@oxyhq/services 10.1.0 → 10.2.1

package/src/ui/components/AccountMenuButton.tsx

@@ -3,7 +3,7 @@ import { useCallback, useRef, useState } from 'react';
 import { TouchableOpacity, StyleSheet, Platform, type LayoutChangeEvent } from 'react-native';
 import { getAccountDisplayName } from '@oxyhq/core';
 import Avatar from './Avatar';
-import AccountMenu from './AccountMenu';
+import AccountMenu, { type AccountMenuAnchor } from './AccountMenu';
 import { useOxy } from '../context/OxyContext';
 import { useI18n } from '../hooks/useI18n';
 
@@ -33,7 +33,7 @@ const AccountMenuButton: React.FC<AccountMenuButtonProps> = ({
     const { user, oxyServices, isAuthenticated } = useOxy();
     const { t, locale } = useI18n();
     const [open, setOpen] = useState(false);
-    const [anchor, setAnchor] = useState<{ top: number; right: number } | null>(null);
+    const [anchor, setAnchor] = useState<AccountMenuAnchor | null>(null);
     const triggerRef = useRef<React.ComponentRef<typeof TouchableOpacity>>(null);
 
     const measureAnchor = useCallback(() => {

package/src/ui/components/OxySignInButton.tsx

@@ -100,7 +100,7 @@ export const OxySignInButton: React.FC<OxySignInButtonProps> = ({
     }, []);
 
     // Handle button press
-    // - Web: legacy full-screen Modal (dialog UX fits desktop / browser)
+    // - Web: full-screen modal (dialog UX fits desktop / browser)
     // - Native: bottom sheet (sheet UX fits iOS/Android)
     const handlePress = useCallback(() => {
         if (onPress) {

package/src/ui/components/SignInModal.tsx

@@ -3,7 +3,7 @@
  *
  * A semi-transparent full-screen modal that displays:
  * - QR code for scanning with Oxy Accounts app
- * - Button to open Oxy Auth popup
+ * - Button to open the Oxy Auth approval page
  *
  * Animates with fade-in effect.
  */
@@ -143,12 +143,11 @@ const SignInModal: React.FC = () => {
     // this is the device-flow equivalent of OAuth's code-for-token
     // exchange (RFC 8628 §3.4).
     //
-    // Without that exchange the SDK has no bearer token and every
-    // subsequent call (including `switchSession` -> `getTokenBySession`)
-    // would 401 against the C1-hardened API. Once `claimSessionByToken`
-    // plants the tokens in the HttpService, the rest of the session
-    // wiring (state, persistence, language preference) flows through
-    // the normal `switchSession` path.
+    // Without that exchange the SDK has no bearer token and the app never
+    // becomes authenticated even though the session is authorized server-side.
+    // Once `claimSessionByToken` plants the tokens in the HttpService, the rest
+    // of the session wiring (state, persistence, language preference) flows
+    // through the normal `switchSession` path.
     const handleAuthSuccess = useCallback(async (sessionId: string, sessionToken: string) => {
         if (isProcessingRef.current) return;
         isProcessingRef.current = true;
@@ -233,8 +232,14 @@ const SignInModal: React.FC = () => {
         });
     }, [oxyServices, handleAuthSuccess, cleanup]);
 
-    // Start polling for authorization (fallback)
+    // Start polling for authorization.
+    //
+    // Idempotent: if a poll interval is already running this is a no-op, so the
+    // `connect_error` path (which also calls this) cannot stack a second
+    // interval on top of the always-on poll started in `generateAuthSession`.
     const startPolling = useCallback((sessionToken: string) => {
+        if (pollingIntervalRef.current) return;
+
         pollingIntervalRef.current = setInterval(async () => {
             if (isProcessingRef.current) return;
 
@@ -292,13 +297,18 @@ const SignInModal: React.FC = () => {
 
             setAuthSession({ sessionToken, expiresAt });
             setIsWaiting(true);
+            // Socket is the fast path; the poll is a transport-independent
+            // backstop that guarantees completion even if the socket connects
+            // but silently never delivers auth_update (RN transport /
+            // idle-timeout).
             connectSocket(sessionToken);
+            startPolling(sessionToken);
         } catch (err: unknown) {
             setError((err instanceof Error ? err.message : null) || 'Failed to create auth session');
         } finally {
             setIsLoading(false);
         }
-    }, [oxyServices, connectSocket, clientId]);
+    }, [oxyServices, connectSocket, startPolling, clientId]);
 
