@oxyhq/core 3.4.0 → 3.4.2

package/dist/types/mixins/OxyServices.location.d.ts

@@ -43,7 +43,7 @@ export declare function OxyServicesLocationMixin<T extends typeof OxyServicesBas
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.managedAccounts.d.ts

@@ -100,7 +100,7 @@ export declare function OxyServicesManagedAccountsMixin<T extends typeof OxyServ
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.payment.d.ts

@@ -90,7 +90,7 @@ export declare function OxyServicesPaymentMixin<T extends typeof OxyServicesBase
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.popup.d.ts

@@ -1,25 +1,17 @@
-import type { OxyServicesBase } from '../OxyServices.base';
-import type { SessionLoginResponse } from '../models/session';
+import type { OxyServicesBase } from "../OxyServices.base";
+import type { SessionLoginResponse } from "../models/session";
 export interface PopupAuthOptions {
+    /** Legacy option. Popup auth is removed; dimensions are ignored. */
     width?: number;
+    /** Legacy option. Popup auth is removed; dimensions are ignored. */
     height?: number;
+    /** Legacy option. Popup auth is removed; timeout is ignored. */
     timeout?: number;
-    mode?: 'login' | 'signup';
+    /** Legacy option. Signup also fails closed. */
+    mode?: "login" | "signup";
     /**
-     * A popup window handle the caller already opened SYNCHRONOUSLY inside the
-     * user-gesture event handler (e.g. an `onClick`). The mixin will navigate
-     * this window to the auth URL instead of calling `window.open` itself.
-     *
-     * Why this exists: Chrome (and other modern browsers) only honor
-     * `window.open` while a transient user-activation is in scope. The
-     * activation is consumed by the FIRST `await` in the click handler — so any
-     * caller that awaits FedCM / silent SSO before reaching `signInWithPopup`
-     * loses the activation and sees the popup blocked. The caller can dodge
-     * this by opening a blank popup on the raw click via `openBlankPopup()`,
-     * then passing the handle in here.
-     *
-     * `null` is accepted (and is the same as omitting the option) so consumers
-     * can pass through the result of `openBlankPopup()` without an extra guard.
+     * A legacy popup window handle. `signInWithPopup` closes it and throws
+     * because popup auth has been removed.
      */
     popup?: Window | null;
 }
@@ -46,64 +38,22 @@ export interface SilentAuthOptions {
     authWebUrlOverride?: string;
 }
 /**
- * Popup-based Cross-Domain Authentication Mixin
- *
- * Implements OAuth2-style authentication using popup windows and postMessage.
- * This is the primary authentication method for modern browsers, providing a
- * Google-like experience without full page redirects.
- *
- * Flow:
- * 1. Opens small popup window to auth.oxy.so
- * 2. User signs in (auth.oxy.so sets its own first-party cookie)
- * 3. auth.oxy.so sends token back via postMessage
- * 4. Popup closes, parent app has the session
- *
- * Features:
- * - No full page redirect (preserves app state)
- * - Works across different domains (homiio.com, mention.earth, etc.)
- * - Silent refresh using hidden iframe for seamless SSO
- * - CSRF protection via state parameter
- * - XSS protection via origin validation
+ * Cross-domain browser auth helpers.
  *
- * Browser Support: All modern browsers (IE11+)
+ * Popup sign-in is intentionally fail-closed in the clean session model because
+ * the historical implementation required bearer-token callback URLs. FedCM,
+ * redirect SSO, and silent iframe SSO are the supported browser paths.
  */
 export declare function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBase>(Base: T): {
     new (...args: any[]): {
         /** Resolve auth URL from config or static default (method, not getter — getters break in TS mixins) */
         resolveAuthUrl(): string;
         /**
-         * Sign in using popup window
-         *
-         * Opens a centered popup window to auth.oxy.so where the user can sign in.
-         * The popup automatically closes after successful authentication and the
-         * session is returned to the parent window.
-         *
-         * @param options - Popup configuration options
-         * @returns Session with access token and user data
-         * @throws {OxyAuthenticationError} If popup is blocked or auth fails
-         *
-         * @example
-         * ```typescript
-         * const handleSignIn = async () => {
-         *   try {
-         *     const session = await oxyServices.signInWithPopup();
-         *     console.log('Signed in:', session.user);
-         *   } catch (error) {
-         *     if (error.message.includes('blocked')) {
