProps(),
+          isEnclaveUser: this.isEnclaveUser,
+          walletScheme: wallet.scheme
         });
       }
       yield this.setCurrentWalletIds(__spreadProps(__spreadValues({}, this.currentWalletIds), {
@@ -2094,7 +2576,9 @@ const _ParaCore = class _ParaCore {
             walletId: wallet.id,
             userShare: this.wallets[wallet.id].signer,
             emailProps: this.getBackupKitEmailProps(),
-            partnerId: wallet.partnerId
+            partnerId: wallet.partnerId,
+            isEnclaveUser: this.isEnclaveUser,
+            walletScheme: wallet.scheme
           });
           if (distributeRes.length > 0) {
             newRecoverySecret = distributeRes;
@@ -2272,25 +2756,12 @@ const _ParaCore = class _ParaCore {
       });
     });
   }
-  getOnRampTransactionUrl(_m) {
-    return __async(this, null, function* () {
-      var _n = _m, {
-        purchaseId,
-        providerKey
-      } = _n, walletParams = __objRest(_n, [
-        "purchaseId",
-        "providerKey"
-      ]);
-      const { sessionId } = yield this.touchSession();
-      const [key, identifier] = (0, import_user_management_client.extractWalletRef)(walletParams);
+  getOnRampTransactionUrl(_0) {
+    return __async(this, arguments, function* ({
+      purchaseId
+    }) {
       return this.constructPortalUrl("onRamp", {
-        pathId: purchaseId,
-        sessionId,
-        params: {
-          [key]: identifier,
-          providerKey,
-          currentWalletIds: JSON.stringify(this.currentWalletIds)
-        }
+        pathId: purchaseId
       });
     });
   }
@@ -2315,6 +2786,7 @@ const _ParaCore = class _ParaCore {
       onCancel,
       onPoll
     }) {
+      var _a;
       this.assertIsValidWalletId(walletId);
       const wallet = this.wallets[walletId];
       let signerId = this.userId;
@@ -2324,7 +2796,7 @@ const _ParaCore = class _ParaCore {
       let signRes = yield this.signMessageInner({ wallet, signerId, messageBase64, cosmosSignDocBase64 });
       let timeStart = Date.now();
       if (signRes.pendingTransactionId) {
-        this.platformUtils.openPopup(
+        yield this.platformUtils.openPopup(
           yield this.getTransactionReviewUrl(signRes.pendingTransactionId, timeoutMs),
           { type: cosmosSignDocBase64 ? import_types.PopupType.SIGN_TRANSACTION_REVIEW : import_types.PopupType.SIGN_MESSAGE_REVIEW }
         );
@@ -2338,18 +2810,19 @@ const _ParaCore = class _ParaCore {
           break;
         }
         yield new Promise((resolve) => setTimeout(resolve, constants.POLLING_INTERVAL_MS));
+        let pendingTransaction;
         try {
-          yield this.ctx.client.getPendingTransaction(this.userId, signRes.pendingTransactionId);
+          pendingTransaction = (_a = (yield this.ctx.client.getPendingTransaction(this.userId, signRes.pendingTransactionId)).data) == null ? void 0 : _a.pendingTransaction;
         } catch (err) {
           const error = new import_errors.TransactionReviewDenied();
           (0, import_utils2.dispatchEvent)(import_types.ParaEvent.SIGN_MESSAGE_EVENT, signRes, error.message);
           throw error;
         }
-        signRes = yield this.signMessageInner({ wallet, signerId, messageBase64, cosmosSignDocBase64 });
-        if (signRes.pendingTransactionId) {
+        if (!(pendingTransaction == null ? void 0 : pendingTransaction.approvedAt)) {
           onPoll == null ? void 0 : onPoll();
           continue;
         } else {
+          signRes = yield this.signMessageInner({ wallet, signerId, messageBase64, cosmosSignDocBase64 });
           break;
         }
       }
@@ -2418,6 +2891,7 @@ const _ParaCore = class _ParaCore {
       onCancel,
       onPoll
     }) {
+      var _a;
       this.assertIsValidWalletId(walletId);
       const wallet = this.wallets[walletId];
       let signerId = this.userId;
@@ -2436,7 +2910,7 @@ const _ParaCore = class _ParaCore {
       );
       let timeStart = Date.now();
       if (signRes.pendingTransactionId) {
-        this.platformUtils.openPopup(
+        yield this.platformUtils.openPopup(
           yield this.getTransactionReviewUrl(signRes.pendingTransactionId, timeoutMs),
           { type: import_types.PopupType.SIGN_TRANSACTION_REVIEW }
         );