     // Generate a cryptographically random session token.
     // 16 random bytes -> 32 hex chars (128 bits of entropy) — unguessable.
@@ -316,8 +326,8 @@ const SignInModal: React.FC = () => {
         return `oxyauth://${authSession.sessionToken}`;
     };
 
-    // Open Oxy Auth popup
-    const handleOpenAuthPopup = useCallback(async () => {
+    // Open Oxy Auth approval page for this device-flow session.
+    const handleOpenAuthApproval = useCallback(async () => {
         if (!authSession) return;
 
         const baseURL = oxyServices.getBaseURL();
@@ -343,7 +353,7 @@ const SignInModal: React.FC = () => {
         webUrl.searchParams.set('token', authSession.sessionToken);
 
         if (Platform.OS === 'web') {
-            // Open popup window on web
+            // Open a separate approval window on web for the device-flow token.
             const width = 500;
             const height = 650;
             const screenWidth = window.screen?.width ?? width;
@@ -353,8 +363,8 @@ const SignInModal: React.FC = () => {
 
             window.open(
                 webUrl.toString(),
-                'oxy-auth-popup',
-                `width=${width},height=${height},left=${left},top=${top},popup=1`
+                'oxy-auth-approval',
+                `width=${width},height=${height},left=${left},top=${top}`
             );
         } else {
             // Open in browser on native
@@ -438,9 +448,9 @@ const SignInModal: React.FC = () => {
                                 <View style={[styles.divider, { backgroundColor: 'rgba(255,255,255,0.3)' }]} />
                             </View>
 
-                            {/* Open Auth Popup Button */}
+                            {/* Open approval window */}
                             <Button
-                                onPress={handleOpenAuthPopup}
+                                onPress={handleOpenAuthApproval}
                                 icon={<OxyLogo variant="icon" size={20} fillColor={theme.colors.card} />}
                             >
                                 Open Oxy Auth

package/src/ui/components/accountMenuRows.ts

@@ -1,60 +1,48 @@
-import type { User, ClientSession } from '@oxyhq/core';
-import { getAccountDisplayName, getAccountFallbackHandle } from '@oxyhq/core';
+import type { DeviceAccount, DeviceAccountUser } from '../hooks/useDeviceAccounts';
 
 export interface AccountRow {
     sessionId: string;
+    /** Device-local refresh-cookie slot index (web silent-switch). */
+    authuser?: number;
     isActive: boolean;
     displayName: string;
     secondary: string | null;
     avatarUri?: string;
-    user: User | null;
+    user: DeviceAccountUser | null;
 }
 
 export interface BuildAccountRowsInput {
-    sessions: ClientSession[] | null | undefined;
-    activeSessionId: string | null | undefined;
-    user: User | null | undefined;
-    locale: string;
-    getAvatarUrl: (avatarId: string) => string;
+    /**
+     * Per-device account entries from {@link useDeviceAccounts}. Each entry
+     * already carries real per-account `displayName` / `email` / `avatarUrl` /
+     * `color`, so EVERY row (not just the active one) renders full identity.
+     */
+    accounts: DeviceAccount[];
 }
 
