@oxyhq/core 3.4.1 → 3.4.2

package/dist/types/AuthManager.d.ts

@@ -24,7 +24,7 @@ export type AuthStateChangeCallback = (user: MinimalUserData | null) => void;
 /**
  * Auth method types.
  */
-export type AuthMethod = 'fedcm' | 'popup' | 'redirect' | 'credentials' | 'identity';
+export type AuthMethod = 'fedcm' | 'redirect' | 'credentials' | 'identity';
 /**
  * Auth manager configuration.
  */
@@ -37,20 +37,6 @@ export interface AuthManagerConfig {
     refreshBuffer?: number;
     /** Enable cross-tab coordination via BroadcastChannel (default: true in browsers) */
     crossTabSync?: boolean;
-    /**
-     * "Cookie-only" mode for web apps that rely exclusively on the
-     * `oxy_rt_${authuser}` httpOnly refresh cookies and refuse to fall back
-     * to the legacy localStorage token/refresh-token path.
-     *
-     * - `false` (default): `initialize()` tries `restoreFromCookies()` first;
-     *   if no accounts are restored it falls back to the legacy localStorage
-     *   path (`oxy_access_token` / `oxy_session`).
-     * - `true`: `initialize()` ONLY uses `restoreFromCookies()`. No token /
-     *   refresh-token / session JSON is read from or written to localStorage.
-     *   This is the secure default for apps that ship the cookie path end-to-
-     *   end and want to guarantee no tokens leak to JS-accessible storage.
-     */
-    cookieOnly?: boolean;
 }
 /**
  * AuthManager - Centralized authentication management.
@@ -82,6 +68,7 @@ export declare class AuthManager {
     private storage;
     private listeners;
     private currentUser;
+    private currentAuthMethod;
     private refreshTimer;
     private refreshPromise;
     private config;
@@ -89,8 +76,6 @@ export declare class AuthManager {
     private _lastKnownAccessToken;
     /** BroadcastChannel for coordinating token refreshes across browser tabs. */
     private _broadcastChannel;
-    /** Set to true when another tab broadcasts a successful refresh, so this tab can skip its own. */
-    private _otherTabRefreshed;
     /**
      * Identifier for this AuthManager instance (≈ "this tab"). Random hex
      * generated at construction; advertised in every outgoing broadcast and
@@ -216,13 +201,11 @@ export declare class AuthManager {
      * @param method - Auth method used
      */
     handleAuthSuccess(session: SessionLoginResponse, method?: AuthMethod): Promise<void>;
-    /**
-     * Setup automatic token refresh.
-     */
-    private setupTokenRefresh;
     /**
      * Refresh the access token. Deduplicates concurrent calls so only one
-     * refresh request is in-flight at a time.
+     * refresh request is in-flight at a time. The only refresh authority is the
+     * active httpOnly refresh-cookie slot; this method never reads access tokens
+     * from storage.
      */
     refreshToken(): Promise<boolean>;
     private _doRefreshToken;
@@ -231,7 +214,8 @@ export declare class AuthManager {
      */
     signOut(): Promise<void>;
     /**
-     * Clear session data from storage.
+     * Clear local cookie-path state. The only persisted AuthManager value is the
+     * active numeric slot; tokens and user objects are intentionally memory-only.
      */
     private clearSession;
     /**
@@ -243,7 +227,8 @@ export declare class AuthManager {
      */
     isAuthenticated(): boolean;
     /**
-     * Get a valid access token, refreshing automatically if expired or expiring soon.
+     * Get a valid access token, refreshing automatically if expired or expiring
+     * soon. The token is read from memory only.
      */
     getAccessToken(): Promise<string | null>;
     /**
@@ -253,21 +238,13 @@ export declare class AuthManager {
     /**
      * Initialize auth state on app startup.
      *
-     * Order of operations:
-     *   1. Try the cookie path via `restoreFromCookies()`. This is the
-     *      preferred path because the httpOnly refresh cookies are
-     *      cross-tab, persist across hard reloads, and don't expose any
-     *      refresh-token material to JS.
-     *   2. If the cookie path yielded zero accounts AND `cookieOnly` is
-     *      `false`, fall back to the legacy localStorage path
