@iqauth/sdk 2.3.0 → 2.6.0

package/dist/react.js

@@ -3,6 +3,9 @@ var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -17,120 +20,24 @@ var __copyProps = (to, from, except, desc) => {
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// src/react.ts
-var react_exports = {};
-__export(react_exports, {
-  AuthCallback: () => AuthCallback,
-  IQAuthLoaded: () => IQAuthLoaded,
-  IQAuthLoading: () => IQAuthLoading,
-  IQAuthProvider: () => IQAuthProvider,
-  OrganizationSwitcher: () => OrganizationSwitcher,
-  RedirectToSignIn: () => RedirectToSignIn,
-  SignIn: () => SignIn,
-  SignUp: () => SignUp,
-  SignedIn: () => SignedIn,
-  SignedOut: () => SignedOut,
-  UserButton: () => UserButton,
-  UserProfile: () => UserProfile,
-  __version__: () => __version__,
-  isSilentSsoEligible: () => isSilentSsoEligible,
-  sanitizeBrandCss: () => sanitizeBrandCss,
-  useAuth: () => useAuth,
-  useAuthFetch: () => useAuthFetch,
-  useIQAuthSignInContext: () => useIQAuthSignInContext,
-  useOrganization: () => useOrganization,
-  useResolvedSdkBranding: () => useResolvedSdkBranding,
-  useSession: () => useSession,
-  useUser: () => useUser
-});
-module.exports = __toCommonJS(react_exports);
-
-// src/react/index.tsx
-var import_react = require("react");
-
 // src/errors.ts
-var IQAuthError = class extends Error {
-  constructor(code, message, status, raw) {
-    super(message);
-    this.name = "IQAuthError";
-    this.code = code;
-    this.status = status;
-    this.raw = raw;
-  }
-};
-
-// src/publishableKey.ts
-function b64urlDecode(input) {
-  const pad = input.length % 4 === 0 ? "" : "=".repeat(4 - input.length % 4);
-  const normalized = input.replace(/-/g, "+").replace(/_/g, "/") + pad;
-  if (typeof atob === "function") {
-    const bin = atob(normalized);
-    const bytes = new Uint8Array(bin.length);
-    for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
-    return new TextDecoder().decode(bytes);
-  }
-  const { Buffer: Buffer2 } = require("buffer");
-  return Buffer2.from(normalized, "base64").toString("utf8");
-}
-function isValidIssuerUrl(iss) {
-  if (typeof iss !== "string" || iss.length === 0) return false;
-  if (!iss.startsWith("http://") && !iss.startsWith("https://")) return false;
-  try {
-    const u = new URL(iss);
-    if (u.protocol !== "http:" && u.protocol !== "https:") return false;
-    if (!u.hostname) return false;
-    return true;
-  } catch {
-    return false;
-  }
-}
-function assertPublishableKey(raw, opts) {
-  const ctx = opts?.context ? `${opts.context}: ` : "";
-  if (typeof raw !== "string" || raw.length === 0) {
-    throw new IQAuthError(
-      "CONFIG_INVALID",
-      `${ctx}IQAuth publishable key is missing. Set IQAUTH_PUBLISHABLE_KEY (or pass publishableKey) to a pk_test_\u2026 or pk_live_\u2026 value from the IQAuth admin console.`
-    );
-  }
-  const shapeMatch = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
-  if (!shapeMatch) {
-    throw new IQAuthError(
-      "CONFIG_INVALID",
-      `${ctx}IQAuth publishable key is malformed (got ${raw.slice(0, 12)}\u2026). Expected pk_test_\u2026 or pk_live_\u2026; regenerate the key from the IQAuth admin console.`
-    );
-  }
-  let decoded;
-  try {
-    decoded = JSON.parse(b64urlDecode(shapeMatch[2]));
-  } catch {
-    throw new IQAuthError(
-      "CONFIG_INVALID",
-      `${ctx}IQAuth publishable key payload is not valid base64url JSON. Regenerate the key from the IQAuth admin console.`
-    );
-  }
-  if (!isPublishableKeyPayload(decoded)) {
-    throw new IQAuthError(
-      "CONFIG_INVALID",
-      `${ctx}IQAuth publishable key payload is missing required fields {iss, appId, tenantId, kid}. Regenerate the key from the IQAuth admin console.`
-    );
-  }
-  if (!isValidIssuerUrl(decoded.iss)) {
-    throw new IQAuthError(
-      "CONFIG_INVALID",
-      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
-    );
+var IQAuthError;
+var init_errors = __esm({
+  "src/errors.ts"() {
+    "use strict";
+    IQAuthError = class extends Error {
+      constructor(code, message, status, raw) {
+        super(message);
+        this.name = "IQAuthError";
+        this.code = code;
+        this.status = status;
+        this.raw = raw;
+      }
+    };
   }
-  return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
-}
-function isPublishableKeyPayload(value) {
-  if (!value || typeof value !== "object") return false;
-  const v = value;
-  return typeof v.iss === "string" && typeof v.appId === "string" && typeof v.tenantId === "string" && typeof v.kid === "string";
-}
+});
 
 // src/browser/storage.ts
-var REFRESH_COOKIE = "iqauth_rt";
-var PKCE_STORAGE_PREFIX = "iqauth.pkce.";
 function isBrowser() {
   return typeof window !== "undefined" && typeof document !== "undefined";
 }
@@ -187,105 +94,918 @@ function clearPkce(state) {
   } catch {
   }
 }
+var REFRESH_COOKIE, PKCE_STORAGE_PREFIX;
+var init_storage = __esm({
+  "src/browser/storage.ts"() {
+    "use strict";
+    REFRESH_COOKIE = "iqauth_rt";
+    PKCE_STORAGE_PREFIX = "iqauth.pkce.";
+  }
+});
 
-// src/browser/sessionManager.ts
-var DEFAULT_REFRESH_PATH = "/api/v1/auth/refresh";
-var DEFAULT_USERINFO_PATH = "/api/v1/auth/me";
-function decodeClaims(token) {
-  try {
-    const parts = token.split(".");
-    if (parts.length !== 3) return null;
-    const json = typeof atob === "function" ? decodeURIComponent(
-      atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")).split("").map((c) => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join("")
-    ) : Buffer.from(parts[1], "base64url").toString("utf8");
-    return JSON.parse(json);
-  } catch {
-    return null;
+// src/browser/pkce.ts
+function getCrypto() {
+  if (typeof globalThis !== "undefined" && globalThis.crypto) {
+    return globalThis.crypto;
   }
+  throw new Error("WebCrypto is not available in this environment");
 }
-function claimsToSessionUser(claims) {
-  if (!claims) return null;
-  return {
-    sub: claims.sub,
-    email: claims.email,
-    name: claims.name,
-    tenantId: claims.tenantId,
-    vendorId: claims.vendorId,
-    roles: claims.roles ?? [],
-    entitlements: claims.entitlements ?? []
-  };
+function base64UrlEncode(bytes) {
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
 }
-var EMPTY = {
-  status: "loading",
-  accessToken: null,
-  user: null,
-  claims: null,
-  tenantId: null,
-  error: null,
-  version: 0
-};
-function defaultCookieStore() {
-  return {
-    read: () => getCookie(REFRESH_COOKIE),
-    write: (token) => setCookie(REFRESH_COOKIE, token, { maxAgeSeconds: 60 * 60 * 24 * 30 }),
-    clear: () => clearCookie(REFRESH_COOKIE)
-  };
+function randomUrlSafe(byteLength = 32) {
+  const bytes = new Uint8Array(byteLength);
+  getCrypto().getRandomValues(bytes);
+  return base64UrlEncode(bytes);
 }
-var NO_OP_STORE = {
-  read: () => null,
-  write: () => void 0,
-  clear: () => void 0
-};
-var SessionManager = class {
-  constructor(options) {
-    this.snapshot = { ...EMPTY };
-    this.listeners = /* @__PURE__ */ new Set();
-    this.refreshPromise = null;
-    this.channel = null;
-    this.proactiveTimer = null;
-    this.bootstrapped = false;
-    /** Pending refresh awaited by other tabs after a `refresh:claim` from us. */
-    this.remoteRefreshWaiters = [];
-    /** Active claims by other tabs (keyed by source tabId). */
-    this.foreignClaim = null;
-    const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/browser SessionManager" });
-    this.key = parsed;
-    const inferred = options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`);
-    this.issuer = inferred.replace(/\/+$/, "");
-    this.refreshPath = options.refreshPath ?? DEFAULT_REFRESH_PATH;
-    this.userinfoPath = options.userinfoPath ?? DEFAULT_USERINFO_PATH;
-    this.useCookies = options.useCookies ?? true;
-    this.serverManagedSession = options.serverManagedSession ?? false;
-    this.proactiveRefresh = this.serverManagedSession ? false : options.proactiveRefresh ?? true;
-    this.tokenStore = options.tokenStore ?? (this.serverManagedSession ? NO_OP_STORE : this.useCookies ? defaultCookieStore() : NO_OP_STORE);
-    this.crossTabLockTimeoutMs = options.crossTabLockTimeoutMs ?? 4e3;
-    this.fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : (() => {
-      throw new Error("global fetch is not available; pass fetchImpl");
-    }));
-    this.tabId = Math.random().toString(36).slice(2);
-    if (typeof BroadcastChannel !== "undefined") {
-      const name = options.channelName ?? `iqauth.${parsed.appId}`;
-      try {
-        this.channel = new BroadcastChannel(name);
-        this.channel.onmessage = (ev) => this.onBroadcast(ev.data);
-      } catch {
-        this.channel = null;
-      }
-    }
+async function s256Challenge(verifier) {
+  const data = new TextEncoder().encode(verifier);
+  const digest = await getCrypto().subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+async function createPkcePair() {
+  const codeVerifier = randomUrlSafe(32);
+  const codeChallenge = await s256Challenge(codeVerifier);
+  const state = randomUrlSafe(16);
+  const nonce = randomUrlSafe(16);
+  return { codeVerifier, codeChallenge, state, nonce };
+}
+var init_pkce = __esm({
+  "src/browser/pkce.ts"() {
+    "use strict";
   }
-  get publishableKey() {
-    return this.key;
+});
+
+// src/browser/signIn.ts
+var signIn_exports = {};
+__export(signIn_exports, {
+  buildSignInUrl: () => buildSignInUrl,
+  handleAuthCallback: () => handleAuthCallback,
+  redirectToSignIn: () => redirectToSignIn,
+  signIn: () => signIn,
+  signOut: () => signOut
+});
+function defaultRedirectUri() {
+  if (typeof window === "undefined") {
+    throw new Error("redirectToSignIn requires a browser environment (window)");
   }
-  get appKey() {
-    return this.key.appId;
+  return `${window.location.origin}${DEFAULT_CALLBACK_PATH}`;
+}
+function defaultReturnTo() {
+  if (typeof window === "undefined") return "/";
+  return window.location.href;
+}
+async function buildSignInUrl(manager, opts = {}) {
+  const pkce = await createPkcePair();
+  const redirectUri = opts.redirectUri ?? defaultRedirectUri();
+  const returnTo = opts.returnTo ?? defaultReturnTo();
+  savePkce({
+    codeVerifier: pkce.codeVerifier,
+    state: pkce.state,
+    nonce: pkce.nonce,
+    redirectUri,
+    appKey: manager.publishableKey.raw,
+    returnTo,
+    createdAt: Date.now()
+  });
+  const url2 = new URL(opts.signInPath ?? DEFAULT_SIGN_IN_PATH, manager.issuerUrl);
+  url2.searchParams.set("response_type", "code");
+  url2.searchParams.set("app", manager.appKey);
+  url2.searchParams.set("publishable_key", manager.publishableKey.raw);
+  url2.searchParams.set("redirect_uri", redirectUri);
+  url2.searchParams.set("state", pkce.state);
+  url2.searchParams.set("nonce", pkce.nonce);
+  url2.searchParams.set("code_challenge", pkce.codeChallenge);
+  url2.searchParams.set("code_challenge_method", "S256");
+  url2.searchParams.set("scope", opts.scope ?? "openid profile email");
+  url2.searchParams.set("return_to", returnTo);
+  if (opts.prompt) url2.searchParams.set("prompt", opts.prompt);
+  return url2.toString();
+}
+async function redirectToSignIn(manager, opts = {}) {
+  const url2 = await buildSignInUrl(manager, opts);
+  if (typeof window === "undefined") {
+    throw new Error("redirectToSignIn requires a browser environment");
   }
-  get tenantIdFromKey() {
-    return this.key.tenantId;
+  window.location.assign(url2);
+}
+async function signIn(manager, opts = {}) {
+  return redirectToSignIn(manager, opts);
+}
+async function handleAuthCallback(manager, options = {}) {
+  const url2 = new URL(options.url ?? (typeof window !== "undefined" ? window.location.href : ""));
+  const code = url2.searchParams.get("code");
+  const state = url2.searchParams.get("state");
+  const errorParam = url2.searchParams.get("error");
+  if (errorParam) {
+    return { ok: false, returnTo: "/", error: errorParam };
   }
-  get issuerUrl() {
-    return this.issuer;
+  if (!code || !state) {
+    return { ok: false, returnTo: "/", error: "missing_code_or_state" };
   }
-  getSnapshot() {
+  const record = loadPkce(state);
+  if (!record) {
+    return { ok: false, returnTo: "/", error: "unknown_state" };
+  }
+  clearPkce(state);
+  const fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : null);
+  if (!fetchImpl) {
+    return { ok: false, returnTo: record.returnTo, error: "no_fetch" };
+  }
+  const tokenUrl = `${manager.issuerUrl}${options.tokenPath ?? DEFAULT_TOKEN_PATH}`;
+  const res = await fetchImpl(tokenUrl, {
+    method: "POST",
+    credentials: "include",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: record.redirectUri,
+      client_id: manager.appKey,
+      code_verifier: record.codeVerifier
+    })
+  });
+  const body = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    const desc = body.error_description ?? body.error ?? "token_exchange_failed";
+    return { ok: false, returnTo: record.returnTo, error: desc };
+  }
+  const tokens = body;
+  if (!tokens.access_token) {
+    return { ok: false, returnTo: record.returnTo, error: "missing_access_token" };
+  }
+  if (tokens.refresh_token) {
+    const cookieName = options.cookieNames?.refresh ?? manager.refreshCookie ?? REFRESH_COOKIE;
+    setCookie(cookieName, tokens.refresh_token, { maxAgeSeconds: 60 * 60 * 24 * 30 });
+  }
+  manager.applyAccessToken(tokens.access_token, tokens.refresh_token);
+  return { ok: true, returnTo: record.returnTo };
+}
+async function signOut(manager, opts = {}) {
+  if (!opts.localOnly) {
+    const issuer = manager.issuerUrl.replace(/\/$/, "");
+    try {
+      const url2 = `${issuer}${opts.logoutPath ?? DEFAULT_LOGOUT_PATH}`;
+      await manager.fetch(url2, { method: "POST" }).catch(() => void 0);
+    } catch {
+    }
+    if (opts.endSsoSession !== false) {
+      try {
+        await fetch(`${issuer}${DEFAULT_SSO_LOGOUT_PATH}`, {
+          method: "POST",
+          credentials: "include"
+        }).catch(() => void 0);
+      } catch {
+      }
+    }
+  }
+  clearCookie(manager.refreshCookie ?? REFRESH_COOKIE);
+  manager.signOutLocal();
+  if (opts.returnTo && typeof window !== "undefined") {
+    window.location.assign(opts.returnTo);
+  }
+}
+var DEFAULT_SIGN_IN_PATH, DEFAULT_LOGOUT_PATH, DEFAULT_SSO_LOGOUT_PATH, DEFAULT_TOKEN_PATH, DEFAULT_CALLBACK_PATH;
+var init_signIn = __esm({
+  "src/browser/signIn.ts"() {
+    "use strict";
+    init_pkce();
+    init_storage();
+    DEFAULT_SIGN_IN_PATH = "/sign-in";
+    DEFAULT_LOGOUT_PATH = "/api/v1/auth/logout";
+    DEFAULT_SSO_LOGOUT_PATH = "/oidc/sso-logout";
+    DEFAULT_TOKEN_PATH = "/oidc/token";
+    DEFAULT_CALLBACK_PATH = "/auth/callback";
+  }
+});
+
+// ../../node_modules/@simplewebauthn/browser/dist/bundle/index.js
+var bundle_exports = {};
+__export(bundle_exports, {
+  WebAuthnAbortService: () => WebAuthnAbortService,
+  WebAuthnError: () => WebAuthnError,
+  base64URLStringToBuffer: () => base64URLStringToBuffer,
+  browserSupportsWebAuthn: () => browserSupportsWebAuthn,
+  browserSupportsWebAuthnAutofill: () => browserSupportsWebAuthnAutofill,
+  bufferToBase64URLString: () => bufferToBase64URLString,
+  platformAuthenticatorIsAvailable: () => platformAuthenticatorIsAvailable,
+  startAuthentication: () => startAuthentication,
+  startRegistration: () => startRegistration
+});
+function bufferToBase64URLString(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let str = "";
+  for (const charCode of bytes) {
+    str += String.fromCharCode(charCode);
+  }
+  const base64String = btoa(str);
+  return base64String.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64URLStringToBuffer(base64URLString) {
+  const base64 = base64URLString.replace(/-/g, "+").replace(/_/g, "/");
+  const padLength = (4 - base64.length % 4) % 4;
+  const padded = base64.padEnd(base64.length + padLength, "=");
+  const binary = atob(padded);
+  const buffer = new ArrayBuffer(binary.length);
+  const bytes = new Uint8Array(buffer);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return buffer;
+}
+function browserSupportsWebAuthn() {
+  return window?.PublicKeyCredential !== void 0 && typeof window.PublicKeyCredential === "function";
+}
+function toPublicKeyCredentialDescriptor(descriptor) {
+  const { id } = descriptor;
+  return {
+    ...descriptor,
+    id: base64URLStringToBuffer(id),
+    transports: descriptor.transports
+  };
+}
+function isValidDomain(hostname) {
+  return hostname === "localhost" || /^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i.test(hostname);
+}
+function identifyRegistrationError({ error, options }) {
+  const { publicKey } = options;
+  if (!publicKey) {
+    throw Error("options was missing required publicKey property");
+  }
+  if (error.name === "AbortError") {
+    if (options.signal instanceof AbortSignal) {
+      return new WebAuthnError({
+        message: "Registration ceremony was sent an abort signal",
+        code: "ERROR_CEREMONY_ABORTED",
+        cause: error
+      });
+    }
+  } else if (error.name === "ConstraintError") {
+    if (publicKey.authenticatorSelection?.requireResidentKey === true) {
+      return new WebAuthnError({
+        message: "Discoverable credentials were required but no available authenticator supported it",
+        code: "ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT",
+        cause: error
+      });
+    } else if (options.mediation === "conditional" && publicKey.authenticatorSelection?.userVerification === "required") {
+      return new WebAuthnError({
+        message: "User verification was required during automatic registration but it could not be performed",
+        code: "ERROR_AUTO_REGISTER_USER_VERIFICATION_FAILURE",
+        cause: error
+      });
+    } else if (publicKey.authenticatorSelection?.userVerification === "required") {
+      return new WebAuthnError({
+        message: "User verification was required but no available authenticator supported it",
+        code: "ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT",
+        cause: error
+      });
+    }
+  } else if (error.name === "InvalidStateError") {
+    return new WebAuthnError({
+      message: "The authenticator was previously registered",
+      code: "ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED",
+      cause: error
+    });
+  } else if (error.name === "NotAllowedError") {
+    return new WebAuthnError({
+      message: error.message,
+      code: "ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",
+      cause: error
+    });
+  } else if (error.name === "NotSupportedError") {
+    const validPubKeyCredParams = publicKey.pubKeyCredParams.filter((param) => param.type === "public-key");
+    if (validPubKeyCredParams.length === 0) {
+      return new WebAuthnError({
+        message: 'No entry in pubKeyCredParams was of type "public-key"',
+        code: "ERROR_MALFORMED_PUBKEYCREDPARAMS",
+        cause: error
+      });
+    }
+    return new WebAuthnError({
+      message: "No available authenticator supported any of the specified pubKeyCredParams algorithms",
+      code: "ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG",
+      cause: error
+    });
+  } else if (error.name === "SecurityError") {
+    const effectiveDomain = window.location.hostname;
+    if (!isValidDomain(effectiveDomain)) {
+      return new WebAuthnError({
+        message: `${window.location.hostname} is an invalid domain`,
+        code: "ERROR_INVALID_DOMAIN",
+        cause: error
+      });
+    } else if (publicKey.rp.id !== effectiveDomain) {
+      return new WebAuthnError({
+        message: `The RP ID "${publicKey.rp.id}" is invalid for this domain`,
+        code: "ERROR_INVALID_RP_ID",
+        cause: error
+      });
+    }
+  } else if (error.name === "TypeError") {
+    if (publicKey.user.id.byteLength < 1 || publicKey.user.id.byteLength > 64) {
+      return new WebAuthnError({
+        message: "User ID was not between 1 and 64 characters",
+        code: "ERROR_INVALID_USER_ID_LENGTH",
+        cause: error
+      });
+    }
+  } else if (error.name === "UnknownError") {
+    return new WebAuthnError({
+      message: "The authenticator was unable to process the specified options, or could not create a new credential",
+      code: "ERROR_AUTHENTICATOR_GENERAL_ERROR",
+      cause: error
+    });
+  }
+  return error;
+}
+function toAuthenticatorAttachment(attachment) {
+  if (!attachment) {
+    return;
+  }
+  if (attachments.indexOf(attachment) < 0) {
+    return;
+  }
+  return attachment;
+}
+async function startRegistration(options) {
+  const { optionsJSON, useAutoRegister = false } = options;
+  if (!browserSupportsWebAuthn()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  const publicKey = {
+    ...optionsJSON,
+    challenge: base64URLStringToBuffer(optionsJSON.challenge),
+    user: {
+      ...optionsJSON.user,
+      id: base64URLStringToBuffer(optionsJSON.user.id)
+    },
+    excludeCredentials: optionsJSON.excludeCredentials?.map(toPublicKeyCredentialDescriptor)
+  };
+  const createOptions = {};
+  if (useAutoRegister) {
+    createOptions.mediation = "conditional";
+  }
+  createOptions.publicKey = publicKey;
+  createOptions.signal = WebAuthnAbortService.createNewAbortSignal();
+  let credential;
+  try {
+    credential = await navigator.credentials.create(createOptions);
+  } catch (err) {
+    throw identifyRegistrationError({ error: err, options: createOptions });
+  }
+  if (!credential) {
+    throw new Error("Registration was not completed");
+  }
+  const { id, rawId, response, type } = credential;
+  let transports = void 0;
+  if (typeof response.getTransports === "function") {
+    transports = response.getTransports();
+  }
+  let responsePublicKeyAlgorithm = void 0;
+  if (typeof response.getPublicKeyAlgorithm === "function") {
+    try {
+      responsePublicKeyAlgorithm = response.getPublicKeyAlgorithm();
+    } catch (error) {
+      warnOnBrokenImplementation("getPublicKeyAlgorithm()", error);
+    }
+  }
+  let responsePublicKey = void 0;
+  if (typeof response.getPublicKey === "function") {
+    try {
+      const _publicKey = response.getPublicKey();
+      if (_publicKey !== null) {
+        responsePublicKey = bufferToBase64URLString(_publicKey);
+      }
+    } catch (error) {
+      warnOnBrokenImplementation("getPublicKey()", error);
+    }
+  }
+  let responseAuthenticatorData;
+  if (typeof response.getAuthenticatorData === "function") {
+    try {
+      responseAuthenticatorData = bufferToBase64URLString(response.getAuthenticatorData());
+    } catch (error) {
+      warnOnBrokenImplementation("getAuthenticatorData()", error);
+    }
+  }
+  return {
+    id,
+    rawId: bufferToBase64URLString(rawId),
+    response: {
+      attestationObject: bufferToBase64URLString(response.attestationObject),
+      clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
+      transports,
+      publicKeyAlgorithm: responsePublicKeyAlgorithm,
+      publicKey: responsePublicKey,
+      authenticatorData: responseAuthenticatorData
+    },
+    type,
+    clientExtensionResults: credential.getClientExtensionResults(),
+    authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment)
+  };
+}
+function warnOnBrokenImplementation(methodName, cause) {
+  console.warn(`The browser extension that intercepted this WebAuthn API call incorrectly implemented ${methodName}. You should report this error to them.
