@imtbl/auth-next-client 2.12.7-alpha.1 → 2.12.7-alpha.11

package/dist/node/index.js

@@ -7,9 +7,42 @@ import { signIn } from "next-auth/react";
 import { handleLoginCallback as handleAuthCallback } from "@imtbl/auth";
 
 // src/constants.ts
+var DEFAULT_AUTH_DOMAIN = "https://auth.immutable.com";
+var DEFAULT_AUDIENCE = "platform_api";
+var DEFAULT_SCOPE = "openid profile email offline_access transact";
 var IMMUTABLE_PROVIDER_ID = "immutable";
-var DEFAULT_TOKEN_EXPIRY_SECONDS = 900;
-var DEFAULT_TOKEN_EXPIRY_MS = DEFAULT_TOKEN_EXPIRY_SECONDS * 1e3;
+var DEFAULT_SANDBOX_CLIENT_ID = "mjtCL8mt06BtbxSkp2vbrYStKWnXVZfo";
+var DEFAULT_REDIRECT_URI_PATH = "/callback";
+var DEFAULT_LOGOUT_REDIRECT_URI_PATH = "/";
+var TOKEN_EXPIRY_BUFFER_MS = 6e4;
+
+// src/idTokenStorage.ts
+var ID_TOKEN_STORAGE_KEY = "imtbl_id_token";
+function storeIdToken(idToken) {
+  try {
+    if (typeof window !== "undefined" && window.localStorage) {
+      window.localStorage.setItem(ID_TOKEN_STORAGE_KEY, idToken);
+    }
+  } catch {
+  }
+}
+function getStoredIdToken() {
+  try {
+    if (typeof window !== "undefined" && window.localStorage) {
+      return window.localStorage.getItem(ID_TOKEN_STORAGE_KEY) ?? void 0;
+    }
+  } catch {
+  }
+  return void 0;
+}
+function clearStoredIdToken() {
+  try {
+    if (typeof window !== "undefined" && window.localStorage) {
+      window.localStorage.removeItem(ID_TOKEN_STORAGE_KEY);
+    }
+  } catch {
+  }
+}
 
 // src/callback.tsx
 import { jsx, jsxs } from "react/jsx-runtime";
@@ -60,6 +93,9 @@ function CallbackPage({
           window.close();
         } else {
           const tokenData = mapTokensToSignInData(tokens);
+          if (tokens.idToken) {
+            storeIdToken(tokens.idToken);
+          }
           const result = await signIn(IMMUTABLE_PROVIDER_ID, {
             tokens: JSON.stringify(tokenData),
             redirect: false
@@ -149,7 +185,12 @@ function CallbackPage({
 }
 
 // src/hooks.tsx
-import { useCallback, useRef as useRef2, useState as useState2 } from "react";
+import {
+  useCallback,
+  useEffect as useEffect2,
+  useRef as useRef2,
+  useState as useState2
+} from "react";
 import { useSession, signIn as signIn2, signOut } from "next-auth/react";
 import {
   loginWithPopup as rawLoginWithPopup,
@@ -157,6 +198,51 @@ import {
   loginWithRedirect as rawLoginWithRedirect,
   logoutWithRedirect as rawLogoutWithRedirect
 } from "@imtbl/auth";
+
+// src/defaultConfig.ts
+function deriveDefaultRedirectUri() {
+  if (typeof window === "undefined") {
+    throw new Error(
+      "[auth-next-client] deriveDefaultRedirectUri requires window. Login hooks run in the browser when the user triggers login."