-     *      (`oxy_access_token` / `oxy_session`) for backwards compatibility
-     *      with apps that haven't migrated to the cookie endpoint yet.
-     *   3. If `cookieOnly` is `true`, skip the legacy fallback entirely.
-     *      This guarantees no tokens or refresh tokens are ever read from
-     *      or written to JS-accessible storage.
+     * Only the cookie path is authoritative. `restoreFromCookies()` refreshes
+     * the httpOnly `oxy_rt_${authuser}` slots through `/auth/refresh-all`,
+     * plants the active access token in memory, and returns the active user.
+     * No access token, refresh token, or session JSON is read from localStorage.
      *
-     * Returns the active user on success, or `null` when neither path
-     * restored a session.
+     * Returns the active user on success, or `null` when no cookie-backed
+     * account was restored.
      */
     initialize(options?: RestoreFromCookiesOptions): Promise<MinimalUserData | null>;
     /**
@@ -290,15 +267,14 @@ export declare class AuthManager {
     private clearActiveAuthuser;
     /**
      * Build a `MinimalUserData` from a `RefreshAllAccount`. Returns `null` when
-     * the wire entry has no user shape (legacy `/auth/refresh` fallback) — the
-     * AuthManager's caller is expected to hydrate via `/users/me` in that
-     * case.
+     * the wire entry has no user shape; the AuthManager's caller is expected to
+     * hydrate via `/users/me` in that case.
      */
     private static toMinimalUser;
     /**
      * Hydrate the user shape for a slot whose AuthManagerAccount currently has
-     * `user: null` (legacy refresh fallback, or a switch onto a previously
-     * unknown slot). Calls `/users/me` with the slot's freshly-planted access
+     * `user: null` (for example, a switch onto a previously unknown slot). Calls
+     * `/users/me` with the slot's freshly-planted access
      * token already on the HTTP client; merges the result back into the
      * registry entry. Network failures are non-fatal — the slot remains with
      * `user: null` and the UI is expected to render the public-key fallback
@@ -326,9 +302,7 @@ export declare class AuthManager {
      * Calls `oxyServices.refreshAllSessions()` (`POST /auth/refresh-all` with
      * `credentials: 'include'`). The server rotates every presented
      * `oxy_rt_${authuser}` cookie in parallel and returns one entry per
-     * VALID slot. The SDK transparently falls back to the legacy single-slot
-     * `/auth/refresh` against older servers (handled inside
-     * `refreshAllSessions`).
+     * valid slot.
      *
      * Plants the active account's access token on the shared HTTP client;
      * sibling slots' tokens stay in the in-memory registry so a later
@@ -374,16 +348,14 @@ export declare class AuthManager {
      *
      * Calls `oxyServices.logoutAllSessionsViaCookie()`: server-side revokes
      * every presented family and `Set-Cookie`s an immediate expiry for every
-     * recognised `oxy_rt_${n}` slot AND the legacy `oxy_rt` cookie. The
-     * in-memory registry is wiped, the active slot is cleared, and the
-     * persisted `oxy_active_authuser` is removed so the next cold boot
-     * starts fresh.
+     * recognised `oxy_rt_${n}` slot. The in-memory registry is wiped, the active
+     * slot is cleared, and the persisted `oxy_active_authuser` is removed so the
+     * next cold boot starts fresh.
      */
     signOutAllViaCookies(): Promise<void>;
     /**
-     * Schedule an auto-refresh for the cookie path on the active slot. Reuses
-     * the same single `refreshTimer` as the legacy path (the AuthManager has
-     * exactly ONE active slot at a time, so one timer suffices).
+     * Schedule an auto-refresh for the cookie path on the active slot. The
+     * AuthManager has exactly one active slot at a time, so one timer suffices.
      */
     private setupCookieRefresh;
     /**
@@ -392,6 +364,7 @@ export declare class AuthManager {
      * signature when minting the token. Returns `null` on malformed input.
      */
     private static decodeSessionIdFromAccessToken;
+    private static decodeAuthuserFromAccessToken;
     /**
      * Destroy the auth manager and clean up resources.
      */

