@iqauth/sdk 2.3.0 → 2.5.0

package/dist/reverify-4UEJXUS6.mjs

@@ -0,0 +1,16 @@
+import {
+  PRIOR_SESSION_STORAGE_KEY,
+  enterImpersonation,
+  exitImpersonation,
+  reverify,
+  withReverification
+} from "./chunk-LIZYFXH7.mjs";
+import "./chunk-6I6RM4MN.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+export {
+  PRIOR_SESSION_STORAGE_KEY,
+  enterImpersonation,
+  exitImpersonation,
+  reverify,
+  withReverification
+};

package/dist/server/handlers.d.mts

@@ -47,6 +47,11 @@ interface IQAuthHelperConfig {
     accessCookieName?: string;
     /** Override the refresh token cookie name. Defaults to `iqauth_rt`. */
     refreshCookieName?: string;
+    /** F14 — Umbrella shorthand for `accessCookieName` / `refreshCookieName`. */
+    cookieNames?: {
+        access?: string;
+        refresh?: string;
+    };
     /** Cookie domain (e.g. `.example.com`). Defaults to host-only. */
     cookieDomain?: string;
     /** Cookie sameSite policy. Defaults to `lax`. */
@@ -82,7 +87,11 @@ interface IQAuthHelperConfig {
      */
     clearCookiesOnRefreshFailure?: "terminal-only" | "always" | "never";
 }
-interface ResolvedConfig extends Required<Omit<IQAuthHelperConfig, "secretKey" | "cookieDomain" | "issuer" | "fetchImpl" | "clearCookiesOnRefreshFailure">> {
+interface ResolvedConfig extends Required<Omit<IQAuthHelperConfig, "secretKey" | "cookieDomain" | "issuer" | "fetchImpl" | "clearCookiesOnRefreshFailure" | "cookieNames">> {
+    cookieNames?: {
+        access?: string;
+        refresh?: string;
+    };
     secretKey?: string;
     cookieDomain?: string;
     issuer: string;

package/dist/server/handlers.d.ts

@@ -47,6 +47,11 @@ interface IQAuthHelperConfig {
     accessCookieName?: string;
     /** Override the refresh token cookie name. Defaults to `iqauth_rt`. */
     refreshCookieName?: string;
+    /** F14 — Umbrella shorthand for `accessCookieName` / `refreshCookieName`. */
+    cookieNames?: {
+        access?: string;
+        refresh?: string;
+    };
     /** Cookie domain (e.g. `.example.com`). Defaults to host-only. */
     cookieDomain?: string;
     /** Cookie sameSite policy. Defaults to `lax`. */
@@ -82,7 +87,11 @@ interface IQAuthHelperConfig {
      */
     clearCookiesOnRefreshFailure?: "terminal-only" | "always" | "never";
 }
-interface ResolvedConfig extends Required<Omit<IQAuthHelperConfig, "secretKey" | "cookieDomain" | "issuer" | "fetchImpl" | "clearCookiesOnRefreshFailure">> {
+interface ResolvedConfig extends Required<Omit<IQAuthHelperConfig, "secretKey" | "cookieDomain" | "issuer" | "fetchImpl" | "clearCookiesOnRefreshFailure" | "cookieNames">> {
+    cookieNames?: {
+        access?: string;
+        refresh?: string;
+    };
     secretKey?: string;
     cookieDomain?: string;
     issuer: string;

package/dist/server/handlers.js

@@ -133,8 +133,8 @@ function resolve(config) {
     publishableKey: config.publishableKey,
     secretKey: config.secretKey,
     issuer: (config.issuer ?? inferredIssuer).replace(/\/+$/, ""),
-    accessCookieName: config.accessCookieName ?? "iqauth_at",
-    refreshCookieName: config.refreshCookieName ?? "iqauth_rt",
+    accessCookieName: config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at",
+    refreshCookieName: config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt",
     cookieDomain: config.cookieDomain,
     sameSite: config.sameSite ?? "lax",
     secure: config.secure ?? true,

