@omnikit-ai/sdk 2.0.3

package/dist/auth-utils.d.mts

@@ -0,0 +1,68 @@
+/**
+ * Authentication utility functions for Omnikit SDK
+ * Provides helpers for token management
+ */
+/**
+ * Set the app-specific localStorage key for tokens
+ * This ensures each app has its own isolated token storage
+ * Called by APIClient during initialization
+ * @param appId - The app ID to use for the storage key
+ */
+declare function setAccessTokenKey(appId: string): void;
+/**
+ * Check if token exists in URL parameters
+ * @returns True if token is present in URL
+ */
+declare function isTokenInUrl(): boolean;
+/**
+ * Remove token from URL without page reload
+ * Cleans up the URL after token has been saved to localStorage
+ */
+declare function cleanTokenFromUrl(): void;
+/**
+ * Remove OAuth token from URL hash without page reload
+ * Cleans up the hash after token has been saved to localStorage
+ */
+declare function cleanTokenFromHash(): void;
+/**
+ * Save access token to localStorage
+ * @param token - The access token to save
+ */
+declare function saveAccessToken(token: string): void;
+/**
+ * Remove access token from localStorage
+ * Call this on logout to clear the saved token
+ */
+declare function removeAccessToken(): void;
+/**
+ * Get access token from URL or localStorage (cookie-less auth for CSRF protection)
+ *
+ * Priority:
+ * 1. Check URL hash fragment (e.g., #_auth_token=xxx from OAuth redirect - most secure)
+ * 2. Check URL query parameters (e.g., ?token=xxx - legacy support)
+ * 3. Check localStorage (previously saved token)
+ *
+ * If token is found in URL (hash or query), it will be automatically saved to localStorage
+ * and removed from the URL to prevent token exposure in browser history.
+ *
+ * @returns The access token or null if not found
+ *
+ * @example
+ * ```typescript
+ * import { createClient, getAccessToken } from '@omnikit/sdk';
+ *
+ * const omnikit = createClient({
+ *   appId: 'your-app-id',
+ *   token: getAccessToken() // Auto-retrieves from URL or localStorage
+ * });
+ * ```
+ */
+declare function getAccessToken(): string | null;
+/**
+ * Set access token (saves to localStorage)
+ * Alias for saveAccessToken for consistency with getAccessToken
+ * @param token - The access token to set
+ */
+declare function setAccessToken(token: string): void;
+
+export { cleanTokenFromHash, cleanTokenFromUrl, getAccessToken, isTokenInUrl, removeAccessToken, saveAccessToken, setAccessToken, setAccessTokenKey };

package/dist/auth-utils.d.ts

@@ -0,0 +1,68 @@
+/**
+ * Authentication utility functions for Omnikit SDK
+ * Provides helpers for token management
+ */
+/**
+ * Set the app-specific localStorage key for tokens
+ * This ensures each app has its own isolated token storage
+ * Called by APIClient during initialization
+ * @param appId - The app ID to use for the storage key
+ */
+declare function setAccessTokenKey(appId: string): void;
+/**
+ * Check if token exists in URL parameters
+ * @returns True if token is present in URL
+ */
+declare function isTokenInUrl(): boolean;
+/**
+ * Remove token from URL without page reload
+ * Cleans up the URL after token has been saved to localStorage
+ */
+declare function cleanTokenFromUrl(): void;
+/**
+ * Remove OAuth token from URL hash without page reload
+ * Cleans up the hash after token has been saved to localStorage
+ */
+declare function cleanTokenFromHash(): void;
+/**
+ * Save access token to localStorage
+ * @param token - The access token to save
+ */
+declare function saveAccessToken(token: string): void;
+/**
+ * Remove access token from localStorage
+ * Call this on logout to clear the saved token
+ */
+declare function removeAccessToken(): void;
+/**
+ * Get access token from URL or localStorage (cookie-less auth for CSRF protection)
+ *
+ * Priority:
+ * 1. Check URL hash fragment (e.g., #_auth_token=xxx from OAuth redirect - most secure)
+ * 2. Check URL query parameters (e.g., ?token=xxx - legacy support)
+ * 3. Check localStorage (previously saved token)
+ *
+ * If token is found in URL (hash or query), it will be automatically saved to localStorage
+ * and removed from the URL to prevent token exposure in browser history.