package/dist/types/AuthManagerTypes.d.ts

@@ -28,13 +28,10 @@ export interface AuthManagerAccount {
      * Projected user shape from the wire (username/avatar/color/email).
      *
      * `null` when a refresh-via-cookie planted a fresh access token for a slot
-     * that the AuthManager has no prior in-memory user metadata for — e.g. the
-     * legacy `/auth/refresh` 404 fallback path inside `refreshAllSessions`, or
-     * a `switchAuthuser` against a slot that wasn't present in the previous
-     * `restoreFromCookies` snapshot. Callers (or the AuthManager itself) are
-     * expected to hydrate the user shape via `getCurrentUser()` after the token
-     * is planted; the chooser UI must render the public-key fallback handle
-     * until the hydration completes.
+     * that the AuthManager has no prior in-memory user metadata for. Callers (or
+     * the AuthManager itself) are expected to hydrate the user shape via
+     * `getCurrentUser()` after the token is planted; the chooser UI must render
+     * the public-key fallback handle until the hydration completes.
      */
     user: RefreshAllAccountUser | null;
     /** Currently-valid access token for this slot (in-memory only). */
@@ -75,8 +72,7 @@ export interface RestoreFromCookiesOptions {
 /**
  * Outcome of `AuthManager.switchAuthuser()`.
  *
- * Mirrors the wire `RefreshCookieResponse` but with `authuser` narrowed to
- * `number` (the SDK boundary normalises the legacy `null` slot to `0`).
+ * Mirrors the wire `RefreshCookieResponse`.
  */
 export interface SwitchAuthuserResult {
     accessToken: string;