@@ -2450,27 +2924,28 @@ const _ParaCore = class _ParaCore {
           break;
         }
         yield new Promise((resolve) => setTimeout(resolve, constants.POLLING_INTERVAL_MS));
+        let pendingTransaction;
         try {
-          yield this.ctx.client.getPendingTransaction(this.userId, signRes.pendingTransactionId);
+          pendingTransaction = (_a = (yield this.ctx.client.getPendingTransaction(this.userId, signRes.pendingTransactionId)).data) == null ? void 0 : _a.pendingTransaction;
         } catch (err) {
           const error = new import_errors.TransactionReviewDenied();
           (0, import_utils2.dispatchEvent)(import_types.ParaEvent.SIGN_TRANSACTION_EVENT, signRes, error.message);
           throw error;
         }
-        signRes = yield this.platformUtils.signTransaction(
-          this.ctx,
-          signerId,
-          walletId,
-          this.wallets[walletId].signer,
-          rlpEncodedTxBase64,
-          chainId,
-          this.retrieveSessionCookie(),
-          wallet.scheme === "DKLS"
-        );
-        if (signRes.pendingTransactionId) {
+        if (!(pendingTransaction == null ? void 0 : pendingTransaction.approvedAt)) {
           onPoll == null ? void 0 : onPoll();
           continue;
         } else {
+          signRes = yield this.platformUtils.signTransaction(
+            this.ctx,
+            signerId,
+            walletId,
+            this.wallets[walletId].signer,
+            rlpEncodedTxBase64,
+            chainId,
+            this.retrieveSessionCookie(),
+            wallet.scheme === "DKLS"
+          );
           break;
         }
       }
@@ -2512,7 +2987,8 @@ const _ParaCore = class _ParaCore {
         providerKey: onRampPurchase.providerKey
       }, walletParams));
       if (shouldOpenPopup) {
-        this.platformUtils.openPopup(portalUrl, { type: import_types.PopupType.ON_RAMP_TRANSACTION });
+        const onRampWindow = yield this.platformUtils.openPopup(portalUrl, { type: import_types.PopupType.ON_RAMP_TRANSACTION });
+        this.onRampPopup = { window: onRampWindow, onRampPurchase };
       }
       return { onRampPurchase, portalUrl };
     });
@@ -2595,6 +3071,20 @@ const _ParaCore = class _ParaCore {
       return sessionLookupId;
     });
   }
+  issueJwt() {
+    return __async(this, arguments, function* ({ keyIndex = 0 } = {}) {
+      try {
+        return yield this.ctx.client.issueJwt({ keyIndex });
+      } catch (error) {
+        if (error.status === 403 || error.status === 401) {
+          const errorMessage = "The user needs to be logged in to issue a JWT. Please log in and try again.";
+          this.displayModalError(errorMessage);
+          console.warn(errorMessage);
+        }
+        throw error;
+      }
+    });
+  }
   /**
    * Logs the user out.
    * @param {Object} opts the options object.
@@ -2602,6 +3092,7 @@ const _ParaCore = class _ParaCore {
    **/
   logout() {
     return __async(this, arguments, function* ({ clearPregenWallets = false } = {}) {
+      const shouldDispatchLogoutEvent = yield this.isSessionActive();
       yield this.ctx.client.logout();
       yield this.clearStorage();
       if (!clearPregenWallets) {
@@ -2618,22 +3109,17 @@ const _ParaCore = class _ParaCore {
       this.externalWallets = {};
       this.loginEncryptionKeyPair = void 0;
       __privateSet(this, _authInfo, void 0);
+      this.accountLinkInProgress = void 0;
       this.userId = void 0;
       this.sessionCookie = void 0;
-      (0, import_utils2.dispatchEvent)(import_types.ParaEvent.LOGOUT_EVENT, null);
-    });
-  }
-  /** @deprecated */
-  getSupportedCreateAuthMethods() {
-    return __async(this, null, function* () {
-      const partner = yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
-      let supportedAuthMethods = /* @__PURE__ */ new Set();
-      for (const authMethod of partner.supportedAuthMethods) {
-        supportedAuthMethods.add(import_user_management_client.AuthMethod[authMethod]);
+      if (shouldDispatchLogoutEvent) {
+        (0, import_utils2.dispatchEvent)(import_types.ParaEvent.LOGOUT_EVENT, null);
       }
-      return supportedAuthMethods;
     });
   }
+  get toStringAdditions() {
+    return {};
+  }
   /**
    * Converts to a string, removing sensitive data when logging this class.
