@oxyhq/services 5.18.4 → 5.19.0

package/lib/module/ui/components/WebOxyProvider.js

@@ -5,10 +5,12 @@
  *
  * This provider is specifically for web environments and doesn't include
  * React Native-specific dependencies. It provides:
- * - Automatic cross-domain SSO via hidden iframe
+ * - Automatic cross-domain SSO via FedCM (Chrome 108+, Safari 16.4+, Edge 108+)
  * - Session management
  * - All useOxy/useAuth functionality
  *
+ * Zero-config: Just wrap your app and SSO works automatically across domains.
+ *
  * Usage:
  * ```tsx
  * import { WebOxyProvider, useAuth } from '@oxyhq/services';
@@ -20,6 +22,12 @@
  *     </WebOxyProvider>
  *   );
  * }
+ *
+ * function LoginButton() {
+ *   const { isAuthenticated, signIn, user } = useAuth();
+ *   if (isAuthenticated) return <span>Welcome, {user?.username}!</span>;
+ *   return <button onClick={() => signIn()}>Sign In</button>;
+ * }
  * ```
  */
 
@@ -33,7 +41,8 @@ import { jsx as _jsx } from "react/jsx-runtime";
  * OxyProvider for web applications
  *
  * Features:
- * - Automatic cross-domain SSO (checks auth.oxy.so/auth/silent on mount)
+ * - Automatic cross-domain SSO via FedCM (browser-native identity API)
+ * - Works across different TLDs (alia.onl, mention.earth, homiio.com, etc.)
  * - Session persistence in localStorage
  * - TanStack Query for data fetching
  * - No React Native dependencies

package/lib/module/ui/components/WebOxyProvider.js.map

@@ -1 +1 @@
-{"version":3,"names":["useEffect","useRef","useState","OxyContextProvider","QueryClientProvider","createQueryClient","createPlatformStorage","jsx","_jsx","WebOxyProvider","children","baseURL","authWebUrl","onAuthStateChange","storageKeyPrefix","queryClient","providedQueryClient","storageRef","queryClientRef","setQueryClient","current","mounted","then","storage","client","catch"],"sourceRoot":"../../../../src","sources":["ui/components/WebOxyProvider.tsx"],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,SAAS,EAAEC,MAAM,EAAEC,QAAQ,QAAiC,OAAO;AAC5E,SAASC,kBAAkB,QAAQ,0BAAuB;AAC1D,SAASC,mBAAmB,QAAQ,uBAAuB;AAC3D,SAASC,iBAAiB,QAAQ,yBAAsB;AACxD,SAASC,qBAAqB,QAA+B,4BAAyB;AAAC,SAAAC,GAAA,IAAAC,IAAA;AAWvF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMC,cAAuC,GAAGA,CAAC;EAC/CC,QAAQ;EACRC,OAAO;EACPC,UAAU;EACVC,iBAAiB;EACjBC,gBAAgB;EAChBC,WAAW,EAAEC;AACf,CAAC,KAAK;EACJ,MAAMC,UAAU,GAAGhB,MAAM,CAA0B,IAAI,CAAC;EACxD,MAAMiB,cAAc,GAAGjB,MAAM,CAA8C,IAAI,CAAC;EAChF,MAAM,CAACc,WAAW,EAAEI,cAAc,CAAC,GAAGjB,QAAQ,CAA8C,IAAI,CAAC;EAEjGF,SAAS,CAAC,MAAM;IACd,IAAIgB,mBAAmB,EAAE;MACvBE,cAAc,CAACE,OAAO,GAAGJ,mBAAmB;MAC5CG,cAAc,CAACH,mBAAmB,CAAC;MACnC;IACF;IAEA,IAAIK,OAAO,GAAG,IAAI;IAClBf,qBAAqB,CAAC,CAAC,CACpBgB,IAAI,CAAEC,OAAO,IAAK;MACjB,IAAIF,OAAO,IAAI,CAACH,cAAc,CAACE,OAAO,EAAE;QACtCH,UAAU,CAACG,OAAO,GAAGG,OAAO;QAC5B,MAAMC,MAAM,GAAGnB,iBAAiB,CAACkB,OAAO,CAAC;QACzCL,cAAc,CAACE,OAAO,GAAGI,MAAM;QAC/BL,cAAc,CAACK,MAAM,CAAC;MACxB;IACF,CAAC,CAAC,CACDC,KAAK,CAAC,MAAM;MACX,IAAIJ,OAAO,IAAI,CAACH,cAAc,CAACE,OAAO,EAAE;QACtC,MAAMI,MAAM,GAAGnB,iBAAiB,CAAC,IAAI,CAAC;QACtCa,cAAc,CAACE,OAAO,GAAGI,MAAM;QAC/BL,cAAc,CAACK,MAAM,CAAC;MACxB;IACF,CAAC,CAAC;IAEJ,OAAO,MAAM;MACXH,OAAO,GAAG,KAAK;IACjB,CAAC;EACH,CAAC,EAAE,CAACL,mBAAmB,CAAC,CAAC;;EAEzB;EACA,IAAI,CAACD,WAAW,EAAE;IAChB,OAAO,IAAI;EACb;EAEA,oBACEP,IAAA,CAACJ,mBAAmB;IAACoB,MAAM,EAAET,WAAY;IAAAL,QAAA,eACvCF,IAAA,CAACL,kBAAkB;MACjBQ,OAAO,EAAEA,OAAQ;MACjBC,UAAU,EAAEA,UAAW;MACvBE,gBAAgB,EAAEA,gBAAiB;MACnCD,iBAAiB,EAAEA,iBAAkB;MAAAH,QAAA,EAEpCA;IAAQ,CACS;EAAC,CACF,CAAC;AAE1B,CAAC;AAED,eAAeD,cAAc","ignoreList":[]}