package/dist/types/CrossDomainAuth.d.ts

@@ -5,8 +5,7 @@
  * selects the best authentication method based on browser capabilities:
  *
  * 1. FedCM (if supported) - Modern, Google-style browser-native auth
- * 2. Popup (fallback) - OAuth2-style popup window
- * 3. Redirect (final fallback) - Traditional full-page redirect
+ * 2. Redirect (fallback) - Tokenless central SSO full-page redirect
  *
  * Usage:
  * ```typescript
@@ -17,8 +16,8 @@
  * // Automatic method selection
  * const session = await auth.signIn();
  *
- * // Or use specific method
- * const session = await auth.signInWithPopup();
+ * // Or use a specific method
+ * auth.signInWithRedirect();
  * ```
  */
 import type { OxyServices } from './OxyServices';
@@ -28,10 +27,9 @@ export interface CrossDomainAuthOptions {
      * Preferred authentication method
      * - 'auto': Automatically select best method (default)
      * - 'fedcm': Use FedCM (browser-native)
-     * - 'popup': Use popup window
      * - 'redirect': Use full-page redirect
      */
-    method?: 'auto' | 'fedcm' | 'popup' | 'redirect';
+    method?: 'auto' | 'fedcm' | 'redirect';
     /**
      * Custom redirect URI (for redirect method)
      */
@@ -40,24 +38,10 @@ export interface CrossDomainAuthOptions {
      * Whether to open signup page instead of login
      */
     isSignup?: boolean;
-    /**
-     * Popup window dimensions (for popup method)
-     */
-    popupDimensions?: {
-        width?: number;
-        height?: number;
-    };
     /**
      * Callback when auth method is selected
      */
-    onMethodSelected?: (method: 'fedcm' | 'popup' | 'redirect') => void;
-    /**
-     * A popup window the caller already opened SYNCHRONOUSLY in the user-gesture
-     * handler. Forwarded to `OxyServices.signInWithPopup` so the popup is not
-     * blocked by Chrome after any prior `await` (FedCM / silent SSO) has
-     * consumed the transient user activation. See `OxyServices.openBlankPopup`.
-     */
-    popup?: Window | null;
+    onMethodSelected?: (method: 'fedcm' | 'redirect') => void;
 }
 export declare class CrossDomainAuth {
     private oxyServices;
@@ -67,21 +51,12 @@ export declare class CrossDomainAuth {
      *
      * Tries methods in this order:
      * 1. FedCM (if supported and not in private browsing)
-     * 2. Popup (if not blocked)
-     * 3. Redirect (always works)
+     * 2. Redirect (always works)
      *
      * @param options - Authentication options
      * @returns Session with user data and access token
      */
     signIn(options?: CrossDomainAuthOptions): Promise<SessionLoginResponse | null>;
-    /**
-     * Close a caller-supplied popup window that is no longer needed (e.g. the
-     * resolved auth method didn't end up using it). Safe against null / already
-     * closed handles.
-     *
-     * @private
-     */
-    private closeOrphanPopup;
     /**
      * Automatic sign-in with progressive enhancement
      *
@@ -91,15 +66,9 @@ export declare class CrossDomainAuth {
     /**
      * Sign in using FedCM (Federated Credential Management)
      *
-     * Best method - browser-native, no popups, Google-like experience
+     * Best method - browser-native, Google-like experience
      */
     signInWithFedCM(options?: CrossDomainAuthOptions): Promise<SessionLoginResponse>;
-    /**
-     * Sign in using popup window
-     *
-     * Good method - preserves app state, no full page reload
-     */
-    signInWithPopup(options?: CrossDomainAuthOptions): Promise<SessionLoginResponse>;
     /**
      * Sign in using full-page redirect
      *
@@ -116,25 +85,18 @@ export declare class CrossDomainAuth {
      * Silent sign-in (check for existing session)
      *
      * Tries to automatically sign in without user interaction.
-     * Works with both FedCM and popup/iframe methods.
+     * Works with FedCM and iframe-based silent auth.
      *
      * @returns Session if user is already signed in, null otherwise
      */
     silentSignIn(): Promise<SessionLoginResponse | null>;
     /**
-     * Restore session from storage
+     * Restore session from storage.
      *
-     * For redirect method - restores previously authenticated session from localStorage
+     * Access tokens are no longer persisted in browser storage; providers restore
+     * through refresh cookies / SSO code exchange instead.
      */
     restoreSession(): boolean;
-    /**
-     * Open a blank popup SYNCHRONOUSLY (call from a raw user-gesture handler
-     * BEFORE any `await`). Returns `null` if the popup was blocked. Pass the
-     * handle into `signIn({ popup })` / `signInWithPopup({ popup })` so the
-     * popup is not blocked by Chrome after any prior `await` consumed the
-     * transient user activation. Delegates to `OxyServices.openBlankPopup`.
-     */
-    openBlankPopup(width?: number, height?: number): Window | null;
     /**
      * Check if FedCM is supported in current browser
      */
@@ -145,7 +107,7 @@ export declare class CrossDomainAuth {
      * @returns Recommended method name and reason
      */
     getRecommendedMethod(): {
-        method: 'fedcm' | 'popup' | 'redirect';
+        method: 'fedcm' | 'redirect';
         reason: string;
     };
     /**
@@ -153,8 +115,7 @@ export declare class CrossDomainAuth {
      *
      * This handles:
      * 1. Redirect callback (if returning from auth.oxy.so)
-     * 2. Session restoration (from localStorage)
-     * 3. Silent sign-in (check for existing SSO session)
+     * 2. Silent sign-in (check for existing SSO session)
      *
      * @returns Session if user is authenticated, null otherwise
      */