package/dist/server/handlers.mjs

@@ -3,7 +3,7 @@ import {
   handleRefresh,
   handleSignout,
   serializeCookie
-} from "../chunk-KGEPDXHU.mjs";
+} from "../chunk-6TDJJER7.mjs";
 import "../chunk-WQWBJSSS.mjs";
 import "../chunk-6I6RM4MN.mjs";
 import "../chunk-Y6FXYEAI.mjs";

package/dist/server.d.mts

@@ -1,8 +1,10 @@
-import { b as IQAuthTokenClientConfig, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
-import { I as IQAuthClient } from './client-vdh2a9fJ.mjs';
+import { b as IQAuthTokenClientConfig, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-DZAflmmq.mjs';
+import { I as IQAuthClient } from './client-kYlJFgPv.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
-export { C as CookieAwareMiddlewareOptions, D as DEFAULT_ACCESS_COOKIE, a as DEFAULT_REFRESH_COOKIE, i as iqAuthMiddleware } from './express-A0-dWEMy.mjs';
+export { C as CookieAwareMiddlewareOptions, D as DEFAULT_ACCESS_COOKIE, a as DEFAULT_REFRESH_COOKIE, i as iqAuthMiddleware } from './express-B6_1vBYZ.mjs';
 export { HandlerResponse, IQAuthHelperConfig, SetCookieDirective, handleCallback, handleRefresh, handleSignout, serializeCookie } from './server/handlers.mjs';
+export { P as ProvisioningBridge, a as ProvisioningBridgeOptions, d as ProvisioningContext, b as ProvisioningStorage, c as createProvisioningBridge } from './provisioningBridge-88xjOS2n.mjs';
+import './tokens-DCyzzn8L.mjs';
 
 declare class ServerIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);

package/dist/server.d.ts

@@ -1,8 +1,10 @@
-import { b as IQAuthTokenClientConfig, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
-import { I as IQAuthClient } from './client-DTX4hNdS.js';
+import { b as IQAuthTokenClientConfig, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-DZAflmmq.js';
+import { I as IQAuthClient } from './client-BNQe3AgF.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
-export { C as CookieAwareMiddlewareOptions, D as DEFAULT_ACCESS_COOKIE, a as DEFAULT_REFRESH_COOKIE, i as iqAuthMiddleware } from './express-Bo_pJKHN.js';
+export { C as CookieAwareMiddlewareOptions, D as DEFAULT_ACCESS_COOKIE, a as DEFAULT_REFRESH_COOKIE, i as iqAuthMiddleware } from './express-CHpfa7D_.js';
 export { HandlerResponse, IQAuthHelperConfig, SetCookieDirective, handleCallback, handleRefresh, handleSignout, serializeCookie } from './server/handlers.js';
+export { P as ProvisioningBridge, a as ProvisioningBridgeOptions, d as ProvisioningContext, b as ProvisioningStorage, c as createProvisioningBridge } from './provisioningBridge-DnTfzdZK.js';
+import './tokens-aHiGFr_E.js';
 
 declare class ServerIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);