+{"version":3,"names":["useEffect","useRef","useState","OxyContextProvider","QueryClientProvider","createQueryClient","createPlatformStorage","jsx","_jsx","WebOxyProvider","children","baseURL","authWebUrl","onAuthStateChange","storageKeyPrefix","queryClient","providedQueryClient","storageRef","queryClientRef","setQueryClient","current","mounted","then","storage","client","catch"],"sourceRoot":"../../../../src","sources":["ui/components/WebOxyProvider.tsx"],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,SAAS,EAAEC,MAAM,EAAEC,QAAQ,QAAiC,OAAO;AAC5E,SAASC,kBAAkB,QAAQ,0BAAuB;AAC1D,SAASC,mBAAmB,QAAQ,uBAAuB;AAC3D,SAASC,iBAAiB,QAAQ,yBAAsB;AACxD,SAASC,qBAAqB,QAA+B,4BAAyB;AAAC,SAAAC,GAAA,IAAAC,IAAA;AAWvF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMC,cAAuC,GAAGA,CAAC;EAC/CC,QAAQ;EACRC,OAAO;EACPC,UAAU;EACVC,iBAAiB;EACjBC,gBAAgB;EAChBC,WAAW,EAAEC;AACf,CAAC,KAAK;EACJ,MAAMC,UAAU,GAAGhB,MAAM,CAA0B,IAAI,CAAC;EACxD,MAAMiB,cAAc,GAAGjB,MAAM,CAA8C,IAAI,CAAC;EAChF,MAAM,CAACc,WAAW,EAAEI,cAAc,CAAC,GAAGjB,QAAQ,CAA8C,IAAI,CAAC;EAEjGF,SAAS,CAAC,MAAM;IACd,IAAIgB,mBAAmB,EAAE;MACvBE,cAAc,CAACE,OAAO,GAAGJ,mBAAmB;MAC5CG,cAAc,CAACH,mBAAmB,CAAC;MACnC;IACF;IAEA,IAAIK,OAAO,GAAG,IAAI;IAClBf,qBAAqB,CAAC,CAAC,CACpBgB,IAAI,CAAEC,OAAO,IAAK;MACjB,IAAIF,OAAO,IAAI,CAACH,cAAc,CAACE,OAAO,EAAE;QACtCH,UAAU,CAACG,OAAO,GAAGG,OAAO;QAC5B,MAAMC,MAAM,GAAGnB,iBAAiB,CAACkB,OAAO,CAAC;QACzCL,cAAc,CAACE,OAAO,GAAGI,MAAM;QAC/BL,cAAc,CAACK,MAAM,CAAC;MACxB;IACF,CAAC,CAAC,CACDC,KAAK,CAAC,MAAM;MACX,IAAIJ,OAAO,IAAI,CAACH,cAAc,CAACE,OAAO,EAAE;QACtC,MAAMI,MAAM,GAAGnB,iBAAiB,CAAC,IAAI,CAAC;QACtCa,cAAc,CAACE,OAAO,GAAGI,MAAM;QAC/BL,cAAc,CAACK,MAAM,CAAC;MACxB;IACF,CAAC,CAAC;IAEJ,OAAO,MAAM;MACXH,OAAO,GAAG,KAAK;IACjB,CAAC;EACH,CAAC,EAAE,CAACL,mBAAmB,CAAC,CAAC;;EAEzB;EACA,IAAI,CAACD,WAAW,EAAE;IAChB,OAAO,IAAI;EACb;EAEA,oBACEP,IAAA,CAACJ,mBAAmB;IAACoB,MAAM,EAAET,WAAY;IAAAL,QAAA,eACvCF,IAAA,CAACL,kBAAkB;MACjBQ,OAAO,EAAEA,OAAQ;MACjBC,UAAU,EAAEA,UAAW;MACvBE,gBAAgB,EAAEA,gBAAiB;MACnCD,iBAAiB,EAAEA,iBAAkB;MAAAH,QAAA,EAEpCA;IAAQ,CACS;EAAC,CACF,CAAC;AAE1B,CAAC;AAED,eAAeD,cAAc","ignoreList":[]}

package/lib/module/ui/hooks/useAuth.js

@@ -18,10 +18,16 @@
  *   return <Welcome user={user} />;
  * }
  * ```
+ *
+ * Cross-domain SSO:
+ * - Web: Automatic via FedCM (Chrome 108+, Safari 16.4+)
+ * - Native: Automatic via shared Keychain/Account Manager
+ * - Manual sign-in: signIn() opens popup (web) or auth sheet (native)
  */
 
 import { useCallback } from 'react';
 import { useOxy } from "../context/OxyContext.js";
+import { isWebBrowser } from "./useWebSSO.js";
 /**
  * Unified auth hook for all Oxy apps
  *
@@ -48,6 +54,30 @@ export function useAuth() {
     showBottomSheet
   } = useOxy();
   const signIn = useCallback(async publicKey => {
+    // Web: Use popup-based authentication
+    if (isWebBrowser() && !publicKey) {
+      try {
+        // Try FedCM first (instant if user already signed in)
+        if (oxyServices.isFedCMSupported?.()) {
+          const fedcmSession = await oxyServices.signInWithFedCM?.();
+          if (fedcmSession?.user) {
+            return fedcmSession.user;
+          }
+        }
+
+        // Fallback to popup (opens auth.oxy.so in popup window)
+        const popupSession = await oxyServices.signInWithPopup?.();
+        if (popupSession?.user) {
+          return popupSession.user;
+        }
+        throw new Error('Sign-in failed');
+      } catch (error) {
+        // If popup blocked or FedCM failed, suggest redirect
+        throw new Error(error instanceof Error && error.message.includes('blocked') ? 'Popup blocked. Please allow popups or try again.' : 'Sign-in failed. Please try again.');
+      }
+    }
+
+    // Native: Use cryptographic identity
     // If public key provided, use it directly
     if (publicKey) {
       return oxySignIn(publicKey);
@@ -62,19 +92,14 @@ export function useAuth() {
       }
     }
 
-    // No identity - show auth UI
-    // On native: shows bottom sheet for identity creation
-    // On web: could trigger popup auth
+    // No identity - show auth UI (native bottom sheet)
     showBottomSheet?.('OxyAuth');
 
     // Return a promise that resolves when auth completes
-    // This is a simplified version - real implementation would
-    // wait for the auth flow to complete
-    return new Promise((resolve, reject) => {
-      // For now, just reject - the bottom sheet handles the flow
+    return new Promise((_, reject) => {
       reject(new Error('Please complete sign-in in the auth sheet'));
     });
-  }, [oxySignIn, hasIdentity, getPublicKey, showBottomSheet]);
+  }, [oxySignIn, hasIdentity, getPublicKey, showBottomSheet, oxyServices]);
   const signOut = useCallback(async () => {