+    );
+  }
+  return `${window.location.origin}${DEFAULT_REDIRECT_URI_PATH}`;
+}
+
+// src/hooks.tsx
+var pendingRefresh = null;
+function deduplicatedUpdate(update) {
+  if (!pendingRefresh) {
+    pendingRefresh = update().finally(() => {
+      pendingRefresh = null;
+    });
+  }
+  return pendingRefresh;
+}
+function getSandboxLoginConfig() {
+  const redirectUri = deriveDefaultRedirectUri();
+  return {
+    clientId: DEFAULT_SANDBOX_CLIENT_ID,
+    redirectUri,
+    popupRedirectUri: redirectUri,
+    scope: DEFAULT_SCOPE,
+    audience: DEFAULT_AUDIENCE,
+    authenticationDomain: DEFAULT_AUTH_DOMAIN
+  };
+}
+function getSandboxLogoutConfig() {
+  if (typeof window === "undefined") {
+    throw new Error(
+      "[auth-next-client] getSandboxLogoutConfig requires window. Logout runs in the browser when the user triggers it."
+    );
+  }
+  const logoutRedirectUri = window.location.origin + DEFAULT_LOGOUT_REDIRECT_URI_PATH;
+  return {
+    clientId: DEFAULT_SANDBOX_CLIENT_ID,
+    logoutRedirectUri,
+    authenticationDomain: DEFAULT_AUTH_DOMAIN
+  };
+}
 function useImmutableSession() {
   const { data: sessionData, status, update } = useSession();
   const [isRefreshing, setIsRefreshing] = useState2(false);
@@ -173,6 +259,18 @@ function useImmutableSession() {
   updateRef.current = update;
   const setIsRefreshingRef = useRef2(setIsRefreshing);
   setIsRefreshingRef.current = setIsRefreshing;
+  useEffect2(() => {
+    if (!session?.accessTokenExpires) return;
+    const timeUntilExpiry = session.accessTokenExpires - Date.now() - TOKEN_EXPIRY_BUFFER_MS;
+    if (timeUntilExpiry <= 0) {
+      deduplicatedUpdate(() => updateRef.current());
+    }
+  }, [session?.accessTokenExpires]);
+  useEffect2(() => {
+    if (session?.idToken) {
+      storeIdToken(session.idToken);
+    }
+  }, [session?.idToken]);
   const getUser = useCallback(async (forceRefresh) => {
     let currentSession;
     if (forceRefresh) {
@@ -182,6 +280,9 @@ function useImmutableSession() {
         currentSession = updatedSession;
         if (currentSession) {
           sessionRef.current = currentSession;
+          if (currentSession.idToken) {
+            storeIdToken(currentSession.idToken);
+          }
         }
       } catch (error) {
         console.error("[auth-next-client] Force refresh failed:", error);
@@ -189,6 +290,17 @@ function useImmutableSession() {
       } finally {
         setIsRefreshingRef.current(false);
       }
+    } else if (pendingRefresh) {
+      const refreshed = await pendingRefresh;
+      if (refreshed) {
+        currentSession = refreshed;
+        sessionRef.current = currentSession;
+        if (currentSession.idToken) {
+          storeIdToken(currentSession.idToken);
+        }
+      } else {
+        currentSession = sessionRef.current;
+      }
     } else {
       currentSession = sessionRef.current;
     }
@@ -202,7 +314,9 @@ function useImmutableSession() {
     return {
       accessToken: currentSession.accessToken,
       refreshToken: currentSession.refreshToken,
-      idToken: currentSession.idToken,
+      // Prefer session idToken (fresh after sign-in or refresh, before useEffect
+      // stores it), fall back to localStorage for normal reads (cookie has no idToken).