    *
@@ -2657,10 +3143,10 @@ const _ParaCore = class _ParaCore {
       }),
       {}
     );
-    const obj = {
-      partnerId: (_a = __privateGet(this, _partner)) == null ? void 0 : _a.id,
-      supportedWalletTypes: (_b = __privateGet(this, _partner)) == null ? void 0 : _b.supportedWalletTypes,
-      cosmosPrefix: (_c = __privateGet(this, _partner)) == null ? void 0 : _c.cosmosPrefix,
+    const obj = __spreadProps(__spreadValues({
+      partnerId: (_a = this.partner) == null ? void 0 : _a.id,
+      supportedWalletTypes: (_b = this.partner) == null ? void 0 : _b.supportedWalletTypes,
+      cosmosPrefix: (_c = this.partner) == null ? void 0 : _c.cosmosPrefix,
       authInfo: __privateGet(this, _authInfo),
       isGuestMode: this.isGuestMode,
       userId: this.userId,
@@ -2670,6 +3156,8 @@ const _ParaCore = class _ParaCore {
       wallets: redactedWallets,
       externalWallets: redactedExternalWallets,
       loginEncryptionKeyPair: this.loginEncryptionKeyPair ? "[REDACTED]" : void 0,
+      isReady: this.isReady
+    }, this.toStringAdditions), {
       ctx: {
         apiKey: this.ctx.apiKey,
         disableWorkers: this.ctx.disableWorkers,
@@ -2680,9 +3168,14 @@ const _ParaCore = class _ParaCore {
         useDKLS: this.ctx.useDKLS,
         cosmosPrefix: this.ctx.cosmosPrefix
       }
-    };
+    });
     return `Para ${JSON.stringify(obj, null, 2)}`;
   }
+  devLog(...s) {
+    if (this.ctx.env === import_types.Environment.DEV || this.ctx.env === import_types.Environment.SANDBOX) {
+      console.log(...s);
+    }
+  }
   getNewCredentialAndUrl() {
     return __async(this, arguments, function* ({
       authMethod = "PASSKEY",
@@ -2697,7 +3190,7 @@ const _ParaCore = class _ParaCore {
           ({
             data: { id: credentialId }
           } = yield this.ctx.client.addSessionPublicKey(this.userId, {
-            status: import_user_management_client.PublicKeyStatus.PENDING,
+            status: import_user_management_client.AuthMethodStatus.PENDING,
             type: import_user_management_client.PublicKeyType.WEB
           }));
           urlType = "createAuth";
@@ -2706,10 +3199,18 @@ const _ParaCore = class _ParaCore {
           ({
             data: { id: credentialId }
           } = yield this.ctx.client.addSessionPasswordPublicKey(this.userId, {
-            status: import_user_management_client.PasswordStatus.PENDING
+            status: import_user_management_client.AuthMethodStatus.PENDING
           }));
           urlType = "createPassword";
           break;
+        case "PIN":
+          ({
+            data: { id: credentialId }
+          } = yield this.ctx.client.addSessionPasswordPublicKey(this.userId, {
+            status: import_user_management_client.AuthMethodStatus.PENDING
+          }));
+          urlType = "createPIN";
+          break;
       }
       const url = this.isNativePasskey && urlType === "createAuth" ? void 0 : yield this.constructPortalUrl(urlType, {
         isForNewDevice,
@@ -2721,7 +3222,7 @@ const _ParaCore = class _ParaCore {
     });
   }
   /**
-   * Returns a Para Portal URL for logging in with a WebAuth passkey or a password.
+   * Returns a Para Portal URL for logging in with a WebAuth passkey, password, PIN or OTP.