+`, cause);
+}
+function browserSupportsWebAuthnAutofill() {
+  if (!browserSupportsWebAuthn()) {
+    return new Promise((resolve) => resolve(false));
+  }
+  const globalPublicKeyCredential = window.PublicKeyCredential;
+  if (globalPublicKeyCredential.isConditionalMediationAvailable === void 0) {
+    return new Promise((resolve) => resolve(false));
+  }
+  return globalPublicKeyCredential.isConditionalMediationAvailable();
+}
+function identifyAuthenticationError({ error, options }) {
+  const { publicKey } = options;
+  if (!publicKey) {
+    throw Error("options was missing required publicKey property");
+  }
+  if (error.name === "AbortError") {
+    if (options.signal instanceof AbortSignal) {
+      return new WebAuthnError({
+        message: "Authentication ceremony was sent an abort signal",
+        code: "ERROR_CEREMONY_ABORTED",
+        cause: error
+      });
+    }
+  } else if (error.name === "NotAllowedError") {
+    return new WebAuthnError({
+      message: error.message,
+      code: "ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",
+      cause: error
+    });
+  } else if (error.name === "SecurityError") {
+    const effectiveDomain = window.location.hostname;
+    if (!isValidDomain(effectiveDomain)) {
+      return new WebAuthnError({
+        message: `${window.location.hostname} is an invalid domain`,
+        code: "ERROR_INVALID_DOMAIN",
+        cause: error
+      });
+    } else if (publicKey.rpId !== effectiveDomain) {
+      return new WebAuthnError({
+        message: `The RP ID "${publicKey.rpId}" is invalid for this domain`,
+        code: "ERROR_INVALID_RP_ID",
+        cause: error
+      });
+    }
+  } else if (error.name === "UnknownError") {
+    return new WebAuthnError({
+      message: "The authenticator was unable to process the specified options, or could not create a new assertion signature",
+      code: "ERROR_AUTHENTICATOR_GENERAL_ERROR",
+      cause: error
+    });
+  }
+  return error;
+}
+async function startAuthentication(options) {
+  const { optionsJSON, useBrowserAutofill = false, verifyBrowserAutofillInput = true } = options;
+  if (!browserSupportsWebAuthn()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  let allowCredentials;
+  if (optionsJSON.allowCredentials?.length !== 0) {
+    allowCredentials = optionsJSON.allowCredentials?.map(toPublicKeyCredentialDescriptor);
+  }
+  const publicKey = {
+    ...optionsJSON,
+    challenge: base64URLStringToBuffer(optionsJSON.challenge),
+    allowCredentials
+  };
+  const getOptions = {};
+  if (useBrowserAutofill) {
+    if (!await browserSupportsWebAuthnAutofill()) {
+      throw Error("Browser does not support WebAuthn autofill");
+    }
+    const eligibleInputs = document.querySelectorAll("input[autocomplete$='webauthn']");
+    if (eligibleInputs.length < 1 && verifyBrowserAutofillInput) {
+      throw Error('No <input> with "webauthn" as the only or last value in its `autocomplete` attribute was detected');
+    }
+    getOptions.mediation = "conditional";
+    publicKey.allowCredentials = [];
+  }
+  getOptions.publicKey = publicKey;
+  getOptions.signal = WebAuthnAbortService.createNewAbortSignal();
+  let credential;
+  try {
+    credential = await navigator.credentials.get(getOptions);
+  } catch (err) {
+    throw identifyAuthenticationError({ error: err, options: getOptions });
+  }
+  if (!credential) {
+    throw new Error("Authentication was not completed");
+  }
+  const { id, rawId, response, type } = credential;
+  let userHandle = void 0;
+  if (response.userHandle) {
+    userHandle = bufferToBase64URLString(response.userHandle);
+  }
+  return {
+    id,
+    rawId: bufferToBase64URLString(rawId),
+    response: {
+      authenticatorData: bufferToBase64URLString(response.authenticatorData),
+      clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
+      signature: bufferToBase64URLString(response.signature),
+      userHandle
+    },
+    type,
+    clientExtensionResults: credential.getClientExtensionResults(),
+    authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment)
+  };
+}
+function platformAuthenticatorIsAvailable() {
+  if (!browserSupportsWebAuthn()) {
+    return new Promise((resolve) => resolve(false));
+  }
+  return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
+}
+var WebAuthnError, BaseWebAuthnAbortService, WebAuthnAbortService, attachments;
+var init_bundle = __esm({
+  "../../node_modules/@simplewebauthn/browser/dist/bundle/index.js"() {
+    "use strict";
+    WebAuthnError = class extends Error {
+      constructor({ message, code, cause, name }) {
+        super(message, { cause });
+        this.name = name ?? cause.name;
+        this.code = code;
+      }
+    };
+    BaseWebAuthnAbortService = class {
+      createNewAbortSignal() {
+        if (this.controller) {
+          const abortError = new Error("Cancelling existing WebAuthn API call for new one");
+          abortError.name = "AbortError";
+          this.controller.abort(abortError);
+        }
+        const newController = new AbortController();
+        this.controller = newController;
+        return newController.signal;
+      }
+      cancelCeremony() {
+        if (this.controller) {
+          const abortError = new Error("Manually cancelling existing WebAuthn API call");
+          abortError.name = "AbortError";
+          this.controller.abort(abortError);
+          this.controller = void 0;
+        }
+      }
+    };
+    WebAuthnAbortService = new BaseWebAuthnAbortService();
+    attachments = ["cross-platform", "platform"];
+  }
+});
+
+// src/browser/reverify.ts
+var reverify_exports = {};
+__export(reverify_exports, {
+  PRIOR_SESSION_STORAGE_KEY: () => PRIOR_SESSION_STORAGE_KEY,
+  enterImpersonation: () => enterImpersonation,
+  exitImpersonation: () => exitImpersonation,
+  reverify: () => reverify,
+  withReverification: () => withReverification
+});
+function enterImpersonation(manager, actorAccessToken) {
+  if (typeof window === "undefined") return;
+  const current = manager.getSnapshot().accessToken;
+  if (current) {
+    const envelope = { accessToken: current, savedAt: Date.now() };
+    try {
+      window.sessionStorage.setItem(PRIOR_SESSION_STORAGE_KEY, JSON.stringify(envelope));
+    } catch {
+    }
+  }
+  manager.applyAccessToken(actorAccessToken);
+}
+function exitImpersonation(manager) {
+  if (typeof window === "undefined") return false;
+  let raw = null;
+  try {
+    raw = window.sessionStorage.getItem(PRIOR_SESSION_STORAGE_KEY);
+  } catch {
+    return false;
+  }
+  if (!raw) return false;
+  try {
+    const envelope = JSON.parse(raw);
+    if (!envelope?.accessToken) return false;
+    manager.applyAccessToken(envelope.accessToken);
+    return true;
+  } catch {
+    return false;
+  } finally {
+    try {
+      window.sessionStorage.removeItem(PRIOR_SESSION_STORAGE_KEY);
+    } catch {
+    }
+  }
+}
+async function reverify(manager, input, options = {}) {
+  if (input.level === "password" && !input.password) {
+    throw new IQAuthError("MISSING_PASSWORD", "password is required for level=password");
+  }
+  if (input.level === "mfa" && !input.totp) {
+    throw new IQAuthError("MISSING_CODE", "totp code is required for level=mfa");
+  }
+  const issuer = manager.issuerUrl.replace(/\/$/, "");
+  const url2 = `${issuer}${options.path ?? DEFAULT_REVERIFY_PATH}`;
+  const res = await manager.fetch(url2, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(input)
+  });
+  let payload = null;
+  try {
+    payload = await res.json();
+  } catch {
+  }
+  if (!res.ok || !payload?.success) {
+    const code = payload?.error?.code ?? "REVERIFICATION_FAILED";
+    const message = payload?.error?.message ?? `reverification failed (${res.status})`;
+    throw new IQAuthError(code, message);
+  }
+  return {
+    token: payload.data.reverificationToken,
+    level: payload.data.level,
+    expiresAt: new Date(payload.data.expiresAt)
+  };
+}
+function withReverification(manager, token) {
+  let used = false;
+  return async (input, init = {}) => {
+    if (used) throw new IQAuthError("REVERIFICATION_USED", "Reverification token already consumed");
+    used = true;
+    const headers2 = new Headers(init.headers);
+    headers2.set("X-Reverification-Token", token);
+    return manager.fetch(input, { ...init, headers: headers2 });
+  };
+}
+var PRIOR_SESSION_STORAGE_KEY, DEFAULT_REVERIFY_PATH;
+var init_reverify = __esm({
+  "src/browser/reverify.ts"() {
+    "use strict";
+    init_errors();
+    PRIOR_SESSION_STORAGE_KEY = "iqauth_prior_admin_session";
+    DEFAULT_REVERIFY_PATH = "/api/v1/auth/reverify";
+  }
+});
+
+// src/react.ts
+var react_exports = {};
+__export(react_exports, {
+  AuthCallback: () => AuthCallback,
+  CreateOrganization: () => CreateOrganization,
+  IQAuthLoaded: () => IQAuthLoaded,
+  IQAuthLoading: () => IQAuthLoading,
+  IQAuthProvider: () => IQAuthProvider,
+  IQAuthReturnToBouncer: () => IQAuthReturnToBouncer,
+  ImpersonationBanner: () => ImpersonationBanner,
+  LinkedAccounts: () => LinkedAccounts,
+  MagicLinkSignInForm: () => MagicLinkSignInForm,
+  MultisessionAppSupport: () => MultisessionAppSupport,
+  OrganizationList: () => OrganizationList,
+  OrganizationProfile: () => OrganizationProfile,
+  OrganizationSwitcher: () => OrganizationSwitcher,
+  PasskeySignInButton: () => PasskeySignInButton,
+  Protect: () => Protect,
+  RedirectToSignIn: () => RedirectToSignIn,
+  RedirectToSignedIn: () => RedirectToSignedIn,
+  SignIn: () => SignIn,
+  SignUp: () => SignUp,
+  SignedIn: () => SignedIn,
+  SignedOut: () => SignedOut,
+  UserButton: () => UserButton,
+  UserProfile: () => UserProfile,
+  Waitlist: () => Waitlist,
+  __version__: () => __version__,
+  isReturnToAllowed: () => isReturnToAllowed,
+  isSilentSsoEligible: () => isSilentSsoEligible,
+  preflightReturnTo: () => preflightReturnTo,
+  revokeSession: () => revokeSession,
+  sanitizeBrandCss: () => sanitizeBrandCss,
+  sanitizeReturnTo: () => sanitizeReturnTo,
+  slugify: () => slugify,
+  useAccountList: () => useAccountList,
+  useAccountSwitcher: () => useAccountSwitcher,
+  useAuth: () => useAuth,
+  useAuthFetch: () => useAuthFetch,
+  useIQAuthSignInContext: () => useIQAuthSignInContext,
+  useImpersonation: () => useImpersonation,
+  useLinkedIdentities: () => useLinkedIdentities,
+  useLocale: () => useLocale,
+  useMagicLink: () => useMagicLink,
+  useOrganization: () => useOrganization,
+  usePasskey: () => usePasskey,
+  useResolvedSdkBranding: () => useResolvedSdkBranding,
+  useReturnTo: () => useReturnTo,
+  useReverification: () => useReverification,
+  useSession: () => useSession,
+  useSessionList: () => useSessionList,
+  useT: () => useT,
+  useUser: () => useUser
+});
+module.exports = __toCommonJS(react_exports);
+
+// src/react/index.tsx
+var import_react = require("react");
+
+// src/browser/sessionManager.ts
+init_errors();
+
+// src/publishableKey.ts
+init_errors();
+function b64urlDecode(input) {
+  const pad = input.length % 4 === 0 ? "" : "=".repeat(4 - input.length % 4);
+  const normalized = input.replace(/-/g, "+").replace(/_/g, "/") + pad;
+  if (typeof atob === "function") {
+    const bin = atob(normalized);
+    const bytes = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
+    return new TextDecoder().decode(bytes);
+  }
+  const { Buffer: Buffer2 } = require("buffer");
+  return Buffer2.from(normalized, "base64").toString("utf8");
+}
+function isValidIssuerUrl(iss) {
+  if (typeof iss !== "string" || iss.length === 0) return false;
+  if (!iss.startsWith("http://") && !iss.startsWith("https://")) return false;
+  try {
+    const u = new URL(iss);
+    if (u.protocol !== "http:" && u.protocol !== "https:") return false;
+    if (!u.hostname) return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
+function assertPublishableKey(raw, opts) {
+  const ctx = opts?.context ? `${opts.context}: ` : "";
+  if (typeof raw !== "string" || raw.length === 0) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is missing. Set IQAUTH_PUBLISHABLE_KEY (or pass publishableKey) to a pk_test_\u2026 or pk_live_\u2026 value from the IQAuth admin console.`
+    );
+  }
+  const shapeMatch = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
+  if (!shapeMatch) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is malformed (got ${raw.slice(0, 12)}\u2026). Expected pk_test_\u2026 or pk_live_\u2026; regenerate the key from the IQAuth admin console.`
+    );
+  }
+  let decoded;
+  try {
+    decoded = JSON.parse(b64urlDecode(shapeMatch[2]));
+  } catch {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is not valid base64url JSON. Regenerate the key from the IQAuth admin console.`
+    );
+  }
+  if (!isPublishableKeyPayload(decoded)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is missing required fields {iss, appId, tenantId, kid}. Regenerate the key from the IQAuth admin console.`
+    );
+  }
+  if (!isValidIssuerUrl(decoded.iss)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
+    );
+  }
+  return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
+}
+function isPublishableKeyPayload(value) {
+  if (!value || typeof value !== "object") return false;
+  const v = value;
+  return typeof v.iss === "string" && typeof v.appId === "string" && typeof v.tenantId === "string" && typeof v.kid === "string";
+}
+
+// src/browser/sessionManager.ts
+init_storage();
+var DEFAULT_REFRESH_PATH = "/api/v1/auth/refresh";
+var DEFAULT_USERINFO_PATH = "/api/v1/auth/me";
+async function readAuthErrorCode(res) {
+  try {
+    const cloned = res.clone();
+    const data = await cloned.json().catch(() => null);
+    if (!data || typeof data !== "object") return null;
+    const err = data.error;
+    if (err && typeof err.code === "string") {
+      return { code: err.code, message: typeof err.message === "string" ? err.message : void 0 };
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function decodeClaims(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const json = typeof atob === "function" ? decodeURIComponent(
+      atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")).split("").map((c) => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join("")
+    ) : Buffer.from(parts[1], "base64url").toString("utf8");
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
+function claimsToSessionUser(claims) {
+  if (!claims) return null;
+  return {
+    sub: claims.sub,
+    email: claims.email,
+    name: claims.name,
+    tenantId: claims.tenantId,
+    vendorId: claims.vendorId,
+    roles: claims.roles ?? [],
+    entitlements: claims.entitlements ?? []
+  };
+}
+var EMPTY = {
+  status: "loading",
+  accessToken: null,
+  user: null,
+  claims: null,
+  tenantId: null,
+  error: null,
+  version: 0
+};
+function defaultCookieStore(name = REFRESH_COOKIE) {
+  return {
+    read: () => getCookie(name),
+    write: (token) => setCookie(name, token, { maxAgeSeconds: 60 * 60 * 24 * 30 }),
+    clear: () => clearCookie(name)
+  };
+}
+var NO_OP_STORE = {
+  read: () => null,
+  write: () => void 0,
+  clear: () => void 0
+};
+var SessionManager = class {
+  constructor(options) {
+    this.snapshot = { ...EMPTY };
+    this.listeners = /* @__PURE__ */ new Set();
+    this.refreshPromise = null;
+    this.channel = null;
+    this.proactiveTimer = null;
+    this.bootstrapped = false;
+    /** Pending refresh awaited by other tabs after a `refresh:claim` from us. */
+    this.remoteRefreshWaiters = [];
+    /** Active claims by other tabs (keyed by source tabId). */
+    this.foreignClaim = null;
+    const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/browser SessionManager" });
+    this.key = parsed;
+    const inferred = options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`);
+    this.issuer = inferred.replace(/\/+$/, "");
+    this.refreshPath = options.refreshPath ?? DEFAULT_REFRESH_PATH;
+    this.userinfoPath = options.userinfoPath ?? DEFAULT_USERINFO_PATH;
+    this.useCookies = options.useCookies ?? true;
+    this.serverManagedSession = options.serverManagedSession ?? false;
+    this.proactiveRefresh = this.serverManagedSession ? false : options.proactiveRefresh ?? true;
+    this.refreshCookieName = options.cookieNames?.refresh ?? REFRESH_COOKIE;
+    this.tokenStore = options.tokenStore ?? (this.serverManagedSession ? NO_OP_STORE : this.useCookies ? defaultCookieStore(this.refreshCookieName) : NO_OP_STORE);
+    this.crossTabLockTimeoutMs = options.crossTabLockTimeoutMs ?? 4e3;
+    this.fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : (() => {
+      throw new Error("global fetch is not available; pass fetchImpl");
+    }));
+    this.tabId = Math.random().toString(36).slice(2);
+    if (typeof BroadcastChannel !== "undefined") {
+      const name = options.channelName ?? `iqauth.${parsed.appId}`;
+      try {
+        this.channel = new BroadcastChannel(name);
+        this.channel.onmessage = (ev) => this.onBroadcast(ev.data);
+      } catch {
+        this.channel = null;
+      }
+    }
+  }
+  get publishableKey() {
+    return this.key;
+  }
+  get appKey() {
+    return this.key.appId;
+  }
+  get tenantIdFromKey() {
+    return this.key.tenantId;
+  }
+  get issuerUrl() {
+    return this.issuer;
+  }
+  /** Cookie name the SDK uses for the refresh token (overridable via `cookieNames.refresh`). */
+  get refreshCookie() {
+    return this.refreshCookieName;
+  }
+  getSnapshot() {
     return this.snapshot;
   }
   subscribe(listener) {
@@ -391,7 +1111,7 @@ var SessionManager = class {
         return false;
       }
       if (data.refreshToken) {
-        await Promise.resolve(this.tokenStore.write(data.refreshToken));
+        await Promise.resolve(this.tokenStore.write(data.refreshToken, { claims: decodeClaims(data.accessToken) }));
       }
       this.applyAccessToken(data.accessToken);
       this.broadcast("session:refresh");
@@ -435,7 +1155,7 @@ var SessionManager = class {
     const claims = decodeClaims(accessToken);
     const user = claimsToSessionUser(claims);
     if (refreshToken) {
-      void Promise.resolve(this.tokenStore.write(refreshToken));
+      void Promise.resolve(this.tokenStore.write(refreshToken, { claims }));
     }
     this.update({
       status: user ? "authenticated" : "unauthenticated",
@@ -469,33 +1189,39 @@ var SessionManager = class {
    */
   async fetch(input, init = {}) {
     const exec = async (token2) => {
-      const headers = new Headers(init.headers || {});
-      if (token2) headers.set("Authorization", `Bearer ${token2}`);
+      const headers2 = new Headers(init.headers || {});
+      if (token2) headers2.set("Authorization", `Bearer ${token2}`);
       return this.fetchImpl(input, {
         ...init,
-        headers,
+        headers: headers2,
         credentials: init.credentials ?? "include"
       });
     };
     let token = await this.getToken();
     let res = await exec(token);
     if (res.status !== 401) return res;
+    const initialErr = await readAuthErrorCode(res);
+    if (initialErr && (initialErr.code === "SESSION_EXPIRED_INACTIVITY" || initialErr.code === "SESSION_EXPIRED_MAX_DURATION" || initialErr.code === "SESSION_INVALID")) {
+      this.signOutLocal("unauthenticated");
+      throw new IQAuthError(initialErr.code, initialErr.message || "Session expired", 401);
+    }
     const refreshed = await this.refresh();
     if (!refreshed) {
       this.signOutLocal("unauthenticated");
       throw new IQAuthError(
-        "TOKEN_EXPIRED",
-        "Session refresh failed; user must sign in again",
+        initialErr?.code || "TOKEN_EXPIRED",
+        initialErr?.message || "Session refresh failed; user must sign in again",
         401
       );
     }
     token = this.snapshot.accessToken;
     res = await exec(token);
     if (res.status === 401) {
+      const secondErr = await readAuthErrorCode(res);
       this.signOutLocal("unauthenticated");
       throw new IQAuthError(
-        "TOKEN_EXPIRED",
-        "Authenticated request failed twice with 401; aborting",
+        secondErr?.code || "TOKEN_EXPIRED",
+        secondErr?.message || "Authenticated request failed twice with 401; aborting",
         401
       );
     }
@@ -523,6 +1249,14 @@ var SessionManager = class {
     });
     this.broadcast("session:signout");
   }
+  /**
+   * Replace the refresh-token store at runtime. Used by the F22
+   * `<MultisessionAppSupport>` wrapper to swap in a `MultiAccountTokenStore`
+   * after the manager has already been constructed by `<IQAuthProvider>`.
