@oxyhq/auth 2.0.5 → 2.0.7

package/dist/types/hooks/mutations/index.d.ts

@@ -6,3 +6,4 @@
  */
 export { useUpdateProfile, useUploadAvatar, useUpdateAccountSettings, useUpdatePrivacySettings, useUploadFile, } from './useAccountMutations';
 export { useSwitchSession, useLogoutSession, useLogoutAll, useUpdateDeviceName, useRemoveDevice, } from './useServicesMutations';
+export { useSetAppData, useDeleteAppData } from './useAppData';

package/dist/types/hooks/mutations/useAppData.d.ts

@@ -0,0 +1,47 @@
+/**
+ * App-Data Mutation Hooks
+ *
+ * Write side of the per-user JSON KV store. Both `useSetAppData` and
+ * `useDeleteAppData` apply optimistic updates against the two query keys
+ * that observe this data (`appDataQueryKeys.value` and the surrounding
+ * `appDataQueryKeys.namespace`) and roll back on error.
+ *
+ * When the underlying request fails because the endpoint isn't reachable
+ * (404 / network), the mutation still surfaces the error — write attempts
+ * are user-initiated and the caller may want to retry or fall back to
+ * local persistence. Reads are silent about missing endpoints; writes are
+ * not.
+ */
+interface SetAppDataVariables<T> {
+    namespace: string;
+    key: string;
+    value: T;
+}
+interface SetAppDataContext<T> {
+    previousValue: T | null | undefined;
+    previousNamespace: Record<string, T> | undefined;
+}
+/**
+ * Upsert a per-user JSON value. Returns the value the server confirmed it
+ * stored — typically identical to the input but consumers should prefer the
+ * returned value (the server is the source of truth).
+ *
+ * Applies optimistic updates against both the single-value query key and
+ * the surrounding namespace query key, then rolls back on error.
+ */
+export declare const useSetAppData: <T = unknown>() => import("@tanstack/react-query").UseMutationResult<T, Error, SetAppDataVariables<T>, SetAppDataContext<T>>;
+interface DeleteAppDataVariables {
+    namespace: string;
+    key: string;
+}
+interface DeleteAppDataContext<T> {
+    previousValue: T | null | undefined;
+    previousNamespace: Record<string, T> | undefined;
+}
+/**
+ * Delete a per-user JSON value. Optimistically removes the entry from the
+ * single-value cache and from the surrounding namespace map, then rolls back
+ * on error.
+ */
+export declare const useDeleteAppData: <T = unknown>() => import("@tanstack/react-query").UseMutationResult<void, Error, DeleteAppDataVariables, DeleteAppDataContext<T>>;
+export {};

package/dist/types/hooks/queries/appDataQueryKeys.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Query keys + error utilities for `useAppData` hooks.
+ *
+ * Lives next to the hook file so consumers can import the keys directly
+ * when they need to imperatively invalidate a value (e.g. after a non-React
+ * write through `oxyServices.setAppData`).
+ */
+export declare const appDataQueryKeys: {
+    readonly all: readonly ["appData"];
+    readonly namespaces: () => readonly ["appData", "namespace"];
+    readonly namespace: (namespace: string) => readonly ["appData", "namespace", string];
+    readonly values: () => readonly ["appData", "value"];
+    readonly value: (namespace: string, key: string) => readonly ["appData", "value", string, string];
+};
+/**
+ * True when `error` indicates the app-data endpoint isn't reachable — either
+ * because the API deployment doesn't have it yet (404) or there's a network
+ * failure with no response. We treat these as "no value stored" so consumers
+ * fall back to local persistence without surfacing a user-facing error.
+ *
+ * Anything else (401, 403, 500) propagates normally — those are real bugs
+ * the auth or retry pipeline needs to see.
+ */
+export declare function isMissingAppDataEndpointError(error: unknown): boolean;