    * @param {Object} opts the options object
    * @param {String} opts.auth - the user auth to sign up or log in with, in the form ` { email: string } | { phone: `+${number}` } `
    * @param {boolean} opts.useShortUrls - whether to shorten the generated portal URLs
@@ -2747,6 +3248,12 @@ const _ParaCore = class _ParaCore {
         case "PASSWORD":
           urlType = "loginPassword";
           break;
+        case "PIN":
+          urlType = "loginPIN";
+          break;
+        case "BASIC_LOGIN":
+          urlType = "loginOTP";
+          break;
         default:
           throw new Error(`invalid authentication method: '${authMethod}'`);
       }
@@ -2757,53 +3264,214 @@ const _ParaCore = class _ParaCore {
       });
     });
   }
-  signUpOrLogIn(_o) {
+  prepareLogin() {
     return __async(this, null, function* () {
-      var _p = _o, { auth } = _p, urlOptions = __objRest(_p, ["auth"]);
-      const serverAuthState = yield this.ctx.client.signUpOrLogIn(__spreadValues(__spreadValues({}, auth), this.getVerificationEmailProps()));
-      return __privateMethod(this, _ParaCore_instances, prepareAuthState_fn).call(this, serverAuthState, urlOptions);
+      yield this.logout();
+      const { sessionLookupId } = yield this.touchSession(true);
+      if (!this.loginEncryptionKeyPair) {
+        yield this.setLoginEncryptionKeyPair();
+      }
+      return sessionLookupId;
     });
   }
-  verifyNewAccount(_q) {
+  signUpOrLogIn(_k) {
     return __async(this, null, function* () {
-      var _r = _q, {
+      var _l = _k, { auth } = _l, urlOptions = __objRest(_l, ["auth"]);
+      let serverAuthState;
+      try {
+        serverAuthState = yield this.ctx.client.signUpOrLogIn(__spreadValues(__spreadValues({}, auth), this.getVerificationEmailProps()));
+      } catch (error) {
+        if (error.message.includes("max beta users reached")) {
+          this.displayModalError(
+            `50 user limit reached. [Go to Production.](https://docs.getpara.com/v2/general/checklist#go-live-checklist)`
+          );
+        }
+        throw error;
+      }
+      const authInfo = serverAuthState.auth;
+      if (this.fetchPregenWalletsOverride && (0, import_user_management_client.isPregenAuth)(authInfo)) {
+        const { userShare } = yield this.fetchPregenWalletsOverride({ pregenId: authInfo });
+        if (userShare) {
+          yield this.setUserShare(userShare);
+        }
+      }
+      return __privateMethod(this, _ParaCore_instances, prepareAuthState_fn).call(this, serverAuthState, __spreadValues({}, urlOptions));
+    });
+  }
+  verifyNewAccount(_m) {
+    return __async(this, null, function* () {
+      var _n = _m, {
         verificationCode
-      } = _r, urlOptions = __objRest(_r, [
+      } = _n, urlOptions = __objRest(_n, [
         "verificationCode"
       ]);
       this.assertIsAuthSet(["email", "phone"]);
-      const userId = this.assertUserId();
-      const serverAuthState = yield this.ctx.client.verifyNewAccount(userId, {
+      const userId = this.assertUserId({ allowGuestMode: true });
+      const serverAuthState = yield this.ctx.client.verifyAccount(userId, {
         verificationCode
       });
+      if (serverAuthState.stage === "login" || serverAuthState.stage === "done") {
+        throw new Error("Account already exists.");
+      }
+      yield this.touchSession(true);
       return __privateMethod(this, _ParaCore_instances, prepareAuthState_fn).call(this, serverAuthState, urlOptions);
     });
   }
+  getLinkedAccounts() {
+    return __async(this, arguments, function* ({
+      withMetadata = false
+    } = {}) {
+      const userId = this.assertUserId();
+      const { accounts } = yield this.ctx.client.getLinkedAccounts({ userId, withMetadata });
+      return __spreadValues({
+        userId
+      }, accounts);
+    });
+  }
+  linkAccount(opts) {
+    return __async(this, null, function* () {
+      const { supportedAccountLinks = [...import_user_management_client.LINKED_ACCOUNT_TYPES] } = yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      let type, identifier, externalWallet, isPermitted;
+      switch (true) {
+        case "auth" in opts:
+          {
+            const authInfo = (0, import_user_management_client.extractAuthInfo)(opts.auth, { isRequired: true });
+            if (authInfo.auth === this.authInfo.auth) {
