@iqauth/sdk 2.3.0 → 2.6.0

package/dist/react.mjs

@@ -1,11 +1,28 @@
 import {
+  AccountRegistry,
+  MultiAccountTokenStore,
   SessionManager,
+  defaultCookieStore,
+  enrollPasskey,
+  linkProvider,
+  listLinkedIdentities,
+  requestMagicLink,
+  signInWithPasskey,
+  unlinkProvider
+} from "./chunk-76W5TLQQ.mjs";
+import {
   handleAuthCallback,
   redirectToSignIn,
   signIn,
   signOut
-} from "./chunk-RACIPVLD.mjs";
+} from "./chunk-TKZTCPEK.mjs";
 import "./chunk-WQWBJSSS.mjs";
+import {
+  defaultBundle,
+  localizeErrorCode,
+  resolveBundle,
+  t
+} from "./chunk-5T7GHBX6.mjs";
 import "./chunk-6I6RM4MN.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 
@@ -22,7 +39,57 @@ import {
   useState,
   useSyncExternalStore
 } from "react";
+
+// src/browser/returnTo.ts
+function normalizeOrigin(o) {
+  try {
+    return new URL(o).origin;
+  } catch {
+    return o.replace(/\/+$/, "");
+  }
+}
+function sanitizeReturnTo(input, options = {}) {
+  const fallback = options.fallback ?? "/";
+  if (!input || typeof input !== "string") return fallback;
+  const trimmed = input.trim();
+  if (!trimmed) return fallback;
+  if (trimmed.startsWith("//")) return fallback;
+  if (trimmed.startsWith("/") || trimmed.startsWith("#") || trimmed.startsWith("?")) {
+    return trimmed;
+  }
+  if (!/^[a-z][a-z0-9+\-.]*:/i.test(trimmed)) {
+    return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
+  }
+  let parsed;
+  try {
+    parsed = new URL(trimmed);
+  } catch {
+    return fallback;
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return fallback;
+  const currentOrigin = options.currentOrigin ?? (typeof window !== "undefined" ? window.location.origin : "");
+  const allowed = /* @__PURE__ */ new Set();
+  if (currentOrigin) allowed.add(normalizeOrigin(currentOrigin));
+  for (const o of options.allowedOrigins ?? []) allowed.add(normalizeOrigin(o));
+  if (allowed.has(parsed.origin)) return parsed.toString();
+  return fallback;
+}
+function isReturnToAllowed(input, options = {}) {
+  const fallback = options.fallback ?? "/";
+  const out = sanitizeReturnTo(input, options);
+  if (!input) return false;
+  return out !== fallback || input === fallback;
+}
+
+// src/react/index.tsx
 import { Fragment as Fragment2, jsx, jsxs } from "react/jsx-runtime";
+var globalManager = null;
+function setGlobalManager(m) {
+  globalManager = m;
+}
+function getGlobalManager() {
+  return globalManager;
+}
 var IQAuthContext = createContext(null);
 function IQAuthProvider({
   publishableKey,
@@ -30,6 +97,11 @@ function IQAuthProvider({
   channelName,
   proactiveRefresh,
   manager: externalManager,
+  allowedReturnOrigins,
+  appearance,
+  roleMapper,
+  cookieNames,
+  localization,
   children
 }) {
   const managerRef = useRef(null);
@@ -38,8 +110,10 @@ function IQAuthProvider({
       publishableKey,
       issuer,
       channelName,
-      proactiveRefresh
+      proactiveRefresh,
+      cookieNames
     });
+    setGlobalManager(managerRef.current);
   }
   const manager = managerRef.current;
   const subscribe = useCallback(
@@ -65,7 +139,21 @@ function IQAuthProvider({
       }
     };
   }, [manager]);
-  const value = useMemo(() => ({ manager, snapshot }), [manager, snapshot]);
+  const resolvedLocalization = useMemo(
+    () => resolveBundle(localization),
+    [localization]
+  );
+  const value = useMemo(
+    () => ({
+      manager,
+      snapshot,
+      allowedReturnOrigins: allowedReturnOrigins ?? [],
+      appearance: appearance ?? null,
+      roleMapper: roleMapper ?? null,
+      localization: resolvedLocalization
+    }),
+    [manager, snapshot, allowedReturnOrigins, appearance, roleMapper, resolvedLocalization]
+  );
   return createElement(IQAuthContext.Provider, { value }, children);
 }
 function useCtx() {
@@ -73,16 +161,56 @@ function useCtx() {
   if (!ctx) throw new Error("IQAuth hooks must be used inside <IQAuthProvider>");
   return ctx;
 }
+function useLocale() {
+  const ctx = useContext(IQAuthContext);
+  return ctx?.localization ?? defaultBundle;
+}
+function useT() {
+  const bundle = useLocale();
+  return useMemo(
+    () => (key, vars) => t(bundle, key, vars),
+    [bundle]
+  );
+}
+function localizeError(bundle, raw) {
+  if (!raw) return t(bundle, "errors.generic");
+  if (typeof raw === "string") {
+    if (/^[A-Z][A-Z0-9_]+$/.test(raw)) return localizeErrorCode(bundle, raw);
+    return raw;
+  }
+  if (raw.code) return localizeErrorCode(bundle, raw.code);
+  return raw.message || t(bundle, "errors.generic");
+}
 function useUser() {
-  const { snapshot } = useCtx();
+  const { snapshot, roleMapper } = useCtx();
   return useMemo(
-    () => ({
-      isLoaded: snapshot.status !== "loading",
-      isSignedIn: snapshot.status === "authenticated" && !!snapshot.user,
-      user: snapshot.user,
-      error: snapshot.error
-    }),
-    [snapshot.status, snapshot.user, snapshot.error, snapshot.version]
+    () => {
+      const user = snapshot.user ? {
+        ...snapshot.user,
+        // F13 — derive `role` via roleMapper, falling back to a sensible default
+        role: (() => {
+          if (roleMapper) {
+            try {
+              return roleMapper(snapshot.claims);
+            } catch {
+              return null;
+            }
+          }
+          const c = snapshot.claims;
+          if (!c) return null;
+          if (typeof c.role === "string" && c.role) return c.role;
+          if (Array.isArray(c.roles) && c.roles.length > 0 && typeof c.roles[0] === "string") return c.roles[0];
+          return null;
+        })()
+      } : null;
+      return {
+        isLoaded: snapshot.status !== "loading",
+        isSignedIn: snapshot.status === "authenticated" && !!snapshot.user,
+        user,
+        error: snapshot.error
+      };
+    },
+    [snapshot.status, snapshot.user, snapshot.claims, snapshot.error, snapshot.version, roleMapper]
   );
 }
 function useSession() {
@@ -134,6 +262,148 @@ function useAuthFetch() {
     [manager]
   );
 }
+function useSessionList() {
+  const { manager } = useCtx();
+  const [sessions, setSessions] = useState([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const base = manager.issuerUrl.replace(/\/$/, "");
+  const refresh = useCallback(async () => {
+    setLoading(true);
+    setError(null);
+    try {
+      const res = await manager.fetch(`${base}/api/v1/users/me/sessions`);
+      const json = await res.json().catch(() => ({}));
+      if (!res.ok) throw new Error(json?.error?.message || `HTTP ${res.status}`);
+      setSessions(json?.data?.sessions || []);
+    } catch (err) {
+      setError(err.message);
+    } finally {
+      setLoading(false);
+    }
+  }, [manager, base]);
+  useEffect(() => {
+    void refresh();
+  }, [refresh]);
+  const revoke = useCallback(async (sessionId) => {
+    const res = await manager.fetch(`${base}/api/v1/users/me/sessions/${encodeURIComponent(sessionId)}`, { method: "DELETE" });
+    if (!res.ok) {
+      const j = await res.json().catch(() => ({}));
+      throw new Error(j?.error?.message || `HTTP ${res.status}`);
+    }
+    setSessions((prev) => prev.filter((s) => s.id !== sessionId));
+  }, [manager, base]);
+  const revokeAllOthers = useCallback(async () => {
+    const res = await manager.fetch(`${base}/api/v1/users/me/sessions/revoke-all-others`, { method: "POST" });
+    const json = await res.json().catch(() => ({}));
+    if (!res.ok) throw new Error(json?.error?.message || `HTTP ${res.status}`);
+    setSessions((prev) => prev.filter((s) => s.isCurrent));
+    return { terminatedCount: json?.data?.terminatedCount ?? 0 };
+  }, [manager, base]);
+  return { sessions, loading, error, refresh, revoke, revokeAllOthers };
+}
+async function revokeSession(sessionId) {
+  const mgr = getGlobalManager();
+  if (!mgr) throw new Error("revokeSession() requires <IQAuthProvider> mounted");
+  const base = mgr.issuerUrl.replace(/\/$/, "");
+  const res = await mgr.fetch(`${base}/api/v1/users/me/sessions/${encodeURIComponent(sessionId)}`, { method: "DELETE" });
+  if (!res.ok) {
+    const j = await res.json().catch(() => ({}));
+    throw new Error(j?.error?.message || `HTTP ${res.status}`);
+  }
+}
+var MultisessionContext = createContext(null);
+function MultisessionAppSupport({ children }) {
+  const { manager, snapshot } = useCtx();
+  const registryRef = useRef(null);
+  if (!registryRef.current) {
+    registryRef.current = new AccountRegistry(manager.appKey);
+  }
+  const registry = registryRef.current;
+  const [version, setVersion] = useState(0);
+  useEffect(() => {
+    const store = new MultiAccountTokenStore(registry, defaultCookieStore());
+    manager.setTokenStore(store);
+    const unsub = registry.subscribe(() => setVersion((v) => v + 1));
+    return () => {
+      unsub();
+      registry.destroy();
+    };
+  }, [manager]);
+  useEffect(() => {
+    if (snapshot.status !== "authenticated" || !snapshot.user) return;
+    const claims = snapshot.claims;
+    const rec = {
+      accountId: snapshot.user.sub,
+      userId: snapshot.user.sub,
+      email: snapshot.user.email,
+      name: snapshot.user.name,
+      tenantId: snapshot.tenantId ?? claims?.tenantId ?? null,
+      addedAt: Date.now()
+    };
+    registry.upsert(rec);
+    if (registry.active() !== rec.accountId) {
+      registry.setActive(rec.accountId);
+    }
+  }, [snapshot.user?.sub, snapshot.tenantId, snapshot.status]);
+  const value = useMemo(
+    () => ({ registry, version }),
+    [registry, version]
+  );
+  return createElement(MultisessionContext.Provider, { value }, children);
+}
+function useMultiCtx() {
+  const ctx = useContext(MultisessionContext);
+  if (!ctx) throw new Error("F22 hooks must be used inside <MultisessionAppSupport>");
+  return ctx;
+}
+function useAccountList() {
+  const { registry, version } = useMultiCtx();
+  const { isLoaded } = useUser();
+  const accounts = useMemo(() => {
+    const active = registry.active();
+    return registry.list().map((a) => ({
+      accountId: a.accountId,
+      userId: a.userId,
+      email: a.email,
+      name: a.name,
+      tenantId: a.tenantId,
+      isActive: a.accountId === active
+    }));
+  }, [registry, version]);
+  return { accounts, loading: !isLoaded };
+}
+function useAccountSwitcher() {
+  const { manager } = useCtx();
+  const { registry } = useMultiCtx();
+  const addAccount = useCallback(
+    async (opts = {}) => {
+      registry.setActive(null);
+      await signIn(manager, { ...opts, prompt: "login" });
+    },
+    [manager, registry]
+  );
+  const switchTo = useCallback(
+    async (accountId) => {
+      const target = registry.get(accountId);
+      if (!target) throw new Error(`Unknown accountId: ${accountId}`);
+      registry.setActive(accountId);
+      const ok = await manager.refresh();
+      if (!ok) {
+        registry.remove(accountId);
+        throw new Error("Could not switch account; session may have been revoked");
+      }
+    },
+    [manager, registry]
+  );
+  const removeAccount = useCallback(
+    (accountId) => {
+      registry.remove(accountId);
+    },
+    [registry]
+  );
+  return { addAccount, switchTo, removeAccount };
+}
 function SignedIn({ children }) {
   const { isSignedIn, isLoaded } = useUser();
   if (!isLoaded || !isSignedIn) return null;
@@ -197,6 +467,113 @@ function RedirectToSignIn(props = {}) {
   }
   return null;
 }
+function asArray(v) {
+  if (v == null) return [];
+  return Array.isArray(v) ? v : [v];
+}
+function claimRoles(c) {
+  if (!c) return [];
+  const x = c;
+  if (Array.isArray(x.roles)) return x.roles.filter((r) => typeof r === "string");
+  if (typeof x.role === "string") return [x.role];
+  return [];
+}
+function claimPermissions(c) {
+  if (!c) return [];
+  const x = c;
+  const out = /* @__PURE__ */ new Set();
+  if (Array.isArray(x.permissions)) {
+    for (const p of x.permissions) if (typeof p === "string") out.add(p);
+  }
+  if (Array.isArray(x.entitlements)) {
+    for (const p of x.entitlements) if (typeof p === "string") out.add(p);
+  }
+  if (typeof x.scope === "string") {