package/dist/types/hooks/queries/index.d.ts

@@ -8,3 +8,5 @@ export { useUserProfile, useUserProfiles, useCurrentUser, useUserById, useUserBy
 export { useSessions, useSession, useDeviceSessions, useUserDevices, useSecurityInfo, } from './useServicesQueries';
 export { useSecurityActivity, useRecentSecurityActivity, } from './useSecurityQueries';
 export { queryKeys, invalidateAccountQueries, invalidateUserQueries, invalidateSessionQueries } from './queryKeys';
+export { useAppData, useAppDataNamespace } from './useAppData';
+export { appDataQueryKeys, isMissingAppDataEndpointError } from './appDataQueryKeys';

package/dist/types/hooks/queries/useAppData.d.ts

@@ -0,0 +1,46 @@
+/**
+ * App-Data Query Hooks
+ *
+ * Read side of the `/users/me/app-data/...` per-user JSON KV store. Gated on
+ * `isAuthenticated` — when signed out the query stays `enabled: false` and
+ * `data` is `null`, so consumers can fall back to localStorage without ever
+ * issuing a doomed request.
+ *
+ * Errors from the network (404 because the endpoint isn't deployed yet,
+ * 401 because the session lapsed, etc.) are not user-facing here. Hooks
+ * return `data: null` on error so the calling component renders the
+ * "nothing yet" state and the consuming app can quietly fall back to local
+ * persistence. Mutations still propagate errors so write attempts surface
+ * a toast — only reads are silent.
+ */
+import { type UseQueryResult } from '@tanstack/react-query';
+interface AppDataQueryOptions {
+    /** Disable the query without unmounting the component. */
+    enabled?: boolean;
+    /** Override the default 1-minute stale time. */
+    staleTime?: number;
+    /** Override the default 30-minute gc time. */
+    gcTime?: number;
+}
+/**
+ * Read a single per-user JSON value.
+ *
+ * @param namespace - kebab/snake-case identifier (e.g. `"academy"`).
+ * @param key       - kebab/snake-case identifier (e.g. course slug).
+ * @param options   - optional `enabled`/`staleTime`/`gcTime` overrides.
+ *
+ * @returns A `useQuery` result with `data` of type `T | null`. The query
+ *   stays disabled when the user is signed out; when enabled but the server
+ *   has no stored value, `data` is `null`. Reads that fail because the
+ *   endpoint isn't reachable also resolve to `null` so the consumer can
+ *   fall back to local persistence.
+ */
+export declare const useAppData: <T = unknown>(namespace: string, key: string, options?: AppDataQueryOptions) => UseQueryResult<T | null, Error>;
+/**
+ * Read every value in a namespace.
+ *
+ * @returns A `useQuery` result with `data` as a `Record<string, T>`. Empty
+ *   object when the namespace contains nothing (or when fetching failed).
+ */
+export declare const useAppDataNamespace: <T = unknown>(namespace: string, options?: AppDataQueryOptions) => UseQueryResult<Record<string, T>, Error>;
+export {};

package/dist/types/index.d.ts

@@ -29,8 +29,8 @@ export { useAssetStore, useAssets as useAssetsStore, useAsset, useUploadProgress
 export { useAccountStore, useAccounts, useAccountLoading, useAccountError, useAccountLoadingSession, } from './stores/accountStore';
 export type { QuickAccount } from './stores/accountStore';
 export { useFollowStore, } from './stores/followStore';
-export { useUserProfile, useUserProfiles, useCurrentUser, useUserById, useUserByUsername, useUsersBySessions, usePrivacySettings, useSessions, useSession, useDeviceSessions, useUserDevices, useSecurityInfo, useSecurityActivity, useRecentSecurityActivity, } from './hooks/queries';
-export { useUpdateProfile, useUploadAvatar, useUpdateAccountSettings, useUpdatePrivacySettings, useUploadFile, useSwitchSession, useLogoutSession, useLogoutAll, useUpdateDeviceName, useRemoveDevice, } from './hooks/mutations';
+export { useUserProfile, useUserProfiles, useCurrentUser, useUserById, useUserByUsername, useUsersBySessions, usePrivacySettings, useSessions, useSession, useDeviceSessions, useUserDevices, useSecurityInfo, useSecurityActivity, useRecentSecurityActivity, useAppData, useAppDataNamespace, appDataQueryKeys, isMissingAppDataEndpointError, } from './hooks/queries';
+export { useUpdateProfile, useUploadAvatar, useUpdateAccountSettings, useUpdatePrivacySettings, useUploadFile, useSwitchSession, useLogoutSession, useLogoutAll, useUpdateDeviceName, useRemoveDevice, useSetAppData, useDeleteAppData, } from './hooks/mutations';
 export { createProfileMutation, createGenericMutation, } from './hooks/mutations/mutationFactory';
 export type { ProfileMutationConfig, GenericMutationConfig, } from './hooks/mutations/mutationFactory';
 export { useWebSSO, isWebBrowser } from './hooks/useWebSSO';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/auth",
-  "version": "2.0.5",
+  "version": "2.0.7",
   "description": "OxyHQ Web Authentication SDK — headless auth with React hooks for Next.js, Vite, and web apps",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",