+   */
+  setTokenStore(store) {
+    this.tokenStore = store;
+  }
   destroy() {
     if (this.proactiveTimer) clearTimeout(this.proactiveTimer);
     this.proactiveTimer = null;
@@ -589,190 +1323,518 @@ var SessionManager = class {
       this.foreignClaim = null;
       return;
     }
-    if (env.type === "session:signout") {
-      this.update({
-        status: "unauthenticated",
-        accessToken: null,
-        user: null,
-        claims: null,
-        tenantId: null,
-        error: null,
-        version: this.snapshot.version + 1
-      });
+    if (env.type === "session:signout") {
+      this.update({
+        status: "unauthenticated",
+        accessToken: null,
+        user: null,
+        claims: null,
+        tenantId: null,
+        error: null,
+        version: this.snapshot.version + 1
+      });
+      return;
+    }
+    if ((env.type === "session:update" || env.type === "session:refresh") && env.payload) {
+      this.update({
+        ...env.payload,
+        version: Math.max(this.snapshot.version, env.payload.version) + 1
+      });
+      if (this.remoteRefreshWaiters.length) {
+        const waiters = this.remoteRefreshWaiters;
+        this.remoteRefreshWaiters = [];
+        for (const w of waiters) w(true);
+      }
+    }
+  }
+};
+
+// src/react/index.tsx
+init_signIn();
+
+// src/browser/accountRegistry.ts
+init_storage();
+var STORAGE_PREFIX = "iqauth.accounts.";
+var COOKIE_PREFIX = "iqauth_rt_";
+var COOKIE_MAX_AGE = 60 * 60 * 24 * 30;
+function isBrowser2() {
+  return typeof window !== "undefined" && typeof localStorage !== "undefined";
+}
+function storageKey(appId) {
+  return STORAGE_PREFIX + appId;
+}
+function readState(appId) {
+  if (!isBrowser2()) return { accounts: [], activeAccountId: null };
+  try {
+    const raw = localStorage.getItem(storageKey(appId));
+    if (!raw) return { accounts: [], activeAccountId: null };
+    const parsed = JSON.parse(raw);
+    return {
+      accounts: Array.isArray(parsed.accounts) ? parsed.accounts : [],
+      activeAccountId: parsed.activeAccountId ?? null
+    };
+  } catch {
+    return { accounts: [], activeAccountId: null };
+  }
+}
+function writeState(appId, state) {
+  if (!isBrowser2()) return;
+  try {
+    localStorage.setItem(storageKey(appId), JSON.stringify(state));
+  } catch {
+  }
+}
+var AccountRegistry = class {
+  constructor(appId) {
+    this.appId = appId;
+    this.listeners = /* @__PURE__ */ new Set();
+    this.storageHandler = null;
+    if (isBrowser2()) {
+      this.storageHandler = (ev) => {
+        if (ev.key === storageKey(this.appId)) {
+          for (const l of this.listeners) l();
+        }
+      };
+      window.addEventListener("storage", this.storageHandler);
+    }
+  }
+  destroy() {
+    if (this.storageHandler && isBrowser2()) {
+      window.removeEventListener("storage", this.storageHandler);
+    }
+    this.listeners.clear();
+  }
+  list() {
+    return readState(this.appId).accounts.slice();
+  }
+  active() {
+    return readState(this.appId).activeAccountId;
+  }
+  get(accountId) {
+    return readState(this.appId).accounts.find((a) => a.accountId === accountId) ?? null;
+  }
+  upsert(rec) {
+    const state = readState(this.appId);
+    const idx = state.accounts.findIndex((a) => a.accountId === rec.accountId);
+    if (idx >= 0) state.accounts[idx] = { ...state.accounts[idx], ...rec };
+    else state.accounts.push(rec);
+    writeState(this.appId, state);
+    this.notify();
+  }
+  setActive(accountId) {
+    const state = readState(this.appId);
+    state.activeAccountId = accountId;
+    writeState(this.appId, state);
+    this.notify();
+  }
+  remove(accountId) {
+    const state = readState(this.appId);
+    state.accounts = state.accounts.filter((a) => a.accountId !== accountId);
+    if (state.activeAccountId === accountId) state.activeAccountId = state.accounts[0]?.accountId ?? null;
+    writeState(this.appId, state);
+    clearCookie(COOKIE_PREFIX + accountId);
+    this.notify();
+  }
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => this.listeners.delete(listener);
+  }
+  /**
+   * Read the refresh token for a specific account from its per-account
+   * cookie. Used by `MultiAccountTokenStore.read()`.
+   */
+  readRefreshToken(accountId) {
+    return getCookie(COOKIE_PREFIX + accountId);
+  }
+  /**
+   * Persist a refresh token to the per-account cookie. Caller is the
+   * SessionManager via `MultiAccountTokenStore.write()`.
+   */
+  writeRefreshToken(accountId, token, opts = {}) {
+    setCookie(COOKIE_PREFIX + accountId, token, { maxAgeSeconds: COOKIE_MAX_AGE, ...opts });
+  }
+  clearRefreshToken(accountId) {
+    clearCookie(COOKIE_PREFIX + accountId);
+  }
+  notify() {
+    for (const l of this.listeners) l();
+  }
+};
+var MultiAccountTokenStore = class {
+  constructor(registry, fallback) {
+    this.registry = registry;
+    this.fallback = fallback;
+  }
+  read() {
+    const id = this.registry.active();
+    if (id) return this.registry.readRefreshToken(id);
+    return this.fallback.read();
+  }
+  write(token, ctx) {
+    let id = this.registry.active();
+    if (!id) {
+      const sub = ctx?.claims?.sub;
+      if (sub) {
+        id = sub;
+        this.registry.setActive(sub);
+      }
+    }
+    if (id) {
+      this.registry.writeRefreshToken(id, token);
       return;
     }
-    if ((env.type === "session:update" || env.type === "session:refresh") && env.payload) {
-      this.update({
-        ...env.payload,
-        version: Math.max(this.snapshot.version, env.payload.version) + 1
-      });
-      if (this.remoteRefreshWaiters.length) {
-        const waiters = this.remoteRefreshWaiters;
-        this.remoteRefreshWaiters = [];
-        for (const w of waiters) w(true);
-      }
+    return this.fallback.write(token);
+  }
+  clear() {
+    const id = this.registry.active();
+    if (id) {
+      this.registry.clearRefreshToken(id);
+      return;
     }
+    return this.fallback.clear();
   }
 };
 
-// src/browser/pkce.ts
-function getCrypto() {
-  if (typeof globalThis !== "undefined" && globalThis.crypto) {
-    return globalThis.crypto;
-  }
-  throw new Error("WebCrypto is not available in this environment");
-}
-function base64UrlEncode(bytes) {
-  let bin = "";
-  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
-  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
-  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-}
-function randomUrlSafe(byteLength = 32) {
-  const bytes = new Uint8Array(byteLength);
-  getCrypto().getRandomValues(bytes);
-  return base64UrlEncode(bytes);
+// src/locales/enUS.ts
+var enUS = {
+  locale: "en-US",
+  "common.loading": "Loading\u2026",
+  "common.submitting": "Submitting\u2026",
+  "common.cancel": "Cancel",
+  "common.continue": "Continue",
+  "common.back": "Back",
+  "common.close": "Close",
+  "common.save": "Save",
+  "common.saving": "Saving\u2026",
+  "common.delete": "Delete",
+  "common.confirm": "Confirm",
+  "common.email": "Email",
+  "common.password": "Password",
+  "common.name": "Name",
+  "common.or": "or",
+  "common.required": "Required",
+  "common.optional": "Optional",
+  "common.retry": "Try again",
+  "signIn.title": "Sign in",
+  "signIn.subtitle": "Welcome back",
+  "signIn.titleWithApp": "Sign in to {appName}",
+  "signIn.emailLabel": "Email",
+  "signIn.emailPlaceholder": "you@company.com",
+  "signIn.passwordLabel": "Password",
+  "signIn.passwordPlaceholder": "Your password",
+  "signIn.submit": "Sign in",
+  "signIn.submitting": "Signing in\u2026",
+  "signIn.continueWithGoogle": "Continue with Google",
+  "signIn.continueWithMagicLink": "Email me a sign-in link",
+  "signIn.continueWithPasskey": "Sign in with passkey",
+  "signIn.forgotPassword": "Forgot password?",
+  "signIn.noAccount": "Don't have an account?",
+  "signIn.signUp": "Sign up",
+  "signIn.resumingSession": "Signing you in\u2026",
+  "signIn.useDifferentAccount": "Use a different account",
+  "signIn.selectTenant": "Choose an organization",
+  "signIn.selectTenantSubtitle": "You belong to multiple organizations. Pick one to continue.",
+  "signIn.dividerOr": "or",
+  "signIn.preparingExperience": "Preparing your sign-in experience.",
+  "signIn.applicationUnavailable": "Application unavailable",
+  "signIn.applicationNotFound": "Application not found",
+  "signIn.invalidRedirect": "Invalid redirect",
+  "signIn.returnUrlNotRegistered": "The return URL is not registered for {appName}. Add the origin to the app's allowed origins.",
+  "signIn.welcomeBackName": "Welcome back, {name}.",
+  "signIn.oneMomentResume": "One moment while we resume your session.",
+  "signIn.notYouUseDifferent": "Not you? Use a different account",
+  "signIn.chooseWorkspace": "Choose a workspace",
+  "signIn.pickTenantToSignIn": "Pick the tenant to sign in to.",
+  "signIn.subtitleHosted": "Use your work email and password to continue.",
+  "signIn.createAccount": "Create account",
+  "signIn.couldntResume": "Couldn't resume your session.",
+  "signUp.title": "Create your account",
+  "signUp.subtitle": "Start in seconds",
+  "signUp.nameLabel": "Full name",
+  "signUp.namePlaceholder": "Jane Doe",
+  "signUp.emailLabel": "Work email",
+  "signUp.passwordLabel": "Password",
+  "signUp.passwordHint": "At least 8 characters.",
+  "signUp.submit": "Create account",
+  "signUp.submitting": "Creating account\u2026",
+  "signUp.haveAccount": "Already have an account?",
+  "signUp.signIn": "Sign in",
+  "signUp.tenantNameLabel": "Organization name",
+  "signUp.tenantNamePlaceholder": "Acme, Inc.",
+  "signUp.legal": "By creating an account you agree to the Terms of Service and Privacy Policy.",
+  "forgotPassword.title": "Reset your password",
+  "forgotPassword.subtitle": "We'll email you a reset link.",
+  "forgotPassword.submit": "Send reset link",
+  "forgotPassword.submitting": "Sending\u2026",
+  "forgotPassword.sent": "Check your inbox for a reset link.",
+  "forgotPassword.backToSignIn": "Back to sign in",
+  "resetPassword.title": "Choose a new password",
+  "resetPassword.newPasswordLabel": "New password",
+  "resetPassword.confirmPasswordLabel": "Confirm new password",
+  "resetPassword.submit": "Update password",
+  "resetPassword.submitting": "Updating\u2026",
+  "resetPassword.success": "Password updated. You can now sign in.",
+  "resetPassword.mismatch": "Passwords do not match.",
+  "mfa.title": "Verify it's you",
+  "mfa.subtitle": "Enter the verification code to continue.",
+  "mfa.totpLabel": "Authenticator code",
+  "mfa.totpPlaceholder": "123456",
+  "mfa.smsLabel": "Text message code",
+  "mfa.emailLabel": "Email code",
+  "mfa.submit": "Verify",
+  "mfa.submitting": "Verifying\u2026",
+  "mfa.useBackupCode": "Use a backup code",
+  "mfa.useAuthenticator": "Use authenticator app",
+  "mfa.useSms": "Use text message",
+  "mfa.useEmail": "Use email",
+  "mfa.resend": "Resend code",
+  "mfa.resent": "Code sent.",
+  "mfa.backupCodeLabel": "Backup code",
+  "userButton.signedInAs": "Signed in as",
+  "userButton.manageAccount": "Manage account",
+  "userButton.switchOrg": "Switch organization",
+  "userButton.signOut": "Sign out",
+  "userProfile.title": "Your account",
+  "userProfile.profileTab": "Profile",
+  "userProfile.securityTab": "Security",
+  "userProfile.sessionsTab": "Devices & sessions",
+  "userProfile.linkedAccountsTab": "Linked accounts",
+  "userProfile.changeName": "Update name",
+  "userProfile.changeEmail": "Change email",
+  "userProfile.changePassword": "Change password",
+  "userProfile.currentPassword": "Current password",
+  "userProfile.newPassword": "New password",
+  "userProfile.confirmPassword": "Confirm new password",
+  "userProfile.passwordUpdated": "Password updated.",
+  "userProfile.mfaSection": "Two-factor authentication",
+  "userProfile.mfaEnable": "Enable two-factor",
+  "userProfile.mfaDisable": "Disable two-factor",
+  "userProfile.sessionsSection": "Active sessions",
+  "userProfile.revokeSession": "Revoke",
+  "userProfile.revokeAllOthers": "Sign out of all other sessions",
+  "userProfile.thisDevice": "This device",
+  "userProfile.sessionsEmpty": "No active sessions.",
+  "userProfile.linkedAccountsEmpty": "No linked accounts.",
+  "userProfile.connectGoogle": "Connect Google",
+  "userProfile.disconnect": "Disconnect",
+  "orgSwitcher.label": "Organization",
+  "orgSwitcher.personal": "Personal account",
+  "orgSwitcher.createNew": "Create organization",
+  "orgSwitcher.manage": "Manage organization",
+  "orgSwitcher.noOrgs": "You don't belong to any organizations yet.",
+  "orgProfile.title": "Organization settings",
+  "orgProfile.generalTab": "General",
+  "orgProfile.membersTab": "Members",
+  "orgProfile.invitationsTab": "Invitations",
+  "orgProfile.dangerTab": "Danger zone",
+  "orgProfile.invite": "Invite member",
+  "orgProfile.inviteEmailLabel": "Email address",
+  "orgProfile.inviteRoleLabel": "Role",
+  "orgProfile.inviteSend": "Send invitation",
+  "orgProfile.inviteSent": "Invitation sent.",
+  "orgProfile.removeMember": "Remove",
+  "orgProfile.deleteOrg": "Permanently delete organization",
+  "orgProfile.deleteOrgConfirm": "Type the organization name to confirm.",
+  "createOrg.title": "Create an organization",
+  "createOrg.nameLabel": "Organization name",
+  "createOrg.submit": "Create",
+  "createOrg.submitting": "Creating\u2026",
+  "waitlist.title": "Join the waitlist",
+  "waitlist.subtitle": "We'll notify you when access opens up.",
+  "waitlist.submit": "Join waitlist",
+  "waitlist.submitting": "Joining\u2026",
+  "waitlist.success": "You're on the list. We'll be in touch.",
+  "impersonation.banner": "Impersonation active \u2014 you are signed in as {targetEmail}.",
+  "impersonation.exit": "Exit impersonation",
+  "magicLink.title": "Check your email",
+  "magicLink.subtitle": "We sent a sign-in link to {email}.",
+  "magicLink.resend": "Resend link",
+  "magicLink.changeEmail": "Use a different email",
+  "errors.generic": "Something went wrong. Please try again.",
+  "errors.network": "Network error. Check your connection and try again.",
+  "errors.invalidCredentials": "Incorrect email or password.",
+  "errors.userNotFound": "No account found for that email.",
+  "errors.emailInUse": "An account already exists for that email.",
+  "errors.weakPassword": "Password is too weak.",
+  "errors.mfaInvalid": "That code didn't work. Try again.",
+  "errors.mfaExpired": "That code has expired. Request a new one.",
+  "errors.tooManyAttempts": "Too many attempts. Please wait and try again.",
+  "errors.sessionExpired": "Your session expired. Please sign in again.",
+  "errors.permissionDenied": "You don't have permission to do that.",
+  "errors.notFound": "Not found.",
+  "errors.serverError": "Server error. Please try again shortly.",
+  "errors.invalidEmail": "Enter a valid email address.",
+  "errors.passwordTooShort": "Password must be at least {min} characters.",
+  "errors.required": "This field is required.",
+  "errors.invitationInvalid": "This invitation link is invalid or expired.",
+  "validation.emailRequired": "Email is required.",
+  "validation.emailInvalid": "Enter a valid email address.",
+  "validation.passwordRequired": "Password is required.",
+  "validation.nameRequired": "Name is required.",
+  "validation.codeRequired": "Verification code is required.",
+  "validation.codeInvalid": "Code must be 6 digits."