+    for (const s of x.scope.split(/\s+/)) if (s) out.add(s);
+  }
+  return Array.from(out);
+}
+function Protect({ role, permission, condition, fallback = null, children }) {
+  const { snapshot } = useCtx();
+  if (snapshot.status !== "authenticated") return createElement(Fragment, null, fallback);
+  const wantedRoles = asArray(role);
+  const wantedPerms = asArray(permission);
+  if (wantedRoles.length) {
+    const have = new Set(claimRoles(snapshot.claims));
+    if (!wantedRoles.some((r) => have.has(r))) return createElement(Fragment, null, fallback);
+  }
+  if (wantedPerms.length) {
+    const have = new Set(claimPermissions(snapshot.claims));
+    if (!wantedPerms.some((p) => have.has(p))) return createElement(Fragment, null, fallback);
+  }
+  if (condition && !condition(snapshot.claims)) return createElement(Fragment, null, fallback);
+  return createElement(Fragment, null, children);
+}
+function RedirectToSignedIn({ to = "/", replace = true } = {}) {
+  const { snapshot, allowedReturnOrigins } = useCtx();
+  useEffect(() => {
+    if (snapshot.status !== "authenticated") return;
+    if (typeof window === "undefined") return;
+    const safe = sanitizeReturnTo(to, { allowedOrigins: allowedReturnOrigins, fallback: "/" });
+    if (replace) window.location.replace(safe);
+    else window.location.assign(safe);
+  }, [snapshot.status, to, replace, allowedReturnOrigins]);
+  return null;
+}
+function useReturnTo(options = {}) {
+  const { allowedReturnOrigins } = useCtx();
+  const paramName = options.paramName ?? "return_to";
+  const storageKey = options.storageKey ?? "iqauth_return_to";
+  const fallback = options.fallback ?? "/";
+  return useMemo(() => {
+    if (typeof window === "undefined") return fallback;
+    let raw = null;
+    try {
+      const params = new URLSearchParams(window.location.search);
+      raw = params.get(paramName) || params.get("next");
+    } catch {
+    }
+    if (!raw) {
+      try {
+        raw = window.sessionStorage.getItem(storageKey);
+      } catch {
+      }
+    }
+    const safe = sanitizeReturnTo(raw, { allowedOrigins: allowedReturnOrigins, fallback });
+    if (safe !== fallback) {
+      try {
+        window.sessionStorage.setItem(storageKey, safe);
+      } catch {
+      }
+    }
+    return safe;
+  }, [paramName, storageKey, fallback, allowedReturnOrigins]);
+}
+function IQAuthReturnToBouncer({ children, ...opts }) {
+  const { snapshot } = useCtx();
+  const returnTo = useReturnTo(opts);
+  useEffect(() => {
+    if (snapshot.status !== "authenticated") return;
+    if (typeof window === "undefined") return;
+    window.location.replace(returnTo);
+  }, [snapshot.status, returnTo]);
+  if (snapshot.status === "authenticated") return null;
+  return createElement(Fragment, null, children);
+}
+async function preflightReturnTo(args) {
+  const f = args.fetchImpl ?? fetch;
+  const url = `${args.iqAuthBaseUrl.replace(/\/$/, "")}/api/public/apps/${encodeURIComponent(args.appKey)}/sign-in-context?return_to=${encodeURIComponent(args.returnTo)}`;
+  try {
+    const r = await f(url, { credentials: "include" });
+    const body = await r.json().catch(() => null);
+    if (!r.ok || !body?.success || !body.data) {
+      return { ok: false, allowedOrigins: [], reason: body?.error?.message || `HTTP ${r.status}` };
+    }
+    return { ok: !!body.data.returnAllowed, allowedOrigins: body.data.allowedOrigins ?? [], reason: body.data.returnAllowed ? void 0 : "returnTo not in app allowedOrigins" };
+  } catch (err) {
+    return { ok: false, allowedOrigins: [], reason: err.message };
+  }
+}
 function AuthCallback({ onComplete, fallback } = {}) {
   const { manager } = useCtx();
   useEffect(() => {
@@ -252,7 +629,19 @@ function useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo) {
     let cancelled = false;
     setLoading(true);
     const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/public/apps/${encodeURIComponent(appKey)}/sign-in-context?return_to=${encodeURIComponent(returnTo)}`;
-    fetch(url, { credentials: "include" }).then((r) => r.json()).then((payload) => {
+    fetch(url, { credentials: "include" }).then(async (r) => {
+      const contentType = r.headers.get("content-type") || "";
+      if (!r.ok || !contentType.includes("json")) {
+        const bodyPreview = await r.text().then((t2) => t2.slice(0, 160)).catch(() => "");
+        console.error(
+          `[IQAuth] sign-in-context request failed: ${r.status} ${r.statusText} (content-type: ${contentType || "\u2014"}). URL: ${url}. Common causes: (1) iqAuthBaseUrl points at the wrong host (it should be your IQAuth issuer, e.g. https://auth.dispositioniq.com \u2014 NOT your own app's domain); (2) the app key "${appKey}" is wrong or revoked; (3) CORS preflight is blocked because this origin isn't in the app's allowed-origins list. Response body preview: ${bodyPreview}`
+        );
+        throw new Error(
+          r.status >= 500 ? "Failed to load sign-in context (server error)" : `Failed to load sign-in context (HTTP ${r.status})`
+        );
+      }
+      return r.json();
+    }).then((payload) => {
       if (cancelled) return;
       if (payload?.success === false) throw new Error(payload?.error?.message || "Failed to load sign-in context");
       setCtx(payload.data);
@@ -275,6 +664,14 @@ var SHELL_CSS = `
   grid-template-columns: 1fr;
   background: var(--brand-bg, #f7f7f6);
   color: var(--brand-text, #0f172a);
+  /* Container queries so the two-pane layout responds to the SDK's
+     RENDERED width, not the viewport. This keeps the form usable when
+     a host app embeds <SignIn/> inside a narrower card or sidebar
+     instead of full-screen \u2014 the previous viewport @media query would
+     happily render the side-by-side hero+form into a 200px container
+     and wrap text one character per line. */
+  container-type: inline-size;
+  container-name: iqauth-sdk;
 }
 .iqauth-sdk-hero { display: none; }
 .iqauth-sdk-pane {
@@ -324,7 +721,7 @@ var SHELL_CSS = `
 .iqauth-sdk-google-btn:hover { background: #f8fafc; border-color: rgba(15,23,42,0.28); }
 .iqauth-sdk-google-btn[disabled] { opacity: 0.6; cursor: not-allowed; }
 
-@media (min-width: 768px) {
+@container iqauth-sdk (min-width: 768px) {
   .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 1fr) minmax(0, 1fr); }
   .iqauth-sdk-hero {
     display: flex; flex-direction: column; justify-content: space-between;
@@ -345,7 +742,7 @@ var SHELL_CSS = `
   .iqauth-sdk-hero-foot { font-size: 12px; opacity: 0.7; }
   .iqauth-sdk-mobile-brand { display: none; }
 }
-@media (min-width: 1280px) {
+@container iqauth-sdk (min-width: 1280px) {
   .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 5fr) minmax(0, 6fr); }
 }
 `;
@@ -482,10 +879,12 @@ function Shell({
   className,
   children,
   title,
-  subtitle
+  subtitle,
+  appearance
 }) {
   ensureSdkShellStyles();
-  useDocumentBranding(branding, title || "Sign in");
+  const t2 = useT();
+  useDocumentBranding(branding, title || t2("signIn.title"));
   const brandVars = brandStyle(branding);
   const brandName = branding?.brandName || "IQAuth";
   const heroImage = branding?.heroImageUrl || null;
@@ -496,14 +895,16 @@ function Shell({
   const heroStyle = heroImage ? { ["--iqauth-sdk-hero-image"]: `url("${heroImage.replace(/"/g, '\\"')}")` } : {};
   const shellStyle = {
     ...brandVars,
-    ...layout === "full_bleed" && bgImage ? { backgroundImage: `linear-gradient(rgba(15,23,42,0.35), rgba(15,23,42,0.45)), url("${bgImage.replace(/"/g, '\\"')}")` } : {}
+    ...layout === "full_bleed" && bgImage ? { backgroundImage: `linear-gradient(rgba(15,23,42,0.35), rgba(15,23,42,0.45)), url("${bgImage.replace(/"/g, '\\"')}")` } : {},
+    ...appearance?.elements?.rootBox?.style || {}
   };
+  const ap = appearance?.elements;
   const supportLink = branding?.supportUrl ? branding.supportUrl : branding?.supportEmail ? `mailto:${branding.supportEmail}` : null;
   const hasFooterLinks = !!(branding?.termsUrl || branding?.privacyUrl || supportLink);
   return /* @__PURE__ */ jsxs(
     "div",
     {
-      className: `iqauth-sdk-shell${className ? ` ${className}` : ""}`,
+      className: `iqauth-sdk-shell${className ? ` ${className}` : ""}${ap?.rootBox?.className ? ` ${ap.rootBox.className}` : ""}`,
       "data-layout": layout,
       "data-social-style": socialStyle || void 0,
       style: shellStyle,
@@ -524,13 +925,34 @@ function Shell({
         ] }),
         /* @__PURE__ */ jsx("div", { className: "iqauth-sdk-pane", children: /* @__PURE__ */ jsxs("main", { style: { width: "100%", maxWidth: 420 }, children: [
           /* @__PURE__ */ jsx("div", { className: "iqauth-sdk-mobile-brand", children: /* @__PURE__ */ jsx(SdkBrandLogo, { branding, alt: `${brandName} logo`, fallback: /* @__PURE__ */ jsx("span", { children: brandName }) }) }),
-          /* @__PURE__ */ jsxs("section", { className: "iqauth-sdk-card", children: [
-            title || subtitle ? /* @__PURE__ */ jsxs("div", { className: "iqauth-sdk-card-header", children: [
-              title ? /* @__PURE__ */ jsx("h1", { children: title }) : null,
-              subtitle ? /* @__PURE__ */ jsx("p", { children: subtitle }) : null
-            ] }) : null,
-            /* @__PURE__ */ jsx("div", { className: "iqauth-sdk-card-body", children })
-          ] }),
+          /* @__PURE__ */ jsxs(
+            "section",
+            {
+              className: `iqauth-sdk-card${ap?.card?.className ? ` ${ap.card.className}` : ""}`,
+              style: ap?.card?.style,
+              children: [
+                title || subtitle ? /* @__PURE__ */ jsxs(
+                  "div",
+                  {
+                    className: `iqauth-sdk-card-header${ap?.cardHeader?.className ? ` ${ap.cardHeader.className}` : ""}`,
+                    style: ap?.cardHeader?.style,
+                    children: [
+                      title ? /* @__PURE__ */ jsx("h1", { className: ap?.headerTitle?.className, style: ap?.headerTitle?.style, children: title }) : null,
+                      subtitle ? /* @__PURE__ */ jsx("p", { className: ap?.headerSubtitle?.className, style: ap?.headerSubtitle?.style, children: subtitle }) : null
+                    ]
+                  }
+                ) : null,
+                /* @__PURE__ */ jsx(
+                  "div",
+                  {
+                    className: `iqauth-sdk-card-body${ap?.cardBody?.className ? ` ${ap.cardBody.className}` : ""}`,
+                    style: ap?.cardBody?.style,
+                    children
+                  }
+                )
+              ]
+            }
+          ),
           hasFooterLinks || branding?.footerText ? /* @__PURE__ */ jsxs("footer", { className: "iqauth-sdk-footer", children: [
             branding?.footerText ? /* @__PURE__ */ jsx("div", { "data-testid": "text-brand-footer-sdk", style: { fontSize: 12, opacity: 0.75 }, children: branding.footerText }) : null,
             hasFooterLinks ? /* @__PURE__ */ jsxs("div", { className: "iqauth-sdk-footer-links", children: [
@@ -621,8 +1043,30 @@ function isSilentSsoEligible(ctx, effectivePrompt) {
   if (!ctx.returnAllowed) return false;
   return true;
 }
-function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt }) {
+function SignIn(props) {
+  const providerCtx = useContext(IQAuthContext);
+  const iqAuthBaseUrl = props.iqAuthBaseUrl ?? providerCtx?.manager.issuerUrl ?? "";
+  const appKey = props.appKey ?? providerCtx?.manager.appKey ?? "";
+  const returnTo = props.returnTo ?? (typeof window !== "undefined" ? `${window.location.origin}/api/iqauth/callback` : "");
+  const { onRedirect, className, prompt, appearance: instanceAppearance } = props;
+  const appearance = instanceAppearance && providerCtx?.appearance ? { elements: { ...providerCtx.appearance.elements, ...instanceAppearance.elements } } : instanceAppearance ?? providerCtx?.appearance ?? null;
+  if (!iqAuthBaseUrl || !appKey) {
+    console.error(
+      "[IQAuth] <SignIn /> could not determine iqAuthBaseUrl/appKey. Either pass them explicitly OR wrap the component in <IQAuthProvider publishableKey=\u2026/>."
