@oxyhq/core 1.11.22 → 1.11.24

package/dist/types/HttpService.d.ts

@@ -50,6 +50,16 @@ export declare class HttpService {
     private tokenRefreshPromise;
     private tokenRefreshCooldownUntil;
     private _onTokenRefreshed;
+    /**
+     * Fan-out listeners notified on EVERY access-token change on this instance:
+     * explicit `setTokens`, `clearTokens`, a successful silent refresh, and the
+     * internal 401-driven clear. Unlike the single-slot `_onTokenRefreshed`
+     * (owned by AuthManager for the refresh path only), this is a Set so multiple
+     * independent observers can mirror token state without clobbering each other.
+     *
+     * Each listener receives the resulting access token, or `null` when cleared.
+     */
+    private _tokenChangeListeners;
     private _actingAsUserId;
     private requestMetrics;
     constructor(config: OxyConfig);
@@ -134,6 +144,27 @@ export declare class HttpService {
     setTokens(accessToken: string, refreshToken?: string): void;
     set onTokenRefreshed(callback: ((accessToken: string) => void) | null);
     clearTokens(): void;
+    /**
+     * Subscribe to access-token changes on this instance.
+     *
+     * Fires on every mutation of the access token — `setTokens`, `clearTokens`,
+     * a successful silent refresh, and the internal 401-driven clear — passing
+     * the resulting token (or `null` when cleared). Returns an unsubscribe
+     * function; call it on teardown to avoid leaks.
+     *
+     * This is the single hook downstream code (e.g. @oxyhq/services' OxyProvider)
+     * uses to keep an external token sink — such as the shared `oxyClient`
+     * singleton — in lockstep with the active session, regardless of which code
+     * path mutated the token.
+     */
+    addTokenChangeListener(listener: (accessToken: string | null) => void): () => void;
+    /**
+     * Notify all token-change listeners with the current access token.
+     * Listener exceptions are isolated so one bad subscriber cannot break token
+     * propagation to the others or to the calling auth flow.
+     * @internal
+     */
+    private notifyTokenChange;
     getAccessToken(): string | null;
     hasAccessToken(): boolean;
     getBaseURL(): string;

package/dist/types/OxyServices.base.d.ts

@@ -73,6 +73,20 @@ export declare class OxyServicesBase {
      * Clear stored authentication tokens
      */
     clearTokens(): void;
+    /**
+     * Subscribe to access-token changes on this client.
+     *
+     * The listener fires on every access-token mutation — explicit
+     * `setTokens`/`clearTokens`, a successful silent refresh, and the internal
+     * 401-driven clear — receiving the resulting token, or `null` when cleared.
+     * Returns an unsubscribe function.
+     *
+     * Primary use: keeping an external token sink (e.g. the shared `oxyClient`
+     * singleton) in lockstep with whichever `OxyServices` instance actually owns
+     * the session, so imperative consumers reading the singleton always observe
+     * the live token regardless of the code path that changed it.
+     */
+    onTokensChanged(listener: (accessToken: string | null) => void): () => void;
     /** @internal */ _cachedUserId: string | null | undefined;
     /** @internal */ _cachedAccessToken: string | null;
     /**

package/dist/types/OxyServices.d.ts

@@ -98,6 +98,15 @@ import { composeOxyServices } from './mixins';
  */
 declare const OxyServicesComposed: import("./mixins").ComposedOxyServicesConstructor;
 export declare class OxyServices extends OxyServicesComposed {
+    /**
+     * FedCM credential-request timeouts (ms). The runtime values are defined on
+     * the FedCM mixin and inherited here via `extends`; these `declare` members
+     * surface their types to TypeScript without re-emitting (or duplicating) the
+     * literals, so consumers/tests can reference `OxyServices.FEDCM_SILENT_TIMEOUT`
+     * with full typing.
+     */
+    static readonly FEDCM_TIMEOUT: number;
+    static readonly FEDCM_SILENT_TIMEOUT: number;
     constructor(config: OxyConfig);
 }
 export interface OxyServices extends InstanceType<ReturnType<typeof composeOxyServices>> {

package/dist/types/mixins/OxyServices.analytics.d.ts

@@ -46,6 +46,7 @@ export declare function OxyServicesAnalyticsMixin<T extends typeof OxyServicesBa
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.appData.d.ts

@@ -82,6 +82,7 @@ export declare function OxyServicesAppDataMixin<T extends typeof OxyServicesBase
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.assets.d.ts

@@ -119,6 +119,7 @@ export declare function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.auth.d.ts

@@ -313,6 +313,7 @@ export declare function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(B
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.contacts.d.ts

@@ -74,6 +74,7 @@ export declare function OxyServicesContactsMixin<T extends typeof OxyServicesBas
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.developer.d.ts

@@ -79,6 +79,7 @@ export declare function OxyServicesDeveloperMixin<T extends typeof OxyServicesBa
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.devices.d.ts

