@hexclave/next 1.0.0

package/dist/esm/lib/stack-app/apps/implementations/client-app-impl.js

@@ -0,0 +1,2842 @@
+import { HexclaveAssertionError, captureError, throwErr } from "@hexclave/shared/dist/utils/errors";
+import { neverResolve, runAsynchronously, wait } from "@hexclave/shared/dist/utils/promises";
+import React, { useCallback, useMemo } from "react";
+import { HexclaveClientInterface, KnownErrors } from "@hexclave/shared";
+import { createUrlIfValid, isRelative } from "@hexclave/shared/dist/utils/urls";
+import { suspend, suspendIfSsr, use } from "@hexclave/shared/dist/utils/react";
+import { deepPlainEquals, omit } from "@hexclave/shared/dist/utils/objects";
+import * as NextNavigationUnscrambled from "next/navigation";
+import { deindent, mergeScopeStrings } from "@hexclave/shared/dist/utils/strings";
+import { Result } from "@hexclave/shared/dist/utils/results";
+import { isBrowserLike } from "@hexclave/shared/dist/utils/env";
+import { clientVersion, createCache, createCacheBySession, createEmptyTokenStore, getAnalyticsBaseUrl, getDefaultExtraRequestHeaders, getDefaultProjectId, getDefaultPublishableClientKey, getUrls, resolveApiUrls, resolveConstructorOptions, useAsyncCache } from "./common.js";
+import { getTrustedParentDomain, validateRedirectUrl } from "@hexclave/shared/dist/utils/redirect-urls";
+import { decodeBase32, decodeBase64, encodeBase32, encodeBase64 } from "@hexclave/shared/dist/utils/bytes";
+import { stackAppInternalsSymbol } from "../../common.js";
+import { adminProjectCreateOptionsToCrud } from "../../projects/index.js";
+import { WebAuthnError, startAuthentication, startRegistration } from "@simplewebauthn/browser";
+import { InternalSession } from "@hexclave/shared/dist/sessions";
+import { scrambleDuringCompileTime } from "@hexclave/shared/dist/utils/compile-time";
+import { parseJson } from "@hexclave/shared/dist/utils/json";
+import { DependenciesMap } from "@hexclave/shared/dist/utils/maps";
+import { Store, storeLock } from "@hexclave/shared/dist/utils/stores";
+import { BotChallengeExecutionFailedError, BotChallengeUserCancelledError, withBotChallengeFlow } from "@hexclave/shared/dist/utils/turnstile-flow";
+import { generateUuid } from "@hexclave/shared/dist/utils/uuids";
+import * as cookie from "cookie";
+import { constructRedirectUrl } from "../../../../utils/url.js";
+import { callOAuthCallback, getNewOAuthProviderOrScopeUrl } from "../../../auth.js";
+import { createBrowserCookieHelper, createCookieHelper, createPlaceholderCookieHelper, deleteCookie, deleteCookieClient, getCookieClient, isSecure, saveVerifierAndState, setOrDeleteCookie, setOrDeleteCookieClient } from "../../../cookie.js";
+import { envVars } from "../../../env.js";
+import { apiKeyCreationOptionsToCrud } from "../../api-keys/index.js";
+import { contactChannelCreateOptionsToCrud, contactChannelUpdateOptionsToCrud } from "../../contact-channels/index.js";
+import { teamCreateOptionsToCrud, teamUpdateOptionsToCrud } from "../../teams/index.js";
+import { buildCliAuthConfirmUrl, getHostedHandlerUrl, isHostedHandlerUrlForProject, resolveHandlerUrls } from "../../url-targets.js";
+import { userUpdateOptionsToCrud, withUserDestructureGuard } from "../../users/index.js";
+import { EventTracker } from "./event-tracker.js";
+import { crossDomainAuthQueryParams, getCrossDomainHandoffParamsFromCurrentUrl, planRedirectToHandler } from "./redirect-page-urls.js";
+import { subscribeSessionRefresh } from "./session-refresh-subscription.js";
+import { SessionRecorder, analyticsOptionsFromJson, analyticsOptionsToJson } from "./session-replay.js";
+import { mountDevTool } from "../../../../dev-tool/index.js";
+import * as sc from "@hexclave/sc";
+import { cookies } from "@hexclave/sc";
+
+//#region src/lib/stack-app/apps/implementations/client-app-impl.ts
+let isReactServer = false;
+isReactServer = sc.isReactServer;
+const NextNavigation = scrambleDuringCompileTime(NextNavigationUnscrambled);
+const prefetchedCrossDomainHandoffTtlMs = 3300 * 1e3;
+const nestedCrossDomainAuthQueryParams = {
+	refreshTokenId: "stack_nested_cross_domain_auth_refresh_token_id",
+	callbackUrl: "stack_nested_cross_domain_auth_callback_url",
+	redirectUri: "redirect_uri",
+	state: "state",
+	codeChallenge: "code_challenge",
+	codeChallengeMethod: "code_challenge_method",
+	afterCallbackRedirectUrl: "after_callback_redirect_url"
+};
+const oauthCallbackResponseQueryParams = [
+	"code",
+	"state",
+	"error",
+	"error_description",
+	"errorCode",
+	"message",
+	"details"
+];
+const allClientApps = /* @__PURE__ */ new Map();
+const STACK_AUTHORIZATION_VALUE_PREFIX = "stackauth_";
+const HEXCLAVE_AUTHORIZATION_VALUE_PREFIX = "hexclave_";
+function getAuthorizationHeaderValueFromAuthJson(authJson) {
+	if (authJson.accessToken == null && authJson.refreshToken == null) return null;
+	return `Bearer ${STACK_AUTHORIZATION_VALUE_PREFIX}${encodeBase64(new TextEncoder().encode(JSON.stringify(authJson)))}`;
+}
+function getAuthJsonFromAuthorizationHeaderValue(authorizationHeaderValue) {
+	const match = authorizationHeaderValue.match(/^Bearer\s+(.+)$/i);
+	if (match == null) return null;
+	const credential = match[1].trim();
+	const matchedPrefix = credential.startsWith(HEXCLAVE_AUTHORIZATION_VALUE_PREFIX) ? HEXCLAVE_AUTHORIZATION_VALUE_PREFIX : credential.startsWith(STACK_AUTHORIZATION_VALUE_PREFIX) ? STACK_AUTHORIZATION_VALUE_PREFIX : null;
+	if (matchedPrefix == null) return null;
+	const encodedAuthJson = credential.slice(matchedPrefix.length);
+	if (encodedAuthJson.length === 0) throw new Error("Invalid Authorization header format. Expected `Bearer stackauth_<base64(getAuthJson())>`.");
+	let parsed;
+	try {
+		const decodedAuthJson = new TextDecoder().decode(decodeBase64(encodedAuthJson));
+		parsed = JSON.parse(decodedAuthJson);
+	} catch (e) {
+		throw new Error("Invalid stackauth authorization header.", { cause: e });
+	}
+	if (parsed == null || typeof parsed !== "object" || Array.isArray(parsed)) throw new Error("Invalid stackauth authorization payload. Expected an object.");
+	const accessToken = Reflect.get(parsed, "accessToken");
+	const refreshToken = Reflect.get(parsed, "refreshToken");
+	if (accessToken != null && typeof accessToken !== "string") throw new Error("Invalid stackauth authorization payload. `accessToken` must be a string or null.");
+	if (refreshToken != null && typeof refreshToken !== "string") throw new Error("Invalid stackauth authorization payload. `refreshToken` must be a string or null.");
+	return {
+		accessToken: accessToken ?? null,
+		refreshToken: refreshToken ?? null
+	};
+}
+function getHeaderValueFromRequestLikeHeaders(headers, name) {
+	if ("get" in headers && typeof headers.get === "function") return headers.get(name);
+	const lowerCaseName = name.toLowerCase();
+	for (const [headerName, headerValue] of Object.entries(headers)) if (headerName.toLowerCase() === lowerCaseName) return headerValue;
+	return null;
+}
+async function getServerRequestHost() {
+	return (await sc.headers?.())?.get("host") ?? null;
+}
+var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
+	static {
+		this.LazyStackAdminAppImpl = { value: void 0 };
+	}
+	async _createCookieHelper(overrideTokenStoreInit) {
+		const tokenStoreInit = overrideTokenStoreInit === void 0 ? this._tokenStoreInit : overrideTokenStoreInit;
+		if (tokenStoreInit === "nextjs-cookie" || tokenStoreInit === "cookie") return await createCookieHelper();
+		else return await createPlaceholderCookieHelper();
+	}
+	/** @deprecated Used by legacy getConnectedAccount(providerId) — combines user check + token check + redirect into one cache */
+	async _getUserOAuthConnectionCacheFn(options) {
+		const user = await options.getUser();
+		let hasConnection = true;
+		if (!user || !user.oauth_providers.find((p) => p.id === options.providerId)) hasConnection = false;
+		if (!await options.getOrWaitOAuthToken()) hasConnection = false;
+		if (!hasConnection && options.redirect) {
+			if (!options.session) throw new Error(deindent`
+          Cannot add new scopes to a user that is not a CurrentUser. Please ensure that you are calling this function on a CurrentUser object, or remove the 'or: redirect' option.
+
+          Often, you can solve this by calling this function in the browser instead, or by removing the 'or: redirect' option and dealing with the case where the user doesn't have enough permissions.
+        `);
+			const location = await getNewOAuthProviderOrScopeUrl(this._interface, {
+				provider: options.providerId,
+				redirectUrl: this._getOAuthCallbackRedirectUri(),
+				errorRedirectUrl: this.urls.error,
+				providerScope: mergeScopeStrings(options.scope || "", (this._oauthScopesOnSignIn[options.providerId] ?? []).join(" "))
+			}, options.session);
+			await this._redirectTo({ url: location });
+			return await neverResolve();
+		} else if (!hasConnection) return null;
+		const providerAccountId = user.oauth_providers.find((p) => p.id === options.providerId)?.account_id ?? "";
+		return {
+			id: options.providerId,
+			provider: options.providerId,
+			providerAccountId,
+			async getAccessToken() {
+				const result = await options.getOrWaitOAuthToken();
+				if (!result) throw new HexclaveAssertionError(`Failed to retrieve an access token for this connected account (provider: ${options.providerId}). This usually means the OAuth refresh token has been revoked or expired. The user needs to re-authorize by calling \`linkConnectedAccount\` or using \`getOrLinkConnectedAccount\`.`);
+				return result;
+			},
+			useAccessToken() {
+				const result = options.useOAuthToken();
+				if (!result) throw new HexclaveAssertionError(`Failed to retrieve an access token for this connected account (provider: ${options.providerId}). This usually means the OAuth refresh token has been revoked or expired. The user needs to re-authorize by calling \`linkConnectedAccount\` or using \`getOrLinkConnectedAccount\`.`);
+				return result;
+			}
+		};
+	}
+	_createOAuthConnectionFromCrudItem(item, session) {
+		const app = this;
+		const providerId = item.provider;
+		const providerAccountId = item.provider_account_id;
+		return {
+			id: providerId,
+			provider: providerId,
+			providerAccountId,
+			async getAccessToken(options) {
+				const scopeString = options?.scopes?.join(" ") ?? "";
+				const result = Result.orThrow(await app._currentUserOAuthConnectionAccessTokensByAccountCache.getOrWait([
+					session,
+					providerId,
+					providerAccountId,
+					scopeString
+				], "write-only"));
+				if (!result) {
+					const scopeDetail = scopeString ? `The requested scopes [${scopeString}] are not available on the existing token.` : "The OAuth refresh token has likely been revoked or expired.";
+					return Result.error(new KnownErrors.OAuthAccessTokenNotAvailable(providerId, `${scopeDetail} The user needs to re-authorize by calling \`linkConnectedAccount\` or using \`getOrLinkConnectedAccount\`.`));
+				}
+				return Result.ok(result);
+			},
+			useAccessToken(options) {
+				const scopeString = options?.scopes?.join(" ") ?? "";
+				const result = useAsyncCache(app._currentUserOAuthConnectionAccessTokensByAccountCache, [
+					session,
+					providerId,
+					providerAccountId,
+					scopeString
+				], "connection.useAccessToken()");
+				if (!result) {
+					const scopeDetail = scopeString ? `The requested scopes [${scopeString}] are not available on the existing token.` : "The OAuth refresh token has likely been revoked or expired.";
+					return Result.error(new KnownErrors.OAuthAccessTokenNotAvailable(providerId, `${scopeDetail} The user needs to re-authorize by calling \`linkConnectedAccount\` or using \`getOrLinkConnectedAccount\`.`));
+				}
+				return Result.ok(result);
+			}
+		};
+	}
+	constructor(options, extraOptions) {
+		this._uniqueIdentifier = void 0;
+		this._sessionRecorder = null;
+		this._eventTracker = null;
+		this.__DEMO_ENABLE_SLIGHT_FETCH_DELAY = false;
+		this._ownedAdminApps = new DependenciesMap();
+		this._currentUserCache = createCacheBySession(async (session) => {
+			if (this.__DEMO_ENABLE_SLIGHT_FETCH_DELAY) await wait(2e3);
+			if (session.isKnownToBeInvalid()) return null;
+			return await this._interface.getClientUserByToken(session);
+		});
+		this._currentProjectCache = createCache(async () => {
+			return Result.orThrow(await this._interface.getClientProject());
+		});
+		this._ownedProjectsCache = createCacheBySession(async (session) => {
+			return await this._interface.listProjects(session);
+		});
+		this._currentUserPermissionsCache = createCacheBySession(async (session, [teamId, recursive]) => {
+			return await this._interface.listCurrentUserTeamPermissions({
+				teamId,
+				recursive
+			}, session);
+		});
+		this._currentUserProjectPermissionsCache = createCacheBySession(async (session, [recursive]) => {
+			return await this._interface.listCurrentUserProjectPermissions({ recursive }, session);
+		});
+		this._currentUserTeamsCache = createCacheBySession(async (session) => {
+			return await this._interface.listCurrentUserTeams(session);
+		});
+		this._currentUserOAuthConnectionAccessTokensCache = createCacheBySession(async (session, [providerId, scope]) => {
+			try {
+				return { accessToken: (await this._interface.createProviderAccessToken(providerId, scope || "", session)).access_token };
+			} catch (err) {
+				if (!(KnownErrors.OAuthAccessTokenNotAvailable.isInstance(err) || KnownErrors.OAuthConnectionDoesNotHaveRequiredScope.isInstance(err) || KnownErrors.OAuthConnectionNotConnectedToUser.isInstance(err))) throw err;
+			}
+			return null;
+		});
+		this._currentUserOAuthConnectionCache = createCacheBySession(async (session, [providerId, scope, redirect]) => {
+			return await this._getUserOAuthConnectionCacheFn({
+				getUser: async () => Result.orThrow(await this._currentUserCache.getOrWait([session], "write-only")),
+				getOrWaitOAuthToken: async () => Result.orThrow(await this._currentUserOAuthConnectionAccessTokensCache.getOrWait([
+					session,
+					providerId,
+					scope || ""
+				], "write-only")),
+				useOAuthToken: () => useAsyncCache(this._currentUserOAuthConnectionAccessTokensCache, [
+					session,
+					providerId,
+					scope || ""
+				], "connection.useAccessToken()"),
+				providerId,
+				scope,
+				redirect,
+				session
+			});
+		});
+		this._currentUserConnectedAccountsCache = createCacheBySession(async (session) => {
+			return (await this._interface.listConnectedAccounts(session)).items.map((item) => this._createOAuthConnectionFromCrudItem(item, session));
+		});
+		this._currentUserOAuthConnectionAccessTokensByAccountCache = createCacheBySession(async (session, [providerId, providerAccountId, scope]) => {
+			try {
+				return { accessToken: (await this._interface.createProviderAccessTokenByAccount(providerId, providerAccountId, scope, session)).access_token };
+			} catch (err) {
+				if (KnownErrors.OAuthAccessTokenNotAvailable.isInstance(err) || KnownErrors.OAuthConnectionDoesNotHaveRequiredScope.isInstance(err) || KnownErrors.OAuthConnectionNotConnectedToUser.isInstance(err)) return null;
+				throw err;
+			}
+		});
+		this._currentUserValidConnectedAccountForProviderCache = createCacheBySession(async (session, [provider, scopeString]) => {
+			const matchingAccounts = Result.orThrow(await this._currentUserConnectedAccountsCache.getOrWait([session], "write-only")).filter((a) => a.provider === provider);
+			const scopes = scopeString ? scopeString.split(" ") : void 0;
+			for (const account of matchingAccounts) if ((await account.getAccessToken({ scopes })).status === "ok") return account;
+			const location = await getNewOAuthProviderOrScopeUrl(this._interface, {
+				provider,
+				redirectUrl: this._getOAuthCallbackRedirectUri(),
+				errorRedirectUrl: this.urls.error,
+				providerScope: mergeScopeStrings(scopeString, (this._oauthScopesOnSignIn[provider] ?? []).join(" "))
+			}, session);
+			await this._redirectTo({ url: location });
+			return await neverResolve();
+		});
+		this._teamMemberProfilesCache = createCacheBySession(async (session, [teamId]) => {
+			return await this._interface.listTeamMemberProfiles({ teamId }, session);
+		});
+		this._teamInvitationsCache = createCacheBySession(async (session, [teamId]) => {
+			return await this._interface.listTeamInvitations({ teamId }, session);
+		});
+		this._currentUserTeamProfileCache = createCacheBySession(async (session, [teamId]) => {
+			return await this._interface.getTeamMemberProfile({