package/dist/server.js

@@ -36,6 +36,7 @@ __export(server_exports, {
   IQAuthClient: () => IQAuthClient,
   IQAuthError: () => IQAuthError,
   ServerIQAuthClient: () => ServerIQAuthClient,
+  createProvisioningBridge: () => createProvisioningBridge,
   createServerClient: () => createServerClient,
   handleCallback: () => handleCallback,
   handleRefresh: () => handleRefresh,
@@ -1925,6 +1926,22 @@ function readCookie(req, name) {
   }
   return void 0;
 }
+function compileMatcher(pat) {
+  if (pat instanceof RegExp) return (p) => pat.test(p);
+  const re = new RegExp(
+    "^" + pat.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "::DOUBLE::").replace(/\*/g, "[^/]*").replace(/::DOUBLE::/g, ".*") + "$"
+  );
+  return (p) => re.test(p);
+}
+function compileMatchers(pats) {
+  return (pats ?? []).map(compileMatcher);
+}
+function pathOf(req) {
+  const r = req;
+  const raw = r.path || r.originalUrl || r.url || "/";
+  const q = raw.indexOf("?");
+  return q >= 0 ? raw.slice(0, q) : raw;
+}
 function clientFromPublishableKey(opts) {
   const parsed = assertPublishableKey(opts.publishableKey, { context: "iqAuthMiddleware" });
   const issuer = (opts.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
@@ -1952,10 +1969,26 @@ function iqAuthMiddleware(clientOrOptions, options = {}) {
     onUnauthorized,
     onForbidden,
     onError,
-    accessCookieName = DEFAULT_ACCESS_COOKIE,
-    cookieAware = true
+    cookieAware = true,
+    cookieNames,
+    protect,
+    publicRoutes
   } = resolvedOptions;
+  const accessCookieName = resolvedOptions.accessCookieName ?? cookieNames?.access ?? DEFAULT_ACCESS_COOKIE;
+  const protectMatchers = compileMatchers(protect);
+  const publicMatchers = compileMatchers(publicRoutes);
+  const hasProtect = protectMatchers.length > 0;
+  const hasPublic = publicMatchers.length > 0;
   return async (req, res, next) => {
+    if (hasProtect || hasPublic) {
+      const path = pathOf(req);
+      if (hasPublic && publicMatchers.some((m) => m(path))) {
+        return next();
+      }
+      if (hasProtect && !protectMatchers.some((m) => m(path))) {
+        return next();
+      }
+    }
     let token;
     const authHeader = getAuthorizationHeader(req);
     if (authHeader && authHeader.startsWith("Bearer ")) {
@@ -2074,8 +2107,8 @@ function resolve(config) {
     publishableKey: config.publishableKey,
     secretKey: config.secretKey,
     issuer: (config.issuer ?? inferredIssuer).replace(/\/+$/, ""),
-    accessCookieName: config.accessCookieName ?? "iqauth_at",
-    refreshCookieName: config.refreshCookieName ?? "iqauth_rt",
+    accessCookieName: config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at",
+    refreshCookieName: config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt",
     cookieDomain: config.cookieDomain,
     sameSite: config.sameSite ?? "lax",
     secure: config.secure ?? true,
@@ -2255,6 +2288,57 @@ async function handleSignout(config, input) {
   };
 }
 
+// src/server/provisioningBridge.ts
+function defaultIsUniqueViolation(err) {
+  if (!err || typeof err !== "object") return false;
+  const e = err;
+  if (e.code === "23505") return true;
+  if (typeof e.code === "string" && e.code.startsWith("SQLITE_CONSTRAINT")) return true;
+  if (typeof e.message === "string" && /unique constraint|duplicate key/i.test(e.message)) return true;
+  return false;
+}
+function createProvisioningBridge(options) {
+  const { storage } = options;
+  const isUniqueViolation = options.isUniqueViolation ?? defaultIsUniqueViolation;
+  const roleOf = (claims) => {
+    try {
+      return options.roleMapper?.(claims) ?? null;
+    } catch {
+      return null;
+    }
+  };
+  const ensureUser = async (claims) => {
+    if (!claims?.sub) {
+      throw new Error("createProvisioningBridge: claims.sub is required");
+    }
+    const byId = await storage.findByIqAuthUserId(claims.sub);
+    if (byId) return { user: byId, claims, created: false, adopted: false };
+    if (claims.email) {
+      const byEmail = await storage.findByEmail(claims.email);
+      if (byEmail) {
+        if (storage.adoptByEmail) {
+          const adopted = await storage.adoptByEmail(byEmail, claims, roleOf(claims));
+          return { user: adopted, claims, created: false, adopted: true };
+        }
+      }
+    }
+    try {
+      const created = await storage.insertFromClaims(claims, roleOf(claims));
+      return { user: created, claims, created: true, adopted: false };
+    } catch (err) {
+      if (!isUniqueViolation(err)) throw err;
+      const after = await storage.findByIqAuthUserId(claims.sub);
+      if (after) return { user: after, claims, created: false, adopted: false };
+      if (claims.email) {
+        const byEmail = await storage.findByEmail(claims.email);
+        if (byEmail) return { user: byEmail, claims, created: false, adopted: true };
+      }
+      throw err;
+    }
+  };
+  return { ensureUser };
+}
+
 // src/server.ts
 var ServerIQAuthClient = class extends IQAuthClient {
   constructor(config) {
@@ -2275,6 +2359,7 @@ function createServerClient(config) {
   IQAuthClient,
   IQAuthError,
   ServerIQAuthClient,
+  createProvisioningBridge,
   createServerClient,
   handleCallback,
   handleRefresh,