@@ -76,6 +76,7 @@ export declare function OxyServicesDevicesMixin<T extends typeof OxyServicesBase
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.features.d.ts

@@ -204,6 +204,7 @@ export declare function OxyServicesFeaturesMixin<T extends typeof OxyServicesBas
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;
@@ -215,7 +216,11 @@ export declare function OxyServicesFeaturesMixin<T extends typeof OxyServicesBas
         withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
             maxRetries?: number;
             retryDelay?: number;
-            authTimeoutMs?: number;
+            authTimeoutMs
+            /**
+             * Get user statistics
+             */
+            ?: number;
         }): Promise<T_1>;
         validate(): Promise<boolean>;
         handleError(error: unknown): Error;

package/dist/types/mixins/OxyServices.fedcm.d.ts

@@ -82,6 +82,24 @@ export declare function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(
          * ```
          */
         signInWithFedCM(options?: FedCMAuthOptions): Promise<SessionLoginResponse>;
+        /**
+         * Run a single interactive FedCM credential request + token exchange for the
+         * given (possibly undefined) loginHint. A successful exchange plants the
+         * access token and persists the user id as the future loginHint — the hint is
+         * therefore only ever stored after a GENUINELY successful sign-in, never
+         * speculatively.
+         *
+         * @private
+         */
+        attemptInteractiveSignIn(options: FedCMAuthOptions, loginHint: string | undefined): Promise<SessionLoginResponse>;
+        /**
+         * Map a raw FedCM/exchange failure to a user-facing {@link OxyAuthenticationError}
+         * (or pass it through). Extracted so the clear-and-retry path can reuse the
+         * exact same error normalisation as the first attempt.
+         *
+         * @private
+         */
+        normalizeInteractiveSignInError(error: unknown): unknown;
         /**
          * Silent sign-in using FedCM
          *
@@ -243,6 +261,7 @@ export declare function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;
@@ -267,7 +286,7 @@ export declare function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(
     };
     readonly DEFAULT_CONFIG_URL: "https://auth.oxy.so/fedcm.json";
     readonly FEDCM_TIMEOUT: 15000;
-    readonly FEDCM_SILENT_TIMEOUT: 3000;
+    readonly FEDCM_SILENT_TIMEOUT: 10000;
     /**
      * Check if FedCM is supported in the current browser
      */

package/dist/types/mixins/OxyServices.karma.d.ts

@@ -65,6 +65,7 @@ export declare function OxyServicesKarmaMixin<T extends typeof OxyServicesBase>(
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.language.d.ts

@@ -61,6 +61,7 @@ export declare function OxyServicesLanguageMixin<T extends typeof OxyServicesBas
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.location.d.ts

@@ -44,6 +44,7 @@ export declare function OxyServicesLocationMixin<T extends typeof OxyServicesBas
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.managedAccounts.d.ts

@@ -101,6 +101,7 @@ export declare function OxyServicesManagedAccountsMixin<T extends typeof OxyServ
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.payment.d.ts

@@ -91,6 +91,7 @@ export declare function OxyServicesPaymentMixin<T extends typeof OxyServicesBase
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.popup.d.ts

@@ -181,6 +181,7 @@ export declare function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBa
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.privacy.d.ts

@@ -102,6 +102,7 @@ export declare function OxyServicesPrivacyMixin<T extends typeof OxyServicesBase
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.redirect.d.ts

@@ -218,6 +218,7 @@ export declare function OxyServicesRedirectAuthMixin<T extends typeof OxyService
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.security.d.ts

@@ -58,6 +58,7 @@ export declare function OxyServicesSecurityMixin<T extends typeof OxyServicesBas
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.topics.d.ts

@@ -84,6 +84,7 @@ export declare function OxyServicesTopicsMixin<T extends typeof OxyServicesBase>
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.user.d.ts

@@ -229,6 +229,7 @@ export declare function OxyServicesUserMixin<T extends typeof OxyServicesBase>(B
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/dist/types/mixins/OxyServices.utility.d.ts

@@ -267,6 +267,7 @@ export declare function OxyServicesUtilityMixin<T extends typeof OxyServicesBase
         getCloudURL(): string;
         setTokens(accessToken: string, refreshToken?: string): void;
         clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
         _cachedAccessToken: string | null;
         getCurrentUserId(): string | null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/core",
-  "version": "1.11.22",
+  "version": "1.11.24",
   "description": "OxyHQ SDK Foundation — API client, authentication, cryptographic identity, and shared utilities",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",

package/src/HttpService.ts

@@ -176,6 +176,17 @@ export class HttpService {
   private tokenRefreshCooldownUntil: number = 0;
   private _onTokenRefreshed: ((accessToken: string) => void) | null = null;
 
