@oxyhq/core 1.0.1 → 1.1.0

package/dist/types/mixins/OxyServices.privacy.d.ts

@@ -100,6 +100,8 @@ export declare function OxyServicesPrivacyMixin<T extends typeof OxyServicesBase
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        _cachedUserId: string | null | undefined;
+        _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;

package/dist/types/mixins/OxyServices.redirect.d.ts

@@ -216,6 +216,8 @@ export declare function OxyServicesRedirectAuthMixin<T extends typeof OxyService
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        _cachedUserId: string | null | undefined;
+        _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;

package/dist/types/mixins/OxyServices.security.d.ts

@@ -56,6 +56,8 @@ export declare function OxyServicesSecurityMixin<T extends typeof OxyServicesBas
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        _cachedUserId: string | null | undefined;
+        _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;

package/dist/types/mixins/OxyServices.user.d.ts

@@ -160,6 +160,8 @@ export declare function OxyServicesUserMixin<T extends typeof OxyServicesBase>(B
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        _cachedUserId: string | null | undefined;
+        _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;

package/dist/types/mixins/OxyServices.utility.d.ts

@@ -71,6 +71,8 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        _cachedUserId: string | null | undefined;
+        _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;
         hasValidToken(): boolean;
         getAccessToken(): string | null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/core",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "description": "OxyHQ SDK Foundation — API client, authentication, cryptographic identity, and shared utilities",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",
@@ -65,7 +65,6 @@
     "lint": "biome lint --error-on-warnings ./src"
   },
   "dependencies": {
-    "axios": "^1.9.0",
     "bip39": "^3.1.0",
     "buffer": "^6.0.3",
     "elliptic": "^6.6.1",
@@ -81,4 +80,4 @@
     "@types/node": "^20.19.9",
     "typescript": "^5.9.2"
   }
-}
+}

package/src/AuthManager.ts

@@ -10,13 +10,13 @@
 import type { OxyServices } from './OxyServices';
 import type { HttpService } from './HttpService';
 import type { SessionLoginResponse, MinimalUserData } from './models/session';
+import { retryAsync } from './utils/asyncUtils';
 
 /**
- * OxyServices with optional FedCM methods (provided by FedCM mixin).
+ * OxyServices already declares revokeFedCMCredential via mixin type augmentation.
+ * This alias is kept for readability in the signOut method.
  */
-interface OxyServicesWithFedCM extends OxyServices {
-  revokeFedCMCredential?: () => Promise<void>;
-}
+type OxyServicesWithFedCM = OxyServices;
 
 /**
  * Storage adapter interface for platform-agnostic storage.
@@ -270,19 +270,29 @@ export class AuthManager {
     }
 
     try {
-      // Cast httpService to proper type (needed due to mixin composition)
-      const httpService = this.oxyServices.httpService as HttpService;
-      const response = await httpService.request<SessionLoginResponse>({
-        method: 'POST',
-        url: '/api/auth/refresh',
-        data: { refreshToken },
-        cache: false,
-      });
-
-      await this.handleAuthSuccess(response, 'credentials');
+      await retryAsync(
+        async () => {
+          const httpService = this.oxyServices.httpService as HttpService;
+          const response = await httpService.request<SessionLoginResponse>({
+            method: 'POST',
+            url: '/api/auth/refresh',
+            data: { refreshToken },
+            cache: false,
+          });
+          await this.handleAuthSuccess(response, 'credentials');
+        },
+        2,    // 2 retries = 3 total attempts
+        1000, // 1s base delay with exponential backoff + jitter
+        (error: any) => {
+          // Don't retry on 4xx client errors (invalid/revoked token)
+          const status = error?.status ?? error?.response?.status;
+          if (status && status >= 400 && status < 500) return false;
+          return true;
+        }
+      );
       return true;
     } catch {
-      // Refresh failed, clear session and update state
+      // All retry attempts exhausted, clear session
       await this.clearSession();
       this.currentUser = null;
       this.notifyListeners();