+      idToken: currentSession.idToken || getStoredIdToken(),
       profile: {
         sub: currentSession.user?.sub ?? "",
         email: currentSession.user?.email ?? void 0,
@@ -211,19 +325,40 @@ function useImmutableSession() {
       zkEvm: currentSession.zkEvm
     };
   }, []);
+  const getAccessToken = useCallback(async () => {
+    const currentSession = sessionRef.current;
+    if (currentSession?.accessToken && currentSession.accessTokenExpires && Date.now() < currentSession.accessTokenExpires - TOKEN_EXPIRY_BUFFER_MS && !currentSession.error) {
+      return currentSession.accessToken;
+    }
+    const refreshed = await deduplicatedUpdate(
+      () => updateRef.current()
+    );
+    if (!refreshed?.accessToken || refreshed.error) {
+      throw new Error(
+        `[auth-next-client] Failed to get access token: ${refreshed?.error || "no session"}`
+      );
+    }
+    sessionRef.current = refreshed;
+    return refreshed.accessToken;
+  }, []);
+  const publicSession = session;
   return {
-    session,
+    session: publicSession,
     status,
     isLoading,
     isAuthenticated,
     isRefreshing,
-    getUser
+    getUser,
+    getAccessToken
   };
 }
 function useLogin() {
   const [isLoggingIn, setIsLoggingIn] = useState2(false);
   const [error, setError] = useState2(null);
   const signInWithTokens = useCallback(async (tokens) => {
+    if (tokens.idToken) {
+      storeIdToken(tokens.idToken);
+    }
     const result = await signIn2(IMMUTABLE_PROVIDER_ID, {
       tokens: JSON.stringify(tokens),
       redirect: false
@@ -239,7 +374,8 @@ function useLogin() {
     setIsLoggingIn(true);
     setError(null);
     try {
-      const tokens = await rawLoginWithPopup(config, options);
+      const fullConfig = config ?? getSandboxLoginConfig();
+      const tokens = await rawLoginWithPopup(fullConfig, options);
       await signInWithTokens(tokens);
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : "Login failed";
@@ -253,7 +389,8 @@ function useLogin() {
     setIsLoggingIn(true);
     setError(null);
     try {
-      const tokens = await rawLoginWithEmbedded(config);
+      const fullConfig = config ?? getSandboxLoginConfig();
+      const tokens = await rawLoginWithEmbedded(fullConfig);
       await signInWithTokens(tokens);
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : "Login failed";
@@ -267,7 +404,8 @@ function useLogin() {
     setIsLoggingIn(true);
     setError(null);
     try {
-      await rawLoginWithRedirect(config, options);
+      const fullConfig = config ?? getSandboxLoginConfig();
+      await rawLoginWithRedirect(fullConfig, options);
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : "Login failed";
       setError(errorMessage);
@@ -290,8 +428,10 @@ function useLogout() {
     setIsLoggingOut(true);
     setError(null);
     try {
+      clearStoredIdToken();
       await signOut({ redirect: false });
-      rawLogoutWithRedirect(config);
+      const fullConfig = config ?? getSandboxLogoutConfig();
+      rawLogoutWithRedirect(fullConfig);
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : "Logout failed";
       setError(errorMessage);
@@ -310,7 +450,15 @@ function useLogout() {
 import { MarketingConsentStatus } from "@imtbl/auth";
 export {
   CallbackPage,
+  DEFAULT_AUDIENCE,
+  DEFAULT_AUTH_DOMAIN,
+  DEFAULT_LOGOUT_REDIRECT_URI_PATH,
+  DEFAULT_REDIRECT_URI_PATH,
+  DEFAULT_SANDBOX_CLIENT_ID,
+  DEFAULT_SCOPE,
+  IMMUTABLE_PROVIDER_ID,
   MarketingConsentStatus,
+  deriveDefaultRedirectUri,
   useImmutableSession,
   useLogin,
   useLogout

package/dist/types/constants.d.ts

@@ -1,32 +1,15 @@
 /**
- * Shared constants for @imtbl/auth-next-client
- */
-/**
- * Default Immutable authentication domain
+ * Client-side constants for @imtbl/auth-next-client.
+ * Defined locally to avoid importing from auth-next-server (which uses next/server).
+ * Values must stay in sync with auth-next-server constants.