package/dist/types/HttpService.d.ts

@@ -13,6 +13,8 @@
  * - Request queuing
  */
 import type { OxyConfig } from './models/interfaces';
+export type AuthRefreshReason = 'preflight' | 'response-401';
+export type AuthRefreshHandler = (reason: AuthRefreshReason) => Promise<string | null>;
 export interface RequestOptions {
     cache?: boolean;
     cacheTTL?: number;
@@ -49,13 +51,12 @@ export declare class HttpService {
     private config;
     private tokenRefreshPromise;
     private tokenRefreshCooldownUntil;
-    private _onTokenRefreshed;
+    private authRefreshHandler;
     /**
      * Fan-out listeners notified on EVERY access-token change on this instance:
-     * explicit `setTokens`, `clearTokens`, a successful silent refresh, and the
-     * internal 401-driven clear. Unlike the single-slot `_onTokenRefreshed`
-     * (owned by AuthManager for the refresh path only), this is a Set so multiple
-     * independent observers can mirror token state without clobbering each other.
+     * explicit `setTokens`, `clearTokens`, an AuthManager-owned refresh, and the
+     * internal 401-driven clear. This is a Set so multiple independent observers
+     * can mirror token state without clobbering each other.
      *
      * Each listener receives the resulting access token, or `null` when cleared.
      */
@@ -171,7 +172,7 @@ export declare class HttpService {
      * Get auth header with automatic token refresh
      */
     private getAuthHeader;
-    private _refreshTokenFromSession;
+    private refreshAccessToken;
     /**
      * Unwrap standardized API response format
      */
@@ -187,8 +188,8 @@ export declare class HttpService {
     delete<T = unknown>(url: string, config?: Omit<RequestConfig, 'method' | 'url'>): Promise<T>;
     setActingAs(userId: string | null): void;
     getActingAs(): string | null;
-    setTokens(accessToken: string, refreshToken?: string): void;
-    set onTokenRefreshed(callback: ((accessToken: string) => void) | null);
+    setTokens(accessToken: string): void;
+    setAuthRefreshHandler(handler: AuthRefreshHandler | null): void;
     clearTokens(): void;
     /**
      * Subscribe to access-token changes on this instance.

package/dist/types/OxyServices.base.d.ts

@@ -82,7 +82,7 @@ export declare class OxyServicesBase {
     /**
      * Set authentication tokens
      */
-    setTokens(accessToken: string, refreshToken?: string): void;
+    setTokens(accessToken: string): void;
     /**
      * Clear stored authentication tokens
      */

package/dist/types/OxyServices.d.ts

@@ -60,7 +60,7 @@ import { type OxyConfig } from './OxyServices.base';
 import { OxyAuthenticationError, OxyAuthenticationTimeoutError } from './OxyServices.errors';
 import type { SessionLoginResponse } from './models/session';
 import type { FedCMAuthOptions, FedCMConfig } from './mixins/OxyServices.fedcm';
-import type { PopupAuthOptions } from './mixins/OxyServices.popup';
+import type { SilentAuthOptions } from './mixins/OxyServices.silent';
 import type { RedirectAuthOptions } from './mixins/OxyServices.redirect';
 import { composeOxyServices } from './mixins';
 /**
@@ -116,15 +116,9 @@ export interface OxyServices extends InstanceType<ReturnType<typeof composeOxySe
     silentSignInWithFedCM(): Promise<SessionLoginResponse | null>;
     revokeFedCMCredential(): Promise<void>;
     getFedCMConfig(): FedCMConfig;
-    signInWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
-    signUpWithPopup(options?: PopupAuthOptions): Promise<SessionLoginResponse>;
-    /**
-     * Open a blank popup SYNCHRONOUSLY (call from a raw user-gesture handler
-     * BEFORE any `await`). Returns `null` if the popup was blocked. Pass the
-     * handle into `signInWithPopup({ popup })` to navigate it to auth.oxy.so
-     * after the async portion of the sign-in flow runs.
-     */
-    openBlankPopup(width?: number, height?: number): Window | null;
+    resolveAuthUrl(): string;
+    silentSignIn(options?: SilentAuthOptions): Promise<SessionLoginResponse | null>;
+    waitForIframeAuth(iframe: HTMLIFrameElement, timeout: number, expectedOrigin: string): Promise<SessionLoginResponse | null>;
     signInWithRedirect(options?: RedirectAuthOptions): void;
     signUpWithRedirect(options?: RedirectAuthOptions): void;
     exchangeSsoCode(code: string): Promise<SessionLoginResponse>;