+ *
+ * @returns The access token or null if not found
+ *
+ * @example
+ * ```typescript
+ * import { createClient, getAccessToken } from '@omnikit/sdk';
+ *
+ * const omnikit = createClient({
+ *   appId: 'your-app-id',
+ *   token: getAccessToken() // Auto-retrieves from URL or localStorage
+ * });
+ * ```
+ */
+declare function getAccessToken(): string | null;
+/**
+ * Set access token (saves to localStorage)
+ * Alias for saveAccessToken for consistency with getAccessToken
+ * @param token - The access token to set
+ */
+declare function setAccessToken(token: string): void;
+
+export { cleanTokenFromHash, cleanTokenFromUrl, getAccessToken, isTokenInUrl, removeAccessToken, saveAccessToken, setAccessToken, setAccessTokenKey };

package/dist/auth-utils.js

@@ -0,0 +1,124 @@
+'use strict';
+
+// src/auth-utils.ts
+var ACCESS_TOKEN_KEY = "access_token";
+var TOKEN_URL_PARAM = "token";
+function setAccessTokenKey(appId) {
+  ACCESS_TOKEN_KEY = `omnikit_token_${appId}`;
+}
+function isBrowser() {
+  return typeof window !== "undefined" && typeof window.localStorage !== "undefined";
+}
+function getTokenFromUrl() {
+  if (!isBrowser()) return null;
+  try {
+    const urlParams = new URLSearchParams(window.location.search);
+    return urlParams.get(TOKEN_URL_PARAM);
+  } catch (error) {
+    console.warn("Failed to get token from URL:", error);
+    return null;
+  }
+}
+function getTokenFromStorage() {
+  if (!isBrowser()) return null;
+  try {
+    return localStorage.getItem(ACCESS_TOKEN_KEY);
+  } catch (error) {
+    console.warn("Failed to get token from localStorage:", error);
+    return null;
+  }
+}
+function isTokenInUrl() {
+  return getTokenFromUrl() !== null;
+}
+function cleanTokenFromUrl() {
+  if (!isBrowser()) return;
+  try {
+    const url = new URL(window.location.href);
+    if (url.searchParams.has(TOKEN_URL_PARAM)) {
+      url.searchParams.delete(TOKEN_URL_PARAM);
+      window.history.replaceState({}, "", url.toString());
+    }
+  } catch (error) {
+    console.warn("Failed to clean token from URL:", error);
+  }
+}
+function getTokenFromHash() {
+  if (!isBrowser()) return null;
+  const hash = window.location.hash;
+  if (!hash) return null;
+  try {
+    const params = new URLSearchParams(hash.substring(1));
+    return params.get("_auth_token");
+  } catch (error) {
+    console.warn("Failed to get token from hash:", error);
+    return null;
+  }
+}
+function cleanTokenFromHash() {
+  if (!isBrowser()) return;
+  try {
+    window.history.replaceState(
+      null,
+      "",
+      window.location.pathname + window.location.search
+    );
+  } catch (error) {
+    console.warn("Failed to clean token from hash:", error);
+  }
+}
+function saveAccessToken(token) {
+  if (!isBrowser()) {
+    console.warn("Cannot save token: not in browser environment");
+    return;
+  }
+  try {
+    localStorage.setItem(ACCESS_TOKEN_KEY, token);
+  } catch (error) {
+    console.error("Failed to save token to localStorage:", error);
+  }
+}
+function removeAccessToken() {
+  if (!isBrowser()) return;
+  try {
+    localStorage.removeItem(ACCESS_TOKEN_KEY);
+  } catch (error) {
+    console.warn("Failed to remove token from localStorage:", error);
+  }
+}
+function getAccessToken() {
+  const hashToken = getTokenFromHash();
+  if (hashToken) {
+    saveAccessToken(hashToken);
+    cleanTokenFromHash();
+    console.log("\u2705 OAuth token captured from URL hash");
+    if (isBrowser()) {
+      window.dispatchEvent(new CustomEvent("omnikit:auth-change"));
+    }
+    return hashToken;
+  }
+  const urlToken = getTokenFromUrl();
+  if (urlToken) {
+    saveAccessToken(urlToken);
+    cleanTokenFromUrl();
+    if (isBrowser()) {
+      window.dispatchEvent(new CustomEvent("omnikit:auth-change"));
+    }
+    return urlToken;
+  }
+  return getTokenFromStorage();
+}
+function setAccessToken(token) {
+  saveAccessToken(token);
+}
+
+exports.cleanTokenFromHash = cleanTokenFromHash;
+exports.cleanTokenFromUrl = cleanTokenFromUrl;
