@iqauth/sdk 2.6.0 → 2.6.2

package/README.md

@@ -17,6 +17,8 @@ The canonical TypeScript SDK for **IQAuthService** — DispositionIQ's multi-ten
 - [Install](#install)
 - [Five-line integration](#five-line-integration)
 - [Pick your environment](#pick-your-environment)
+- [What's new in 2.6.2](#whats-new-in-262)
+- [What's new in 2.6.1](#whats-new-in-261)
 - [What's new in 2.0.3](#whats-new-in-203)
 - [Browser apps with a backend (recommended)](#browser-apps-with-a-backend-recommended)
 - [Server reference (Express, Fastify, Hono, Next.js)](#server-reference)
@@ -89,6 +91,13 @@ gap, mirroring Clerk's `<ClerkLoading/>` / `<ClerkLoaded/>`.
 Available hooks: `useUser()`, `useSession()`, `useAuth()`, `useOrganization()`. Each returns `{ data, isLoading, error }`.
 Drop-in components: `<SignIn/>`, `<SignUp/>`, `<UserButton/>`, `<UserProfile/>`, `<OrganizationSwitcher/>`, `<AuthCallback/>`.
 
+> **Silent SSO is opt-in as of 2.6.1.** `<SignIn/>` always renders the
+> form on first paint by default — even for returning users with an active
+> issuer-side `iq_sso` session. To restore the old auto-resume behavior,
+> add `silentSso` to the provider or a specific `<SignIn/>` instance:
+> `<IQAuthProvider publishableKey={…} silentSso>` or `<SignIn silentSso />`.
+> See "What's new in 2.6.1" below.
+
 ### Express
 
 ```ts
@@ -165,6 +174,74 @@ The SDK is not "one auth model for every environment". The safe pattern depends
 
 ---
 
+## What's new in 2.6.2
+
+### Card grows responsively on desktop (no more phone-sized form)
+
+`.iqauth-sdk-card` used to cap at `max-width: 460px` at every viewport,
+which meant a desktop user staring at a 1440px monitor saw a thin mobile
+column floating inside a 720px-wide pane. The cap is now responsive:
+
+- mobile (default): **480px**
+- tablet / desktop (`@container ≥ 768px`): **540px**
+- extra-wide (`@container ≥ 1280px`): **580px**
+
+Inner header/body padding and the title size also bump up at the desktop
+breakpoint so the form actually fills its half of the split layout. No
+opt-in required — the change applies to every consumer of `<SignIn/>` and
+`<SignUp/>` after upgrading.
+
+---
+
+## What's new in 2.6.1
+
+### 1. Silent SSO is now opt-in (default off)
+
+Previously, `<SignIn/>` would detect an active issuer-side `iq_sso` session
+on mount and silently redirect through `/oidc/sso-resume` — users never saw
+the form, never clicked anything, and were transparently signed back in.
+That was surprising for embedded use cases and made it impossible to switch
+accounts without reaching for `?prompt=login`. As of 2.6.1, silent SSO is
+**disabled by default** and must be explicitly enabled:
+
+```tsx
+// Provider-wide opt-in (covers every <SignIn/> below it)
+<IQAuthProvider publishableKey={…} silentSso>
+  …
+</IQAuthProvider>
+
+// Per-instance opt-in (overrides the provider value)
+<SignIn silentSso />
+```
+
+When silent SSO is off (default), `<SignIn/>` always renders the form on
+first paint regardless of `iq_sso` cookie state. `prompt="login"` and
+`?prompt=login` continue to work as additional force-form switches.
+
+### 2. Embedded card no longer forces full-viewport height
+
+The internal `.iqauth-sdk-pane` declared `min-height: 100vh` unconditionally,
+which worked for hosted full-page sign-in but broke when `<SignIn/>` was
+embedded in a card, modal, or sidebar — pushing content below the fold and
+creating large empty areas. The 100vh height now applies only inside the
+wide side-by-side layout (`@container iqauth-sdk (min-width: 768px)`) where
+the hero pane needs height parity. Narrow embeds size naturally to their
+content.