+				teamId,
+				userId: "me"
+			}, session);
+		});
+		this._currentUserTeamInvitationsCache = createCacheBySession(async (session) => {
+			return await this._interface.listCurrentUserTeamInvitations(session);
+		});
+		this._clientContactChannelsCache = createCacheBySession(async (session) => {
+			return await this._interface.listClientContactChannels(session);
+		});
+		this._userApiKeysCache = createCacheBySession(async (session) => {
+			return await this._interface.listProjectApiKeys({ user_id: "me" }, session, "client");
+		});
+		this._teamApiKeysCache = createCacheBySession(async (session, [teamId]) => {
+			return await this._interface.listProjectApiKeys({ team_id: teamId }, session, "client");
+		});
+		this._notificationCategoriesCache = createCacheBySession(async (session) => {
+			return await this._interface.listNotificationCategories(session);
+		});
+		this._currentUserOAuthProvidersCache = createCacheBySession(async (session) => {
+			return await this._interface.listOAuthProviders({ user_id: "me" }, session);
+		});
+		this._userItemCache = createCacheBySession(async (session, [userId, itemId]) => {
+			return await this._interface.getItem({
+				userId,
+				itemId
+			}, session);
+		});
+		this._teamItemCache = createCacheBySession(async (session, [teamId, itemId]) => {
+			return await this._interface.getItem({
+				teamId,
+				itemId
+			}, session);
+		});
+		this._customItemCache = createCacheBySession(async (session, [customCustomerId, itemId]) => {
+			return await this._interface.getItem({
+				customCustomerId,
+				itemId
+			}, session);
+		});
+		this._userProductsCache = createCacheBySession(async (session, [userId, cursor, limit]) => {
+			return await this._interface.listProducts({
+				customer_type: "user",
+				customer_id: userId,
+				cursor: cursor ?? void 0,
+				limit: limit ?? void 0
+			}, session);
+		});
+		this._teamProductsCache = createCacheBySession(async (session, [teamId, cursor, limit]) => {
+			return await this._interface.listProducts({
+				customer_type: "team",
+				customer_id: teamId,
+				cursor: cursor ?? void 0,
+				limit: limit ?? void 0
+			}, session);
+		});
+		this._customProductsCache = createCacheBySession(async (session, [customCustomerId, cursor, limit]) => {
+			return await this._interface.listProducts({
+				customer_type: "custom",
+				customer_id: customCustomerId,
+				cursor: cursor ?? void 0,
+				limit: limit ?? void 0
+			}, session);
+		});
+		this._userInvoicesCache = createCacheBySession(async (session, [userId, cursor, limit]) => {
+			return await this._interface.listInvoices({
+				customer_type: "user",
+				customer_id: userId,
+				cursor: cursor ?? void 0,
+				limit: limit ?? void 0
+			}, session);
+		});
+		this._teamInvoicesCache = createCacheBySession(async (session, [teamId, cursor, limit]) => {
+			return await this._interface.listInvoices({
+				customer_type: "team",
+				customer_id: teamId,
+				cursor: cursor ?? void 0,
+				limit: limit ?? void 0
+			}, session);
+		});
+		this._customerBillingCache = createCacheBySession(async (session, [customerType, customerId]) => {
+			return await this._interface.getCustomerBilling(customerType, customerId, session);
+		});
+		this._convexPartialUserCache = createCache(async ([ctx]) => await this._getPartialUserFromConvex(ctx));
+		this._trustedParentDomainCache = createCache(async ([domain]) => await this._getTrustedParentDomain(domain));
+		this._anonymousSignUpInProgress = null;
+		this._prefetchedCrossDomainHandoffParams = null;
+		this._prefetchedCrossDomainHandoffParamsFetchedAt = 0;
+		this._isPrefetchingCrossDomainHandoffParams = false;
+		this._pendingAuthResolutionPromises = [];
+		this._memoryTokenStore = createEmptyTokenStore();
+		this._nextServerCookiesTokenStores = /* @__PURE__ */ new WeakMap();
+		this._requestTokenStores = /* @__PURE__ */ new WeakMap();
+		this._storedBrowserCookieTokenStore = null;
+		this._mostRecentQueuedCookieRefreshIndex = 0;
+		this._sessionsByTokenStoreAndSessionKey = /* @__PURE__ */ new WeakMap();
+		this._botChallengeSiteKeysWarned = false;
+		const resolvedOptions = resolveConstructorOptions(options);
+		if (!_StackClientAppImplIncomplete.LazyStackAdminAppImpl.value) throw new HexclaveAssertionError("Admin app implementation not initialized. Did you import the _StackClientApp from stack-app/apps/implementations/index.ts? You can't import it directly from ./apps/implementations/client-app-impl.ts as that causes a circular dependency (see the comment at _LazyStackAdminAppImpl for more details).");
+		this._options = resolvedOptions;
+		this._extraOptions = extraOptions;
+		const projectId = resolvedOptions.projectId ?? getDefaultProjectId();
+		if (projectId !== "internal" && !projectId.match(/^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$/i)) throw new Error(`Invalid project ID: ${projectId}. Project IDs must be UUIDs. Please check your environment variables and/or your StackApp.`);
+		const publishableClientKey = resolvedOptions.publishableClientKey ?? getDefaultPublishableClientKey();
+		if (extraOptions && extraOptions.interface) this._interface = extraOptions.interface;
+		else {
+			const apiUrls = resolveApiUrls(resolvedOptions.baseUrl);
+			this._interface = new HexclaveClientInterface({
+				getBaseUrl: () => apiUrls()[0],
+				getAnalyticsBaseUrl: () => getAnalyticsBaseUrl(apiUrls()[0]),
+				getApiUrls: apiUrls,
+				extraRequestHeaders: resolvedOptions.extraRequestHeaders ?? getDefaultExtraRequestHeaders(),
+				projectId,
+				clientVersion,
+				...publishableClientKey != null ? { publishableClientKey } : {},
+				prepareRequest: async () => {
+					await cookies?.();
+				}
+			});
+		}
+		this._tokenStoreInit = resolvedOptions.tokenStore;
+		this._redirectMethod = resolvedOptions.redirectMethod || (isBrowserLike() ? "window" : "none");
+		this._redirectMethod = resolvedOptions.redirectMethod || "nextjs";
+		this._urlOptions = resolvedOptions.urls ?? {};
+		this._oauthScopesOnSignIn = resolvedOptions.oauthScopesOnSignIn ?? {};
+		if (isBrowserLike() && (resolvedOptions.tokenStore === "cookie" || resolvedOptions.tokenStore === "nextjs-cookie")) {
+			runAsynchronously(this._trustedParentDomainCache.getOrWait([window.location.hostname], "write-only"));
+			this._ensureCrossSubdomainCookieExists();
+		}
+		if (extraOptions && extraOptions.uniqueIdentifier) {
+			this._uniqueIdentifier = extraOptions.uniqueIdentifier;
+			this._initUniqueIdentifier();
+		}
+		this._analyticsOptions = resolvedOptions.analytics;
+		const getAnalyticsSession = async () => {
+			this._ensurePersistentTokenStore();
+			if (await this.getPartialUser({
+				from: "token",
+				or: "anonymous-if-exists"
+			})) return await this._getSession();
+			return (await this.getUser({ or: "anonymous" }))._internalSession;
+		};
+		const analyticsEnabled = this._analyticsOptions?.enabled !== false;
+		if (analyticsEnabled && isBrowserLike() && this._hasPersistentTokenStore() && this._analyticsOptions?.replays?.enabled === true) {
+			this._sessionRecorder = new SessionRecorder({
+				projectId: this.projectId,
+				sendBatch: async (body, opts) => {
+					return await this._interface.sendSessionReplayBatch(body, await getAnalyticsSession(), opts);
+				}
+			}, this._analyticsOptions.replays);
+			this._sessionRecorder.start();
+		}
+		if (analyticsEnabled && isBrowserLike() && this._hasPersistentTokenStore()) {
+			this._eventTracker = new EventTracker({
+				projectId: this.projectId,
+				sendBatch: async (body, opts) => {
+					return await this._interface.sendAnalyticsEventBatch(body, await getAnalyticsSession(), opts);
+				}
+			});
+			this._eventTracker.start();
+		}
+		if (isBrowserLike() && this._isOAuthCallbackUrlHosted() && this._currentUrlLooksLikeStackOAuthCallback()) this._trackPendingAuthResolution(async () => {
+			if (isBrowserLike()) await this.callOAuthCallback({ dontWarnAboutMissingQueryParams: true });
+		});
+		if (isBrowserLike()) this._trackPendingAuthResolution(async () => {
+			await this._maybeHandleNestedCrossDomainAuth();
+		});
+		if (isBrowserLike() && resolvedOptions.devTool !== false) mountDevTool(this);
+	}
+	_initUniqueIdentifier() {
+		if (!this._uniqueIdentifier) throw new HexclaveAssertionError("Unique identifier not initialized");
+		if (allClientApps.has(this._uniqueIdentifier)) throw new HexclaveAssertionError("A Stack client app with the same unique identifier already exists");
+		allClientApps.set(this._uniqueIdentifier, [this._extraOptions?.checkString ?? void 0, this]);
+	}
+	_trackPendingAuthResolution(callback) {
+		const promise = (async () => {
+			await Promise.resolve();
+			try {
+				await callback();
+			} catch (error) {
+				captureError("pending-auth-resolution-failed", error);
+			}
+		})();
+		this._pendingAuthResolutionPromises.push(promise);
+		runAsynchronously(async () => {
+			try {
+				await promise;
+			} finally {
+				this._pendingAuthResolutionPromises = this._pendingAuthResolutionPromises.filter((p) => p !== promise);
+			}
+		});
+	}
+	async _awaitPendingAuthResolutions(overrideTokenStoreInit, options) {
+		if (options?.awaitPendingAuthResolutions === false || overrideTokenStoreInit !== void 0 || !this._hasPersistentTokenStore() || this._pendingAuthResolutionPromises.length === 0) return;
+		await Promise.all(this._pendingAuthResolutionPromises);
+	}
+	_usePendingAuthResolutions(overrideTokenStoreInit) {
+		if (overrideTokenStoreInit !== void 0 || !this._hasPersistentTokenStore() || this._pendingAuthResolutionPromises.length === 0) return;
+		use(Promise.all(this._pendingAuthResolutionPromises));
+	}
+	_isOAuthCallbackUrlHosted() {
+		const oauthCallbackTarget = this._urlOptions.oauthCallback ?? this._urlOptions.default;
+		return typeof oauthCallbackTarget !== "string" && oauthCallbackTarget?.type === "hosted";
+	}
+	_currentUrlLooksLikeOAuthCallback() {
+		if (typeof window === "undefined") return false;
+		const currentUrl = new URL(window.location.href);
+		return currentUrl.searchParams.has("code") && currentUrl.searchParams.has("state") || currentUrl.searchParams.has("errorCode") && currentUrl.searchParams.has("message");
+	}
+	_currentUrlLooksLikeStackOAuthCallback() {
+		if (typeof window === "undefined") return false;
+		const currentUrl = new URL(window.location.href);
+		const state = currentUrl.searchParams.get("state");
+		if (!currentUrl.searchParams.has("code") || state == null) return false;
+		return getCookieClient(`stack-oauth-outer-${state}`) != null;
+	}
+	_getOAuthCallbackRedirectUri() {
+		if (!this._isOAuthCallbackUrlHosted()) return this.urls.oauthCallback;
+		if (typeof window === "undefined") throw new HexclaveAssertionError("Hosted OAuth callback URLs require a browser environment to use the current URL as the redirect URI");
+		const currentUrl = new URL(window.location.href);
+		for (const param of oauthCallbackResponseQueryParams) currentUrl.searchParams.delete(param);
+		return currentUrl.toString();
+	}
+	async _getCurrentRefreshTokenIdIfSignedIn(options) {
+		const tokens = await (await this._getSession(options?.overrideTokenStoreInit, options)).getOrFetchLikelyValidTokens(0, null);
+		if (tokens?.refreshToken == null) return null;
+		return tokens.accessToken.payload.refresh_token_id;
+	}
+	async _addNestedCrossDomainAuthParamsToRedirectUrl(options) {
+		const targetUrl = new URL(options.url, options.currentUrl);
+		if (targetUrl.origin === options.currentUrl.origin) return options.url;
+		const refreshTokenId = await this._getCurrentRefreshTokenIdIfSignedIn({
+			awaitPendingAuthResolutions: options.awaitPendingAuthResolutions,
+			overrideTokenStoreInit: options.overrideTokenStoreInit
+		});
+		if (refreshTokenId == null) return options.url;
+		targetUrl.searchParams.set(nestedCrossDomainAuthQueryParams.refreshTokenId, refreshTokenId);
+		targetUrl.searchParams.set(nestedCrossDomainAuthQueryParams.callbackUrl, new URL(this._getOAuthCallbackRedirectUri(), options.currentUrl).toString());
+		return targetUrl.toString();
+	}
+	async _maybeHandleNestedCrossDomainAuth() {
+		if (typeof window === "undefined") return false;
+		const currentUrl = new URL(window.location.href);
+		if (currentUrl.searchParams.has("code") && currentUrl.searchParams.has("state")) return false;
+		const refreshTokenId = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.refreshTokenId);
+		if (refreshTokenId == null) return false;
+		const redirectUri = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.redirectUri);
+		const state = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.state);
+		const codeChallenge = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.codeChallenge);
+		if (redirectUri != null || state != null || codeChallenge != null) {
+			if (redirectUri == null || state == null || codeChallenge == null) throw new HexclaveAssertionError("Nested cross-domain auth callback URL is missing OAuth request parameters", {
+				redirectUri,
+				state,
+				codeChallenge
+			});
+			if ((currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.codeChallengeMethod) ?? "S256") !== "S256") throw new HexclaveAssertionError("Nested cross-domain auth only supports S256 PKCE");
+			if (isRelative(redirectUri)) throw new Error("Nested cross-domain auth redirect URI must be absolute.");
+			const redirectUriUrl = new URL(redirectUri);
+			if (!await this._isTrusted(redirectUriUrl.toString())) throw new Error(`Nested cross-domain auth redirect URI ${redirectUri} is not trusted.`);
+			const afterCallbackRedirectUrlString = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.afterCallbackRedirectUrl);
+			const afterCallbackRedirectUrl = afterCallbackRedirectUrlString == null ? redirectUriUrl : new URL(afterCallbackRedirectUrlString, redirectUriUrl);
+			if (!await this._isTrusted(afterCallbackRedirectUrl.toString())) throw new Error(`Nested cross-domain auth after-callback redirect URL ${afterCallbackRedirectUrlString} is not trusted.`);
+			if (await this._getCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: false }) !== refreshTokenId) throw new Error("Nested cross-domain auth source session does not match the requested refresh token ID.");
+			await this._redirectTo({
+				url: await this._createCrossDomainAuthRedirectUrl({
+					redirectUri: redirectUriUrl.toString(),
+					state,
+					codeChallenge,
+					afterCallbackRedirectUrl: afterCallbackRedirectUrl.toString(),
+					awaitPendingAuthResolutions: false
+				}),
+				replace: true
+			});
+			return true;
+		}
+		if (await this._getCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: false }) === refreshTokenId) return false;
+		const callbackUrlString = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.callbackUrl);
+		if (callbackUrlString == null) throw new HexclaveAssertionError("Nested cross-domain auth URL is missing callback URL");
+		if (isRelative(callbackUrlString)) throw new Error("Nested cross-domain auth callback URL must be absolute.");
+		const callbackUrl = new URL(callbackUrlString);
+		if (!await this._isTrusted(callbackUrl.toString())) throw new Error(`Nested cross-domain auth callback URL ${callbackUrlString} is not trusted.`);
+		const afterCallbackRedirectUrl = new URL(currentUrl);
+		afterCallbackRedirectUrl.searchParams.delete(nestedCrossDomainAuthQueryParams.refreshTokenId);
+		afterCallbackRedirectUrl.searchParams.delete(nestedCrossDomainAuthQueryParams.callbackUrl);
+		const { state: newState, codeChallenge: newCodeChallenge } = await this._getCrossDomainHandoffParamsForRedirect(currentUrl);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.refreshTokenId, refreshTokenId);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.redirectUri, new URL(this._getOAuthCallbackRedirectUri(), currentUrl).toString());
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.state, newState);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.codeChallenge, newCodeChallenge);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.codeChallengeMethod, "S256");
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.afterCallbackRedirectUrl, afterCallbackRedirectUrl.toString());
+		await this._redirectTo({
+			url: callbackUrl,
+			replace: true
+		});
+		return true;
+	}
+	/**
+	* Cloudflare workers does not allow use of randomness on the global scope (on which the Stack app is probably
+	* initialized). For that reason, we generate the unique identifier lazily when it is first needed instead of in the
+	* constructor.