  */
 export declare const DEFAULT_AUTH_DOMAIN = "https://auth.immutable.com";
-/**
- * Default OAuth audience
- */
 export declare const DEFAULT_AUDIENCE = "platform_api";
-/**
- * Default OAuth scopes
- */
 export declare const DEFAULT_SCOPE = "openid profile email offline_access transact";
-/**
- * NextAuth credentials provider ID for Immutable
- */
 export declare const IMMUTABLE_PROVIDER_ID = "immutable";
-/**
- * Default NextAuth API base path
- */
 export declare const DEFAULT_NEXTAUTH_BASE_PATH = "/api/auth";
-/**
- * Default token expiry in seconds (15 minutes)
- * Used as fallback when exp claim cannot be extracted from JWT
- */
-export declare const DEFAULT_TOKEN_EXPIRY_SECONDS = 900;
-/**
- * Default token expiry in milliseconds
- */
-export declare const DEFAULT_TOKEN_EXPIRY_MS: number;
+export declare const DEFAULT_SANDBOX_CLIENT_ID = "mjtCL8mt06BtbxSkp2vbrYStKWnXVZfo";
+export declare const DEFAULT_REDIRECT_URI_PATH = "/callback";
+export declare const DEFAULT_LOGOUT_REDIRECT_URI_PATH = "/";
+export declare const DEFAULT_TOKEN_EXPIRY_MS = 900000;
+export declare const TOKEN_EXPIRY_BUFFER_MS = 60000;

package/dist/types/defaultConfig.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Sandbox default redirect URI for zero-config mode.
+ * Defined locally to avoid importing from auth-next-server (which uses next/server).
+ * OAuth requires an absolute URL; this runs in the browser when login is invoked.
+ *
+ * @internal
+ */
+export declare function deriveDefaultRedirectUri(): string;

package/dist/types/hooks.d.ts

@@ -2,9 +2,10 @@ import type { Session } from 'next-auth';
 import type { User, LoginConfig, StandaloneLoginOptions, LogoutConfig } from '@imtbl/auth';
 import type { ZkEvmInfo } from './types';
 /**
- * Extended session type with Immutable token data
+ * Internal session type with full token data (not exported).
+ * Used internally by the hook for token validation, refresh logic, and getUser/getAccessToken.
  */
-export interface ImmutableSession extends Session {
+interface ImmutableSessionInternal extends Session {
     accessToken: string;
     refreshToken?: string;
     idToken?: string;
@@ -12,6 +13,14 @@ export interface ImmutableSession extends Session {
     zkEvm?: ZkEvmInfo;
     error?: string;
 }
+/**
+ * Public session type exposed to consumers.
+ *
+ * Does **not** include `accessToken` -- consumers must use the `getAccessToken()`
+ * function returned by `useImmutableSession()` to obtain a guaranteed-fresh token.
+ * This prevents accidental use of stale/expired tokens.
+ */
+export type ImmutableSession = Omit<ImmutableSessionInternal, 'accessToken'>;
 /**
  * Return type for useImmutableSession hook
  */
@@ -35,6 +44,13 @@ export interface UseImmutableSessionReturn {
      *   The refreshed session will include updated zkEvm data if available.
      */
     getUser: (forceRefresh?: boolean) => Promise<User | null>;
+    /**
+     * Get a guaranteed-fresh access token.
+     * Returns immediately if the current token is valid.
+     * If expired, triggers a refresh and blocks (awaits) until the fresh token is available.
+     * Throws if the user is not authenticated or if refresh fails.
+     */
+    getAccessToken: () => Promise<string>;
 }
 /**
  * Hook to access Immutable session with a getUser function for wallet integration.
@@ -70,53 +86,87 @@ export interface UseImmutableSessionReturn {
 export declare function useImmutableSession(): UseImmutableSessionReturn;
 /**
  * Return type for useLogin hook
+ *
+ * Config is optional - when omitted, defaults are auto-derived (clientId, redirectUri, etc.).
+ * When provided, must be a complete LoginConfig.
