@oxyhq/core 1.11.8 → 1.11.10

package/dist/types/AuthManager.d.ts

@@ -34,6 +34,8 @@ export interface AuthManagerConfig {
     autoRefresh?: boolean;
     /** Token refresh interval in milliseconds (default: 5 minutes before expiry) */
     refreshBuffer?: number;
+    /** Enable cross-tab coordination via BroadcastChannel (default: true in browsers) */
+    crossTabSync?: boolean;
 }
 /**
  * AuthManager - Centralized authentication management.
@@ -68,7 +70,26 @@ export declare class AuthManager {
     private refreshTimer;
     private refreshPromise;
     private config;
+    /** Tracks the access token this instance last knew about, for cross-tab adoption. */
+    private _lastKnownAccessToken;
+    /** BroadcastChannel for coordinating token refreshes across browser tabs. */
+    private _broadcastChannel;
+    /** Set to true when another tab broadcasts a successful refresh, so this tab can skip its own. */
+    private _otherTabRefreshed;
     constructor(oxyServices: OxyServices, config?: AuthManagerConfig);
+    /**
+     * Initialize BroadcastChannel for cross-tab token refresh coordination.
+     * Only called in browser environments where BroadcastChannel is available.
+     */
+    private _initBroadcastChannel;
+    /**
+     * Handle messages from other tabs about token refresh activity.
+     */
+    private _handleCrossTabMessage;
+    /**
+     * Broadcast a message to other tabs.
+     */
+    private _broadcast;
     /**
      * Get default storage based on environment.
      */

package/dist/types/mixins/OxyServices.fedcm.d.ts

@@ -33,8 +33,7 @@ export interface FedCMConfig {
  */
 export declare function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T): {
     new (...args: any[]): {
-        /** Resolved FedCM config URL: derived from config.authWebUrl or uses the static default */
-        get fedcmConfigUrl(): string;
+        resolveFedcmConfigUrl(): string;
         /**
          * Instance method to check FedCM support
          */
@@ -204,7 +203,6 @@ export declare function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(
             [key: string]: any;
         }>;
     };
-    readonly DEFAULT_AUTH_URL: "https://auth.oxy.so";
     readonly DEFAULT_CONFIG_URL: "https://auth.oxy.so/fedcm.json";
     readonly FEDCM_TIMEOUT: 15000;
     readonly FEDCM_SILENT_TIMEOUT: 3000;

package/dist/types/mixins/OxyServices.popup.d.ts

@@ -33,8 +33,8 @@ export interface SilentAuthOptions {
  */
 export declare function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base: T): {
     new (...args: any[]): {
-        /** Resolved auth URL: config.authWebUrl takes precedence over the static default */
-        get authUrl(): string;
+        /** Resolve auth URL from config or static default (method, not getter — getters break in TS mixins) */
+        resolveAuthUrl(): string;
         /**
          * Sign in using popup window
          *

package/dist/types/mixins/OxyServices.redirect.d.ts

@@ -31,8 +31,6 @@ export interface RedirectAuthOptions {
  */
 export declare function OxyServicesRedirectAuthMixin<T extends typeof OxyServicesBase>(Base: T): {
     new (...args: any[]): {
-        /** Resolved auth URL: config.authWebUrl takes precedence over the static default */
-        get authUrl(): string;
         /**
          * Sign in using full page redirect
          *

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/core",
-  "version": "1.11.8",
+  "version": "1.11.10",
   "description": "OxyHQ SDK Foundation — API client, authentication, cryptographic identity, and shared utilities",
   "main": "dist/cjs/index.js",
   "module": "dist/esm/index.js",

package/src/AuthManager.ts

@@ -48,6 +48,17 @@ export interface AuthManagerConfig {
   autoRefresh?: boolean;
   /** Token refresh interval in milliseconds (default: 5 minutes before expiry) */
   refreshBuffer?: number;
+  /** Enable cross-tab coordination via BroadcastChannel (default: true in browsers) */
+  crossTabSync?: boolean;
+}
+
+/**
+ * Messages sent between tabs via BroadcastChannel for token refresh coordination.
+ */
+interface CrossTabMessage {
+  type: 'refresh_starting' | 'tokens_refreshed' | 'signed_out';
+  sessionId?: string;
+  timestamp: number;
 }
 