+              throw new Error(import_types.AccountLinkError.Conflict);
+            }
+            type = authInfo.authType.toUpperCase();
+            identifier = authInfo.identifier;
+            isPermitted = supportedAccountLinks.includes(type);
+          }
+          break;
+        case "externalWallet" in opts:
+          {
+            externalWallet = opts.externalWallet;
+            type = "EXTERNAL_WALLET";
+            isPermitted = supportedAccountLinks.includes("EXTERNAL_WALLET") || supportedAccountLinks.includes(externalWallet.providerId);
+          }
+          break;
+        case "type" in opts:
+          {
+            type = opts.type;
+            if (type === "X") {
+              type = "TWITTER";
+            }
+            isPermitted = supportedAccountLinks.includes(type);
+          }
+          break;
+        default:
+          throw new Error("Invalid parameters for linking account, must pass `auth` or `type` or `externalWallet`");
+      }
+      if (!isPermitted) {
+        throw new Error(`Account linking for type '${type}' is not supported by the current API key configuration`);
+      }
+      const userId = this.assertUserId();
+      const result = yield this.ctx.client.linkAccount(__spreadValues(__spreadValues({
+        userId,
+        type
+      }, identifier ? { identifier } : {}), externalWallet ? { externalWallet } : {}));
+      if ("isConflict" in result) {
+        throw new Error(import_types.AccountLinkError.Conflict);
+      }
+      const { linkedAccountId, signatureVerificationMessage } = result;
+      this.accountLinkInProgress = __spreadValues(__spreadValues({
+        id: linkedAccountId,
+        type,
+        isComplete: false
+      }, identifier ? { identifier } : {}), signatureVerificationMessage && externalWallet ? {
+        externalWallet: __spreadProps(__spreadValues({}, externalWallet), {
+          signatureVerificationMessage
+        })
+      } : {});
+      return this.accountLinkInProgress;
+    });
+  }
+  unlinkAccount(_0) {
+    return __async(this, arguments, function* ({
+      linkedAccountId
+    }) {
+      if (!linkedAccountId) {
+        throw new Error("No linked account ID provided");
+      }
+      const userId = this.assertUserId();
+      const accounts = yield this.ctx.client.unlinkAccount({ linkedAccountId, userId });
+      return accounts;
+    });
+  }
+  verifyLink() {
+    return __async(this, arguments, function* (_o = {}) {
+      var _p = _o, {
+        accountLinkInProgress = __privateMethod(this, _ParaCore_instances, assertIsLinkingAccount_fn).call(this)
+      } = _p, opts = __objRest(_p, [
+        "accountLinkInProgress"
+      ]);
+      try {
+        const userId = this.assertUserId(), result = yield this.ctx.client.verifyLink(__spreadValues({
+          linkedAccountId: accountLinkInProgress.id,
+          userId
+        }, opts));
+        if ("isConflict" in result) {
+          throw new Error(import_types.AccountLinkError.Conflict);
+        }
+        this.accountLinkInProgress = void 0;
+        return result.accounts;
+      } catch (e) {
+        throw new Error(e.message === import_types.AccountLinkError.Conflict ? import_types.AccountLinkError.Conflict : e.message);
+      }
+    });
+  }
+  verifyEmailOrPhoneLink(_0) {
+    return __async(this, arguments, function* ({
+      verificationCode
+    }) {
+      const accounts = yield this.verifyLink({
+        accountLinkInProgress: __privateMethod(this, _ParaCore_instances, assertIsLinkingAccount_fn).call(this, ["EMAIL", "PHONE"]),
+        verificationCode
+      });
+      return accounts;
+    });
+  }
+  getProfileBalance() {
+    return __async(this, arguments, function* ({ config, refetch = false } = {}) {
+      const { balance } = yield this.ctx.client.getProfileBalance({
+        config,
+        wallets: this.availableWallets.map(({ type, address }) => ({ type, address })),
+        refetch
+      });
+      return balance;
+    });
+  }
+  sendLoginCode() {
+    return __async(this, null, function* () {
+      const { userId } = yield this.ctx.client.sendLoginVerificationCode(this.authInfo);
+      this.setUserId(userId);
+    });
+  }
 };
 _authInfo = new WeakMap();
-_partner = new WeakMap();
 _ParaCore_instances = new WeakSet();
 assertPartner_fn = function() {