     await logout();
   }, [logout]);

package/lib/module/ui/hooks/useAuth.js.map

@@ -1 +1 @@
-{"version":3,"names":["useCallback","useOxy","useAuth","user","isAuthenticated","isLoading","isTokenReady","error","signIn","oxySignIn","logout","logoutAll","refreshSessions","oxyServices","hasIdentity","getPublicKey","showBottomSheet","publicKey","hasExisting","existingKey","Promise","resolve","reject","Error","signOut","signOutAll","refresh","isReady"],"sourceRoot":"../../../../src","sources":["ui/hooks/useAuth.ts"],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,WAAW,QAAQ,OAAO;AACnC,SAASC,MAAM,QAAQ,0BAAuB;AAiD9C;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASC,OAAOA,CAAA,EAAkB;EACvC,MAAM;IACJC,IAAI;IACJC,eAAe;IACfC,SAAS;IACTC,YAAY;IACZC,KAAK;IACLC,MAAM,EAAEC,SAAS;IACjBC,MAAM;IACNC,SAAS;IACTC,eAAe;IACfC,WAAW;IACXC,WAAW;IACXC,YAAY;IACZC;EACF,CAAC,GAAGf,MAAM,CAAC,CAAC;EAEZ,MAAMO,MAAM,GAAGR,WAAW,CAAC,MAAOiB,SAAkB,IAAoB;IACtE;IACA,IAAIA,SAAS,EAAE;MACb,OAAOR,SAAS,CAACQ,SAAS,CAAC;IAC7B;;IAEA;IACA,MAAMC,WAAW,GAAG,MAAMJ,WAAW,CAAC,CAAC;IAEvC,IAAII,WAAW,EAAE;MACf,MAAMC,WAAW,GAAG,MAAMJ,YAAY,CAAC,CAAC;MACxC,IAAII,WAAW,EAAE;QACf,OAAOV,SAAS,CAACU,WAAW,CAAC;MAC/B;IACF;;IAEA;IACA;IACA;IACAH,eAAe,GAAG,SAAS,CAAC;;IAE5B;IACA;IACA;IACA,OAAO,IAAII,OAAO,CAAC,CAACC,OAAO,EAAEC,MAAM,KAAK;MACtC;MACAA,MAAM,CAAC,IAAIC,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAChE,CAAC,CAAC;EACJ,CAAC,EAAE,CAACd,SAAS,EAAEK,WAAW,EAAEC,YAAY,EAAEC,eAAe,CAAC,CAAC;EAE3D,MAAMQ,OAAO,GAAGxB,WAAW,CAAC,YAA2B;IACrD,MAAMU,MAAM,CAAC,CAAC;EAChB,CAAC,EAAE,CAACA,MAAM,CAAC,CAAC;EAEZ,MAAMe,UAAU,GAAGzB,WAAW,CAAC,YAA2B;IACxD,MAAMW,SAAS,CAAC,CAAC;EACnB,CAAC,EAAE,CAACA,SAAS,CAAC,CAAC;EAEf,MAAMe,OAAO,GAAG1B,WAAW,CAAC,YAA2B;IACrD,MAAMY,eAAe,CAAC,CAAC;EACzB,CAAC,EAAE,CAACA,eAAe,CAAC,CAAC;EAErB,OAAO;IACL;IACAT,IAAI;IACJC,eAAe;IACfC,SAAS;IACTsB,OAAO,EAAErB,YAAY;IACrBC,KAAK;IAEL;IACAC,MAAM;IACNgB,OAAO;IACPC,UAAU;IACVC,OAAO;IAEP;IACAb;EACF,CAAC;AACH;;AAEA;AACA,SAASZ,MAAM,QAAQ,0BAAuB","ignoreList":[]}
+{"version":3,"names":["useCallback","useOxy","isWebBrowser","useAuth","user","isAuthenticated","isLoading","isTokenReady","error","signIn","oxySignIn","logout","logoutAll","refreshSessions","oxyServices","hasIdentity","getPublicKey","showBottomSheet","publicKey","isFedCMSupported","fedcmSession","signInWithFedCM","popupSession","signInWithPopup","Error","message","includes","hasExisting","existingKey","Promise","_","reject","signOut","signOutAll","refresh","isReady"],"sourceRoot":"../../../../src","sources":["ui/hooks/useAuth.ts"],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,WAAW,QAAkB,OAAO;AAC7C,SAASC,MAAM,QAAQ,0BAAuB;AAE9C,SAASC,YAAY,QAAQ,gBAAa;AAgD1C;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASC,OAAOA,CAAA,EAAkB;EACvC,MAAM;IACJC,IAAI;IACJC,eAAe;IACfC,SAAS;IACTC,YAAY;IACZC,KAAK;IACLC,MAAM,EAAEC,SAAS;IACjBC,MAAM;IACNC,SAAS;IACTC,eAAe;IACfC,WAAW;IACXC,WAAW;IACXC,YAAY;IACZC;EACF,CAAC,GAAGhB,MAAM,CAAC,CAAC;EAEZ,MAAMQ,MAAM,GAAGT,WAAW,CAAC,MAAOkB,SAAkB,IAAoB;IACtE;IACA,IAAIhB,YAAY,CAAC,CAAC,IAAI,CAACgB,SAAS,EAAE;MAChC,IAAI;QACF;QACA,IAAKJ,WAAW,CAASK,gBAAgB,GAAG,CAAC,EAAE;UAC7C,MAAMC,YAAY,GAAG,MAAON,WAAW,CAASO,eAAe,GAAG,CAAC;UACnE,IAAID,YAAY,EAAEhB,IAAI,EAAE;YACtB,OAAOgB,YAAY,CAAChB,IAAI;UAC1B;QACF;;QAEA;QACA,MAAMkB,YAAY,GAAG,MAAOR,WAAW,CAASS,eAAe,GAAG,CAAC;QACnE,IAAID,YAAY,EAAElB,IAAI,EAAE;UACtB,OAAOkB,YAAY,CAAClB,IAAI;QAC1B;QAEA,MAAM,IAAIoB,KAAK,CAAC,gBAAgB,CAAC;MACnC,CAAC,CAAC,OAAOhB,KAAK,EAAE;QACd;QACA,MAAM,IAAIgB,KAAK,CACbhB,KAAK,YAAYgB,KAAK,IAAIhB,KAAK,CAACiB,OAAO,CAACC,QAAQ,CAAC,SAAS,CAAC,GACvD,kDAAkD,GAClD,mCACN,CAAC;MACH;IACF;;IAEA;IACA;IACA,IAAIR,SAAS,EAAE;MACb,OAAOR,SAAS,CAACQ,SAAS,CAAC;IAC7B;;IAEA;IACA,MAAMS,WAAW,GAAG,MAAMZ,WAAW,CAAC,CAAC;IAEvC,IAAIY,WAAW,EAAE;MACf,MAAMC,WAAW,GAAG,MAAMZ,YAAY,CAAC,CAAC;MACxC,IAAIY,WAAW,EAAE;QACf,OAAOlB,SAAS,CAACkB,WAAW,CAAC;MAC/B;IACF;;IAEA;IACAX,eAAe,GAAG,SAAS,CAAC;;IAE5B;IACA,OAAO,IAAIY,OAAO,CAAC,CAACC,CAAC,EAAEC,MAAM,KAAK;MAChCA,MAAM,CAAC,IAAIP,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAChE,CAAC,CAAC;EACJ,CAAC,EAAE,CAACd,SAAS,EAAEK,WAAW,EAAEC,YAAY,EAAEC,eAAe,EAAEH,WAAW,CAAC,CAAC;EAExE,MAAMkB,OAAO,GAAGhC,WAAW,CAAC,YAA2B;IACrD,MAAMW,MAAM,CAAC,CAAC;EAChB,CAAC,EAAE,CAACA,MAAM,CAAC,CAAC;EAEZ,MAAMsB,UAAU,GAAGjC,WAAW,CAAC,YAA2B;IACxD,MAAMY,SAAS,CAAC,CAAC;EACnB,CAAC,EAAE,CAACA,SAAS,CAAC,CAAC;EAEf,MAAMsB,OAAO,GAAGlC,WAAW,CAAC,YAA2B;IACrD,MAAMa,eAAe,CAAC,CAAC;EACzB,CAAC,EAAE,CAACA,eAAe,CAAC,CAAC;EAErB,OAAO;IACL;IACAT,IAAI;IACJC,eAAe;IACfC,SAAS;IACT6B,OAAO,EAAE5B,YAAY;IACrBC,KAAK;IAEL;IACAC,MAAM;IACNuB,OAAO;IACPC,UAAU;IACVC,OAAO;IAEP;IACApB;EACF,CAAC;AACH;;AAEA;AACA,SAASb,MAAM,QAAQ,0BAAuB","ignoreList":[]}