+};
+
+// src/locales/index.ts
+var defaultBundle = enUS;
+function t(bundle, key, vars) {
+  const fromBundle = bundle && bundle[key];
+  const raw = typeof fromBundle === "string" && fromBundle || defaultBundle[key];
+  if (!vars) return raw;
+  return raw.replace(/\{(\w+)\}/g, (_match, name) => {
+    const v = vars[name];
+    return v === void 0 || v === null ? `{${name}}` : String(v);
+  });
 }
-async function s256Challenge(verifier) {
-  const data = new TextEncoder().encode(verifier);
-  const digest = await getCrypto().subtle.digest("SHA-256", data);
-  return base64UrlEncode(new Uint8Array(digest));
+function resolveBundle(override) {
+  if (!override) return defaultBundle;
+  return { ...defaultBundle, ...override };
 }
-async function createPkcePair() {
-  const codeVerifier = randomUrlSafe(32);
-  const codeChallenge = await s256Challenge(codeVerifier);
-  const state = randomUrlSafe(16);
-  const nonce = randomUrlSafe(16);
-  return { codeVerifier, codeChallenge, state, nonce };
+var ERROR_CODE_MAP = {
+  INVALID_CREDENTIALS: "errors.invalidCredentials",
+  USER_NOT_FOUND: "errors.userNotFound",
+  EMAIL_IN_USE: "errors.emailInUse",
+  EMAIL_ALREADY_EXISTS: "errors.emailInUse",
+  WEAK_PASSWORD: "errors.weakPassword",
+  MFA_INVALID: "errors.mfaInvalid",
+  MFA_CODE_INVALID: "errors.mfaInvalid",
+  MFA_EXPIRED: "errors.mfaExpired",
+  MFA_CODE_EXPIRED: "errors.mfaExpired",
+  RATE_LIMITED: "errors.tooManyAttempts",
+  TOO_MANY_REQUESTS: "errors.tooManyAttempts",
+  SESSION_EXPIRED: "errors.sessionExpired",
+  TOKEN_EXPIRED: "errors.sessionExpired",
+  FORBIDDEN: "errors.permissionDenied",
+  PERMISSION_DENIED: "errors.permissionDenied",
+  NOT_FOUND: "errors.notFound",
+  INTERNAL_ERROR: "errors.serverError",
+  SERVER_ERROR: "errors.serverError",
+  NETWORK_ERROR: "errors.network",
+  INVITATION_INVALID: "errors.invitationInvalid",
+  INVITATION_EXPIRED: "errors.invitationInvalid"
+};
+function localizeErrorCode(bundle, code, vars) {
+  if (!code) return t(bundle, "errors.generic", vars);
+  const key = ERROR_CODE_MAP[code.toUpperCase()];
+  return key ? t(bundle, key, vars) : t(bundle, "errors.generic", vars);
 }
 
-// src/browser/signIn.ts
-var DEFAULT_SIGN_IN_PATH = "/sign-in";
-var DEFAULT_LOGOUT_PATH = "/api/v1/auth/logout";
-var DEFAULT_SSO_LOGOUT_PATH = "/oidc/sso-logout";
-var DEFAULT_TOKEN_PATH = "/oidc/token";
-var DEFAULT_CALLBACK_PATH = "/auth/callback";
-function defaultRedirectUri() {
-  if (typeof window === "undefined") {
-    throw new Error("redirectToSignIn requires a browser environment (window)");
+// src/browser/returnTo.ts
+function normalizeOrigin(o) {
+  try {
+    return new URL(o).origin;
+  } catch {
+    return o.replace(/\/+$/, "");
   }
-  return `${window.location.origin}${DEFAULT_CALLBACK_PATH}`;
 }
-function defaultReturnTo() {
-  if (typeof window === "undefined") return "/";
-  return window.location.href;
+function sanitizeReturnTo(input, options = {}) {
+  const fallback = options.fallback ?? "/";
+  if (!input || typeof input !== "string") return fallback;
+  const trimmed = input.trim();
+  if (!trimmed) return fallback;
+  if (trimmed.startsWith("//")) return fallback;
+  if (trimmed.startsWith("/") || trimmed.startsWith("#") || trimmed.startsWith("?")) {
+    return trimmed;
+  }
+  if (!/^[a-z][a-z0-9+\-.]*:/i.test(trimmed)) {
+    return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
+  }
+  let parsed;
+  try {
+    parsed = new URL(trimmed);
+  } catch {
+    return fallback;
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return fallback;
+  const currentOrigin = options.currentOrigin ?? (typeof window !== "undefined" ? window.location.origin : "");
+  const allowed = /* @__PURE__ */ new Set();
+  if (currentOrigin) allowed.add(normalizeOrigin(currentOrigin));
+  for (const o of options.allowedOrigins ?? []) allowed.add(normalizeOrigin(o));
+  if (allowed.has(parsed.origin)) return parsed.toString();
+  return fallback;
 }
-async function buildSignInUrl(manager, opts = {}) {
-  const pkce = await createPkcePair();
-  const redirectUri = opts.redirectUri ?? defaultRedirectUri();
-  const returnTo = opts.returnTo ?? defaultReturnTo();
-  savePkce({
-    codeVerifier: pkce.codeVerifier,
-    state: pkce.state,
-    nonce: pkce.nonce,
-    redirectUri,
-    appKey: manager.publishableKey.raw,
-    returnTo,
-    createdAt: Date.now()
-  });
-  const url = new URL(opts.signInPath ?? DEFAULT_SIGN_IN_PATH, manager.issuerUrl);
-  url.searchParams.set("response_type", "code");
-  url.searchParams.set("app", manager.appKey);
-  url.searchParams.set("publishable_key", manager.publishableKey.raw);
-  url.searchParams.set("redirect_uri", redirectUri);
-  url.searchParams.set("state", pkce.state);
-  url.searchParams.set("nonce", pkce.nonce);
-  url.searchParams.set("code_challenge", pkce.codeChallenge);
-  url.searchParams.set("code_challenge_method", "S256");
-  url.searchParams.set("scope", opts.scope ?? "openid profile email");
-  url.searchParams.set("return_to", returnTo);
-  return url.toString();
+function isReturnToAllowed(input, options = {}) {
+  const fallback = options.fallback ?? "/";
+  const out = sanitizeReturnTo(input, options);
+  if (!input) return false;
+  return out !== fallback || input === fallback;
 }
-async function redirectToSignIn(manager, opts = {}) {
-  const url = await buildSignInUrl(manager, opts);
-  if (typeof window === "undefined") {
-    throw new Error("redirectToSignIn requires a browser environment");
-  }
-  window.location.assign(url);
+
+// src/browser/passwordless.ts
+function url(base, path) {
+  return `${base.replace(/\/+$/, "")}${path}`;
 }
-async function signIn(manager, opts = {}) {
-  return redirectToSignIn(manager, opts);
+function headers(o) {
+  const h = { "Content-Type": "application/json" };
+  if (o.cookieSession !== false) h["x-iqauth-session"] = "cookie";
+  return h;
 }
-async function handleAuthCallback(manager, options = {}) {
-  const url = new URL(options.url ?? (typeof window !== "undefined" ? window.location.href : ""));
-  const code = url.searchParams.get("code");
-  const state = url.searchParams.get("state");
-  const errorParam = url.searchParams.get("error");
-  if (errorParam) {
-    return { ok: false, returnTo: "/", error: errorParam };
-  }
-  if (!code || !state) {
-    return { ok: false, returnTo: "/", error: "missing_code_or_state" };
-  }
-  const record = loadPkce(state);
-  if (!record) {
-    return { ok: false, returnTo: "/", error: "unknown_state" };
-  }
-  clearPkce(state);
-  const fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : null);
-  if (!fetchImpl) {
-    return { ok: false, returnTo: record.returnTo, error: "no_fetch" };
-  }
-  const tokenUrl = `${manager.issuerUrl}${options.tokenPath ?? DEFAULT_TOKEN_PATH}`;
-  const res = await fetchImpl(tokenUrl, {
+async function postJson(u, body, h) {
+  const r = await fetch(u, {
     method: "POST",
     credentials: "include",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({
-      grant_type: "authorization_code",
-      code,
-      redirect_uri: record.redirectUri,
-      client_id: manager.appKey,
-      code_verifier: record.codeVerifier
-    })
+    headers: h,
+    body: JSON.stringify(body)
   });
-  const body = await res.json().catch(() => ({}));
-  if (!res.ok) {
-    const desc = body.error_description ?? body.error ?? "token_exchange_failed";
-    return { ok: false, returnTo: record.returnTo, error: desc };
-  }
-  const tokens = body;
-  if (!tokens.access_token) {
-    return { ok: false, returnTo: record.returnTo, error: "missing_access_token" };
-  }
-  if (tokens.refresh_token) {
-    setCookie(REFRESH_COOKIE, tokens.refresh_token, { maxAgeSeconds: 60 * 60 * 24 * 30 });
+  const p = await r.json().catch(() => ({}));
+  if (!r.ok) {
+    const msg = p?.error?.message || `Request failed (${r.status})`;
+    throw new Error(msg);
   }
-  manager.applyAccessToken(tokens.access_token, tokens.refresh_token);
-  return { ok: true, returnTo: record.returnTo };
+  return p.data;
 }
-async function signOut(manager, opts = {}) {
-  if (!opts.localOnly) {
-    const issuer = manager.issuerUrl.replace(/\/$/, "");
-    try {
-      const url = `${issuer}${opts.logoutPath ?? DEFAULT_LOGOUT_PATH}`;
-      await manager.fetch(url, { method: "POST" }).catch(() => void 0);
-    } catch {
-    }
-    if (opts.endSsoSession !== false) {
-      try {
-        await fetch(`${issuer}${DEFAULT_SSO_LOGOUT_PATH}`, {
-          method: "POST",
-          credentials: "include"
-        }).catch(() => void 0);
-      } catch {
-      }
-    }
-  }
-  clearCookie(REFRESH_COOKIE);
-  manager.signOutLocal();
-  if (opts.returnTo && typeof window !== "undefined") {
-    window.location.assign(opts.returnTo);
-  }
+async function requestMagicLink(opts, input) {
+  await postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/magic-link/request"), input, headers(opts));
+  return { ok: true };
+}
+async function beginPasskeyAuthentication(opts, input = {}) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/passkeys/authentication/options"), input, headers(opts));
+}
+async function finishPasskeyAuthentication(opts, response) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/passkeys/authentication/verify"), { response }, headers(opts));
+}
+async function beginPasskeyRegistration(opts) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/passkeys/registration/options"), {}, headers(opts));
+}
+async function finishPasskeyRegistration(opts, response, name) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/passkeys/registration/verify"), { response, name }, headers(opts));
+}
+async function signInWithPasskey(opts, input = {}) {
+  const mod = await Promise.resolve().then(() => (init_bundle(), bundle_exports));
+  const options = await beginPasskeyAuthentication(opts, input);
+  const response = await mod.startAuthentication({ optionsJSON: options });
+  return finishPasskeyAuthentication(opts, response);
+}
+async function enrollPasskey(opts, name) {
+  const mod = await Promise.resolve().then(() => (init_bundle(), bundle_exports));
+  const options = await beginPasskeyRegistration(opts);
+  const response = await mod.startRegistration({ optionsJSON: options });
+  return finishPasskeyRegistration(opts, response, name);
+}
+async function listLinkedIdentities(opts) {
+  const r = await fetch(url(opts.iqAuthBaseUrl, "/api/v1/auth/identities"), { credentials: "include" });
+  const p = await r.json().catch(() => ({}));
+  if (!r.ok) throw new Error(p?.error?.message || `Request failed (${r.status})`);
+  return p?.data?.identities ?? [];
+}
+async function linkProvider(opts, input) {
+  await postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/identities/link"), input, headers(opts));
+  return { ok: true };
+}
+async function unlinkProvider(opts, input) {
+  await postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/identities/unlink"), input, headers(opts));
+  return { ok: true };
 }
 
 // src/react/index.tsx
 var import_jsx_runtime = require("react/jsx-runtime");
+var globalManager = null;
+function setGlobalManager(m) {
+  globalManager = m;
+}
+function getGlobalManager() {
+  return globalManager;
+}
 var IQAuthContext = (0, import_react.createContext)(null);
 function IQAuthProvider({
   publishableKey,
@@ -780,6 +1842,11 @@ function IQAuthProvider({
   channelName,
   proactiveRefresh,
   manager: externalManager,
+  allowedReturnOrigins,
+  appearance,
+  roleMapper,
+  cookieNames,
+  localization,
   children
 }) {
   const managerRef = (0, import_react.useRef)(null);
@@ -788,8 +1855,10 @@ function IQAuthProvider({
       publishableKey,
       issuer,
       channelName,
-      proactiveRefresh
+      proactiveRefresh,
+      cookieNames
     });
+    setGlobalManager(managerRef.current);
   }
   const manager = managerRef.current;
   const subscribe = (0, import_react.useCallback)(
@@ -815,7 +1884,21 @@ function IQAuthProvider({
       }
     };
   }, [manager]);
-  const value = (0, import_react.useMemo)(() => ({ manager, snapshot }), [manager, snapshot]);
+  const resolvedLocalization = (0, import_react.useMemo)(
+    () => resolveBundle(localization),
+    [localization]
+  );
+  const value = (0, import_react.useMemo)(
+    () => ({
+      manager,
+      snapshot,
+      allowedReturnOrigins: allowedReturnOrigins ?? [],
+      appearance: appearance ?? null,
+      roleMapper: roleMapper ?? null,
+      localization: resolvedLocalization
+    }),
+    [manager, snapshot, allowedReturnOrigins, appearance, roleMapper, resolvedLocalization]
+  );
   return (0, import_react.createElement)(IQAuthContext.Provider, { value }, children);
 }
 function useCtx() {
@@ -823,16 +1906,56 @@ function useCtx() {
   if (!ctx) throw new Error("IQAuth hooks must be used inside <IQAuthProvider>");
   return ctx;
 }
+function useLocale() {
+  const ctx = (0, import_react.useContext)(IQAuthContext);
+  return ctx?.localization ?? defaultBundle;
+}
+function useT() {
+  const bundle = useLocale();
+  return (0, import_react.useMemo)(
+    () => (key, vars) => t(bundle, key, vars),
+    [bundle]
+  );
+}
+function localizeError(bundle, raw) {
+  if (!raw) return t(bundle, "errors.generic");
+  if (typeof raw === "string") {
+    if (/^[A-Z][A-Z0-9_]+$/.test(raw)) return localizeErrorCode(bundle, raw);
+    return raw;
+  }
+  if (raw.code) return localizeErrorCode(bundle, raw.code);
+  return raw.message || t(bundle, "errors.generic");
+}
 function useUser() {
-  const { snapshot } = useCtx();
+  const { snapshot, roleMapper } = useCtx();
   return (0, import_react.useMemo)(
-    () => ({
-      isLoaded: snapshot.status !== "loading",
-      isSignedIn: snapshot.status === "authenticated" && !!snapshot.user,
-      user: snapshot.user,
-      error: snapshot.error
-    }),
-    [snapshot.status, snapshot.user, snapshot.error, snapshot.version]
+    () => {
+      const user = snapshot.user ? {
+        ...snapshot.user,
+        // F13 — derive `role` via roleMapper, falling back to a sensible default
+        role: (() => {
+          if (roleMapper) {
+            try {
+              return roleMapper(snapshot.claims);
+            } catch {
+              return null;
+            }
+          }
+          const c = snapshot.claims;
+          if (!c) return null;
+          if (typeof c.role === "string" && c.role) return c.role;
+          if (Array.isArray(c.roles) && c.roles.length > 0 && typeof c.roles[0] === "string") return c.roles[0];
+          return null;
+        })()
+      } : null;
+      return {
+        isLoaded: snapshot.status !== "loading",
+        isSignedIn: snapshot.status === "authenticated" && !!snapshot.user,
+        user,
+        error: snapshot.error
+      };
+    },
+    [snapshot.status, snapshot.user, snapshot.claims, snapshot.error, snapshot.version, roleMapper]
   );
 }
 function useSession() {
@@ -884,6 +2007,148 @@ function useAuthFetch() {
     [manager]
   );
 }
+function useSessionList() {
+  const { manager } = useCtx();
+  const [sessions, setSessions] = (0, import_react.useState)([]);
+  const [loading, setLoading] = (0, import_react.useState)(true);
+  const [error, setError] = (0, import_react.useState)(null);
+  const base = manager.issuerUrl.replace(/\/$/, "");
+  const refresh = (0, import_react.useCallback)(async () => {
+    setLoading(true);
+    setError(null);
+    try {
+      const res = await manager.fetch(`${base}/api/v1/users/me/sessions`);
+      const json = await res.json().catch(() => ({}));
+      if (!res.ok) throw new Error(json?.error?.message || `HTTP ${res.status}`);
+      setSessions(json?.data?.sessions || []);
+    } catch (err) {
+      setError(err.message);
+    } finally {
+      setLoading(false);
+    }
+  }, [manager, base]);
+  (0, import_react.useEffect)(() => {
+    void refresh();
+  }, [refresh]);
+  const revoke = (0, import_react.useCallback)(async (sessionId) => {
+    const res = await manager.fetch(`${base}/api/v1/users/me/sessions/${encodeURIComponent(sessionId)}`, { method: "DELETE" });
+    if (!res.ok) {
+      const j = await res.json().catch(() => ({}));
+      throw new Error(j?.error?.message || `HTTP ${res.status}`);
+    }
+    setSessions((prev) => prev.filter((s) => s.id !== sessionId));
+  }, [manager, base]);
+  const revokeAllOthers = (0, import_react.useCallback)(async () => {
+    const res = await manager.fetch(`${base}/api/v1/users/me/sessions/revoke-all-others`, { method: "POST" });
+    const json = await res.json().catch(() => ({}));
+    if (!res.ok) throw new Error(json?.error?.message || `HTTP ${res.status}`);
+    setSessions((prev) => prev.filter((s) => s.isCurrent));
+    return { terminatedCount: json?.data?.terminatedCount ?? 0 };
+  }, [manager, base]);
+  return { sessions, loading, error, refresh, revoke, revokeAllOthers };
+}
+async function revokeSession(sessionId) {
+  const mgr = getGlobalManager();
+  if (!mgr) throw new Error("revokeSession() requires <IQAuthProvider> mounted");
+  const base = mgr.issuerUrl.replace(/\/$/, "");
+  const res = await mgr.fetch(`${base}/api/v1/users/me/sessions/${encodeURIComponent(sessionId)}`, { method: "DELETE" });
+  if (!res.ok) {
+    const j = await res.json().catch(() => ({}));
+    throw new Error(j?.error?.message || `HTTP ${res.status}`);
+  }
+}
+var MultisessionContext = (0, import_react.createContext)(null);
+function MultisessionAppSupport({ children }) {
+  const { manager, snapshot } = useCtx();
+  const registryRef = (0, import_react.useRef)(null);
+  if (!registryRef.current) {
+    registryRef.current = new AccountRegistry(manager.appKey);
+  }
+  const registry = registryRef.current;
+  const [version, setVersion] = (0, import_react.useState)(0);
+  (0, import_react.useEffect)(() => {
+    const store = new MultiAccountTokenStore(registry, defaultCookieStore());
+    manager.setTokenStore(store);
+    const unsub = registry.subscribe(() => setVersion((v) => v + 1));
+    return () => {
+      unsub();
+      registry.destroy();
+    };
+  }, [manager]);
+  (0, import_react.useEffect)(() => {
+    if (snapshot.status !== "authenticated" || !snapshot.user) return;
+    const claims = snapshot.claims;
+    const rec = {
+      accountId: snapshot.user.sub,
+      userId: snapshot.user.sub,
+      email: snapshot.user.email,
+      name: snapshot.user.name,
+      tenantId: snapshot.tenantId ?? claims?.tenantId ?? null,
+      addedAt: Date.now()
+    };
+    registry.upsert(rec);
+    if (registry.active() !== rec.accountId) {
+      registry.setActive(rec.accountId);
+    }
+  }, [snapshot.user?.sub, snapshot.tenantId, snapshot.status]);
+  const value = (0, import_react.useMemo)(
+    () => ({ registry, version }),
+    [registry, version]
+  );
+  return (0, import_react.createElement)(MultisessionContext.Provider, { value }, children);
+}
+function useMultiCtx() {
+  const ctx = (0, import_react.useContext)(MultisessionContext);
+  if (!ctx) throw new Error("F22 hooks must be used inside <MultisessionAppSupport>");
+  return ctx;
+}
+function useAccountList() {
+  const { registry, version } = useMultiCtx();
+  const { isLoaded } = useUser();
+  const accounts = (0, import_react.useMemo)(() => {
+    const active = registry.active();
+    return registry.list().map((a) => ({
+      accountId: a.accountId,
+      userId: a.userId,
+      email: a.email,
+      name: a.name,
+      tenantId: a.tenantId,
+      isActive: a.accountId === active
+    }));
+  }, [registry, version]);
+  return { accounts, loading: !isLoaded };
+}
+function useAccountSwitcher() {
+  const { manager } = useCtx();
+  const { registry } = useMultiCtx();
+  const addAccount = (0, import_react.useCallback)(
+    async (opts = {}) => {
+      registry.setActive(null);
+      await signIn(manager, { ...opts, prompt: "login" });
+    },
+    [manager, registry]
+  );
+  const switchTo = (0, import_react.useCallback)(
+    async (accountId) => {
+      const target = registry.get(accountId);
+      if (!target) throw new Error(`Unknown accountId: ${accountId}`);
+      registry.setActive(accountId);
+      const ok = await manager.refresh();
+      if (!ok) {
+        registry.remove(accountId);
+        throw new Error("Could not switch account; session may have been revoked");
+      }
+    },
+    [manager, registry]
+  );
+  const removeAccount = (0, import_react.useCallback)(
+    (accountId) => {
+      registry.remove(accountId);
+    },
+    [registry]
+  );
+  return { addAccount, switchTo, removeAccount };
+}
 function SignedIn({ children }) {
   const { isSignedIn, isLoaded } = useUser();
   if (!isLoaded || !isSignedIn) return null;
@@ -947,6 +2212,113 @@ function RedirectToSignIn(props = {}) {
   }
   return null;
 }
+function asArray(v) {
+  if (v == null) return [];
+  return Array.isArray(v) ? v : [v];
+}
+function claimRoles(c) {
+  if (!c) return [];
+  const x = c;
+  if (Array.isArray(x.roles)) return x.roles.filter((r) => typeof r === "string");
+  if (typeof x.role === "string") return [x.role];
+  return [];
+}
+function claimPermissions(c) {
+  if (!c) return [];
+  const x = c;
+  const out = /* @__PURE__ */ new Set();
+  if (Array.isArray(x.permissions)) {
+    for (const p of x.permissions) if (typeof p === "string") out.add(p);
+  }
+  if (Array.isArray(x.entitlements)) {
+    for (const p of x.entitlements) if (typeof p === "string") out.add(p);
+  }
+  if (typeof x.scope === "string") {
+    for (const s of x.scope.split(/\s+/)) if (s) out.add(s);
+  }
+  return Array.from(out);
+}
+function Protect({ role, permission, condition, fallback = null, children }) {
+  const { snapshot } = useCtx();
+  if (snapshot.status !== "authenticated") return (0, import_react.createElement)(import_react.Fragment, null, fallback);
+  const wantedRoles = asArray(role);
+  const wantedPerms = asArray(permission);
+  if (wantedRoles.length) {
+    const have = new Set(claimRoles(snapshot.claims));
+    if (!wantedRoles.some((r) => have.has(r))) return (0, import_react.createElement)(import_react.Fragment, null, fallback);
+  }
+  if (wantedPerms.length) {
+    const have = new Set(claimPermissions(snapshot.claims));
+    if (!wantedPerms.some((p) => have.has(p))) return (0, import_react.createElement)(import_react.Fragment, null, fallback);
+  }
+  if (condition && !condition(snapshot.claims)) return (0, import_react.createElement)(import_react.Fragment, null, fallback);
+  return (0, import_react.createElement)(import_react.Fragment, null, children);
+}
+function RedirectToSignedIn({ to = "/", replace = true } = {}) {
+  const { snapshot, allowedReturnOrigins } = useCtx();
+  (0, import_react.useEffect)(() => {
+    if (snapshot.status !== "authenticated") return;
+    if (typeof window === "undefined") return;
+    const safe = sanitizeReturnTo(to, { allowedOrigins: allowedReturnOrigins, fallback: "/" });
+    if (replace) window.location.replace(safe);
+    else window.location.assign(safe);
+  }, [snapshot.status, to, replace, allowedReturnOrigins]);
+  return null;
+}
+function useReturnTo(options = {}) {
+  const { allowedReturnOrigins } = useCtx();
+  const paramName = options.paramName ?? "return_to";
+  const storageKey2 = options.storageKey ?? "iqauth_return_to";
+  const fallback = options.fallback ?? "/";
+  return (0, import_react.useMemo)(() => {
+    if (typeof window === "undefined") return fallback;
+    let raw = null;
+    try {
+      const params = new URLSearchParams(window.location.search);
+      raw = params.get(paramName) || params.get("next");
+    } catch {
+    }
+    if (!raw) {
+      try {
+        raw = window.sessionStorage.getItem(storageKey2);
+      } catch {
+      }
+    }
+    const safe = sanitizeReturnTo(raw, { allowedOrigins: allowedReturnOrigins, fallback });
+    if (safe !== fallback) {
+      try {
+        window.sessionStorage.setItem(storageKey2, safe);
+      } catch {
+      }
+    }
+    return safe;
+  }, [paramName, storageKey2, fallback, allowedReturnOrigins]);
+}
+function IQAuthReturnToBouncer({ children, ...opts }) {
+  const { snapshot } = useCtx();
+  const returnTo = useReturnTo(opts);
+  (0, import_react.useEffect)(() => {
+    if (snapshot.status !== "authenticated") return;
+    if (typeof window === "undefined") return;
+    window.location.replace(returnTo);
+  }, [snapshot.status, returnTo]);
+  if (snapshot.status === "authenticated") return null;
+  return (0, import_react.createElement)(import_react.Fragment, null, children);
+}
+async function preflightReturnTo(args) {
+  const f = args.fetchImpl ?? fetch;
+  const url2 = `${args.iqAuthBaseUrl.replace(/\/$/, "")}/api/public/apps/${encodeURIComponent(args.appKey)}/sign-in-context?return_to=${encodeURIComponent(args.returnTo)}`;
+  try {
+    const r = await f(url2, { credentials: "include" });
+    const body = await r.json().catch(() => null);
+    if (!r.ok || !body?.success || !body.data) {
+      return { ok: false, allowedOrigins: [], reason: body?.error?.message || `HTTP ${r.status}` };
+    }
+    return { ok: !!body.data.returnAllowed, allowedOrigins: body.data.allowedOrigins ?? [], reason: body.data.returnAllowed ? void 0 : "returnTo not in app allowedOrigins" };
+  } catch (err) {
+    return { ok: false, allowedOrigins: [], reason: err.message };
+  }
+}
 function AuthCallback({ onComplete, fallback } = {}) {
   const { manager } = useCtx();
   (0, import_react.useEffect)(() => {
@@ -980,8 +2352,8 @@ function brandStyle(branding) {
   if (branding.fontFamilyHeading) s["--brand-font-heading"] = branding.fontFamilyHeading;
   return s;
 }
-async function jsonFetch(url, init) {
-  const res = await fetch(url, { ...init, credentials: init?.credentials || "include" });
+async function jsonFetch(url2, init) {
+  const res = await fetch(url2, { ...init, credentials: init?.credentials || "include" });
   const payload = await res.json().catch(() => ({}));
   if (!res.ok && payload?.success !== true) {
     const message = payload?.error?.message || payload?.error_description || payload?.error || `HTTP ${res.status}`;
@@ -1001,8 +2373,20 @@ function useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo) {
     }
     let cancelled = false;
     setLoading(true);