+	*/
+	_getUniqueIdentifier() {
+		if (!this._uniqueIdentifier) {
+			this._uniqueIdentifier = generateUuid();
+			this._initUniqueIdentifier();
+		}
+		return this._uniqueIdentifier;
+	}
+	async _checkFeatureSupport(name, options) {
+		return await this._interface.checkFeatureSupport({
+			...options,
+			name
+		});
+	}
+	_useCheckFeatureSupport(name, options) {
+		runAsynchronously(this._checkFeatureSupport(name, options));
+		throw new HexclaveAssertionError(`${name} is not currently supported. Please reach out to Stack support for more information.`);
+	}
+	get _legacyRefreshTokenCookieName() {
+		return `stack-refresh-${this.projectId}`;
+	}
+	get _refreshTokenCookieName() {
+		return `hexclave-refresh-${this.projectId}`;
+	}
+	_getRefreshTokenDefaultCookieNameForSecure(secure) {
+		return `${secure ? "__Host-" : ""}${this._refreshTokenCookieName}--default`;
+	}
+	_getCustomRefreshCookieName(domain) {
+		const encoded = encodeBase32(new TextEncoder().encode(domain.toLowerCase()));
+		return `${this._refreshTokenCookieName}--custom-${encoded}`;
+	}
+	_getDomainFromCustomRefreshCookieName(name) {
+		for (const base of [this._refreshTokenCookieName, this._legacyRefreshTokenCookieName]) {
+			const prefix = `${base}--custom-`;
+			if (!name.startsWith(prefix)) continue;
+			try {
+				return new TextDecoder().decode(decodeBase32(name.slice(prefix.length)));
+			} catch {
+				return null;
+			}
+		}
+		return null;
+	}
+	_formatRefreshCookieValue(refreshToken, updatedAt) {
+		return JSON.stringify({
+			refresh_token: refreshToken,
+			updated_at_millis: updatedAt
+		});
+	}
+	_formatAccessCookieValue(refreshToken, accessToken) {
+		return refreshToken && accessToken ? JSON.stringify([refreshToken, accessToken]) : null;
+	}
+	_parseStructuredRefreshCookie(value) {
+		if (!value) return null;
+		const parsed = parseJson(value);
+		if (parsed.status !== "ok" || typeof parsed.data !== "object" || parsed.data === null) {
+			console.warn("Failed to parse structured refresh cookie");
+			return null;
+		}
+		const data = parsed.data;
+		const refreshToken = "refresh_token" in data && typeof data.refresh_token === "string" ? data.refresh_token : null;
+		const updatedAt = "updated_at_millis" in data && typeof data.updated_at_millis === "number" ? data.updated_at_millis : null;
+		if (!refreshToken) {
+			console.warn("Refresh token not found in structured refresh cookie");
+			return null;
+		}
+		return {
+			refreshToken,
+			updatedAt
+		};
+	}
+	_extractRefreshTokenFromCookieMap(cookies) {
+		const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+		const currentStructuredPrefixes = [`${this._refreshTokenCookieName}--`, `__Host-${this._refreshTokenCookieName}--`];
+		const getNewestStructuredCookie = (prefixes) => {
+			let selected = null;
+			for (const [name, value] of Object.entries(cookies)) {
+				if (!prefixes.some((prefix) => name.startsWith(prefix))) continue;
+				const parsed = this._parseStructuredRefreshCookie(value);
+				if (!parsed) continue;
+				const candidateUpdatedAt = parsed.updatedAt ?? Number.NEGATIVE_INFINITY;
+				const selectedUpdatedAt = selected?.updatedAt ?? Number.NEGATIVE_INFINITY;
+				if (!selected || candidateUpdatedAt > selectedUpdatedAt) selected = parsed;
+			}
+			return selected;
+		};
+		const currentStructuredCookie = getNewestStructuredCookie(currentStructuredPrefixes);
+		if (currentStructuredCookie) return {
+			refreshToken: currentStructuredCookie.refreshToken,
+			updatedAt: currentStructuredCookie.updatedAt ?? null
+		};
+		for (const name of legacyNames) {
+			const value = cookies[name];
+			if (value) return {
+				refreshToken: value,
+				updatedAt: null
+			};
+		}
+		const selected = getNewestStructuredCookie(structuredPrefixes);
+		if (!selected) return {
+			refreshToken: null,
+			updatedAt: null
+		};
+		return {
+			refreshToken: selected.refreshToken,
+			updatedAt: selected.updatedAt ?? null
+		};
+	}
+	_getTokensFromCookies(cookies) {
+		const { refreshToken } = this._extractRefreshTokenFromCookieMap(cookies);
+		const accessTokenCookie = cookies[this._accessTokenCookieName] ?? cookies[this._legacyAccessTokenCookieName] ?? null;
+		let accessToken = null;
+		if (accessTokenCookie && accessTokenCookie.startsWith("[\"")) {
+			const parsed = parseJson(accessTokenCookie);
+			if (parsed.status === "ok" && typeof parsed.data === "object" && parsed.data !== null && Array.isArray(parsed.data) && parsed.data.length === 2 && typeof parsed.data[0] === "string" && typeof parsed.data[1] === "string") {
+				if (parsed.data[0] === refreshToken) accessToken = parsed.data[1];
+			} else console.warn("Access token cookie has invalid format");
+		}
+		return {
+			refreshToken,
+			accessToken
+		};
+	}
+	get _accessTokenCookieName() {
+		return `hexclave-access`;
+	}
+	get _legacyAccessTokenCookieName() {
+		return `stack-access`;
+	}
+	_getAllBrowserCookies() {
+		if (!isBrowserLike()) throw new HexclaveAssertionError("Cannot get browser cookies on the server!");
+		return cookie.parseCookie(document.cookie || "");
+	}
+	_getRefreshTokenCookieNamePatterns() {
+		return {
+			legacyNames: [this._legacyRefreshTokenCookieName, "stack-refresh"],
+			structuredPrefixes: [
+				`${this._refreshTokenCookieName}--`,
+				`__Host-${this._refreshTokenCookieName}--`,
+				`${this._legacyRefreshTokenCookieName}--`,
+				`__Host-${this._legacyRefreshTokenCookieName}--`
+			]
+		};
+	}
+	_collectRefreshTokenCookieNames(cookies) {
+		const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+		const names = /* @__PURE__ */ new Set();
+		for (const name of legacyNames) if (cookies[name]) names.add(name);
+		for (const name of Object.keys(cookies)) if (structuredPrefixes.some((prefix) => name.startsWith(prefix))) names.add(name);
+		return names;
+	}
+	_prepareRefreshCookieUpdate(existingCookies, refreshToken, accessToken, defaultCookieName) {
+		const cookieNames = this._collectRefreshTokenCookieNames(existingCookies);
+		cookieNames.delete(defaultCookieName);
+		const updatedAt = refreshToken ? Date.now() : null;
+		return {
+			updatedAt,
+			refreshCookieValue: refreshToken && updatedAt !== null ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null,
+			accessTokenPayload: this._formatAccessCookieValue(refreshToken, accessToken),
+			cookieNamesToDelete: [...cookieNames]
+		};
+	}
+	_ensureCrossSubdomainCookieExists() {
+		runAsynchronously(async () => {
+			const hostname = window.location.hostname;
+			const domain = await this._trustedParentDomainCache.getOrWait([hostname], "read-write");
+			if (domain.status === "error" || !domain.data) return;
+			const cookies = this._getAllBrowserCookies();
+			const customCookieName = this._getCustomRefreshCookieName(domain.data);
+			if (cookies[customCookieName]) return;
+			const { refreshToken, updatedAt } = this._extractRefreshTokenFromCookieMap(cookies);
+			if (refreshToken && updatedAt) setOrDeleteCookieClient(customCookieName, this._formatRefreshCookieValue(refreshToken, updatedAt), {
+				maxAge: 3600 * 24 * 365,
+				domain: domain.data
+			});
+		});
+	}
+	_queueCustomRefreshCookieUpdate(refreshToken, updatedAt, context) {
+		runAsynchronously(async () => {
+			this._mostRecentQueuedCookieRefreshIndex++;
+			const updateIndex = this._mostRecentQueuedCookieRefreshIndex;
+			let hostname;
+			if (isBrowserLike()) hostname = window.location.hostname;
+			else hostname = await getServerRequestHost();
+			if (!hostname) {
+				console.warn("No hostname found when queueing custom refresh cookie update");
+				return;
+			}
+			const domain = await this._trustedParentDomainCache.getOrWait([hostname], "read-write");
+			const cookieOptions = {
+				maxAge: 3600 * 24 * 365,
+				noOpIfServerComponent: true
+			};
+			const setCookie = async (targetDomain, value) => {
+				const name = this._getCustomRefreshCookieName(targetDomain);
+				const options = {
+					...cookieOptions,
+					domain: targetDomain
+				};
+				if (context === "browser") setOrDeleteCookieClient(name, value, options);
+				else await setOrDeleteCookie(name, value, options);
+			};
+			if (domain.status === "error" || !domain.data || updateIndex !== this._mostRecentQueuedCookieRefreshIndex) return;
+			const value = refreshToken && updatedAt ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
+			await setCookie(domain.data, value);
+			const isSecure$1 = await isSecure();
+			const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(isSecure$1);
+			if (context === "browser") setOrDeleteCookieClient(defaultName, null, cookieOptions);
+			else await setOrDeleteCookie(defaultName, null, cookieOptions);
+		});
+	}
+	async _getTrustedRedirectConfig() {
+		const project = Result.orThrow(await this._currentProjectCache.getOrWait([], "write-only"));
+		return {
+			allowLocalhost: project.config.allow_localhost,
+			trustedDomains: [...project.config.domains.map((d) => d.domain), new URL(getHostedHandlerUrl({
+				projectId: this.projectId,
+				pagePath: ""
+			})).origin]
+		};
+	}
+	async _getTrustedParentDomain(currentDomain) {
+		return getTrustedParentDomain(currentDomain, (await this._getTrustedRedirectConfig()).trustedDomains);
+	}
+	_getBrowserCookieTokenStore() {
+		if (!isBrowserLike()) throw new Error("Cannot use cookie token store on the server!");
+		if (this._storedBrowserCookieTokenStore === null) {
+			const getCurrentValue = (old) => {
+				const tokens = this._getTokensFromCookies(this._getAllBrowserCookies());
+				return {
+					refreshToken: tokens.refreshToken,
+					accessToken: tokens.accessToken ?? (old?.refreshToken === tokens.refreshToken ? old.accessToken : null)
+				};
+			};
+			this._storedBrowserCookieTokenStore = new Store(getCurrentValue(null));
+			let hasSucceededInWriting = true;
+			setInterval(() => {
+				if (hasSucceededInWriting) {
+					const oldValue = this._storedBrowserCookieTokenStore.get();
+					const currentValue = getCurrentValue(oldValue);
+					if (!deepPlainEquals(currentValue, oldValue)) this._storedBrowserCookieTokenStore.set(currentValue);
+				}
+			}, 100);
+			this._storedBrowserCookieTokenStore.onChange((value) => {
+				try {
+					const refreshToken = value.refreshToken;
+					const secure = window.location.protocol === "https:";
+					const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+					const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(this._getAllBrowserCookies(), refreshToken, value.accessToken ?? null, defaultName);
+					setOrDeleteCookieClient(defaultName, refreshCookieValue, {
+						maxAge: 3600 * 24 * 365,
+						secure
+					});
+					setOrDeleteCookieClient(this._accessTokenCookieName, accessTokenPayload, { maxAge: 3600 * 24 });
+					cookieNamesToDelete.forEach((name) => {
+						const domain = this._getDomainFromCustomRefreshCookieName(name);
+						deleteCookieClient(name, domain ? { domain } : {});
+					});
+					this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "browser");
+					hasSucceededInWriting = true;
+				} catch (e) {
+					if (!isBrowserLike()) hasSucceededInWriting = false;
+					else throw e;
+				}
+			});
+		}
+		return this._storedBrowserCookieTokenStore;
+	}
+	_getOrCreateTokenStore(cookieHelper, overrideTokenStoreInit) {
+		const tokenStoreInit = overrideTokenStoreInit === void 0 ? this._tokenStoreInit : overrideTokenStoreInit;
+		switch (tokenStoreInit) {
+			case "cookie": return this._getBrowserCookieTokenStore();
+			case "nextjs-cookie": if (isBrowserLike()) return this._getBrowserCookieTokenStore();
+			else {
+				const store = new Store(this._getTokensFromCookies(cookieHelper.getAll()));
+				store.onChange((value) => {
+					runAsynchronously(async () => {
+						const refreshToken = value.refreshToken;
+						const secure = await isSecure();
+						const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+						const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(cookieHelper.getAll(), refreshToken, value.accessToken ?? null, defaultName);
+						await Promise.all([setOrDeleteCookie(defaultName, refreshCookieValue, {
+							maxAge: 3600 * 24 * 365,
+							noOpIfServerComponent: true
+						}), setOrDeleteCookie(this._accessTokenCookieName, accessTokenPayload, {
+							maxAge: 3600 * 24,
+							noOpIfServerComponent: true
+						})]);
+						if (cookieNamesToDelete.length > 0) await Promise.all(cookieNamesToDelete.map((name) => {
+							const domain = this._getDomainFromCustomRefreshCookieName(name);
+							return deleteCookie(name, {
+								noOpIfServerComponent: true,
+								...domain ? { domain } : {}
+							});
+						}));
+						this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "server");
+					});
+				});
+				return store;
+			}
+			case "memory": return this._memoryTokenStore;
+			default:
+				if (tokenStoreInit === null) return createEmptyTokenStore();
+				else if (typeof tokenStoreInit === "object" && "headers" in tokenStoreInit) {
+					if (this._requestTokenStores.has(tokenStoreInit)) return this._requestTokenStores.get(tokenStoreInit);
+					const authorizationHeader = getHeaderValueFromRequestLikeHeaders(tokenStoreInit.headers, "authorization");
+					if (authorizationHeader) {
+						const authJson = getAuthJsonFromAuthorizationHeaderValue(authorizationHeader);
+						if (authJson != null) {
+							const tokenStore = new Store({
+								accessToken: authJson.accessToken,
+								refreshToken: authJson.refreshToken
+							});
+							this._requestTokenStores.set(tokenStoreInit, tokenStore);
+							return tokenStore;
+						}
+					}
+					const stackAuthHeader = getHeaderValueFromRequestLikeHeaders(tokenStoreInit.headers, "x-stack-auth");
+					if (stackAuthHeader) {
+						let parsed;
+						try {
+							parsed = JSON.parse(stackAuthHeader);
+							if (typeof parsed !== "object") throw new Error("x-stack-auth header must be a JSON object");
+							if (parsed === null) throw new Error("x-stack-auth header must not be null");
+						} catch (e) {
+							throw new Error("Invalid x-stack-auth header.", { cause: e });
+						}
+						return this._getOrCreateTokenStore(cookieHelper, {
+							accessToken: parsed.accessToken ?? null,
+							refreshToken: parsed.refreshToken ?? null
+						});
+					}
+					const cookieHeader = getHeaderValueFromRequestLikeHeaders(tokenStoreInit.headers, "cookie");
+					const parsed = cookie.parseCookie(cookieHeader || "");
+					const res = new Store(this._getTokensFromCookies(parsed));
+					this._requestTokenStores.set(tokenStoreInit, res);
+					return res;
+				} else if ("accessToken" in tokenStoreInit || "refreshToken" in tokenStoreInit) return new Store({
+					refreshToken: tokenStoreInit.refreshToken,
+					accessToken: tokenStoreInit.accessToken
+				});
+				throw new Error(`Invalid token store ${tokenStoreInit}`);
+		}
+	}
+	_useTokenStore(overrideTokenStoreInit) {
+		suspendIfSsr();
+		const cookieHelper = createBrowserCookieHelper();
+		return this._getOrCreateTokenStore(cookieHelper, overrideTokenStoreInit);
+	}
+	_getSessionFromTokenStore(tokenStore) {
+		const tokenObj = tokenStore.get();
+		const sessionKey = InternalSession.calculateSessionKey(tokenObj);
+		const existing = sessionKey ? this._sessionsByTokenStoreAndSessionKey.get(tokenStore)?.get(sessionKey) : null;
+		if (existing) return existing;
+		const session = this._interface.createSession({
+			refreshToken: tokenObj.refreshToken,
+			accessToken: tokenObj.accessToken
+		});
+		session.onAccessTokenChange((newAccessToken) => {
+			tokenStore.update((old) => ({
+				...old,
+				accessToken: newAccessToken?.token ?? null
+			}));
+		});
+		session.onInvalidate(() => {
+			tokenStore.update((old) => ({
+				...old,
+				accessToken: null,
+				refreshToken: null
+			}));
+		});
+		let sessionsBySessionKey = this._sessionsByTokenStoreAndSessionKey.get(tokenStore) ?? /* @__PURE__ */ new Map();
+		this._sessionsByTokenStoreAndSessionKey.set(tokenStore, sessionsBySessionKey);
+		sessionsBySessionKey.set(sessionKey, session);
+		return session;
+	}
+	async _getSession(overrideTokenStoreInit, options) {
+		await this._awaitPendingAuthResolutions(overrideTokenStoreInit, options);
+		const tokenStore = this._getOrCreateTokenStore(await this._createCookieHelper(overrideTokenStoreInit), overrideTokenStoreInit);