+  /**
+   * Fan-out listeners notified on EVERY access-token change on this instance:
+   * explicit `setTokens`, `clearTokens`, a successful silent refresh, and the
+   * internal 401-driven clear. Unlike the single-slot `_onTokenRefreshed`
+   * (owned by AuthManager for the refresh path only), this is a Set so multiple
+   * independent observers can mirror token state without clobbering each other.
+   *
+   * Each listener receives the resulting access token, or `null` when cleared.
+   */
+  private _tokenChangeListeners = new Set<(accessToken: string | null) => void>();
+
   // Acting-as identity for managed accounts
   private _actingAsUserId: string | null = null;
 
@@ -430,6 +441,7 @@ export class HttpService {
             // Refresh failed or no token — clear tokens and stale CSRF
             this.tokenStore.clearTokens();
             this.tokenStore.clearCsrfToken();
+            this.notifyTokenChange();
           }
 
           // On 403 with CSRF error, clear cached token and retry once
@@ -844,6 +856,7 @@ export class HttpService {
         const { accessToken: newToken } = await response.json();
         this.tokenStore.setTokens(newToken);
         this._onTokenRefreshed?.(newToken);
+        this.notifyTokenChange();
         this.logger.debug('Token refreshed');
         return `Bearer ${newToken}`;
       }
@@ -920,6 +933,7 @@ export class HttpService {
   // Token management
   setTokens(accessToken: string, refreshToken = ''): void {
     this.tokenStore.setTokens(accessToken, refreshToken);
+    this.notifyTokenChange();
   }
 
   set onTokenRefreshed(callback: ((accessToken: string) => void) | null) {
@@ -929,6 +943,45 @@ export class HttpService {
   clearTokens(): void {
     this.tokenStore.clearTokens();
     this.tokenStore.clearCsrfToken();
+    this.notifyTokenChange();
+  }
+
+  /**
+   * Subscribe to access-token changes on this instance.
+   *
+   * Fires on every mutation of the access token — `setTokens`, `clearTokens`,
+   * a successful silent refresh, and the internal 401-driven clear — passing
+   * the resulting token (or `null` when cleared). Returns an unsubscribe
+   * function; call it on teardown to avoid leaks.
+   *
+   * This is the single hook downstream code (e.g. @oxyhq/services' OxyProvider)
+   * uses to keep an external token sink — such as the shared `oxyClient`
+   * singleton — in lockstep with the active session, regardless of which code
+   * path mutated the token.
+   */
+  addTokenChangeListener(listener: (accessToken: string | null) => void): () => void {
+    this._tokenChangeListeners.add(listener);
+    return () => {
+      this._tokenChangeListeners.delete(listener);
+    };
+  }
+
+  /**
+   * Notify all token-change listeners with the current access token.
+   * Listener exceptions are isolated so one bad subscriber cannot break token
+   * propagation to the others or to the calling auth flow.
+   * @internal
+   */
+  private notifyTokenChange(): void {
+    if (this._tokenChangeListeners.size === 0) return;
+    const accessToken = this.tokenStore.getAccessToken();
+    for (const listener of this._tokenChangeListeners) {
+      try {
+        listener(accessToken);
+      } catch (error) {
+        this.logger.error('Token change listener threw:', error);
+      }
+    }
   }
 
   getAccessToken(): string | null {

package/src/OxyServices.base.ts

@@ -146,6 +146,23 @@ export class OxyServicesBase {
     this._cachedAccessToken = null;
   }
 
+  /**
+   * Subscribe to access-token changes on this client.
+   *
+   * The listener fires on every access-token mutation — explicit
+   * `setTokens`/`clearTokens`, a successful silent refresh, and the internal
+   * 401-driven clear — receiving the resulting token, or `null` when cleared.
+   * Returns an unsubscribe function.
+   *
+   * Primary use: keeping an external token sink (e.g. the shared `oxyClient`
+   * singleton) in lockstep with whichever `OxyServices` instance actually owns
+   * the session, so imperative consumers reading the singleton always observe
+   * the live token regardless of the code path that changed it.
+   */
+  public onTokensChanged(listener: (accessToken: string | null) => void): () => void {
+    return this.httpService.addTokenChangeListener(listener);
+  }
+
   /** @internal */ _cachedUserId: string | null | undefined = undefined;
   /** @internal */ _cachedAccessToken: string | null = null;
 

package/src/OxyServices.ts

@@ -109,6 +109,16 @@ const OxyServicesComposed = composeOxyServices();
 // We extend the composed constructor directly — its public surface is broadened
 // to the full mixin set via the interface declaration that follows.
 export class OxyServices extends OxyServicesComposed {
+  /**
+   * FedCM credential-request timeouts (ms). The runtime values are defined on
+   * the FedCM mixin and inherited here via `extends`; these `declare` members
+   * surface their types to TypeScript without re-emitting (or duplicating) the
+   * literals, so consumers/tests can reference `OxyServices.FEDCM_SILENT_TIMEOUT`
+   * with full typing.
+   */
+  declare static readonly FEDCM_TIMEOUT: number;
+  declare static readonly FEDCM_SILENT_TIMEOUT: number;
+
   constructor(config: OxyConfig) {
     super(config);
   }