-    const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/public/apps/${encodeURIComponent(appKey)}/sign-in-context?return_to=${encodeURIComponent(returnTo)}`;
-    fetch(url, { credentials: "include" }).then((r) => r.json()).then((payload) => {
+    const url2 = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/public/apps/${encodeURIComponent(appKey)}/sign-in-context?return_to=${encodeURIComponent(returnTo)}`;
+    fetch(url2, { credentials: "include" }).then(async (r) => {
+      const contentType = r.headers.get("content-type") || "";
+      if (!r.ok || !contentType.includes("json")) {
+        const bodyPreview = await r.text().then((t2) => t2.slice(0, 160)).catch(() => "");
+        console.error(
+          `[IQAuth] sign-in-context request failed: ${r.status} ${r.statusText} (content-type: ${contentType || "\u2014"}). URL: ${url2}. Common causes: (1) iqAuthBaseUrl points at the wrong host (it should be your IQAuth issuer, e.g. https://auth.dispositioniq.com \u2014 NOT your own app's domain); (2) the app key "${appKey}" is wrong or revoked; (3) CORS preflight is blocked because this origin isn't in the app's allowed-origins list. Response body preview: ${bodyPreview}`
+        );
+        throw new Error(
+          r.status >= 500 ? "Failed to load sign-in context (server error)" : `Failed to load sign-in context (HTTP ${r.status})`
+        );
+      }
+      return r.json();
+    }).then((payload) => {
       if (cancelled) return;
       if (payload?.success === false) throw new Error(payload?.error?.message || "Failed to load sign-in context");
       setCtx(payload.data);
@@ -1025,6 +2409,14 @@ var SHELL_CSS = `
   grid-template-columns: 1fr;
   background: var(--brand-bg, #f7f7f6);
   color: var(--brand-text, #0f172a);
+  /* Container queries so the two-pane layout responds to the SDK's
+     RENDERED width, not the viewport. This keeps the form usable when
+     a host app embeds <SignIn/> inside a narrower card or sidebar
+     instead of full-screen \u2014 the previous viewport @media query would
+     happily render the side-by-side hero+form into a 200px container
+     and wrap text one character per line. */
+  container-type: inline-size;
+  container-name: iqauth-sdk;
 }
 .iqauth-sdk-hero { display: none; }
 .iqauth-sdk-pane {
@@ -1074,7 +2466,7 @@ var SHELL_CSS = `
 .iqauth-sdk-google-btn:hover { background: #f8fafc; border-color: rgba(15,23,42,0.28); }
 .iqauth-sdk-google-btn[disabled] { opacity: 0.6; cursor: not-allowed; }
 
-@media (min-width: 768px) {
+@container iqauth-sdk (min-width: 768px) {
   .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 1fr) minmax(0, 1fr); }
   .iqauth-sdk-hero {
     display: flex; flex-direction: column; justify-content: space-between;
@@ -1095,7 +2487,7 @@ var SHELL_CSS = `
   .iqauth-sdk-hero-foot { font-size: 12px; opacity: 0.7; }
   .iqauth-sdk-mobile-brand { display: none; }
 }
-@media (min-width: 1280px) {
+@container iqauth-sdk (min-width: 1280px) {
   .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 5fr) minmax(0, 6fr); }
 }
 `;
@@ -1164,34 +2556,34 @@ function flattenBrandingPayload(data) {
 function useResolvedSdkBranding(iqAuthBaseUrl, appId) {
   const ctx = (0, import_react.useContext)(IQAuthContext);
   const resolvedAppId = appId ?? ctx?.manager?.appKey ?? null;
-  const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/public/branding${resolvedAppId ? `?appId=${encodeURIComponent(resolvedAppId)}` : ""}`;
-  const cached = sdkBrandingCache.get(url);
+  const url2 = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/public/branding${resolvedAppId ? `?appId=${encodeURIComponent(resolvedAppId)}` : ""}`;
+  const cached = sdkBrandingCache.get(url2);
   const fresh = cached && Date.now() - cached.ts < SDK_BRANDING_TTL_MS ? cached.data : null;
   const [b, setB] = (0, import_react.useState)(fresh);
   (0, import_react.useEffect)(() => {
     let cancelled = false;
-    const entry = sdkBrandingCache.get(url);
-    const headers = {};
-    if (entry?.rev) headers["If-None-Match"] = `W/"brand-${entry.rev}"`;
+    const entry = sdkBrandingCache.get(url2);
+    const headers2 = {};
+    if (entry?.rev) headers2["If-None-Match"] = `W/"brand-${entry.rev}"`;
     if (entry) setB(entry.data);
-    fetch(url, { credentials: "include", headers }).then(async (r) => {
+    fetch(url2, { credentials: "include", headers: headers2 }).then(async (r) => {
       if (cancelled) return;
       if (r.status === 304 && entry) {
-        sdkBrandingCache.set(url, { ...entry, ts: Date.now() });
+        sdkBrandingCache.set(url2, { ...entry, ts: Date.now() });
         return;
       }
       if (!r.ok) return;
       const p = await r.json().catch(() => null);
       if (!p?.data) return;
       const flat = flattenBrandingPayload(p.data);
-      sdkBrandingCache.set(url, { ts: Date.now(), rev: flat.brandingRev || "", data: flat });
+      sdkBrandingCache.set(url2, { ts: Date.now(), rev: flat.brandingRev || "", data: flat });
       setB(flat);
     }).catch(() => {
     });
     return () => {
       cancelled = true;
     };
-  }, [url]);
+  }, [url2]);
   return b;
 }
 function ensureSdkShellStyles() {
@@ -1232,10 +2624,12 @@ function Shell({
   className,
   children,
   title,
-  subtitle
+  subtitle,
+  appearance
 }) {
   ensureSdkShellStyles();
-  useDocumentBranding(branding, title || "Sign in");
+  const t2 = useT();
+  useDocumentBranding(branding, title || t2("signIn.title"));
   const brandVars = brandStyle(branding);
   const brandName = branding?.brandName || "IQAuth";
   const heroImage = branding?.heroImageUrl || null;
@@ -1246,14 +2640,16 @@ function Shell({
   const heroStyle = heroImage ? { ["--iqauth-sdk-hero-image"]: `url("${heroImage.replace(/"/g, '\\"')}")` } : {};
   const shellStyle = {
     ...brandVars,
-    ...layout === "full_bleed" && bgImage ? { backgroundImage: `linear-gradient(rgba(15,23,42,0.35), rgba(15,23,42,0.45)), url("${bgImage.replace(/"/g, '\\"')}")` } : {}
+    ...layout === "full_bleed" && bgImage ? { backgroundImage: `linear-gradient(rgba(15,23,42,0.35), rgba(15,23,42,0.45)), url("${bgImage.replace(/"/g, '\\"')}")` } : {},
+    ...appearance?.elements?.rootBox?.style || {}
   };
+  const ap = appearance?.elements;
   const supportLink = branding?.supportUrl ? branding.supportUrl : branding?.supportEmail ? `mailto:${branding.supportEmail}` : null;
   const hasFooterLinks = !!(branding?.termsUrl || branding?.privacyUrl || supportLink);
   return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
     "div",
     {
-      className: `iqauth-sdk-shell${className ? ` ${className}` : ""}`,
+      className: `iqauth-sdk-shell${className ? ` ${className}` : ""}${ap?.rootBox?.className ? ` ${ap.rootBox.className}` : ""}`,
       "data-layout": layout,
       "data-social-style": socialStyle || void 0,
       style: shellStyle,
@@ -1274,13 +2670,34 @@ function Shell({
         ] }),
         /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { className: "iqauth-sdk-pane", children: /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("main", { style: { width: "100%", maxWidth: 420 }, children: [
           /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { className: "iqauth-sdk-mobile-brand", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(SdkBrandLogo, { branding, alt: `${brandName} logo`, fallback: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("span", { children: brandName }) }) }),
-          /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { className: "iqauth-sdk-card", children: [
-            title || subtitle ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { className: "iqauth-sdk-card-header", children: [
-              title ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h1", { children: title }) : null,
-              subtitle ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: subtitle }) : null
-            ] }) : null,
-            /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { className: "iqauth-sdk-card-body", children })
-          ] }),
+          /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+            "section",
+            {
+              className: `iqauth-sdk-card${ap?.card?.className ? ` ${ap.card.className}` : ""}`,
+              style: ap?.card?.style,
+              children: [
+                title || subtitle ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+                  "div",
+                  {
+                    className: `iqauth-sdk-card-header${ap?.cardHeader?.className ? ` ${ap.cardHeader.className}` : ""}`,
+                    style: ap?.cardHeader?.style,
+                    children: [
+                      title ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h1", { className: ap?.headerTitle?.className, style: ap?.headerTitle?.style, children: title }) : null,
+                      subtitle ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { className: ap?.headerSubtitle?.className, style: ap?.headerSubtitle?.style, children: subtitle }) : null
+                    ]
+                  }
+                ) : null,
+                /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+                  "div",
+                  {
+                    className: `iqauth-sdk-card-body${ap?.cardBody?.className ? ` ${ap.cardBody.className}` : ""}`,
+                    style: ap?.cardBody?.style,
+                    children
+                  }
+                )
+              ]
+            }
+          ),
           hasFooterLinks || branding?.footerText ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("footer", { className: "iqauth-sdk-footer", children: [
             branding?.footerText ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { "data-testid": "text-brand-footer-sdk", style: { fontSize: 12, opacity: 0.75 }, children: branding.footerText }) : null,
             hasFooterLinks ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { className: "iqauth-sdk-footer-links", children: [
@@ -1371,8 +2788,30 @@ function isSilentSsoEligible(ctx, effectivePrompt) {
   if (!ctx.returnAllowed) return false;
   return true;
 }
-function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt }) {
+function SignIn(props) {
+  const providerCtx = (0, import_react.useContext)(IQAuthContext);
+  const iqAuthBaseUrl = props.iqAuthBaseUrl ?? providerCtx?.manager.issuerUrl ?? "";
+  const appKey = props.appKey ?? providerCtx?.manager.appKey ?? "";
+  const returnTo = props.returnTo ?? (typeof window !== "undefined" ? `${window.location.origin}/api/iqauth/callback` : "");
+  const { onRedirect, className, prompt, appearance: instanceAppearance } = props;
+  const appearance = instanceAppearance && providerCtx?.appearance ? { elements: { ...providerCtx.appearance.elements, ...instanceAppearance.elements } } : instanceAppearance ?? providerCtx?.appearance ?? null;
+  if (!iqAuthBaseUrl || !appKey) {
+    console.error(
+      "[IQAuth] <SignIn /> could not determine iqAuthBaseUrl/appKey. Either pass them explicitly OR wrap the component in <IQAuthProvider publishableKey=\u2026/>."
+    );
+  }
+  const t2 = useT();
+  const localeBundle = useLocale();
   const { ctx, loading, error } = useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo);
+  const preflightLoggedRef = (0, import_react.useRef)(false);
+  (0, import_react.useEffect)(() => {
+    if (!ctx || preflightLoggedRef.current) return;
+    if (ctx.returnAllowed) return;
+    preflightLoggedRef.current = true;
+    console.error(
+      `[IQAuth] returnTo "${returnTo}" is NOT in the app's allowed origins. Add it via the IQAuth admin console: Apps \u2192 ${ctx.app.key} \u2192 Allowed Origins. Currently allowed: [${ctx.allowedOrigins.join(", ") || "\u2014"}].`
+    );
+  }, [ctx, returnTo]);
   const [email, setEmail] = (0, import_react.useState)("");
   const [password, setPassword] = (0, import_react.useState)("");
   const [submitting, setSubmitting] = (0, import_react.useState)(false);
@@ -1431,9 +2870,9 @@ function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt
         body: JSON.stringify({ email, password, ...oidcPayload() })
       });
       const payload = await r.json().catch(() => ({}));
-      if (!handlePayload(payload)) setFormError(payload.error_description || payload.error || "Sign-in failed");
+      if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
     } catch (err) {
-      setFormError(err.message || "Network error");
+      setFormError(err.message || t(localeBundle, "errors.network"));
     }
     setSubmitting(false);
   };
@@ -1455,7 +2894,7 @@ function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt
       })
     });
     const payload = await r.json().catch(() => ({}));
-    if (!handlePayload(payload)) setFormError(payload.error_description || payload.error || "MFA verification failed");
+    if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
     setSubmitting(false);
   };
   const submitTenant = async (tenantId) => {
@@ -1469,7 +2908,7 @@ function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt
       body: JSON.stringify({ tenantSelectionToken: tenantSel.token, tenantId, ...oidcPayload() })
     });
     const payload = await r.json().catch(() => ({}));
-    if (!handlePayload(payload)) setFormError(payload.error_description || payload.error || "Tenant selection failed");
+    if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
     setSubmitting(false);
   };
   const startGoogleLogin = () => {
@@ -1478,8 +2917,8 @@ function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt
       return;
     }
     const bridgeUrl = window.location.href;
-    const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/google?redirect_uri=${encodeURIComponent(bridgeUrl)}&client_id=${encodeURIComponent(ctx.app.defaultClientId)}`;
-    window.location.href = url;
+    const url2 = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/google?redirect_uri=${encodeURIComponent(bridgeUrl)}&client_id=${encodeURIComponent(ctx.app.defaultClientId)}`;
+    window.location.href = url2;
   };
   (0, import_react.useEffect)(() => {
     if (loading || error || !ctx) return;
@@ -1567,36 +3006,36 @@ function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt
       setOauthExchanging(false);
     })();
   }, [ctx?.app.defaultClientId]);
-  if (loading || oauthExchanging) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding: ctx?.branding || null, className, title: oauthExchanging ? "Completing sign-in\u2026" : "Loading\u2026", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: oauthExchanging ? "Completing sign-in\u2026" : "Loading\u2026" }) });
-  if (error || !ctx) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding: null, className, title: "Application unavailable", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: error || "Failed to load app context" }) });
-  if (!ctx.returnAllowed) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding: ctx.branding, className, title: "Invalid redirect", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: `returnTo "${returnTo}" is not in this app's allowed origins.` }) });
+  if (loading || oauthExchanging) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { appearance, branding: ctx?.branding || null, className, title: oauthExchanging ? t2("signIn.submitting") : t2("common.loading"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: oauthExchanging ? t2("signIn.submitting") : t2("common.loading") }) });
+  if (error || !ctx) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { appearance, branding: null, className, title: t2("errors.serverError"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: error || t2("errors.serverError") }) });
+  if (!ctx.returnAllowed) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { appearance, branding: ctx.branding, className, title: t2("errors.generic"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: `returnTo "${returnTo}" is not in this app's allowed origins.` }) });
   const silentEligible = isSilentSsoEligible(ctx, effectivePrompt);
   if (silentEligible && silent !== "failed") {
-    return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Shell, { branding: ctx.branding, className, title: "Signing you in\u2026", subtitle: ctx.session ? `Welcome back, ${ctx.session.name || ctx.session.email}.` : void 0, children: [
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { "data-testid": "text-silent-resume", style: { fontSize: 14, opacity: 0.8 }, children: "Resuming your session." }),
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("a", { href: "#", onClick: switchAccount, "data-testid": "link-switch-account", style: { fontSize: 13 }, children: "Not you? Use a different account" })
+    return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Shell, { appearance, branding: ctx.branding, className, title: t2("signIn.resumingSession"), subtitle: ctx.session ? `${t2("signIn.subtitle")}, ${ctx.session.name || ctx.session.email}.` : void 0, children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { "data-testid": "text-silent-resume", style: { fontSize: 14, opacity: 0.8 }, children: t2("signIn.resumingSession") }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("a", { href: "#", onClick: switchAccount, "data-testid": "link-switch-account", style: { fontSize: 13 }, children: t2("signIn.useDifferentAccount") })
     ] });
   }
-  const cardTitle = ctx.branding?.loginHeadline || `Sign in to ${ctx.app.name}`;
+  const cardTitle = ctx.branding?.loginHeadline || t2("signIn.titleWithApp", { appName: ctx.app.name });
   const cardSubtitle = ctx.branding?.loginSubheadline || void 0;
-  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Shell, { branding: ctx.branding, className, title: cardTitle, subtitle: cardSubtitle, children: [
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Shell, { appearance, branding: ctx.branding, className, title: cardTitle, subtitle: cardSubtitle, children: [
     formError ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: formError }) : null,
-    tenantSel ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "radiogroup", "aria-label": "Choose tenant", style: { display: "flex", flexDirection: "column", gap: 8 }, children: tenantSel.tenants.map((t) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+    tenantSel ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "radiogroup", "aria-label": t2("signIn.selectTenant"), style: { display: "flex", flexDirection: "column", gap: 8 }, children: tenantSel.tenants.map((tn) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
       "button",
       {
         type: "button",
-        "data-iqauth-tenant": t.tenantId,
-        onClick: () => submitTenant(t.tenantId),
+        "data-iqauth-tenant": tn.tenantId,
+        onClick: () => submitTenant(tn.tenantId),
         style: { textAlign: "left", padding: "10px 14px", border: "1px solid rgba(15,23,42,0.15)", borderRadius: 8, background: "transparent", color: "inherit", cursor: "pointer" },
         children: [
-          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { margin: 0, fontWeight: 500 }, children: t.tenantName || t.tenantSlug || t.tenantId }),
-          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { margin: 0, fontSize: 12, opacity: 0.6 }, children: t.roles.join(", ") })
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { margin: 0, fontWeight: 500 }, children: tn.tenantName || tn.tenantSlug || tn.tenantId }),
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { margin: 0, fontSize: 12, opacity: 0.6 }, children: tn.roles.join(", ") })
         ]
       },
-      t.tenantId
-    )) }) : mfa ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submitMfa, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": "MFA verification", children: [
-      !mfa.backup && mfa.methods.length > 1 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Method", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("select", { style: inputStyle(), value: mfa.selected, onChange: (e) => setMfa({ ...mfa, selected: e.target.value }), children: mfa.methods.map((m) => /* @__PURE__ */ (0, import_jsx_runtime.jsx)("option", { value: m, children: m.toUpperCase() }, m)) }) }) : null,
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: mfa.backup ? "Backup code" : "Verification code", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+      tn.tenantId
+    )) }) : mfa ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submitMfa, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": t2("mfa.title"), children: [
+      !mfa.backup && mfa.methods.length > 1 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: t2("mfa.title"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("select", { style: inputStyle(), value: mfa.selected, onChange: (e) => setMfa({ ...mfa, selected: e.target.value }), children: mfa.methods.map((m) => /* @__PURE__ */ (0, import_jsx_runtime.jsx)("option", { value: m, children: m.toUpperCase() }, m)) }) }) : null,
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: mfa.backup ? t2("mfa.backupCodeLabel") : t2("mfa.totpLabel"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
         "input",
         {
           style: { ...inputStyle(), fontFamily: "monospace", textAlign: mfa.backup ? "left" : "center", letterSpacing: mfa.backup ? "0.04em" : "0.3em" },
@@ -1606,34 +3045,33 @@ function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt
           inputMode: mfa.backup ? "text" : "numeric"
         }
       ) }),
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { type: "submit", disabled: submitting || !mfa.code, children: submitting ? "Verifying\u2026" : "Verify" }),
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(GhostButton, { type: "button", onClick: () => setMfa({ ...mfa, backup: !mfa.backup, code: "" }), children: mfa.backup ? "Use verification code" : "Use backup code" })
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { type: "submit", disabled: submitting || !mfa.code, children: submitting ? t2("mfa.submitting") : t2("mfa.submit") }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(GhostButton, { type: "button", onClick: () => setMfa({ ...mfa, backup: !mfa.backup, code: "" }), children: mfa.backup ? t2("mfa.useAuthenticator") : t2("mfa.useBackupCode") })
     ] }) : /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
       ctx.providers?.google ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(import_jsx_runtime.Fragment, { children: [
-        /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("button", { type: "button", className: "iqauth-sdk-google-btn", onClick: startGoogleLogin, disabled: submitting, "aria-label": ctx.branding?.googleButtonLabel || "Continue with Google", children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("button", { type: "button", className: "iqauth-sdk-google-btn", onClick: startGoogleLogin, disabled: submitting, "aria-label": ctx.branding?.googleButtonLabel || t2("signIn.continueWithGoogle"), children: [
           /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("svg", { width: "18", height: "18", viewBox: "0 0 18 18", "aria-hidden": "true", children: [
             /* @__PURE__ */ (0, import_jsx_runtime.jsx)("path", { fill: "#4285F4", d: "M17.64 9.2c0-.64-.06-1.25-.17-1.84H9v3.48h4.84a4.14 4.14 0 0 1-1.8 2.71v2.26h2.92a8.78 8.78 0 0 0 2.68-6.61z" }),
             /* @__PURE__ */ (0, import_jsx_runtime.jsx)("path", { fill: "#34A853", d: "M9 18c2.43 0 4.47-.81 5.96-2.18l-2.92-2.26a5.4 5.4 0 0 1-8.04-2.83H.96v2.33A9 9 0 0 0 9 18z" }),
             /* @__PURE__ */ (0, import_jsx_runtime.jsx)("path", { fill: "#FBBC05", d: "M3.96 10.71A5.41 5.41 0 0 1 3.68 9c0-.59.1-1.17.29-1.71V4.96H.96a9 9 0 0 0 0 8.08l3-2.33z" }),
             /* @__PURE__ */ (0, import_jsx_runtime.jsx)("path", { fill: "#EA4335", d: "M9 3.58c1.32 0 2.5.45 3.44 1.35l2.58-2.59A9 9 0 0 0 .96 4.96l3 2.33A5.4 5.4 0 0 1 9 3.58z" })
           ] }),
-          ctx.branding?.googleButtonLabel || "Continue with Google"
+          ctx.branding?.googleButtonLabel || t2("signIn.continueWithGoogle")
         ] }),
-        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "separator", "aria-label": "or", className: "iqauth-sdk-divider", children: "OR" })
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "separator", "aria-label": t2("common.or"), className: "iqauth-sdk-divider", children: t2("signIn.dividerOr").toUpperCase() })
       ] }) : null,
-      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submitLogin, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": `Sign in to ${ctx.app.name}`, children: [
-        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Email", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "email", autoComplete: "email", required: true, value: email, onChange: (e) => setEmail(e.target.value) }) }),
-        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Password", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "password", autoComplete: "current-password", required: true, value: password, onChange: (e) => setPassword(e.target.value) }) }),
-        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { type: "submit", disabled: submitting || !email || !password, children: submitting ? "Signing in\u2026" : "Sign in" })
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submitLogin, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": t2("signIn.titleWithApp", { appName: ctx.app.name }), children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: t2("signIn.emailLabel"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "email", autoComplete: "email", required: true, value: email, onChange: (e) => setEmail(e.target.value) }) }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: t2("signIn.passwordLabel"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "password", autoComplete: "current-password", required: true, value: password, onChange: (e) => setPassword(e.target.value) }) }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { type: "submit", disabled: submitting || !email || !password, children: submitting ? t2("signIn.submitting") : t2("signIn.submit") })
       ] })
     ] }),
-    (silent === "failed" || effectivePrompt === "login" && ctx.session) && !mfa ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("p", { style: { marginTop: 12, fontSize: 13, opacity: 0.75 }, children: [