 /**
@@ -145,21 +156,117 @@ export class AuthManager {
   private currentUser: MinimalUserData | null = null;
   private refreshTimer: ReturnType<typeof setTimeout> | null = null;
   private refreshPromise: Promise<boolean> | null = null;
-  private config: Required<AuthManagerConfig>;
+  private config: Required<Omit<AuthManagerConfig, 'crossTabSync'>> & { crossTabSync: boolean };
+
+  /** Tracks the access token this instance last knew about, for cross-tab adoption. */
+  private _lastKnownAccessToken: string | null = null;
+
+  /** BroadcastChannel for coordinating token refreshes across browser tabs. */
+  private _broadcastChannel: BroadcastChannel | null = null;
+
+  /** Set to true when another tab broadcasts a successful refresh, so this tab can skip its own. */
+  private _otherTabRefreshed = false;
 
   constructor(oxyServices: OxyServices, config: AuthManagerConfig = {}) {
     this.oxyServices = oxyServices;
+    const crossTabSync = config.crossTabSync ?? (typeof BroadcastChannel !== 'undefined');
     this.config = {
       storage: config.storage ?? this.getDefaultStorage(),
       autoRefresh: config.autoRefresh ?? true,
       refreshBuffer: config.refreshBuffer ?? 5 * 60 * 1000, // 5 minutes
+      crossTabSync,
     };
     this.storage = this.config.storage;
 
     // Persist tokens to storage when HttpService refreshes them automatically
     this.oxyServices.httpService.onTokenRefreshed = (accessToken: string) => {
+      this._lastKnownAccessToken = accessToken;
       this.storage.setItem(STORAGE_KEYS.ACCESS_TOKEN, accessToken);
     };
+
+    // Setup cross-tab coordination in browser environments
+    if (this.config.crossTabSync) {
+      this._initBroadcastChannel();
+    }
+  }
+
+  /**
+   * Initialize BroadcastChannel for cross-tab token refresh coordination.
+   * Only called in browser environments where BroadcastChannel is available.
+   */
+  private _initBroadcastChannel(): void {
+    if (typeof BroadcastChannel === 'undefined') return;
+
+    try {
+      this._broadcastChannel = new BroadcastChannel('oxy_auth_sync');
+      this._broadcastChannel.onmessage = (event: MessageEvent<CrossTabMessage>) => {
+        this._handleCrossTabMessage(event.data);
+      };
+    } catch {
+      // BroadcastChannel not supported or blocked (e.g., opaque origins)
+      this._broadcastChannel = null;
+    }
+  }
+
+  /**
+   * Handle messages from other tabs about token refresh activity.
+   */
+  private async _handleCrossTabMessage(message: CrossTabMessage): Promise<void> {
+    if (!message || !message.type) return;
+
+    switch (message.type) {
+      case 'tokens_refreshed': {
+        // Another tab successfully refreshed. Signal to cancel our pending refresh.
+        this._otherTabRefreshed = true;
+
+        // Adopt the new tokens from shared storage
+        const newToken = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+        if (newToken && newToken !== this._lastKnownAccessToken) {
+          this._lastKnownAccessToken = newToken;
+          this.oxyServices.httpService.setTokens(newToken);
+
+          // Re-read session for updated expiry and schedule next refresh
+          const sessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
+          if (sessionJson) {
+            try {
+              const session = JSON.parse(sessionJson);
+              if (session.expiresAt && this.config.autoRefresh) {
+                this.setupTokenRefresh(session.expiresAt);
+              }
+            } catch {
+              // Ignore parse errors
+            }
+          }
+        }
+        break;
+      }
+
+      case 'signed_out': {
+        // Another tab signed out. Clear our local state to stay consistent.
+        if (this.refreshTimer) {
+          clearTimeout(this.refreshTimer);
+          this.refreshTimer = null;
+        }
+        this.refreshPromise = null;
+        this._lastKnownAccessToken = null;
+        this.oxyServices.httpService.setTokens('');
+        this.currentUser = null;
+        this.notifyListeners();
+        break;
+      }
+      // 'refresh_starting' is informational; we don't need to act on it currently
+    }
+  }
+
+  /**
+   * Broadcast a message to other tabs.
+   */
+  private _broadcast(message: CrossTabMessage): void {
+    try {
+      this._broadcastChannel?.postMessage(message);
+    } catch {
+      // Channel closed or unavailable
+    }
   }
 