package/dist/types/index.d.ts

@@ -25,7 +25,7 @@ export type { AuthManagerAccount, RestoreFromCookiesResult, RestoreFromCookiesOp
 export { CrossDomainAuth, createCrossDomainAuth } from './CrossDomainAuth';
 export type { CrossDomainAuthOptions } from './CrossDomainAuth';
 export type { FedCMAuthOptions, FedCMConfig, AuthorizedApp } from './mixins/OxyServices.fedcm';
-export type { PopupAuthOptions } from './mixins/OxyServices.popup';
+export type { SilentAuthOptions } from './mixins/OxyServices.silent';
 export type { RedirectAuthOptions } from './mixins/OxyServices.redirect';
 export { ServiceCredentialMismatchError } from './mixins/OxyServices.auth';
 export type { ServiceTokenResponse } from './mixins/OxyServices.auth';

package/dist/types/mixins/OxyServices.analytics.d.ts

@@ -45,7 +45,7 @@ export declare function OxyServicesAnalyticsMixin<T extends typeof OxyServicesBa
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.appData.d.ts

@@ -81,7 +81,7 @@ export declare function OxyServicesAppDataMixin<T extends typeof OxyServicesBase
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.applications.d.ts

@@ -389,7 +389,7 @@ export declare function OxyServicesApplicationsMixin<T extends typeof OxyService
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.assets.d.ts

@@ -118,7 +118,7 @@ export declare function OxyServicesAssetsMixin<T extends typeof OxyServicesBase>
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.auth.d.ts

@@ -23,8 +23,8 @@ export interface RefreshAllOptions {
      * or unreachable endpoint with no useful answer coming back. As one step of
      * the ordered cold-boot sequence, a stalled refresh is dead latency in front
      * of the steps that actually hold the answer. A bounded abort lets cold boot
-     * fall through quickly. Omit (or pass `0`/negative) to wait indefinitely
-     * (the legacy behaviour). The abort is treated identically to a 401 — the
+     * fall through quickly. Omit (or pass `0`/negative) to wait indefinitely.
+     * The abort is treated identically to a 401 — the
      * "not signed in on this device" path — never an error.
      */
     timeout?: number;
@@ -245,18 +245,6 @@ export declare function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(B
             sessionId: string;
             user: User | null;
         }>>;
-        /**
-         * Get access token by session ID
-         *
-         * SECURITY: this endpoint requires the caller to already hold a
-         * bearer token whose user owns the referenced session (C1 hardening
-         * in the API). For the device-flow / QR sign-in case where the
-         * client has no bearer token yet, use `claimSessionByToken` instead.
-         */
-        getTokenBySession(sessionId: string): Promise<{
-            accessToken: string;
-            expiresAt: string;
-        }>;
         /**
          * Exchange a device-flow sessionToken for the first access token.
          *
@@ -282,7 +270,6 @@ export declare function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(B
             deviceFingerprint?: string;
         }): Promise<{
             accessToken: string;
-            refreshToken: string;
             sessionId: string;
             deviceId: string;
             expiresAt: string;
@@ -293,19 +280,14 @@ export declare function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(B
          * (Google-style multi-account rebuild).
          *
          * Calls `POST {sessionBaseUrl}/auth/refresh-all` with `credentials: 'include'`
-         * and NO bearer. The browser attaches every `oxy_rt*` cookie it has; the
-         * server rotates each in parallel and returns one entry per VALID account.
+         * and NO bearer. The browser attaches every indexed `oxy_rt_${authuser}`
+         * cookie it has; the server rotates each in parallel and returns one entry
+         * per VALID account.
          *
          * Failure handling:
          * - 401 → no signed-in accounts on this device → returns `{ accounts: [] }`
          *   (NOT an error; this is the cold-boot "not signed in" path).
-         * - 404 → server is older than the multi-account endpoint. We fall back to
-         *   `POST /auth/refresh` (single-slot) and wrap its response in the
-         *   refresh-all shape so callers can treat the two paths uniformly. The
-         *   fallback entry has `authuser: 0` (the legacy slot maps to slot 0 by
-         *   convention) and a minimal `user` shape — consumers needing the full
-         *   user must fetch it separately. Always exactly one account in this
-         *   shape.
+         * - 404 → endpoint not deployed → returns `{ accounts: [] }`.
          * - Any other non-2xx → throws via `handleError`.
          *
          * The refresh cookie itself never enters JS — only the rotated access
@@ -318,9 +300,8 @@ export declare function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(B
          *
          * When `authuser` is provided, the server rotates ONLY that slot
          * (`oxy_rt_${authuser}`) — sibling accounts on the same device stay
-         * untouched. When omitted, the server picks the lowest indexed slot
-         * present (legacy fallback applies). The refresh cookie itself never
-         * enters JS.
+         * untouched. When omitted, the server picks the lowest indexed slot present.
+         * The refresh cookie itself never enters JS.
          *
          * Returns `null` on 401 (no cookie / expired / reused) so the caller can
          * fall through cleanly to the unauthenticated path.
@@ -344,9 +325,7 @@ export declare function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(B
         logoutAllSessionsViaCookie(): Promise<void>;
         /**
          * Internal: raw `POST /auth/refresh[?authuser=N]` call returning the
-         * minted access token. Returns `null` on 401 / non-2xx. Used as both the
-         * implementation of `refreshTokenViaCookie` and the legacy fallback for
-         * `refreshAllSessions` against older servers.
+         * minted access token. Returns `null` on 401 / non-2xx.
          *
          * @internal
          */
@@ -437,7 +416,7 @@ export declare function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(B
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.contacts.d.ts