   return __async(this, null, function* () {
     var _a, _b;
-    if (!__privateGet(this, _partner)) {
+    if (!this.partner) {
       yield this.touchSession();
     }
-    if (((_a = __privateGet(this, _partner)) == null ? void 0 : _a.cosmosPrefix) && this.ctx.cosmosPrefix !== __privateGet(this, _partner).cosmosPrefix) {
-      this.ctx.cosmosPrefix = (_b = __privateGet(this, _partner)) == null ? void 0 : _b.cosmosPrefix;
+    if (((_a = this.partner) == null ? void 0 : _a.cosmosPrefix) && this.ctx.cosmosPrefix !== this.partner.cosmosPrefix) {
+      this.ctx.cosmosPrefix = (_b = this.partner) == null ? void 0 : _b.cosmosPrefix;
     }
-    return __privateGet(this, _partner);
+    return this.partner;
   });
 };
 guestWalletIds_get = function() {
   var _a, _b, _c;
-  if (!((_a = __privateGet(this, _partner)) == null ? void 0 : _a.supportedWalletTypes)) {
+  if (!((_a = this.partner) == null ? void 0 : _a.supportedWalletTypes)) {
     return {};
   }
   const guestId = (_c = (_b = this.pregenIds) == null ? void 0 : _b.GUEST_ID) == null ? void 0 : _c[0];
   return !!guestId ? Object.entries(this.wallets).reduce((acc, [id, wallet]) => {
     if (wallet.isPregen && !wallet.userId && wallet.pregenIdentifierType === "GUEST_ID" && wallet.pregenIdentifier === guestId) {
-      return __spreadValues(__spreadValues({}, acc), (0, import_utils2.getEquivalentTypes)(wallet.type).filter((type) => __privateGet(this, _partner).supportedWalletTypes.some((entry) => entry.type === type)).reduce((acc2, eqType) => {
+      return __spreadValues(__spreadValues({}, acc), (0, import_utils2.getEquivalentTypes)(wallet.type).filter((type) => this.partner.supportedWalletTypes.some((entry) => entry.type === type)).reduce((acc2, eqType) => {
         var _a2;
         return __spreadProps(__spreadValues({}, acc2), { [eqType]: [.../* @__PURE__ */ new Set([...(_a2 = acc2[eqType]) != null ? _a2 : [], id])] });
       }, {}));
@@ -2860,9 +3528,70 @@ setAuthInfo_fn = function(authInfo) {
 };
 getPartner_fn = function(partnerId) {
   return __async(this, null, function* () {
+    if (this.isPartnerOptional && !partnerId) {
+      return void 0;
+    }
     const res = yield this.ctx.client.getPartner(partnerId);
-    __privateSet(this, _partner, res.data.partner);
-    return __privateGet(this, _partner);
+    this.partner = res.data.partner;
+    return this.partner;
+  });
+};
+assertIsLinkingAccount_fn = function(types) {
+  if (!this.accountLinkInProgress || this.accountLinkInProgress.isComplete) {
+    throw new Error("no account linking in progress");
+  }
+  if (types && !types.includes(this.accountLinkInProgress.type)) {
+    throw new Error(
+      `account linking in progress for type ${this.accountLinkInProgress.type}, expected one of ${types.join(", ")}`
+    );
+  }
+  return this.accountLinkInProgress;
+};
+assertIsLinkingAccountOrStart_fn = function(type) {
+  return __async(this, null, function* () {
+    if (this.accountLinkInProgress && !this.accountLinkInProgress.isComplete) {
+      return __privateMethod(this, _ParaCore_instances, assertIsLinkingAccount_fn).call(this, [type]);
+    }
+    return yield this.linkAccount({ type });
+  });
+};
+getOAuthUrl_fn = function(_0) {
+  return __async(this, arguments, function* ({
+    method,
+    appScheme,
+    accountLinkInProgress,
+    sessionLookupId,
+    encryptionKey
+  }) {
+    if (!accountLinkInProgress && !this.isPortal()) {
+      return yield this.constructPortalUrl("oAuth", { sessionId: sessionLookupId, oAuthMethod: method, appScheme });
+    }
+    let portalSessionLookupId;
+    if (this.isPortal()) {
+      portalSessionLookupId = (yield this.touchSession(true)).sessionLookupId;
+    }
+    return (0, import_utils2.constructUrl)({
+      base: (0, import_userManagementClient.getBaseOAuthUrl)(this.ctx.env),
+      path: `/auth/${method.toLowerCase()}`,
+      params: __spreadProps(__spreadValues({
+        apiKey: this.ctx.apiKey,
+        sessionLookupId,
+        portalSessionLookupId,
+        appScheme
+      }, accountLinkInProgress ? {
+        linkedAccountId: this.accountLinkInProgress.id
+      } : {}), {
+        callback: !accountLinkInProgress && (yield this.constructPortalUrl("oAuthCallback", {
+          sessionId: sessionLookupId,
+          oAuthMethod: method,
+          appScheme,