   /**
@@ -212,6 +319,7 @@ export class AuthManager {
   ): Promise<void> {
     // Store tokens
     if (session.accessToken) {
+      this._lastKnownAccessToken = session.accessToken;
       await this.storage.setItem(STORAGE_KEYS.ACCESS_TOKEN, session.accessToken);
       this.oxyServices.httpService.setTokens(session.accessToken);
     }
@@ -287,6 +395,9 @@ export class AuthManager {
   }
 
   private async _doRefreshToken(): Promise<boolean> {
+    // Reset the cross-tab flag before starting
+    this._otherTabRefreshed = false;
+
     // Get session info to find sessionId for token refresh
     const sessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
     if (!sessionJson) {
@@ -298,14 +409,31 @@ export class AuthManager {
       const session = JSON.parse(sessionJson);
       sessionId = session.sessionId;
       if (!sessionId) return false;
-} catch (err) {
+    } catch (err) {
       console.error('AuthManager: Failed to parse session from storage.', err);
       return false;
     }
 
+    // Record the token we know about before attempting refresh
+    const tokenBeforeRefresh = this._lastKnownAccessToken;
+
+    // Broadcast that we're starting a refresh (informational for other tabs)
+    this._broadcast({ type: 'refresh_starting', sessionId, timestamp: Date.now() });
+
     try {
       await retryAsync(
         async () => {
+          // Before each attempt, check if another tab already refreshed
+          if (this._otherTabRefreshed) {
+            const adoptedToken = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+            if (adoptedToken && adoptedToken !== tokenBeforeRefresh) {
+              // Another tab succeeded. Adopt its tokens and short-circuit.
+              this._lastKnownAccessToken = adoptedToken;
+              this.oxyServices.httpService.setTokens(adoptedToken);
+              return;
+            }
+          }
+
           const httpService = this.oxyServices.httpService as HttpService;
           // Use session-based token endpoint which handles auto-refresh server-side
           const response = await httpService.request<{ accessToken: string; expiresAt: string }>({
@@ -320,6 +448,7 @@ export class AuthManager {
           }
 
           // Update access token in storage and HTTP client
+          this._lastKnownAccessToken = response.accessToken;
           await this.storage.setItem(STORAGE_KEYS.ACCESS_TOKEN, response.accessToken);
           this.oxyServices.httpService.setTokens(response.accessToken);
 
@@ -329,7 +458,7 @@ export class AuthManager {
               const session = JSON.parse(sessionJson);
               session.expiresAt = response.expiresAt;
               await this.storage.setItem(STORAGE_KEYS.SESSION, JSON.stringify(session));
-} catch (err) {
+            } catch (err) {
               // Ignore parse errors for session update, but log for debugging.
               console.error('AuthManager: Failed to re-save session after token refresh.', err);
             }
@@ -338,6 +467,9 @@ export class AuthManager {
               this.setupTokenRefresh(response.expiresAt);
             }
           }
+
+          // Broadcast success so other tabs can adopt these tokens
+          this._broadcast({ type: 'tokens_refreshed', sessionId, timestamp: Date.now() });
         },
         2,    // 2 retries = 3 total attempts
         1000, // 1s base delay with exponential backoff + jitter
@@ -350,7 +482,42 @@ export class AuthManager {
       );
       return true;
     } catch {
-      // All retry attempts exhausted, clear session
+      // All retry attempts exhausted. Before clearing the session, check if
+      // another tab managed to refresh successfully while we were retrying.
+      // Since all tabs share the same storage (localStorage), a successful
+      // refresh from another tab will have written a different access token.
+      const currentStoredToken = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
+      if (currentStoredToken && currentStoredToken !== tokenBeforeRefresh) {
+        // Another tab refreshed successfully. Adopt its tokens instead of logging out.
+        this._lastKnownAccessToken = currentStoredToken;
+        this.oxyServices.httpService.setTokens(currentStoredToken);
+
+        // Restore user from storage in case it was updated
+        const userJson = await this.storage.getItem(STORAGE_KEYS.USER);
+        if (userJson) {
+          try {
+            this.currentUser = JSON.parse(userJson);
+          } catch {
+            // Ignore parse errors
+          }
+        }
+
+        // Re-read session expiry and schedule next refresh
+        const updatedSessionJson = await this.storage.getItem(STORAGE_KEYS.SESSION);
+        if (updatedSessionJson) {
+          try {
+            const session = JSON.parse(updatedSessionJson);
+            if (session.expiresAt && this.config.autoRefresh) {
+              this.setupTokenRefresh(session.expiresAt);
+            }
+          } catch {
+            // Ignore parse errors
+          }
+        }
+        return true;
+      }
+
+      // No other tab rescued us -- truly clear the session
       await this.clearSession();
       this.currentUser = null;
       this.notifyListeners();
@@ -394,10 +561,14 @@ export class AuthManager {
 