 /**
  * Pure builder for `AccountMenu` rows. Extracted so the multi-account display
  * logic can be unit-tested without rendering React Native.
  *
- * Each `sessions[i]` becomes one row. Only the row matching `activeSessionId`
- * carries the loaded `user` payload — the others are placeholders shown by
- * fallback handle. This mirrors how `OxyContext` only hydrates one user at a
- * time.
+ * Maps each {@link DeviceAccount} (sourced from `useDeviceAccounts()`, which
+ * hydrates EVERY account with real name/email/avatar/color from the shared
+ * apex `refresh-all` path or the local fallback) into an `AccountRow`.
+ *
+ * `secondary` is the account's real email when present; otherwise it falls
+ * back to the `@handle` line. A missing email is NEVER synthesized into a fake
+ * `username@oxy.so` — the device-account layer already resolved `email` to the
+ * real value or the `@handle` fallback.
  */
 export function buildAccountRows({
-    sessions,
-    activeSessionId,
-    user,
-    locale,
-    getAvatarUrl,
+    accounts,
 }: BuildAccountRowsInput): AccountRow[] {
-    return (sessions ?? []).map((session: ClientSession) => {
-        const isActive = session.sessionId === activeSessionId;
-        const candidate: Partial<User> | null = isActive ? user ?? null : null;
-        const displayName = getAccountDisplayName(
-            candidate ?? { username: undefined },
-            locale,
-        );
-        const handle = getAccountFallbackHandle(candidate ?? { username: undefined });
-        const secondary = (candidate?.email)
-            ?? (handle && candidate?.username ? `@${handle}` : handle)
-            ?? null;
-        const avatarUri = candidate?.avatar
-            ? getAvatarUrl(candidate.avatar)
-            : undefined;
-        return {
-            sessionId: session.sessionId,
-            isActive,
-            displayName,
-            secondary,
-            avatarUri,
-            user: isActive ? user ?? null : null,
-        };
-    });
+    return accounts.map((account: DeviceAccount): AccountRow => ({
+        sessionId: account.sessionId,
+        authuser: account.authuser,
+        isActive: account.isCurrent,
+        displayName: account.displayName,
+        secondary: account.email,
+        avatarUri: account.avatarUrl,
+        user: account.user,
+    }));
 }

package/src/ui/context/OxyContext.tsx

@@ -89,10 +89,10 @@ export interface OxyContextState {
   signIn: (publicKey: string, deviceName?: string) => Promise<User>;
 
   /**
-   * Handle session from popup authentication
-   * Updates auth state, persists session to storage
+   * Handle a session returned by web SSO.
+   * Updates auth state, persists session metadata to storage.
    */
-  handlePopupSession: (session: SessionLoginResponse) => Promise<void>;
+  handleWebSession: (session: SessionLoginResponse) => Promise<void>;
 
   // Session management
   logout: (targetSessionId?: string) => Promise<void>;
@@ -206,7 +206,7 @@ function silentColdBootKey(oxyServices: OxyServices): string {
  * iframe never posts a message, so the full wait would be dead latency in front
  * of the terminal `/sso` bounce. `silentSignIn` already fails fast on a load
  * error via `iframe.onerror`; this caps the no-message case. 2.5s is well above
- * a same-origin iframe handshake yet a fraction of the legacy 5s default.
+ * a same-origin iframe handshake without blocking cold boot for several seconds.
  */
 const SILENT_IFRAME_TIMEOUT = 2500;
 