+    );
+  }
+  const t2 = useT();
+  const localeBundle = useLocale();
   const { ctx, loading, error } = useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo);
+  const preflightLoggedRef = useRef(false);
+  useEffect(() => {
+    if (!ctx || preflightLoggedRef.current) return;
+    if (ctx.returnAllowed) return;
+    preflightLoggedRef.current = true;
+    console.error(
+      `[IQAuth] returnTo "${returnTo}" is NOT in the app's allowed origins. Add it via the IQAuth admin console: Apps \u2192 ${ctx.app.key} \u2192 Allowed Origins. Currently allowed: [${ctx.allowedOrigins.join(", ") || "\u2014"}].`
+    );
+  }, [ctx, returnTo]);
   const [email, setEmail] = useState("");
   const [password, setPassword] = useState("");
   const [submitting, setSubmitting] = useState(false);
@@ -681,9 +1125,9 @@ function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt
         body: JSON.stringify({ email, password, ...oidcPayload() })
       });
       const payload = await r.json().catch(() => ({}));
-      if (!handlePayload(payload)) setFormError(payload.error_description || payload.error || "Sign-in failed");
+      if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
     } catch (err) {
-      setFormError(err.message || "Network error");
+      setFormError(err.message || t(localeBundle, "errors.network"));
     }
     setSubmitting(false);
   };
@@ -705,7 +1149,7 @@ function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt
       })
     });
     const payload = await r.json().catch(() => ({}));
-    if (!handlePayload(payload)) setFormError(payload.error_description || payload.error || "MFA verification failed");
+    if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
     setSubmitting(false);
   };
   const submitTenant = async (tenantId) => {
@@ -719,7 +1163,7 @@ function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt
       body: JSON.stringify({ tenantSelectionToken: tenantSel.token, tenantId, ...oidcPayload() })
     });
     const payload = await r.json().catch(() => ({}));
-    if (!handlePayload(payload)) setFormError(payload.error_description || payload.error || "Tenant selection failed");
+    if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
     setSubmitting(false);
   };
   const startGoogleLogin = () => {
@@ -817,36 +1261,36 @@ function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt
       setOauthExchanging(false);
     })();
   }, [ctx?.app.defaultClientId]);
-  if (loading || oauthExchanging) return /* @__PURE__ */ jsx(Shell, { branding: ctx?.branding || null, className, title: oauthExchanging ? "Completing sign-in\u2026" : "Loading\u2026", children: /* @__PURE__ */ jsx("p", { children: oauthExchanging ? "Completing sign-in\u2026" : "Loading\u2026" }) });
-  if (error || !ctx) return /* @__PURE__ */ jsx(Shell, { branding: null, className, title: "Application unavailable", children: /* @__PURE__ */ jsx(ErrorBanner, { message: error || "Failed to load app context" }) });
-  if (!ctx.returnAllowed) return /* @__PURE__ */ jsx(Shell, { branding: ctx.branding, className, title: "Invalid redirect", children: /* @__PURE__ */ jsx(ErrorBanner, { message: `returnTo "${returnTo}" is not in this app's allowed origins.` }) });
+  if (loading || oauthExchanging) return /* @__PURE__ */ jsx(Shell, { appearance, branding: ctx?.branding || null, className, title: oauthExchanging ? t2("signIn.submitting") : t2("common.loading"), children: /* @__PURE__ */ jsx("p", { children: oauthExchanging ? t2("signIn.submitting") : t2("common.loading") }) });
+  if (error || !ctx) return /* @__PURE__ */ jsx(Shell, { appearance, branding: null, className, title: t2("errors.serverError"), children: /* @__PURE__ */ jsx(ErrorBanner, { message: error || t2("errors.serverError") }) });
+  if (!ctx.returnAllowed) return /* @__PURE__ */ jsx(Shell, { appearance, branding: ctx.branding, className, title: t2("errors.generic"), children: /* @__PURE__ */ jsx(ErrorBanner, { message: `returnTo "${returnTo}" is not in this app's allowed origins.` }) });
   const silentEligible = isSilentSsoEligible(ctx, effectivePrompt);
   if (silentEligible && silent !== "failed") {
-    return /* @__PURE__ */ jsxs(Shell, { branding: ctx.branding, className, title: "Signing you in\u2026", subtitle: ctx.session ? `Welcome back, ${ctx.session.name || ctx.session.email}.` : void 0, children: [
-      /* @__PURE__ */ jsx("p", { "data-testid": "text-silent-resume", style: { fontSize: 14, opacity: 0.8 }, children: "Resuming your session." }),
-      /* @__PURE__ */ jsx("a", { href: "#", onClick: switchAccount, "data-testid": "link-switch-account", style: { fontSize: 13 }, children: "Not you? Use a different account" })
+    return /* @__PURE__ */ jsxs(Shell, { appearance, branding: ctx.branding, className, title: t2("signIn.resumingSession"), subtitle: ctx.session ? `${t2("signIn.subtitle")}, ${ctx.session.name || ctx.session.email}.` : void 0, children: [
+      /* @__PURE__ */ jsx("p", { "data-testid": "text-silent-resume", style: { fontSize: 14, opacity: 0.8 }, children: t2("signIn.resumingSession") }),
+      /* @__PURE__ */ jsx("a", { href: "#", onClick: switchAccount, "data-testid": "link-switch-account", style: { fontSize: 13 }, children: t2("signIn.useDifferentAccount") })
     ] });
   }
-  const cardTitle = ctx.branding?.loginHeadline || `Sign in to ${ctx.app.name}`;
+  const cardTitle = ctx.branding?.loginHeadline || t2("signIn.titleWithApp", { appName: ctx.app.name });
   const cardSubtitle = ctx.branding?.loginSubheadline || void 0;
-  return /* @__PURE__ */ jsxs(Shell, { branding: ctx.branding, className, title: cardTitle, subtitle: cardSubtitle, children: [
+  return /* @__PURE__ */ jsxs(Shell, { appearance, branding: ctx.branding, className, title: cardTitle, subtitle: cardSubtitle, children: [
     formError ? /* @__PURE__ */ jsx(ErrorBanner, { message: formError }) : null,
-    tenantSel ? /* @__PURE__ */ jsx("div", { role: "radiogroup", "aria-label": "Choose tenant", style: { display: "flex", flexDirection: "column", gap: 8 }, children: tenantSel.tenants.map((t) => /* @__PURE__ */ jsxs(
+    tenantSel ? /* @__PURE__ */ jsx("div", { role: "radiogroup", "aria-label": t2("signIn.selectTenant"), style: { display: "flex", flexDirection: "column", gap: 8 }, children: tenantSel.tenants.map((tn) => /* @__PURE__ */ jsxs(
       "button",
       {
         type: "button",
-        "data-iqauth-tenant": t.tenantId,
-        onClick: () => submitTenant(t.tenantId),
+        "data-iqauth-tenant": tn.tenantId,
+        onClick: () => submitTenant(tn.tenantId),
         style: { textAlign: "left", padding: "10px 14px", border: "1px solid rgba(15,23,42,0.15)", borderRadius: 8, background: "transparent", color: "inherit", cursor: "pointer" },
         children: [
-          /* @__PURE__ */ jsx("p", { style: { margin: 0, fontWeight: 500 }, children: t.tenantName || t.tenantSlug || t.tenantId }),
-          /* @__PURE__ */ jsx("p", { style: { margin: 0, fontSize: 12, opacity: 0.6 }, children: t.roles.join(", ") })
+          /* @__PURE__ */ jsx("p", { style: { margin: 0, fontWeight: 500 }, children: tn.tenantName || tn.tenantSlug || tn.tenantId }),
+          /* @__PURE__ */ jsx("p", { style: { margin: 0, fontSize: 12, opacity: 0.6 }, children: tn.roles.join(", ") })
         ]
       },
-      t.tenantId
-    )) }) : mfa ? /* @__PURE__ */ jsxs("form", { onSubmit: submitMfa, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": "MFA verification", children: [
-      !mfa.backup && mfa.methods.length > 1 ? /* @__PURE__ */ jsx(Field, { label: "Method", children: /* @__PURE__ */ jsx("select", { style: inputStyle(), value: mfa.selected, onChange: (e) => setMfa({ ...mfa, selected: e.target.value }), children: mfa.methods.map((m) => /* @__PURE__ */ jsx("option", { value: m, children: m.toUpperCase() }, m)) }) }) : null,
-      /* @__PURE__ */ jsx(Field, { label: mfa.backup ? "Backup code" : "Verification code", children: /* @__PURE__ */ jsx(
+      tn.tenantId
+    )) }) : mfa ? /* @__PURE__ */ jsxs("form", { onSubmit: submitMfa, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": t2("mfa.title"), children: [
+      !mfa.backup && mfa.methods.length > 1 ? /* @__PURE__ */ jsx(Field, { label: t2("mfa.title"), children: /* @__PURE__ */ jsx("select", { style: inputStyle(), value: mfa.selected, onChange: (e) => setMfa({ ...mfa, selected: e.target.value }), children: mfa.methods.map((m) => /* @__PURE__ */ jsx("option", { value: m, children: m.toUpperCase() }, m)) }) }) : null,
+      /* @__PURE__ */ jsx(Field, { label: mfa.backup ? t2("mfa.backupCodeLabel") : t2("mfa.totpLabel"), children: /* @__PURE__ */ jsx(
         "input",
         {
           style: { ...inputStyle(), fontFamily: "monospace", textAlign: mfa.backup ? "left" : "center", letterSpacing: mfa.backup ? "0.04em" : "0.3em" },
@@ -856,34 +1300,33 @@ function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt
           inputMode: mfa.backup ? "text" : "numeric"
         }
       ) }),
-      /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: submitting || !mfa.code, children: submitting ? "Verifying\u2026" : "Verify" }),
-      /* @__PURE__ */ jsx(GhostButton, { type: "button", onClick: () => setMfa({ ...mfa, backup: !mfa.backup, code: "" }), children: mfa.backup ? "Use verification code" : "Use backup code" })
+      /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: submitting || !mfa.code, children: submitting ? t2("mfa.submitting") : t2("mfa.submit") }),
+      /* @__PURE__ */ jsx(GhostButton, { type: "button", onClick: () => setMfa({ ...mfa, backup: !mfa.backup, code: "" }), children: mfa.backup ? t2("mfa.useAuthenticator") : t2("mfa.useBackupCode") })
     ] }) : /* @__PURE__ */ jsxs("div", { style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
       ctx.providers?.google ? /* @__PURE__ */ jsxs(Fragment2, { children: [
-        /* @__PURE__ */ jsxs("button", { type: "button", className: "iqauth-sdk-google-btn", onClick: startGoogleLogin, disabled: submitting, "aria-label": ctx.branding?.googleButtonLabel || "Continue with Google", children: [
+        /* @__PURE__ */ jsxs("button", { type: "button", className: "iqauth-sdk-google-btn", onClick: startGoogleLogin, disabled: submitting, "aria-label": ctx.branding?.googleButtonLabel || t2("signIn.continueWithGoogle"), children: [
           /* @__PURE__ */ jsxs("svg", { width: "18", height: "18", viewBox: "0 0 18 18", "aria-hidden": "true", children: [
             /* @__PURE__ */ jsx("path", { fill: "#4285F4", d: "M17.64 9.2c0-.64-.06-1.25-.17-1.84H9v3.48h4.84a4.14 4.14 0 0 1-1.8 2.71v2.26h2.92a8.78 8.78 0 0 0 2.68-6.61z" }),
             /* @__PURE__ */ jsx("path", { fill: "#34A853", d: "M9 18c2.43 0 4.47-.81 5.96-2.18l-2.92-2.26a5.4 5.4 0 0 1-8.04-2.83H.96v2.33A9 9 0 0 0 9 18z" }),
             /* @__PURE__ */ jsx("path", { fill: "#FBBC05", d: "M3.96 10.71A5.41 5.41 0 0 1 3.68 9c0-.59.1-1.17.29-1.71V4.96H.96a9 9 0 0 0 0 8.08l3-2.33z" }),
             /* @__PURE__ */ jsx("path", { fill: "#EA4335", d: "M9 3.58c1.32 0 2.5.45 3.44 1.35l2.58-2.59A9 9 0 0 0 .96 4.96l3 2.33A5.4 5.4 0 0 1 9 3.58z" })
           ] }),
-          ctx.branding?.googleButtonLabel || "Continue with Google"
+          ctx.branding?.googleButtonLabel || t2("signIn.continueWithGoogle")
         ] }),
-        /* @__PURE__ */ jsx("div", { role: "separator", "aria-label": "or", className: "iqauth-sdk-divider", children: "OR" })
+        /* @__PURE__ */ jsx("div", { role: "separator", "aria-label": t2("common.or"), className: "iqauth-sdk-divider", children: t2("signIn.dividerOr").toUpperCase() })
       ] }) : null,
-      /* @__PURE__ */ jsxs("form", { onSubmit: submitLogin, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": `Sign in to ${ctx.app.name}`, children: [
-        /* @__PURE__ */ jsx(Field, { label: "Email", children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "email", autoComplete: "email", required: true, value: email, onChange: (e) => setEmail(e.target.value) }) }),
-        /* @__PURE__ */ jsx(Field, { label: "Password", children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "current-password", required: true, value: password, onChange: (e) => setPassword(e.target.value) }) }),
-        /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: submitting || !email || !password, children: submitting ? "Signing in\u2026" : "Sign in" })
+      /* @__PURE__ */ jsxs("form", { onSubmit: submitLogin, style: { display: "flex", flexDirection: "column", gap: 12 }, "aria-label": t2("signIn.titleWithApp", { appName: ctx.app.name }), children: [
+        /* @__PURE__ */ jsx(Field, { label: t2("signIn.emailLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "email", autoComplete: "email", required: true, value: email, onChange: (e) => setEmail(e.target.value) }) }),
+        /* @__PURE__ */ jsx(Field, { label: t2("signIn.passwordLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "current-password", required: true, value: password, onChange: (e) => setPassword(e.target.value) }) }),