     // Clear HTTP client tokens
     this.oxyServices.httpService.setTokens('');
+    this._lastKnownAccessToken = null;
 
     // Clear storage
     await this.clearSession();
 
+    // Notify other tabs so they also sign out
+    this._broadcast({ type: 'signed_out', timestamp: Date.now() });
+
     // Update state and notify
     this.currentUser = null;
     this.notifyListeners();
@@ -479,6 +650,7 @@ export class AuthManager {
       // Restore token to HTTP client
       const token = await this.storage.getItem(STORAGE_KEYS.ACCESS_TOKEN);
       if (token) {
+        this._lastKnownAccessToken = token;
         this.oxyServices.httpService.setTokens(token);
       }
 
@@ -520,6 +692,16 @@ export class AuthManager {
       this.refreshTimer = null;
     }
     this.listeners.clear();
+
+    // Close BroadcastChannel
+    if (this._broadcastChannel) {
+      try {
+        this._broadcastChannel.close();
+      } catch {
+        // Ignore close errors
+      }
+      this._broadcastChannel = null;
+    }
   }
 }
 

package/src/crypto/keyManager.ts

@@ -102,13 +102,11 @@ async function getSecureRandomBytes(length: number): Promise<Uint8Array> {
   }
   
   // In Node.js, use Node's crypto module
-  // Use Function constructor to prevent Metro bundler from statically analyzing this require
-  // This ensures the require is only evaluated in Node.js runtime, not during Metro bundling
+  // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
   try {
-    // eslint-disable-next-line @typescript-eslint/no-implied-eval
-    const getCrypto = new Function('return require("crypto")');
-    const crypto = getCrypto();
-    return new Uint8Array(crypto.randomBytes(length));
+    const cryptoModuleName = 'crypto';
+    const nodeCrypto = await import(cryptoModuleName);
+    return new Uint8Array(nodeCrypto.randomBytes(length));
   } catch (error) {
     // Fallback to expo-crypto if Node crypto fails
     const Crypto = await initExpoCrypto();

package/src/crypto/polyfill.ts

@@ -31,28 +31,36 @@ type CryptoLike = {
 
 // Cache for expo-crypto module (lazy loaded only in React Native)
 let expoCryptoModule: { getRandomBytes: (count: number) => Uint8Array } | null = null;
-let expoCryptoLoadAttempted = false;
+let expoCryptoLoadPromise: Promise<void> | null = null;
 
-function getRandomBytesSync(byteCount: number): Uint8Array {
-  if (!expoCryptoLoadAttempted) {
-    expoCryptoLoadAttempted = true;
+/**
+ * Eagerly start loading expo-crypto. The module is cached once resolved so
+ * the synchronous getRandomValues shim can read from it immediately.
+ * Uses dynamic import with variable indirection to prevent ESM bundlers
+ * (Vite, webpack) from statically resolving the specifier.
+ */
+function startExpoCryptoLoad(): void {
+  if (expoCryptoLoadPromise) return;
+  expoCryptoLoadPromise = (async () => {
     try {
-      // Only use require() in CJS environments (Metro/Node). In ESM (Vite/browser),
-      // crypto.getRandomValues exists natively so this code path is never reached.
-      if (typeof require !== 'undefined') {
-        const moduleName = 'expo-crypto';
-        expoCryptoModule = require(moduleName);
-      }
+      const moduleName = 'expo-crypto';
+      expoCryptoModule = await import(moduleName);
     } catch {
       // expo-crypto not available — expected in non-RN environments
     }
-  }
+  })();
+}
+
+function getRandomBytesSync(byteCount: number): Uint8Array {
+  // Kick off loading if not already started (should have been started at module init)
+  startExpoCryptoLoad();
   if (expoCryptoModule) {
     return expoCryptoModule.getRandomBytes(byteCount);
   }
   throw new Error(
     'No crypto.getRandomValues implementation available. ' +
-    'In React Native, install expo-crypto.'
+    'In React Native, install expo-crypto. ' +
+    'If expo-crypto is installed, ensure the polyfill module is imported early enough for the async load to complete.'
   );
 }
 