+exports.getAccessToken = getAccessToken;
+exports.isTokenInUrl = isTokenInUrl;
+exports.removeAccessToken = removeAccessToken;
+exports.saveAccessToken = saveAccessToken;
+exports.setAccessToken = setAccessToken;
+exports.setAccessTokenKey = setAccessTokenKey;
+//# sourceMappingURL=auth-utils.js.map
+//# sourceMappingURL=auth-utils.js.map

package/dist/auth-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/auth-utils.ts"],"names":[],"mappings":";;;AAOA,IAAI,gBAAA,GAAmB,cAAA;AACvB,IAAM,eAAA,GAAkB,OAAA;AAQjB,SAAS,kBAAkB,KAAA,EAAqB;AACrD,EAAA,gBAAA,GAAmB,iBAAiB,KAAK,CAAA,CAAA;AAC3C;AAKA,SAAS,SAAA,GAAqB;AAC5B,EAAA,OAAO,OAAO,MAAA,KAAW,WAAA,IAAe,OAAO,OAAO,YAAA,KAAiB,WAAA;AACzE;AAMA,SAAS,eAAA,GAAiC;AACxC,EAAA,IAAI,CAAC,SAAA,EAAU,EAAG,OAAO,IAAA;AAEzB,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,GAAY,IAAI,eAAA,CAAgB,MAAA,CAAO,SAAS,MAAM,CAAA;AAC5D,IAAA,OAAO,SAAA,CAAU,IAAI,eAAe,CAAA;AAAA,EACtC,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,IAAA,CAAK,iCAAiC,KAAK,CAAA;AACnD,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMA,SAAS,mBAAA,GAAqC;AAC5C,EAAA,IAAI,CAAC,SAAA,EAAU,EAAG,OAAO,IAAA;AAEzB,EAAA,IAAI;AACF,IAAA,OAAO,YAAA,CAAa,QAAQ,gBAAgB,CAAA;AAAA,EAC9C,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,IAAA,CAAK,0CAA0C,KAAK,CAAA;AAC5D,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMO,SAAS,YAAA,GAAwB;AACtC,EAAA,OAAO,iBAAgB,KAAM,IAAA;AAC/B;AAMO,SAAS,iBAAA,GAA0B;AACxC,EAAA,IAAI,CAAC,WAAU,EAAG;AAElB,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,MAAA,CAAO,SAAS,IAAI,CAAA;AACxC,IAAA,IAAI,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,eAAe,CAAA,EAAG;AACzC,MAAA,GAAA,CAAI,YAAA,CAAa,OAAO,eAAe,CAAA;AACvC,MAAA,MAAA,CAAO,QAAQ,YAAA,CAAa,IAAI,EAAA,EAAI,GAAA,CAAI,UAAU,CAAA;AAAA,IACpD;AAAA,EACF,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,IAAA,CAAK,mCAAmC,KAAK,CAAA;AAAA,EACvD;AACF;AAQA,SAAS,gBAAA,GAAkC;AACzC,EAAA,IAAI,CAAC,SAAA,EAAU,EAAG,OAAO,IAAA;AAEzB,EAAA,MAAM,IAAA,GAAO,OAAO,QAAA,CAAS,IAAA;AAC7B,EAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAElB,EAAA,IAAI;AAEF,IAAA,MAAM,SAAS,IAAI,eAAA,CAAgB,IAAA,CAAK,SAAA,CAAU,CAAC,CAAC,CAAA;AAEpD,IAAA,OAAO,MAAA,CAAO,IAAI,aAAa,CAAA;AAAA,EACjC,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,IAAA,CAAK,kCAAkC,KAAK,CAAA;AACpD,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMO,SAAS,kBAAA,GAA2B;AACzC,EAAA,IAAI,CAAC,WAAU,EAAG;AAElB,EAAA,IAAI;AAEF,IAAA,MAAA,CAAO,OAAA,CAAQ,YAAA;AAAA,MACb,IAAA;AAAA,MACA,EAAA;AAAA,MACA,MAAA,CAAO,QAAA,CAAS,QAAA,GAAW,MAAA,CAAO,QAAA,CAAS;AAAA,KAC7C;AAAA,EACF,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,IAAA,CAAK,oCAAoC,KAAK,CAAA;AAAA,EACxD;AACF;AAMO,SAAS,gBAAgB,KAAA,EAAqB;AACnD,EAAA,IAAI,CAAC,WAAU,EAAG;AAChB,IAAA,OAAA,CAAQ,KAAK,+CAA+C,CAAA;AAC5D,IAAA;AAAA,EACF;AAEA,EAAA,IAAI;AACF,IAAA,YAAA,CAAa,OAAA,CAAQ,kBAAkB,KAAK,CAAA;AAAA,EAC9C,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,yCAAyC,KAAK,CAAA;AAAA,EAC9D;AACF;AAMO,SAAS,iBAAA,GAA0B;AACxC,EAAA,IAAI,CAAC,WAAU,EAAG;AAElB,EAAA,IAAI;AACF,IAAA,YAAA,CAAa,WAAW,gBAAgB,CAAA;AAAA,EAC1C,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,IAAA,CAAK,6CAA6C,KAAK,CAAA;AAAA,EACjE;AACF;AAyBO,SAAS,cAAA,GAAgC;AAG9C,EAAA,MAAM,YAAY,gBAAA,EAAiB;AACnC,EAAA,IAAI,SAAA,EAAW;AAEb,IAAA,eAAA,CAAgB,SAAS,CAAA;AAGzB,IAAA,kBAAA,EAAmB;AAEnB,IAAA,OAAA,CAAQ,IAAI,2CAAsC,CAAA;AAIlD,IAAA,IAAI,WAAU,EAAG;AACf,MAAA,MAAA,CAAO,aAAA,CAAc,IAAI,WAAA,CAAY,qBAAqB,CAAC,CAAA;AAAA,IAC7D;AAEA,IAAA,OAAO,SAAA;AAAA,EACT;AAGA,EAAA,MAAM,WAAW,eAAA,EAAgB;AACjC,EAAA,IAAI,QAAA,EAAU;AAEZ,IAAA,eAAA,CAAgB,QAAQ,CAAA;AAGxB,IAAA,iBAAA,EAAkB;AAGlB,IAAA,IAAI,WAAU,EAAG;AACf,MAAA,MAAA,CAAO,aAAA,CAAc,IAAI,WAAA,CAAY,qBAAqB,CAAC,CAAA;AAAA,IAC7D;AAEA,IAAA,OAAO,QAAA;AAAA,EACT;AAIA,EAAA,OAAO,mBAAA,EAAoB;AAC7B;AAOO,SAAS,eAAe,KAAA,EAAqB;AAClD,EAAA,eAAA,CAAgB,KAAK,CAAA;AACvB","file":"auth-utils.js","sourcesContent":["/**\n * Authentication utility functions for Omnikit SDK\n * Provides helpers for token management\n */\n\n// App-specific localStorage key to prevent token sharing between apps\n// Format: omnikit_token_{appId} for app-specific isolation\nlet ACCESS_TOKEN_KEY = 'access_token'; // Default fallback for backwards compatibility\nconst TOKEN_URL_PARAM = 'token';\n\n/**\n * Set the app-specific localStorage key for tokens\n * This ensures each app has its own isolated token storage\n * Called by APIClient during initialization\n * @param appId - The app ID to use for the storage key\n */\nexport function setAccessTokenKey(appId: string): void {\n  ACCESS_TOKEN_KEY = `omnikit_token_${appId}`;\n}\n\n/**\n * Check if code is running in browser environment\n */\nfunction isBrowser(): boolean {\n  return typeof window !