@@ -73,7 +73,7 @@ export declare function OxyServicesContactsMixin<T extends typeof OxyServicesBas
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.devices.d.ts

@@ -75,7 +75,7 @@ export declare function OxyServicesDevicesMixin<T extends typeof OxyServicesBase
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.features.d.ts

@@ -202,7 +202,7 @@ export declare function OxyServicesFeaturesMixin<T extends typeof OxyServicesBas
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.fedcm.d.ts

@@ -42,7 +42,7 @@ interface FedCMTokenResult {
  * - Firefox: Not yet supported (fallback required)
  *
  * Key Features:
- * - No redirects or popups required
+ * - No redirects or secondary windows required
  * - Browser-native UI prompts
  * - Privacy-preserving (IdP can't track users)
  * - Automatic SSO across domains
@@ -62,7 +62,7 @@ export declare function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(
          *
          * This provides a Google-style authentication experience:
          * - Browser shows native "Sign in with Oxy" prompt
-         * - No redirect or popup required
+         * - No redirect or secondary window required
          * - User approves → credential exchange happens in browser
          * - All apps automatically get SSO after first sign-in
          *
@@ -76,8 +76,8 @@ export declare function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(
          *   const session = await oxyServices.signInWithFedCM();
          *   console.log('Signed in:', session.user);
          * } catch (error) {
-         *   // Fallback to popup or redirect auth
-         *   await oxyServices.signInWithPopup();
+         *   // Fallback to redirect auth
+         *   oxyServices.signInWithRedirect();
          * }
          * ```
          */
@@ -277,7 +277,7 @@ export declare function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;

package/dist/types/mixins/OxyServices.language.d.ts

@@ -60,7 +60,7 @@ export declare function OxyServicesLanguageMixin<T extends typeof OxyServicesBas
             hitRate: number;
         };
         getCloudURL(): string;
-        setTokens(accessToken: string, refreshToken?: string): void;
+        setTokens(accessToken: string): void;
         clearTokens(): void;
         onTokensChanged(listener: (accessToken: string | null) => void): () => void;
         _cachedUserId: string | null | undefined;