+
+### 3. Better error reporting on misconfigured `<SignIn/>`
+
+- `useIQAuthSignInContext` now detects HTML responses (CORS preflight, wrong
+  `iqAuthBaseUrl`, wrong `appKey`) and prints an actionable `console.error`
+  naming the three likely causes — instead of the cryptic
+  `Unexpected token '<' in JSON`.
+- The "returnTo not in allowed origins" console error now also lists the
+  app's actual `allowedOrigins`, so the diff with the rejected `returnTo`
+  is visible at a glance instead of requiring a Network-tab spelunk.
+
+For older versions see [`CHANGELOG.md`](./CHANGELOG.md).
+
+---
+
 ## What's new in 2.0.3
 
 ### 1. `serverManagedSession: true` for `SessionManager` / `IQAuthProvider`
@@ -547,6 +624,54 @@ Common codes you'll handle:
 | Cross-origin call to a sister IQAuth-protected app gets CORS-blocked | Add the caller's origin to the target app's `app_allowed_origins`. Allow up to 60s for the cache to refresh. |
 | `req.auth` is undefined under Passport | Verify you're reading `req.auth`, not `req.user`. The SDK deliberately uses `req.auth` to avoid Passport collision. |
 | Hosted sign-in page won't accept your `return_to` | The origin isn't in this app's allowlist. Add it in the admin dashboard. |
+| Server logs `[AUTH-MW] Missing auth credentials` on `GET /api/v1/auth/me` at app boot — **once**, immediately followed by a successful `[OIDC] SSO resume issued code` AND the next `/auth/me` returns 200 | **Benign.** SDK's `bootstrap()` probe. See ["Why does the server log `Missing auth credentials` at startup?"](#why-does-the-server-log-missing-auth-credentials-at-startup) below. |
+| `[AUTH-MW] Missing auth credentials` repeats in a **loop** (warn → resume → token → warn → resume → token …), user can't actually finish login | **NOT benign.** The SDK's callback handler on YOUR app's domain isn't completing the token exchange, so no cookie ever gets set. See ["When the bootstrap loop never ends"](#when-the-bootstrap-loop-never-ends) below — almost always a middleware-ordering bug on the consumer app. |
+| Same `Missing auth credentials` warning on `/api/v1/auth/me` but **no** subsequent `SSO resume issued code` or `/oidc/token` for the same user within ~1s | Real problem — your fetch is dropping cookies. Check `credentials: "include"`, CORS `Access-Control-Allow-Credentials: true`, `SameSite`/`COOKIE_DOMAIN`. |
+
+### Why does the server log `Missing auth credentials` at startup?
+
+When `<IQAuthProvider>` mounts, the SDK's `bootstrap()` runs `GET /api/v1/auth/me` once to ask the issuer "do I already have a session on this app?" That call is *defined* to be anonymous when the user has never signed in here yet — there is no `iqauth_at` cookie scoped to your origin yet to send.
+
+So the very first request you'll see for a returning user is:
+
+```
+WARN  [AUTH-MW] Missing auth credentials  GET /api/v1/auth/me  origin=https://your-app.com
+INFO  [OIDC]    SSO resume issued code     userId=…  clientId=iq_…
+INFO  [AuthMetrics] /oidc/token latency
+```
+
+That sequence is the **happy path** for silent SSO: probe → no session here → resume from the issuer's `iq_sso` cookie → exchange code for tokens → cookie now set on your origin → subsequent requests succeed against the cookie. The warning was misleading log severity for a defined-anonymous endpoint, and as of the next IQAuth server release the bootstrap probe on `/auth/me` and `/auth/refresh` is logged at **`debug`** rather than `warn`. Other routes still log at `warn` — so seeing this message on, say, `GET /api/v1/users` remains a real signal that cookies aren't traveling.