package/src/CrossDomainAuth.ts

@@ -10,7 +10,7 @@
  *
  * Usage:
  * ```typescript
- * import { CrossDomainAuth } from '@oxyhq/services';
+ * import { CrossDomainAuth } from '@oxyhq/core';
  *
  * const auth = new CrossDomainAuth(oxyServices);
  *
@@ -287,7 +287,7 @@ export class CrossDomainAuth {
  *
  * @example
  * ```typescript
- * import { createCrossDomainAuth } from '@oxyhq/services';
+ * import { createCrossDomainAuth } from '@oxyhq/core';
  *
  * const oxyServices = new OxyServices({ baseURL: 'https://api.oxy.so' });
  * const auth = createCrossDomainAuth(oxyServices);

package/src/HttpService.ts

@@ -17,6 +17,7 @@ import { TTLCache, registerCacheForCleanup } from './utils/cache';
 import { RequestDeduplicator, RequestQueue, SimpleLogger } from './utils/requestUtils';
 import { retryAsync } from './utils/asyncUtils';
 import { handleHttpError } from './utils/errorUtils';
+import { isDev } from './shared/utils/debugUtils';
 import { jwtDecode } from 'jwt-decode';
 import { isNative, getPlatformOS } from './utils/platform';
 import type { OxyConfig } from './models/interfaces';
@@ -279,7 +280,7 @@ export class HttpService {
         }
 
         // Debug logging for CSRF issues
-        if (isStateChangingMethod && __DEV__) {
+        if (isStateChangingMethod && isDev()) {
           console.log('[HttpService] CSRF Debug:', {
             url,
             method,
@@ -484,20 +485,20 @@ export class HttpService {
     // Return cached token if available
     const cachedToken = this.tokenStore.getCsrfToken();
     if (cachedToken) {
-      if (__DEV__) console.log('[HttpService] Using cached CSRF token');
+      if (isDev()) console.log('[HttpService] Using cached CSRF token');
       return cachedToken;
     }
 
     // Deduplicate concurrent CSRF token fetches
     const existingPromise = this.tokenStore.getCsrfTokenFetchPromise();
     if (existingPromise) {
-      if (__DEV__) console.log('[HttpService] Waiting for existing CSRF fetch');
+      if (isDev()) console.log('[HttpService] Waiting for existing CSRF fetch');
       return existingPromise;
     }
 
     const fetchPromise = (async () => {
       try {
-        if (__DEV__) console.log('[HttpService] Fetching CSRF token from:', `${this.baseURL}/api/csrf-token`);
+        if (isDev()) console.log('[HttpService] Fetching CSRF token from:', `${this.baseURL}/api/csrf-token`);
 
         // Use AbortController for timeout (more compatible than AbortSignal.timeout)
         const controller = new AbortController();
@@ -512,11 +513,11 @@ export class HttpService {
 
         clearTimeout(timeoutId);
 
-        if (__DEV__) console.log('[HttpService] CSRF fetch response:', response.status, response.ok);
+        if (isDev()) console.log('[HttpService] CSRF fetch response:', response.status, response.ok);
 
         if (response.ok) {
           const data = await response.json() as { csrfToken?: string };
-          if (__DEV__) console.log('[HttpService] CSRF response data:', data);
+          if (isDev()) console.log('[HttpService] CSRF response data:', data);
           const token = data.csrfToken || null;
           this.tokenStore.setCsrfToken(token);
           this.logger.debug('CSRF token fetched');
@@ -531,11 +532,11 @@ export class HttpService {
           return headerToken;
         }
 