package/lib/module/ui/hooks/useWebSSO.js

@@ -3,11 +3,18 @@
 /**
  * Web SSO Hook
  *
- * Automatically handles cross-domain SSO for web apps.
- * Uses the OxyServices.silentSignIn() method which loads a hidden iframe
- * to check for existing session at auth.oxy.so.
+ * Handles cross-domain SSO for web apps using FedCM (Federated Credential Management).
+ *
+ * FedCM is the modern, privacy-preserving standard for cross-domain identity federation.
+ * It works across completely different TLDs (alia.onl, mention.earth, homiio.com, etc.)
+ * without relying on third-party cookies.
+ *
+ * For browsers without FedCM support, users will need to click a sign-in button
+ * which triggers a popup-based authentication flow.
  *
  * This is called automatically by OxyContext on web platforms.
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API
  */
 
 import { useEffect, useRef, useCallback } from 'react';
@@ -15,56 +22,88 @@ import { useEffect, useRef, useCallback } from 'react';
  * Check if we're running in a web browser environment (not React Native)
  */
 function isWebBrowser() {
-  // Check for browser globals and that we have a real DOM (React Native has window but not documentElement)
   return typeof window !== 'undefined' && typeof document !== 'undefined' && typeof document.documentElement !== 'undefined';
 }
 
 /**
- * Hook for automatic web SSO
+ * Hook for automatic cross-domain web SSO
  *
- * Automatically checks for existing cross-domain session on mount.
- * Only runs on web platforms. Uses OxyServices.silentSignIn() internally.
+ * Uses FedCM (Federated Credential Management) - the modern browser-native
+ * identity federation API. This is the same technology that powers
+ * Google's cross-domain SSO (YouTube, Gmail, Maps, etc.).
+ *
+ * Key benefits:
+ * - Works across different TLDs (alia.onl ↔ mention.earth ↔ homiio.com)
+ * - No third-party cookies required
+ * - Privacy-preserving (browser mediates identity, IdP can't track)
+ * - Automatic silent sign-in after initial authentication
+ *
+ * For browsers without FedCM (Firefox, older browsers), automatic SSO
+ * is not possible. Users will see a sign-in button instead.
  */
 export function useWebSSO({
   oxyServices,
   onSessionFound,
+  onSSOUnavailable,
   onError,
   enabled = true
 }) {
   const isCheckingRef = useRef(false);
   const hasCheckedRef = useRef(false);
+
+  // Check FedCM support once
+  const fedCMSupported = isWebBrowser() && oxyServices.isFedCMSupported?.();
   const checkSSO = useCallback(async () => {
     if (!isWebBrowser() || isCheckingRef.current) {
       return null;
     }
+
+    // FedCM is the only reliable cross-domain SSO mechanism
+    // Third-party cookies are deprecated and unreliable
+    if (!fedCMSupported) {
+      onSSOUnavailable?.();
+      return null;
+    }
     isCheckingRef.current = true;
     try {
-      // Use the existing silentSignIn method from OxyServices
-      // which handles iframe creation, postMessage, and token storage
-      const session = await oxyServices.silentSignIn?.();
+      // Use FedCM for cross-domain SSO
+      // This works because browser treats IdP requests as first-party
+      const session = await oxyServices.silentSignInWithFedCM?.();
       if (session) {
         await onSessionFound(session);
+        return session;
       }
-      return session;
+
+      // No session found - user needs to sign in
+      onSSOUnavailable?.();
+      return null;
     } catch (error) {
+      // FedCM failed - could be network error, user not signed in, etc.