+
+**If you're on an older IQAuth server and want to silence the noise without an upgrade,** add a server-side log filter on the `[AUTH-MW] Missing auth credentials` line where `route` matches `/api/v1/auth/(me|refresh)`. Don't blanket-mute the message — you'll lose visibility on real CORS/cookie failures.
+
+### When the bootstrap loop never ends
+
+If you see `Missing auth credentials` → `SSO resume issued code` → `/oidc/token` happen **on repeat** and the user never actually gets signed in, the issuer side is doing its job perfectly — the failure is on **your** server. The SDK's callback helper at `/api/iqauth/callback` is responsible for taking the `?code=` from the OAuth redirect, POSTing it to `/oidc/token`, and setting the `iqauth_at` cookie on your app's domain. If that handler doesn't run (or returns an error), no cookie ever gets set and the SDK's next bootstrap probe is anonymous again — forever.
+
+The single most common cause: **your own auth middleware is intercepting `/api/iqauth/callback` before `attachHelpers()` can handle it.** The OAuth return trip is a fresh GET from the issuer with no `Authorization` header (correctly so — that's the whole point of the callback), so an `app.use(requireAuth)` mounted globally will reject it as 401.
+
+Confirm with these signals — if you see *any* of them, this is your bug:
+
+- Browser: `GET https://your-app.com/api/iqauth/callback?code=…` returns **401** (or any 4xx other than 302)
+- Browser DevTools → Application → Cookies for your app's domain: **no `iqauth_at` cookie present** after a sign-in attempt
+- Your app's server log shows your **own** auth middleware rejecting `path=/iqauth/callback` or `/api/iqauth/callback` with "missing authorization header"
+
+**Fix — pick one:**
+
+```ts
+// ✅ Option 1 (recommended) — mount SDK helpers BEFORE your auth middleware.
+const auth = iqAuth({ publishableKey, secretKey });
+auth.attachHelpers(app);          // public: /api/iqauth/{callback,refresh,signout}
+app.use(yourAuthMiddleware);      // anything below here requires a session
+
+// ✅ Option 2 — exempt /api/iqauth/* from your own auth gate.
+app.use((req, res, next) => {
+  if (req.path.startsWith("/api/iqauth/")) return next();
+  return yourAuthMiddleware(req, res, next);
+});
+```
+
+After the fix you should see `/api/iqauth/callback` return **302**, a `Set-Cookie: iqauth_at=…` header on the response, the cookie appearing under your app's domain in DevTools, and the next `/api/v1/auth/me` returning 200. The `Missing auth credentials` warning drops to the one harmless boot probe per fresh visitor.
 
 ---
 

package/dist/react.d.mts

@@ -116,6 +116,13 @@ interface IQAuthContextValue {
     roleMapper: ((claims: JwtClaims | null) => string | null) | null;
     /** Task #95 — fully resolved localization bundle (default + override). */
     localization: IQAuthLocaleBundle;
+    /**
+     * 2.6.1 — Whether `<SignIn/>` is allowed to silently resume an active SSO
+     * session and redirect the user without showing the form. Opt-in. Default
+     * `false` so consumers always see the sign-in UI on first paint unless they
+     * explicitly enable it. Per-instance `<SignIn silentSso>` overrides this.
+     */
+    silentSso: boolean;
 }
 interface IQAuthProviderProps {
     publishableKey: string;
@@ -154,6 +161,14 @@ interface IQAuthProviderProps {
      * default `enUS` strings.
      */
     localization?: IQAuthLocaleBundle | IQAuthLocaleOverride;
+    /**
+     * 2.6.1 — Opt into silent SSO resume in `<SignIn/>` (default `false`).
+     * When `true`, `<SignIn/>` will detect an active issuer-side `iq_sso`
+     * session and redirect through `/oidc/sso-resume` without rendering the
+     * form. When `false` (default) the form always renders and users must
+     * click to continue. Per-instance `<SignIn silentSso>` overrides this.