@@ -67,8 +75,11 @@ const cryptoPolyfill: CryptoLike = {
 
 // Only polyfill if crypto or crypto.getRandomValues is not available
 if (typeof globalObject.crypto === 'undefined') {
+  // Start loading expo-crypto eagerly so it is ready by the time getRandomValues is called
+  startExpoCryptoLoad();
   (globalObject as unknown as { crypto: CryptoLike }).crypto = cryptoPolyfill;
 } else if (typeof globalObject.crypto.getRandomValues !== 'function') {
+  startExpoCryptoLoad();
   (globalObject.crypto as CryptoLike).getRandomValues = cryptoPolyfill.getRandomValues;
 }
 

package/src/crypto/signatureService.ts

@@ -86,11 +86,11 @@ export class SignatureService {
     }
 
     // In Node.js, use Node's crypto module
+    // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
     if (isNodeJS()) {
       try {
-        // eslint-disable-next-line @typescript-eslint/no-implied-eval
-        const getCrypto = new Function('return require("crypto")');
-        const nodeCrypto = getCrypto();
+        const cryptoModuleName = 'crypto';
+        const nodeCrypto = await import(cryptoModuleName);
         return nodeCrypto.randomBytes(32).toString('hex');
       } catch {
         // Fall through to Web Crypto API
@@ -162,7 +162,10 @@ export class SignatureService {
         // In React Native, use async verify instead
         throw new Error('verifySync should only be used in Node.js. Use verify() in React Native.');
       }
-      // Use Function constructor to prevent Metro bundler from statically analyzing this require
+      // Intentionally using Function constructor here: this method is synchronous by design
+      // (Node.js backend hot-path) so we cannot use `await import()`. The Function constructor
+      // prevents Metro/bundlers from statically resolving the require. This is acceptable because
+      // verifySync is gated by isNodeJS() and will never execute in browser/RN environments.
       // eslint-disable-next-line @typescript-eslint/no-implied-eval
       const getCrypto = new Function('return require("crypto")');
       const crypto = getCrypto();

package/src/mixins/OxyServices.fedcm.ts

@@ -51,15 +51,14 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
     constructor(...args: any[]) {
       super(...(args as [any]));
     }
-  public static readonly DEFAULT_AUTH_URL = 'https://auth.oxy.so';
   public static readonly DEFAULT_CONFIG_URL = 'https://auth.oxy.so/fedcm.json';
 
-  /** Resolved FedCM config URL: derived from config.authWebUrl or uses the static default */
-  public get fedcmConfigUrl(): string {
+  public resolveFedcmConfigUrl(): string {
     return this.config.authWebUrl
       ? `${this.config.authWebUrl}/fedcm.json`
       : (this.constructor as any).DEFAULT_CONFIG_URL;
   }
+
   public static readonly FEDCM_TIMEOUT = 15000; // 15 seconds for interactive
   public static readonly FEDCM_SILENT_TIMEOUT = 3000; // 3 seconds for silent mediation
 
@@ -121,7 +120,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       // Request credential from browser's native identity flow
       // mode: 'button' signals this is a user-gesture-initiated flow (Chrome 125+)
       const credential = await this.requestIdentityCredential({
-        configURL: this.fedcmConfigUrl,
+        configURL: this.resolveFedcmConfigUrl(),
         clientId,
         nonce,
         context: options.context,
@@ -224,7 +223,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       debug.log('Silent SSO: Attempting silent mediation...', loginHint ? `(hint: ${loginHint})` : '');
 