+        /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: submitting || !email || !password, children: submitting ? t2("signIn.submitting") : t2("signIn.submit") })
       ] })
     ] }),
-    (silent === "failed" || effectivePrompt === "login" && ctx.session) && !mfa ? /* @__PURE__ */ jsxs("p", { style: { marginTop: 12, fontSize: 13, opacity: 0.75 }, children: [
-      silent === "failed" && ctx.session ? "Couldn't resume your session. " : null,
-      /* @__PURE__ */ jsx("a", { href: "#", onClick: switchAccount, "data-testid": "link-switch-account", children: "Use a different account" })
-    ] }) : null
+    (silent === "failed" || effectivePrompt === "login" && ctx.session) && !mfa ? /* @__PURE__ */ jsx("p", { style: { marginTop: 12, fontSize: 13, opacity: 0.75 }, children: /* @__PURE__ */ jsx("a", { href: "#", onClick: switchAccount, "data-testid": "link-switch-account", children: t2("signIn.useDifferentAccount") }) }) : null
   ] });
 }
 function SignUp({ iqAuthBaseUrl, appKey, returnTo, onSuccess, className }) {
+  const t2 = useT();
+  const localeBundle = useLocale();
   const { ctx, loading } = useIQAuthSignInContext(iqAuthBaseUrl, appKey, returnTo || "");
   const [name, setName] = useState("");
   const [email, setEmail] = useState("");
@@ -905,22 +1348,19 @@ function SignUp({ iqAuthBaseUrl, appKey, returnTo, onSuccess, className }) {
       setDone(true);
       onSuccess?.();
     } catch (err) {
-      setError(err.message);
+      setError(localizeError(localeBundle, err.message));
     }
     setSubmitting(false);
   };
-  if (loading) return /* @__PURE__ */ jsx(Shell, { branding: null, className, children: /* @__PURE__ */ jsx("p", { children: "Loading\u2026" }) });
-  return /* @__PURE__ */ jsxs(Shell, { branding: ctx?.branding || null, className, children: [
-    /* @__PURE__ */ jsx("h2", { style: { fontSize: 20, fontWeight: 600, margin: "0 0 12px" }, children: "Create your account" }),
-    done ? /* @__PURE__ */ jsx("div", { role: "status", children: /* @__PURE__ */ jsx("p", { children: "Account created. Check your email for verification." }) }) : /* @__PURE__ */ jsxs("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
-      error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
-      /* @__PURE__ */ jsx(Field, { label: "Full name", children: /* @__PURE__ */ jsx("input", { style: inputStyle(), value: name, onChange: (e) => setName(e.target.value), required: true }) }),
-      /* @__PURE__ */ jsx(Field, { label: "Email", children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "email", autoComplete: "email", value: email, onChange: (e) => setEmail(e.target.value), required: true }) }),
-      /* @__PURE__ */ jsx(Field, { label: "Organization (optional)", children: /* @__PURE__ */ jsx("input", { style: inputStyle(), value: organizationName, onChange: (e) => setOrganizationName(e.target.value) }) }),
-      /* @__PURE__ */ jsx(Field, { label: "Password", children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: password, onChange: (e) => setPassword(e.target.value), required: true }) }),
-      /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: submitting || !email || !password || !name, children: submitting ? "Creating\u2026" : "Create account" })
-    ] })
-  ] });
+  if (loading) return /* @__PURE__ */ jsx(Shell, { branding: null, className, children: /* @__PURE__ */ jsx("p", { children: t2("common.loading") }) });
+  return /* @__PURE__ */ jsx(Shell, { branding: ctx?.branding || null, className, title: t2("signUp.title"), children: done ? /* @__PURE__ */ jsx("div", { role: "status", children: /* @__PURE__ */ jsx("p", { children: t2("magicLink.subtitle", { email }) }) }) : /* @__PURE__ */ jsxs("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
+    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
+    /* @__PURE__ */ jsx(Field, { label: t2("signUp.nameLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), value: name, onChange: (e) => setName(e.target.value), required: true }) }),
+    /* @__PURE__ */ jsx(Field, { label: t2("signUp.emailLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "email", autoComplete: "email", value: email, onChange: (e) => setEmail(e.target.value), required: true }) }),
+    /* @__PURE__ */ jsx(Field, { label: `${t2("signUp.tenantNameLabel")} (${t2("common.optional")})`, children: /* @__PURE__ */ jsx("input", { style: inputStyle(), value: organizationName, onChange: (e) => setOrganizationName(e.target.value) }) }),
+    /* @__PURE__ */ jsx(Field, { label: t2("signUp.passwordLabel"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: password, onChange: (e) => setPassword(e.target.value), required: true }) }),
+    /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: submitting || !email || !password || !name, children: submitting ? t2("signUp.submitting") : t2("signUp.submit") })
+  ] }) });
 }
 function initialsOf(name, email) {
   const src = name || email || "?";
@@ -929,6 +1369,7 @@ function initialsOf(name, email) {
   return src.substring(0, 2).toUpperCase();
 }
 function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }) {
+  const t2 = useT();
   const [user, setUser] = useState(null);
   const [open, setOpen] = useState(false);
   const branding = useResolvedSdkBranding(iqAuthBaseUrl);
@@ -999,7 +1440,7 @@ function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }) {
             /* @__PURE__ */ jsx("div", { style: { fontWeight: 500, color: "#0f172a" }, children: user.name }),
             /* @__PURE__ */ jsx("div", { children: user.email })
           ] }),
-          /* @__PURE__ */ jsx("a", { href: target, role: "menuitem", style: { display: "block", padding: "8px 10px", fontSize: 13, color: primary, textDecoration: "none" }, children: "Account" }),
+          /* @__PURE__ */ jsx("a", { href: target, role: "menuitem", style: { display: "block", padding: "8px 10px", fontSize: 13, color: primary, textDecoration: "none" }, children: t2("userButton.manageAccount") }),
           /* @__PURE__ */ jsx(
             "button",
             {
@@ -1007,7 +1448,7 @@ function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }) {
               type: "button",
               onClick: signOut2,
               style: { display: "block", width: "100%", textAlign: "left", padding: "8px 10px", fontSize: 13, background: "transparent", border: "none", cursor: "pointer", color: "#b91c1c" },
-              children: "Sign out"
+              children: t2("userButton.signOut")
             }
           )
         ] }) : null
@@ -1016,19 +1457,27 @@ function UserButton({ iqAuthBaseUrl, accountUrl, onSignOut, className }) {
   );
 }
 function UserProfile({ iqAuthBaseUrl, className }) {
+  const t2 = useT();
+  const localeBundle = useLocale();
   const branding = useResolvedSdkBranding(iqAuthBaseUrl);
   const [user, setUser] = useState(null);
   const [oldPassword, setOldPassword] = useState("");
   const [newPassword, setNewPassword] = useState("");
   const [pwState, setPwState] = useState({ submitting: false, message: "", error: "" });
   const [sessions, setSessions] = useState([]);
+  const [revokeAllBusy, setRevokeAllBusy] = useState(false);
+  const loadSessions = () => {
+    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/users/me/sessions`, { credentials: "include" }).then((r) => r.ok ? r.json() : Promise.reject(r)).then((p) => setSessions(p?.data?.sessions || [])).catch(() => {
+      fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions`, { credentials: "include" }).then((r) => r.json()).then((p) => setSessions(p?.data?.sessions || p?.data || [])).catch(() => {
+      });
+    });
+  };
   useEffect(() => {
     fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()).then((p) => {
       if (p?.data) setUser(p.data);
     }).catch(() => {
     });
-    fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions`, { credentials: "include" }).then((r) => r.json()).then((p) => setSessions(p?.data?.sessions || p?.data || [])).catch(() => {
-    });
+    loadSessions();
   }, [iqAuthBaseUrl]);
   const changePassword = async (e) => {
     e.preventDefault();
@@ -1039,53 +1488,96 @@ function UserProfile({ iqAuthBaseUrl, className }) {
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ oldPassword, newPassword })
       });
-      setPwState({ submitting: false, message: "Password updated.", error: "" });
+      setPwState({ submitting: false, message: t(localeBundle, "userProfile.passwordUpdated"), error: "" });
       setOldPassword("");
       setNewPassword("");
     } catch (err) {
-      setPwState({ submitting: false, message: "", error: err.message });
+      setPwState({ submitting: false, message: "", error: localizeError(localeBundle, err.message) });
     }
   };
   const revoke = async (sessionId) => {
-    await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions/${sessionId}`, { method: "DELETE", credentials: "include" });
+    const newRes = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/users/me/sessions/${sessionId}`, { method: "DELETE", credentials: "include" });
+    if (!newRes.ok && newRes.status === 404) {
+      await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/sessions/${sessionId}`, { method: "DELETE", credentials: "include" });
+    }
     setSessions((prev) => prev.filter((s) => s.id !== sessionId));
   };
-  if (!user) return /* @__PURE__ */ jsx(Shell, { branding, className, children: /* @__PURE__ */ jsx("p", { children: "Loading account\u2026" }) });
-  return /* @__PURE__ */ jsxs(Shell, { branding, className, children: [
-    /* @__PURE__ */ jsx("h2", { style: { fontSize: 20, fontWeight: 600, margin: "0 0 12px" }, children: "Your account" }),
+  const revokeAllOthers = async () => {
+    setRevokeAllBusy(true);
+    try {
+      await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/users/me/sessions/revoke-all-others`, { method: "POST", credentials: "include" });
+      setSessions((prev) => prev.filter((s) => s.isCurrent));
+    } finally {
+      setRevokeAllBusy(false);
+    }
+  };
+  if (!user) return /* @__PURE__ */ jsx(Shell, { branding, className, children: /* @__PURE__ */ jsx("p", { children: t2("common.loading") }) });
+  return /* @__PURE__ */ jsxs(Shell, { branding, className, title: t2("userProfile.title"), children: [
     /* @__PURE__ */ jsxs("section", { "aria-labelledby": "iqauth-profile", style: { marginBottom: 20 }, children: [
-      /* @__PURE__ */ jsx("h3", { id: "iqauth-profile", style: { fontSize: 14, fontWeight: 600 }, children: "Profile" }),
+      /* @__PURE__ */ jsx("h3", { id: "iqauth-profile", style: { fontSize: 14, fontWeight: 600 }, children: t2("userProfile.profileTab") }),
       /* @__PURE__ */ jsxs("p", { style: { fontSize: 13, margin: "4px 0" }, children: [
-        /* @__PURE__ */ jsx("strong", { children: "Name:" }),
+        /* @__PURE__ */ jsxs("strong", { children: [
+          t2("common.name"),
+          ":"
+        ] }),
         " ",
         user.name
       ] }),
       /* @__PURE__ */ jsxs("p", { style: { fontSize: 13, margin: "4px 0" }, children: [
-        /* @__PURE__ */ jsx("strong", { children: "Email:" }),
+        /* @__PURE__ */ jsxs("strong", { children: [
+          t2("common.email"),
+          ":"
+        ] }),
         " ",
         user.email
       ] })
     ] }),
     /* @__PURE__ */ jsxs("section", { "aria-labelledby": "iqauth-pw", style: { marginBottom: 20 }, children: [
-      /* @__PURE__ */ jsx("h3", { id: "iqauth-pw", style: { fontSize: 14, fontWeight: 600 }, children: "Change password" }),
+      /* @__PURE__ */ jsx("h3", { id: "iqauth-pw", style: { fontSize: 14, fontWeight: 600 }, children: t2("userProfile.changePassword") }),
       pwState.error ? /* @__PURE__ */ jsx(ErrorBanner, { message: pwState.error }) : null,
       pwState.message ? /* @__PURE__ */ jsx("div", { role: "status", style: { fontSize: 13, color: "#047857" }, children: pwState.message }) : null,
       /* @__PURE__ */ jsxs("form", { onSubmit: changePassword, style: { display: "flex", flexDirection: "column", gap: 10 }, children: [
-        /* @__PURE__ */ jsx(Field, { label: "Current password", children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "current-password", value: oldPassword, onChange: (e) => setOldPassword(e.target.value), required: true }) }),
-        /* @__PURE__ */ jsx(Field, { label: "New password", children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: newPassword, onChange: (e) => setNewPassword(e.target.value), required: true }) }),
-        /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: pwState.submitting || !oldPassword || !newPassword, children: pwState.submitting ? "Updating\u2026" : "Change password" })
+        /* @__PURE__ */ jsx(Field, { label: t2("userProfile.currentPassword"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "current-password", value: oldPassword, onChange: (e) => setOldPassword(e.target.value), required: true }) }),