-         *       alert('Please allow popups for this site');
-         *     }
-         *   }
-         * };
-         * ```
+         * Removed popup sign-in. Closes a caller-supplied popup handle and throws.
          */
         signInWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
         /**
-         * Sign up using popup window
-         *
-         * Same as signInWithPopup but opens the signup page by default.
-         *
-         * @param options - Popup configuration options
-         * @returns Session with access token and user data
+         * Removed popup signup. Closes a caller-supplied popup handle and throws.
          */
         signUpWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
         /**
@@ -114,7 +64,7 @@ export declare function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBa
          *
          * How it works:
          * 1. Creates hidden iframe pointing to auth.oxy.so/silent-auth
-         * 2. If user has valid session at auth.oxy.so, it sends token via postMessage
+         * 2. If user has valid session at auth.oxy.so, it exchanges an opaque SSO code
          * 3. If not, iframe responds with null (no error thrown)
          *
          * This should be called on app startup to check for existing sessions.
@@ -139,23 +89,8 @@ export declare function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBa
         /**
          * Open a blank, centered popup window SYNCHRONOUSLY.
          *
-         * Use this in a click (or other user-gesture) handler BEFORE any `await`
-         * to capture the transient user-activation. Pass the returned handle into
-         * `signInWithPopup({ popup })` once the async portion of the flow runs.
-         *
-         * Returns `null` if the browser's popup blocker rejected the open.
-         *
-         * @example
-         * ```typescript
-         * const onSignInClick = () => {
-         *   const popup = oxyServices.openBlankPopup();
-         *   (async () => {
-         *     const silent = await oxyServices.silentSignInWithFedCM();
-         *     if (silent) { popup?.close(); return; }
-         *     await oxyServices.signInWithPopup({ popup });
-         *   })();
-         * };
-         * ```
+         * Kept only so legacy callers can pass a handle to the removed popup method,
+         * which closes it before throwing. New auth code should use FedCM or redirect.
          */
         openBlankPopup(width?: number, height?: number): Window | null;
         /**
@@ -164,54 +99,18 @@ export declare function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBa
          * @private
          */
         openCenteredPopup(url: string, title: string, width: number, height: number): Window | null;
-        /**
-         * Wait for authentication response from popup
-         *
-         * @private
-         */
-        waitForPopupAuth(popup: Window, expectedState: string, timeout: number): Promise<SessionLoginResponse>;
         /**
          * Wait for authentication response from iframe
          *
          * @private
          */
         waitForIframeAuth(iframe: HTMLIFrameElement, timeout: number, expectedOrigin: string): Promise<SessionLoginResponse | null>;
-        /**
-         * Build authentication URL with query parameters
-         *
-         * @private
-         */
-        buildAuthUrl(params: {
-            mode: string;
-            state: string;
-            nonce: string;
-            clientId: string;
-            redirectUri: string;
-        }): string;
-        /**
-         * Generate cryptographically secure state for CSRF protection
-         *
-         * @private
-         */
-        generateState(): string;
         /**
          * Generate nonce for replay attack prevention
          *
          * @private
          */
         generateNonce(): string;
-        /**
-         * Store auth state in session storage
-         *
-         * @private
-         */
-        storeAuthState(state: string, nonce: string): void;
-        /**
-         * Clear auth state from session storage
-         *
-         * @private
-         */
-        clearAuthState(state: string): void;
         httpService: import("../HttpService").HttpService;
         cloudURL: string;
         config: import("../OxyServices.base").OxyConfig;
@@ -266,7 +165,6 @@ export declare function OxyServicesPopupAuthMixin<T extends typeof OxyServicesBa
     readonly DEFAULT_AUTH_URL: "https://auth.oxy.so";
     readonly POPUP_WIDTH: 500;
     readonly POPUP_HEIGHT: 700;
-    readonly POPUP_TIMEOUT: 60000;
     readonly SILENT_TIMEOUT: 5000;
 } & T;
 export { OxyServicesPopupAuthMixin as PopupAuthMixin };