  */
 export interface UseLoginReturn {
     /** Start login with popup flow */
-    loginWithPopup: (config: LoginConfig, options?: StandaloneLoginOptions) => Promise<void>;
+    loginWithPopup: (config?: LoginConfig, options?: StandaloneLoginOptions) => Promise<void>;
     /** Start login with embedded modal flow */
-    loginWithEmbedded: (config: LoginConfig) => Promise<void>;
+    loginWithEmbedded: (config?: LoginConfig) => Promise<void>;
     /** Start login with redirect flow (navigates away from page) */
-    loginWithRedirect: (config: LoginConfig, options?: StandaloneLoginOptions) => Promise<void>;
+    loginWithRedirect: (config?: LoginConfig, options?: StandaloneLoginOptions) => Promise<void>;
     /** Whether login is currently in progress */
     isLoggingIn: boolean;
     /** Error message from the last login attempt, or null if none */
     error: string | null;
 }
 /**
- * Hook to handle Immutable authentication login flows.
+ * Hook to handle Immutable authentication login flows with automatic defaults.
  *
  * Provides login functions that:
  * 1. Handle OAuth authentication via popup, embedded modal, or redirect
  * 2. Automatically sign in to NextAuth after successful authentication
  * 3. Track loading and error states
+ * 4. Auto-detect clientId and redirectUri if not provided (uses defaults)
  *
- * Config is passed at call time to allow different configurations for different
- * login methods (e.g., different redirectUri vs popupRedirectUri).
+ * Config can be passed at call time or omitted to use sensible defaults:
+ * - `clientId`: Auto-detected based on environment (sandbox vs production)
+ * - `redirectUri`: Auto-derived from `window.location.origin + '/callback'`
+ * - `popupRedirectUri`: Auto-derived from `window.location.origin + '/callback'` (same as redirectUri)
+ * - `logoutRedirectUri`: Auto-derived from `window.location.origin`
+ * - `scope`: `'openid profile email offline_access transact'`
+ * - `audience`: `'platform_api'`
+ * - `authenticationDomain`: `'https://auth.immutable.com'`
  *
  * Must be used within a SessionProvider from next-auth/react.
  *
- * @example
+ * @example Minimal usage (uses all defaults)
  * ```tsx
  * import { useLogin, useImmutableSession } from '@imtbl/auth-next-client';
  *
- * const config = {
- *   clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
- *   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
- *   popupRedirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback/popup`,
- * };
+ * function LoginButton() {
+ *   const { isAuthenticated } = useImmutableSession();
+ *   const { loginWithPopup, isLoggingIn, error } = useLogin();
+ *
+ *   if (isAuthenticated) {
+ *     return <p>You are logged in!</p>;
+ *   }
+ *
+ *   return (
+ *     <>
+ *       <button onClick={() => loginWithPopup()} disabled={isLoggingIn}>
+ *         {isLoggingIn ? 'Signing in...' : 'Sign In'}
+ *       </button>
+ *       {error && <p style={{ color: 'red' }}>{error}</p>}
+ *     </>
+ *   );
+ * }
+ * ```
+ *
+ * @example With custom configuration
+ * ```tsx
+ * import { useLogin, useImmutableSession } from '@imtbl/auth-next-client';
  *
  * function LoginButton() {
  *   const { isAuthenticated } = useImmutableSession();
  *   const { loginWithPopup, isLoggingIn, error } = useLogin();
  *
+ *   const handleLogin = () => {
+ *     loginWithPopup({
+ *       clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID,
+ *       redirectUri: `${window.location.origin}/callback`,
+ *     });
+ *   };
+ *
  *   if (isAuthenticated) {
  *     return <p>You are logged in!</p>;
  *   }
  *
  *   return (
  *     <>
- *       <button onClick={() => loginWithPopup(config)} disabled={isLoggingIn}>
+ *       <button onClick={handleLogin} disabled={isLoggingIn}>
  *         {isLoggingIn ? 'Signing in...' : 'Sign In'}
  *       </button>
  *       {error && <p style={{ color: 'red' }}>{error}</p>}
@@ -136,9 +186,11 @@ export interface UseLogoutReturn {
      * This ensures that when the user logs in again, they will be prompted to select
      * an account instead of being automatically logged in with the previous account.