+     */
+    silentSso?: boolean;
     children?: ReactNode;
 }
 /**
@@ -162,7 +177,7 @@ interface IQAuthProviderProps {
  * safe — a single SessionManager instance is created per provider and reused
  * across remounts.
  */
-declare function IQAuthProvider({ publishableKey, issuer, channelName, proactiveRefresh, manager: externalManager, allowedReturnOrigins, appearance, roleMapper, cookieNames, localization, children, }: IQAuthProviderProps): React.FunctionComponentElement<React.ProviderProps<IQAuthContextValue | null>>;
+declare function IQAuthProvider({ publishableKey, issuer, channelName, proactiveRefresh, manager: externalManager, allowedReturnOrigins, appearance, roleMapper, cookieNames, localization, silentSso, children, }: IQAuthProviderProps): React.FunctionComponentElement<React.ProviderProps<IQAuthContextValue | null>>;
 /**
  * Task #95 — Returns the active localization bundle resolved from the
  * `localization` prop on `<IQAuthProvider>` (merged on top of `enUS`). Safe
@@ -578,6 +593,13 @@ interface SignInProps extends Partial<SharedComponentProps> {
     prompt?: "login";
     /** F11 — Per-instance appearance overrides; merged on top of provider-level appearance. */
     appearance?: IQAuthAppearance;
+    /**
+     * 2.6.1 — Per-instance opt-in to silent SSO resume. Overrides the
+     * `<IQAuthProvider silentSso>` value when supplied. Default (when both are
+     * unset): `false` — the form always renders and the user must click to
+     * continue.
+     */
+    silentSso?: boolean;
 }
 /**
  * Pure render-decision helper. When this returns `true`, `<SignIn/>` MUST

package/dist/react.d.ts

@@ -116,6 +116,13 @@ interface IQAuthContextValue {
     roleMapper: ((claims: JwtClaims | null) => string | null) | null;
     /** Task #95 — fully resolved localization bundle (default + override). */
     localization: IQAuthLocaleBundle;
+    /**
+     * 2.6.1 — Whether `<SignIn/>` is allowed to silently resume an active SSO
+     * session and redirect the user without showing the form. Opt-in. Default
+     * `false` so consumers always see the sign-in UI on first paint unless they
+     * explicitly enable it. Per-instance `<SignIn silentSso>` overrides this.
+     */
+    silentSso: boolean;
 }
 interface IQAuthProviderProps {
     publishableKey: string;
@@ -154,6 +161,14 @@ interface IQAuthProviderProps {
      * default `enUS` strings.
      */
     localization?: IQAuthLocaleBundle | IQAuthLocaleOverride;
+    /**
+     * 2.6.1 — Opt into silent SSO resume in `<SignIn/>` (default `false`).
+     * When `true`, `<SignIn/>` will detect an active issuer-side `iq_sso`
+     * session and redirect through `/oidc/sso-resume` without rendering the
+     * form. When `false` (default) the form always renders and users must
+     * click to continue. Per-instance `<SignIn silentSso>` overrides this.
+     */
+    silentSso?: boolean;
     children?: ReactNode;
 }
 /**
@@ -162,7 +177,7 @@ interface IQAuthProviderProps {
  * safe — a single SessionManager instance is created per provider and reused
  * across remounts.