package/src/WebOxyProvider.tsx

@@ -58,6 +58,23 @@ export interface WebOxyContextValue extends WebAuthState, WebAuthActions {
 
 const WebOxyContext = createContext<WebOxyContextValue | null>(null);
 
+/**
+ * Module-level run-once guard for FedCM silent sign-in.
+ *
+ * The init effect runs again whenever the provider remounts (route change,
+ * StrictMode double-invoke, error-boundary recovery). The redirect-callback
+ * and local-session-restore steps are cheap and idempotent, but the FedCM
+ * `silentSignIn()` step triggers `navigator.credentials.get`, which must fire
+ * AT MOST ONCE per page load — otherwise a remount storm becomes a credential
+ * request storm. Keyed by origin so the guard survives instance churn; never
+ * cleared because only a fresh page load can change the IdP session state.
+ */
+const fedcmSilentSignInAttempted = new Set<string>();
+
+function silentSignInKey(): string {
+  return typeof window !== 'undefined' ? window.location.origin : 'no-origin';
+}
+
 export interface WebOxyProviderProps {
   children: ReactNode;
   baseURL: string;
@@ -191,14 +208,21 @@ export function WebOxyProvider({
           }
         }
 
-        try {
-          const session = await crossDomainAuth.silentSignIn();
-          if (mounted && session?.user) {
-            await handleAuthSuccess(session, 'fedcm');
-            return;
+        // FedCM silent sign-in: run AT MOST ONCE per page load. A remount
+        // (route change / StrictMode / error recovery) must not re-trigger
+        // the browser credential request.
+        const ssoKey = silentSignInKey();
+        if (!fedcmSilentSignInAttempted.has(ssoKey)) {
+          fedcmSilentSignInAttempted.add(ssoKey);
+          try {
+            const session = await crossDomainAuth.silentSignIn();
+            if (mounted && session?.user) {
+              await handleAuthSuccess(session, 'fedcm');
+              return;
+            }
+          } catch {
+            // Silent sign-in failed — resolve to unauthenticated below.
           }
-        } catch {
-          // Silent sign-in failed
         }
 
         if (mounted) setIsLoading(false);

package/src/hooks/mutations/index.ts

@@ -23,3 +23,6 @@ export {
   useRemoveDevice,
 } from './useServicesMutations';
 
+// App-data KV store mutation hooks
+export { useSetAppData, useDeleteAppData } from './useAppData';
+