      *
-     * @param config - Logout configuration with clientId and optional redirectUri
+     * Config is optional - defaults will be auto-derived if not provided.
+     *
+     * @param config - Optional logout configuration with clientId and optional redirectUri
      */
-    logout: (config: LogoutConfig) => Promise<void>;
+    logout: (config?: LogoutConfig) => Promise<void>;
     /** Whether logout is currently in progress */
     isLoggingOut: boolean;
     /** Error message from the last logout attempt, or null if none */
@@ -155,16 +207,38 @@ export interface UseLogoutReturn {
  * an account (for social logins like Google) instead of being automatically logged
  * in with the previous account.
  *
+ * Config is optional - defaults will be auto-derived if not provided:
+ * - `clientId`: Auto-detected based on environment (sandbox vs production)
+ * - `logoutRedirectUri`: Auto-derived from `window.location.origin`
+ *
  * Must be used within a SessionProvider from next-auth/react.
  *
- * @example
+ * @example Minimal usage (uses all defaults)
  * ```tsx
  * import { useLogout, useImmutableSession } from '@imtbl/auth-next-client';
  *
- * const logoutConfig = {
- *   clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
- *   logoutRedirectUri: process.env.NEXT_PUBLIC_BASE_URL!,
- * };
+ * function LogoutButton() {
+ *   const { isAuthenticated } = useImmutableSession();
+ *   const { logout, isLoggingOut, error } = useLogout();
+ *
+ *   if (!isAuthenticated) {
+ *     return null;
+ *   }
+ *
+ *   return (
+ *     <>
+ *       <button onClick={() => logout()} disabled={isLoggingOut}>
+ *         {isLoggingOut ? 'Signing out...' : 'Sign Out'}
+ *       </button>
+ *       {error && <p style={{ color: 'red' }}>{error}</p>}
+ *     </>
+ *   );
+ * }
+ * ```
+ *
+ * @example With custom configuration
+ * ```tsx
+ * import { useLogout, useImmutableSession } from '@imtbl/auth-next-client';
  *
  * function LogoutButton() {
  *   const { isAuthenticated } = useImmutableSession();
@@ -176,7 +250,13 @@ export interface UseLogoutReturn {
  *
  *   return (
  *     <>
- *       <button onClick={() => logout(logoutConfig)} disabled={isLoggingOut}>
+ *       <button
+ *         onClick={() => logout({
+ *           clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID,
+ *           logoutRedirectUri: `${window.location.origin}/custom-logout`,
+ *         })}
+ *         disabled={isLoggingOut}
+ *       >
  *         {isLoggingOut ? 'Signing out...' : 'Sign Out'}
  *       </button>
  *       {error && <p style={{ color: 'red' }}>{error}</p>}
@@ -186,3 +266,4 @@ export interface UseLogoutReturn {
  * ```
  */
 export declare function useLogout(): UseLogoutReturn;
+export {};

package/dist/types/idTokenStorage.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Utility for persisting idToken in localStorage.
+ *
+ * The idToken is stripped from the NextAuth session cookie (via a custom
+ * jwt.encode in @imtbl/auth-next-server) to keep cookie size under CDN header
+ * limits (CloudFront 20 KB). Instead, the client stores idToken in
+ * localStorage so that wallet operations (e.g., MagicTEESigner) can still
+ * access it via getUser().
+ *
+ * All functions are safe to call during SSR or in restricted environments
+ * (e.g., incognito mode with localStorage disabled) -- they silently no-op.
+ */
+/**
+ * Store the idToken in localStorage.
+ * @param idToken - The raw ID token JWT string
+ */
+export declare function storeIdToken(idToken: string): void;
+/**
+ * Retrieve the idToken from localStorage.