+        /* @__PURE__ */ jsx(Field, { label: t2("userProfile.newPassword"), children: /* @__PURE__ */ jsx("input", { style: inputStyle(), type: "password", autoComplete: "new-password", minLength: 8, value: newPassword, onChange: (e) => setNewPassword(e.target.value), required: true }) }),
+        /* @__PURE__ */ jsx(PrimaryButton, { type: "submit", disabled: pwState.submitting || !oldPassword || !newPassword, children: pwState.submitting ? t2("common.saving") : t2("userProfile.changePassword") })
       ] })
     ] }),
     /* @__PURE__ */ jsxs("section", { "aria-labelledby": "iqauth-sessions", children: [
-      /* @__PURE__ */ jsx("h3", { id: "iqauth-sessions", style: { fontSize: 14, fontWeight: 600 }, children: "Sessions" }),
-      sessions.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: "No active sessions." }) : /* @__PURE__ */ jsx("ul", { style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: sessions.map((s) => /* @__PURE__ */ jsxs("li", { style: { display: "flex", justifyContent: "space-between", fontSize: 13, padding: "6px 10px", background: "#f8fafc", borderRadius: 6 }, children: [
-        /* @__PURE__ */ jsx("span", { children: s.userAgent || s.deviceName || "Unknown" }),
-        /* @__PURE__ */ jsx("button", { type: "button", onClick: () => revoke(s.id), style: { fontSize: 12, color: "#b91c1c", background: "transparent", border: "1px solid #fecaca", borderRadius: 4, padding: "2px 8px", cursor: "pointer" }, children: "Revoke" })
+      /* @__PURE__ */ jsxs("div", { style: { display: "flex", alignItems: "center", justifyContent: "space-between" }, children: [
+        /* @__PURE__ */ jsx("h3", { id: "iqauth-sessions", style: { fontSize: 14, fontWeight: 600, margin: 0 }, children: t2("userProfile.sessionsTab") }),
+        sessions.some((s) => !s.isCurrent) && /* @__PURE__ */ jsx(
+          "button",
+          {
+            type: "button",
+            disabled: revokeAllBusy,
+            onClick: revokeAllOthers,
+            style: { fontSize: 12, color: "#b91c1c", background: "transparent", border: "1px solid #fecaca", borderRadius: 4, padding: "4px 10px", cursor: "pointer" },
+            children: revokeAllBusy ? t2("common.submitting") : t2("userProfile.revokeAllOthers")
+          }
+        )
+      ] }),
+      sessions.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: t2("userProfile.sessionsEmpty") }) : /* @__PURE__ */ jsx("ul", { style: { listStyle: "none", padding: 0, margin: "8px 0 0", display: "flex", flexDirection: "column", gap: 6 }, children: sessions.map((s) => /* @__PURE__ */ jsxs("li", { style: { display: "flex", justifyContent: "space-between", alignItems: "center", fontSize: 13, padding: "8px 10px", background: s.isCurrent ? "#ecfdf5" : "#f8fafc", borderRadius: 6, border: s.isCurrent ? "1px solid #a7f3d0" : "1px solid transparent" }, children: [
+        /* @__PURE__ */ jsxs("div", { style: { display: "flex", flexDirection: "column", gap: 2 }, children: [
+          /* @__PURE__ */ jsxs("span", { style: { fontWeight: 500 }, children: [
+            s.device || s.userAgent || s.deviceName || "\u2014",
+            s.isCurrent && /* @__PURE__ */ jsxs("span", { style: { marginLeft: 8, fontSize: 11, color: "#047857" }, children: [
+              "(",
+              t2("userProfile.thisDevice"),
+              ")"
+            ] })
+          ] }),
+          /* @__PURE__ */ jsxs("span", { style: { fontSize: 11, opacity: 0.65 }, children: [
+            s.ip || "\u2014",
+            s.lastActiveAt ? ` \xB7 ${new Date(s.lastActiveAt).toLocaleString()}` : ""
+          ] })
+        ] }),
+        !s.isCurrent && /* @__PURE__ */ jsx("button", { type: "button", onClick: () => revoke(s.id), style: { fontSize: 12, color: "#b91c1c", background: "transparent", border: "1px solid #fecaca", borderRadius: 4, padding: "2px 8px", cursor: "pointer" }, children: t2("userProfile.revokeSession") })
       ] }, s.id)) })
     ] })
   ] });
 }
-function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, className }) {
+function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, appearance: _appearance, className }) {
+  const t2 = useT();
   const branding = useResolvedSdkBranding(iqAuthBaseUrl);
   const accent = branding?.accentColor || "#6366f1";
   const [memberships, setMemberships] = useState([]);
@@ -1129,7 +1621,7 @@ function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, className }) {
             "aria-expanded": open,
             onClick: () => setOpen((o) => !o),
             style: { background: "transparent", border: `1px solid ${accent}55`, color: branding?.primaryColor || "#0f172a", padding: "6px 12px", borderRadius: 6, cursor: "pointer", fontSize: 13 },
-            children: active?.tenantName || active?.tenantSlug || "Select organization"
+            children: active?.tenantName || active?.tenantSlug || t2("orgSwitcher.label")
           }
         ),
         open ? /* @__PURE__ */ jsx("div", { role: "menu", style: {
@@ -1143,7 +1635,7 @@ function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, className }) {
           boxShadow: "0 4px 12px rgba(0,0,0,0.08)",
           padding: 8,
           zIndex: 100
-        }, children: memberships.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6, padding: "4px 6px" }, children: "No memberships" }) : memberships.map((m) => /* @__PURE__ */ jsxs(
+        }, children: memberships.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6, padding: "4px 6px" }, children: t2("orgSwitcher.noOrgs") }) : memberships.map((m) => /* @__PURE__ */ jsxs(
           "button",
           {
             role: "menuitem",
@@ -1172,28 +1664,979 @@ function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, className }) {
     }
   );
 }
+function useImpersonation() {
+  const { snapshot } = useCtx();
+  return useMemo(() => {
+    const claims = snapshot.claims;
+    const isImpersonating = claims?.purpose === "impersonation" && !!claims?.act?.sub;
+    return {
+      isImpersonating,
+      actor: isImpersonating ? claims.act : null,
+      target: isImpersonating ? snapshot.user : null
+    };
+  }, [snapshot]);
+}
+function ImpersonationBanner({ render, onExit, className, style } = {}) {
+  const t2 = useT();
+  const info = useImpersonation();
+  const { manager } = useCtx();
+  const exit = useCallback(async () => {
+    if (onExit) return void onExit();
+    const { exitImpersonation } = await import("./reverify-4UEJXUS6.mjs");
+    const restored = exitImpersonation(manager);
+    if (restored) return;
+    const { signOut: signOut2 } = await import("./signIn-CCY4JE5G.mjs");
+    await signOut2(manager);
+  }, [manager, onExit]);
+  if (!info.isImpersonating) return null;
+  if (render) return createElement(Fragment, null, render({ ...info, exit }));
+  const targetLabel = info.target?.email || info.target?.name || info.target?.sub || "user";
+  const _actorLabel = info.actor?.email || info.actor?.name || info.actor?.sub || "admin";
+  void _actorLabel;
+  return createElement(
+    "div",
+    {
+      role: "alert",
+      className,
+      style: {
+        position: "sticky",
+        top: 0,
+        left: 0,
+        right: 0,
+        zIndex: 9999,
+        background: "#b91c1c",
+        color: "#fff",
+        padding: "8px 16px",
+        display: "flex",
+        alignItems: "center",
+        justifyContent: "space-between",
+        fontSize: 13,
+        fontFamily: "system-ui, sans-serif",
+        ...style
+      }
+    },
+    createElement(
+      "span",
+      null,
+      t2("impersonation.banner", { targetEmail: targetLabel })
+    ),
+    createElement(
+      "button",
+      {
+        type: "button",
+        onClick: exit,
+        style: {
+          background: "rgba(255,255,255,0.18)",
+          color: "#fff",
+          border: "1px solid rgba(255,255,255,0.4)",
+          borderRadius: 4,
+          padding: "4px 10px",
+          cursor: "pointer",
+          fontSize: 12
+        }
+      },
+      t2("impersonation.exit")
+    )
+  );
+}
+function useReverification(fn, opts = {}) {
+  const { manager } = useCtx();
+  const level = opts.level ?? "password";
+  return (async (...args) => {
+    let token = null;
+    let res = await fn(token)(...args);
+    const code = await peekErrorCode(res);
+    const isReverifyError = res.status === 401 && code && (code === "REVERIFICATION_REQUIRED" || code === "REVERIFICATION_EXPIRED" || code === "REVERIFICATION_INVALID" || code === "REVERIFICATION_USED" || code === "REVERIFICATION_LEVEL_INSUFFICIENT");
+    if (!isReverifyError) return res;
+    const prompt = opts.prompt ?? defaultReverifyPrompt;
+    const credentials = await prompt(level);
+    if (!credentials) {
+      throw new Error("Reverification cancelled");
+    }
+    const { reverify } = await import("./reverify-4UEJXUS6.mjs");
+    const minted = await reverify(manager, { level, ...credentials });
+    token = minted.token;
+    res = await fn(token)(...args);
+    return res;
+  });
+}
+async function peekErrorCode(res) {
+  try {
+    const cloned = res.clone();
+    const body = await cloned.json();
+    return body?.error?.code ?? null;
+  } catch {
+    return null;
+  }
+}
+async function defaultReverifyPrompt(level) {
+  if (typeof window === "undefined") return null;
+  if (level === "password") {
+    const password = window.prompt("Confirm your password to continue");
+    if (!password) return null;
+    return { password };
+  }
+  const totp = window.prompt("Enter your MFA code to continue");
+  if (!totp) return null;
+  return { totp, method: "totp" };
+}
+function slugify(input) {
+  return input.toLowerCase().normalize("NFKD").replace(/[\u0300-\u036f]/g, "").replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 64);
+}
+function CreateOrganization({ iqAuthBaseUrl, onCreated, redirectUrl, unstyled, appearance, className }) {
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const [name, setName] = useState("");
+  const [slug, setSlug] = useState("");
+  const [slugTouched, setSlugTouched] = useState(false);
+  const [submitting, setSubmitting] = useState(false);
+  const [error, setError] = useState(null);
+  const [created, setCreated] = useState(null);
+  const [slugCheck, setSlugCheck] = useState({ status: "idle" });
+  useEffect(() => {
+    if (!slugTouched) setSlug(slugify(name));
+  }, [name, slugTouched]);
+  useEffect(() => {
+    const s = slug.trim().toLowerCase();
+    if (!s) {
+      setSlugCheck({ status: "idle" });
+      return;
+    }
+    if (!/^[a-z0-9-]{2,64}$/.test(s)) {
+      setSlugCheck({ status: "invalid", checked: s });
+      return;
+    }
+    setSlugCheck({ status: "checking", checked: s });
+    const handle = setTimeout(async () => {
+      try {
+        const res = await fetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants/check-slug?slug=${encodeURIComponent(s)}`, {
+          credentials: "include",
+          headers: { Accept: "application/json" }
+        });
+        const body = await res.json().catch(() => ({}));
+        const data = body.data;
+        if (!data) {
+          setSlugCheck({ status: "idle", checked: s });
+          return;
+        }
+        if (data.reason === "INVALID_FORMAT") {
+          setSlugCheck({ status: "invalid", checked: s });
+          return;
+        }
+        setSlugCheck({ status: data.available ? "available" : "taken", checked: s });
+      } catch {
+        setSlugCheck({ status: "idle", checked: s });
+      }
+    }, 350);
+    return () => clearTimeout(handle);
+  }, [slug, iqAuthBaseUrl]);
+  const submit = async (e) => {
+    e.preventDefault();
+    setSubmitting(true);
+    setError(null);
+    try {
+      const res = await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/tenants`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({ name: name.trim(), slug: slug.trim() })
+      });
+      const payload = res;
+      const tenant = payload.data ?? payload;
+      const next = { id: tenant.id, name: tenant.name, slug: tenant.slug };
+      setCreated(next);
+      onCreated?.(next);
+      setName("");
+      setSlug("");
+      setSlugTouched(false);
+      if (redirectUrl && typeof window !== "undefined") {
+        const url = typeof redirectUrl === "function" ? redirectUrl(next) : redirectUrl;
+        if (url) window.location.assign(url);
+      }
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to create organization");
+    } finally {
+      setSubmitting(false);
+    }
+  };
+  const form = /* @__PURE__ */ jsxs("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, "data-iqauth-sdk-create-org": "", "aria-labelledby": "iqauth-create-org-heading", children: [
+    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
+    created ? /* @__PURE__ */ jsxs("p", { role: "status", style: { fontSize: 13, color: "#047857" }, children: [
+      "Organization \u201C",
+      created.name,
+      "\u201D created."