-        if (__DEV__) console.log('[HttpService] CSRF fetch failed with status:', response.status);
+        if (isDev()) console.log('[HttpService] CSRF fetch failed with status:', response.status);
         this.logger.warn('Failed to fetch CSRF token:', response.status);
         return null;
       } catch (error) {
-        if (__DEV__) console.log('[HttpService] CSRF fetch error:', error);
+        if (isDev()) console.log('[HttpService] CSRF fetch error:', error);
         this.logger.warn('CSRF token fetch error:', error);
         return null;
       } finally {

package/src/OxyServices.base.ts

@@ -131,21 +131,38 @@ export class OxyServicesBase {
    */
   public clearTokens(): void {
     this.httpService.clearTokens();
+    this._cachedUserId = undefined;
+    this._cachedAccessToken = null;
   }
 
+  /** @internal */ _cachedUserId: string | null | undefined = undefined;
+  /** @internal */ _cachedAccessToken: string | null = null;
+
   /**
-   * Get the current user ID from the access token
+   * Get the current user ID from the access token.
+   * Caches the decoded value and invalidates when the token changes.
    */
   public getCurrentUserId(): string | null {
     const accessToken = this.httpService.getAccessToken();
+
+    // Return cached value if token hasn't changed
+    if (accessToken === this._cachedAccessToken && this._cachedUserId !== undefined) {
+      return this._cachedUserId;
+    }
+
+    this._cachedAccessToken = accessToken;
+
     if (!accessToken) {
+      this._cachedUserId = null;
       return null;
     }
-    
+
     try {
       const decoded = jwtDecode<JwtPayload>(accessToken);
-      return decoded.userId || decoded.id || null;
-    } catch (error) {
+      this._cachedUserId = decoded.userId || decoded.id || null;
+      return this._cachedUserId;
+    } catch {
+      this._cachedUserId = null;
       return null;
     }
   }

package/src/OxyServices.ts

@@ -58,6 +58,10 @@
  */
 import { OxyServicesBase, type OxyConfig } from './OxyServices.base';
 import { OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices.errors';
+import type { SessionLoginResponse } from './models/session';
+import type { FedCMAuthOptions, FedCMConfig } from './mixins/OxyServices.fedcm';
+import type { PopupAuthOptions } from './mixins/OxyServices.popup';
+import type { RedirectAuthOptions } from './mixins/OxyServices.redirect';
 
 // Import mixin composition helper
 import { composeOxyServices } from './mixins';
@@ -106,8 +110,25 @@ export class OxyServices extends (OxyServicesComposed as any) {
 }
 
 // Type augmentation to expose mixin methods to TypeScript
-// This allows proper type checking while avoiding complex mixin type inference
-export interface OxyServices extends InstanceType<ReturnType<typeof composeOxyServices>> {}
+// This allows proper type checking while avoiding complex mixin type inference.
+// Explicit declarations are added for cross-domain auth methods that downstream
+// packages (auth-sdk, services) need without casting to `any`.
+export interface OxyServices extends InstanceType<ReturnType<typeof composeOxyServices>> {
+  // FedCM authentication
+  isFedCMSupported(): boolean;
+  signInWithFedCM(options?: FedCMAuthOptions): Promise<SessionLoginResponse>;
+  silentSignInWithFedCM(): Promise<SessionLoginResponse | null>;
+  revokeFedCMCredential(): Promise<void>;
+  getFedCMConfig(): FedCMConfig;
+
+  // Popup authentication
+  signInWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
+  signUpWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
+
+  // Redirect authentication
+  signInWithRedirect(options?: RedirectAuthOptions): void;
+  signUpWithRedirect(options?: RedirectAuthOptions): void;
+}
 
 // Re-export error classes for convenience
 export { OxyAuthenticationError, OxyAuthenticationTimeoutError };

package/src/crypto/keyManager.ts

@@ -9,6 +9,7 @@ import { ec as EC } from 'elliptic';
 import type { ECKeyPair } from 'elliptic';
 import { isWeb, isIOS, isAndroid } from '../utils/platform';
 import { logger } from '../utils/loggerUtils';
+import { isDev } from '../shared/utils/debugUtils';
 