@@ -403,8 +403,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // plumbing and regardless of which auth code path fired.
   //
   // When the app passed the singleton itself as `oxyServices` (Mention's
-  // pattern), `oxyServices === oxyClient`, so we skip the redundant self-write
-  // and the subscription is a no-op mirror — fully backward compatible.
+  // pattern), `oxyServices === oxyClient`, so we skip the redundant self-write.
   useEffect(() => {
     if (oxyServices === oxyClient) {
       return;
@@ -635,7 +634,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // init. Callers MUST invoke this BEFORE any work that can trigger a route
   // navigation (`onAuthStateChange`) — navigation can interrupt a still-pending
   // async write, which is exactly what once left `session_ids` empty after a
-  // successful sign-in. Shared by the FedCM/popup path and the cold-boot
+    // successful sign-in. Shared by the FedCM/SSO path and the cold-boot
   // refresh-cookie restore so both land the same durable record.
   const persistSessionDurably = useCallback(async (sessionId: string): Promise<void> => {
     const readyStorage = await getReadyStorage();
@@ -663,7 +662,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // Idempotent and monotonic via `authResolvedRef`: the first call wins and the
   // setters fire at most once, so the restore `finally` backstop becomes a no-op
   // once a commit site has already marked resolution. Called from EVERY place a
-  // user is actually committed (the FedCM/iframe/redirect/SSO path
+  // user is actually committed (the FedCM/iframe/SSO path
   // `handleWebSSOSession`, the cookie-restore path, and the stored-session path)
   // so the common reload case unblocks the loading gate without sitting behind
   // the remaining (now-skipped) cold-boot steps.
@@ -691,10 +690,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // Calls `oxyServices.refreshAllSessions()` → `POST /auth/refresh-all` with
   // `credentials: 'include'`. The server rotates every device-local
   // `oxy_rt_${authuser}` cookie in parallel and returns one entry per valid
-  // account (Google-style multi-account). On an older server that lacks the
-  // multi-account endpoint, the SDK transparently falls back to the legacy
-  // `/auth/refresh` single-account path and wraps the result in the same
-  // shape, so this caller doesn't branch.
+  // account (Google-style multi-account).
   //
   // Active-account selection: the persisted `oxy_active_authuser` slot index
   // wins when it matches a returned account; otherwise the lowest `authuser`
@@ -787,23 +783,31 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // Native (and offline) stored-session restore — the ONLY restore path that
   // runs on React Native, and the web fallback when no cross-domain step won.
   //
-  // Verbatim-extracted from the previous `restoreSessionsFromStorage` body: it
-  // reads the durable `session_ids` / `active_session_id` slots, validates each
-  // stored session in parallel (bearer `validateSession`), and switches to the
-  // stored active session via the session-management `switchSession`. This body
-  // is platform-agnostic and gated by NO `enabled()` predicate so it runs on
-  // every platform — on native it is reached unconditionally (every web-only
-  // step ahead of it is disabled by `isWebBrowser()`), so native restore is
-  // exactly this and nothing else (no FedCM / iframe / refresh-all /
-  // handleAuthCallback).
+  // Stored-session restore. Web uses this only as a fast local winner after
+  // URL-return handling; native uses it as the durable SecureStore path. Native
+  // first plants the shared access token from KeyManager, then validates the
+  // stored session ids with the bearer already in memory.
   const restoreStoredSession = useCallback(async (): Promise<boolean> => {
     if (!storage) {
       return false;
     }
 
     const storedSessionIdsJson = await storage.getItem(storageKeys.sessionIds);
-    const storedSessionIds: string[] = storedSessionIdsJson ? JSON.parse(storedSessionIdsJson) : [];
-    const storedActiveSessionId = await storage.getItem(storageKeys.activeSessionId);
+    const storedSessionIdsFromStorage: string[] = storedSessionIdsJson ? JSON.parse(storedSessionIdsJson) : [];
+    let storedActiveSessionId = await storage.getItem(storageKeys.activeSessionId);
+
+    const nativeSharedSession = !isWebBrowser()
+      ? await KeyManager.getSharedSession().catch(() => null)
+      : null;
+    if (nativeSharedSession?.accessToken) {
+      oxyServices.setTokens(nativeSharedSession.accessToken);
+      storedActiveSessionId = storedActiveSessionId ?? nativeSharedSession.sessionId;
+    }
+
+    const storedSessionIds = Array.from(new Set([
+      ...storedSessionIdsFromStorage,
+      ...(nativeSharedSession?.sessionId ? [nativeSharedSession.sessionId] : []),
+    ]));
 
     let validSessions: ClientSession[] = [];
 