package/dist/types/mixins/OxyServices.privacy.d.ts

@@ -101,7 +101,7 @@ export declare function OxyServicesPrivacyMixin<T extends typeof OxyServicesBase
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.redirect.d.ts

@@ -6,190 +6,35 @@ export interface RedirectAuthOptions {
     preserveUrl?: boolean;
 }
 /**
- * Redirect-based Cross-Domain Authentication Mixin
+ * Redirect-based authentication without bearer tokens in URLs.
  *
- * Implements traditional OAuth2 redirect flow as a fallback when popup or
- * FedCM are not available or fail (e.g., mobile browsers, popup blockers).
- *
- * Flow:
- * 1. Save current URL
- * 2. Redirect to auth.oxy.so/login
- * 3. User signs in
- * 4. Redirect back with token in URL
- * 5. Extract token, restore session, clean URL
- *
- * Features:
- * - Works on all browsers (including old mobile browsers)
- * - Automatic URL cleanup after auth
- * - State preservation option
- * - CSRF protection via state parameter
- *
- * Trade-offs:
- * - Loses JavaScript app state (full page navigation)
- * - Visible redirect (user sees navigation)
- * - Slower perceived performance
+ * The redirect fallback now uses the same central SSO code-return contract as
+ * cold boot: the RP stores CSRF/destination state in sessionStorage, navigates
+ * to the central IdP, receives only an opaque one-time code in the URL fragment,
+ * and the provider's `sso-return` step exchanges that code for the real session.
  */
 export declare function OxyServicesRedirectAuthMixin<T extends typeof OxyServicesBase>(Base: T): {
     new (...args: any[]): {
         /**
-         * Sign in using full page redirect
-         *
-         * Redirects the user to auth.oxy.so for authentication. After successful
-         * sign-in, the user will be redirected back to the current page (or custom
-         * redirect URI) with authentication tokens in the URL.
-         *
-         * Call handleAuthCallback() on app startup to complete the flow.
-         *
-         * @param options - Redirect configuration options
-         *
-         * @example
-         * ```typescript
-         * // Initiate sign-in
-         * const handleSignIn = () => {
-         *   oxyServices.signInWithRedirect();
-         * };
+         * Start a full-page redirect through the central SSO flow.
          *
-         * // Handle callback on app startup
-         * useEffect(() => {
-         *   const session = oxyServices.handleAuthCallback();
-         *   if (session) {
-         *     setUser(session.user);
-         *   }
-         * }, []);
-         * ```
+         * No access token, refresh token, or session id is ever put in the URL or
+         * localStorage. The caller's provider must run `consumeSsoReturn` on startup
+         * to complete the code exchange and commit the session.
          */
         signInWithRedirect(options?: RedirectAuthOptions): void;
-        /**
-         * Sign up using full page redirect
-         *
-         * Same as signInWithRedirect but opens the signup page by default.
-         */
         signUpWithRedirect(options?: RedirectAuthOptions): void;
         /**
-         * Handle authentication callback
-         *
-         * Call this on app startup to check if the current page load is a
-         * redirect back from the authentication server. If it is, this method
-         * will extract the tokens, store them, and clean up the URL.
-         *
-         * @returns Session data if this is a callback, null otherwise
-         * @throws {OxyAuthenticationError} If state validation fails (CSRF attack)
-         *
-         * @example
-         * ```typescript
-         * // In your app's root component or startup logic
-         * useEffect(() => {
-         *   try {
-         *     const session = oxyServices.handleAuthCallback();
-         *     if (session) {
-         *       console.log('Logged in:', session.user);
-         *       setUser(session.user);
-         *     } else {
-         *       // Not a callback, check for existing session
-         *       const restored = oxyServices.restoreSession();
-         *       if (!restored) {