 // Lazy imports for React Native specific modules
 let SecureStore: typeof import('expo-secure-store') | null = null;
@@ -49,7 +50,9 @@ const ANDROID_ACCOUNT_TYPE = 'com.oxy.account';
 async function initSecureStore(): Promise<typeof import('expo-secure-store')> {
   if (!SecureStore) {
     try {
-      SecureStore = await import('expo-secure-store');
+      // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+      const moduleName = 'expo-secure-store';
+      SecureStore = await import(moduleName);
     } catch (error) {
       const errorMessage = error instanceof Error ? error.message : String(error);
       throw new Error(`Failed to load expo-secure-store: ${errorMessage}. Make sure expo-secure-store is installed and properly configured.`);
@@ -85,9 +88,11 @@ function isWebPlatform(): boolean {
 
 async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
   if (!ExpoCrypto) {
-    ExpoCrypto = await import('expo-crypto');
+    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+    const moduleName = 'expo-crypto';
+    ExpoCrypto = await import(moduleName);
   }
-  return ExpoCrypto;
+  return ExpoCrypto!;
 }
 
 /**
@@ -238,7 +243,7 @@ export class KeyManager {
     KeyManager.cachedSharedPublicKey = publicKey;
     KeyManager.cachedHasSharedIdentity = true;
 
-    if (__DEV__) {
+    if (isDev()) {
       logger.debug('Shared identity created successfully', { component: 'KeyManager' });
     }
 
@@ -277,7 +282,7 @@ export class KeyManager {
 
       return publicKey;
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to get shared public key', { component: 'KeyManager' }, error);
       }
       KeyManager.cachedSharedPublicKey = null;
@@ -312,7 +317,7 @@ export class KeyManager {
 
       return privateKey;
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to get shared private key', { component: 'KeyManager' }, error);
       }
       return null;
@@ -343,7 +348,7 @@ export class KeyManager {
 
       return hasShared;
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to check shared identity', { component: 'KeyManager' }, error);
       }
       KeyManager.cachedHasSharedIdentity = false;
@@ -392,7 +397,7 @@ export class KeyManager {
     KeyManager.cachedSharedPublicKey = publicKey;
     KeyManager.cachedHasSharedIdentity = true;
 
-    if (__DEV__) {
+    if (isDev()) {
       logger.debug('Shared identity imported successfully', { component: 'KeyManager' });
     }
 
@@ -431,11 +436,11 @@ export class KeyManager {
         await store.setItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN, accessToken);
       }
 
-      if (__DEV__) {
+      if (isDev()) {
         logger.debug('Shared session stored successfully', { component: 'KeyManager' });
       }
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.error('Failed to store shared session', error, { component: 'KeyManager' });
       }
       throw error;
@@ -479,7 +484,7 @@ export class KeyManager {
 
       return { sessionId, accessToken };
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to get shared session', { component: 'KeyManager' }, error);
       }
       return null;
@@ -512,11 +517,11 @@ export class KeyManager {
         await store.deleteItemAsync(STORAGE_KEYS.SHARED_SESSION_TOKEN);
       }
 
-      if (__DEV__) {
+      if (isDev()) {
         logger.debug('Shared session cleared successfully', { component: 'KeyManager' });
       }
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.error('Failed to clear shared session', error, { component: 'KeyManager' });
       }
     }
@@ -540,7 +545,7 @@ export class KeyManager {
       // Check if we already have a shared identity
       const hasShared = await KeyManager.hasSharedIdentity();
       if (hasShared) {
-        if (__DEV__) {
+        if (isDev()) {
           logger.debug('Shared identity already exists, skipping migration', { component: 'KeyManager' });
         }
         return true;
@@ -549,7 +554,7 @@ export class KeyManager {
       // Get local identity
       const privateKey = await KeyManager.getPrivateKey();
       if (!privateKey) {
-        if (__DEV__) {
+        if (isDev()) {
           logger.debug('No local identity to migrate', { component: 'KeyManager' });
         }
         return false;
@@ -558,13 +563,13 @@ export class KeyManager {
       // Import to shared storage
       await KeyManager.importSharedIdentity(privateKey);
 