package/dist/server.mjs

@@ -1,18 +1,21 @@
+import {
+  handleCallback,
+  handleRefresh,
+  handleSignout,
+  serializeCookie
+} from "./chunk-6TDJJER7.mjs";
+import {
+  createProvisioningBridge
+} from "./chunk-SL3KRS4W.mjs";
 import {
   DEFAULT_ACCESS_COOKIE,
   DEFAULT_REFRESH_COOKIE,
   iqAuthMiddleware
-} from "./chunk-EKTNEZIH.mjs";
+} from "./chunk-BVV54LPI.mjs";
+import "./chunk-WQWBJSSS.mjs";
 import {
   IQAuthClient
 } from "./chunk-W3F4JYGP.mjs";
-import {
-  handleCallback,
-  handleRefresh,
-  handleSignout,
-  serializeCookie
-} from "./chunk-KGEPDXHU.mjs";
-import "./chunk-WQWBJSSS.mjs";
 import "./chunk-UNYDG2L4.mjs";
 import {
   ErrorCodes,
@@ -39,6 +42,7 @@ export {
   IQAuthClient,
   IQAuthError,
   ServerIQAuthClient,
+  createProvisioningBridge,
   createServerClient,
   handleCallback,
   handleRefresh,

package/dist/service.d.mts

@@ -1,6 +1,7 @@
-import { I as IQAuthClient } from './client-vdh2a9fJ.mjs';
-import { b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.mjs';
+import { I as IQAuthClient } from './client-kYlJFgPv.mjs';
+import { b as IQAuthTokenClientConfig } from './types-DZAflmmq.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
+import './tokens-DCyzzn8L.mjs';
 
 declare class ServiceIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);

package/dist/service.d.ts

@@ -1,6 +1,7 @@
-import { I as IQAuthClient } from './client-DTX4hNdS.js';
-import { b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.js';
+import { I as IQAuthClient } from './client-BNQe3AgF.js';
+import { b as IQAuthTokenClientConfig } from './types-DZAflmmq.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
+import './tokens-aHiGFr_E.js';
 
 declare class ServiceIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);

package/dist/signIn-CCY4JE5G.mjs

@@ -0,0 +1,15 @@
+import {
+  buildSignInUrl,
+  handleAuthCallback,
+  redirectToSignIn,
+  signIn,
+  signOut
+} from "./chunk-TKZTCPEK.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+export {
+  buildSignInUrl,
+  handleAuthCallback,
+  redirectToSignIn,
+  signIn,
+  signOut
+};

package/dist/{signIn-Cd0P4y9d.d.mts → signIn-CiIBTJIh.d.mts}

@@ -1,5 +1,5 @@
 import { c as ParsedPublishableKey } from './publishableKey-BaR0HoAH.mjs';
-import { d as SessionUser, J as JwtClaims } from './types-Cxl3bQHt.mjs';
+import { J as JwtClaims, d as SessionUser } from './types-DZAflmmq.mjs';
 