-         *         // No session, show login button
-         *       }
-         *     }
-         *   } catch (error) {
-         *     console.error('Auth callback failed:', error);
-         *   }
-         * }, []);
-         * ```
+         * Legacy token-query callbacks are intentionally rejected. Modern providers
+         * complete redirect auth through `consumeSsoReturn`, which accepts only
+         * `#oxy_sso=ok&code=...`.
          */
         handleAuthCallback(): SessionLoginResponse | null;
-        /**
-         * Restore session from storage
-         *
-         * Attempts to restore a previously authenticated session from localStorage.
-         * Call this on app startup if handleAuthCallback() returns null.
-         *
-         * @returns True if session was restored, false otherwise
-         *
-         * @example
-         * ```typescript
-         * useEffect(() => {
-         *   const session = oxyServices.handleAuthCallback();
-         *   if (!session) {
-         *     const restored = oxyServices.restoreSession();
-         *     if (!restored) {
-         *       // No session, user needs to sign in
-         *       setShowLogin(true);
-         *     }
-         *   }
-         * }, []);
-         * ```
-         */
         restoreSession(): boolean;
-        /**
-         * Clear stored session
-         *
-         * Removes all authentication data from storage. Call this on logout.
-         */
         clearStoredSession(): void;
-        /**
-         * Get stored session ID
-         */
         getStoredSessionId(): string | null;
-        /**
-         * Build authentication URL with query parameters
-         *
-         * @private
-         */
-        buildAuthUrl(params: {
-            mode: string;
-            redirectUri: string;
-            state: string;
-            nonce: string;
-            clientId: string;
-        }): string;
-        /**
-         * Store tokens in localStorage
-         *
-         * @private
-         */
-        storeTokens(accessToken: string, sessionId: string): void;
-        /**
-         * Generate cryptographically secure state for CSRF protection
-         *
-         * @private
-         */
         generateState(): string;
-        /**
-         * Generate nonce for replay attack prevention
-         *
-         * @private
-         */
         generateNonce(): string;
-        /**
-         * Store auth state in session storage
-         *
-         * @private
-         */
-        storeAuthState(state: string, nonce: string): void;
-        /**
-         * Get stored state
-         *
-         * @private
-         */
-        getStoredState(): string | null;
-        /**
-         * Clear auth state from storage
-         *
-         * @private
-         */
-        clearAuthState(): void;
-        /**
-         * Save pre-authentication URL to restore later
-         *
-         * @private
-         */
-        savePreAuthUrl(url: string): void;
-        /**
-         * Clean authentication parameters from URL
-         *
-         * @private
-         */
         cleanAuthCallbackUrl(url: URL): void;
         httpService: import("../HttpService").HttpService;
         cloudURL: string;
@@ -217,7 +62,7 @@ export declare function OxyServicesRedirectAuthMixin<T extends typeof OxyService
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;
@@ -242,11 +87,5 @@ export declare function OxyServicesRedirectAuthMixin<T extends typeof OxyService
             [key: string]: any;
         }>;
     };
-    readonly DEFAULT_AUTH_URL: "https://auth.oxy.so";
-    readonly TOKEN_STORAGE_KEY: "oxy_access_token";
-    readonly SESSION_STORAGE_KEY: "oxy_session_id";
-    readonly STATE_STORAGE_KEY: "oxy_auth_state";
-    readonly PRE_AUTH_URL_KEY: "oxy_pre_auth_url";
-    readonly NONCE_STORAGE_KEY: "oxy_auth_nonce";
 } & T;
 export { OxyServicesRedirectAuthMixin as RedirectAuthMixin };

package/dist/types/mixins/OxyServices.reputation.d.ts

@@ -408,7 +408,7 @@ export declare function OxyServicesReputationMixin<T extends typeof OxyServicesB
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.security.d.ts