  */
-declare function IQAuthProvider({ publishableKey, issuer, channelName, proactiveRefresh, manager: externalManager, allowedReturnOrigins, appearance, roleMapper, cookieNames, localization, children, }: IQAuthProviderProps): React.FunctionComponentElement<React.ProviderProps<IQAuthContextValue | null>>;
+declare function IQAuthProvider({ publishableKey, issuer, channelName, proactiveRefresh, manager: externalManager, allowedReturnOrigins, appearance, roleMapper, cookieNames, localization, silentSso, children, }: IQAuthProviderProps): React.FunctionComponentElement<React.ProviderProps<IQAuthContextValue | null>>;
 /**
  * Task #95 — Returns the active localization bundle resolved from the
  * `localization` prop on `<IQAuthProvider>` (merged on top of `enUS`). Safe
@@ -578,6 +593,13 @@ interface SignInProps extends Partial<SharedComponentProps> {
     prompt?: "login";
     /** F11 — Per-instance appearance overrides; merged on top of provider-level appearance. */
     appearance?: IQAuthAppearance;
+    /**
+     * 2.6.1 — Per-instance opt-in to silent SSO resume. Overrides the
+     * `<IQAuthProvider silentSso>` value when supplied. Default (when both are
+     * unset): `false` — the form always renders and the user must click to
+     * continue.
+     */
+    silentSso?: boolean;
 }
 /**
  * Pure render-decision helper. When this returns `true`, `<SignIn/>` MUST

package/dist/react.js

@@ -1847,6 +1847,7 @@ function IQAuthProvider({
   roleMapper,
   cookieNames,
   localization,
+  silentSso,
   children
 }) {
   const managerRef = (0, import_react.useRef)(null);
@@ -1895,9 +1896,10 @@ function IQAuthProvider({
       allowedReturnOrigins: allowedReturnOrigins ?? [],
       appearance: appearance ?? null,
       roleMapper: roleMapper ?? null,
-      localization: resolvedLocalization
+      localization: resolvedLocalization,
+      silentSso: silentSso ?? false
     }),
-    [manager, snapshot, allowedReturnOrigins, appearance, roleMapper, resolvedLocalization]
+    [manager, snapshot, allowedReturnOrigins, appearance, roleMapper, resolvedLocalization, silentSso]
   );
   return (0, import_react.createElement)(IQAuthContext.Provider, { value }, children);
 }
@@ -2421,10 +2423,16 @@ var SHELL_CSS = `
 .iqauth-sdk-hero { display: none; }
 .iqauth-sdk-pane {
   display: flex; flex-direction: column; align-items: center; justify-content: center;
-  padding: 48px 24px; min-height: 100vh;
+  padding: 32px 20px;
+  /* 2.6.1 \u2014 Default to natural height so embedded usage (inside a card,
+     modal, or sidebar) sizes to its content instead of forcing a full
+     viewport. The hosted/full-page layout re-introduces 100vh below the
+     768px container-query threshold for the side-by-side hero variant. */
+  min-height: auto;
+  box-sizing: border-box;
 }
 .iqauth-sdk-card {
-  width: 100%; max-width: 460px;
+  width: 100%; max-width: 480px;
   background: var(--brand-surface, #ffffff);
   border: 1px solid rgba(15,23,42,0.08);
   border-radius: var(--brand-radius, 16px);
@@ -2468,6 +2476,16 @@ var SHELL_CSS = `
 
 @container iqauth-sdk (min-width: 768px) {
   .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 1fr) minmax(0, 1fr); }
+  /* 2.6.1 \u2014 Restore 100vh ONLY for the wide side-by-side layout where
+     hero+pane need height parity. Embedded narrow uses keep natural height. */
+  .iqauth-sdk-pane { padding: 48px 24px; min-height: 100vh; }
+  /* 2.6.2 \u2014 Let the card breathe on desktop. The 480px mobile cap looks
+     phone-sized on a 720px+ pane; bump to 540px and grow the inner padding