 /**
  * SessionManager — core browser-side session state.
@@ -28,9 +28,17 @@ type SessionStatus = "loading" | "authenticated" | "unauthenticated";
  * first-party cookie — convenient for browser-only apps but not as resistant
  * to XSS exfiltration.
  */
+/**
+ * Optional context handed to `RefreshTokenStore.write`. Multi-account stores
+ * use it to route the token to the correct per-account cookie when no
+ * "active" account is set yet (i.e. immediately after `addAccount()`).
+ */
+interface RefreshTokenWriteContext {
+    claims?: JwtClaims | null;
+}
 interface RefreshTokenStore {
     read(): string | null | Promise<string | null>;
-    write(token: string): void | Promise<void>;
+    write(token: string, ctx?: RefreshTokenWriteContext): void | Promise<void>;
     clear(): void | Promise<void>;
 }
 interface SessionSnapshot {
@@ -101,6 +109,17 @@ interface SessionManagerOptions {
      * Defaults to `false` to preserve pre-2.0.3 behavior.
      */
     serverManagedSession?: boolean;
+    /**
+     * F14 — Override the names of the cookies the SDK reads/writes. Useful when
+     * a host app already uses `iqauth_rt`/`iqauth_at` for an unrelated purpose
+     * or wants to prefix all SDK cookies. Only the `refresh` cookie is written
+     * by the browser SDK directly; `access` is for parity with the backend
+     * helpers/middleware which read it via the same umbrella option.
+     */
+    cookieNames?: {
+        refresh?: string;
+        access?: string;
+    };
 }
 declare class SessionManager {
     private snapshot;
@@ -115,9 +134,10 @@ declare class SessionManager {
     private readonly userinfoPath;
     private readonly useCookies;
     private readonly proactiveRefresh;
-    private readonly tokenStore;
+    private tokenStore;
     private readonly crossTabLockTimeoutMs;
     private readonly serverManagedSession;
+    private readonly refreshCookieName;
     private proactiveTimer;
     private bootstrapped;
     /** Pending refresh awaited by other tabs after a `refresh:claim` from us. */
@@ -129,6 +149,8 @@ declare class SessionManager {
     get appKey(): string;
     get tenantIdFromKey(): string;
     get issuerUrl(): string;
+    /** Cookie name the SDK uses for the refresh token (overridable via `cookieNames.refresh`). */
+    get refreshCookie(): string;
     getSnapshot(): SessionSnapshot;
     subscribe(listener: (s: SessionSnapshot) => void): () => void;
     /**
@@ -175,6 +197,12 @@ declare class SessionManager {
      * the server-side logout request.
      */
     signOutLocal(status?: SessionStatus): void;
+    /**
+     * Replace the refresh-token store at runtime. Used by the F22
+     * `<MultisessionAppSupport>` wrapper to swap in a `MultiAccountTokenStore`
+     * after the manager has already been constructed by `<IQAuthProvider>`.
+     */
+    setTokenStore(store: RefreshTokenStore): void;
     destroy(): void;
     private setStatus;
     private setError;
@@ -186,6 +214,180 @@ declare class SessionManager {
     private onBroadcast;
 }
 