+    ] }) : null,
+    /* @__PURE__ */ jsx(Field, { label: "Organization name", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-create-org-name", autoFocus: true, style: inputStyle(), value: name, onChange: (e) => setName(e.target.value), required: true, minLength: 2, "aria-required": "true" }) }),
+    /* @__PURE__ */ jsxs(Field, { label: "Organization slug", children: [
+      /* @__PURE__ */ jsx(
+        "input",
+        {
+          "data-testid": "input-create-org-slug",
+          style: { ...inputStyle(), fontFamily: "monospace" },
+          value: slug,
+          onChange: (e) => {
+            setSlugTouched(true);
+            setSlug(e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, "-"));
+          },
+          required: true,
+          pattern: "[a-z0-9-]+",
+          minLength: 2,
+          "aria-required": "true",
+          "aria-describedby": "iqauth-create-org-slug-hint",
+          "aria-invalid": slugCheck.status === "taken" || slugCheck.status === "invalid"
+        }
+      ),
+      /* @__PURE__ */ jsx(
+        "p",
+        {
+          id: "iqauth-create-org-slug-hint",
+          "data-testid": "text-create-org-slug-status",
+          role: "status",
+          "aria-live": "polite",
+          style: { fontSize: 12, marginTop: 4, color: slugCheck.status === "taken" || slugCheck.status === "invalid" ? "#b91c1c" : slugCheck.status === "available" ? "#047857" : "inherit", opacity: slugCheck.status === "checking" ? 0.6 : 1 },
+          children: slugCheck.status === "checking" ? "Checking availability\u2026" : slugCheck.status === "available" ? "Slug is available." : slugCheck.status === "taken" ? "That slug is taken." : slugCheck.status === "invalid" ? "Slugs must be 2\u201364 chars, lowercase letters/numbers/hyphens." : "We'll auto-generate a slug from the name; you can override it."
+        }
+      )
+    ] }),
+    /* @__PURE__ */ jsx(
+      PrimaryButton,
+      {
+        "data-testid": "button-create-org-submit",
+        type: "submit",
+        disabled: submitting || !name.trim() || !slug.trim() || slugCheck.status === "taken" || slugCheck.status === "invalid" || slugCheck.status === "checking",
+        children: submitting ? "Creating\u2026" : "Create organization"
+      }
+    )
+  ] });
+  if (unstyled) {
+    return /* @__PURE__ */ jsxs("div", { className, "data-iqauth-sdk-create-org-bare": "", children: [
+      /* @__PURE__ */ jsx("h3", { id: "iqauth-create-org-heading", style: { fontSize: 14, fontWeight: 600, margin: "0 0 12px" }, children: "Create organization" }),
+      form
+    ] });
+  }
+  return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: "Create organization", subtitle: "Spin up a new tenant for this app.", children: form });
+}
+function OrganizationProfile({ iqAuthBaseUrl, tenantId: tenantIdProp, tabs, onDeleted, appearance, className }) {
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const baseUrl = iqAuthBaseUrl.replace(/\/$/, "");
+  const visibleTabs = tabs && tabs.length > 0 ? tabs : ["general", "members", "invitations", "danger"];
+  const [activeTab, setActiveTab] = useState(visibleTabs[0]);
+  const [tenantId, setTenantId] = useState(tenantIdProp || null);
+  const [tenant, setTenant] = useState(null);
+  const [members, setMembers] = useState([]);
+  const [pendingInvites, setPendingInvites] = useState([]);
+  const [loading, setLoading] = useState(true);
+  const [invitesLoading, setInvitesLoading] = useState(false);
+  const [error, setError] = useState(null);
+  const [renameValue, setRenameValue] = useState("");
+  const [slugValue, setSlugValue] = useState("");
+  const [renameSubmitting, setRenameSubmitting] = useState(false);
+  const [inviteEmail, setInviteEmail] = useState("");
+  const [inviteRole, setInviteRole] = useState("tenant_member");
+  const [inviteSubmitting, setInviteSubmitting] = useState(false);
+  const [actionMessage, setActionMessage] = useState(null);
+  const [confirmDeleteText, setConfirmDeleteText] = useState("");
+  const [confirmDeletePassword, setConfirmDeletePassword] = useState("");
+  const [deleteSubmitting, setDeleteSubmitting] = useState(false);
+  const { user } = useUser();
+  const callerRole = user?.role || null;
+  const callerIsAdmin = callerRole === "tenant_admin" || callerRole === "platform_admin";
+  const visibleTabsFiltered = visibleTabs.filter((t2) => t2 !== "danger" || callerIsAdmin);
+  useEffect(() => {
+    let cancelled = false;
+    (async () => {
+      try {
+        let tid = tenantIdProp || null;
+        if (!tid) {
+          const me = await fetch(`${baseUrl}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json());
+          tid = me?.data?.tenantId || null;
+        }
+        if (!tid) {
+          if (!cancelled) {
+            setError("No active tenant");
+            setLoading(false);
+          }
+          return;
+        }
+        const t2 = await fetch(`${baseUrl}/api/v1/tenants/${tid}`, { credentials: "include" }).then((r) => r.json());
+        const m = await fetch(`${baseUrl}/api/v1/tenants/${tid}/users`, { credentials: "include" }).then((r) => r.json());
+        if (cancelled) return;
+        setTenantId(tid);
+        setTenant(t2?.data ? { id: t2.data.id, name: t2.data.name, slug: t2.data.slug } : null);
+        setRenameValue(t2?.data?.name || "");
+        setSlugValue(t2?.data?.slug || "");
+        const rows = m?.data || [];
+        setMembers(rows.map((row) => ({
+          userId: String(row.userId ?? row.user?.id ?? row.id ?? ""),
+          email: String(row.email ?? row.user?.email ?? ""),
+          name: String(row.name ?? row.user?.name ?? ""),
+          role: String(row.role ?? row.roles?.[0] ?? "tenant_member"),
+          joinedAt: row.joinedAt ?? row.createdAt
+        })));
+      } catch (err) {
+        if (!cancelled) setError(err instanceof Error ? err.message : "Failed to load organization");
+      } finally {
+        if (!cancelled) setLoading(false);
+      }
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, [baseUrl, tenantIdProp]);
+  const loadInvites = async (tid) => {
+    setInvitesLoading(true);
+    try {
+      const r = await fetch(`${baseUrl}/api/v1/invites?tenantId=${encodeURIComponent(tid)}&status=pending`, { credentials: "include" }).then((res) => res.json());
+      const rows = r?.data || [];
+      setPendingInvites(rows.map((inv) => ({
+        id: String(inv.id),
+        email: String(inv.email),
+        role: String(inv.role),
+        status: String(inv.status),
+        expiresAt: inv.expiresAt,
+        createdAt: inv.createdAt
+      })));
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to load invitations");
+    } finally {
+      setInvitesLoading(false);
+    }
+  };
+  useEffect(() => {
+    if (activeTab === "invitations" && tenantId) loadInvites(tenantId);
+  }, [activeTab, tenantId]);
+  const reloadMembers = async () => {
+    if (!tenantId) return;
+    const m = await fetch(`${baseUrl}/api/v1/tenants/${tenantId}/users`, { credentials: "include" }).then((r) => r.json());
+    const rows = m?.data || [];
+    setMembers(rows.map((row) => ({
+      userId: String(row.userId ?? row.user?.id ?? row.id ?? ""),
+      email: String(row.email ?? row.user?.email ?? ""),
+      name: String(row.name ?? row.user?.name ?? ""),
+      role: String(row.role ?? row.roles?.[0] ?? "tenant_member"),
+      joinedAt: row.joinedAt ?? row.createdAt
+    })));
+  };
+  const submitRename = async (e) => {
+    e.preventDefault();
+    if (!tenantId) return;
+    setRenameSubmitting(true);
+    setError(null);
+    try {
+      const body = {};
+      if (renameValue.trim() && renameValue.trim() !== tenant?.name) body.name = renameValue.trim();
+      if (slugValue.trim() && slugValue.trim() !== tenant?.slug) body.slug = slugValue.trim();
+      if (Object.keys(body).length === 0) {
+        setRenameSubmitting(false);
+        return;
+      }
+      const res = await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}`, {
+        method: "PATCH",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify(body)
+      });
+      const t2 = res?.data ?? res;
+      setTenant({ id: t2.id, name: t2.name, slug: t2.slug });
+      setActionMessage("Organization saved.");
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to save");
+    } finally {
+      setRenameSubmitting(false);
+    }
+  };
+  const submitInvite = async (e) => {
+    e.preventDefault();
+    if (!tenantId) return;
+    setInviteSubmitting(true);
+    setError(null);
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}/users/invite`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({ email: inviteEmail.trim(), role: inviteRole })
+      });
+      setActionMessage(`Invitation sent to ${inviteEmail.trim()}.`);
+      setInviteEmail("");
+      if (activeTab === "invitations") await loadInvites(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to invite");
+    } finally {
+      setInviteSubmitting(false);
+    }
+  };
+  const changeRole = async (userId, role) => {
+    if (!tenantId) return;
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}/users/${userId}/role`, {
+        method: "PATCH",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({ role })
+      });
+      await reloadMembers();
+      setActionMessage("Role updated.");
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to update role");
+    }
+  };
+  const removeMember = async (userId) => {
+    if (!tenantId) return;
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}/users/${userId}`, { method: "DELETE", credentials: "include" });
+      await reloadMembers();
+      setActionMessage("Member removed.");
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to remove member");
+    }
+  };
+  const resendInvite = async (id) => {
+    if (!tenantId) return;
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/invites/${id}/resend`, { method: "POST", credentials: "include" });
+      setActionMessage("Invitation resent.");
+      await loadInvites(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to resend invitation");
+    }
+  };
+  const revokeInvite = async (id) => {
+    if (!tenantId) return;
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/invites/${id}/revoke`, { method: "POST", credentials: "include" });
+      setActionMessage("Invitation revoked.");
+      await loadInvites(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to revoke invitation");
+    }
+  };
+  const submitDelete = async () => {
+    if (!tenantId || !tenant) return;
+    if (confirmDeleteText !== tenant.slug) {
+      setError("Type the organization slug to confirm deletion.");
+      return;
+    }
+    if (!confirmDeletePassword) {
+      setError("Re-enter your password to confirm deletion.");
+      return;
+    }
+    setDeleteSubmitting(true);
+    setError(null);
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/tenants/${tenantId}`, {
+        method: "DELETE",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ confirmPassword: confirmDeletePassword })
+      });
+      setActionMessage("Organization deleted.");
+      setConfirmDeletePassword("");
+      onDeleted?.(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to delete organization");
+    } finally {
+      setDeleteSubmitting(false);
+    }
+  };
+  if (loading) {
+    return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: "Organization", children: /* @__PURE__ */ jsx("p", { role: "status", "aria-live": "polite", style: { fontSize: 13 }, children: "Loading\u2026" }) });
+  }
+  const tabBtnStyle = (key) => ({
+    background: activeTab === key ? `${branding?.accentColor || "#6366f1"}1a` : "transparent",
+    border: `1px solid ${activeTab === key ? branding?.accentColor || "#6366f1" : "rgba(15,23,42,0.12)"}`,
+    color: branding?.primaryColor || "#0f172a",
+    padding: "6px 12px",
+    borderRadius: 6,
+    cursor: "pointer",
+    fontSize: 12,
+    fontWeight: 500
+  });
+  return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: tenant?.name || "Organization", subtitle: tenant?.slug ? `slug: ${tenant.slug}` : void 0, children: /* @__PURE__ */ jsxs("div", { style: { display: "flex", flexDirection: "column", gap: 16 }, "data-iqauth-sdk-org-profile": "", children: [
+    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
+    actionMessage ? /* @__PURE__ */ jsx("p", { role: "status", "aria-live": "polite", style: { fontSize: 13, color: "#047857", margin: 0 }, children: actionMessage }) : null,
+    /* @__PURE__ */ jsx("div", { role: "tablist", "aria-label": "Organization sections", style: { display: "flex", gap: 6, flexWrap: "wrap" }, children: visibleTabsFiltered.map((t2) => /* @__PURE__ */ jsx(
+      "button",
+      {
+        role: "tab",