package/src/hooks/mutations/useAppData.ts

@@ -0,0 +1,167 @@
+/**
+ * App-Data Mutation Hooks
+ *
+ * Write side of the per-user JSON KV store. Both `useSetAppData` and
+ * `useDeleteAppData` apply optimistic updates against the two query keys
+ * that observe this data (`appDataQueryKeys.value` and the surrounding
+ * `appDataQueryKeys.namespace`) and roll back on error.
+ *
+ * When the underlying request fails because the endpoint isn't reachable
+ * (404 / network), the mutation still surfaces the error — write attempts
+ * are user-initiated and the caller may want to retry or fall back to
+ * local persistence. Reads are silent about missing endpoints; writes are
+ * not.
+ */
+
+import { useMutation, useQueryClient } from '@tanstack/react-query';
+import { authenticatedApiCall } from '@oxyhq/core';
+import { useWebOxy } from '../../WebOxyProvider';
+import { appDataQueryKeys } from '../queries/appDataQueryKeys';
+
+interface SetAppDataVariables<T> {
+  namespace: string;
+  key: string;
+  value: T;
+}
+
+interface SetAppDataContext<T> {
+  previousValue: T | null | undefined;
+  previousNamespace: Record<string, T> | undefined;
+}
+
+/**
+ * Upsert a per-user JSON value. Returns the value the server confirmed it
+ * stored — typically identical to the input but consumers should prefer the
+ * returned value (the server is the source of truth).
+ *
+ * Applies optimistic updates against both the single-value query key and
+ * the surrounding namespace query key, then rolls back on error.
+ */
+export const useSetAppData = <T = unknown>() => {
+  const { oxyServices, activeSessionId } = useWebOxy();
+  const queryClient = useQueryClient();
+
+  return useMutation<T, Error, SetAppDataVariables<T>, SetAppDataContext<T>>({
+    mutationKey: ['appData', 'set'],
+    mutationFn: async ({ namespace, key, value }) => {
+      return authenticatedApiCall(oxyServices, activeSessionId, () =>
+        oxyServices.setAppData<T>(namespace, key, value),
+      );
+    },
+    onMutate: async ({ namespace, key, value }) => {
+      const valueKey = appDataQueryKeys.value(namespace, key);
+      const namespaceKey = appDataQueryKeys.namespace(namespace);
+
+      await Promise.all([
+        queryClient.cancelQueries({ queryKey: valueKey }),
+        queryClient.cancelQueries({ queryKey: namespaceKey }),
+      ]);
+
+      const previousValue = queryClient.getQueryData<T | null>(valueKey);
+      const previousNamespace = queryClient.getQueryData<Record<string, T>>(namespaceKey);
+
+      queryClient.setQueryData<T | null>(valueKey, value);
+      if (previousNamespace) {
+        queryClient.setQueryData<Record<string, T>>(namespaceKey, {
+          ...previousNamespace,
+          [key]: value,
+        });
+      }
+
+      return { previousValue, previousNamespace };
+    },
+    onError: (_error, { namespace, key }, context) => {
+      if (!context) return;
+      const valueKey = appDataQueryKeys.value(namespace, key);
+      const namespaceKey = appDataQueryKeys.namespace(namespace);
+
+      // Restore exactly the snapshots we captured in onMutate. Don't merge
+      // with whatever's currently in the cache — that could splice in writes
+      // from concurrent mutations and undo their state.
+      queryClient.setQueryData(valueKey, context.previousValue ?? null);
+      if (context.previousNamespace !== undefined) {
+        queryClient.setQueryData(namespaceKey, context.previousNamespace);
+      }
+    },
+    onSuccess: (data, { namespace, key }) => {
+      const valueKey = appDataQueryKeys.value(namespace, key);
+      const namespaceKey = appDataQueryKeys.namespace(namespace);
+
+      queryClient.setQueryData(valueKey, data);
+      const existingNamespace = queryClient.getQueryData<Record<string, T>>(namespaceKey);
+      if (existingNamespace) {
+        queryClient.setQueryData<Record<string, T>>(namespaceKey, {
+          ...existingNamespace,
+          [key]: data,
+        });
+      }
+    },
+  });
+};
+
+interface DeleteAppDataVariables {
+  namespace: string;
+  key: string;
+}
+
+interface DeleteAppDataContext<T> {
+  previousValue: T | null | undefined;
+  previousNamespace: Record<string, T> | undefined;
+}
+
+/**
+ * Delete a per-user JSON value. Optimistically removes the entry from the
+ * single-value cache and from the surrounding namespace map, then rolls back
+ * on error.
+ */
+export const useDeleteAppData = <T = unknown>() => {
+  const { oxyServices, activeSessionId } = useWebOxy();
+  const queryClient = useQueryClient();
+
+  return useMutation<void, Error, DeleteAppDataVariables, DeleteAppDataContext<T>>({
+    mutationKey: ['appData', 'delete'],
+    mutationFn: async ({ namespace, key }) => {
+      await authenticatedApiCall(oxyServices, activeSessionId, () =>
+        oxyServices.deleteAppData(namespace, key),
+      );
+    },
+    onMutate: async ({ namespace, key }) => {
+      const valueKey = appDataQueryKeys.value(namespace, key);
+      const namespaceKey = appDataQueryKeys.namespace(namespace);
+
+      await Promise.all([
+        queryClient.cancelQueries({ queryKey: valueKey }),
+        queryClient.cancelQueries({ queryKey: namespaceKey }),
+      ]);
+
+      const previousValue = queryClient.getQueryData<T | null>(valueKey);
+      const previousNamespace = queryClient.getQueryData<Record<string, T>>(namespaceKey);
+
+      queryClient.setQueryData<T | null>(valueKey, null);
+      if (previousNamespace && key in previousNamespace) {
+        const next: Record<string, T> = { ...previousNamespace };
+        delete next[key];
+        queryClient.setQueryData(namespaceKey, next);
+      }
+
+      return { previousValue, previousNamespace };
+    },
+    onError: (_error, { namespace, key }, context) => {
+      if (!context) return;
+      const valueKey = appDataQueryKeys.value(namespace, key);
+      const namespaceKey = appDataQueryKeys.namespace(namespace);
+
+      queryClient.setQueryData(valueKey, context.previousValue ?? null);
+      if (context.previousNamespace !== undefined) {
+        queryClient.setQueryData(namespaceKey, context.previousNamespace);
+      }
+    },
+    onSuccess: (_data, { namespace, key }) => {
+      queryClient.setQueryData(appDataQueryKeys.value(namespace, key), null);
+      // Confirm the value is gone from the namespace cache too. If the
+      // optimistic update wasn't applied (e.g. cache was empty), this is a
+      // no-op; if it was, we already removed it in onMutate, so this is also
+      // a no-op. The work happens in onMutate — onSuccess is the commit point.
+    },
+  });
+};