-      if (__DEV__) {
+      if (isDev()) {
         logger.debug('Successfully migrated local identity to shared identity', { component: 'KeyManager' });
       }
 
       return true;
     } catch (error) {
-      if (__DEV__) {
+      if (isDev()) {
         logger.error('Failed to migrate to shared identity', error, { component: 'KeyManager' });
       }
       return false;
@@ -635,7 +640,7 @@ export class KeyManager {
     } catch (error) {
       // If secure store is not available, return null (no identity)
       // This allows the app to continue functioning even if secure store fails to load
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to access secure store', { component: 'KeyManager' }, error);
       }
       return null;
@@ -665,7 +670,7 @@ export class KeyManager {
       // If secure store is not available, return null (no identity)
       // Cache null to avoid repeated failed attempts
       KeyManager.cachedPublicKey = null;
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to access secure store', { component: 'KeyManager' }, error);
       }
       return null;
@@ -695,7 +700,7 @@ export class KeyManager {
       // If we can't check, assume no identity (safer default)
       // Cache false to avoid repeated failed attempts
       KeyManager.cachedHasIdentity = false;
-      if (__DEV__) {
+      if (isDev()) {
         logger.warn('Failed to check identity', { component: 'KeyManager' }, error);
       }
       return false;
@@ -736,11 +741,11 @@ export class KeyManager {
     if (!skipBackup) {
       try {
         const backupSuccess = await KeyManager.backupIdentity();
-        if (!backupSuccess && typeof __DEV__ !== 'undefined' && __DEV__) {
+        if (!backupSuccess && isDev()) {
           logger.warn('Failed to backup identity before deletion - proceeding anyway', { component: 'KeyManager' });
         }
       } catch (backupError) {
-        if (typeof __DEV__ !== 'undefined' && __DEV__) {
+        if (isDev()) {
           logger.warn('Failed to backup identity before deletion', { component: 'KeyManager' }, backupError);
         }
       }
@@ -790,7 +795,7 @@ export class KeyManager {
 
       return true;
     } catch (error) {
-      if (typeof __DEV__ !== 'undefined' && __DEV__) {
+      if (isDev()) {
         logger.error('Failed to backup identity', error, { component: 'KeyManager' });
       }
       return false;
@@ -836,7 +841,7 @@ export class KeyManager {
 
       return true;
     } catch (error) {
-      if (typeof __DEV__ !== 'undefined' && __DEV__) {
+      if (isDev()) {
         logger.error('Identity integrity check failed', error, { component: 'KeyManager' });
       }
       return false;
@@ -893,7 +898,7 @@ export class KeyManager {
 
       return false;
     } catch (error) {
-      if (typeof __DEV__ !== 'undefined' && __DEV__) {
+      if (isDev()) {
         logger.error('Failed to restore identity from backup', error, { component: 'KeyManager' });
       }
       return false;

package/src/crypto/polyfill.ts

@@ -37,7 +37,12 @@ function getRandomBytesSync(byteCount: number): Uint8Array {
   if (!expoCryptoLoadAttempted) {
     expoCryptoLoadAttempted = true;
     try {
-      expoCryptoModule = require('expo-crypto');
+      // Only use require() in CJS environments (Metro/Node). In ESM (Vite/browser),
+      // crypto.getRandomValues exists natively so this code path is never reached.
+      if (typeof require !== 'undefined') {
+        const moduleName = 'expo-crypto';
+        expoCryptoModule = require(moduleName);
+      }
     } catch {
       // expo-crypto not available — expected in non-RN environments
     }

package/src/crypto/signatureService.ts

@@ -32,40 +32,44 @@ function isNodeJS(): boolean {
  */
 async function initExpoCrypto(): Promise<typeof import('expo-crypto')> {
   if (!ExpoCrypto) {
-    ExpoCrypto = await import('expo-crypto');
+    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
+    const moduleName = 'expo-crypto';
+    ExpoCrypto = await import(moduleName);
   }
-  return ExpoCrypto;
+  return ExpoCrypto!;
 }
 