+        "aria-selected": activeTab === t2,
+        "aria-controls": `iqauth-org-tab-${t2}`,
+        "data-testid": `tab-org-${t2}`,
+        type: "button",
+        onClick: () => setActiveTab(t2),
+        style: tabBtnStyle(t2),
+        children: t2 === "general" ? "General" : t2 === "members" ? `Members (${members.length})` : t2 === "invitations" ? "Invitations" : "Danger zone"
+      },
+      t2
+    )) }),
+    activeTab === "general" ? /* @__PURE__ */ jsxs("section", { role: "tabpanel", id: "iqauth-org-tab-general", "aria-labelledby": "tab-org-general", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
+      /* @__PURE__ */ jsx("h3", { style: { fontSize: 14, fontWeight: 600, margin: 0 }, children: "Settings" }),
+      /* @__PURE__ */ jsxs("form", { onSubmit: submitRename, style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
+        /* @__PURE__ */ jsx(Field, { label: "Organization name", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-org-rename", style: inputStyle(), value: renameValue, onChange: (e) => setRenameValue(e.target.value), required: true, minLength: 2 }) }),
+        /* @__PURE__ */ jsx(Field, { label: "Slug", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-org-slug", style: { ...inputStyle(), fontFamily: "monospace" }, value: slugValue, onChange: (e) => setSlugValue(e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, "-")), required: true, pattern: "[a-z0-9-]+", minLength: 2 }) }),
+        /* @__PURE__ */ jsx(PrimaryButton, { "data-testid": "button-org-rename", type: "submit", disabled: renameSubmitting || renameValue.trim() === tenant?.name && slugValue.trim() === tenant?.slug, children: renameSubmitting ? "Saving\u2026" : "Save changes" })
+      ] })
+    ] }) : null,
+    activeTab === "members" ? /* @__PURE__ */ jsxs("section", { role: "tabpanel", id: "iqauth-org-tab-members", "aria-labelledby": "tab-org-members", style: { display: "flex", flexDirection: "column", gap: 12 }, children: [
+      /* @__PURE__ */ jsxs("form", { onSubmit: submitInvite, style: { display: "flex", gap: 8, flexWrap: "wrap" }, "aria-label": "Invite a new member", children: [
+        /* @__PURE__ */ jsx("input", { "data-testid": "input-org-invite-email", type: "email", placeholder: "email@company.com", "aria-label": "Email", style: { ...inputStyle(), flex: 1, minWidth: 180 }, value: inviteEmail, onChange: (e) => setInviteEmail(e.target.value), required: true }),
+        /* @__PURE__ */ jsxs("select", { "data-testid": "select-org-invite-role", "aria-label": "Role", style: { ...inputStyle(), width: "auto" }, value: inviteRole, onChange: (e) => setInviteRole(e.target.value), children: [
+          /* @__PURE__ */ jsx("option", { value: "tenant_member", children: "tenant_member" }),
+          /* @__PURE__ */ jsx("option", { value: "tenant_admin", children: "tenant_admin" })
+        ] }),
+        /* @__PURE__ */ jsx(PrimaryButton, { "data-testid": "button-org-invite", type: "submit", disabled: inviteSubmitting || !inviteEmail.trim(), children: inviteSubmitting ? "Sending\u2026" : "Send invite" })
+      ] }),
+      members.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: "No members yet." }) : /* @__PURE__ */ jsx("ul", { "aria-label": "Members", style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: members.map((m) => /* @__PURE__ */ jsxs("li", { "data-testid": `row-org-member-${m.userId}`, style: { display: "grid", gridTemplateColumns: "1fr auto auto", gap: 8, alignItems: "center", padding: "8px 10px", background: "rgba(15,23,42,0.04)", borderRadius: 6, fontSize: 13 }, children: [
+        /* @__PURE__ */ jsxs("div", { children: [
+          /* @__PURE__ */ jsx("div", { style: { fontWeight: 500 }, children: m.name || m.email }),
+          /* @__PURE__ */ jsx("div", { style: { fontSize: 11, opacity: 0.7 }, children: m.email })
+        ] }),
+        /* @__PURE__ */ jsxs("select", { "data-testid": `select-org-member-role-${m.userId}`, "aria-label": `Role for ${m.email}`, value: m.role, onChange: (e) => changeRole(m.userId, e.target.value), style: { ...inputStyle(), width: "auto", padding: "4px 8px", fontSize: 12 }, children: [
+          /* @__PURE__ */ jsx("option", { value: "tenant_member", children: "tenant_member" }),
+          /* @__PURE__ */ jsx("option", { value: "tenant_admin", children: "tenant_admin" })
+        ] }),
+        /* @__PURE__ */ jsx(
+          "button",
+          {
+            type: "button",
+            "data-testid": `button-org-member-remove-${m.userId}`,
+            "aria-label": `Remove ${m.email}`,
+            onClick: () => removeMember(m.userId),
+            style: { background: "transparent", border: "1px solid rgba(220,38,38,0.4)", color: "#b91c1c", borderRadius: 4, padding: "4px 10px", cursor: "pointer", fontSize: 12 },
+            children: "Remove"
+          }
+        )
+      ] }, m.userId)) })
+    ] }) : null,
+    activeTab === "invitations" ? /* @__PURE__ */ jsxs("section", { role: "tabpanel", id: "iqauth-org-tab-invitations", "aria-labelledby": "tab-org-invitations", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
+      /* @__PURE__ */ jsx("h3", { style: { fontSize: 14, fontWeight: 600, margin: 0 }, children: "Pending invitations" }),
+      invitesLoading ? /* @__PURE__ */ jsx("p", { role: "status", "aria-live": "polite", style: { fontSize: 13 }, children: "Loading\u2026" }) : pendingInvites.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: "No pending invitations." }) : /* @__PURE__ */ jsx("ul", { "aria-label": "Pending invitations", style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: pendingInvites.map((inv) => /* @__PURE__ */ jsxs("li", { "data-testid": `row-org-invite-${inv.id}`, style: { display: "grid", gridTemplateColumns: "1fr auto auto", gap: 8, alignItems: "center", padding: "8px 10px", background: "rgba(15,23,42,0.04)", borderRadius: 6, fontSize: 13 }, children: [
+        /* @__PURE__ */ jsxs("div", { children: [
+          /* @__PURE__ */ jsx("div", { style: { fontWeight: 500 }, children: inv.email }),
+          /* @__PURE__ */ jsxs("div", { style: { fontSize: 11, opacity: 0.7 }, children: [
+            "role: ",
+            inv.role,
+            inv.expiresAt ? ` \u2022 expires ${new Date(inv.expiresAt).toLocaleDateString()}` : ""
+          ] })
+        ] }),
+        /* @__PURE__ */ jsx(
+          "button",
+          {
+            type: "button",
+            "data-testid": `button-org-invite-resend-${inv.id}`,
+            onClick: () => resendInvite(inv.id),
+            style: { background: "transparent", border: "1px solid rgba(15,23,42,0.18)", color: "#0f172a", borderRadius: 4, padding: "4px 10px", cursor: "pointer", fontSize: 12 },
+            children: "Resend"
+          }
+        ),
+        /* @__PURE__ */ jsx(
+          "button",
+          {
+            type: "button",
+            "data-testid": `button-org-invite-revoke-${inv.id}`,
+            onClick: () => revokeInvite(inv.id),
+            style: { background: "transparent", border: "1px solid rgba(220,38,38,0.4)", color: "#b91c1c", borderRadius: 4, padding: "4px 10px", cursor: "pointer", fontSize: 12 },
+            children: "Revoke"
+          }
+        )
+      ] }, inv.id)) })
+    ] }) : null,
+    activeTab === "danger" ? /* @__PURE__ */ jsxs("section", { role: "tabpanel", id: "iqauth-org-tab-danger", "aria-labelledby": "tab-org-danger", style: { display: "flex", flexDirection: "column", gap: 10, border: "1px solid rgba(220,38,38,0.3)", padding: 12, borderRadius: 8, background: "rgba(220,38,38,0.04)" }, children: [
+      /* @__PURE__ */ jsx("h3", { style: { fontSize: 14, fontWeight: 600, margin: 0, color: "#b91c1c" }, children: "Delete organization" }),
+      /* @__PURE__ */ jsxs("p", { style: { fontSize: 12, opacity: 0.85, margin: 0 }, children: [
+        "This permanently deletes ",
+        /* @__PURE__ */ jsx("strong", { children: tenant?.name }),
+        " and all of its members, roles, and audit history. To confirm, type the slug ",
+        /* @__PURE__ */ jsx("code", { children: tenant?.slug }),
+        " below."
+      ] }),
+      /* @__PURE__ */ jsx(Field, { label: "Type the organization slug to confirm", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-org-delete-confirm", autoComplete: "off", placeholder: tenant?.slug || "", "aria-label": "Type slug to confirm", style: { ...inputStyle(), fontFamily: "monospace" }, value: confirmDeleteText, onChange: (e) => setConfirmDeleteText(e.target.value) }) }),
+      /* @__PURE__ */ jsx(Field, { label: "Re-enter your password", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-org-delete-password", type: "password", autoComplete: "current-password", "aria-label": "Password to confirm deletion", style: inputStyle(), value: confirmDeletePassword, onChange: (e) => setConfirmDeletePassword(e.target.value) }) }),
+      /* @__PURE__ */ jsx(
+        "button",
+        {
+          type: "button",
+          "data-testid": "button-org-delete",
+          onClick: submitDelete,
+          disabled: deleteSubmitting || confirmDeleteText !== tenant?.slug || !confirmDeletePassword,
+          style: { background: "#b91c1c", color: "#fff", border: "none", padding: "8px 14px", borderRadius: 6, cursor: confirmDeleteText === tenant?.slug && confirmDeletePassword ? "pointer" : "not-allowed", fontSize: 13, opacity: confirmDeleteText === tenant?.slug && confirmDeletePassword ? 1 : 0.5 },
+          children: deleteSubmitting ? "Deleting\u2026" : "Permanently delete organization"
+        }
+      )
+    ] }) : null
+  ] }) });
+}
+function OrganizationList({ iqAuthBaseUrl, onSelect, showCreate = true, createRedirectUrl, appearance, className }) {
+  const [showCreateForm, setShowCreateForm] = useState(false);
+  const reloadList = () => {
+    setShowCreateForm(false);
+    if (typeof window !== "undefined") setTimeout(() => window.location.reload(), 50);
+  };
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl);
+  const baseUrl = iqAuthBaseUrl.replace(/\/$/, "");
+  const accent = branding?.accentColor || "#6366f1";
+  const [memberships, setMemberships] = useState([]);
+  const [activeTenantId, setActiveTenantId] = useState(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState(null);
+  useEffect(() => {
+    let cancelled = false;
+    Promise.all([
+      fetch(`${baseUrl}/api/v1/auth/me`, { credentials: "include" }).then((r) => r.json()),
+      fetch(`${baseUrl}/api/v1/tenants/memberships`, { credentials: "include" }).then((r) => r.json())
+    ]).then(([me, mems]) => {
+      if (cancelled) return;
+      setActiveTenantId(me?.data?.tenantId || null);
+      setMemberships(mems?.data?.memberships || mems?.data || []);
+    }).catch((err) => {
+      if (!cancelled) setError(err instanceof Error ? err.message : "Failed to load organizations");
+    }).finally(() => {
+      if (!cancelled) setLoading(false);
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [baseUrl]);
+  const select = async (tenantId) => {
+    if (tenantId === activeTenantId) {
+      onSelect?.(tenantId);
+      return;
+    }
+    try {
+      await jsonFetch(`${baseUrl}/api/v1/auth/select-tenant`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include",
+        body: JSON.stringify({ tenantId })
+      });
+      setActiveTenantId(tenantId);
+      onSelect?.(tenantId);
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to switch organization");
+    }
+  };
+  return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: "Your organizations", subtitle: "Select an organization to make it active.", children: /* @__PURE__ */ jsxs("div", { "data-iqauth-sdk-org-list": "", style: { display: "flex", flexDirection: "column", gap: 8 }, children: [
+    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
+    loading ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13 }, children: "Loading\u2026" }) : memberships.length === 0 ? /* @__PURE__ */ jsx("p", { style: { fontSize: 13, opacity: 0.6 }, children: "You don\u2019t belong to any organizations yet." }) : /* @__PURE__ */ jsx("ul", { style: { listStyle: "none", padding: 0, margin: 0, display: "flex", flexDirection: "column", gap: 6 }, children: memberships.map((m) => {
+      const active = m.tenantId === activeTenantId;
+      return /* @__PURE__ */ jsx("li", { children: /* @__PURE__ */ jsxs(
+        "button",
+        {
+          type: "button",
+          "data-testid": `button-org-list-${m.tenantId}`,
+          onClick: () => select(m.tenantId),
+          style: {
+            display: "block",
+            width: "100%",
+            textAlign: "left",
+            padding: "10px 12px",
+            borderRadius: 6,
+            cursor: "pointer",
+            fontSize: 13,
+            background: active ? `${accent}1a` : "transparent",