@@ -964,7 +968,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // web-only step is gated by `isWebBrowser()`, so on native ONLY
   // `stored-session` runs.
   //
-  // Order (web): redirect callback → SSO return → stored session → FedCM silent
+  // Order (web): SSO return → stored session → FedCM silent
   // (central) → silent iframe (per-apex, the durable reload path) → cookie
   // restore → SSO bounce (terminal).
   //
@@ -972,8 +976,8 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   // (`fedcm-silent`, `silent-iframe`, `cookie-restore`). On a normal reload the
   // local bearer validates in one round-trip and wins, so `runColdBoot`
   // short-circuits and never sits through those probes' timeouts (the prior
-  // serial sum was a ~20-30s stall). `redirect` and `sso-return` MUST stay
-  // first — they consume the URL fragment before anything can strip it. On a
+  // serial sum was a ~20-30s stall). `sso-return` MUST stay first — it consumes
+  // the URL fragment before anything can strip it. On a
   // first visit with no local session, `stored-session` skips and the
   // cross-domain fallback chain (fedcm → iframe → cookie → sso-bounce) runs
   // exactly as before; the per-apex silent iframe still restores a durable
@@ -1006,26 +1010,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
       const outcome = await runColdBoot<true>({
         steps: [
           {
-            // 0) Redirect callback wins: a popup/redirect sign-in just landed
-            // back on this page with `access_token`/`session_id` query params.
-            // `handleAuthCallback` plants the token but returns a PLACEHOLDER
-            // user (empty id), so we hydrate the REAL user via `getCurrentUser`
-            // and commit through `handleWebSSOSession` before claiming a
-            // session — never expose a placeholder user (R4).
-            id: 'redirect',
-            enabled: () => isWebBrowser(),
-            run: async () => {
-              const callbackSession = oxyServices.handleAuthCallback?.();
-              if (!callbackSession || !commitWebSession) {
-                return { kind: 'skip' };
-              }
-              const fullUser = await oxyServices.getCurrentUser();
-              await commitWebSession({ ...callbackSession, user: fullUser });
-              return { kind: 'session', session: true };
-            },
-          },
-          {
-            // 1) Central SSO return: we are landing back from an `auth.oxy.so/sso`
+            // 0) Central SSO return: we are landing back from an `auth.oxy.so/sso`
             // bounce with the result in the URL fragment. Parse it, validate the
             // CSRF state, exchange the opaque code, and commit. On any non-ok
             // outcome `runSsoReturn` sets the per-origin NO_SESSION flag so the
@@ -1048,8 +1033,8 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
             // normal reload the local bearer validates in one round-trip and
             // wins; `runColdBoot` then short-circuits and never even evaluates
             // the slow no-redirect probes that would otherwise time out (the
-            // ~20-30s serial stall). The `redirect` and `sso-return` steps stay
-            // AHEAD of this one — they must consume the URL fragment before any
+            // ~20-30s serial stall). The `sso-return` step stays AHEAD of this
+            // one — it must consume the URL fragment before any
             // later step (or anything else) strips it. On a first visit with no
             // local session this step skips and the cross-domain fallback chain
             // (fedcm → iframe → cookie → sso-bounce) runs exactly as before.
@@ -1348,8 +1333,8 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     });
   }, []);
 
-  // Web SSO: Automatically check for cross-domain session on web platforms
-  // Also used for popup auth - updates all state and persists session
+  // Web SSO: automatically check for cross-domain session on web platforms.
+  // Updates all state and persists session metadata.
   const handleWebSSOSession = useCallback(async (session: SessionLoginResponse) => {
     if (!session?.user || !session?.sessionId) {
       if (__DEV__) {
@@ -1358,12 +1343,10 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
       return;
     }
 
-    // Set the access token on the HTTP client before updating UI state
-    if (session.accessToken) {
-      oxyServices.httpService.setTokens(session.accessToken);
-    } else {
-      await oxyServices.getTokenBySession(session.sessionId);
+    if (!session.accessToken) {
+      throw new Error('Session response did not include an access token');
     }
+    oxyServices.httpService.setTokens(session.accessToken);
 
     const clientSession = {
       sessionId: session.sessionId,
@@ -1405,14 +1388,14 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
       fullUser = session.user as unknown as User;
     }
     loginSuccess(fullUser);
-    // A session is now committed (FedCM silent / per-apex iframe / redirect /
-    // SSO-return / popup all funnel through here) — unblock the auth-resolution
+    // A session is now committed (FedCM silent / per-apex iframe /
+    // SSO-return all funnel through here) — unblock the auth-resolution
     // gate immediately, ahead of the cold-boot chain returning (idempotent).
     markAuthResolvedRef.current();
     onAuthStateChange?.(fullUser);
   }, [oxyServices, updateSessions, setActiveSessionId, loginSuccess, onAuthStateChange, persistSessionDurably]);
 