package/src/hooks/queries/appDataQueryKeys.ts

@@ -0,0 +1,53 @@
+/**
+ * Query keys + error utilities for `useAppData` hooks.
+ *
+ * Lives next to the hook file so consumers can import the keys directly
+ * when they need to imperatively invalidate a value (e.g. after a non-React
+ * write through `oxyServices.setAppData`).
+ */
+
+export const appDataQueryKeys = {
+  all: ['appData'] as const,
+  namespaces: () => [...appDataQueryKeys.all, 'namespace'] as const,
+  namespace: (namespace: string) =>
+    [...appDataQueryKeys.namespaces(), namespace] as const,
+  values: () => [...appDataQueryKeys.all, 'value'] as const,
+  value: (namespace: string, key: string) =>
+    [...appDataQueryKeys.values(), namespace, key] as const,
+} as const;
+
+/**
+ * True when `error` indicates the app-data endpoint isn't reachable — either
+ * because the API deployment doesn't have it yet (404) or there's a network
+ * failure with no response. We treat these as "no value stored" so consumers
+ * fall back to local persistence without surfacing a user-facing error.
+ *
+ * Anything else (401, 403, 500) propagates normally — those are real bugs
+ * the auth or retry pipeline needs to see.
+ */
+export function isMissingAppDataEndpointError(error: unknown): boolean {
+  if (!error || typeof error !== 'object') {
+    return false;
+  }
+  const candidate = error as {
+    status?: number;
+    statusCode?: number;
+    response?: { status?: number };
+    code?: string;
+    message?: string;
+  };
+  const status =
+    candidate.status ?? candidate.statusCode ?? candidate.response?.status;
+
+  // 404: endpoint not deployed on this API instance yet.
+  if (status === 404) return true;
+
+  // Network errors: no response received at all. Common during local dev
+  // when the API server is down, or when offline.
+  if (candidate.code === 'NETWORK_ERROR') return true;
+  const message = typeof candidate.message === 'string' ? candidate.message : '';
+  if (message.includes('Network Error') || message.includes('Failed to fetch')) {
+    return true;
+  }
+  return false;
+}

package/src/hooks/queries/index.ts

@@ -34,3 +34,7 @@ export {
 // Query keys and invalidation helpers (for advanced usage)
 export { queryKeys, invalidateAccountQueries, invalidateUserQueries, invalidateSessionQueries } from './queryKeys';
 