+		return this._getSessionFromTokenStore(tokenStore);
+	}
+	_useSession(overrideTokenStoreInit) {
+		this._usePendingAuthResolutions(overrideTokenStoreInit);
+		const tokenStore = this._useTokenStore(overrideTokenStoreInit);
+		const subscribe = useCallback((cb) => {
+			return subscribeSessionRefresh({
+				tokenStore,
+				getSession: () => this._getSessionFromTokenStore(tokenStore),
+				onTokenStoreChange: cb
+			});
+		}, [tokenStore]);
+		const getSnapshot = useCallback(() => this._getSessionFromTokenStore(tokenStore), [tokenStore]);
+		return React.useSyncExternalStore(subscribe, getSnapshot, getSnapshot);
+	}
+	async _signInToAccountWithTokens(tokens) {
+		if (!("accessToken" in tokens) || !("refreshToken" in tokens)) throw new HexclaveAssertionError("Invalid tokens object; can't sign in with this", { tokens });
+		const tokenStore = this._getOrCreateTokenStore(await this._createCookieHelper());
+		tokenStore.set(tokens);
+		const newSession = this._getSessionFromTokenStore(tokenStore);
+		this._currentUserCache.getOrWait([newSession], "write-only").catch(() => {});
+	}
+	_getTokenStoreInitForFreshTokens(tokens) {
+		if (tokens.accessToken == null) return;
+		return {
+			accessToken: tokens.accessToken,
+			refreshToken: tokens.refreshToken
+		};
+	}
+	_hasPersistentTokenStore(overrideTokenStoreInit) {
+		return (overrideTokenStoreInit !== void 0 ? overrideTokenStoreInit : this._tokenStoreInit) !== null;
+	}
+	_ensurePersistentTokenStore(overrideTokenStoreInit) {
+		if (!this._hasPersistentTokenStore(overrideTokenStoreInit)) throw new Error("Cannot call this function on a Stack app without a persistent token store. Make sure the tokenStore option on the constructor is set to a non-null value when initializing Stack.\n\nStack uses token stores to access access tokens of the current user. For example, on web frontends it is commonly the string value 'cookies' for cookie storage.");
+	}
+	_isInternalProject() {
+		return this.projectId === "internal";
+	}
+	_ensureInternalProject() {
+		if (!this._isInternalProject()) throw new Error("Cannot call this function on a Stack app with a project ID other than 'internal'.");
+	}
+	_clientProjectFromCrud(crud) {
+		return {
+			id: crud.id,
+			displayName: crud.display_name,
+			config: {
+				signUpEnabled: crud.config.sign_up_enabled,
+				credentialEnabled: crud.config.credential_enabled,
+				magicLinkEnabled: crud.config.magic_link_enabled,
+				passkeyEnabled: crud.config.passkey_enabled,
+				clientTeamCreationEnabled: crud.config.client_team_creation_enabled,
+				clientUserDeletionEnabled: crud.config.client_user_deletion_enabled,
+				allowTeamApiKeys: crud.config.allow_team_api_keys,
+				allowUserApiKeys: crud.config.allow_user_api_keys,
+				oauthProviders: crud.config.enabled_oauth_providers.map((p) => ({ id: p.id }))
+			}
+		};
+	}
+	_clientPermissionFromCrud(crud) {
+		return { id: crud.id };
+	}
+	_clientTeamUserFromCrud(crud) {
+		return {
+			id: crud.user_id,
+			teamProfile: {
+				displayName: crud.display_name,
+				profileImageUrl: crud.profile_image_url
+			}
+		};
+	}
+	_clientSentTeamInvitationFromCrud(session, crud) {
+		return {
+			id: crud.id,
+			recipientEmail: crud.recipient_email,
+			expiresAt: new Date(crud.expires_at_millis),
+			revoke: async () => {
+				await this._interface.revokeTeamInvitation(crud.id, crud.team_id, session);
+				await this._teamInvitationsCache.refresh([session, crud.team_id]);
+			}
+		};
+	}
+	_clientReceivedTeamInvitationFromCrud(session, crud) {
+		const app = this;
+		return {
+			id: crud.id,
+			teamId: crud.team_id,
+			teamDisplayName: crud.team_display_name,
+			recipientEmail: crud.recipient_email,
+			expiresAt: new Date(crud.expires_at_millis),
+			accept: async () => {
+				await app._interface.acceptTeamInvitationById(crud.id, session);
+				await Promise.all([
+					app._currentUserTeamInvitationsCache.refresh([session]),
+					app._currentUserTeamsCache.refresh([session]),
+					app._teamInvitationsCache.refresh([session, crud.team_id])
+				]);
+			}
+		};
+	}
+	_baseApiKeyFromCrud(crud) {
+		return {
+			id: crud.id,
+			description: crud.description,
+			expiresAt: crud.expires_at_millis ? new Date(crud.expires_at_millis) : void 0,
+			manuallyRevokedAt: crud.manually_revoked_at_millis ? new Date(crud.manually_revoked_at_millis) : null,
+			createdAt: new Date(crud.created_at_millis),
+			...crud.type === "team" ? {
+				type: "team",
+				teamId: crud.team_id
+			} : {
+				type: "user",
+				userId: crud.user_id
+			},
+			value: typeof crud.value === "string" ? crud.value : { lastFour: crud.value.last_four },
+			isValid: function() {
+				return this.whyInvalid() === null;
+			},
+			whyInvalid: function() {
+				if (this.manuallyRevokedAt) return "manually-revoked";
+				if (this.expiresAt && this.expiresAt < /* @__PURE__ */ new Date()) return "expired";
+				return null;
+			}
+		};
+	}
+	_clientApiKeyFromCrud(session, crud) {
+		return {
+			...this._baseApiKeyFromCrud(crud),
+			async revoke() {
+				await this.update({ revoked: true });
+			},
+			update: async (options) => {
+				await this._interface.updateProjectApiKey(crud.type === "team" ? { team_id: crud.team_id } : { user_id: crud.user_id }, crud.id, options, session, "client");
+				if (crud.type === "team") await this._teamApiKeysCache.refresh([session, crud.team_id]);
+				else await this._userApiKeysCache.refresh([session]);
+			}
+		};
+	}
+	_clientTeamFromCrud(crud, session) {
+		const app = this;
+		return {
+			id: crud.id,
+			displayName: crud.display_name,
+			profileImageUrl: crud.profile_image_url,
+			clientMetadata: crud.client_metadata,
+			clientReadOnlyMetadata: crud.client_read_only_metadata,
+			...this._createCustomer(crud.id, "team", session),
+			async inviteUser(options) {
+				await app._interface.sendTeamInvitation({
+					teamId: crud.id,
+					email: options.email,
+					session,
+					callbackUrl: options.callbackUrl ?? constructRedirectUrl(app.urls.teamInvitation, "callbackUrl")
+				});
+				await app._teamInvitationsCache.refresh([session, crud.id]);
+			},
+			async listUsers() {
+				return Result.orThrow(await app._teamMemberProfilesCache.getOrWait([session, crud.id], "write-only")).map((crud) => app._clientTeamUserFromCrud(crud));
+			},
+			useUsers() {
+				return useAsyncCache(app._teamMemberProfilesCache, [session, crud.id], "team.useUsers()").map((crud) => app._clientTeamUserFromCrud(crud));
+			},
+			async listInvitations() {
+				return Result.orThrow(await app._teamInvitationsCache.getOrWait([session, crud.id], "write-only")).map((crud) => app._clientSentTeamInvitationFromCrud(session, crud));
+			},
+			useInvitations() {
+				return useAsyncCache(app._teamInvitationsCache, [session, crud.id], "team.useInvitations()").map((crud) => app._clientSentTeamInvitationFromCrud(session, crud));
+			},
+			async update(data) {
+				await app._interface.updateTeam({
+					data: teamUpdateOptionsToCrud(data),
+					teamId: crud.id
+				}, session);
+				await app._currentUserTeamsCache.refresh([session]);
+			},
+			async delete() {
+				await app._interface.deleteTeam(crud.id, session);
+				await app._currentUserTeamsCache.refresh([session]);
+			},
+			useApiKeys() {
+				return useAsyncCache(app._teamApiKeysCache, [session, crud.id], "team.useApiKeys()").map((crud) => app._clientApiKeyFromCrud(session, crud));
+			},
+			async listApiKeys() {
+				return Result.orThrow(await app._teamApiKeysCache.getOrWait([session, crud.id], "write-only")).map((crud) => app._clientApiKeyFromCrud(session, crud));
+			},
+			async createApiKey(options) {
+				const result = await app._interface.createProjectApiKey(await apiKeyCreationOptionsToCrud("team", crud.id, options), session, "client");
+				await app._teamApiKeysCache.refresh([session, crud.id]);
+				return app._clientApiKeyFromCrud(session, result);
+			}
+		};
+	}
+	_clientContactChannelFromCrud(crud, session) {
+		const app = this;
+		return {
+			id: crud.id,
+			value: crud.value,
+			type: crud.type,
+			isVerified: crud.is_verified,
+			isPrimary: crud.is_primary,
+			usedForAuth: crud.used_for_auth,
+			async sendVerificationEmail(options) {
+				await app._interface.sendCurrentUserContactChannelVerificationEmail(crud.id, options?.callbackUrl || constructRedirectUrl(app.urls.emailVerification, "callbackUrl"), session);
+			},
+			async update(data) {
+				await app._interface.updateClientContactChannel(crud.id, contactChannelUpdateOptionsToCrud(data), session);
+				await app._clientContactChannelsCache.refresh([session]);
+			},
+			async delete() {
+				await app._interface.deleteClientContactChannel(crud.id, session);
+				await app._clientContactChannelsCache.refresh([session]);
+			}
+		};
+	}
+	_clientNotificationCategoryFromCrud(crud, session) {
+		const app = this;
+		return {
+			id: crud.notification_category_id,
+			name: crud.notification_category_name,
+			enabled: crud.enabled,
+			canDisable: crud.can_disable,
+			async setEnabled(enabled) {
+				await app._interface.setNotificationsEnabled(crud.notification_category_id, enabled, session);
+				await app._notificationCategoriesCache.refresh([session]);
+			}
+		};
+	}
+	_clientOAuthProviderFromCrud(crud, session) {
+		const app = this;
+		return {
+			id: crud.id,
+			type: crud.type,
+			userId: crud.user_id,
+			email: crud.email,
+			allowSignIn: crud.allow_sign_in,
+			allowConnectedAccounts: crud.allow_connected_accounts,
+			async update(data) {
+				try {
+					await app._interface.updateOAuthProvider(crud.user_id, crud.id, {
+						allow_sign_in: data.allowSignIn,
+						allow_connected_accounts: data.allowConnectedAccounts
+					}, session);
+					await Promise.all([app._currentUserOAuthProvidersCache.refresh([session]), app._currentUserConnectedAccountsCache.refresh([session])]);
+					return Result.ok(void 0);
+				} catch (error) {
+					if (KnownErrors.OAuthProviderAccountIdAlreadyUsedForSignIn.isInstance(error)) return Result.error(error);
+					throw error;
+				}
+			},
+			async delete() {
+				await app._interface.deleteOAuthProvider(crud.user_id, crud.id, session);
+				await Promise.all([app._currentUserOAuthProvidersCache.refresh([session]), app._currentUserConnectedAccountsCache.refresh([session])]);
+			}
+		};
+	}
+	_clientItemFromCrud(crud) {
+		return {
+			displayName: crud.display_name,
+			quantity: crud.quantity,
+			nonNegativeQuantity: Math.max(0, crud.quantity)
+		};
+	}
+	_customerProductsFromResponse(response) {
+		const products = response.items.map((item) => ({
+			id: item.id,
+			quantity: item.quantity,
+			displayName: item.product.display_name,
+			customerType: item.product.customer_type,
+			isServerOnly: item.product.server_only,
+			stackable: item.product.stackable,
+			type: item.type,
+			subscription: item.subscription ? {
+				subscriptionId: item.subscription.subscription_id,
+				currentPeriodEnd: item.subscription.current_period_end ? new Date(item.subscription.current_period_end) : null,
+				cancelAtPeriodEnd: item.subscription.cancel_at_period_end,
+				isCancelable: item.subscription.is_cancelable
+			} : null,
+			switchOptions: item.switch_options?.map((option) => ({
+				productId: option.product_id,
+				displayName: option.product.display_name,
+				prices: option.product.prices
+			}))
+		}));
+		return Object.assign(products, { nextCursor: response.pagination.next_cursor ?? null });
+	}
+	_customerInvoicesFromResponse(response) {
+		const invoices = response.items.map((item) => ({
+			status: item.status,
+			amountTotal: item.amount_total,
+			hostedInvoiceUrl: item.hosted_invoice_url,
+			createdAt: new Date(item.created_at_millis)
+		}));
+		return Object.assign(invoices, { nextCursor: response.pagination.next_cursor ?? null });
+	}
+	_customerBillingFromResponse(response) {
+		return {
+			hasCustomer: response.has_customer,
+			defaultPaymentMethod: response.default_payment_method
+		};
+	}
+	_createAuth(session) {
+		const app = this;
+		return {
+			_internalSession: session,
+			currentSession: {
+				async getTokens() {
+					const tokens = await session.getOrFetchLikelyValidTokens(2e4, 75e3);
+					return {
+						accessToken: tokens?.accessToken.token ?? null,
+						refreshToken: tokens?.refreshToken?.token ?? null
+					};
+				},
+				useTokens() {
+					const subscribe = useCallback((cb) => {
+						const { unsubscribe: unsubscribeInvalidate } = session.onInvalidate(cb);
+						const { unsubscribe: unsubscribeAccessTokenChange } = session.onAccessTokenChange(cb);
+						return () => {
+							unsubscribeInvalidate();
+							unsubscribeAccessTokenChange();
+						};
+					}, [session]);
+					const getSnapshot = useCallback(() => {
+						return session.isKnownToBeInvalid() ? null : session.getAccessTokenIfNotExpiredYet(2e4, 75e3)?.token ?? null;
+					}, [session]);
+					let accessToken = React.useSyncExternalStore(subscribe, getSnapshot, getSnapshot);
+					if (accessToken === null && !session.isKnownToBeInvalid()) accessToken = use(session.getOrFetchLikelyValidTokens(2e4, 75e3))?.accessToken.token ?? null;
+					return {
+						accessToken,
+						refreshToken: session.getRefreshToken()?.token ?? null
+					};
+				}
+			},
+			async getAccessToken() {
+				return (await this.currentSession.getTokens()).accessToken;
+			},
+			useAccessToken() {
+				return this.currentSession.useTokens().accessToken;
+			},
+			async getRefreshToken() {
+				return (await this.currentSession.getTokens()).refreshToken;
+			},
+			useRefreshToken() {
+				return this.currentSession.useTokens().refreshToken;
+			},
+			async getAuthorizationHeader() {
+				return getAuthorizationHeaderValueFromAuthJson(await this.getAuthJson());
+			},
+			useAuthorizationHeader() {
+				return getAuthorizationHeaderValueFromAuthJson(this.useAuthJson());
+			},
+			async getAuthHeaders() {
+				return { "x-stack-auth": JSON.stringify(await this.getAuthJson()) };
+			},
+			useAuthHeaders() {
+				return { "x-stack-auth": JSON.stringify(this.useAuthJson()) };
+			},
+			async getAuthJson() {
+				return await this.currentSession.getTokens();
+			},
+			useAuthJson() {
+				return this.currentSession.useTokens();
+			},
+			signOut(options) {
+				return app._signOut(session, options);
+			}
+		};
+	}
+	_editableTeamProfileFromCrud(crud, session) {
+		const app = this;
+		return {
+			displayName: crud.display_name,
+			profileImageUrl: crud.profile_image_url,
+			async update(update) {
+				await app._interface.updateTeamMemberProfile({
+					teamId: crud.team_id,
+					userId: crud.user_id,
+					profile: {
+						display_name: update.displayName,
+						profile_image_url: update.profileImageUrl
+					}
+				}, session);
+				await app._currentUserTeamProfileCache.refresh([session, crud.team_id]);
+			}
+		};
+	}
+	_createBaseUser(crud) {
+		return {
+			id: crud.id,
+			displayName: crud.display_name,
+			primaryEmail: crud.primary_email,
+			primaryEmailVerified: crud.primary_email_verified,
+			profileImageUrl: crud.profile_image_url,
+			signedUpAt: new Date(crud.signed_up_at_millis),
+			clientMetadata: crud.client_metadata,
+			clientReadOnlyMetadata: crud.client_read_only_metadata,
+			hasPassword: crud.has_password,
+			emailAuthEnabled: crud.auth_with_email,
+			otpAuthEnabled: crud.otp_auth_enabled,
+			oauthProviders: crud.oauth_providers,
+			passkeyAuthEnabled: crud.passkey_auth_enabled,
+			isMultiFactorRequired: crud.requires_totp_mfa,
+			isAnonymous: crud.is_anonymous,
+			isRestricted: crud.is_restricted,
+			restrictedReason: crud.restricted_reason,
+			toClientJson() {
+				return crud;
+			}
+		};
+	}
+	_createUserExtraFromCurrent(crud, session) {
+		const app = this;
+		async function getConnectedAccount(idOrAccount, options) {
+			const scopeString = options?.scopes?.join(" ") ?? "";
+			if (typeof idOrAccount === "object" && "provider" in idOrAccount && "providerAccountId" in idOrAccount) {
+				const { provider, providerAccountId } = idOrAccount;
+				const found = Result.orThrow(await app._currentUserConnectedAccountsCache.getOrWait([session], "write-only")).find((a) => a.provider === provider && a.providerAccountId === providerAccountId);