+      onSSOUnavailable?.();
       onError?.(error instanceof Error ? error : new Error(String(error)));
       return null;
     } finally {
       isCheckingRef.current = false;
     }
-  }, [oxyServices, onSessionFound, onError]);
+  }, [oxyServices, onSessionFound, onSSOUnavailable, onError, fedCMSupported]);
 
-  // Auto-check SSO on mount (web only)
+  // Auto-check SSO on mount (web only, FedCM only)
   useEffect(() => {
     if (!enabled || !isWebBrowser() || hasCheckedRef.current) {
       return;
     }
     hasCheckedRef.current = true;
-    checkSSO();
-  }, [enabled, checkSSO]);
+    if (fedCMSupported) {
+      checkSSO();
+    } else {
+      // Browser doesn't support FedCM - notify caller
+      onSSOUnavailable?.();
+    }
+  }, [enabled, checkSSO, fedCMSupported, onSSOUnavailable]);
   return {
     checkSSO,
-    isChecking: isCheckingRef.current
+    isChecking: isCheckingRef.current,
+    isFedCMSupported: fedCMSupported
   };
 }
 export { isWebBrowser };

package/lib/module/ui/hooks/useWebSSO.js.map

@@ -1 +1 @@
-{"version":3,"names":["useEffect","useRef","useCallback","isWebBrowser","window","document","documentElement","useWebSSO","oxyServices","onSessionFound","onError","enabled","isCheckingRef","hasCheckedRef","checkSSO","current","session","silentSignIn","error","Error","String","isChecking"],"sourceRoot":"../../../../src","sources":["ui/hooks/useWebSSO.ts"],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,SAAS,EAAEC,MAAM,EAAEC,WAAW,QAAQ,OAAO;AAgBtD;AACA;AACA;AACA,SAASC,YAAYA,CAAA,EAAY;EAC/B;EACA,OAAO,OAAOC,MAAM,KAAK,WAAW,IAC7B,OAAOC,QAAQ,KAAK,WAAW,IAC/B,OAAOA,QAAQ,CAACC,eAAe,KAAK,WAAW;AACxD;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASC,SAASA,CAAC;EACxBC,WAAW;EACXC,cAAc;EACdC,OAAO;EACPC,OAAO,GAAG;AACM,CAAC,EAAmB;EACpC,MAAMC,aAAa,GAAGX,MAAM,CAAC,KAAK,CAAC;EACnC,MAAMY,aAAa,GAAGZ,MAAM,CAAC,KAAK,CAAC;EAEnC,MAAMa,QAAQ,GAAGZ,WAAW,CAAC,YAAkD;IAC7E,IAAI,CAACC,YAAY,CAAC,CAAC,IAAIS,aAAa,CAACG,OAAO,EAAE;MAC5C,OAAO,IAAI;IACb;IAEAH,aAAa,CAACG,OAAO,GAAG,IAAI;IAE5B,IAAI;MACF;MACA;MACA,MAAMC,OAAO,GAAG,MAAOR,WAAW,CAASS,YAAY,GAAG,CAAC;MAE3D,IAAID,OAAO,EAAE;QACX,MAAMP,cAAc,CAACO,OAAO,CAAC;MAC/B;MAEA,OAAOA,OAAO;IAChB,CAAC,CAAC,OAAOE,KAAK,EAAE;MACdR,OAAO,GAAGQ,KAAK,YAAYC,KAAK,GAAGD,KAAK,GAAG,IAAIC,KAAK,CAACC,MAAM,CAACF,KAAK,CAAC,CAAC,CAAC;MACpE,OAAO,IAAI;IACb,CAAC,SAAS;MACRN,aAAa,CAACG,OAAO,GAAG,KAAK;IAC/B;EACF,CAAC,EAAE,CAACP,WAAW,EAAEC,cAAc,EAAEC,OAAO,CAAC,CAAC;;EAE1C;EACAV,SAAS,CAAC,MAAM;IACd,IAAI,CAACW,OAAO,IAAI,CAACR,YAAY,CAAC,CAAC,IAAIU,aAAa,CAACE,OAAO,EAAE;MACxD;IACF;IAEAF,aAAa,CAACE,OAAO,GAAG,IAAI;IAC5BD,QAAQ,CAAC,CAAC;EACZ,CAAC,EAAE,CAACH,OAAO,EAAEG,QAAQ,CAAC,CAAC;EAEvB,OAAO;IACLA,QAAQ;IACRO,UAAU,EAAET,aAAa,CAACG;EAC5B,CAAC;AACH;AAEA,SAASZ,YAAY","ignoreList":[]}
+{"version":3,"names":["useEffect","useRef","useCallback","isWebBrowser","window","document","documentElement","useWebSSO","oxyServices","onSessionFound","onSSOUnavailable","onError","enabled","isCheckingRef","hasCheckedRef","fedCMSupported","isFedCMSupported","checkSSO","current","session","silentSignInWithFedCM","error","Error","String","isChecking"],"sourceRoot":"../../../../src","sources":["ui/hooks/useWebSSO.ts"],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA,SAASA,SAAS,EAAEC,MAAM,EAAEC,WAAW,QAAQ,OAAO;AAqBtD;AACA;AACA;AACA,SAASC,YAAYA,CAAA,EAAY;EAC/B,OAAO,OAAOC,MAAM,KAAK,WAAW,IAC7B,OAAOC,QAAQ,KAAK,WAAW,IAC/B,OAAOA,QAAQ,CAACC,eAAe,KAAK,WAAW;AACxD;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,SAASC,SAASA,CAAC;EACxBC,WAAW;EACXC,cAAc;EACdC,gBAAgB;EAChBC,OAAO;EACPC,OAAO,GAAG;AACM,CAAC,EAAmB;EACpC,MAAMC,aAAa,GAAGZ,MAAM,CAAC,KAAK,CAAC;EACnC,MAAMa,aAAa,GAAGb,MAAM,CAAC,KAAK,CAAC;;EAEnC;EACA,MAAMc,cAAc,GAAGZ,YAAY,CAAC,CAAC,IAAKK,WAAW,CAASQ,gBAAgB,GAAG,CAAC;EAElF,MAAMC,QAAQ,GAAGf,WAAW,CAAC,YAAkD;IAC7E,IAAI,CAACC,YAAY,CAAC,CAAC,IAAIU,aAAa,CAACK,OAAO,EAAE;MAC5C,OAAO,IAAI;IACb;;IAEA;IACA;IACA,IAAI,CAACH,cAAc,EAAE;MACnBL,gBAAgB,GAAG,CAAC;MACpB,OAAO,IAAI;IACb;IAEAG,aAAa,CAACK,OAAO,GAAG,IAAI;IAE5B,IAAI;MACF;MACA;MACA,MAAMC,OAAO,GAAG,MAAOX,WAAW,CAASY,qBAAqB,GAAG,CAAC;MAEpE,IAAID,OAAO,EAAE;QACX,MAAMV,cAAc,CAACU,OAAO,CAAC;QAC7B,OAAOA,OAAO;MAChB;;MAEA;MACAT,gBAAgB,GAAG,CAAC;MACpB,OAAO,IAAI;IACb,CAAC,CAAC,OAAOW,KAAK,EAAE;MACd;MACAX,gBAAgB,GAAG,CAAC;MACpBC,OAAO,GAAGU,KAAK,YAAYC,KAAK,GAAGD,KAAK,GAAG,IAAIC,KAAK,CAACC,MAAM,CAACF,KAAK,CAAC,CAAC,CAAC;MACpE,OAAO,IAAI;IACb,CAAC,SAAS;MACRR,aAAa,CAACK,OAAO,GAAG,KAAK;IAC/B;EACF,CAAC,EAAE,CAACV,WAAW,EAAEC,cAAc,EAAEC,gBAAgB,EAAEC,OAAO,EAAEI,cAAc,CAAC,CAAC;;EAE5E;EACAf,SAAS,CAAC,MAAM;IACd,IAAI,CAACY,OAAO,IAAI,CAACT,YAAY,CAAC,CAAC,IAAIW,aAAa,CAACI,OAAO,EAAE;MACxD;IACF;IAEAJ,aAAa,CAACI,OAAO,GAAG,IAAI;IAE5B,IAAIH,cAAc,EAAE;MAClBE,QAAQ,CAAC,CAAC;IACZ,CAAC,MAAM;MACL;MACAP,gBAAgB,GAAG,CAAC;IACtB;EACF,CAAC,EAAE,CAACE,OAAO,EAAEK,QAAQ,EAAEF,cAAc,EAAEL,gBAAgB,CAAC,CAAC;EAEzD,OAAO;IACLO,QAAQ;IACRO,UAAU,EAAEX,aAAa,CAACK,OAAO;IACjCF,gBAAgB,EAAED;EACpB,CAAC;AACH;AAEA,SAASZ,YAAY","ignoreList":[]}