+// App-data KV store query hooks
+export { useAppData, useAppDataNamespace } from './useAppData';
+export { appDataQueryKeys, isMissingAppDataEndpointError } from './appDataQueryKeys';
+

package/src/hooks/queries/useAppData.ts

@@ -0,0 +1,105 @@
+/**
+ * App-Data Query Hooks
+ *
+ * Read side of the `/users/me/app-data/...` per-user JSON KV store. Gated on
+ * `isAuthenticated` — when signed out the query stays `enabled: false` and
+ * `data` is `null`, so consumers can fall back to localStorage without ever
+ * issuing a doomed request.
+ *
+ * Errors from the network (404 because the endpoint isn't deployed yet,
+ * 401 because the session lapsed, etc.) are not user-facing here. Hooks
+ * return `data: null` on error so the calling component renders the
+ * "nothing yet" state and the consuming app can quietly fall back to local
+ * persistence. Mutations still propagate errors so write attempts surface
+ * a toast — only reads are silent.
+ */
+
+import { useQuery, type UseQueryResult } from '@tanstack/react-query';
+import { authenticatedApiCall } from '@oxyhq/core';
+import { useWebOxy } from '../../WebOxyProvider';
+import { appDataQueryKeys, isMissingAppDataEndpointError } from './appDataQueryKeys';
+
+interface AppDataQueryOptions {
+  /** Disable the query without unmounting the component. */
+  enabled?: boolean;
+  /** Override the default 1-minute stale time. */
+  staleTime?: number;
+  /** Override the default 30-minute gc time. */
+  gcTime?: number;
+}
+
+/**
+ * Read a single per-user JSON value.
+ *
+ * @param namespace - kebab/snake-case identifier (e.g. `"academy"`).
+ * @param key       - kebab/snake-case identifier (e.g. course slug).
+ * @param options   - optional `enabled`/`staleTime`/`gcTime` overrides.
+ *
+ * @returns A `useQuery` result with `data` of type `T | null`. The query
+ *   stays disabled when the user is signed out; when enabled but the server
+ *   has no stored value, `data` is `null`. Reads that fail because the
+ *   endpoint isn't reachable also resolve to `null` so the consumer can
+ *   fall back to local persistence.
+ */
+export const useAppData = <T = unknown>(
+  namespace: string,
+  key: string,
+  options?: AppDataQueryOptions,
+): UseQueryResult<T | null, Error> => {
+  const { oxyServices, activeSessionId, isAuthenticated } = useWebOxy();
+
+  return useQuery<T | null, Error>({
+    queryKey: appDataQueryKeys.value(namespace, key),
+    queryFn: async () => {
+      try {
+        return await authenticatedApiCall(oxyServices, activeSessionId, () =>
+          oxyServices.getAppData<T>(namespace, key),
+        );
+      } catch (error) {
+        // Endpoint not deployed yet, no network, etc. — return null so the
+        // consumer falls back to localStorage rather than rendering a broken
+        // UI state. Authentication errors still bubble up so the auth retry
+        // pipeline can surface them at the provider level.
+        if (isMissingAppDataEndpointError(error)) {
+          return null;
+        }
+        throw error;
+      }
+    },
+    enabled: (options?.enabled !== false) && isAuthenticated,
+    staleTime: options?.staleTime ?? 60 * 1000,
+    gcTime: options?.gcTime ?? 30 * 60 * 1000,
+  });
+};
+
+/**
+ * Read every value in a namespace.
+ *
+ * @returns A `useQuery` result with `data` as a `Record<string, T>`. Empty
+ *   object when the namespace contains nothing (or when fetching failed).
+ */
+export const useAppDataNamespace = <T = unknown>(
+  namespace: string,
+  options?: AppDataQueryOptions,
+): UseQueryResult<Record<string, T>, Error> => {
+  const { oxyServices, activeSessionId, isAuthenticated } = useWebOxy();
+
+  return useQuery<Record<string, T>, Error>({
+    queryKey: appDataQueryKeys.namespace(namespace),
+    queryFn: async () => {
+      try {
+        return await authenticatedApiCall(oxyServices, activeSessionId, () =>
+          oxyServices.listAppData<T>(namespace),
+        );
+      } catch (error) {
+        if (isMissingAppDataEndpointError(error)) {
+          return {};
+        }
+        throw error;
+      }
+    },
+    enabled: (options?.enabled !== false) && isAuthenticated,
+    staleTime: options?.staleTime ?? 60 * 1000,
+    gcTime: options?.gcTime ?? 30 * 60 * 1000,
+  });
+};