+     so the form fills its half of the split layout. */
+  .iqauth-sdk-card { max-width: 540px; }
+  .iqauth-sdk-card-header { padding: 40px 44px 0; }
+  .iqauth-sdk-card-body { padding: 32px 44px 32px; }
+  .iqauth-sdk-card-header h1 { font-size: 26px; }
   .iqauth-sdk-hero {
     display: flex; flex-direction: column; justify-content: space-between;
     padding: clamp(32px, 4vw, 56px); color: #ffffff;
@@ -2489,6 +2507,9 @@ var SHELL_CSS = `
 }
 @container iqauth-sdk (min-width: 1280px) {
   .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 5fr) minmax(0, 6fr); }
+  /* 2.6.2 \u2014 Extra-wide screens: card grows once more so the form keeps
+     pace with the hero pane on 1440px+ monitors. */
+  .iqauth-sdk-card { max-width: 580px; }
 }
 `;
 var sdkShellStylesInjected = false;
@@ -2793,7 +2814,8 @@ function SignIn(props) {
   const iqAuthBaseUrl = props.iqAuthBaseUrl ?? providerCtx?.manager.issuerUrl ?? "";
   const appKey = props.appKey ?? providerCtx?.manager.appKey ?? "";
   const returnTo = props.returnTo ?? (typeof window !== "undefined" ? `${window.location.origin}/api/iqauth/callback` : "");
-  const { onRedirect, className, prompt, appearance: instanceAppearance } = props;
+  const { onRedirect, className, prompt, appearance: instanceAppearance, silentSso: instanceSilentSso } = props;
+  const silentSsoEnabled = instanceSilentSso ?? providerCtx?.silentSso ?? false;
   const appearance = instanceAppearance && providerCtx?.appearance ? { elements: { ...providerCtx.appearance.elements, ...instanceAppearance.elements } } : instanceAppearance ?? providerCtx?.appearance ?? null;
   if (!iqAuthBaseUrl || !appKey) {
     console.error(
@@ -2823,6 +2845,7 @@ function SignIn(props) {
   const [forcePrompt, setForcePrompt] = (0, import_react.useState)(false);
   const effectivePrompt = (0, import_react.useMemo)(() => {
     if (prompt === "login" || forcePrompt) return "login";
+    if (!silentSsoEnabled) return "login";
     if (typeof window !== "undefined") {
       try {
         if (new URLSearchParams(window.location.search).get("prompt") === "login") return "login";
@@ -2830,7 +2853,7 @@ function SignIn(props) {
       }
     }
     return void 0;
-  }, [prompt, forcePrompt]);
+  }, [prompt, forcePrompt, silentSsoEnabled]);
   const oidcPayload = () => ({
     client_id: ctx?.app.defaultClientId,
     redirect_uri: returnTo,

package/dist/react.mjs

@@ -102,6 +102,7 @@ function IQAuthProvider({
   roleMapper,
   cookieNames,
   localization,
+  silentSso,
   children
 }) {
   const managerRef = useRef(null);
@@ -150,9 +151,10 @@ function IQAuthProvider({
       allowedReturnOrigins: allowedReturnOrigins ?? [],
       appearance: appearance ?? null,
       roleMapper: roleMapper ?? null,
-      localization: resolvedLocalization
+      localization: resolvedLocalization,
+      silentSso: silentSso ?? false
     }),
-    [manager, snapshot, allowedReturnOrigins, appearance, roleMapper, resolvedLocalization]
+    [manager, snapshot, allowedReturnOrigins, appearance, roleMapper, resolvedLocalization, silentSso]
   );
   return createElement(IQAuthContext.Provider, { value }, children);
 }
@@ -676,10 +678,16 @@ var SHELL_CSS = `
 .iqauth-sdk-hero { display: none; }
 .iqauth-sdk-pane {
   display: flex; flex-direction: column; align-items: center; justify-content: center;
-  padding: 48px 24px; min-height: 100vh;
+  padding: 32px 20px;
+  /* 2.6.1 \u2014 Default to natural height so embedded usage (inside a card,
+     modal, or sidebar) sizes to its content instead of forcing a full