+          thisDevice: {
+            sessionId: sessionLookupId,
+            encryptionKey
+          }
+        }))
+      })
+    });
   });
 };
 createPregenWallet_fn = function(opts) {
@@ -2915,8 +3644,9 @@ createPregenWallet_fn = function(opts) {
 _isCreateGuestWalletsPending = new WeakMap();
 prepareAuthState_fn = function(_0) {
   return __async(this, arguments, function* (serverAuthState, opts = {}) {
-    if (!opts.sessionLookupId && serverAuthState.stage === "login") {
-      opts.sessionLookupId = yield __privateMethod(this, _ParaCore_instances, prepareLogin_fn).call(this);
+    var _a, _b;
+    if (!opts.sessionLookupId && serverAuthState.stage === "login" && (!serverAuthState.externalWallet || !(((_a = serverAuthState.externalWallet) == null ? void 0 : _a.withFullParaAuth) && ((_b = serverAuthState.loginAuthMethods) == null ? void 0 : _b.includes(import_user_management_client.AuthMethod.PIN))))) {
+      opts.sessionLookupId = yield this.prepareLogin();
     }
     const { auth, externalWallet, userId, displayName, pfpUrl, username } = serverAuthState;
     const authInfo = __spreadValues(__spreadValues({}, (0, import_user_management_client.extractAuthInfo)(auth, { isRequired: true })), Object.fromEntries(
@@ -2930,34 +3660,68 @@ prepareAuthState_fn = function(_0) {
     yield __privateMethod(this, _ParaCore_instances, setAuthInfo_fn).call(this, authInfo);
     yield this.assertIsAuthSet();
     if (!!externalWallet) {
-      yield this.setExternalWallet(externalWallet);
+      yield this.setExternalWallet([externalWallet]);
     }
     if (!!userId) {
       yield this.setUserId(userId);
     }
     let authState;
     switch (serverAuthState.stage) {
+      case "done": {
+        authState = yield __privateMethod(this, _ParaCore_instances, prepareDoneState_fn).call(this, serverAuthState);
+        break;
+      }
       case "verify":
-        authState = serverAuthState;
+        authState = yield __privateMethod(this, _ParaCore_instances, prepareVerificationState_fn).call(this, serverAuthState, __spreadProps(__spreadValues({}, opts), {
+          sessionLookupId: opts.sessionLookupId
+        }));
         break;
       case "login":
+        if (externalWallet && !(externalWallet == null ? void 0 : externalWallet.withFullParaAuth)) {
+          authState = serverAuthState;
+          break;
+        }
         authState = yield __privateMethod(this, _ParaCore_instances, prepareLoginState_fn).call(this, serverAuthState, __spreadProps(__spreadValues({}, opts), { sessionLookupId: opts.sessionLookupId }));
         break;
       case "signup":
+        if (externalWallet && !(externalWallet == null ? void 0 : externalWallet.withFullParaAuth)) {
+          authState = serverAuthState;
+          break;
+        }
         authState = yield __privateMethod(this, _ParaCore_instances, prepareSignUpState_fn).call(this, serverAuthState, opts);
         break;
     }
     return authState;
   });
 };
-prepareLogin_fn = function() {
+prepareDoneState_fn = function(doneState) {
   return __async(this, null, function* () {
-    yield this.logout();
-    const { sessionLookupId } = yield this.touchSession(true);
-    if (!this.loginEncryptionKeyPair) {
-      yield this.setLoginEncryptionKeyPair();
+    let isSLOPossible = doneState.authMethods.includes(import_user_management_client.AuthMethod.BASIC_LOGIN);
+    this.isEnclaveUser = isSLOPossible;
+    return doneState;
+  });
+};
+prepareVerificationState_fn = function(_0, _1) {
+  return __async(this, arguments, function* (verifyState, {
+    useShortUrls: shorten = false,
+    portalTheme,
+    sessionLookupId
+  }) {
+    let isSLOPossible = false;
+    if (verifyState.nextStage === "login") {
+      isSLOPossible = verifyState.loginAuthMethods.includes(import_user_management_client.AuthMethod.BASIC_LOGIN);
+    } else if (verifyState.nextStage === "signup") {
+      isSLOPossible = verifyState.signupAuthMethods.includes(import_user_management_client.AuthMethod.BASIC_LOGIN);
     }
-    return sessionLookupId;
+    this.isEnclaveUser = isSLOPossible;
+    return __spreadValues(__spreadValues({}, verifyState), isSLOPossible ? {
+      loginUrl: yield this.getLoginUrl({
+        authMethod: import_user_management_client.AuthMethod.BASIC_LOGIN,
+        sessionId: sessionLookupId,
+        shorten,
+        portalTheme