+            border: `1px solid ${active ? accent : "rgba(15,23,42,0.12)"}`,
+            color: branding?.primaryColor || "#0f172a"
+          },
+          children: [
+            /* @__PURE__ */ jsx("div", { style: { fontWeight: 500 }, children: m.tenantName || m.tenantSlug || m.tenantId }),
+            /* @__PURE__ */ jsxs("div", { style: { fontSize: 11, opacity: 0.7 }, children: [
+              (m.roles || []).join(", ") || "\u2014",
+              active ? /* @__PURE__ */ jsx("span", { style: { marginLeft: 8, color: accent, fontWeight: 600 }, children: "active" }) : null
+            ] })
+          ]
+        }
+      ) }, m.tenantId);
+    }) }),
+    showCreate ? /* @__PURE__ */ jsx("div", { style: { marginTop: 12, paddingTop: 12, borderTop: "1px solid rgba(15,23,42,0.08)" }, children: showCreateForm ? /* @__PURE__ */ jsxs(Fragment2, { children: [
+      /* @__PURE__ */ jsx(
+        CreateOrganization,
+        {
+          iqAuthBaseUrl,
+          unstyled: true,
+          appearance,
+          onCreated: (t2) => {
+            onSelect?.(t2.id);
+            reloadList();
+          },
+          redirectUrl: createRedirectUrl
+        }
+      ),
+      /* @__PURE__ */ jsx(
+        "button",
+        {
+          type: "button",
+          "data-testid": "button-org-list-create-cancel",
+          onClick: () => setShowCreateForm(false),
+          style: { marginTop: 8, background: "transparent", border: "none", color: branding?.accentColor || "#6366f1", cursor: "pointer", fontSize: 12, padding: 0 },
+          children: "Cancel"
+        }
+      )
+    ] }) : /* @__PURE__ */ jsx(
+      "button",
+      {
+        type: "button",
+        "data-testid": "button-org-list-create",
+        onClick: () => setShowCreateForm(true),
+        style: { background: "transparent", border: `1px dashed ${accent}`, color: branding?.primaryColor || "#0f172a", padding: "10px 12px", borderRadius: 6, cursor: "pointer", fontSize: 13, width: "100%" },
+        children: "+ Create new organization"
+      }
+    ) }) : null
+  ] }) });
+}
+function Waitlist({ iqAuthBaseUrl, appKey, appId, title, subtitle, successMessage, appearance, className }) {
+  const branding = useResolvedSdkBranding(iqAuthBaseUrl, appId);
+  const [email, setEmail] = useState("");
+  const [name, setName] = useState("");
+  const [organizationName, setOrganizationName] = useState("");
+  const [submitting, setSubmitting] = useState(false);
+  const [error, setError] = useState(null);
+  const [submitted, setSubmitted] = useState(null);
+  const submit = async (e) => {
+    e.preventDefault();
+    setSubmitting(true);
+    setError(null);
+    try {
+      const res = await jsonFetch(`${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/waitlist`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          email: email.trim().toLowerCase(),
+          name: name.trim() || void 0,
+          organizationName: organizationName.trim() || void 0,
+          appKey: appKey || void 0,
+          appId: appId || void 0
+        })
+      });
+      const data = res?.data ?? res;
+      setSubmitted({ duplicate: !!data?.duplicate });
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to join the waitlist");
+    } finally {
+      setSubmitting(false);
+    }
+  };
+  if (submitted) {
+    return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: title || "You\u2019re on the list", children: /* @__PURE__ */ jsx("p", { "data-testid": "text-waitlist-success", style: { fontSize: 14 }, children: successMessage || (submitted.duplicate ? "You were already on the waitlist \u2014 we\u2019ll be in touch." : "Thanks! We\u2019ll email you when access opens up.") }) });
+  }
+  return /* @__PURE__ */ jsx(Shell, { appearance, branding, className, title: title || "Join the waitlist", subtitle: subtitle || "Enter your email and we\u2019ll be in touch when access opens up.", children: /* @__PURE__ */ jsxs("form", { onSubmit: submit, style: { display: "flex", flexDirection: "column", gap: 12 }, "data-iqauth-sdk-waitlist": "", children: [
+    error ? /* @__PURE__ */ jsx(ErrorBanner, { message: error }) : null,
+    /* @__PURE__ */ jsx(Field, { label: "Work email", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-waitlist-email", type: "email", autoComplete: "email", required: true, style: inputStyle(), value: email, onChange: (e) => setEmail(e.target.value) }) }),
+    /* @__PURE__ */ jsx(Field, { label: "Name (optional)", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-waitlist-name", autoComplete: "name", style: inputStyle(), value: name, onChange: (e) => setName(e.target.value) }) }),
+    /* @__PURE__ */ jsx(Field, { label: "Organization (optional)", children: /* @__PURE__ */ jsx("input", { "data-testid": "input-waitlist-org", autoComplete: "organization", style: inputStyle(), value: organizationName, onChange: (e) => setOrganizationName(e.target.value) }) }),
+    /* @__PURE__ */ jsx(PrimaryButton, { "data-testid": "button-waitlist-submit", type: "submit", disabled: submitting || !email, children: submitting ? "Joining\u2026" : "Join the waitlist" })
+  ] }) });
+}
+function usePasswordlessOptions(override) {
+  const ctx = useContext(IQAuthContext);
+  const baseFromCtx = ctx?.manager?.issuerUrl;
+  const iqAuthBaseUrl = override?.iqAuthBaseUrl || baseFromCtx || (typeof window !== "undefined" ? window.location.origin : "");
+  return { iqAuthBaseUrl, cookieSession: override?.cookieSession ?? true };
+}
+function useMagicLink(override) {
+  const opts = usePasswordlessOptions(override);
+  const [sent, setSent] = useState(false);
+  const [busy, setBusy] = useState(false);
+  const [error, setError] = useState(null);
+  const request = useCallback(async (input) => {
+    setBusy(true);
+    setError(null);
+    setSent(false);
+    try {
+      await requestMagicLink(opts, input);
+      setSent(true);
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Magic link request failed");
+    } finally {
+      setBusy(false);
+    }
+  }, [opts.iqAuthBaseUrl, opts.cookieSession]);
+  return { request, sent, busy, error };
+}
+function usePasskey(override) {
+  const opts = usePasswordlessOptions(override);
+  const [busy, setBusy] = useState(false);
+  const [error, setError] = useState(null);
+  const signIn2 = useCallback(async (input = {}) => {
+    setBusy(true);
+    setError(null);
+    try {
+      return await signInWithPasskey(opts, input);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : "Passkey sign-in failed";
+      setError(msg);
+      throw e;
+    } finally {
+      setBusy(false);
+    }
+  }, [opts.iqAuthBaseUrl]);
+  const enroll = useCallback(async (name) => {
+    setBusy(true);
+    setError(null);
+    try {
+      return await enrollPasskey(opts, name);
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : "Passkey enrollment failed";
+      setError(msg);
+      throw e;
+    } finally {
+      setBusy(false);
+    }
+  }, [opts.iqAuthBaseUrl]);
+  return { signIn: signIn2, enroll, busy, error };
+}
+function useLinkedIdentities(override) {
+  const opts = usePasswordlessOptions(override);
+  const [identities, setIdentities] = useState([]);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const refresh = useCallback(async () => {
+    setLoading(true);
+    setError(null);
+    try {
+      setIdentities(await listLinkedIdentities(opts));
+    } catch (e) {
+      setError(e instanceof Error ? e.message : "Failed to load identities");
+    } finally {
+      setLoading(false);
+    }
+  }, [opts.iqAuthBaseUrl]);
+  const link = useCallback(async (input) => {
+    await linkProvider(opts, input);
+    await refresh();
+  }, [opts.iqAuthBaseUrl, refresh]);
+  const unlink = useCallback(async (provider, password) => {
+    await unlinkProvider(opts, { provider, reauth: { password } });
+    await refresh();
+  }, [opts.iqAuthBaseUrl, refresh]);
+  useEffect(() => {
+    refresh();
+  }, [refresh]);
+  return { identities, loading, error, refresh, link, unlink };
+}
+function MagicLinkSignInForm(props) {
+  const { request, sent, busy, error } = useMagicLink(props);
+  const [email, setEmail] = useState("");
+  return /* @__PURE__ */ jsxs(
+    "form",
+    {
+      "data-testid": "form-magic-link",
+      className: props.className,
+      onSubmit: (e) => {
+        e.preventDefault();
+        if (email) void request({ email, appId: props.appId, redirectUri: props.redirectUri });
+      },
+      style: { display: "flex", flexDirection: "column", gap: 8 },
+      children: [
+        /* @__PURE__ */ jsx(
+          "input",
+          {
+            "data-testid": "input-magic-link-email",
+            type: "email",
+            required: true,
+            value: email,
+            placeholder: props.placeholder ?? "you@example.com",
+            onChange: (e) => setEmail(e.target.value),
+            style: { padding: 8, border: "1px solid rgba(15,23,42,0.15)", borderRadius: 6 }
+          }
+        ),
+        /* @__PURE__ */ jsx("button", { "data-testid": "button-magic-link-submit", type: "submit", disabled: busy || !email, children: busy ? "Sending\u2026" : props.buttonLabel ?? "Email me a sign-in link" }),
+        sent ? /* @__PURE__ */ jsx("p", { "data-testid": "text-magic-link-sent", style: { fontSize: 12 }, children: "If the email is on file, a link is on the way." }) : null,
+        error ? /* @__PURE__ */ jsx("p", { "data-testid": "text-magic-link-error", style: { fontSize: 12, color: "#b91c1c" }, children: error }) : null
+      ]
+    }
+  );
+}
+function PasskeySignInButton({ email, className, children, ...rest }) {
+  const { signIn: signIn2, busy, error } = usePasskey(rest);
+  return /* @__PURE__ */ jsxs("div", { className, children: [
+    /* @__PURE__ */ jsx(
+      "button",
+      {
+        "data-testid": "button-passkey-signin",
+        disabled: busy,
+        onClick: () => void signIn2({ email }).catch(() => {
+        }),
+        style: { padding: "8px 12px", borderRadius: 6, border: "1px solid rgba(15,23,42,0.15)", background: "transparent", cursor: "pointer" },
+        children: busy ? "Verifying\u2026" : children ?? "Sign in with a passkey"
+      }
+    ),
+    error ? /* @__PURE__ */ jsx("p", { "data-testid": "text-passkey-error", style: { fontSize: 12, color: "#b91c1c", marginTop: 4 }, children: error }) : null
+  ] });
+}
+function LinkedAccounts({ className, onChange, ...rest }) {
+  const { identities, loading, error, unlink } = useLinkedIdentities(rest);
+  return /* @__PURE__ */ jsx("div", { "data-testid": "section-linked-accounts", className, children: loading ? /* @__PURE__ */ jsx("p", { children: "Loading\u2026" }) : error ? /* @__PURE__ */ jsx("p", { style: { color: "#b91c1c" }, children: error }) : /* @__PURE__ */ jsx("ul", { style: { listStyle: "none", padding: 0, margin: 0 }, children: identities.map((i) => /* @__PURE__ */ jsxs("li", { "data-testid": `row-identity-${i.provider}`, style: { display: "flex", justifyContent: "space-between", padding: "6px 0" }, children: [
+    /* @__PURE__ */ jsxs("span", { children: [
+      /* @__PURE__ */ jsx("strong", { style: { textTransform: "capitalize" }, children: i.provider }),
+      " ",
+      /* @__PURE__ */ jsx("span", { style: { opacity: 0.7 }, children: i.label || i.providerUserId || "" })
+    ] }),
+    i.canUnlink ? /* @__PURE__ */ jsx(
+      "button",
+      {
+        "data-testid": `button-unlink-${i.provider}`,
+        onClick: async () => {
+          const pw = window.prompt("Confirm your password to unlink this identity") || void 0;
+          try {
+            await unlink(i.provider, pw);
+            onChange?.();
+          } catch {
+          }
+        },
+        children: "Unlink"
+      }
+    ) : null
+  ] }, i.id)) }) });
+}
 var __version__ = "phase-bc-1.0.0";
 export {
   AuthCallback,
+  CreateOrganization,
   IQAuthLoaded,
   IQAuthLoading,
   IQAuthProvider,
+  IQAuthReturnToBouncer,
+  ImpersonationBanner,
+  LinkedAccounts,
+  MagicLinkSignInForm,
+  MultisessionAppSupport,
+  OrganizationList,
+  OrganizationProfile,
   OrganizationSwitcher,
+  PasskeySignInButton,
+  Protect,
   RedirectToSignIn,
+  RedirectToSignedIn,
   SignIn,
   SignUp,
   SignedIn,
   SignedOut,
   UserButton,
   UserProfile,
+  Waitlist,
   __version__,
+  isReturnToAllowed,
   isSilentSsoEligible,
+  preflightReturnTo,
+  revokeSession,
   sanitizeBrandCss,
+  sanitizeReturnTo,
+  slugify,
+  useAccountList,
+  useAccountSwitcher,
   useAuth,
   useAuthFetch,
   useIQAuthSignInContext,
+  useImpersonation,
+  useLinkedIdentities,
+  useLocale,
+  useMagicLink,
   useOrganization,
+  usePasskey,
   useResolvedSdkBranding,
+  useReturnTo,
+  useReverification,
   useSession,
+  useSessionList,
+  useT,
   useUser
 };