+				if (!found) return null;
+				return found;
+			}
+			return Result.orThrow(await app._currentUserOAuthConnectionCache.getOrWait([
+				session,
+				idOrAccount,
+				scopeString,
+				options?.or === "redirect"
+			], "write-only"));
+		}
+		function useConnectedAccount(idOrAccount, options) {
+			const scopeString = options?.scopes?.join(" ") ?? "";
+			if (typeof idOrAccount === "object" && "provider" in idOrAccount && "providerAccountId" in idOrAccount) {
+				const { provider, providerAccountId } = idOrAccount;
+				return useAsyncCache(app._currentUserConnectedAccountsCache, [session], "user.useConnectedAccount()").find((a) => a.provider === provider && a.providerAccountId === providerAccountId) ?? null;
+			}
+			return useAsyncCache(app._currentUserOAuthConnectionCache, [
+				session,
+				idOrAccount,
+				scopeString,
+				options?.or === "redirect"
+			], "user.useConnectedAccount()");
+		}
+		return {
+			async getActiveSessions() {
+				return (await app._interface.listSessions(session)).items.map((crud) => app._clientSessionFromCrud(crud));
+			},
+			async revokeSession(sessionId) {
+				await app._interface.deleteSession(sessionId, session);
+			},
+			setDisplayName(displayName) {
+				return this.update({ displayName });
+			},
+			setClientMetadata(metadata) {
+				return this.update({ clientMetadata: metadata });
+			},
+			async setSelectedTeam(team) {
+				await this.update({ selectedTeamId: typeof team === "string" ? team : team?.id ?? null });
+			},
+			getConnectedAccount,
+			useConnectedAccount,
+			async listConnectedAccounts() {
+				return Result.orThrow(await app._currentUserConnectedAccountsCache.getOrWait([session], "write-only"));
+			},
+			useConnectedAccounts() {
+				return useAsyncCache(app._currentUserConnectedAccountsCache, [session], "user.useConnectedAccounts()");
+			},
+			async linkConnectedAccount(provider, options) {
+				const scopeString = options?.scopes?.join(" ") ?? "";
+				const location = await getNewOAuthProviderOrScopeUrl(app._interface, {
+					provider,
+					redirectUrl: app._getOAuthCallbackRedirectUri(),
+					errorRedirectUrl: app.urls.error,
+					providerScope: mergeScopeStrings(scopeString, (app._oauthScopesOnSignIn[provider] ?? []).join(" "))
+				}, session);
+				await app._redirectTo({ url: location });
+				return await neverResolve();
+			},
+			async getOrLinkConnectedAccount(provider, options) {
+				const matchingAccounts = Result.orThrow(await app._currentUserConnectedAccountsCache.getOrWait([session], "write-only")).filter((a) => a.provider === provider);
+				for (const account of matchingAccounts) if ((await account.getAccessToken({ scopes: options?.scopes })).status === "ok") return account;
+				await this.linkConnectedAccount(provider, options);
+				return await neverResolve();
+			},
+			useOrLinkConnectedAccount(provider, options) {
+				const scopeString = options?.scopes?.join(" ") ?? "";
+				return useAsyncCache(app._currentUserValidConnectedAccountForProviderCache, [
+					session,
+					provider,
+					scopeString
+				], "user.useOrLinkConnectedAccount()");
+			},
+			async getTeam(teamId) {
+				return (await this.listTeams()).find((t) => t.id === teamId) ?? null;
+			},
+			useTeam(teamId) {
+				const teams = this.useTeams();
+				return useMemo(() => {
+					return teams.find((t) => t.id === teamId) ?? null;
+				}, [teams, teamId]);
+			},
+			async listTeams() {
+				return Result.orThrow(await app._currentUserTeamsCache.getOrWait([session], "write-only")).map((crud) => app._clientTeamFromCrud(crud, session));
+			},
+			useTeams() {
+				const teams = useAsyncCache(app._currentUserTeamsCache, [session], "user.useTeams()");
+				return useMemo(() => teams.map((crud) => app._clientTeamFromCrud(crud, session)), [teams]);
+			},
+			async createTeam(data) {
+				const crud = await app._interface.createClientTeam(teamCreateOptionsToCrud(data, "me"), session);
+				await app._currentUserTeamsCache.refresh([session]);
+				await this.update({ selectedTeamId: crud.id });
+				return app._clientTeamFromCrud(crud, session);
+			},
+			async leaveTeam(team) {
+				await app._interface.leaveTeam(team.id, session);
+			},
+			async listTeamInvitations() {
+				return Result.orThrow(await app._currentUserTeamInvitationsCache.getOrWait([session], "write-only")).map((crud) => app._clientReceivedTeamInvitationFromCrud(session, crud));
+			},
+			useTeamInvitations() {
+				const invitations = useAsyncCache(app._currentUserTeamInvitationsCache, [session], "user.useTeamInvitations()");
+				return useMemo(() => invitations.map((crud) => app._clientReceivedTeamInvitationFromCrud(session, crud)), [invitations]);
+			},
+			async listPermissions(scopeOrOptions, options) {
+				if (scopeOrOptions && "id" in scopeOrOptions) {
+					const scope = scopeOrOptions;
+					const recursive = options?.recursive ?? true;
+					return Result.orThrow(await app._currentUserPermissionsCache.getOrWait([
+						session,
+						scope.id,
+						recursive
+					], "write-only")).map((crud) => app._clientPermissionFromCrud(crud));
+				} else {
+					const recursive = scopeOrOptions?.recursive ?? true;
+					return Result.orThrow(await app._currentUserProjectPermissionsCache.getOrWait([session, recursive], "write-only")).map((crud) => app._clientPermissionFromCrud(crud));
+				}
+			},
+			usePermissions(scopeOrOptions, options) {
+				if (scopeOrOptions && "id" in scopeOrOptions) {
+					const scope = scopeOrOptions;
+					const recursive = options?.recursive ?? true;
+					const permissions = useAsyncCache(app._currentUserPermissionsCache, [
+						session,
+						scope.id,
+						recursive
+					], "user.usePermissions()");
+					return useMemo(() => permissions.map((crud) => app._clientPermissionFromCrud(crud)), [permissions]);
+				} else {
+					const recursive = scopeOrOptions?.recursive ?? true;
+					const permissions = useAsyncCache(app._currentUserProjectPermissionsCache, [session, recursive], "user.usePermissions()");
+					return useMemo(() => permissions.map((crud) => app._clientPermissionFromCrud(crud)), [permissions]);
+				}
+			},
+			usePermission(scopeOrPermissionId, permissionId) {
+				if (scopeOrPermissionId && typeof scopeOrPermissionId !== "string") {
+					const scope = scopeOrPermissionId;
+					const permissions = this.usePermissions(scope);
+					return useMemo(() => permissions.find((p) => p.id === permissionId) ?? null, [permissions, permissionId]);
+				} else {
+					const pid = scopeOrPermissionId;
+					const permissions = this.usePermissions();
+					return useMemo(() => permissions.find((p) => p.id === pid) ?? null, [permissions, pid]);
+				}
+			},
+			async getPermission(scopeOrPermissionId, permissionId) {
+				if (scopeOrPermissionId && typeof scopeOrPermissionId !== "string") {
+					const scope = scopeOrPermissionId;
+					return (await this.listPermissions(scope)).find((p) => p.id === permissionId) ?? null;
+				} else {
+					const pid = scopeOrPermissionId;
+					return (await this.listPermissions()).find((p) => p.id === pid) ?? null;
+				}
+			},
+			async hasPermission(scopeOrPermissionId, permissionId) {
+				if (scopeOrPermissionId && typeof scopeOrPermissionId !== "string") {
+					const scope = scopeOrPermissionId;
+					return await this.getPermission(scope, permissionId) !== null;
+				} else {
+					const pid = scopeOrPermissionId;
+					return await this.getPermission(pid) !== null;
+				}
+			},
+			async update(update) {
+				return await app._updateClientUser(update, session);
+			},
+			async sendVerificationEmail(options) {
+				if (!crud.primary_email) throw new HexclaveAssertionError("User does not have a primary email");
+				return await app._interface.sendVerificationEmail(crud.primary_email, options?.callbackUrl ?? constructRedirectUrl(app.urls.emailVerification, "callbackUrl"), session);
+			},
+			async updatePassword(options) {
+				const result = await app._interface.updatePassword(options, session);
+				await app._currentUserCache.refresh([session]);
+				return result;
+			},
+			async setPassword(options) {
+				const result = await app._interface.setPassword(options, session);
+				await app._currentUserCache.refresh([session]);
+				return result;
+			},
+			selectedTeam: crud.selected_team && this._clientTeamFromCrud(crud.selected_team, session),
+			async getTeamProfile(team) {
+				const result = Result.orThrow(await app._currentUserTeamProfileCache.getOrWait([session, team.id], "write-only"));
+				return app._editableTeamProfileFromCrud(result, session);
+			},
+			useTeamProfile(team) {
+				const result = useAsyncCache(app._currentUserTeamProfileCache, [session, team.id], "user.useTeamProfile()");
+				return app._editableTeamProfileFromCrud(result, session);
+			},
+			async delete() {
+				await app._interface.deleteCurrentUser(session);
+				session.markInvalid();
+			},
+			async listContactChannels() {
+				return Result.orThrow(await app._clientContactChannelsCache.getOrWait([session], "write-only")).map((crud) => app._clientContactChannelFromCrud(crud, session));
+			},
+			useContactChannels() {
+				return useAsyncCache(app._clientContactChannelsCache, [session], "user.useContactChannels()").map((crud) => app._clientContactChannelFromCrud(crud, session));
+			},
+			async createContactChannel(data) {
+				const crud = await app._interface.createClientContactChannel(contactChannelCreateOptionsToCrud("me", data), session);
+				await app._clientContactChannelsCache.refresh([session]);
+				return app._clientContactChannelFromCrud(crud, session);
+			},
+			useNotificationCategories() {
+				return useAsyncCache(app._notificationCategoriesCache, [session], "user.useNotificationCategories()").map((crud) => app._clientNotificationCategoryFromCrud(crud, session));
+			},
+			async listNotificationCategories() {
+				return Result.orThrow(await app._notificationCategoriesCache.getOrWait([session], "write-only")).map((crud) => app._clientNotificationCategoryFromCrud(crud, session));
+			},
+			useApiKeys() {
+				return useAsyncCache(app._userApiKeysCache, [session], "user.useApiKeys()").map((crud) => app._clientApiKeyFromCrud(session, crud));
+			},
+			async listApiKeys() {
+				return (await app._interface.listProjectApiKeys({ user_id: "me" }, session, "client")).map((crud) => app._clientApiKeyFromCrud(session, crud));
+			},
+			async createApiKey(options) {
+				const result = await app._interface.createProjectApiKey(await apiKeyCreationOptionsToCrud("user", "me", options), session, "client");
+				await app._userApiKeysCache.refresh([session]);
+				return app._clientApiKeyFromCrud(session, result);
+			},
+			useOAuthProviders() {
+				return useAsyncCache(app._currentUserOAuthProvidersCache, [session], "user.useOAuthProviders()").map((crud) => app._clientOAuthProviderFromCrud(crud, session));
+			},
+			async listOAuthProviders() {
+				return Result.orThrow(await app._currentUserOAuthProvidersCache.getOrWait([session], "write-only")).map((crud) => app._clientOAuthProviderFromCrud(crud, session));
+			},
+			useOAuthProvider(id) {
+				const providers = this.useOAuthProviders();
+				return useMemo(() => providers.find((p) => p.id === id) ?? null, [providers, id]);
+			},
+			async getOAuthProvider(id) {
+				return (await this.listOAuthProviders()).find((p) => p.id === id) ?? null;
+			},
+			async registerPasskey(options) {
+				const hostname = (await app._getCurrentUrl())?.hostname;
+				if (!hostname) throw new HexclaveAssertionError("hostname must be provided if the Stack App does not have a redirect method");
+				const initiationResult = await app._interface.initiatePasskeyRegistration({}, session);
+				if (initiationResult.status !== "ok") return Result.error(new KnownErrors.PasskeyRegistrationFailed("Failed to get initiation options for passkey registration"));
+				const { options_json, code } = initiationResult.data;
+				if (options_json.rp.id !== "THIS_VALUE_WILL_BE_REPLACED.example.com") throw new HexclaveAssertionError(`Expected returned RP ID from server to equal sentinel, but found ${options_json.rp.id}`);
+				options_json.rp.id = hostname;
+				let attResp;
+				try {
+					attResp = await startRegistration({ optionsJSON: options_json });
+				} catch (error) {
+					if (error instanceof WebAuthnError) return Result.error(new KnownErrors.PasskeyWebAuthnError(error.message, error.name));
+					else {
+						captureError("passkey-registration-failed", error);
+						return Result.error(new KnownErrors.PasskeyRegistrationFailed("Failed to start passkey registration due to unknown error"));
+					}
+				}
+				const registrationResult = await app._interface.registerPasskey({
+					credential: attResp,
+					code
+				}, session);
+				await app._refreshUser(session);
+				return registrationResult;
+			}
+		};
+	}
+	_createInternalUserExtra(session) {
+		const app = this;
+		this._ensureInternalProject();
+		return {
+			createProject(newProject) {
+				return app._createProject(session, newProject);
+			},
+			async transferProject(projectIdToTransfer, newTeamId) {
+				await app._interface.transferProject(session, projectIdToTransfer, newTeamId);
+				await app._refreshProject();
+			},
+			listOwnedProjects() {
+				return app._listOwnedProjects(session);
+			},
+			useOwnedProjects() {
+				return app._useOwnedProjects(session);
+			}
+		};
+	}
+	_createCustomer(userIdOrTeamId, type, session) {
+		const app = this;
+		const effectiveSession = session ?? app._interface.createSession({ refreshToken: null });
+		const customerOptions = type === "user" ? { userId: userIdOrTeamId } : { teamId: userIdOrTeamId };
+		return {
+			async getBilling() {
+				const response = Result.orThrow(await app._customerBillingCache.getOrWait([
+					effectiveSession,
+					type,
+					userIdOrTeamId
+				], "write-only"));
+				return app._customerBillingFromResponse(response);
+			},
+			useBilling() {
+				const response = useAsyncCache(app._customerBillingCache, [
+					effectiveSession,
+					type,
+					userIdOrTeamId
+				], "customer.useBilling()");
+				return app._customerBillingFromResponse(response);
+			},
+			async createPaymentMethodSetupIntent() {
+				const body = await app._interface.createCustomerPaymentMethodSetupIntent(type, userIdOrTeamId, effectiveSession);
+				return {
+					clientSecret: body.client_secret,
+					stripeAccountId: body.stripe_account_id
+				};
+			},
+			async setDefaultPaymentMethodFromSetupIntent(setupIntentId) {
+				const body = await app._interface.setDefaultCustomerPaymentMethodFromSetupIntent(type, userIdOrTeamId, setupIntentId, effectiveSession);
+				await app._customerBillingCache.refresh([
+					effectiveSession,
+					type,
+					userIdOrTeamId
+				]);
+				return body.default_payment_method;
+			},
+			async getItem(itemId) {
+				return await app.getItem({
+					itemId,
+					...customerOptions
+				});
+			},
+			useItem(itemId) {
+				return app.useItem({
+					itemId,
+					...customerOptions
+				});
+			},
+			async listProducts(options) {
+				return await app.listProducts({
+					...options,
+					...customerOptions
+				});
+			},
+			useProducts(options) {
+				return app.useProducts({
+					...options,
+					...customerOptions
+				});
+			},
+			async listInvoices(options) {
+				return await app.listInvoices({
+					...options,
+					...customerOptions
+				});
+			},
+			useInvoices(options) {
+				return app.useInvoices({
+					...options,
+					...customerOptions
+				});
+			},
+			async createCheckoutUrl(options) {
+				return await app._interface.createCheckoutUrl(type, userIdOrTeamId, options.productId, effectiveSession, options.returnUrl, "client");
+			},
+			async switchSubscription(options) {
+				await app._interface.switchSubscription({
+					customer_type: type,
+					customer_id: userIdOrTeamId,
+					from_product_id: options.fromProductId,
+					to_product_id: options.toProductId,
+					price_id: options.priceId,
+					quantity: options.quantity
+				}, effectiveSession);
+				await app._customerBillingCache.refresh([
+					effectiveSession,
+					type,
+					userIdOrTeamId
+				]);