+/**
+ * Passwordless helpers (Task #91 / F24/F25/F31). Browser-only — these wrap
+ * the issuer's `/api/v1/auth/{magic-link,passkeys,identities}` routes so
+ * non-React consumers (vanilla JS, Vue, Svelte) can integrate without
+ * pulling in framework code. React consumers should prefer the hooks
+ * exported from `@iqauth/sdk/react`.
+ *
+ * All calls use `credentials: "include"` so the issuer can promote the
+ * minted session to httpOnly cookies (`iqauth_at` / `iqauth_rt`) when
+ * the caller forwards the `x-iqauth-session: cookie` header.
+ *
+ * `iqAuthBaseUrl` is the issuer URL (e.g. https://auth.example.com); it
+ * must NOT end with a slash.
+ */
+type PasswordlessOptions = {
+    iqAuthBaseUrl: string;
+    /** When true (default), tells the issuer to set httpOnly cookies on success. */
+    cookieSession?: boolean;
+};
+type MagicLinkRequestInput = {
+    email: string;
+    /** App identifier — accepts the app id, key, or omitted for global links. */
+    appId?: string;
+    redirectUri: string;
+};
+declare function requestMagicLink(opts: PasswordlessOptions, input: MagicLinkRequestInput): Promise<{
+    ok: true;
+}>;
+declare function verifyMagicLink(opts: PasswordlessOptions, token: string): Promise<{
+    accessToken?: string;
+    user?: unknown;
+    redirectUri?: string;
+}>;
+type PasskeyAuthInput = {
+    email?: string;
+};
+declare function beginPasskeyAuthentication(opts: PasswordlessOptions, input?: PasskeyAuthInput): Promise<unknown>;
+declare function finishPasskeyAuthentication(opts: PasswordlessOptions, response: unknown): Promise<unknown>;
+declare function beginPasskeyRegistration(opts: PasswordlessOptions): Promise<unknown>;
+declare function finishPasskeyRegistration(opts: PasswordlessOptions, response: unknown, name?: string): Promise<unknown>;
+/**
+ * End-to-end passkey sign-in convenience. Loads `@simplewebauthn/browser` on
+ * demand (peer dependency) so callers that never use passkeys don't pay the
+ * bundle cost.
+ */
+declare function signInWithPasskey(opts: PasswordlessOptions, input?: PasskeyAuthInput): Promise<unknown>;
+declare function enrollPasskey(opts: PasswordlessOptions, name?: string): Promise<unknown>;
+type LinkedIdentity = {
+    id: string;
+    provider: string;
+    providerUserId: string | null;
+    linkedAt: string;
+    label?: string | null;
+    name?: string | null;
+    canUnlink: boolean;
+};
+declare function listLinkedIdentities(opts: PasswordlessOptions): Promise<LinkedIdentity[]>;
+type LinkProviderInput = {
+    provider: "google";
+    idToken: string;
+    reauth: {
+        password?: string;
+    };
+} | {
+    provider: string;
+    opaque: {
+        providerUserId: string;
+        verifiedBy: string;
+    };
+    reauth: {
+        password?: string;
+    };
+};
+declare function linkProvider(opts: PasswordlessOptions, input: LinkProviderInput): Promise<{
+    ok: true;
+}>;
+type UnlinkProviderInput = {
+    provider: string;
+    reauth: {
+        password?: string;
+    };
+};
+declare function unlinkProvider(opts: PasswordlessOptions, input: UnlinkProviderInput): Promise<{
+    ok: true;
+}>;
+
+/**
+ * Browser-only storage helpers used by the SessionManager.
+ *
+ * Storage strategy (Phase B):
+ *   - Access token: in memory only (held by SessionManager).
+ *   - Refresh token: first-party cookie on the app's own domain. The cookie
+ *     is set by the SDK callback handler and cleared on signOut.
+ *
+ * NOTE: Cookies set from JS cannot be httpOnly. Phase D (cookie-aware
+ * middleware) will move refresh-token cookie management into the app's
+ * backend so it can be httpOnly. Until then, the SDK uses a `Secure`,
+ * `SameSite=Lax` first-party cookie as a pragmatic stopgap. Nothing
+ * privileged ever lives in localStorage.
+ */
+declare const REFRESH_COOKIE = "iqauth_rt";
+interface CookieOptions {
+    maxAgeSeconds?: number;
+    path?: string;
+    domain?: string;
+    secure?: boolean;
+    sameSite?: "lax" | "strict" | "none";
+}
+declare function setCookie(name: string, value: string, opts?: CookieOptions): void;
+declare function getCookie(name: string): string | null;
+declare function clearCookie(name: string, opts?: CookieOptions): void;
+
+/**
+ * F22 — Multi-account registry.
+ *
+ * Persists the set of accounts currently signed in to a given app (keyed by
+ * the app's publishableKey appId) plus which one is "active". Each account
+ * stores a single per-account refresh cookie named `iqauth_rt_<accountId>`
+ * (where `accountId` is the user's `sub` claim), so SessionManager can
+ * pivot to any account by reading a different cookie + calling refresh().
+ *
+ * NOTE: We deliberately do NOT store refresh tokens in localStorage — they
+ * stay in cookies (same security posture as the single-account default).
+ * localStorage holds only public profile data + ordering metadata.
+ */
+
+interface AccountRecord {
+    accountId: string;
+    userId: string;
+    email: string;
+    name: string;
+    tenantId: string | null;
+    addedAt: number;
+}
+declare class AccountRegistry {
+    private readonly appId;
+    private listeners;
+    private storageHandler;
+    constructor(appId: string);
+    destroy(): void;
+    list(): AccountRecord[];
+    active(): string | null;
+    get(accountId: string): AccountRecord | null;
+    upsert(rec: AccountRecord): void;
+    setActive(accountId: string | null): void;
+    remove(accountId: string): void;
+    subscribe(listener: () => void): () => void;
+    /**
+     * Read the refresh token for a specific account from its per-account
+     * cookie. Used by `MultiAccountTokenStore.read()`.
+     */
+    readRefreshToken(accountId: string): string | null;
+    /**
+     * Persist a refresh token to the per-account cookie. Caller is the
+     * SessionManager via `MultiAccountTokenStore.write()`.
+     */
+    writeRefreshToken(accountId: string, token: string, opts?: CookieOptions): void;
+    clearRefreshToken(accountId: string): void;
+    private notify;
+}
+/**
+ * RefreshTokenStore that reads/writes the active account's per-account
+ * cookie. Falls back to a configurable single-account store when no active
+ * account is set (e.g. before the first sign-in completes).
+ */
+declare class MultiAccountTokenStore implements RefreshTokenStore {
+    private readonly registry;
+    private readonly fallback;
+    constructor(registry: AccountRegistry, fallback: RefreshTokenStore);
+    read(): string | null | Promise<string | null>;
+    write(token: string, ctx?: RefreshTokenWriteContext): void | Promise<void>;
+    clear(): void | Promise<void>;
+}
+
 /**
  * Sign-in / sign-out / callback helpers that build on top of the
  * SessionManager. These are usable both from React (via the hook helpers in
@@ -208,6 +410,20 @@ interface SignInOptions {
     redirectUri?: string;
     /** Extra OIDC scopes beyond `openid` to request. */
     scope?: string;
+    /**
+     * F14 — Override SDK cookie names. `refresh` controls where the JS
+     * fallback writes the refresh token after the callback exchange.
+     */
+    cookieNames?: {
+        refresh?: string;
+    };
+    /**
+     * OIDC `prompt` parameter. `"login"` forces the IQAuth host to show the
+     * sign-in form even if a single-sign-on session already exists — used by
+     * the multi-account `addAccount()` helper to add a second account in
+     * parallel rather than re-using the active session.
+     */
+    prompt?: "login" | "none" | "consent" | "select_account";
 }
 interface SignOutOptions {
     /** Where to send the user after sign out. Defaults to the current page. */
@@ -258,6 +474,10 @@ declare function handleAuthCallback(manager: SessionManager, options?: {
     url?: string;
     tokenPath?: string;
     fetchImpl?: typeof fetch;
+    /** F14 — refresh-cookie name override (defaults to `manager.refreshCookie`). */
+    cookieNames?: {
+        refresh?: string;
+    };
 }): Promise<CallbackResult>;
 /**
  * Clear the local session, ask IQAuth to revoke the refresh token, and
@@ -265,4 +485,4 @@ declare function handleAuthCallback(manager: SessionManager, options?: {
  */
 declare function signOut(manager: SessionManager, opts?: SignOutOptions): Promise<void>;
 