== 'undefined' && typeof window.localStorage !== 'undefined';\n}\n\n/**\n * Get access token from URL parameters\n * @returns Token string or null if not found\n */\nfunction getTokenFromUrl(): string | null {\n  if (!isBrowser()) return null;\n\n  try {\n    const urlParams = new URLSearchParams(window.location.search);\n    return urlParams.get(TOKEN_URL_PARAM);\n  } catch (error) {\n    console.warn('Failed to get token from URL:', error);\n    return null;\n  }\n}\n\n/**\n * Get access token from localStorage\n * @returns Token string or null if not found\n */\nfunction getTokenFromStorage(): string | null {\n  if (!isBrowser()) return null;\n\n  try {\n    return localStorage.getItem(ACCESS_TOKEN_KEY);\n  } catch (error) {\n    console.warn('Failed to get token from localStorage:', error);\n    return null;\n  }\n}\n\n/**\n * Check if token exists in URL parameters\n * @returns True if token is present in URL\n */\nexport function isTokenInUrl(): boolean {\n  return getTokenFromUrl() !== null;\n}\n\n/**\n * Remove token from URL without page reload\n * Cleans up the URL after token has been saved to localStorage\n */\nexport function cleanTokenFromUrl(): void {\n  if (!isBrowser()) return;\n\n  try {\n    const url = new URL(window.location.href);\n    if (url.searchParams.has(TOKEN_URL_PARAM)) {\n      url.searchParams.delete(TOKEN_URL_PARAM);\n      window.history.replaceState({}, '', url.toString());\n    }\n  } catch (error) {\n    console.warn('Failed to clean token from URL:', error);\n  }\n}\n\n/**\n * Get OAuth token from URL hash fragment\n * Checks for _auth_token (primary) from OAuth callback\n * Hash fragments are more secure than query params (not sent to server)\n * @returns Token string or null if not found\n */\nfunction getTokenFromHash(): string | null {\n  if (!isBrowser()) return null;\n\n  const hash = window.location.hash;\n  if (!hash) return null;\n\n  try {\n    // Remove # prefix and parse as URLSearchParams\n    const params = new URLSearchParams(hash.substring(1));\n    // Check for _auth_token (used by OAuth callback)\n    return params.get('_auth_token');\n  } catch (error) {\n    console.warn('Failed to get token from hash:', error);\n    return null;\n  }\n}\n\n/**\n * Remove OAuth token from URL hash without page reload\n * Cleans up the hash after token has been saved to localStorage\n */\nexport function cleanTokenFromHash(): void {\n  if (!isBrowser()) return;\n\n  try {\n    // Remove hash entirely, keeping only path and query string\n    window.history.replaceState(\n      null,\n      '',\n      window.location.pathname + window.location.search\n    );\n  } catch (error) {\n    console.warn('Failed to clean token from hash:', error);\n  }\n}\n\n/**\n * Save access token to localStorage\n * @param token - The access token to save\n */\nexport function saveAccessToken(token: string): void {\n  if (!isBrowser()) {\n    console.warn('Cannot save token: not in browser environment');\n    return;\n  }\n\n  try {\n    localStorage.setItem(ACCESS_TOKEN_KEY, token);\n  } catch (error) {\n    console.error('Failed to save token to localStorage:', error);\n  }\n}\n\n/**\n * Remove access token from localStorage\n * Call this on logout to clear the saved token\n */\nexport function removeAccessToken(): void {\n  if (!isBrowser()) return;\n\n  try {\n    localStorage.removeItem(ACCESS_TOKEN_KEY);\n  } catch (error) {\n    console.warn('Failed to remove token from localStorage:', error);\n  }\n}\n\n/**\n * Get access token from URL or localStorage (cookie-less auth for CSRF protection)\n *\n * Priority:\n * 1. Check URL hash fragment (e.g., #_auth_token=xxx from OAuth redirect - most secure)\n * 2. Check URL query parameters (e.g., ?token=xxx - legacy support)\n * 3. Check localStorage (previously saved token)\n *\n * If token is found in URL (hash or query), it will be automatically saved to localStorage\n * and removed from the URL to prevent token exposure in browser history.