+				if (type === "user") await app._userProductsCache.invalidateWhere(([cachedSession, userId]) => cachedSession === effectiveSession && userId === userIdOrTeamId);
+				else await app._teamProductsCache.invalidateWhere(([cachedSession, teamId]) => cachedSession === effectiveSession && teamId === userIdOrTeamId);
+			}
+		};
+	}
+	async getItem(options) {
+		const session = await this._getSession();
+		let crud;
+		if ("userId" in options) crud = Result.orThrow(await this._userItemCache.getOrWait([
+			session,
+			options.userId,
+			options.itemId
+		], "write-only"));
+		else if ("teamId" in options) crud = Result.orThrow(await this._teamItemCache.getOrWait([
+			session,
+			options.teamId,
+			options.itemId
+		], "write-only"));
+		else crud = Result.orThrow(await this._customItemCache.getOrWait([
+			session,
+			options.customCustomerId,
+			options.itemId
+		], "write-only"));
+		return this._clientItemFromCrud(crud);
+	}
+	useItem(options) {
+		const session = this._useSession();
+		const [cache, ownerId] = "userId" in options ? [this._userItemCache, options.userId] : "teamId" in options ? [this._teamItemCache, options.teamId] : [this._customItemCache, options.customCustomerId];
+		const crud = useAsyncCache(cache, [
+			session,
+			ownerId,
+			options.itemId
+		], "app.useItem()");
+		return this._clientItemFromCrud(crud);
+	}
+	async listProducts(options) {
+		const session = (await this.getUser())?._internalSession ?? await this._getSession();
+		if ("userId" in options) {
+			const response = Result.orThrow(await this._userProductsCache.getOrWait([
+				session,
+				options.userId,
+				options.cursor ?? null,
+				options.limit ?? null
+			], "write-only"));
+			return this._customerProductsFromResponse(response);
+		} else if ("teamId" in options) {
+			const response = Result.orThrow(await this._teamProductsCache.getOrWait([
+				session,
+				options.teamId,
+				options.cursor ?? null,
+				options.limit ?? null
+			], "write-only"));
+			return this._customerProductsFromResponse(response);
+		}
+		const response = Result.orThrow(await this._customProductsCache.getOrWait([
+			session,
+			options.customCustomerId,
+			options.cursor ?? null,
+			options.limit ?? null
+		], "write-only"));
+		return this._customerProductsFromResponse(response);
+	}
+	async listInvoices(options) {
+		const session = await this._getSession();
+		if ("userId" in options) {
+			const response = Result.orThrow(await this._userInvoicesCache.getOrWait([
+				session,
+				options.userId,
+				options.cursor ?? null,
+				options.limit ?? null
+			], "write-only"));
+			return this._customerInvoicesFromResponse(response);
+		}
+		const response = Result.orThrow(await this._teamInvoicesCache.getOrWait([
+			session,
+			options.teamId,
+			options.cursor ?? null,
+			options.limit ?? null
+		], "write-only"));
+		return this._customerInvoicesFromResponse(response);
+	}
+	async cancelSubscription(options) {
+		const session = await this._getSession();
+		const user = await this.getUser();
+		if (!user) throw new KnownErrors.UserAuthenticationRequired();
+		const customerType = "teamId" in options ? "team" : "user";
+		const customerId = "teamId" in options ? options.teamId : user.id;
+		await this._interface.cancelSubscription({
+			customer_type: customerType,
+			customer_id: customerId,
+			product_id: options.productId,
+			subscription_id: options.subscriptionId
+		}, session);
+		if (customerType === "user") await this._userProductsCache.invalidateWhere(([cachedSession, userId]) => cachedSession === session && userId === customerId);
+		else await this._teamProductsCache.invalidateWhere(([cachedSession, teamId]) => cachedSession === session && teamId === customerId);
+	}
+	useProducts(options) {
+		const session = this._useSession();
+		const response = useAsyncCache("userId" in options ? this._userProductsCache : "teamId" in options ? this._teamProductsCache : this._customProductsCache, [
+			session,
+			"userId" in options ? options.userId : "teamId" in options ? options.teamId : options.customCustomerId,
+			options.cursor ?? null,
+			options.limit ?? null
+		], "clientApp.useProducts()");
+		return this._customerProductsFromResponse(response);
+	}
+	useInvoices(options) {
+		const session = this._useSession();
+		const response = useAsyncCache("userId" in options ? this._userInvoicesCache : this._teamInvoicesCache, [
+			session,
+			"userId" in options ? options.userId : options.teamId,
+			options.cursor ?? null,
+			options.limit ?? null
+		], "clientApp.useInvoices()");
+		return this._customerInvoicesFromResponse(response);
+	}
+	_currentUserFromCrud(crud, session) {
+		return withUserDestructureGuard({
+			...this._createBaseUser(crud),
+			...this._createAuth(session),
+			...this._createUserExtraFromCurrent(crud, session),
+			...this._isInternalProject() ? this._createInternalUserExtra(session) : {},
+			...this._createCustomer(crud.id, "user", session)
+		});
+	}
+	_clientSessionFromCrud(crud) {
+		return {
+			id: crud.id,
+			userId: crud.user_id,
+			createdAt: new Date(crud.created_at),
+			isImpersonation: crud.is_impersonation,
+			lastUsedAt: crud.last_used_at ? new Date(crud.last_used_at) : void 0,
+			isCurrentSession: crud.is_current_session ?? false,
+			geoInfo: crud.last_used_at_end_user_ip_info
+		};
+	}
+	_getOwnedAdminApp(forProjectId, session) {
+		if (!this._ownedAdminApps.has([session, forProjectId])) this._ownedAdminApps.set([session, forProjectId], new _StackClientAppImplIncomplete.LazyStackAdminAppImpl.value({
+			baseUrl: this._interface.options.getBaseUrl(),
+			projectId: forProjectId,
+			tokenStore: null,
+			projectOwnerSession: session,
+			noAutomaticPrefetch: true
+		}));
+		return this._ownedAdminApps.get([session, forProjectId]);
+	}
+	get projectId() {
+		return this._interface.projectId;
+	}
+	get version() {
+		return clientVersion;
+	}
+	_getBotChallengeSiteKeys() {
+		if (!isBrowserLike()) return null;
+		const visibleSiteKey = envVars.NEXT_PUBLIC_STACK_BOT_CHALLENGE_SITE_KEY;
+		if (!visibleSiteKey) {
+			if (!this._botChallengeSiteKeysWarned) {
+				this._botChallengeSiteKeysWarned = true;
+				console.warn("[stack-auth] NEXT_PUBLIC_STACK_BOT_CHALLENGE_SITE_KEY is not set — bot challenge fraud protection is disabled. Set the env variable to enable it.");
+			}
+			return null;
+		}
+		return {
+			visibleSiteKey,
+			invisibleSiteKey: envVars.NEXT_PUBLIC_STACK_BOT_CHALLENGE_INVISIBLE_SITE_KEY ?? visibleSiteKey
+		};
+	}
+	_getBotChallengeFlowFailure(error) {
+		if (error instanceof BotChallengeUserCancelledError) return {
+			type: "cancelled",
+			knownError: new KnownErrors.BotChallengeFailed("Bot challenge cancelled by user")
+		};
+		if (error instanceof BotChallengeExecutionFailedError) return {
+			type: "failed",
+			knownError: new KnownErrors.BotChallengeFailed(error.message)
+		};
+		return null;
+	}
+	_normalizeBotChallengeResult(result) {
+		if (result.status === "ok") return result;
+		if (KnownErrors.BotChallengeRequired.isInstance(result.error)) {
+			captureError("bot-challenge-unexpected-after-flow", result.error);
+			return Result.error(new KnownErrors.BotChallengeFailed("Unexpected bot challenge after flow completion"));
+		}
+		return Result.error(result.error);
+	}
+	_toInterfaceBotChallengeInput(challenge) {
+		if (challenge.unavailable) return { phase: "visible" };
+		return {
+			token: challenge.token,
+			phase: challenge.phase
+		};
+	}
+	async _executeResultWithBotChallengeFlow(options) {
+		const siteKeys = this._getBotChallengeSiteKeys();
+		let result;
+		try {
+			if (siteKeys) result = await withBotChallengeFlow({
+				...siteKeys,
+				action: options.action,
+				execute: options.execute,
+				isChallengeRequired: (flowResult) => {
+					return flowResult.status === "error" && KnownErrors.BotChallengeRequired.isInstance(flowResult.error);
+				}
+			});
+			else result = await options.execute({});
+		} catch (e) {
+			const flowFailure = this._getBotChallengeFlowFailure(e);
+			if (flowFailure) return Result.error(flowFailure.knownError);
+			throw e;
+		}
+		return this._normalizeBotChallengeResult(result);
+	}
+	async _isTrusted(url) {
+		if (isRelative(url)) return true;
+		const parsedUrl = createUrlIfValid(url);
+		if (parsedUrl == null) return false;
+		if (typeof window !== "undefined" && window.location.origin === parsedUrl.origin) return true;
+		if (isHostedHandlerUrlForProject({
+			url,
+			projectId: this.projectId
+		})) return true;
+		const trustedRedirectConfig = await this._getTrustedRedirectConfig();
+		return validateRedirectUrl(parsedUrl, {
+			allowLocalhost: trustedRedirectConfig.allowLocalhost,
+			trustedDomains: trustedRedirectConfig.trustedDomains
+		});
+	}
+	get urls() {
+		return getUrls(this._urlOptions, { projectId: this.projectId });
+	}
+	_prefetchCrossDomainHandoffParamsIfNeeded() {
+		const canWriteOauthVerifierCookie = this._tokenStoreInit === "cookie" || this._tokenStoreInit === "nextjs-cookie";
+		if (!isBrowserLike() || !canWriteOauthVerifierCookie || this._isPrefetchingCrossDomainHandoffParams || this._getFreshPrefetchedCrossDomainHandoffParams() != null) return;
+		this._isPrefetchingCrossDomainHandoffParams = true;
+		runAsynchronously(async () => {
+			try {
+				if (!isBrowserLike()) return;
+				const { state, codeChallenge } = await saveVerifierAndState();
+				this._prefetchedCrossDomainHandoffParams = {
+					state,
+					codeChallenge
+				};
+				this._prefetchedCrossDomainHandoffParamsFetchedAt = performance.now();
+			} finally {
+				this._isPrefetchingCrossDomainHandoffParams = false;
+			}
+		});
+	}
+	_getCrossDomainHandoffParamsForUrlsGetter(currentUrl) {
+		const fromQuery = getCrossDomainHandoffParamsFromCurrentUrl(currentUrl);
+		if (fromQuery != null) return fromQuery;
+		const prefetched = this._getFreshPrefetchedCrossDomainHandoffParams();
+		if (prefetched != null) return prefetched;
+		this._prefetchCrossDomainHandoffParamsIfNeeded();
+		return null;
+	}
+	async _getCrossDomainHandoffParamsForRedirect(currentUrl) {
+		const fromQuery = getCrossDomainHandoffParamsFromCurrentUrl(currentUrl);
+		if (fromQuery != null) return fromQuery;
+		const prefetched = this._getFreshPrefetchedCrossDomainHandoffParams();
+		if (prefetched != null) return prefetched;
+		const { state, codeChallenge } = await saveVerifierAndState();
+		this._prefetchedCrossDomainHandoffParams = {
+			state,
+			codeChallenge
+		};
+		this._prefetchedCrossDomainHandoffParamsFetchedAt = performance.now();
+		return {
+			state,
+			codeChallenge
+		};
+	}
+	_getLocalOAuthCallbackHandlerUrl() {
+		if (this._isOAuthCallbackUrlHosted()) return this._getOAuthCallbackRedirectUri();
+		return resolveHandlerUrls({
+			urls: {
+				...this._urlOptions,
+				default: { type: "handler-component" },
+				oauthCallback: { type: "handler-component" }
+			},
+			projectId: this.projectId
+		}).oauthCallback;
+	}
+	async _createCrossDomainAuthRedirectUrl(options) {
+		const session = await this._getSession(options.overrideTokenStoreInit, { awaitPendingAuthResolutions: options.awaitPendingAuthResolutions });
+		const response = await this._interface.sendClientRequest("/auth/oauth/cross-domain/authorize", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				redirect_uri: options.redirectUri,
+				state: options.state,
+				code_challenge: options.codeChallenge,
+				code_challenge_method: "S256",
+				after_callback_redirect_url: options.afterCallbackRedirectUrl
+			})
+		}, session);
+		if (!response.ok) {
+			const responseBody = await response.text();
+			throw new HexclaveAssertionError(`Cross-domain authorization endpoint failed: ${response.status} ${responseBody}`);
+		}
+		const result = await response.json();
+		if (!("redirect_url" in result) || typeof result.redirect_url !== "string") throw new HexclaveAssertionError("Cross-domain authorization endpoint returned an invalid payload", { result });
+		return result.redirect_url;
+	}
+	_getFreshPrefetchedCrossDomainHandoffParams() {
+		if (this._prefetchedCrossDomainHandoffParams == null) return null;
+		if (performance.now() - this._prefetchedCrossDomainHandoffParamsFetchedAt > prefetchedCrossDomainHandoffTtlMs) {
+			this._prefetchedCrossDomainHandoffParams = null;
+			this._prefetchedCrossDomainHandoffParamsFetchedAt = 0;
+			return null;
+		}
+		return this._prefetchedCrossDomainHandoffParams;
+	}
+	async _getCurrentUrl() {
+		if (this._redirectMethod === "none") return null;
+		return new URL(window.location.href);
+	}
+	async _redirectTo(options) {
+		if (this._redirectMethod === "none") return;
+		else if (isReactServer && this._redirectMethod === "nextjs") NextNavigation.redirect(options.url.toString(), options.replace ? NextNavigation.RedirectType.replace : NextNavigation.RedirectType.push);
+		else if (typeof this._redirectMethod === "object" && this._redirectMethod.navigate) this._redirectMethod.navigate(options.url.toString());
+		else if (options.replace) window.location.replace(options.url);
+		else window.location.assign(options.url);
+		await wait(2e3);
+	}
+	useNavigate() {
+		if (typeof this._redirectMethod === "object") return this._redirectMethod.useNavigate();
+		else if (this._redirectMethod === "window") return (to) => window.location.assign(to);
+		else if (this._redirectMethod === "nextjs") {
+			const router = NextNavigation.useRouter();
+			return (to) => router.push(to);
+		} else return (to) => {};
+	}
+	async _redirectIfTrusted(url, options) {
+		if (!await this._isTrusted(url)) throw new Error(`Redirect URL ${url} is not trusted; should be relative.`);
+		return await this._redirectTo({
+			url,
+			...options
+		});
+	}
+	async _redirectToHandler(handlerName, options, internalOptions) {
+		const rawHandlerUrl = getUrls(this._urlOptions, { projectId: this.projectId })[handlerName];
+		if (!rawHandlerUrl) throw new Error(`No URL for handler name ${handlerName}`);
+		const currentUrl = isReactServer || typeof window === "undefined" ? null : new URL(window.location.href);
+		const plan = await planRedirectToHandler({
+			handlerName,
+			rawHandlerUrl,
+			noRedirectBack: options?.noRedirectBack === true,
+			currentUrl,
+			localOAuthCallbackUrl: this._getLocalOAuthCallbackHandlerUrl(),
+			getCrossDomainHandoffParams: async (href) => await this._getCrossDomainHandoffParamsForRedirect(href)
+		});
+		if (plan.type === "cross-domain-authorize") {
+			const crossDomainRedirectUrl = await this._createCrossDomainAuthRedirectUrl({
+				redirectUri: plan.redirectUri,
+				state: plan.state,
+				codeChallenge: plan.codeChallenge,
+				afterCallbackRedirectUrl: plan.afterCallbackRedirectUrl,
+				awaitPendingAuthResolutions: internalOptions?.awaitPendingAuthResolutions,
+				overrideTokenStoreInit: internalOptions?.overrideTokenStoreInit
+			});
+			await this._redirectTo({
+				url: crossDomainRedirectUrl,
+				...options
+			});
+			return;
+		}
+		const redirectUrl = currentUrl != null && handlerName !== "signOut" && handlerName !== "afterSignOut" && handlerName !== "oauthCallback" ? await this._addNestedCrossDomainAuthParamsToRedirectUrl({
+			url: plan.url,
+			currentUrl,
+			awaitPendingAuthResolutions: internalOptions?.awaitPendingAuthResolutions,
+			overrideTokenStoreInit: internalOptions?.overrideTokenStoreInit
+		}) : plan.url;
+		await this._redirectIfTrusted(redirectUrl, options);
+	}
+	_redirectToHandlerDuringRender(handlerName, options) {
+		return false;
+	}
+	async redirectToSignIn(options) {
+		return await this._redirectToHandler("signIn", options);
+	}
+	async redirectToSignUp(options) {
+		return await this._redirectToHandler("signUp", options);
+	}
+	async redirectToSignOut(options) {
+		return await this._redirectToHandler("signOut", options);
+	}
+	async redirectToEmailVerification(options) {
+		return await this._redirectToHandler("emailVerification", options);
+	}
+	async redirectToPasswordReset(options) {
+		return await this._redirectToHandler("passwordReset", options);
+	}
+	async redirectToForgotPassword(options) {
+		return await this._redirectToHandler("forgotPassword", options);
+	}
+	async redirectToHome(options) {
+		return await this._redirectToHandler("home", options);
+	}
+	async redirectToOAuthCallback(options) {
+		return await this._redirectToHandler("oauthCallback", options);