@@ -57,7 +57,7 @@ export declare function OxyServicesSecurityMixin<T extends typeof OxyServicesBas
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.silent.d.ts

@@ -0,0 +1,131 @@
+import type { OxyServicesBase } from "../OxyServices.base";
+import type { SessionLoginResponse } from "../models/session";
+export interface SilentAuthOptions {
+    timeout?: number;
+    /**
+     * Override the auth-web (IdP) origin used for the silent iframe, instead of
+     * the instance's configured `resolveAuthUrl()`.
+     *
+     * Why this exists: an instance configured with the CENTRAL IdP
+     * (`authWebUrl=https://auth.oxy.so`, for the opaque-code `/sso` bounce and
+     * FedCM) cannot read the DURABLE per-apex `fedcm_session` cookie via the
+     * central host — that cookie is first-party only on `auth.<rp-apex>` (e.g.
+     * `auth.mention.earth`). The cross-domain reload-restore path must point the
+     * `/auth/silent` iframe at the PER-APEX host so the cookie is same-site to
+     * the RP page (first-party under Safari ITP / Firefox TCP) and the restore
+     * is NOT a top-level navigation (no flash, works in a backgrounded tab).
+     *
+     * When provided this value is used BOTH for the iframe `src` AND for the
+     * `postMessage` origin validation in {@link waitForIframeAuth}, so the
+     * security check still matches the exact origin the iframe was loaded from.
+     * Must be an absolute origin (`https://auth.<apex>`); ignored if empty.
+     */
+    authWebUrlOverride?: string;
+}
+/**
+ * Cross-domain silent browser auth helpers.
+ *
+ * The clean session model supports FedCM, tokenless redirect SSO, and silent
+ * iframe SSO. Bearer-token callback URLs are not part of this surface.
+ */
+export declare function OxyServicesSilentAuthMixin<T extends typeof OxyServicesBase>(Base: T): {
+    new (...args: any[]): {
+        /** Resolve auth URL from config or static default (method, not getter — getters break in TS mixins) */
+        resolveAuthUrl(): string;
+        /**
+         * Silent sign-in using hidden iframe
+         *
+         * Attempts to automatically re-authenticate the user without any UI.
+         * This is what enables seamless SSO across all Oxy domains.
+         *
+         * How it works:
+         * 1. Creates hidden iframe pointing to auth.oxy.so/silent-auth
+         * 2. If user has valid session at auth.oxy.so, it exchanges an opaque SSO code
+         * 3. If not, iframe responds with null (no error thrown)
+         *
+         * This should be called on app startup to check for existing sessions.
+         *
+         * @param options - Silent auth options
+         * @returns Session if user is signed in, null otherwise
+         *
+         * @example
+         * ```typescript
+         * useEffect(() => {
+         *   const checkAuth = async () => {
+         *     const session = await oxyServices.silentSignIn();
+         *     if (session) {
+         *       setUser(session.user);
+         *     }
+         *   };
+         *   checkAuth();
+         * }, []);
+         * ```
+         */
+        silentSignIn(options?: SilentAuthOptions): Promise<SessionLoginResponse | null>;
+        /**
+         * Wait for authentication response from iframe
+         *
+         * @private
+         */
+        waitForIframeAuth(iframe: HTMLIFrameElement, timeout: number, expectedOrigin: string): Promise<SessionLoginResponse | null>;
+        /**
+         * Generate nonce for replay attack prevention
+         *
+         * @private
+         */
+        generateNonce(): string;
+        httpService: import("../HttpService").HttpService;
+        cloudURL: string;
+        config: import("../OxyServices.base").OxyConfig;
+        __resetTokensForTests(): void;
+        makeRequest<T_1>(method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE", url: string, data?: any, options?: import("../HttpService").RequestOptions): Promise<T_1>;
+        getBaseURL(): string;
+        getSessionBaseUrl(): string;
+        getClient(): import("../HttpService").HttpService;
+        getMetrics(): {
+            totalRequests: number;
+            successfulRequests: number;
+            failedRequests: number;
+            cacheHits: number;
+            cacheMisses: number;
+            averageResponseTime: number;
+        };
+        clearCache(): void;
+        clearCacheEntry(key: string): void;
+        clearCacheByPrefix(prefix: string): number;
+        getCacheStats(): {
+            size: number;
+            hits: number;
+            misses: number;
+            hitRate: number;
+        };
+        getCloudURL(): string;
+        setTokens(accessToken: string): void;
+        clearTokens(): void;
+        onTokensChanged(listener: (accessToken: string | null) => void): () => void;
+        _cachedUserId: string | null | undefined;
+        _cachedAccessToken: string | null;
+        getCurrentUserId(): string | null;
+        hasValidToken(): boolean;
+        getAccessToken(): string | null;
+        setActingAs(userId: string | null): void;
+        getActingAs(): string | null;
+        waitForAuth(timeoutMs?: number): Promise<boolean>;
+        withAuthRetry<T_1>(operation: () => Promise<T_1>, operationName: string, options?: {
+            maxRetries?: number;
+            retryDelay?: number;
+            authTimeoutMs?: number;
+        }): Promise<T_1>;
+        validate(): Promise<boolean>;
+        handleError(error: unknown): Error;
+        healthCheck(): Promise<{
+            status: string;
+            users?: number;
+            timestamp?: string;
+            [key: string]: any;
+        }>;
+    };
+    readonly DEFAULT_AUTH_URL: "https://auth.oxy.so";
+    readonly SILENT_TIMEOUT: 5000;
+} & T;
+export { OxyServicesSilentAuthMixin as SilentAuthMixin };