\n *\n * @returns The access token or null if not found\n *\n * @example\n * ```typescript\n * import { createClient, getAccessToken } from '@omnikit/sdk';\n *\n * const omnikit = createClient({\n *   appId: 'your-app-id',\n *   token: getAccessToken() // Auto-retrieves from URL or localStorage\n * });\n * ```\n */\nexport function getAccessToken(): string | null {\n  // Priority 1: Check URL hash (OAuth callback: #_auth_token=xxx)\n  // Hash fragments are more secure - not sent to server in HTTP requests\n  const hashToken = getTokenFromHash();\n  if (hashToken) {\n    // Save to localStorage for future use\n    saveAccessToken(hashToken);\n\n    // Clean hash to prevent token exposure in browser history\n    cleanTokenFromHash();\n\n    console.log('✅ OAuth token captured from URL hash');\n\n    // Dispatch auth-change event so AuthGate can re-check auth state\n    // This triggers a re-render after OAuth callback\n    if (isBrowser()) {\n      window.dispatchEvent(new CustomEvent('omnikit:auth-change'));\n    }\n\n    return hashToken;\n  }\n\n  // Priority 2: Check URL query params (legacy: ?token=xxx)\n  const urlToken = getTokenFromUrl();\n  if (urlToken) {\n    // Save to localStorage for future use\n    saveAccessToken(urlToken);\n\n    // Clean URL to prevent token exposure in browser history\n    cleanTokenFromUrl();\n\n    // Dispatch auth-change event so AuthGate can re-check auth state\n    if (isBrowser()) {\n      window.dispatchEvent(new CustomEvent('omnikit:auth-change'));\n    }\n\n    return urlToken;\n  }\n\n  // Priority 3: Fall back to localStorage\n  // No cookies used (cookie-less auth for CSRF protection)\n  return getTokenFromStorage();\n}\n\n/**\n * Set access token (saves to localStorage)\n * Alias for saveAccessToken for consistency with getAccessToken\n * @param token - The access token to set\n */\nexport function setAccessToken(token: string): void {\n  saveAccessToken(token);\n}\n"]}

package/dist/auth-utils.mjs

@@ -0,0 +1,115 @@
+// src/auth-utils.ts
+var ACCESS_TOKEN_KEY = "access_token";
+var TOKEN_URL_PARAM = "token";
+function setAccessTokenKey(appId) {
+  ACCESS_TOKEN_KEY = `omnikit_token_${appId}`;
+}
+function isBrowser() {
+  return typeof window !== "undefined" && typeof window.localStorage !== "undefined";
+}
+function getTokenFromUrl() {
+  if (!isBrowser()) return null;
+  try {
+    const urlParams = new URLSearchParams(window.location.search);
+    return urlParams.get(TOKEN_URL_PARAM);
+  } catch (error) {
+    console.warn("Failed to get token from URL:", error);
+    return null;
+  }
+}
+function getTokenFromStorage() {
+  if (!isBrowser()) return null;
+  try {
+    return localStorage.getItem(ACCESS_TOKEN_KEY);
+  } catch (error) {
+    console.warn("Failed to get token from localStorage:", error);
+    return null;
+  }
+}
+function isTokenInUrl() {
+  return getTokenFromUrl() !== null;
+}
+function cleanTokenFromUrl() {
+  if (!isBrowser()) return;
+  try {
+    const url = new URL(window.location.href);
+    if (url.searchParams.has(TOKEN_URL_PARAM)) {
+      url.searchParams.delete(TOKEN_URL_PARAM);
+      window.history.replaceState({}, "", url.toString());
+    }
+  } catch (error) {
+    console.warn("Failed to clean token from URL:", error);
+  }
+}
+function getTokenFromHash() {
+  if (!isBrowser()) return null;
+  const hash = window.location.hash;
+  if (!hash) return null;
+  try {
+    const params = new URLSearchParams(hash.substring(1));