+	}
+	async redirectToMagicLinkCallback(options) {
+		return await this._redirectToHandler("magicLinkCallback", options);
+	}
+	async redirectToAfterSignIn(options) {
+		return await this._redirectToHandler("afterSignIn", options);
+	}
+	async redirectToAfterSignUp(options) {
+		return await this._redirectToHandler("afterSignUp", options);
+	}
+	async redirectToOnboarding(options) {
+		return await this._redirectToHandler("onboarding", options);
+	}
+	async redirectToAfterSignOut(options) {
+		return await this._redirectToHandler("afterSignOut", options);
+	}
+	async redirectToAccountSettings(options) {
+		return await this._redirectToHandler("accountSettings", options);
+	}
+	async redirectToError(options) {
+		return await this._redirectToHandler("error", options);
+	}
+	async redirectToTeamInvitation(options) {
+		return await this._redirectToHandler("teamInvitation", options);
+	}
+	async redirectToCliAuthConfirm(options) {
+		return await this._redirectToHandler("cliAuthConfirm", options);
+	}
+	async redirectToMfa(options) {
+		return await this._redirectToHandler("mfa", options);
+	}
+	async sendForgotPasswordEmail(email, options) {
+		return await this._interface.sendForgotPasswordEmail(email, options?.callbackUrl ?? constructRedirectUrl(this.urls.passwordReset, "callbackUrl"));
+	}
+	async sendMagicLinkEmail(email, options) {
+		const callbackUrl = options?.callbackUrl ?? constructRedirectUrl(this.urls.magicLinkCallback, "callbackUrl");
+		return await this._executeResultWithBotChallengeFlow({
+			action: "send_magic_link_email",
+			execute: async (challenge) => {
+				return await this._interface.sendMagicLinkEmail(email, callbackUrl, this._toInterfaceBotChallengeInput(challenge));
+			}
+		});
+	}
+	async resetPassword(options) {
+		return await this._interface.resetPassword(options);
+	}
+	async verifyPasswordResetCode(code) {
+		return await this._interface.verifyPasswordResetCode(code);
+	}
+	async verifyTeamInvitationCode(code) {
+		return await this._interface.acceptTeamInvitation({
+			type: "check",
+			code,
+			session: await this._getSession()
+		});
+	}
+	async acceptTeamInvitation(code) {
+		const result = await this._interface.acceptTeamInvitation({
+			type: "use",
+			code,
+			session: await this._getSession()
+		});
+		if (result.status === "ok") return Result.ok(void 0);
+		else return Result.error(result.error);
+	}
+	async getTeamInvitationDetails(code) {
+		const result = await this._interface.acceptTeamInvitation({
+			type: "details",
+			code,
+			session: await this._getSession()
+		});
+		if (result.status === "ok") return Result.ok({ teamDisplayName: result.data.team_display_name });
+		else return Result.error(result.error);
+	}
+	async verifyEmail(code) {
+		const result = await this._interface.verifyEmail(code);
+		await this._currentUserCache.refresh([await this._getSession()]);
+		await this._clientContactChannelsCache.refresh([await this._getSession()]);
+		return result;
+	}
+	async getUser(options) {
+		if (options?.or === "anonymous" && options.includeRestricted === false) throw new Error("Cannot use { or: 'anonymous' } with { includeRestricted: false }. Anonymous users implicitly include restricted users.");
+		this._ensurePersistentTokenStore(options?.tokenStore);
+		const session = await this._getSession(options?.tokenStore);
+		let crud = Result.orThrow(await this._currentUserCache.getOrWait([session], "write-only"));
+		const includeAnonymous = options?.or === "anonymous" || options?.or === "anonymous-if-exists[deprecated]";
+		const includeRestricted = options?.includeRestricted === true || includeAnonymous;
+		if (crud === null || crud.is_anonymous && !includeAnonymous || crud.is_restricted && !includeRestricted) switch (options?.or) {
+			case "redirect":
+				if (!crud?.is_anonymous && crud?.is_restricted) await this.redirectToOnboarding({ replace: true });
+				else await this.redirectToSignIn({ replace: true });
+				break;
+			case "throw": throw new Error("User is not signed in but getUser was called with { or: 'throw' }");
+			case "anonymous": {
+				const tokens = await this._signUpAnonymously();
+				return await this.getUser({
+					tokenStore: tokens,
+					or: "anonymous-if-exists[deprecated]",
+					includeRestricted: true
+				}) ?? throwErr("Something went wrong while signing up anonymously");
+			}
+			case void 0:
+			case "anonymous-if-exists[deprecated]":
+			case "return-null": return null;
+		}
+		return crud && this._currentUserFromCrud(crud, session);
+	}
+	useUser(options) {
+		if (options?.or === "anonymous" && options.includeRestricted === false) throw new Error("Cannot use { or: 'anonymous' } with { includeRestricted: false }. Anonymous users implicitly include restricted users.");
+		this._ensurePersistentTokenStore(options?.tokenStore);
+		const session = this._useSession(options?.tokenStore);
+		let crud = useAsyncCache(this._currentUserCache, [session], "clientApp.useUser()");
+		const includeAnonymous = options?.or === "anonymous" || options?.or === "anonymous-if-exists[deprecated]";
+		const includeRestricted = options?.includeRestricted === true || includeAnonymous;
+		if (crud === null || crud.is_anonymous && !includeAnonymous || crud.is_restricted && !includeRestricted) switch (options?.or) {
+			case "redirect":
+				if (!crud?.is_anonymous && crud?.is_restricted) {
+					if (!this._redirectToHandlerDuringRender("onboarding", { replace: true })) runAsynchronously(this.redirectToOnboarding({ replace: true }));
+				} else if (!this._redirectToHandlerDuringRender("signIn", { replace: true })) runAsynchronously(this.redirectToSignIn({ replace: true }));
+				suspend();
+				throw new HexclaveAssertionError("suspend should never return");
+			case "throw": throw new Error("User is not signed in but useUser was called with { or: 'throw' }");
+			case "anonymous":
+				runAsynchronously(async () => {
+					await this._signUpAnonymously();
+					if (typeof window !== "undefined") window.location.reload();
+				});
+				suspend();
+				throw new HexclaveAssertionError("suspend should never return");
+			case void 0:
+			case "anonymous-if-exists[deprecated]":
+			case "return-null":
+				crud = null;
+				break;
+		}
+		return useMemo(() => {
+			return crud && this._currentUserFromCrud(crud, session);
+		}, [
+			crud,
+			session,
+			options?.or
+		]);
+	}
+	_getTokenPartialUserFromSession(session, options) {
+		const accessToken = session.getAccessTokenIfNotExpiredYet(0, null);
+		if (!accessToken) return null;
+		const isAnonymous = accessToken.payload.is_anonymous;
+		if (isAnonymous && options.or !== "anonymous-if-exists") return null;
+		return {
+			id: accessToken.payload.sub,
+			primaryEmail: accessToken.payload.email,
+			displayName: accessToken.payload.name,
+			primaryEmailVerified: accessToken.payload.email_verified,
+			isAnonymous,
+			isMultiFactorRequired: accessToken.payload.requires_totp_mfa,
+			isRestricted: accessToken.payload.is_restricted,
+			restrictedReason: accessToken.payload.restricted_reason
+		};
+	}
+	async _getPartialUserFromConvex(ctx) {
+		const auth = await ctx.auth.getUserIdentity();
+		if (!auth) return null;
+		return {
+			id: auth.subject,
+			displayName: auth.name ?? null,
+			primaryEmail: auth.email ?? null,
+			primaryEmailVerified: auth.email_verified,
+			isAnonymous: auth.is_anonymous,
+			isMultiFactorRequired: auth.requires_totp_mfa,
+			isRestricted: auth.is_restricted,
+			restrictedReason: auth.restricted_reason ?? null
+		};
+	}
+	async getPartialUser(options) {
+		switch (options.from) {
+			case "token": {
+				this._ensurePersistentTokenStore(options.tokenStore ?? this._tokenStoreInit);
+				const session = await this._getSession(options.tokenStore);
+				return this._getTokenPartialUserFromSession(session, options);
+			}
+			case "convex": return await this._getPartialUserFromConvex(options.ctx);
+			default: throw new Error(`Invalid 'from' option: ${options.from}`);
+		}
+	}
+	usePartialUser(options) {
+		switch (options.from) {
+			case "token": {
+				this._ensurePersistentTokenStore(options.tokenStore ?? this._tokenStoreInit);
+				const session = this._useSession(options.tokenStore);
+				return this._getTokenPartialUserFromSession(session, options);
+			}
+			case "convex": return useAsyncCache(this._convexPartialUserCache, [options.ctx], "clientApp.usePartialUser()");
+			default: throw new Error(`Invalid 'from' option: ${options.from}`);
+		}
+	}
+	getConvexClientAuth(options) {
+		return async (args) => {
+			const session = await this._getSession(options.tokenStore ?? this._tokenStoreInit);
+			if (!args.forceRefreshToken) return (await session.getOrFetchLikelyValidTokens(2e4, 75e3))?.accessToken.token ?? null;
+			return (await session.fetchNewTokens())?.accessToken.token ?? null;
+		};
+	}
+	async getConvexHttpClientAuth(options) {
+		return (await (await this._getSession(options.tokenStore)).getOrFetchLikelyValidTokens(2e4, 75e3))?.accessToken.token ?? "";
+	}
+	async _updateClientUser(update, session) {
+		const res = await this._interface.updateClientUser(userUpdateOptionsToCrud(update), session);
+		await this._refreshUser(session);
+		return res;
+	}
+	async signInWithOAuth(provider, options) {
+		if (typeof window === "undefined") throw new Error("signInWithOAuth can currently only be called in a browser environment");
+		this._ensurePersistentTokenStore();
+		const session = await this._getSession();
+		const currentUrl = new URL(window.location.href);
+		const afterCallbackRedirectUrl = options?.returnTo != null ? constructRedirectUrl(options.returnTo, "returnTo") : currentUrl.searchParams.has("after_auth_return_to") ? currentUrl.toString() : void 0;
+		const siteKeys = this._getBotChallengeSiteKeys();
+		const { codeChallenge, state } = await saveVerifierAndState();
+		const executeOAuth = async (challenge) => {
+			return await this._interface.authorizeOAuth({
+				provider,
+				redirectUrl: constructRedirectUrl(this._getOAuthCallbackRedirectUri(), "redirectUrl"),
+				errorRedirectUrl: constructRedirectUrl(this.urls.error, "errorRedirectUrl"),
+				afterCallbackRedirectUrl,
+				type: "authenticate",
+				providerScope: this._oauthScopesOnSignIn[provider]?.join(" "),
+				codeChallenge,
+				state,
+				botChallenge: this._toInterfaceBotChallengeInput(challenge),
+				session
+			});
+		};
+		let authorizeResult;
+		try {
+			if (siteKeys) authorizeResult = await withBotChallengeFlow({
+				...siteKeys,
+				action: "oauth_authenticate",
+				execute: executeOAuth,
+				isChallengeRequired: (result) => {
+					return result.status === "error" && KnownErrors.BotChallengeRequired.isInstance(result.error);
+				}
+			});
+			else authorizeResult = await executeOAuth({});
+		} catch (e) {
+			const flowFailure = this._getBotChallengeFlowFailure(e);
+			if (flowFailure?.type === "cancelled") return;
+			if (flowFailure?.type === "failed") throw flowFailure.knownError;
+			throw e;
+		}
+		const location = Result.orThrow(authorizeResult);
+		await this._redirectTo({ url: location });
+		await neverResolve();
+	}
+	/**
+	* Handles MFA verification by redirecting to the OTP page
+	*/
+	async _experimentalMfa(error, session) {
+		if (typeof window !== "undefined") window.sessionStorage.setItem("hexclave_mfa_attempt_code", error.details?.attempt_code ?? throwErr("attempt code missing"));
+		await this.redirectToMfa();
+		throw new HexclaveAssertionError("we should have redirected in redirectToMfa()");
+	}
+	/**
+	* @deprecated
+	* TODO remove
+	*/
+	async _catchMfaRequiredError(callback) {
+		try {
+			return await callback();
+		} catch (e) {
+			if (KnownErrors.MultiFactorAuthenticationRequired.isInstance(e)) return Result.ok(await this._experimentalMfa(e, await this._getSession(void 0, { awaitPendingAuthResolutions: false })));
+			throw e;
+		}
+	}
+	async signInWithCredential(options) {
+		this._ensurePersistentTokenStore();
+		const session = await this._getSession();
+		let result;
+		try {
+			result = await this._catchMfaRequiredError(async () => {
+				return await this._interface.signInWithCredential(options.email, options.password, session);
+			});
+		} catch (e) {
+			if (KnownErrors.InvalidTotpCode.isInstance(e)) return Result.error(e);
+			throw e;
+		}
+		if (result.status === "ok") {
+			await this._signInToAccountWithTokens(result.data);
+			if (!options.noRedirect) await this._redirectToHandler("afterSignIn", { replace: true }, { overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data) });
+			return Result.ok(void 0);
+		} else return Result.error(result.error);
+	}
+	async signUpWithCredential(options) {
+		if (options.noVerificationCallback && options.verificationCallbackUrl) throw new HexclaveAssertionError("verificationCallbackUrl is not allowed when noVerificationCallback is true");
+		this._ensurePersistentTokenStore();
+		const session = await this._getSession();
+		const emailVerificationRedirectUrl = options.noVerificationCallback ? void 0 : options.verificationCallbackUrl ?? constructRedirectUrl(this.urls.emailVerification, "verificationCallbackUrl");
+		const executeSignUp = async (challenge) => {
+			let result = await this._interface.signUpWithCredential(options.email, options.password, emailVerificationRedirectUrl, session, this._toInterfaceBotChallengeInput(challenge));
+			if (result.status === "error" && result.error instanceof KnownErrors.RedirectUrlNotWhitelisted && emailVerificationRedirectUrl !== void 0) {
+				if (!options.verificationCallbackUrl) {
+					captureError("signup-verification-url-not-whitelisted", new HexclaveAssertionError("The auto-constructed verification callback URL is not whitelisted; proceeding without email verification", { emailVerificationRedirectUrl }));
+					result = await this._interface.signUpWithCredential(options.email, options.password, void 0, session, this._toInterfaceBotChallengeInput(challenge));
+				}
+			}
+			return result;
+		};
+		let result;
+		result = await this._executeResultWithBotChallengeFlow({
+			action: "sign_up_with_credential",
+			execute: executeSignUp
+		});
+		if (result.status === "ok") {
+			await this._signInToAccountWithTokens(result.data);
+			if (!options.noRedirect) await this._redirectToHandler("afterSignUp", { replace: true }, { overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data) });
+			return Result.ok(void 0);
+		} else return Result.error(result.error);
+	}
+	async _signUpAnonymously() {
+		this._ensurePersistentTokenStore();
+		if (!this._anonymousSignUpInProgress) this._anonymousSignUpInProgress = (async () => {
+			this._ensurePersistentTokenStore();
+			const session = await this._getSession();
+			const result = await this._interface.signUpAnonymously(session);
+			if (result.status === "ok") await this._signInToAccountWithTokens(result.data);
+			else throw new HexclaveAssertionError("signUpAnonymously() should never return an error");
+			this._anonymousSignUpInProgress = null;
+			return result.data;
+		})();
+		return await this._anonymousSignUpInProgress;
+	}
+	async signInWithMagicLink(code, options) {
+		this._ensurePersistentTokenStore();
+		const session = await this._getSession();
+		let result;
+		try {
+			result = await this._catchMfaRequiredError(async () => {
+				return await this._interface.signInWithMagicLink(code, session);
+			});
+		} catch (e) {
+			if (KnownErrors.InvalidTotpCode.isInstance(e)) return Result.error(e);
+			throw e;
+		}
+		if (result.status === "ok") {
+			await this._signInToAccountWithTokens(result.data);
+			if (!options?.noRedirect) if (result.data.newUser) await this._redirectToHandler("afterSignUp", { replace: true }, {
+				awaitPendingAuthResolutions: false,
+				overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data)
+			});
+			else await this._redirectToHandler("afterSignIn", { replace: true }, {
+				awaitPendingAuthResolutions: false,
+				overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data)
+			});
+			return Result.ok(void 0);
+		} else return Result.error(result.error);
+	}
+	/**
+	* Initiates a CLI authentication process that allows a command line application
+	* to get a refresh token for a user's account.