-  // Expose `handleWebSSOSession` to the cold-boot FedCM/iframe/redirect steps,
+  // Expose `handleWebSSOSession` to the cold-boot FedCM/iframe/SSO steps,
   // which reference it through a ref because they are declared above this
   // callback. Assigned synchronously on every render so the ref is populated
   // before the cold-boot effect (gated on `storage`/`initialized`) can fire.
@@ -1670,7 +1653,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     hasIdentity,
     getPublicKey,
     signIn,
-    handlePopupSession: handleWebSSOSession,
+    handleWebSession: handleWebSSOSession,
     logout,
     logoutAll,
     switchSession: switchSessionForContext,
@@ -1777,7 +1760,7 @@ const LOADING_STATE: OxyContextState = {
   hasIdentity: () => Promise.resolve(false),
   getPublicKey: () => Promise.resolve(null),
   signIn: () => rejectMissingProvider<User>(),
-  handlePopupSession: () => rejectMissingProvider<void>(),
+  handleWebSession: () => rejectMissingProvider<void>(),
   logout: () => rejectMissingProvider<void>(),
   logoutAll: () => rejectMissingProvider<void>(),
   switchSession: () => rejectMissingProvider<User>(),
@@ -1809,4 +1792,3 @@ export const useOxy = (): OxyContextState => {
 };
 
 export default OxyContext;
-

package/src/ui/context/hooks/useAuthOperations.ts

@@ -184,12 +184,9 @@ export const useAuthOperations = ({
         // Verify and create session. `verifyChallenge` plants the first
         // access token (and refresh token) from the `/auth/verify` response
         // body internally — mirroring `claimSessionByToken` — so the client is
-        // authenticated as soon as this resolves. We deliberately do NOT fall
-        // back to the bearer-protected `GET /session/token/:sessionId` (C1
-        // hardening): for a brand-new identity with no bearer yet that route
-        // 401s, which previously broke the entire new-identity onboarding
-        // flow. A token-less verify response simply leaves the client without
-        // a bearer here rather than triggering that 401.
+        // authenticated as soon as this resolves. Session IDs are not public
+        // token-minting credentials; a token-less verify response simply leaves
+        // the client without a bearer here.
         sessionResponse = await oxyServices.verifyChallenge(
           publicKey,
           challenge,
@@ -302,11 +299,8 @@ export const useAuthOperations = ({
 
       try {
         const sessionToLogout = targetSessionId || activeSessionId;
-        // Web multi-account: when the target session carries an `authuser`
-        // slot index it is backed by an httpOnly `oxy_rt_${n}` cookie. Use
-        // the cookie-cleared logout endpoint so the server can `Set-Cookie`
-        // an immediate expiry alongside revoking the family. Native and
-        // legacy sessions (no `authuser` plumbed yet) fall through to the
+        // Web multi-account sessions carry an `authuser` slot index backed by
+        // an httpOnly `oxy_rt_${n}` cookie. Native sessions fall through to the
         // bearer-protected endpoint.
         const targetSession = sessionsRef.current.find((s) => s.sessionId === sessionToLogout);
         const targetAuthuser = targetSession?.authuser;
@@ -378,8 +372,8 @@ export const useAuthOperations = ({
       //   - Web: "Sign out of all accounts" = sign out every device-local
       //     account on THIS device. The cookie endpoint is the only path
       //     that can `Set-Cookie` an immediate expiry on every
-      //     `oxy_rt_${n}` slot (plus legacy `oxy_rt`) AND revoke every
-      //     presented family server-side. The bearer-protected
+      //     `oxy_rt_${n}` slots AND revoke every presented family server-side.
+      //     The bearer-protected
       //     `logoutAllSessions(activeSessionId)` would only revoke the
       //     active user's sessions across devices and leave sibling
       //     accounts' cookies sitting on this device — wrong UX for the

package/src/ui/hooks/useAuth.ts

@@ -20,7 +20,7 @@
  * Cross-domain SSO:
  * - Web: Automatic via FedCM (Chrome 108+, Safari 16.4+)
  * - Native: Automatic via shared Keychain/Account Manager
- * - Manual sign-in: signIn() opens popup (web) or auth sheet (native)
+ * - Manual sign-in: signIn() redirects to the IdP (web) or opens the auth sheet (native)
  */
 