-export { type CallbackResult as C, SessionManager as S, type SessionSnapshot as a, type SignInOptions as b, type SignOutOptions as c, type SessionManagerOptions as d, type SessionStatus as e, buildSignInUrl as f, signOut as g, handleAuthCallback as h, redirectToSignIn as r, signIn as s };
+export { AccountRegistry as A, clearCookie as B, type CallbackResult as C, getCookie as D, setCookie as E, type LinkedIdentity as L, type MagicLinkRequestInput as M, type PasswordlessOptions as P, type RefreshTokenStore as R, SessionManager as S, type UnlinkProviderInput as U, type SessionManagerOptions as a, type SessionSnapshot as b, type SessionStatus as c, beginPasskeyAuthentication as d, beginPasskeyRegistration as e, finishPasskeyAuthentication as f, finishPasskeyRegistration as g, enrollPasskey as h, linkProvider as i, type PasskeyAuthInput as j, type LinkProviderInput as k, listLinkedIdentities as l, MultiAccountTokenStore as m, type AccountRecord as n, buildSignInUrl as o, handleAuthCallback as p, redirectToSignIn as q, requestMagicLink as r, signInWithPasskey as s, signIn as t, unlinkProvider as u, verifyMagicLink as v, signOut as w, type SignInOptions as x, type SignOutOptions as y, REFRESH_COOKIE as z };