+    return params.get("_auth_token");
+  } catch (error) {
+    console.warn("Failed to get token from hash:", error);
+    return null;
+  }
+}
+function cleanTokenFromHash() {
+  if (!isBrowser()) return;
+  try {
+    window.history.replaceState(
+      null,
+      "",
+      window.location.pathname + window.location.search
+    );
+  } catch (error) {
+    console.warn("Failed to clean token from hash:", error);
+  }
+}
+function saveAccessToken(token) {
+  if (!isBrowser()) {
+    console.warn("Cannot save token: not in browser environment");
+    return;
+  }
+  try {
+    localStorage.setItem(ACCESS_TOKEN_KEY, token);
+  } catch (error) {
+    console.error("Failed to save token to localStorage:", error);
+  }
+}
+function removeAccessToken() {
+  if (!isBrowser()) return;
+  try {
+    localStorage.removeItem(ACCESS_TOKEN_KEY);
+  } catch (error) {
+    console.warn("Failed to remove token from localStorage:", error);
+  }
+}
+function getAccessToken() {
+  const hashToken = getTokenFromHash();
+  if (hashToken) {
+    saveAccessToken(hashToken);
+    cleanTokenFromHash();
+    console.log("\u2705 OAuth token captured from URL hash");
+    if (isBrowser()) {
+      window.dispatchEvent(new CustomEvent("omnikit:auth-change"));
+    }
+    return hashToken;
+  }
+  const urlToken = getTokenFromUrl();
+  if (urlToken) {
+    saveAccessToken(urlToken);
+    cleanTokenFromUrl();
+    if (isBrowser()) {
+      window.dispatchEvent(new CustomEvent("omnikit:auth-change"));
+    }
+    return urlToken;
+  }
+  return getTokenFromStorage();
+}
+function setAccessToken(token) {
+  saveAccessToken(token);
+}
+
+export { cleanTokenFromHash, cleanTokenFromUrl, getAccessToken, isTokenInUrl, removeAccessToken, saveAccessToken, setAccessToken, setAccessTokenKey };
+//# sourceMappingURL=auth-utils.mjs.map
+//# sourceMappingURL=auth-utils.mjs.map

package/dist/auth-utils.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/auth-utils.ts"],"names":[],"mappings":";AAOA,IAAI,gBAAA,GAAmB,cAAA;AACvB,IAAM,eAAA,GAAkB,OAAA;AAQjB,SAAS,kBAAkB,KAAA,EAAqB;AACrD,EAAA,gBAAA,GAAmB,iBAAiB,KAAK,CAAA,CAAA;AAC3C;AAKA,SAAS,SAAA,GAAqB;AAC5B,EAAA,OAAO,OAAO,MAAA,KAAW,WAAA,IAAe,OAAO,OAAO,YAAA,KAAiB,WAAA;AACzE;AAMA,SAAS,eAAA,GAAiC;AACxC,EAAA,IAAI,CAAC,SAAA,EAAU,EAAG,OAAO,IAAA;AAEzB,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,GAAY,IAAI,eAAA,CAAgB,MAAA,CAAO,SAAS,MAAM,CAAA;AAC5D,IAAA,OAAO,SAAA,CAAU,IAAI,eAAe,CAAA;AAAA,EACtC,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,IAAA,CAAK,iCAAiC,KAAK,CAAA;AACnD,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMA,SAAS,mBAAA,GAAqC;AAC5C,EAAA,IAAI,CAAC,SAAA,EAAU,EAAG,OAAO,IAAA;AAEzB,EAAA,IAAI;AACF,IAAA,OAAO,YAAA,CAAa,QAAQ,gBAAgB,CAAA;AAAA,EAC9C,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,IAAA,CAAK,0CAA0C,KAAK,CAAA;AAC5D,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMO,SAAS,YAAA,GAAwB;AACtC,EAAA,OAAO,iBAAgB,KAAM,IAAA;AAC/B;AAMO,SAAS,iBAAA,GAA0B;AACxC,EAAA,IAAI,CAAC,WAAU,EAAG;AAElB,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,MAAA,CAAO,SAAS,IAAI,CAAA;AACxC,IAAA,IAAI,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,eAAe,CAAA,EAAG;AACzC,MAAA,GAAA,CAAI,YAAA,CAAa,OAAO,eAAe,CAAA;AACvC,MAAA,MAAA,CAAO,QAAQ,YAAA,CAAa,IAAI,EAAA,EAAI,GAAA,CAAI,UAAU,CAAA;AAAA,IACpD;AAAA,EACF,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,IAAA,CAAK,mCAAmC,KAAK,CAAA;AAAA,EACvD;AACF;AAQA,SAAS,gBAAA,GAAkC;AACzC,EAAA,IAAI,CAAC,SAAA,EAAU,EAAG,OAAO,IAAA;AAEzB,EAAA,MAAM,IAAA,GAAO,OAAO,QAAA,CAAS,IAAA;AAC7B,EAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAElB,EAAA,IAAI;AAEF,IAAA,MAAM,SAAS,IAAI,eAAA,CAAgB,IAAA,CAAK,SAAA,CAAU,CAAC,CAAC,CAAA;AAEpD,IAAA,OAAO,MAAA,CAAO,IAAI,aAAa,CAAA;AAAA,EACjC,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,IAAA,CAAK,kCAAkC,KAAK,CAAA;AACpD,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMO,SAAS,kBAAA,GAA2B;AACzC,EAAA,IAAI,CAAC,WAAU,EAAG;AAElB,EAAA,IAAI;AAEF,IAAA,MAAA,CAAO,OAAA,CAAQ,YAAA;AAAA,MACb,IAAA;AAAA,MACA,EAAA;AAAA,MACA,MAAA,CAAO,QAAA,CAAS,QAAA,GAAW,MAAA,CAAO,QAAA,CAAS;AAAA,KAC7