       credential = await this.requestIdentityCredential({
-        configURL: this.fedcmConfigUrl,
+        configURL: this.resolveFedcmConfigUrl(),
         clientId,
         nonce,
         loginHint,
@@ -469,7 +468,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
       if ('IdentityCredential' in window && 'disconnect' in (window as any).IdentityCredential) {
         const clientId = this.getClientId();
         await (window as any).IdentityCredential.disconnect({
-          configURL: this.fedcmConfigUrl,
+          configURL: this.resolveFedcmConfigUrl(),
           clientId,
           accountHint: accountHint || '*',
         });
@@ -488,7 +487,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
   getFedCMConfig(): FedCMConfig {
     return {
       enabled: this.isFedCMSupported(),
-      configURL: this.fedcmConfigUrl,
+      configURL: this.resolveFedcmConfigUrl(),
       clientId: this.getClientId(),
     };
   }

package/src/mixins/OxyServices.popup.ts

@@ -45,10 +45,11 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
     }
   public static readonly DEFAULT_AUTH_URL = 'https://auth.oxy.so';
 
-  /** Resolved auth URL: config.authWebUrl takes precedence over the static default */
-  public get authUrl(): string {
+  /** Resolve auth URL from config or static default (method, not getter — getters break in TS mixins) */
+  public resolveAuthUrl(): string {
     return this.config.authWebUrl || (this.constructor as any).DEFAULT_AUTH_URL;
   }
+
   public static readonly POPUP_WIDTH = 500;
   public static readonly POPUP_HEIGHT = 700;
   public static readonly POPUP_TIMEOUT = 60000; // 1 minute
@@ -100,7 +101,7 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
       state,
       nonce,
       clientId: window.location.origin,
-      redirectUri: `${this.authUrl}/auth/callback`,
+      redirectUri: `${this.resolveAuthUrl()}/auth/callback`,
     });
 
     const popup = this.openCenteredPopup(authUrl, 'Oxy Sign In', width, height);
@@ -203,7 +204,7 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
     iframe.style.height = '0';
     iframe.style.border = 'none';
 
-    const silentUrl = `${this.authUrl}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
+    const silentUrl = `${this.resolveAuthUrl()}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
 
     iframe.src = silentUrl;
     document.body.appendChild(iframe);
@@ -265,7 +266,7 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
       }, timeout);
 
       const messageHandler = (event: MessageEvent) => {
-        const authUrl = this.authUrl;
+        const authUrl = this.resolveAuthUrl();
 
         // Log all messages for debugging
         if (event.data && typeof event.data === 'object' && event.data.type) {
@@ -352,7 +353,7 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
 
       const messageHandler = (event: MessageEvent) => {
         // Verify origin
-        if (event.origin !== this.authUrl) {
+        if (event.origin !== this.resolveAuthUrl()) {
           return;
         }
 
@@ -387,7 +388,7 @@ export function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base
     clientId: string;
     redirectUri: string;
   }): string {
-    const url = new URL(`${this.authUrl}/${params.mode}`);
+    const url = new URL(`${this.resolveAuthUrl()}/${params.mode}`);
     url.searchParams.set('response_type', 'token');
     url.searchParams.set('client_id', params.clientId);
     url.searchParams.set('redirect_uri', params.redirectUri);

package/src/mixins/OxyServices.redirect.ts

@@ -38,11 +38,6 @@ export function OxyServicesRedirectAuthMixin<T extends typeof OxyServicesBase>(B
       super(...(args as [any]));
     }
   public static readonly DEFAULT_AUTH_URL = 'https://auth.oxy.so';
-
-  /** Resolved auth URL: config.authWebUrl takes precedence over the static default */
-  public get authUrl(): string {
-    return this.config.authWebUrl || (this.constructor as any).DEFAULT_AUTH_URL;
-  }
   public static readonly TOKEN_STORAGE_KEY = 'oxy_access_token';
   public static readonly SESSION_STORAGE_KEY = 'oxy_session_id';
   public static readonly STATE_STORAGE_KEY = 'oxy_auth_state';
@@ -275,7 +270,7 @@ export function OxyServicesRedirectAuthMixin<T extends typeof OxyServicesBase>(B
     nonce: string;
     clientId: string;
   }): string {
-    const url = new URL(`${this.authUrl}/${params.mode}`);
+    const url = new URL(`${(this.config.authWebUrl || (this.constructor as any).DEFAULT_AUTH_URL)}/${params.mode}`);
     url.searchParams.set('redirect_uri', params.redirectUri);
     url.searchParams.set('state', params.state);
     url.searchParams.set('nonce', params.nonce);