package/dist/types/mixins/OxyServices.sso.d.ts

@@ -29,8 +29,7 @@ import type { SessionLoginResponse } from '../models/session';
  *
  * Exposed as a module-level helper (in addition to the instance method below)
  * so consumers that do not yet hold an `OxyServices` instance can still mint a
- * bounce state. Reuses the same `crypto.randomUUID`-based generator the popup
- * mixin uses for its CSRF state, with a `getRandomValues` fallback.
+ * bounce state. Uses `crypto.randomUUID` with a `getRandomValues` fallback.
  */
 export declare function generateSsoState(): string;
 export declare function OxyServicesSsoMixin<T extends typeof OxyServicesBase>(Base: T): {
@@ -38,8 +37,8 @@ export declare function OxyServicesSsoMixin<T extends typeof OxyServicesBase>(Ba
         /**
          * Generate cryptographically secure state for the SSO bounce (CSRF
          * protection). Delegates to the module-level {@link generateSsoState}
-         * helper, which uses the same `crypto.randomUUID`-based generator the popup
-         * mixin's `generateState()` uses — one shared secure-random implementation.
+         * helper, which uses `crypto.randomUUID` when available and falls back to
+         * `crypto.getRandomValues`.
          */
         generateSsoState(): string;
         /**
@@ -83,7 +82,7 @@ export declare function OxyServicesSsoMixin<T extends typeof OxyServicesBase>(Ba
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.topics.d.ts

@@ -83,7 +83,7 @@ export declare function OxyServicesTopicsMixin<T extends typeof OxyServicesBase>
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.user.d.ts

@@ -249,7 +249,7 @@ export declare function OxyServicesUserMixin<T extends typeof OxyServicesBase>(B
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;