+      })
+    } : {});
   });
 };
 prepareLoginState_fn = function(_0, _1) {
@@ -2966,8 +3730,12 @@ prepareLoginState_fn = function(_0, _1) {
     portalTheme,
     sessionLookupId
   }) {
-    const _a = loginState, { loginAuthMethods } = _a, authState = __objRest(_a, ["loginAuthMethods"]);
-    return __spreadValues(__spreadValues(__spreadValues({}, authState), !this.isNativePasskey && loginAuthMethods.includes(import_user_management_client.AuthMethod.PASSKEY) ? {
+    const _a = loginState, { loginAuthMethods = [], hasPasswordWithoutPIN } = _a, authState = __objRest(_a, ["loginAuthMethods", "hasPasswordWithoutPIN"]);
+    const isPasskeySupported = yield this.isPasskeySupported(), isPasskeyPossible = loginAuthMethods.includes(import_user_management_client.AuthMethod.PASSKEY) && !this.isNativePasskey, isPasswordPossible = loginAuthMethods.includes(import_user_management_client.AuthMethod.PASSWORD) && hasPasswordWithoutPIN, isPINPossible = loginAuthMethods.includes(import_user_management_client.AuthMethod.PIN);
+    return __spreadValues(__spreadValues(__spreadValues(__spreadProps(__spreadValues({}, authState), {
+      isPasskeySupported,
+      loginAuthMethods
+    }), isPasskeyPossible ? {
       passkeyUrl: yield this.getLoginUrl({ sessionId: sessionLookupId, shorten, portalTheme }),
       passkeyKnownDeviceUrl: yield this.constructPortalUrl("loginAuth", {
         sessionId: sessionLookupId,
@@ -2978,28 +3746,41 @@ prepareLoginState_fn = function(_0, _1) {
         shorten,
         portalTheme
       })
-    } : {}), loginAuthMethods.includes(import_user_management_client.AuthMethod.PASSWORD) ? {
+    } : {}), isPasswordPossible ? {
       passwordUrl: yield this.constructPortalUrl("loginPassword", {
         sessionId: sessionLookupId,
         shorten,
-        portalTheme
+        portalTheme,
+        params: { isEmbedded: `${!loginState.isWalletSelectionNeeded}` }
+      })
+    } : {}), isPINPossible ? {
+      pinUrl: yield this.constructPortalUrl("loginPIN", {
+        sessionId: sessionLookupId,
+        shorten,
+        portalTheme,
+        params: { isEmbedded: `${!loginState.isWalletSelectionNeeded}` }
       })
     } : {});
   });
 };
 prepareSignUpState_fn = function(_0, _1) {
   return __async(this, arguments, function* (serverSignupState, { useShortUrls: shorten = false, portalTheme }) {
-    const _a = serverSignupState, { signupAuthMethods } = _a, authState = __objRest(_a, ["signupAuthMethods"]);
-    const [isPasskey, isPassword] = [
+    const _a = serverSignupState, { signupAuthMethods = [] } = _a, authState = __objRest(_a, ["signupAuthMethods"]);
+    const isPasskeySupported = yield this.isPasskeySupported();
+    const [isPasskey, isPassword, isPIN] = [
       signupAuthMethods.includes(import_user_management_client.AuthMethod.PASSKEY),
-      signupAuthMethods.includes(import_user_management_client.AuthMethod.PASSWORD)
+      signupAuthMethods.includes(import_user_management_client.AuthMethod.PASSWORD) || !isPasskeySupported,
+      signupAuthMethods.includes(import_user_management_client.AuthMethod.PIN)
     ];
-    if (!isPasskey && !isPassword) {
+    if (!isPasskey && !isPassword && !isPIN) {
       throw new Error(
-        "No supported authentication methods found. Please ensure you have enabled either WebAuth passkeys or passwords in your Developer Portal settings."
+        "No supported authentication methods found. Please ensure you have enabled either WebAuth passkeys, passwords or PINs in your Developer Portal settings."
       );
     }
-    const signupState = authState;
+    const signupState = __spreadProps(__spreadValues({}, authState), {
+      isPasskeySupported,
+      signupAuthMethods
+    });
     if (isPasskey) {
       const { url: passkeyUrl, credentialId: passkeyId } = yield this.getNewCredentialAndUrl({
         authMethod: "PASSKEY",
@@ -3017,6 +3798,15 @@ prepareSignUpState_fn = function(_0, _1) {
       signupState.passwordUrl = passwordUrl;
       signupState.passwordId = passwordId;
     }
+    if (isPIN) {
+      const { url: pinUrl, credentialId: pinId } = yield this.getNewCredentialAndUrl({
+        authMethod: "PIN",
+        portalTheme,
+        shorten
+      });
+      signupState.pinUrl = pinUrl;
+      signupState.pinId = pinId;
+    }
     return signupState;
   });
 };