-      silent === "failed" && ctx.session ? "Couldn't resume your session. " : null,
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("a", { href: "#", onClick: switchAccount, "data-testid": "link-switch-account", children: "Use a different account" })
-    ] }) : null
+    (silent === "failed" || effectivePrompt === "login" && ctx.session) && !mfa ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { marginTop: 12, fontSize: 13, opacity: 0.75 }, children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("a", { href: "#", onClick: switchAccount, "data-testid": "link-switch-account", children: t2("signIn.useDifferentAccount") }) }) : null
   ] });
 }
 function SignUp({ iqAuthBaseUrl, appKey, returnTo, onSuccess, className }) {
+  const t2 = useT();
+  const localeBundle = useLocale();
   const { ctx, loading } = useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo || "");
   const [name, setName] = (0, import_react.useState)("");
   const [email, setEmail] = (0, import_react.useState)("");
@@ -1655,22 +3093,19 @@ function SignUp({ iqAuthBaseUrl, appKey, returnTo, onSuccess, className }) {
       setDone(true);
       onSuccess?.();
     } catch (err) {
-      setError(err.message);
+      setError(localizeError(localeBundle, err.message));
     }
     setSubmitting(false);
   };
-  if (loading) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding: null, className, children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: "Loading\u2026" }) });
-  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Shell, { branding: ctx?.branding || null, className, children: [
-    /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h2", { style: { fontSize: 20, fontWeight: 600, margin: "0 0 12px" }, children: "Create your account" }),
-    done ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "status", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: "Account created. Check your email for verification." }) }) : /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
-      error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: error }) : null,
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Full name", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), value: name, onChange: (e) => setName(e.target.value), required: true }) }),
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Email", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "email", autoComplete: "email", value: email, onChange: (e) => setEmail(e.target.value), required: true }) }),
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Organization (optional)", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), value: organizationName, onChange: (e) => setOrganizationName(e.target.value) }) }),
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Password", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: password, onChange: (e) => setPassword(e.target.value), required: true }) }),
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { type: "submit", disabled: submitting || !email || !password || !name, children: submitting ? "Creating\u2026" : "Create account" })
-    ] })
-  ] });
+  if (loading) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding: null, className, children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: t2("common.loading") }) });
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding: ctx?.branding || null, className, title: t2("signUp.title"), children: done ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "status", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: t2("magicLink.subtitle", { email }) }) }) : /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
+    error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: error }) : null,
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: t2("signUp.nameLabel"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), value: name, onChange: (e) => setName(e.target.value), required: true }) }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: t2("signUp.emailLabel"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "email", autoComplete: "email", value: email, onChange: (e) => setEmail(e.target.value), required: true }) }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: `${t2("signUp.tenantNameLabel")} (${t2("common.optional")})`, children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), value: organizationName, onChange: (e) => setOrganizationName(e.target.value) }) }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: t2("signUp.passwordLabel"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: password, onChange: (e) => setPassword(e.target.value), required: true }) }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { type: "submit", disabled: submitting || !email || !password || !name, children: submitting ? t2("signUp.submitting") : t2("signUp.submit") })
+  ] }) });
 }
 function initialsOf(name, email) {
   const src = name || email || "?";
@@ -1679,6 +3114,7 @@ function initialsOf(name, email) {
   return src.substring(0, 2).toUpperCase();
 }
 function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }) {
+  const t2 = useT();
   const [user, setUser] = (0, import_react.useState)(null);
   const [open, setOpen] = (0, import_react.useState)(false);
   const branding = useResolvedSdkBranding(iqAuthBaseUrl);
@@ -1749,7 +3185,7 @@ function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }) {
             /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontWeight: 500, color: "#0f172a" }, children: user.name }),
             /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { children: user.email })
           ] }),
-          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("a", { href: target, role: "menuitem", style: { display: "block", padding: "8px 10px", fontSize: 13, color: primary, textDecoration: "none" }, children: "Account" }),
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("a", { href: target, role: "menuitem", style: { display: "block", padding: "8px 10px", fontSize: 13, color: primary, textDecoration: "none" }, children: t2("userButton.manageAccount") }),
           /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
             "button",
             {
@@ -1757,7 +3193,7 @@ function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }) {
               type: "button",
               onClick: signOut2,
               style: { display: "block", width: "100%", textAlign: "left", padding: "8px 10px", fontSize: 13, background: "transparent", border: "none", cursor: "pointer", color: "#b91c1c" },
-              children: "Sign out"
+              children: t2("userButton.signOut")
             }
           )
         ] }) : null
@@ -1766,185 +3202,1187 @@ function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }) {
   );
 }
 function UserProfile({ iqAuthBaseUrl, className }) {
+  const t2 = useT();
+  const localeBundle = useLocale();
   const branding = useResolvedSdkBranding(iqAuthBaseUrl);
   const [user, setUser] = (0, import_react.useState)(null);
   const [oldPassword, setOldPassword] = (0, import_react.useState)("");
   const [newPassword, setNewPassword] = (0, import_react.useState)("");
   const [pwState, setPwState] = (0, import_react.useState)({ submitting: false, message: "", error: "" });
   const [sessions, setSessions] = (0, import_react.useState)([]);
+  const [revokeAllBusy, setRevokeAllBusy] = (0, import_react.useState)(false);
+  const loadSessions = () => {
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/users/me/sessions`, { credentials: "include" }).then((r) => r.ok ? r.json() : Promise.reject(r)).then((p) => setSessions(p?.data?.sessions || [])).catch(() => {
+      fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions`, { credentials: "include" }).then((r) => r.json()).then((p) => setSessions(p?.data?.sessions || p?.data || [])).catch(() => {
+      });
+    });
+  };
+  (0, import_react.useEffect)(() => {
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
+      if (p?.data) setUser(p.data);
+    }).catch(() => {
+    });
+    loadSessions();
+  }, [iqAuthBaseUrl]);
+  const changePassword = async (e) => {
+    e.preventDefault();
+    setPwState({ submitting: true, message: "", error: "" });
+    try {
+      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/password/change`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ oldPassword, newPassword })
+      });
+      setPwState({ submitting: false, message: t(localeBundle, "userProfile.passwordUpdated"), error: "" });
+      setOldPassword("");
+      setNewPassword("");
+    } catch (err) {
+      setPwState({ submitting: false, message: "", error: localizeError(localeBundle, err.message) });
+    }
+  };
+  const revoke = async (sessionId) => {
+    const newRes = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/users/me/sessions/${sessionId}`, { method: "DELETE", credentials: "include" });
+    if (!newRes.ok && newRes.status === 404) {
+      await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions/${sessionId}`, { method: "DELETE", credentials: "include" });
+    }
+    setSessions((prev) => prev.filter((s) => s.id !== sessionId));
+  };
+  const revokeAllOthers = async () => {
+    setRevokeAllBusy(true);
+    try {
+      await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/users/me/sessions/revoke-all-others`, { method: "POST", credentials: "include" });
+      setSessions((prev) => prev.filter((s) => s.isCurrent));
+    } finally {
+      setRevokeAllBusy(false);
+    }
+  };
+  if (!user) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding, className, children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: t2("common.loading") }) });
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Shell, { branding, className, title: t2("userProfile.title"), children: [
+    /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { "aria-labelledby": "iqauth-profile", style: { marginBottom: 20 }, children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { id: "iqauth-profile", style: { fontSize: 14, fontWeight: 600 }, children: t2("userProfile.profileTab") }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("p", { style: { fontSize: 13, margin: "4px 0" }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("strong", { children: [
+          t2("common.name"),
+          ":"
+        ] }),
+        " ",
+        user.name
+      ] }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("p", { style: { fontSize: 13, margin: "4px 0" }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("strong", { children: [
+          t2("common.email"),
+          ":"
+        ] }),
+        " ",
+        user.email
+      ] })
+    ] }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { "aria-labelledby": "iqauth-pw", style: { marginBottom: 20 }, children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { id: "iqauth-pw", style: { fontSize: 14, fontWeight: 600 }, children: t2("userProfile.changePassword") }),
+      pwState.error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: pwState.error }) : null,
+      pwState.message ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "status", style: { fontSize: 13, color: "#047857" }, children: pwState.message }) : null,
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: changePassword, style: { display: "flex", flexDirection: "column", gap: 10 }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: t2("userProfile.currentPassword"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "password", autoComplete: "current-password", value: oldPassword, onChange: (e) => setOldPassword(e.target.value), required: true }) }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: t2("userProfile.newPassword"), children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: newPassword, onChange: (e) => setNewPassword(e.target.value), required: true }) }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { type: "submit", disabled: pwState.submitting || !oldPassword || !newPassword, children: pwState.submitting ? t2("common.saving") : t2("userProfile.changePassword") })
+      ] })
+    ] }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { "aria-labelledby": "iqauth-sessions", children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { style: { display: "flex", alignItems: "center", justifyContent: "space-between" }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { id: "iqauth-sessions", style: { fontSize: 14, fontWeight: 600, margin: 0 }, children: t2("userProfile.sessionsTab") }),
+        sessions.some((s) => !s.isCurrent) && /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+          "button",
+          {
+            type: "button",
+            disabled: revokeAllBusy,
+            onClick: revokeAllOthers,
+            style: { fontSize: 12, color: "#b91c1c", background: "transparent", border: "1px solid #fecaca", borderRadius: 4, padding: "4px 10px", cursor: "pointer" },
+            children: revokeAllBusy ? t2("common.submitting") : t2("userProfile.revokeAllOthers")
+          }
+        )
+      ] }),
+      sessions.length === 0 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13, opacity: 0.6 }, children: t2("userProfile.sessionsEmpty") }) : /* @__PURE__ */ (0, import_jsx_runtime.jsx)("ul", { style: { listStyle: "none", padding: 0, margin: "8px 0 0", display: "flex", flexDirection: "column", gap: 6 }, children: sessions.map((s) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("li", { style: { display: "flex", justifyContent: "space-between", alignItems: "center", fontSize: 13, padding: "8px 10px", background: s.isCurrent ? "#ecfdf5" : "#f8fafc", borderRadius: 6, border: s.isCurrent ? "1px solid #a7f3d0" : "1px solid transparent" }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { style: { display: "flex", flexDirection: "column", gap: 2 }, children: [
+          /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("span", { style: { fontWeight: 500 }, children: [
+            s.device || s.userAgent || s.deviceName || "\u2014",
+            s.isCurrent && /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("span", { style: { marginLeft: 8, fontSize: 11, color: "#047857" }, children: [
+              "(",
+              t2("userProfile.thisDevice"),
+              ")"
+            ] })
+          ] }),
+          /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("span", { style: { fontSize: 11, opacity: 0.65 }, children: [
+            s.ip || "\u2014",
+            s.lastActiveAt ? ` \xB7 ${new Date(s.lastActiveAt).toLocaleString()}` : ""
+          ] })
+        ] }),
+        !s.isCurrent && /* @__PURE__ */ (0, import_jsx_runtime.jsx)("button", { type: "button", onClick: () => revoke(s.id), style: { fontSize: 12, color: "#b91c1c", background: "transparent", border: "1px solid #fecaca", borderRadius: 4, padding: "2px 8px", cursor: "pointer" }, children: t2("userProfile.revokeSession") })
+      ] }, s.id)) })
+    ] })
+  ] });
+}
+function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, appearance: _appearance, className }) {
+  const t2 = useT();
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const accent = branding?.accentColor || "#6366f1";
+  const [memberships, setMemberships] = (0, import_react.useState)([]);
+  const [activeTenantId, setActiveTenantId] = (0, import_react.useState)(null);
+  const [open, setOpen] = (0, import_react.useState)(false);
+  (0, import_react.useEffect)(() => {
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
+      if (p?.data?.tenantId) setActiveTenantId(p.data.tenantId);
+    }).catch(() => {
+    });
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants/memberships`, { credentials: "include" }).then((r) => r.json()).then((p) => setMemberships(p?.data?.memberships || p?.data || [])).catch(() => {
+    });
+  }, [iqAuthBaseUrl]);
+  const switchTo = async (tenantId) => {
+    try {
+      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/select-tenant`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ tenantId })
+      });
+      setActiveTenantId(tenantId);
+      setOpen(false);
+      onSwitched?.(tenantId);
+    } catch {
+    }
+  };
+  const active = memberships.find((m) => m.tenantId === activeTenantId);
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+    "div",
+    {
+      className,
+      style: { position: "relative", display: "inline-block", ...brandStyle(branding) },
+      "data-iqauth-sdk-orgswitcher": "",
+      "data-branding-rev": branding?.brandingRev || "",
+      children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+          "button",
+          {
+            type: "button",
+            "aria-haspopup": "menu",
+            "aria-expanded": open,
+            onClick: () => setOpen((o) => !o),
+            style: { background: "transparent", border: `1px solid ${accent}55`, color: branding?.primaryColor || "#0f172a", padding: "6px 12px", borderRadius: 6, cursor: "pointer", fontSize: 13 },
+            children: active?.tenantName || active?.tenantSlug || t2("orgSwitcher.label")
+          }
+        ),
+        open ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "menu", style: {
+          position: "absolute",
+          left: 0,
+          top: 36,
+          minWidth: 220,
+          background: "#fff",
+          border: "1px solid rgba(15,23,42,0.12)",
+          borderRadius: 8,
+          boxShadow: "0 4px 12px rgba(0,0,0,0.08)",
+          padding: 8,
+          zIndex: 100
+        }, children: memberships.length === 0 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13, opacity: 0.6, padding: "4px 6px" }, children: t2("orgSwitcher.noOrgs") }) : memberships.map((m) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+          "button",
+          {
+            role: "menuitem",
+            type: "button",
+            onClick: () => switchTo(m.tenantId),
+            style: {
+              display: "block",
+              width: "100%",
+              textAlign: "left",
+              padding: "8px 10px",
+              background: m.tenantId === activeTenantId ? `${accent}14` : "transparent",
+              border: "none",
+              borderRadius: 4,
+              cursor: "pointer",
+              fontSize: 13,
+              color: "#0f172a"
+            },
+            children: [
+              /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontWeight: 500 }, children: m.tenantName || m.tenantSlug || m.tenantId }),
+              /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontSize: 11, opacity: 0.6 }, children: m.roles.join(", ") })
+            ]
+          },
+          m.tenantId
+        )) }) : null
+      ]
+    }
+  );
+}
+function useImpersonation() {
+  const { snapshot } = useCtx();
+  return (0, import_react.useMemo)(() => {
+    const claims = snapshot.claims;
+    const isImpersonating = claims?.purpose === "impersonation" && !!claims?.act?.sub;
+    return {
+      isImpersonating,
+      actor: isImpersonating ? claims.act : null,
+      target: isImpersonating ? snapshot.user : null
+    };
+  }, [snapshot]);
+}
+function ImpersonationBanner({ render, onExit, className, style } = {}) {
+  const t2 = useT();
+  const info = useImpersonation();
+  const { manager } = useCtx();
+  const exit = (0, import_react.useCallback)(async () => {
+    if (onExit) return void onExit();
+    const { exitImpersonation: exitImpersonation2 } = await Promise.resolve().then(() => (init_reverify(), reverify_exports));
+    const restored = exitImpersonation2(manager);
+    if (restored) return;
+    const { signOut: signOut2 } = await Promise.resolve().then(() => (init_signIn(), signIn_exports));
+    await signOut2(manager);
+  }, [manager, onExit]);
+  if (!info.isImpersonating) return null;
+  if (render) return (0, import_react.createElement)(import_react.Fragment, null, render({ ...info, exit }));
+  const targetLabel = info.target?.email || info.target?.name || info.target?.sub || "user";
+  const _actorLabel = info.actor?.email || info.actor?.name || info.actor?.sub || "admin";
+  void _actorLabel;
+  return (0, import_react.createElement)(
+    "div",
+    {
+      role: "alert",
+      className,
+      style: {
+        position: "sticky",
+        top: 0,
+        left: 0,
+        right: 0,
+        zIndex: 9999,
+        background: "#b91c1c",
+        color: "#fff",
+        padding: "8px 16px",
+        display: "flex",
+        alignItems: "center",
+        justifyContent: "space-between",
+        fontSize: 13,
+        fontFamily: "system-ui, sans-serif",
+        ...style
+      }
+    },
+    (0, import_react.createElement)(
+      "span",
+      null,
+      t2("impersonation.banner", { targetEmail: targetLabel })
+    ),
+    (0, import_react.createElement)(
+      "button",
+      {
+        type: "button",
+        onClick: exit,
+        style: {
+          background: "rgba(255,255,255,0.18)",
+          color: "#fff",
+          border: "1px solid rgba(255,255,255,0.4)",
+          borderRadius: 4,
+          padding: "4px 10px",
+          cursor: "pointer",
+          fontSize: 12
+        }
+      },
+      t2("impersonation.exit")
+    )
+  );
+}
+function useReverification(fn, opts = {}) {
+  const { manager } = useCtx();
+  const level = opts.level ?? "password";
+  return (async (...args) => {
+    let token = null;
+    let res = await fn(token)(...args);
+    const code = await peekErrorCode(res);
+    const isReverifyError = res.status === 401 && code && (code === "REVERIFICATION_REQUIRED" || code === "REVERIFICATION_EXPIRED" || code === "REVERIFICATION_INVALID" || code === "REVERIFICATION_USED" || code === "REVERIFICATION_LEVEL_INSUFFICIENT");
+    if (!isReverifyError) return res;
+    const prompt = opts.prompt ?? defaultReverifyPrompt;
+    const credentials = await prompt(level);
+    if (!credentials) {
+      throw new Error("Reverification cancelled");
+    }
+    const { reverify: reverify2 } = await Promise.resolve().then(() => (init_reverify(), reverify_exports));
+    const minted = await reverify2(manager, { level, ...credentials });
+    token = minted.token;
+    res = await fn(token)(...args);
+    return res;
+  });
+}
+async function peekErrorCode(res) {
+  try {
+    const cloned = res.clone();
+    const body = await cloned.json();
+    return body?.error?.code ?? null;
+  } catch {
+    return null;
+  }
+}
+async function defaultReverifyPrompt(level) {
+  if (typeof window === "undefined") return null;
+  if (level === "password") {
+    const password = window.prompt("Confirm your password to continue");
+    if (!password) return null;
+    return { password };
+  }
+  const totp = window.prompt("Enter your MFA code to continue");
+  if (!totp) return null;
+  return { totp, method: "totp" };
+}
+function slugify(input) {
+  return input.toLowerCase().normalize("NFKD").replace(/[\u0300-\u036f]/g, "").replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 64);
+}
+function CreateOrganization({ iqAuthBaseUrl, onCreated, redirectUrl, unstyled, appearance, className }) {
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const [name, setName] = (0, import_react.useState)("");
+  const [slug, setSlug] = (0, import_react.useState)("");
+  const [slugTouched, setSlugTouched] = (0, import_react.useState)(false);
+  const [submitting, setSubmitting] = (0, import_react.useState)(false);
+  const [error, setError] = (0, import_react.useState)(null);
+  const [created, setCreated] = (0, import_react.useState)(null);
+  const [slugCheck, setSlugCheck] = (0, import_react.useState)({ status: "idle" });
+  (0, import_react.useEffect)(() => {
+    if (!slugTouched) setSlug(slugify(name));
+  }, [name, slugTouched]);
+  (0, import_react.useEffect)(() => {
+    const s = slug.trim().toLowerCase();
+    if (!s) {
+      setSlugCheck({ status: "idle" });
+      return;
+    }
+    if (!/^[a-z0-9-]{2,64}$/.test(s)) {
+      setSlugCheck({ status: "invalid", checked: s });
+      return;
+    }
+    setSlugCheck({ status: "checking", checked: s });
+    const handle = setTimeout(async () => {
+      try {
+        const res = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants/check-slug?slug=${encodeURIComponent(s)}`, {
+          credentials: "include",
+          headers: { Accept: "application/json" }
+        });
+        const body = await res.json().catch(() => ({}));
+        const data = body.data;
+        if (!data) {
+          setSlugCheck({ status: "idle", checked: s });
+          return;
+        }
+        if (data.reason === "INVALID_FORMAT") {
+          setSlugCheck({ status: "invalid", checked: s });
+          return;
+        }
+        setSlugCheck({ status: data.available ? "available" : "taken", checked: s });
+      } catch {
+        setSlugCheck({ status: "idle", checked: s });
+      }
+    }, 350);
+    return () => clearTimeout(handle);
+  }, [slug, iqAuthBaseUrl]);
+  const submit = async (e) => {
+    e.preventDefault();
+    setSubmitting(true);
+    setError(null);
+    try {
+      const res = await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({ name: name.trim(), slug: slug.trim() })
+      });
+      const payload = res;
+      const tenant = payload.data ?? payload;
+      const next = { id: tenant.id, name: tenant.name, slug: tenant.slug };
+      setCreated(next);
+      onCreated?.(next);
+      setName("");
+      setSlug("");
+      setSlugTouched(false);
+      if (redirectUrl && typeof window !== "undefined") {
+        const url2 = typeof redirectUrl === "function" ? redirectUrl(next) : redirectUrl;
+        if (url2) window.location.assign(url2);
+      }
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to create organization");
+    } finally {
+      setSubmitting(false);
+    }
+  };
+  const form = /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, "data-iqauth-sdk-create-org": "", "aria-labelledby": "iqauth-create-org-heading", children: [
+    error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: error }) : null,
+    created ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("p", { role: "status", style: { fontSize: 13, color: "#047857" }, children: [
+      "Organization \u201C",
+      created.name,
+      "\u201D created."