package/lib/typescript/commonjs/core/mixins/OxyServices.fedcm.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OxyServices.fedcm.d.ts","sourceRoot":"","sources":["../../../../../src/core/mixins/OxyServices.fedcm.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,KAAK,CAAC;CACpD;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,SAAS,OAAO,eAAe,EAAE,IAAI,EAAE,CAAC;kBAEtD,GAAG,EAAE;QAc5B;;WAEG;4BACiB,OAAO;QAI3B;;;;;;;;;;;;;;;;;;;;;;;WAuBG;kCAC4B,gBAAgB,GAAQ,OAAO,CAAC,oBAAoB,CAAC;QA2CpF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA6BG;iCAC4B,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;QAiCnE;;;;WAIG;2CAC6C;YAC9C,SAAS,EAAE,MAAM,CAAC;YAClB,QAAQ,EAAE,MAAM,CAAC;YACjB,KAAK,EAAE,MAAM,CAAC;YACd,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,SAAS,CAAC,EAAE,QAAQ,GAAG,UAAU,GAAG,UAAU,CAAC;SAChD,GAAG,OAAO,CAAC;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC;QA+BrC;;;;;;;WAOG;2CAC6C,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;QAStF;;;;;WAKG;iCAC4B,OAAO,CAAC,IAAI,CAAC;QAmB5C;;;;WAIG;0BACe,WAAW;QAQ7B;;;;WAIG;yBACqB,MAAM;QAQ9B;;;;WAIG;uBACmB,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAhH3B,CAAF;sBAEM,CAAC;yBAA6B,CAAC;;;;;;iBAgH/B,CAAC;qBAEJ,CAAD;;;;iCA3Q2C,gCAAgC;4BACrC,KAAK;IAE5C;;OAEG;wBACwB,OAAO;;MAwQnC;AAGD,OAAO,EAAE,qBAAqB,IAAI,UAAU,EAAE,CAAC"}
+{"version":3,"file":"OxyServices.fedcm.d.ts","sourceRoot":"","sources":["../../../../../src/core/mixins/OxyServices.fedcm.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,KAAK,CAAC;CACpD;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,SAAS,OAAO,eAAe,EAAE,IAAI,EAAE,CAAC;kBAEtD,GAAG,EAAE;QAc5B;;WAEG;4BACiB,OAAO;QAI3B;;;;;;;;;;;;;;;;;;;;;;;WAuBG;kCAC4B,gBAAgB,GAAQ,OAAO,CAAC,oBAAoB,CAAC;QA2CpF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA6BG;iCAC4B,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;QAiCnE;;;;WAIG;2CAC6C;YAC9C,SAAS,EAAE,MAAM,CAAC;YAClB,QAAQ,EAAE,MAAM,CAAC;YACjB,KAAK,EAAE,MAAM,CAAC;YACd,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,SAAS,CAAC,EAAE,QAAQ,GAAG,UAAU,GAAG,UAAU,CAAC;SAChD,GAAG,OAAO,CAAC;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC;QA+BrC;;;;;;;WAOG;2CAC6C,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;QAStF;;;;;WAKG;iCAC4B,OAAO,CAAC,IAAI,CAAC;QAmB5C;;;;WAIG;0BACe,WAAW;QAQ7B;;;;WAIG;yBACqB,MAAM;QAQ9B;;;;WAIG;uBACmB,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAhH3B,CAAF;sBAEM,CAAC;yBAA6B,CAAC;;;;;;iBAgHzB,CAAA;qBAEN,CAAC;;;;iCA3QsC,gCAAgC;4BACrC,KAAK;IAE5C;;OAEG;wBACwB,OAAO;;MAwQnC;AAGD,OAAO,EAAE,qBAAqB,IAAI,UAAU,EAAE,CAAC"}

package/lib/typescript/commonjs/ui/components/OxySignInButton.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OxySignInButton.d.ts","sourceRoot":"","sources":["../../../../../src/ui/components/OxySignInButton.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,EAA4C,KAAK,SAAS,EAAE,KAAK,SAAS,EAAE,KAAK,SAAS,EAAY,MAAM,cAAc,CAAC;AAIlI,MAAM,WAAW,oBAAoB;IACjC;;;OAGG;IACH,OAAO,CAAC,EAAE,SAAS,GAAG,SAAS,GAAG,WAAW,CAAC;IAE9C;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IAErB;;OAEG;IACH,KAAK,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IAE7B;;OAEG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IAEjC;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,eAAe,EAAE,KAAK,CAAC,EAAE,CAAC,oBAAoB,CA8E1D,CAAC;AA8DF,eAAe,eAAe,CAAC"}
+{"version":3,"file":"OxySignInButton.d.ts","sourceRoot":"","sources":["../../../../../src/ui/components/OxySignInButton.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAE/B,OAAO,EAA4C,KAAK,SAAS,EAAE,KAAK,SAAS,EAAE,KAAK,SAAS,EAAY,MAAM,cAAc,CAAC;AAIlI,MAAM,WAAW,oBAAoB;IACjC;;;OAGG;IACH,OAAO,CAAC,EAAE,SAAS,GAAG,SAAS,GAAG,WAAW,CAAC;IAE9C;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IAErB;;OAEG;IACH,KAAK,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IAE7B;;OAEG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IAEjC;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,eAAe,EAAE,KAAK,CAAC,EAAE,CAAC,oBAAoB,CAoF1D,CAAC;AA8DF,eAAe,eAAe,CAAC"}

package/lib/typescript/commonjs/ui/components/WebOxyProvider.d.ts

@@ -3,10 +3,12 @@
  *
  * This provider is specifically for web environments and doesn't include
  * React Native-specific dependencies. It provides:
- * - Automatic cross-domain SSO via hidden iframe
+ * - Automatic cross-domain SSO via FedCM (Chrome 108+, Safari 16.4+, Edge 108+)