+	*
+	* This process works as follows:
+	* 1. The CLI app calls this method, which initiates the auth process with the server
+	* 2. The server returns a polling code and a login code
+	* 3. The CLI app opens a browser window to the appUrl with the login code as a parameter
+	* 4. The user logs in through the browser and confirms the authorization
+	* 5. The CLI app polls for the refresh token using the polling code
+	*
+	* @param options Options for the CLI login
+	* @param options.appUrl The URL of the app that will handle the CLI auth confirmation
+	* @param options.expiresInMillis Optional duration in milliseconds before the auth attempt expires (default: 2 hours)
+	* @param options.maxAttempts Optional maximum number of polling attempts (default: Infinity)
+	* @param options.waitTimeMillis Optional time to wait between polling attempts (default: 2 seconds)
+	* @param options.promptLink Optional function to call with the login URL and code to prompt the user to open the browser
+	* @param options.anonRefreshToken Optional anonymous refresh token from the CLI's token store to associate with this login attempt
+	* @returns Result containing either the refresh token or an error
+	*/
+	async promptCliLogin(options) {
+		const response = await this._interface.sendClientRequest("/auth/cli", {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				expires_in_millis: options.expiresInMillis,
+				...options.anonRefreshToken != null ? { anon_refresh_token: options.anonRefreshToken } : {}
+			})
+		}, null);
+		if (!response.ok) return Result.error(new KnownErrors.CliAuthError(`Failed to initiate CLI auth: ${response.status} ${await response.text()}`));
+		const initResult = await response.json();
+		const pollingCode = initResult.polling_code;
+		const loginCode = initResult.login_code;
+		const url = buildCliAuthConfirmUrl({
+			cliAuthConfirmUrl: this.urls.cliAuthConfirm,
+			appUrl: options.appUrl,
+			loginCode
+		});
+		if (options.promptLink) options.promptLink(url, loginCode);
+		else {
+			console.log(`Your verification code: ${loginCode}`);
+			console.log(`Please visit the following URL to authenticate:\n${url}`);
+		}
+		let attempts = 0;
+		while (attempts < (options.maxAttempts ?? Infinity)) {
+			attempts++;
+			const pollResponse = await this._interface.sendClientRequest("/auth/cli/poll", {
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				body: JSON.stringify({ polling_code: pollingCode })
+			}, null);
+			if (!pollResponse.ok) return Result.error(new KnownErrors.CliAuthError(`Failed to initiate CLI auth: ${pollResponse.status} ${await pollResponse.text()}`));
+			const pollResult = await pollResponse.json();
+			if (pollResponse.status === 201 && pollResult.status === "success") return Result.ok(pollResult.refresh_token);
+			if (pollResult.status === "waiting") {
+				await wait(options.waitTimeMillis ?? 2e3);
+				continue;
+			}
+			if (pollResult.status === "expired") return Result.error(new KnownErrors.CliAuthExpiredError("CLI authentication request expired. Please try again."));
+			if (pollResult.status === "used") return Result.error(new KnownErrors.CliAuthUsedError("This authentication token has already been used."));
+			return Result.error(new KnownErrors.CliAuthError(`Unexpected status from CLI auth polling: ${pollResult.status}`));
+		}
+		return Result.error(new KnownErrors.CliAuthError("Timed out waiting for CLI authentication."));
+	}
+	async signInWithMfa(totp, code, options) {
+		this._ensurePersistentTokenStore();
+		const session = await this._getSession();
+		let result;
+		try {
+			result = await this._catchMfaRequiredError(async () => {
+				return await this._interface.signInWithMfa(totp, code, session);
+			});
+		} catch (e) {
+			if (e instanceof KnownErrors.InvalidTotpCode) return Result.error(e);
+			throw e;
+		}
+		if (result.status === "ok") {
+			await this._signInToAccountWithTokens(result.data);
+			if (!options?.noRedirect) if (result.data.newUser) await this._redirectToHandler("afterSignUp", { replace: true }, { overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data) });
+			else await this._redirectToHandler("afterSignIn", { replace: true }, { overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data) });
+			return Result.ok(void 0);
+		}
+		return Result.error(result.error);
+	}
+	async signInWithPasskey() {
+		this._ensurePersistentTokenStore();
+		const session = await this._getSession();
+		let result;
+		try {
+			result = await this._catchMfaRequiredError(async () => {
+				const initiationResult = await this._interface.initiatePasskeyAuthentication({}, session);
+				if (initiationResult.status !== "ok") return Result.error(new KnownErrors.PasskeyAuthenticationFailed("Failed to get initiation options for passkey authentication"));
+				const { options_json, code } = initiationResult.data;
+				if (options_json.rpId !== "THIS_VALUE_WILL_BE_REPLACED.example.com") throw new HexclaveAssertionError(`Expected returned RP ID from server to equal sentinel, but found ${options_json.rpId}`);
+				options_json.rpId = window.location.hostname;
+				const authentication_response = await startAuthentication({ optionsJSON: options_json });
+				return await this._interface.signInWithPasskey({
+					authentication_response,
+					code
+				}, session);
+			});
+		} catch (error) {
+			if (error instanceof WebAuthnError) return Result.error(new KnownErrors.PasskeyWebAuthnError(error.message, error.name));
+			else return Result.error(new KnownErrors.PasskeyAuthenticationFailed("Failed to sign in with passkey"));
+		}
+		if (result.status === "ok") {
+			await this._signInToAccountWithTokens(result.data);
+			await this._redirectToHandler("afterSignIn", { replace: true }, { overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data) });
+			return Result.ok(void 0);
+		} else return Result.error(result.error);
+	}
+	async callOAuthCallback(options) {
+		if (typeof window === "undefined") throw new Error("callOAuthCallback can currently only be called in a browser environment");
+		if (this._currentUrlLooksLikeOAuthCallback()) this._ensurePersistentTokenStore();
+		let oauthCallbackRedirectUri = this._getOAuthCallbackRedirectUri();
+		const currentUrl = new URL(window.location.href);
+		if (currentUrl.searchParams.get(crossDomainAuthQueryParams.marker) === "1") {
+			currentUrl.searchParams.delete("code");
+			currentUrl.searchParams.delete("state");
+			oauthCallbackRedirectUri = currentUrl.toString();
+		}
+		let result;
+		try {
+			result = await this._catchMfaRequiredError(async () => {
+				return await callOAuthCallback(this._interface, oauthCallbackRedirectUri, options);
+			});
+		} catch (e) {
+			if (KnownErrors.InvalidTotpCode.isInstance(e)) {
+				alert("Invalid TOTP code. Please try signing in again.");
+				return false;
+			} else throw e;
+		}
+		if (result.status === "ok" && result.data) {
+			this._ensurePersistentTokenStore();
+			await this._signInToAccountWithTokens(result.data);
+			if ("afterCallbackRedirectUrl" in result.data && result.data.afterCallbackRedirectUrl) {
+				await this._redirectTo({
+					url: result.data.afterCallbackRedirectUrl,
+					replace: true
+				});
+				return true;
+			} else if (result.data.newUser) {
+				await this._redirectToHandler("afterSignUp", { replace: true }, {
+					awaitPendingAuthResolutions: false,
+					overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data)
+				});
+				return true;
+			} else {
+				await this._redirectToHandler("afterSignIn", { replace: true }, {
+					awaitPendingAuthResolutions: false,
+					overrideTokenStoreInit: this._getTokenStoreInitForFreshTokens(result.data)
+				});
+				return true;
+			}
+		}
+		return false;
+	}
+	async _signOut(session, options) {
+		this._eventTracker?.clearBuffer();
+		this._sessionRecorder?.clearBuffer();
+		await storeLock.withWriteLock(async () => {
+			await this._interface.signOut(session);
+			if (options?.redirectUrl) await this._redirectTo({
+				url: options.redirectUrl,
+				replace: true
+			});
+			else await this.redirectToAfterSignOut();
+		});
+	}
+	async signOut(options) {
+		const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) await user.signOut({ redirectUrl: options?.redirectUrl });
+	}
+	async getAccessToken(options) {
+		const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) return await user.getAccessToken();
+		return null;
+	}
+	useAccessToken(options) {
+		const user = this.useUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) return user.useAccessToken();
+		return null;
+	}
+	async getRefreshToken(options) {
+		const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) return await user.getRefreshToken();
+		return null;
+	}
+	useRefreshToken(options) {
+		const user = this.useUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) return user.useRefreshToken();
+		return null;
+	}
+	async getAuthorizationHeader(options) {
+		return getAuthorizationHeaderValueFromAuthJson(await this.getAuthJson(options));
+	}
+	useAuthorizationHeader(options) {
+		return getAuthorizationHeaderValueFromAuthJson(this.useAuthJson(options));
+	}
+	async getAuthHeaders(options) {
+		return { "x-stack-auth": JSON.stringify(await this.getAuthJson(options)) };
+	}
+	useAuthHeaders(options) {
+		return { "x-stack-auth": JSON.stringify(this.useAuthJson(options)) };
+	}
+	async getAuthJson(options) {
+		const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) return await user.getAuthJson();
+		return {
+			accessToken: null,
+			refreshToken: null
+		};
+	}
+	useAuthJson(options) {
+		const user = this.useUser({ tokenStore: options?.tokenStore ?? void 0 });
+		if (user) return user.useAuthJson();
+		return {
+			accessToken: null,
+			refreshToken: null
+		};
+	}
+	async getProject() {
+		const crud = Result.orThrow(await this._currentProjectCache.getOrWait([], "write-only"));
+		return this._clientProjectFromCrud(crud);
+	}
+	useProject() {
+		const crud = useAsyncCache(this._currentProjectCache, [], "clientApp.useProject()");
+		return useMemo(() => this._clientProjectFromCrud(crud), [crud]);
+	}
+	async _listOwnedProjects(session) {
+		this._ensureInternalProject();
+		return Result.orThrow(await this._ownedProjectsCache.getOrWait([session], "write-only")).map((j) => this._getOwnedAdminApp(j.id, session)._adminOwnedProjectFromCrud(j, () => this._refreshOwnedProjects(session)));
+	}
+	_useOwnedProjects(session) {
+		this._ensureInternalProject();
+		const projects = useAsyncCache(this._ownedProjectsCache, [session], "clientApp.useOwnedProjects()");
+		return useMemo(() => projects.map((j) => this._getOwnedAdminApp(j.id, session)._adminOwnedProjectFromCrud(j, () => this._refreshOwnedProjects(session))), [projects]);
+	}
+	async _createProject(session, newProject) {
+		this._ensureInternalProject();
+		const crud = await this._interface.createProject(adminProjectCreateOptionsToCrud(newProject), session);
+		const res = this._getOwnedAdminApp(crud.id, session)._adminOwnedProjectFromCrud(crud, () => this._refreshOwnedProjects(session));
+		await this._refreshOwnedProjects(session);
+		return res;
+	}
+	async _refreshUser(session) {
+		await this._refreshSession(session);
+	}
+	async _refreshSession(session) {
+		await Promise.all([this._currentUserCache.refresh([session]), this._currentUserConnectedAccountsCache.refresh([session])]);
+		session.suggestAccessTokenExpired();
+	}
+	async _refreshUsers() {}
+	async _refreshProject() {
+		await this._currentProjectCache.refresh([]);
+	}
+	async _refreshOwnedProjects(session) {
+		await this._ownedProjectsCache.refresh([session]);
+	}
+	static get [stackAppInternalsSymbol]() {
+		return { fromClientJson: (json) => {
+			const providedCheckString = JSON.stringify(omit(json, []));
+			const existing = allClientApps.get(json.uniqueIdentifier);
+			if (existing) {
+				const [existingCheckString, clientApp] = existing;
+				if (existingCheckString !== void 0 && existingCheckString !== providedCheckString) throw new HexclaveAssertionError("The provided app JSON does not match the configuration of the existing client app with the same unique identifier", {
+					providedObj: json,
+					existingString: existingCheckString
+				});
+				return clientApp;
+			}
+			const { analytics, ...restJson } = omit(json, ["uniqueIdentifier"]);
+			return new _StackClientAppImplIncomplete({
+				...restJson,
+				analytics: analyticsOptionsFromJson(analytics)
+			}, {
+				uniqueIdentifier: json.uniqueIdentifier,
+				checkString: providedCheckString
+			});
+		} };
+	}
+	get [stackAppInternalsSymbol]() {
+		return {
+			toClientJson: () => {
+				if (typeof this._redirectMethod !== "string") throw new HexclaveAssertionError("Cannot serialize to JSON from an application with a non-string redirect method");
+				const publishableClientKey = "publishableClientKey" in this._interface.options ? this._interface.options.publishableClientKey : void 0;
+				return {
+					baseUrl: this._options.baseUrl,
+					projectId: this.projectId,
+					...publishableClientKey != null ? { publishableClientKey } : {},
+					tokenStore: this._tokenStoreInit,
+					urls: this._urlOptions,
+					oauthScopesOnSignIn: this._oauthScopesOnSignIn,
+					uniqueIdentifier: this._getUniqueIdentifier(),
+					redirectMethod: this._redirectMethod,
+					extraRequestHeaders: this._options.extraRequestHeaders,
+					devTool: this._options.devTool,
+					analytics: analyticsOptionsToJson(this._analyticsOptions)
+				};
+			},
+			setCurrentUser: (userJsonPromise) => {
+				runAsynchronously(async () => {
+					await this._currentUserCache.forceSetCachedValueAsync([await this._getSession()], Result.fromPromise(userJsonPromise));
+				});
+			},
+			getConstructorOptions: () => this._options,
+			sendSessionReplayBatch: async (body, options) => {
+				return await this._interface.sendSessionReplayBatch(body, await this._getSession(), options);
+			},
+			sendAnalyticsEventBatch: async (body, options) => {
+				return await this._interface.sendAnalyticsEventBatch(body, await this._getSession(), options);
+			},
+			addRequestListener: (listener) => {
+				return this._interface.addRequestListener(listener);
+			},
+			sendRequest: async (path, requestOptions, requestType = "client") => {
+				return await this._interface.sendClientRequest(path, requestOptions, await this._getSession(), requestType);
+			},
+			getRedirectMethod: () => this._redirectMethod ?? throwErr("Redirect method should have been initialized in the Stack client app constructor"),
+			redirectToUrl: async (url, options) => {
+				await this._redirectTo({
+					url,
+					...options
+				});
+			},
+			redirectToHandler: async (handlerName, options) => {
+				await this._redirectToHandler(handlerName, options);
+			},
+			refreshOwnedProjects: async () => {
+				await this._refreshOwnedProjects(await this._getSession());
+			},
+			signInWithTokens: async (tokens) => {
+				await this._signInToAccountWithTokens(tokens);
+			}
+		};
+	}
+};
+
+//#endregion
+export { _StackClientAppImplIncomplete };
+//# sourceMappingURL=client-app-impl.js.map