 import { useCallback, useState } from 'react';
@@ -60,16 +60,12 @@ export interface AuthState {
 export interface AuthActions {
   /**
    * Sign in
-   * - Web: Opens popup to auth.oxy.so (no public key needed)
+   * - Web: Redirects to auth.oxy.so (no public key needed)
    * - Native: Uses cryptographic identity from keychain
    *
    * @param publicKey - Native: identity public key. Ignored on web.
-   * @param preOpenedPopup - Web only: a popup the caller already opened
-   *   SYNCHRONOUSLY on the raw click via `oxyServices.openBlankPopup()`. This
-   *   keeps Chrome's user-activation alive across any prior `await` and is
-   *   the only reliable way to avoid the popup blocker on cross-domain flows.
    */
-  signIn: (publicKey?: string, preOpenedPopup?: Window | null) => Promise<User>;
+  signIn: (publicKey?: string) => Promise<User>;
 
   /**
    * Sign out current session
@@ -114,7 +110,6 @@ export function useAuth(): UseAuthReturn {
     isAuthResolved,
     error,
     signIn: oxySignIn,
-    handlePopupSession,
     logout,
     logoutAll,
     refreshSessions,
@@ -125,7 +120,7 @@ export function useAuth(): UseAuthReturn {
     openAvatarPicker,
   } = useOxy();
 
-  const signIn = useCallback(async (publicKey?: string, preOpenedPopup?: Window | null): Promise<User> => {
+  const signIn = useCallback(async (publicKey?: string): Promise<User> => {
     // Check if we're on the identity provider itself
     // Only the IdP has local login forms - other apps are client apps
     const authWebUrl = oxyServices.config?.authWebUrl;
@@ -136,44 +131,13 @@ export function useAuth(): UseAuthReturn {
     const isIdentityProvider = isWebBrowser() &&
       window.location.hostname === idpHostname;
 
-    // Web (not on IdP): Use popup-based authentication
-    // We go straight to popup to preserve the "user gesture" (click event)
-    // FedCM silent SSO already runs on page load via useWebSSO
-    // If user is clicking "Sign In", they need interactive auth NOW
+    // Web (not on IdP): use the tokenless redirect SSO flow. FedCM / silent SSO
+    // already run on page load; an explicit click needs interactive auth.
     if (isWebBrowser() && !publicKey && !isIdentityProvider) {
-      // Open the popup SYNCHRONOUSLY before any `await` runs so Chrome's
-      // transient user-activation is preserved across the async chain
-      // (React state updates + the `await` into `signInWithPopup`). If the
-      // caller already pre-opened one (e.g. they did so to be extra safe
-      // ahead of their own awaits), reuse it.
-      const popup: Window | null = preOpenedPopup
-        ?? oxyServices.openBlankPopup?.()
-        ?? null;
-      try {
-        const popupSession = await oxyServices.signInWithPopup?.({
-          popup,
-        });
-        if (popupSession?.user) {
-          // The popup auth flow fetches full user data, so the session user
-          // contains full User fields even though the base type is MinimalUserData.
-          // Cast to the expected shape for handlePopupSession.
-          const sessionWithUser = {
-            ...popupSession,
-            user: popupSession.user as unknown as User,
-          };
-          await handlePopupSession(sessionWithUser);
-          return sessionWithUser.user;
-        }
-        throw new Error('Sign-in failed. Please try again.');
-      } catch (popupError) {
-        if (popup && !popup.closed) {
-          popup.close();
-        }
-        if (popupError instanceof Error && popupError.message.includes('blocked')) {
-          throw new Error('Popup blocked. Please allow popups for this site.');
-        }
-        throw popupError;
-      }
+      oxyServices.signInWithRedirect?.({
+        redirectUri: window.location.href,
+      });
+      return new Promise<User>(() => undefined);
     }
 
     // Native: Use cryptographic identity
@@ -212,7 +176,7 @@ export function useAuth(): UseAuthReturn {
     }
 
     throw new Error('No authentication method available');
-  }, [oxySignIn, hasIdentity, getPublicKey, showBottomSheet, oxyServices, handlePopupSession]);
+  }, [oxySignIn, hasIdentity, getPublicKey, showBottomSheet, oxyServices]);
 
   const signOut = useCallback(async (): Promise<void> => {
     await logout();
@@ -247,4 +211,3 @@ export function useAuth(): UseAuthReturn {
     openAvatarPicker,
   };
 }
-