+     viewport. The hosted/full-page layout re-introduces 100vh below the
+     768px container-query threshold for the side-by-side hero variant. */
+  min-height: auto;
+  box-sizing: border-box;
 }
 .iqauth-sdk-card {
-  width: 100%; max-width: 460px;
+  width: 100%; max-width: 480px;
   background: var(--brand-surface, #ffffff);
   border: 1px solid rgba(15,23,42,0.08);
   border-radius: var(--brand-radius, 16px);
@@ -723,6 +731,16 @@ var SHELL_CSS = `
 
 @container iqauth-sdk (min-width: 768px) {
   .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 1fr) minmax(0, 1fr); }
+  /* 2.6.1 \u2014 Restore 100vh ONLY for the wide side-by-side layout where
+     hero+pane need height parity. Embedded narrow uses keep natural height. */
+  .iqauth-sdk-pane { padding: 48px 24px; min-height: 100vh; }
+  /* 2.6.2 \u2014 Let the card breathe on desktop. The 480px mobile cap looks
+     phone-sized on a 720px+ pane; bump to 540px and grow the inner padding
+     so the form fills its half of the split layout. */
+  .iqauth-sdk-card { max-width: 540px; }
+  .iqauth-sdk-card-header { padding: 40px 44px 0; }
+  .iqauth-sdk-card-body { padding: 32px 44px 32px; }
+  .iqauth-sdk-card-header h1 { font-size: 26px; }
   .iqauth-sdk-hero {
     display: flex; flex-direction: column; justify-content: space-between;
     padding: clamp(32px, 4vw, 56px); color: #ffffff;
@@ -744,6 +762,9 @@ var SHELL_CSS = `
 }
 @container iqauth-sdk (min-width: 1280px) {
   .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 5fr) minmax(0, 6fr); }
+  /* 2.6.2 \u2014 Extra-wide screens: card grows once more so the form keeps
+     pace with the hero pane on 1440px+ monitors. */
+  .iqauth-sdk-card { max-width: 580px; }
 }
 `;
 var sdkShellStylesInjected = false;
@@ -1048,7 +1069,8 @@ function SignIn(props) {
   const iqAuthBaseUrl = props.iqAuthBaseUrl ?? providerCtx?.manager.issuerUrl ?? "";
   const appKey = props.appKey ?? providerCtx?.manager.appKey ?? "";
   const returnTo = props.returnTo ?? (typeof window !== "undefined" ? `${window.location.origin}/api/iqauth/callback` : "");
-  const { onRedirect, className, prompt, appearance: instanceAppearance } = props;
+  const { onRedirect, className, prompt, appearance: instanceAppearance, silentSso: instanceSilentSso } = props;
+  const silentSsoEnabled = instanceSilentSso ?? providerCtx?.silentSso ?? false;
   const appearance = instanceAppearance && providerCtx?.appearance ? { elements: { ...providerCtx.appearance.elements, ...instanceAppearance.elements } } : instanceAppearance ?? providerCtx?.appearance ?? null;
   if (!iqAuthBaseUrl || !appKey) {
     console.error(
@@ -1078,6 +1100,7 @@ function SignIn(props) {
   const [forcePrompt, setForcePrompt] = useState(false);
   const effectivePrompt = useMemo(() => {
     if (prompt === "login" || forcePrompt) return "login";
+    if (!silentSsoEnabled) return "login";
     if (typeof window !== "undefined") {
       try {
         if (new URLSearchParams(window.location.search).get("prompt") === "login") return "login";
@@ -1085,7 +1108,7 @@ function SignIn(props) {
       }
     }
     return void 0;
-  }, [prompt, forcePrompt]);
+  }, [prompt, forcePrompt, silentSsoEnabled]);
   const oidcPayload = () => ({
     client_id: ctx?.app.defaultClientId,
     redirect_uri: returnTo,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@iqauth/sdk",
-  "version": "2.6.0",
+  "version": "2.6.2",
   "description": "TypeScript SDK for IQAuth — the canonical way for all IQ projects to integrate with IQAuthService",
   "main": "dist/index.js",
   "module": "dist/index.mjs",