  * - Session management
  * - All useOxy/useAuth functionality
  *
+ * Zero-config: Just wrap your app and SSO works automatically across domains.
+ *
  * Usage:
  * ```tsx
  * import { WebOxyProvider, useAuth } from '@oxyhq/services';
@@ -18,6 +20,12 @@
  *     </WebOxyProvider>
  *   );
  * }
+ *
+ * function LoginButton() {
+ *   const { isAuthenticated, signIn, user } = useAuth();
+ *   if (isAuthenticated) return <span>Welcome, {user?.username}!</span>;
+ *   return <button onClick={() => signIn()}>Sign In</button>;
+ * }
  * ```
  */
 import { type FC, type ReactNode } from 'react';
@@ -34,7 +42,8 @@ export interface WebOxyProviderProps {
  * OxyProvider for web applications
  *
  * Features:
- * - Automatic cross-domain SSO (checks auth.oxy.so/auth/silent on mount)
+ * - Automatic cross-domain SSO via FedCM (browser-native identity API)
+ * - Works across different TLDs (alia.onl, mention.earth, homiio.com, etc.)
  * - Session persistence in localStorage
  * - TanStack Query for data fetching
  * - No React Native dependencies

package/lib/typescript/commonjs/ui/components/WebOxyProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"WebOxyProvider.d.ts","sourceRoot":"","sources":["../../../../../src/ui/components/WebOxyProvider.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAA+B,KAAK,EAAE,EAAE,KAAK,SAAS,EAAE,MAAM,OAAO,CAAC;AAG7E,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAGzD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,IAAI,CAAC;IACxC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,UAAU,CAAC,OAAO,iBAAiB,CAAC,CAAC;CACpD;AAED;;;;;;;;GAQG;AACH,QAAA,MAAM,cAAc,EAAE,EAAE,CAAC,mBAAmB,CA2D3C,CAAC;AAEF,eAAe,cAAc,CAAC"}
+{"version":3,"file":"WebOxyProvider.d.ts","sourceRoot":"","sources":["../../../../../src/ui/components/WebOxyProvider.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAA+B,KAAK,EAAE,EAAE,KAAK,SAAS,EAAE,MAAM,OAAO,CAAC;AAG7E,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAGzD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,IAAI,CAAC;IACxC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,UAAU,CAAC,OAAO,iBAAiB,CAAC,CAAC;CACpD;AAED;;;;;;;;;GASG;AACH,QAAA,MAAM,cAAc,EAAE,EAAE,CAAC,mBAAmB,CA2D3C,CAAC;AAEF,eAAe,cAAc,CAAC"}

package/lib/typescript/commonjs/ui/hooks/useAuth.d.ts

@@ -16,6 +16,11 @@
  *   return <Welcome user={user} />;
  * }
  * ```
+ *
+ * Cross-domain SSO:
+ * - Web: Automatic via FedCM (Chrome 108+, Safari 16.4+)
+ * - Native: Automatic via shared Keychain/Account Manager
+ * - Manual sign-in: signIn() opens popup (web) or auth sheet (native)
  */
 import { useOxy } from '../context/OxyContext';
 import type { User } from '../../models/interfaces';
@@ -33,9 +38,9 @@ export interface AuthState {
 }
 export interface AuthActions {
     /**
-     * Sign in with cryptographic identity
-     * On native: Uses device keychain
-     * On web: Opens auth popup/redirect
+     * Sign in
+     * - Web: Opens popup to auth.oxy.so (no public key needed)
+     * - Native: Uses cryptographic identity from keychain
      */
     signIn: (publicKey?: string) => Promise<User>;
     /**

package/lib/typescript/commonjs/ui/hooks/useAuth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useAuth.d.ts","sourceRoot":"","sources":["../../../../../src/ui/hooks/useAuth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,yBAAyB,CAAC;AAEpD,MAAM,WAAW,SAAS;IACxB,4DAA4D;IAC5D,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAElB,oCAAoC;IACpC,eAAe,EAAE,OAAO,CAAC;IAEzB,4DAA4D;IAC5D,SAAS,EAAE,OAAO,CAAC;IAEnB,oDAAoD;IACpD,OAAO,EAAE,OAAO,CAAC;IAEjB,oCAAoC;IACpC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,MAAM,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9C;;OAEG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7B;;OAEG;IACH,UAAU,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhC;;OAEG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,aAAc,SAAQ,SAAS,EAAE,WAAW;IAC3D,6DAA6D;IAC7D,WAAW,EAAE,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;CACvD;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA4EvC;AAGD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC"}
+{"version":3,"file":"useAuth.d.ts","sourceRoot":"","sources":["../../../../../src/ui/hooks/useAuth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,yBAAyB,CAAC;AAGpD,MAAM,WAAW,SAAS;IACxB,4DAA4D;IAC5D,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAElB,oCAAoC;IACpC,eAAe,EAAE,OAAO,CAAC;IAEzB,4DAA4D;IAC5D,SAAS,EAAE,OAAO,CAAC;IAEnB,oDAAoD;IACpD,OAAO,EAAE,OAAO,CAAC;IAEjB,oCAAoC;IACpC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,MAAM,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9C;;OAEG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7B;;OAEG;IACH,UAAU,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhC;;OAEG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,aAAc,SAAQ,SAAS,EAAE,WAAW;IAC3D,6DAA6D;IAC7D,WAAW,EAAE,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;CACvD;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CAoGvC;AAGD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC"}