+    ] }) : null,
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Organization name", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { "data-testid": "input-create-org-name", autoFocus: true, style: inputStyle(), value: name, onChange: (e) => setName(e.target.value), required: true, minLength: 2, "aria-required": "true" }) }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Field, { label: "Organization slug", children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+        "input",
+        {
+          "data-testid": "input-create-org-slug",
+          style: { ...inputStyle(), fontFamily: "monospace" },
+          value: slug,
+          onChange: (e) => {
+            setSlugTouched(true);
+            setSlug(e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, "-"));
+          },
+          required: true,
+          pattern: "[a-z0-9-]+",
+          minLength: 2,
+          "aria-required": "true",
+          "aria-describedby": "iqauth-create-org-slug-hint",
+          "aria-invalid": slugCheck.status === "taken" || slugCheck.status === "invalid"
+        }
+      ),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+        "p",
+        {
+          id: "iqauth-create-org-slug-hint",
+          "data-testid": "text-create-org-slug-status",
+          role: "status",
+          "aria-live": "polite",
+          style: { fontSize: 12, marginTop: 4, color: slugCheck.status === "taken" || slugCheck.status === "invalid" ? "#b91c1c" : slugCheck.status === "available" ? "#047857" : "inherit", opacity: slugCheck.status === "checking" ? 0.6 : 1 },
+          children: slugCheck.status === "checking" ? "Checking availability\u2026" : slugCheck.status === "available" ? "Slug is available." : slugCheck.status === "taken" ? "That slug is taken." : slugCheck.status === "invalid" ? "Slugs must be 2\u201364 chars, lowercase letters/numbers/hyphens." : "We'll auto-generate a slug from the name; you can override it."
+        }
+      )
+    ] }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+      PrimaryButton,
+      {
+        "data-testid": "button-create-org-submit",
+        type: "submit",
+        disabled: submitting || !name.trim() || !slug.trim() || slugCheck.status === "taken" || slugCheck.status === "invalid" || slugCheck.status === "checking",
+        children: submitting ? "Creating\u2026" : "Create organization"
+      }
+    )
+  ] });
+  if (unstyled) {
+    return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { className, "data-iqauth-sdk-create-org-bare": "", children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { id: "iqauth-create-org-heading", style: { fontSize: 14, fontWeight: 600, margin: "0 0 12px" }, children: "Create organization" }),
+      form
+    ] });
+  }
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { appearance, branding, className, title: "Create organization", subtitle: "Spin up a new tenant for this app.", children: form });
+}
+function OrganizationProfile({ iqAuthBaseUrl, tenantId: tenantIdProp, tabs, onDeleted, appearance, className }) {
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const baseUrl = iqAuthBaseUrl.replace(/\/$/, "");
+  const visibleTabs = tabs && tabs.length > 0 ? tabs : ["general", "members", "invitations", "danger"];
+  const [activeTab, setActiveTab] = (0, import_react.useState)(visibleTabs[0]);
+  const [tenantId, setTenantId] = (0, import_react.useState)(tenantIdProp || null);
+  const [tenant, setTenant] = (0, import_react.useState)(null);
+  const [members, setMembers] = (0, import_react.useState)([]);
+  const [pendingInvites, setPendingInvites] = (0, import_react.useState)([]);
+  const [loading, setLoading] = (0, import_react.useState)(true);
+  const [invitesLoading, setInvitesLoading] = (0, import_react.useState)(false);
+  const [error, setError] = (0, import_react.useState)(null);
+  const [renameValue, setRenameValue] = (0, import_react.useState)("");
+  const [slugValue, setSlugValue] = (0, import_react.useState)("");
+  const [renameSubmitting, setRenameSubmitting] = (0, import_react.useState)(false);
+  const [inviteEmail, setInviteEmail] = (0, import_react.useState)("");
+  const [inviteRole, setInviteRole] = (0, import_react.useState)("tenant_member");
+  const [inviteSubmitting, setInviteSubmitting] = (0, import_react.useState)(false);
+  const [actionMessage, setActionMessage] = (0, import_react.useState)(null);
+  const [confirmDeleteText, setConfirmDeleteText] = (0, import_react.useState)("");
+  const [confirmDeletePassword, setConfirmDeletePassword] = (0, import_react.useState)("");
+  const [deleteSubmitting, setDeleteSubmitting] = (0, import_react.useState)(false);
+  const { user } = useUser();
+  const callerRole = user?.role || null;
+  const callerIsAdmin = callerRole === "tenant_admin" || callerRole === "platform_admin";
+  const visibleTabsFiltered = visibleTabs.filter((t2) => t2 !== "danger" || callerIsAdmin);
+  (0, import_react.useEffect)(() => {
+    let cancelled = false;
+    (async () => {
+      try {
+        let tid = tenantIdProp || null;
+        if (!tid) {
+          const me = await fetch(`${baseUrl}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json());
+          tid = me?.data?.tenantId || null;
+        }
+        if (!tid) {
+          if (!cancelled) {
+            setError("No active tenant");
+            setLoading(false);
+          }
+          return;
+        }
+        const t2 = await fetch(`${baseUrl}/api/v1/tenants/${tid}`, { credentials: "include" }).then((r) => r.json());
+        const m = await fetch(`${baseUrl}/api/v1/tenants/${tid}/users`, { credentials: "include" }).then((r) => r.json());
+        if (cancelled) return;
+        setTenantId(tid);
+        setTenant(t2?.data ? { id: t2.data.id, name: t2.data.name, slug: t2.data.slug } : null);
+        setRenameValue(t2?.data?.name || "");
+        setSlugValue(t2?.data?.slug || "");
+        const rows = m?.data || [];
+        setMembers(rows.map((row) => ({
+          userId: String(row.userId ?? row.user?.id ?? row.id ?? ""),
+          email: String(row.email ?? row.user?.email ?? ""),
+          name: String(row.name ?? row.user?.name ?? ""),
+          role: String(row.role ?? row.roles?.[0] ?? "tenant_member"),
+          joinedAt: row.joinedAt ?? row.createdAt
+        })));
+      } catch (err) {
+        if (!cancelled) setError(err instanceof Error ? err.message : "Failed to load organization");
+      } finally {
+        if (!cancelled) setLoading(false);
+      }
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, [baseUrl, tenantIdProp]);
+  const loadInvites = async (tid) => {
+    setInvitesLoading(true);
+    try {
+      const r = await fetch(`${baseUrl}/api/v1/invites?tenantId=${encodeURIComponent(tid)}&status=pending`, { credentials: "include" }).then((res) => res.json());
+      const rows = r?.data || [];
+      setPendingInvites(rows.map((inv) => ({
+        id: String(inv.id),
+        email: String(inv.email),
+        role: String(inv.role),
+        status: String(inv.status),
+        expiresAt: inv.expiresAt,
+        createdAt: inv.createdAt
+      })));
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to load invitations");
+    } finally {
+      setInvitesLoading(false);
+    }
+  };
   (0, import_react.useEffect)(() => {
-    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
-      if (p?.data) setUser(p.data);
-    }).catch(() => {
-    });
-    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions`, { credentials: "include" }).then((r) => r.json()).then((p) => setSessions(p?.data?.sessions || p?.data || [])).catch(() => {
-    });
-  }, [iqAuthBaseUrl]);
-  const changePassword = async (e) => {
+    if (activeTab === "invitations" && tenantId) loadInvites(tenantId);
+  }, [activeTab, tenantId]);
+  const reloadMembers = async () => {
+    if (!tenantId) return;
+    const m = await fetch(`${baseUrl}/api/v1/tenants/${tenantId}/users`, { credentials: "include" }).then((r) => r.json());
+    const rows = m?.data || [];
+    setMembers(rows.map((row) => ({
+      userId: String(row.userId ?? row.user?.id ?? row.id ?? ""),
+      email: String(row.email ?? row.user?.email ?? ""),
+      name: String(row.name ?? row.user?.name ?? ""),
+      role: String(row.role ?? row.roles?.[0] ?? "tenant_member"),
+      joinedAt: row.joinedAt ?? row.createdAt
+    })));
+  };
+  const submitRename = async (e) => {
     e.preventDefault();
-    setPwState({ submitting: true, message: "", error: "" });
+    if (!tenantId) return;
+    setRenameSubmitting(true);
+    setError(null);
     try {
-      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/password/change`, {
+      const body = {};
+      if (renameValue.trim() && renameValue.trim() !== tenant?.name) body.name = renameValue.trim();
+      if (slugValue.trim() && slugValue.trim() !== tenant?.slug) body.slug = slugValue.trim();
+      if (Object.keys(body).length === 0) {
+        setRenameSubmitting(false);
+        return;
+      }
+      const res = await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}`, {
+        method: "PATCH",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify(body)
+      });
+      const t2 = res?.data ?? res;
+      setTenant({ id: t2.id, name: t2.name, slug: t2.slug });
+      setActionMessage("Organization saved.");
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to save");
+    } finally {
+      setRenameSubmitting(false);
+    }
+  };
+  const submitInvite = async (e) => {
+    e.preventDefault();
+    if (!tenantId) return;
+    setInviteSubmitting(true);
+    setError(null);
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}/users/invite`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ oldPassword, newPassword })
+        credentials: "include",
+        body: JSON.stringify({ email: inviteEmail.trim(), role: inviteRole })
       });
-      setPwState({ submitting: false, message: "Password updated.", error: "" });
-      setOldPassword("");
-      setNewPassword("");
+      setActionMessage(`Invitation sent to ${inviteEmail.trim()}.`);
+      setInviteEmail("");
+      if (activeTab === "invitations") await loadInvites(tenantId);
     } catch (err) {
-      setPwState({ submitting: false, message: "", error: err.message });
+      setError(err instanceof Error ? err.message : "Failed to invite");
+    } finally {
+      setInviteSubmitting(false);
     }
   };
-  const revoke = async (sessionId) => {
-    await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions/${sessionId}`, { method: "DELETE", credentials: "include" });
-    setSessions((prev) => prev.filter((s) => s.id !== sessionId));
+  const changeRole = async (userId, role) => {
+    if (!tenantId) return;
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}/users/${userId}/role`, {
+        method: "PATCH",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({ role })
+      });
+      await reloadMembers();
+      setActionMessage("Role updated.");
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to update role");
+    }
   };
-  if (!user) return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { branding, className, children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: "Loading account\u2026" }) });
-  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(Shell, { branding, className, children: [
-    /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h2", { style: { fontSize: 20, fontWeight: 600, margin: "0 0 12px" }, children: "Your account" }),
-    /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { "aria-labelledby": "iqauth-profile", style: { marginBottom: 20 }, children: [
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { id: "iqauth-profile", style: { fontSize: 14, fontWeight: 600 }, children: "Profile" }),
-      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("p", { style: { fontSize: 13, margin: "4px 0" }, children: [
-        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("strong", { children: "Name:" }),
-        " ",
-        user.name
-      ] }),
-      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("p", { style: { fontSize: 13, margin: "4px 0" }, children: [
-        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("strong", { children: "Email:" }),
-        " ",
-        user.email
-      ] })
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { "aria-labelledby": "iqauth-pw", style: { marginBottom: 20 }, children: [
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { id: "iqauth-pw", style: { fontSize: 14, fontWeight: 600 }, children: "Change password" }),
-      pwState.error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: pwState.error }) : null,
-      pwState.message ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "status", style: { fontSize: 13, color: "#047857" }, children: pwState.message }) : null,
-      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: changePassword, style: { display: "flex", flexDirection: "column", gap: 10 }, children: [
-        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Current password", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "password", autoComplete: "current-password", value: oldPassword, onChange: (e) => setOldPassword(e.target.value), required: true }) }),
-        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "New password", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: newPassword, onChange: (e) => setNewPassword(e.target.value), required: true }) }),
-        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { type: "submit", disabled: pwState.submitting || !oldPassword || !newPassword, children: pwState.submitting ? "Updating\u2026" : "Change password" })
+  const removeMember = async (userId) => {
+    if (!tenantId) return;
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}/users/${userId}`, { method: "DELETE", credentials: "include" });
+      await reloadMembers();
+      setActionMessage("Member removed.");
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to remove member");
+    }
+  };
+  const resendInvite = async (id) => {
+    if (!tenantId) return;
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/invites/${id}/resend`, { method: "POST", credentials: "include" });
+      setActionMessage("Invitation resent.");
+      await loadInvites(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to resend invitation");
+    }
+  };
+  const revokeInvite = async (id) => {
+    if (!tenantId) return;
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/invites/${id}/revoke`, { method: "POST", credentials: "include" });
+      setActionMessage("Invitation revoked.");
+      await loadInvites(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to revoke invitation");
+    }
+  };
+  const submitDelete = async () => {
+    if (!tenantId || !tenant) return;
+    if (confirmDeleteText !== tenant.slug) {
+      setError("Type the organization slug to confirm deletion.");
+      return;
+    }
+    if (!confirmDeletePassword) {
+      setError("Re-enter your password to confirm deletion.");
+      return;
+    }
+    setDeleteSubmitting(true);
+    setError(null);
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}`, {
+        method: "DELETE",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ confirmPassword: confirmDeletePassword })
+      });
+      setActionMessage("Organization deleted.");
+      setConfirmDeletePassword("");
+      onDeleted?.(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to delete organization");
+    } finally {
+      setDeleteSubmitting(false);
+    }
+  };
+  if (loading) {
+    return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { appearance, branding, className, title: "Organization", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { role: "status", "aria-live": "polite", style: { fontSize: 13 }, children: "Loading\u2026" }) });
+  }
+  const tabBtnStyle = (key) => ({
+    background: activeTab === key ? `${branding?.accentColor || "#6366f1"}1a` : "transparent",
+    border: `1px solid ${activeTab === key ? branding?.accentColor || "#6366f1" : "rgba(15,23,42,0.12)"}`,
+    color: branding?.primaryColor || "#0f172a",
+    padding: "6px 12px",
+    borderRadius: 6,
+    cursor: "pointer",
+    fontSize: 12,
+    fontWeight: 500
+  });
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { appearance, branding, className, title: tenant?.name || "Organization", subtitle: tenant?.slug ? `slug: ${tenant.slug}` : void 0, children: /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { style: { display: "flex", flexDirection: "column", gap: 16 }, "data-iqauth-sdk-org-profile": "", children: [
+    error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: error }) : null,
+    actionMessage ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { role: "status", "aria-live": "polite", style: { fontSize: 13, color: "#047857", margin: 0 }, children: actionMessage }) : null,
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "tablist", "aria-label": "Organization sections", style: { display: "flex", gap: 6, flexWrap: "wrap" }, children: visibleTabsFiltered.map((t2) => /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+      "button",
+      {
+        role: "tab",
+        "aria-selected": activeTab === t2,
+        "aria-controls": `iqauth-org-tab-${t2}`,
+        "data-testid": `tab-org-${t2}`,
+        type: "button",
+        onClick: () => setActiveTab(t2),
+        style: tabBtnStyle(t2),
+        children: t2 === "general" ? "General" : t2 === "members" ? `Members (${members.length})` : t2 === "invitations" ? "Invitations" : "Danger zone"
+      },
+      t2
+    )) }),
+    activeTab === "general" ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { role: "tabpanel", id: "iqauth-org-tab-general", "aria-labelledby": "tab-org-general", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { style: { fontSize: 14, fontWeight: 600, margin: 0 }, children: "Settings" }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submitRename, style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Organization name", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { "data-testid": "input-org-rename", style: inputStyle(), value: renameValue, onChange: (e) => setRenameValue(e.target.value), required: true, minLength: 2 }) }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Slug", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { "data-testid": "input-org-slug", style: { ...inputStyle(), fontFamily: "monospace" }, value: slugValue, onChange: (e) => setSlugValue(e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, "-")), required: true, pattern: "[a-z0-9-]+", minLength: 2 }) }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { "data-testid": "button-org-rename", type: "submit", disabled: renameSubmitting || renameValue.trim() === tenant?.name && slugValue.trim() === tenant?.slug, children: renameSubmitting ? "Saving\u2026" : "Save changes" })
       ] })
-    ] }),
-    /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { "aria-labelledby": "iqauth-sessions", children: [
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { id: "iqauth-sessions", style: { fontSize: 14, fontWeight: 600 }, children: "Sessions" }),
-      sessions.length === 0 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13, opacity: 0.6 }, children: "No active sessions." }) : /* @__PURE__ */ (0, import_jsx_runtime.jsx)("ul", { style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: sessions.map((s) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("li", { style: { display: "flex", justifyContent: "space-between", fontSize: 13, padding: "6px 10px", background: "#f8fafc", borderRadius: 6 }, children: [
-        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("span", { children: s.userAgent || s.deviceName || "Unknown" }),
-        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("button", { type: "button", onClick: () => revoke(s.id), style: { fontSize: 12, color: "#b91c1c", background: "transparent", border: "1px solid #fecaca", borderRadius: 4, padding: "2px 8px", cursor: "pointer" }, children: "Revoke" })
-      ] }, s.id)) })
-    ] })
-  ] });
+    ] }) : null,
+    activeTab === "members" ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { role: "tabpanel", id: "iqauth-org-tab-members", "aria-labelledby": "tab-org-members", style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submitInvite, style: { display: "flex", gap: 8, flexWrap: "wrap" }, "aria-label": "Invite a new member", children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { "data-testid": "input-org-invite-email", type: "email", placeholder: "email@company.com", "aria-label": "Email", style: { ...inputStyle(), flex: 1, minWidth: 180 }, value: inviteEmail, onChange: (e) => setInviteEmail(e.target.value), required: true }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("select", { "data-testid": "select-org-invite-role", "aria-label": "Role", style: { ...inputStyle(), width: "auto" }, value: inviteRole, onChange: (e) => setInviteRole(e.target.value), children: [
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("option", { value: "tenant_member", children: "tenant_member" }),
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("option", { value: "tenant_admin", children: "tenant_admin" })
+        ] }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { "data-testid": "button-org-invite", type: "submit", disabled: inviteSubmitting || !inviteEmail.trim(), children: inviteSubmitting ? "Sending\u2026" : "Send invite" })
+      ] }),
+      members.length === 0 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13, opacity: 0.6 }, children: "No members yet." }) : /* @__PURE__ */ (0, import_jsx_runtime.jsx)("ul", { "aria-label": "Members", style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: members.map((m) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("li", { "data-testid": `row-org-member-${m.userId}`, style: { display: "grid", gridTemplateColumns: "1fr auto auto", gap: 8, alignItems: "center", padding: "8px 10px", background: "rgba(15,23,42,0.04)", borderRadius: 6, fontSize: 13 }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { children: [
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontWeight: 500 }, children: m.name || m.email }),
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontSize: 11, opacity: 0.7 }, children: m.email })
+        ] }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("select", { "data-testid": `select-org-member-role-${m.userId}`, "aria-label": `Role for ${m.email}`, value: m.role, onChange: (e) => changeRole(m.userId, e.target.value), style: { ...inputStyle(), width: "auto", padding: "4px 8px", fontSize: 12 }, children: [
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("option", { value: "tenant_member", children: "tenant_member" }),
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("option", { value: "tenant_admin", children: "tenant_admin" })
+        ] }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+          "button",
+          {
+            type: "button",
+            "data-testid": `button-org-member-remove-${m.userId}`,
+            "aria-label": `Remove ${m.email}`,
+            onClick: () => removeMember(m.userId),
+            style: { background: "transparent", border: "1px solid rgba(220,38,38,0.4)", color: "#b91c1c", borderRadius: 4, padding: "4px 10px", cursor: "pointer", fontSize: 12 },
+            children: "Remove"
+          }
+        )
+      ] }, m.userId)) })
+    ] }) : null,
+    activeTab === "invitations" ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { role: "tabpanel", id: "iqauth-org-tab-invitations", "aria-labelledby": "tab-org-invitations", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { style: { fontSize: 14, fontWeight: 600, margin: 0 }, children: "Pending invitations" }),
+      invitesLoading ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { role: "status", "aria-live": "polite", style: { fontSize: 13 }, children: "Loading\u2026" }) : pendingInvites.length === 0 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13, opacity: 0.6 }, children: "No pending invitations." }) : /* @__PURE__ */ (0, import_jsx_runtime.jsx)("ul", { "aria-label": "Pending invitations", style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: pendingInvites.map((inv) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("li", { "data-testid": `row-org-invite-${inv.id}`, style: { display: "grid", gridTemplateColumns: "1fr auto auto", gap: 8, alignItems: "center", padding: "8px 10px", background: "rgba(15,23,42,0.04)", borderRadius: 6, fontSize: 13 }, children: [
+        /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { children: [
+          /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontWeight: 500 }, children: inv.email }),
+          /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { style: { fontSize: 11, opacity: 0.7 }, children: [
+            "role: ",
+            inv.role,
+            inv.expiresAt ? ` \u2022 expires ${new Date(inv.expiresAt).toLocaleDateString()}` : ""
+          ] })
+        ] }),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+          "button",
+          {
+            type: "button",
+            "data-testid": `button-org-invite-resend-${inv.id}`,
+            onClick: () => resendInvite(inv.id),
+            style: { background: "transparent", border: "1px solid rgba(15,23,42,0.18)", color: "#0f172a", borderRadius: 4, padding: "4px 10px", cursor: "pointer", fontSize: 12 },
+            children: "Resend"
+          }
+        ),
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+          "button",
+          {
+            type: "button",
+            "data-testid": `button-org-invite-revoke-${inv.id}`,
+            onClick: () => revokeInvite(inv.id),
+            style: { background: "transparent", border: "1px solid rgba(220,38,38,0.4)", color: "#b91c1c", borderRadius: 4, padding: "4px 10px", cursor: "pointer", fontSize: 12 },
+            children: "Revoke"
+          }
+        )
+      ] }, inv.id)) })
+    ] }) : null,
+    activeTab === "danger" ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("section", { role: "tabpanel", id: "iqauth-org-tab-danger", "aria-labelledby": "tab-org-danger", style: { display: "flex", flexDirection: "column", gap: 10, border: "1px solid rgba(220,38,38,0.3)", padding: 12, borderRadius: 8, background: "rgba(220,38,38,0.04)" }, children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("h3", { style: { fontSize: 14, fontWeight: 600, margin: 0, color: "#b91c1c" }, children: "Delete organization" }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("p", { style: { fontSize: 12, opacity: 0.85, margin: 0 }, children: [
+        "This permanently deletes ",
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("strong", { children: tenant?.name }),
+        " and all of its members, roles, and audit history. To confirm, type the slug ",
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("code", { children: tenant?.slug }),
+        " below."