+ * @returns The stored idToken, or undefined if not available.
+ */
+export declare function getStoredIdToken(): string | undefined;
+/**
+ * Remove the idToken from localStorage (e.g., on logout).
+ */
+export declare function clearStoredIdToken(): void;

package/dist/types/index.d.ts

@@ -28,3 +28,5 @@ export type { ImmutableUserClient, ImmutableTokenDataClient, ZkEvmInfo, } from '
 export type { ImmutableAuthConfig, ImmutableTokenData, ImmutableUser, AuthProps, AuthPropsWithData, ProtectedAuthProps, ProtectedAuthPropsWithData, } from '@imtbl/auth-next-server';
 export type { LoginConfig, StandaloneLoginOptions, DirectLoginOptions, LogoutConfig, } from '@imtbl/auth';
 export { MarketingConsentStatus } from '@imtbl/auth';
+export { DEFAULT_AUTH_DOMAIN, DEFAULT_AUDIENCE, DEFAULT_SCOPE, IMMUTABLE_PROVIDER_ID, DEFAULT_SANDBOX_CLIENT_ID, DEFAULT_REDIRECT_URI_PATH, DEFAULT_LOGOUT_REDIRECT_URI_PATH, } from './constants';
+export { deriveDefaultRedirectUri } from './defaultConfig';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@imtbl/auth-next-client",
-  "version": "2.12.7-alpha.1",
+  "version": "2.12.7-alpha.11",
   "description": "Immutable Auth.js v5 integration for Next.js - Client-side components",
   "author": "Immutable",
   "license": "Apache-2.0",
@@ -27,11 +27,11 @@
     }
   },
   "dependencies": {
-    "@imtbl/auth": "2.12.7-alpha.1",
-    "@imtbl/auth-next-server": "2.12.7-alpha.1"
+    "@imtbl/auth": "2.12.7-alpha.11",
+    "@imtbl/auth-next-server": "2.12.7-alpha.11"
   },
   "peerDependencies": {
-    "next": "^15.0.0",
+    "next": "^14.0.0 || ^15.0.0",
     "next-auth": "^5.0.0-beta.25",
     "react": "^18.2.0 || ^19.0.0"
   },
@@ -49,12 +49,14 @@
   "devDependencies": {
     "@swc/core": "^1.4.2",
     "@swc/jest": "^0.2.37",
+    "@testing-library/jest-dom": "^5.16.5",
+    "@testing-library/react": "^13.4.0",
     "@types/jest": "^29.5.12",
     "@types/node": "^22.10.7",
     "@types/react": "^18.3.5",
     "eslint": "^8.56.0",
     "jest": "^29.7.0",
-    "next": "^15.1.6",
+    "next": "^15.2.6",
     "next-auth": "^5.0.0-beta.30",
     "react": "^18.2.0",
     "tsup": "^8.3.0",

package/src/callback.tsx

@@ -6,6 +6,7 @@ import { signIn } from 'next-auth/react';
 import { handleLoginCallback as handleAuthCallback, type TokenResponse } from '@imtbl/auth';
 import type { ImmutableUserClient } from './types';
 import { IMMUTABLE_PROVIDER_ID } from './constants';
+import { storeIdToken } from './idTokenStorage';
 
 /**
  * Config for CallbackPage - matches LoginConfig from @imtbl/auth
@@ -159,6 +160,12 @@ export function CallbackPage({
           // Not in a popup - sign in to NextAuth with the tokens
           const tokenData = mapTokensToSignInData(tokens);
 
+          // Persist idToken to localStorage before signIn so it's available
+          // immediately. The cookie won't contain idToken (stripped by jwt.encode).
+          if (tokens.idToken) {
+            storeIdToken(tokens.idToken);
+          }
+
           const result = await signIn(IMMUTABLE_PROVIDER_ID, {
             tokens: JSON.stringify(tokenData),
             redirect: false,