package/src/hooks/useWebSSO.ts

@@ -38,6 +38,36 @@ interface UseWebSSOResult {
   isFedCMSupported: boolean;
 }
 
+/**
+ * Module-level guard tracking which (origin + API) signatures have already
+ * had a silent SSO attempt this page load.
+ *
+ * A per-component `useRef` guard resets whenever the provider remounts (route
+ * churn, StrictMode double-invoke, error-boundary recovery), which previously
+ * allowed silent SSO to re-fire and — combined with a routing redirect loop —
+ * produced an accelerating `navigator.credentials.get` retry storm. Keying the
+ * guard on a stable signature instead of the component instance makes silent
+ * SSO fire EXACTLY ONCE per page load regardless of how many times the
+ * provider mounts. The set is intentionally never cleared: a fresh page load
+ * (the only thing that can change the answer) starts a fresh module scope.
+ */
+const silentSSOAttempted = new Set<string>();
+
+/**
+ * Build a stable signature for the silent-SSO run-once guard. Two providers
+ * pointed at the same API from the same origin share one attempt.
+ */
+function ssoSignature(oxyServices: OxyServices): string {
+  const origin = typeof window !== 'undefined' ? window.location.origin : 'no-origin';
+  let baseURL = '';
+  try {
+    baseURL = oxyServices.getBaseURL();
+  } catch {
+    baseURL = '';
+  }
+  return `${origin}|${baseURL}`;
+}
+
 /**
  * Check if we're running in a web browser environment (not React Native)
  */
@@ -158,7 +188,14 @@ export function useWebSSO({
     }
   }, [oxyServices, onSessionFound, onError, fedCMSupported]);
 
-  // Auto-check SSO on mount (web only, FedCM only, not on auth domain)
+  // Auto-check SSO on mount (web only, FedCM only, not on auth domain).
+  //
+  // Run-once is enforced by TWO guards:
+  //   1. `hasCheckedRef` — cheap per-instance fast-path so effect re-runs
+  //      (from changing deps) within one mount never re-fire.
+  //   2. `silentSSOAttempted` — module-level, survives remounts/StrictMode so
+  //      silent SSO fires exactly once per page load even if the provider
+  //      unmounts and remounts.
   useEffect(() => {
     if (!enabled || !isWebBrowser() || hasCheckedRef.current || isIdentityProvider()) {
       if (isIdentityProvider()) {
@@ -167,14 +204,23 @@ export function useWebSSO({
       return;
     }
 
+    const signature = ssoSignature(oxyServices);
+    if (silentSSOAttempted.has(signature)) {
+      // Already attempted this page load (e.g. before a remount) — do not
+      // re-fire. Mark the local fast-path too so subsequent re-renders skip.
+      hasCheckedRef.current = true;
+      return;
+    }
+
     hasCheckedRef.current = true;
+    silentSSOAttempted.add(signature);
 
     if (fedCMSupported) {
       checkSSO();
     } else {
       onSSOUnavailable?.();
     }
-  }, [enabled, checkSSO, fedCMSupported, onSSOUnavailable]);
+  }, [enabled, checkSSO, fedCMSupported, onSSOUnavailable, oxyServices]);
 
   return {
     checkSSO,

package/src/index.ts

@@ -74,6 +74,10 @@ export {
   useSecurityInfo,
   useSecurityActivity,
   useRecentSecurityActivity,
+  useAppData,
+  useAppDataNamespace,
+  appDataQueryKeys,
+  isMissingAppDataEndpointError,
 } from './hooks/queries';
 
 // --- Mutation Hooks ---
@@ -88,6 +92,8 @@ export {
   useLogoutAll,
   useUpdateDeviceName,
   useRemoveDevice,
+  useSetAppData,
+  useDeleteAppData,
 } from './hooks/mutations';
 
 export {