+      ] }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Type the organization slug to confirm", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { "data-testid": "input-org-delete-confirm", autoComplete: "off", placeholder: tenant?.slug || "", "aria-label": "Type slug to confirm", style: { ...inputStyle(), fontFamily: "monospace" }, value: confirmDeleteText, onChange: (e) => setConfirmDeleteText(e.target.value) }) }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Re-enter your password", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { "data-testid": "input-org-delete-password", type: "password", autoComplete: "current-password", "aria-label": "Password to confirm deletion", style: inputStyle(), value: confirmDeletePassword, onChange: (e) => setConfirmDeletePassword(e.target.value) }) }),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+        "button",
+        {
+          type: "button",
+          "data-testid": "button-org-delete",
+          onClick: submitDelete,
+          disabled: deleteSubmitting || confirmDeleteText !== tenant?.slug || !confirmDeletePassword,
+          style: { background: "#b91c1c", color: "#fff", border: "none", padding: "8px 14px", borderRadius: 6, cursor: confirmDeleteText === tenant?.slug && confirmDeletePassword ? "pointer" : "not-allowed", fontSize: 13, opacity: confirmDeleteText === tenant?.slug && confirmDeletePassword ? 1 : 0.5 },
+          children: deleteSubmitting ? "Deleting\u2026" : "Permanently delete organization"
+        }
+      )
+    ] }) : null
+  ] }) });
 }
-function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, className }) {
+function OrganizationList({ iqAuthBaseUrl, onSelect, showCreate = true, createRedirectUrl, appearance, className }) {
+  const [showCreateForm, setShowCreateForm] = (0, import_react.useState)(false);
+  const reloadList = () => {
+    setShowCreateForm(false);
+    if (typeof window !== "undefined") setTimeout(() => window.location.reload(), 50);
+  };
   const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const baseUrl = iqAuthBaseUrl.replace(/\/$/, "");
   const accent = branding?.accentColor || "#6366f1";
   const [memberships, setMemberships] = (0, import_react.useState)([]);
   const [activeTenantId, setActiveTenantId] = (0, import_react.useState)(null);
-  const [open, setOpen] = (0, import_react.useState)(false);
+  const [loading, setLoading] = (0, import_react.useState)(true);
+  const [error, setError] = (0, import_react.useState)(null);
   (0, import_react.useEffect)(() => {
-    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
-      if (p?.data?.tenantId) setActiveTenantId(p.data.tenantId);
-    }).catch(() => {
-    });
-    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants/memberships`, { credentials: "include" }).then((r) => r.json()).then((p) => setMemberships(p?.data?.memberships || p?.data || [])).catch(() => {
+    let cancelled = false;
+    Promise.all([
+      fetch(`${baseUrl}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()),
+      fetch(`${baseUrl}/api/v1/tenants/memberships`, { credentials: "include" }).then((r) => r.json())
+    ]).then(([me, mems]) => {
+      if (cancelled) return;
+      setActiveTenantId(me?.data?.tenantId || null);
+      setMemberships(mems?.data?.memberships || mems?.data || []);
+    }).catch((err) => {
+      if (!cancelled) setError(err instanceof Error ? err.message : "Failed to load organizations");
+    }).finally(() => {
+      if (!cancelled) setLoading(false);
     });
-  }, [iqAuthBaseUrl]);
-  const switchTo = async (tenantId) => {
+    return () => {
+      cancelled = true;
+    };
+  }, [baseUrl]);
+  const select = async (tenantId) => {
+    if (tenantId === activeTenantId) {
+      onSelect?.(tenantId);
+      return;
+    }
     try {
-      await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/select-tenant`, {
+      await jsonFetch(`${baseUrl}/api/v1/auth/select-tenant`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
+        credentials: "include",
         body: JSON.stringify({ tenantId })
       });
       setActiveTenantId(tenantId);
-      setOpen(false);
-      onSwitched?.(tenantId);
-    } catch {
+      onSelect?.(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to switch organization");
     }
   };
-  const active = memberships.find((m) => m.tenantId === activeTenantId);
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { appearance, branding, className, title: "Your organizations", subtitle: "Select an organization to make it active.", children: /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { "data-iqauth-sdk-org-list": "", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
+    error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: error }) : null,
+    loading ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13 }, children: "Loading\u2026" }) : memberships.length === 0 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13, opacity: 0.6 }, children: "You don\u2019t belong to any organizations yet." }) : /* @__PURE__ */ (0, import_jsx_runtime.jsx)("ul", { style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: memberships.map((m) => {
+      const active = m.tenantId === activeTenantId;
+      return /* @__PURE__ */ (0, import_jsx_runtime.jsx)("li", { children: /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
+        "button",
+        {
+          type: "button",
+          "data-testid": `button-org-list-${m.tenantId}`,
+          onClick: () => select(m.tenantId),
+          style: {
+            display: "block",
+            width: "100%",
+            textAlign: "left",
+            padding: "10px 12px",
+            borderRadius: 6,
+            cursor: "pointer",
+            fontSize: 13,
+            background: active ? `${accent}1a` : "transparent",
+            border: `1px solid ${active ? accent : "rgba(15,23,42,0.12)"}`,
+            color: branding?.primaryColor || "#0f172a"
+          },
+          children: [
+            /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontWeight: 500 }, children: m.tenantName || m.tenantSlug || m.tenantId }),
+            /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { style: { fontSize: 11, opacity: 0.7 }, children: [
+              (m.roles || []).join(", ") || "\u2014",
+              active ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("span", { style: { marginLeft: 8, color: accent, fontWeight: 600 }, children: "active" }) : null
+            ] })
+          ]
+        }
+      ) }, m.tenantId);
+    }) }),
+    showCreate ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { marginTop: 12, paddingTop: 12, borderTop: "1px solid rgba(15,23,42,0.08)" }, children: showCreateForm ? /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(import_jsx_runtime.Fragment, { children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+        CreateOrganization,
+        {
+          iqAuthBaseUrl,
+          unstyled: true,
+          appearance,
+          onCreated: (t2) => {
+            onSelect?.(t2.id);
+            reloadList();
+          },
+          redirectUrl: createRedirectUrl
+        }
+      ),
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+        "button",
+        {
+          type: "button",
+          "data-testid": "button-org-list-create-cancel",
+          onClick: () => setShowCreateForm(false),
+          style: { marginTop: 8, background: "transparent", border: "none", color: branding?.accentColor || "#6366f1", cursor: "pointer", fontSize: 12, padding: 0 },
+          children: "Cancel"
+        }
+      )
+    ] }) : /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+      "button",
+      {
+        type: "button",
+        "data-testid": "button-org-list-create",
+        onClick: () => setShowCreateForm(true),
+        style: { background: "transparent", border: `1px dashed ${accent}`, color: branding?.primaryColor || "#0f172a", padding: "10px 12px", borderRadius: 6, cursor: "pointer", fontSize: 13, width: "100%" },
+        children: "+ Create new organization"
+      }
+    ) }) : null
+  ] }) });
+}
+function Waitlist({ iqAuthBaseUrl, appKey, appId, title, subtitle, successMessage, appearance, className }) {
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl, appId);
+  const [email, setEmail] = (0, import_react.useState)("");
+  const [name, setName] = (0, import_react.useState)("");
+  const [organizationName, setOrganizationName] = (0, import_react.useState)("");
+  const [submitting, setSubmitting] = (0, import_react.useState)(false);
+  const [error, setError] = (0, import_react.useState)(null);
+  const [submitted, setSubmitted] = (0, import_react.useState)(null);
+  const submit = async (e) => {
+    e.preventDefault();
+    setSubmitting(true);
+    setError(null);
+    try {
+      const res = await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/waitlist`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          email: email.trim().toLowerCase(),
+          name: name.trim() || void 0,
+          organizationName: organizationName.trim() || void 0,
+          appKey: appKey || void 0,
+          appId: appId || void 0
+        })
+      });
+      const data = res?.data ?? res;
+      setSubmitted({ duplicate: !!data?.duplicate });
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to join the waitlist");
+    } finally {
+      setSubmitting(false);
+    }
+  };
+  if (submitted) {
+    return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { appearance, branding, className, title: title || "You\u2019re on the list", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { "data-testid": "text-waitlist-success", style: { fontSize: 14 }, children: successMessage || (submitted.duplicate ? "You were already on the waitlist \u2014 we\u2019ll be in touch." : "Thanks! We\u2019ll email you when access opens up.") }) });
+  }
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Shell, { appearance, branding, className, title: title || "Join the waitlist", subtitle: subtitle || "Enter your email and we\u2019ll be in touch when access opens up.", children: /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, "data-iqauth-sdk-waitlist": "", children: [
+    error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(ErrorBanner, { message: error }) : null,
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Work email", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { "data-testid": "input-waitlist-email", type: "email", autoComplete: "email", required: true, style: inputStyle(), value: email, onChange: (e) => setEmail(e.target.value) }) }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Name (optional)", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { "data-testid": "input-waitlist-name", autoComplete: "name", style: inputStyle(), value: name, onChange: (e) => setName(e.target.value) }) }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Field, { label: "Organization (optional)", children: /* @__PURE__ */ (0, import_jsx_runtime.jsx)("input", { "data-testid": "input-waitlist-org", autoComplete: "organization", style: inputStyle(), value: organizationName, onChange: (e) => setOrganizationName(e.target.value) }) }),
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(PrimaryButton, { "data-testid": "button-waitlist-submit", type: "submit", disabled: submitting || !email, children: submitting ? "Joining\u2026" : "Join the waitlist" })
+  ] }) });
+}
+function usePasswordlessOptions(override) {
+  const ctx = (0, import_react.useContext)(IQAuthContext);
+  const baseFromCtx = ctx?.manager?.issuerUrl;
+  const iqAuthBaseUrl = override?.iqAuthBaseUrl || baseFromCtx || (typeof window !== "undefined" ? window.location.origin : "");
+  return { iqAuthBaseUrl, cookieSession: override?.cookieSession ?? true };
+}
+function useMagicLink(override) {
+  const opts = usePasswordlessOptions(override);
+  const [sent, setSent] = (0, import_react.useState)(false);
+  const [busy, setBusy] = (0, import_react.useState)(false);
+  const [error, setError] = (0, import_react.useState)(null);
+  const request = (0, import_react.useCallback)(async (input) => {
+    setBusy(true);
+    setError(null);
+    setSent(false);
+    try {
+      await requestMagicLink(opts, input);
+      setSent(true);
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Magic link request failed");
+    } finally {
+      setBusy(false);
+    }
+  }, [opts.iqAuthBaseUrl, opts.cookieSession]);
+  return { request, sent, busy, error };
+}
+function usePasskey(override) {
+  const opts = usePasswordlessOptions(override);
+  const [busy, setBusy] = (0, import_react.useState)(false);
+  const [error, setError] = (0, import_react.useState)(null);
+  const signIn2 = (0, import_react.useCallback)(async (input = {}) => {
+    setBusy(true);
+    setError(null);
+    try {
+      return await signInWithPasskey(opts, input);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : "Passkey sign-in failed";
+      setError(msg);
+      throw e;
+    } finally {
+      setBusy(false);
+    }
+  }, [opts.iqAuthBaseUrl]);
+  const enroll = (0, import_react.useCallback)(async (name) => {
+    setBusy(true);
+    setError(null);
+    try {
+      return await enrollPasskey(opts, name);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : "Passkey enrollment failed";
+      setError(msg);
+      throw e;
+    } finally {
+      setBusy(false);
+    }
+  }, [opts.iqAuthBaseUrl]);
+  return { signIn: signIn2, enroll, busy, error };
+}
+function useLinkedIdentities(override) {
+  const opts = usePasswordlessOptions(override);
+  const [identities, setIdentities] = (0, import_react.useState)([]);
+  const [loading, setLoading] = (0, import_react.useState)(true);
+  const [error, setError] = (0, import_react.useState)(null);
+  const refresh = (0, import_react.useCallback)(async () => {
+    setLoading(true);
+    setError(null);
+    try {
+      setIdentities(await listLinkedIdentities(opts));
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Failed to load identities");
+    } finally {
+      setLoading(false);
+    }
+  }, [opts.iqAuthBaseUrl]);
+  const link = (0, import_react.useCallback)(async (input) => {
+    await linkProvider(opts, input);
+    await refresh();
+  }, [opts.iqAuthBaseUrl, refresh]);
+  const unlink = (0, import_react.useCallback)(async (provider, password) => {
+    await unlinkProvider(opts, { provider, reauth: { password } });
+    await refresh();
+  }, [opts.iqAuthBaseUrl, refresh]);
+  (0, import_react.useEffect)(() => {
+    refresh();
+  }, [refresh]);
+  return { identities, loading, error, refresh, link, unlink };
+}
+function MagicLinkSignInForm(props) {
+  const { request, sent, busy, error } = useMagicLink(props);
+  const [email, setEmail] = (0, import_react.useState)("");
   return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
-    "div",
+    "form",
     {
-      className,
-      style: { position: "relative", display: "inline-block", ...brandStyle(branding) },
-      "data-iqauth-sdk-orgswitcher": "",
-      "data-branding-rev": branding?.brandingRev || "",
+      "data-testid": "form-magic-link",
+      className: props.className,
+      onSubmit: (e) => {
+        e.preventDefault();
+        if (email) void request({ email, appId: props.appId, redirectUri: props.redirectUri });
+      },
+      style: { display: "flex", flexDirection: "column", gap: 8 },
       children: [
         /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
-          "button",
+          "input",
           {
-            type: "button",
-            "aria-haspopup": "menu",
-            "aria-expanded": open,
-            onClick: () => setOpen((o) => !o),
-            style: { background: "transparent", border: `1px solid ${accent}55`, color: branding?.primaryColor || "#0f172a", padding: "6px 12px", borderRadius: 6, cursor: "pointer", fontSize: 13 },
-            children: active?.tenantName || active?.tenantSlug || "Select organization"
+            "data-testid": "input-magic-link-email",
+            type: "email",
+            required: true,
+            value: email,
+            placeholder: props.placeholder ?? "you@example.com",
+            onChange: (e) => setEmail(e.target.value),
+            style: { padding: 8, border: "1px solid rgba(15,23,42,0.15)", borderRadius: 6 }
           }
         ),
-        open ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { role: "menu", style: {
-          position: "absolute",
-          left: 0,
-          top: 36,
-          minWidth: 220,
-          background: "#fff",
-          border: "1px solid rgba(15,23,42,0.12)",
-          borderRadius: 8,
-          boxShadow: "0 4px 12px rgba(0,0,0,0.08)",
-          padding: 8,
-          zIndex: 100
-        }, children: memberships.length === 0 ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { fontSize: 13, opacity: 0.6, padding: "4px 6px" }, children: "No memberships" }) : memberships.map((m) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(
-          "button",
-          {
-            role: "menuitem",
-            type: "button",
-            onClick: () => switchTo(m.tenantId),
-            style: {
-              display: "block",
-              width: "100%",
-              textAlign: "left",
-              padding: "8px 10px",
-              background: m.tenantId === activeTenantId ? `${accent}14` : "transparent",
-              border: "none",
-              borderRadius: 4,
-              cursor: "pointer",
-              fontSize: 13,
-              color: "#0f172a"
-            },
-            children: [
-              /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontWeight: 500 }, children: m.tenantName || m.tenantSlug || m.tenantId }),
-              /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { style: { fontSize: 11, opacity: 0.6 }, children: m.roles.join(", ") })
-            ]
-          },
-          m.tenantId
-        )) }) : null
+        /* @__PURE__ */ (0, import_jsx_runtime.jsx)("button", { "data-testid": "button-magic-link-submit", type: "submit", disabled: busy || !email, children: busy ? "Sending\u2026" : props.buttonLabel ?? "Email me a sign-in link" }),
+        sent ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { "data-testid": "text-magic-link-sent", style: { fontSize: 12 }, children: "If the email is on file, a link is on the way." }) : null,
+        error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { "data-testid": "text-magic-link-error", style: { fontSize: 12, color: "#b91c1c" }, children: error }) : null
       ]
     }
   );
 }
+function PasskeySignInButton({ email, className, children, ...rest }) {
+  const { signIn: signIn2, busy, error } = usePasskey(rest);
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { className, children: [
+    /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+      "button",
+      {
+        "data-testid": "button-passkey-signin",
+        disabled: busy,
+        onClick: () => void signIn2({ email }).catch(() => {
+        }),
+        style: { padding: "8px 12px", borderRadius: 6, border: "1px solid rgba(15,23,42,0.15)", background: "transparent", cursor: "pointer" },
+        children: busy ? "Verifying\u2026" : children ?? "Sign in with a passkey"
+      }
+    ),
+    error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { "data-testid": "text-passkey-error", style: { fontSize: 12, color: "#b91c1c", marginTop: 4 }, children: error }) : null
+  ] });
+}
+function LinkedAccounts({ className, onChange, ...rest }) {
+  const { identities, loading, error, unlink } = useLinkedIdentities(rest);
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { "data-testid": "section-linked-accounts", className, children: loading ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { children: "Loading\u2026" }) : error ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)("p", { style: { color: "#b91c1c" }, children: error }) : /* @__PURE__ */ (0, import_jsx_runtime.jsx)("ul", { style: { listStyle: "none", padding: 0, margin: 0 }, children: identities.map((i) => /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("li", { "data-testid": `row-identity-${i.provider}`, style: { display: "flex", justifyContent: "space-between", padding: "6px 0" }, children: [
+    /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("span", { children: [
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("strong", { style: { textTransform: "capitalize" }, children: i.provider }),
+      " ",
+      /* @__PURE__ */ (0, import_jsx_runtime.jsx)("span", { style: { opacity: 0.7 }, children: i.label || i.providerUserId || "" })
+    ] }),
+    i.canUnlink ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
+      "button",
+      {
+        "data-testid": `button-unlink-${i.provider}`,
+        onClick: async () => {
+          const pw = window.prompt("Confirm your password to unlink this identity") || void 0;
+          try {
+            await unlink(i.provider, pw);
+            onChange?.();
+          } catch {
+          }
+        },
+        children: "Unlink"
+      }
+    ) : null
+  ] }, i.id)) }) });
+}
 var __version__ = "phase-bc-1.0.0";
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AuthCallback,
+  CreateOrganization,
   IQAuthLoaded,
   IQAuthLoading,
   IQAuthProvider,
+  IQAuthReturnToBouncer,
+  ImpersonationBanner,
+  LinkedAccounts,
+  MagicLinkSignInForm,
+  MultisessionAppSupport,
+  OrganizationList,
+  OrganizationProfile,
   OrganizationSwitcher,
+  PasskeySignInButton,
+  Protect,
   RedirectToSignIn,
+  RedirectToSignedIn,
   SignIn,
   SignUp,
   SignedIn,
   SignedOut,
   UserButton,
   UserProfile,
+  Waitlist,
   __version__,
+  isReturnToAllowed,
   isSilentSsoEligible,
+  preflightReturnTo,
+  revokeSession,
   sanitizeBrandCss,
+  sanitizeReturnTo,
+  slugify,
+  useAccountList,
+  useAccountSwitcher,
   useAuth,
   useAuthFetch,
   useIQAuthSignInContext,
+  useImpersonation,
+  useLinkedIdentities,
+  useLocale,
+  useMagicLink,
   useOrganization,
+  usePasskey,
   useResolvedSdkBranding,
+  useReturnTo,
+  useReverification,
   useSession,
+  useSessionList,
+  useT,
   useUser
 });