C;AAAA,EACF,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,IAAA,CAAK,oCAAoC,KAAK,CAAA;AAAA,EACxD;AACF;AAMO,SAAS,gBAAgB,KAAA,EAAqB;AACnD,EAAA,IAAI,CAAC,WAAU,EAAG;AAChB,IAAA,OAAA,CAAQ,KAAK,+CAA+C,CAAA;AAC5D,IAAA;AAAA,EACF;AAEA,EAAA,IAAI;AACF,IAAA,YAAA,CAAa,OAAA,CAAQ,kBAAkB,KAAK,CAAA;AAAA,EAC9C,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,yCAAyC,KAAK,CAAA;AAAA,EAC9D;AACF;AAMO,SAAS,iBAAA,GAA0B;AACxC,EAAA,IAAI,CAAC,WAAU,EAAG;AAElB,EAAA,IAAI;AACF,IAAA,YAAA,CAAa,WAAW,gBAAgB,CAAA;AAAA,EAC1C,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,IAAA,CAAK,6CAA6C,KAAK,CAAA;AAAA,EACjE;AACF;AAyBO,SAAS,cAAA,GAAgC;AAG9C,EAAA,MAAM,YAAY,gBAAA,EAAiB;AACnC,EAAA,IAAI,SAAA,EAAW;AAEb,IAAA,eAAA,CAAgB,SAAS,CAAA;AAGzB,IAAA,kBAAA,EAAmB;AAEnB,IAAA,OAAA,CAAQ,IAAI,2CAAsC,CAAA;AAIlD,IAAA,IAAI,WAAU,EAAG;AACf,MAAA,MAAA,CAAO,aAAA,CAAc,IAAI,WAAA,CAAY,qBAAqB,CAAC,CAAA;AAAA,IAC7D;AAEA,IAAA,OAAO,SAAA;AAAA,EACT;AAGA,EAAA,MAAM,WAAW,eAAA,EAAgB;AACjC,EAAA,IAAI,QAAA,EAAU;AAEZ,IAAA,eAAA,CAAgB,QAAQ,CAAA;AAGxB,IAAA,iBAAA,EAAkB;AAGlB,IAAA,IAAI,WAAU,EAAG;AACf,MAAA,MAAA,CAAO,aAAA,CAAc,IAAI,WAAA,CAAY,qBAAqB,CAAC,CAAA;AAAA,IAC7D;AAEA,IAAA,OAAO,QAAA;AAAA,EACT;AAIA,EAAA,OAAO,mBAAA,EAAoB;AAC7B;AAOO,SAAS,eAAe,KAAA,EAAqB;AAClD,EAAA,eAAA,CAAgB,KAAK,CAAA;AACvB","file":"auth-utils.mjs","sourcesContent":["/**\n * Authentication utility functions for Omnikit SDK\n * Provides helpers for token management\n */\n\n// App-specific localStorage key to prevent token sharing between apps\n// Format: omnikit_token_{appId} for app-specific isolation\nlet ACCESS_TOKEN_KEY = 'access_token'; // Default fallback for backwards compatibility\nconst TOKEN_URL_PARAM = 'token';\n\n/**\n * Set the app-specific localStorage key for tokens\n * This ensures each app has its own isolated token storage\n * Called by APIClient during initialization\n * @param appId - The app ID to use for the storage key\n */\nexport function setAccessTokenKey(appId: string): void {\n  ACCESS_TOKEN_KEY = `omnikit_token_${appId}`;\n}\n\n/**\n * Check if code is running in browser environment\n */\nfunction isBrowser(): boolean {\n  return typeof window !== 'undefined' && typeof window.localStorage !== 'undefined';\n}\n\n/**\n * Get access token from URL parameters\n * @returns Token string or null if not found\n */\nfunction getTokenFromUrl(): string | null {\n  if (!isBrowser()) return null;\n\n  try {\n    const urlParams = new URLSearchParams(window.location.search);\n    return urlParams.get(TOKEN_URL_PARAM);\n  } catch (error) {\n    console.warn('Failed to get token from URL:', error);\n    return null;\n  }\n}\n\n/**\n * Get access token from localStorage\n * @returns Token string or null if not found\n */\nfunction getTokenFromStorage(): string | null {\n  if (!isBrowser()) return null;\n\n  try {\n    return localStorage.getItem(ACCESS_TOKEN_KEY);\n  } catch (error) {\n    console.warn('Failed to get token from localStorage:', error);\n    return null;\n  }\n}\n\n/**\n * Check if token exists in URL parameters\n * @returns True if token is present in URL\n */\nexport function isTokenInUrl(): boolean {\n  return getTokenFromUrl() !== null;\n}\n\n/**\n * Remove token from URL without page reload\n * Cleans up the URL after token has been saved to localStorage\n */\nexport function cleanTokenFromUrl(): void {\n  if (!isBrowser()) return;\n\n  try {\n    const url = new URL(window.location.href);\n    if (url.searchParams.has(TOKEN_URL_PARAM)) {\n      url.searchParams.delete(TOKEN_URL_PARAM);\n      window.history.replaceState({}, '', url.toString());\n    }\n  } catch (error) {\n    console.warn('Failed to clean token from URL:', error);\n  }\n}\n\n/**\n * Get OAuth token from URL hash fragment\n * Checks for _auth_token (primary) from OAuth callback\n * Hash fragments are more secure than query params (not sent to server)\n * @returns Token string or null if not found\n */\nfunction getTokenFromHash(): string | null {\n  if (!isBrowser()) return null;\n\n  const hash = window.location.hash;\n  if (!hash) return null;\n\n  