 /**
  * Compute SHA-256 hash of a string
  */
 async function sha256(message: string): Promise<string> {
-  // In React Native, always use expo-crypto
-  if (isReactNative() || !isNodeJS()) {
+  // In React Native, use expo-crypto
+  if (isReactNative()) {
     const Crypto = await initExpoCrypto();
     return Crypto.digestStringAsync(
       Crypto.CryptoDigestAlgorithm.SHA256,
       message
     );
   }
-  
+
   // In Node.js, use Node's crypto module
-  // Use Function constructor to prevent Metro bundler from statically analyzing this require
-  // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
-  try {
-    // eslint-disable-next-line @typescript-eslint/no-implied-eval
-    const getCrypto = new Function('return require("crypto")');
-    const crypto = getCrypto();
-    return crypto.createHash('sha256').update(message).digest('hex');
-  } catch (error) {
-    // Fallback to expo-crypto if Node crypto fails
-    const Crypto = await initExpoCrypto();
-    return Crypto.digestStringAsync(
-      Crypto.CryptoDigestAlgorithm.SHA256,
-      message
-    );
+  if (isNodeJS()) {
+    try {
+      // eslint-disable-next-line @typescript-eslint/no-implied-eval
+      const getCrypto = new Function('return require("crypto")');
+      const nodeCrypto = getCrypto();
+      return nodeCrypto.createHash('sha256').update(message).digest('hex');
+    } catch {
+      // Fall through to Web Crypto API
+    }
   }
+
+  // Browser: use Web Crypto API
+  const encoder = new TextEncoder();
+  const data = encoder.encode(message);
+  const hashBuffer = await globalThis.crypto.subtle.digest('SHA-256', data);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
 }
 
 export interface SignedMessage {
@@ -87,29 +91,33 @@ export class SignatureService {
    * Uses expo-crypto in React Native, crypto.randomBytes in Node.js
    */
   static async generateChallenge(): Promise<string> {
-    if (isReactNative() || !isNodeJS()) {
-      // Use expo-crypto for React Native (expo-random is deprecated)
+    // In React Native, use expo-crypto
+    if (isReactNative()) {
       const Crypto = await initExpoCrypto();
       const randomBytes = await Crypto.getRandomBytesAsync(32);
       return Array.from(randomBytes)
         .map((b: number) => b.toString(16).padStart(2, '0'))
         .join('');
     }
-    
-    // Node.js fallback
-    try {
-      // eslint-disable-next-line @typescript-eslint/no-implied-eval
-      const getCrypto = new Function('return require("crypto")');
-      const crypto = getCrypto();
-      return crypto.randomBytes(32).toString('hex');
-    } catch (error) {
-      // Fallback to expo-crypto if Node crypto fails
-      const Crypto = await initExpoCrypto();
-      const randomBytes = await Crypto.getRandomBytesAsync(32);
-      return Array.from(randomBytes)
-        .map((b: number) => b.toString(16).padStart(2, '0'))
-        .join('');
+
+    // In Node.js, use Node's crypto module
+    if (isNodeJS()) {
+      try {
+        // eslint-disable-next-line @typescript-eslint/no-implied-eval
+        const getCrypto = new Function('return require("crypto")');
+        const nodeCrypto = getCrypto();
+        return nodeCrypto.randomBytes(32).toString('hex');
+      } catch {
+        // Fall through to Web Crypto API
+      }
     }
+
+    // Browser: use Web Crypto API
+    const bytes = new Uint8Array(32);
+    globalThis.crypto.getRandomValues(bytes);
+    return Array.from(bytes)
+      .map(b => b.toString(16).padStart(2, '0'))
+      .join('');
   }
 
   /**
@@ -319,5 +327,3 @@ export class SignatureService {
 }
 
 export default SignatureService;
-
-