try {\n    // Remove # prefix and parse as URLSearchParams\n    const params = new URLSearchParams(hash.substring(1));\n    // Check for _auth_token (used by OAuth callback)\n    return params.get('_auth_token');\n  } catch (error) {\n    console.warn('Failed to get token from hash:', error);\n    return null;\n  }\n}\n\n/**\n * Remove OAuth token from URL hash without page reload\n * Cleans up the hash after token has been saved to localStorage\n */\nexport function cleanTokenFromHash(): void {\n  if (!isBrowser()) return;\n\n  try {\n    // Remove hash entirely, keeping only path and query string\n    window.history.replaceState(\n      null,\n      '',\n      window.location.pathname + window.location.search\n    );\n  } catch (error) {\n    console.warn('Failed to clean token from hash:', error);\n  }\n}\n\n/**\n * Save access token to localStorage\n * @param token - The access token to save\n */\nexport function saveAccessToken(token: string): void {\n  if (!isBrowser()) {\n    console.warn('Cannot save token: not in browser environment');\n    return;\n  }\n\n  try {\n    localStorage.setItem(ACCESS_TOKEN_KEY, token);\n  } catch (error) {\n    console.error('Failed to save token to localStorage:', error);\n  }\n}\n\n/**\n * Remove access token from localStorage\n * Call this on logout to clear the saved token\n */\nexport function removeAccessToken(): void {\n  if (!isBrowser()) return;\n\n  try {\n    localStorage.removeItem(ACCESS_TOKEN_KEY);\n  } catch (error) {\n    console.warn('Failed to remove token from localStorage:', error);\n  }\n}\n\n/**\n * Get access token from URL or localStorage (cookie-less auth for CSRF protection)\n *\n * Priority:\n * 1. Check URL hash fragment (e.g., #_auth_token=xxx from OAuth redirect - most secure)\n * 2. Check URL query parameters (e.g., ?token=xxx - legacy support)\n * 3. Check localStorage (previously saved token)\n *\n * If token is found in URL (hash or query), it will be automatically saved to localStorage\n * and removed from the URL to prevent token exposure in browser history.\n *\n * @returns The access token or null if not found\n *\n * @example\n * ```typescript\n * import { createClient, getAccessToken } from '@omnikit/sdk';\n *\n * const omnikit = createClient({\n *   appId: 'your-app-id',\n *   token: getAccessToken() // Auto-retrieves from URL or localStorage\n * });\n * ```\n */\nexport function getAccessToken(): string | null {\n  // Priority 1: Check URL hash (OAuth callback: #_auth_token=xxx)\n  // Hash fragments are more secure - not sent to server in HTTP requests\n  const hashToken = getTokenFromHash();\n  if (hashToken) {\n    // Save to localStorage for future use\n    saveAccessToken(hashToken);\n\n    // Clean hash to prevent token exposure in browser history\n    cleanTokenFromHash();\n\n    console.log('✅ OAuth token captured from URL hash');\n\n    // Dispatch auth-change event so AuthGate can re-check auth state\n    // This triggers a re-render after OAuth callback\n    if (isBrowser()) {\n      window.dispatchEvent(new CustomEvent('omnikit:auth-change'));\n    }\n\n    return hashToken;\n  }\n\n  // Priority 2: Check URL query params (legacy: ?token=xxx)\n  const urlToken = getTokenFromUrl();\n  if (urlToken) {\n    // Save to localStorage for future use\n    saveAccessToken(urlToken);\n\n    // Clean URL to prevent token exposure in browser history\n    cleanTokenFromUrl();\n\n    // Dispatch auth-change event so AuthGate can re-check auth state\n    if (isBrowser()) {\n      window.dispatchEvent(new CustomEvent('omnikit:auth-change'));\n    }\n\n    return urlToken;\n  }\n\n  // Priority 3: Fall back to localStorage\n  // No cookies used (cookie-less auth for CSRF protection)\n  return getTokenFromStorage();\n}\n\n/**\n * Set access token (saves to localStorage)\n * Alias for saveAccessToken for consistency with getAccessToken\n * @param token - The access token to set\n */\nexport function setAccessToken(token: string): void {\n  saveAccessToken(token);\n}\n"]}