package/lib/typescript/commonjs/ui/hooks/useWebSSO.d.ts

@@ -1,34 +1,56 @@
 /**
  * Web SSO Hook
  *
- * Automatically handles cross-domain SSO for web apps.
- * Uses the OxyServices.silentSignIn() method which loads a hidden iframe
- * to check for existing session at auth.oxy.so.
+ * Handles cross-domain SSO for web apps using FedCM (Federated Credential Management).
+ *
+ * FedCM is the modern, privacy-preserving standard for cross-domain identity federation.
+ * It works across completely different TLDs (alia.onl, mention.earth, homiio.com, etc.)
+ * without relying on third-party cookies.
+ *
+ * For browsers without FedCM support, users will need to click a sign-in button
+ * which triggers a popup-based authentication flow.
  *
  * This is called automatically by OxyContext on web platforms.
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API
  */
 import type { OxyServices } from '../../core/OxyServices';
 import type { SessionLoginResponse } from '../../models/session';
 interface UseWebSSOOptions {
     oxyServices: OxyServices;
     onSessionFound: (session: SessionLoginResponse) => Promise<void>;
+    onSSOUnavailable?: () => void;
     onError?: (error: Error) => void;
     enabled?: boolean;
 }
 interface UseWebSSOResult {
+    /** Manually trigger SSO check */
     checkSSO: () => Promise<SessionLoginResponse | null>;
+    /** Whether SSO check is in progress */
     isChecking: boolean;
+    /** Whether FedCM is supported in this browser */
+    isFedCMSupported: boolean;
 }
 /**
  * Check if we're running in a web browser environment (not React Native)
  */
 declare function isWebBrowser(): boolean;
 /**
- * Hook for automatic web SSO
+ * Hook for automatic cross-domain web SSO
+ *
+ * Uses FedCM (Federated Credential Management) - the modern browser-native
+ * identity federation API. This is the same technology that powers
+ * Google's cross-domain SSO (YouTube, Gmail, Maps, etc.).
+ *
+ * Key benefits:
+ * - Works across different TLDs (alia.onl ↔ mention.earth ↔ homiio.com)
+ * - No third-party cookies required
+ * - Privacy-preserving (browser mediates identity, IdP can't track)
+ * - Automatic silent sign-in after initial authentication
  *
- * Automatically checks for existing cross-domain session on mount.
- * Only runs on web platforms. Uses OxyServices.silentSignIn() internally.
+ * For browsers without FedCM (Firefox, older browsers), automatic SSO
+ * is not possible. Users will see a sign-in button instead.
  */
-export declare function useWebSSO({ oxyServices, onSessionFound, onError, enabled, }: UseWebSSOOptions): UseWebSSOResult;
+export declare function useWebSSO({ oxyServices, onSessionFound, onSSOUnavailable, onError, enabled, }: UseWebSSOOptions): UseWebSSOResult;
 export { isWebBrowser };
 //# sourceMappingURL=useWebSSO.d.ts.map

package/lib/typescript/commonjs/ui/hooks/useWebSSO.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useWebSSO.d.ts","sourceRoot":"","sources":["../../../../../src/ui/hooks/useWebSSO.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,UAAU,gBAAgB;IACxB,WAAW,EAAE,WAAW,CAAC;IACzB,cAAc,EAAE,CAAC,OAAO,EAAE,oBAAoB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjE,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IACjC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,UAAU,eAAe;IACvB,QAAQ,EAAE,MAAM,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAAC;IACrD,UAAU,EAAE,OAAO,CAAC;CACrB;AAED;;GAEG;AACH,iBAAS,YAAY,IAAI,OAAO,CAK/B;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,EACxB,WAAW,EACX,cAAc,EACd,OAAO,EACP,OAAc,GACf,EAAE,gBAAgB,GAAG,eAAe,CA2CpC;AAED,OAAO,EAAE,YAAY,EAAE,CAAC"}
+{"version":3,"file":"useWebSSO.d.ts","sourceRoot":"","sources":["../../../../../src/ui/hooks/useWebSSO.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,UAAU,gBAAgB;IACxB,WAAW,EAAE,WAAW,CAAC;IACzB,cAAc,EAAE,CAAC,OAAO,EAAE,oBAAoB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjE,gBAAgB,CAAC,EAAE,MAAM,IAAI,CAAC;IAC9B,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IACjC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,UAAU,eAAe;IACvB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAAC;IACrD,uCAAuC;IACvC,UAAU,EAAE,OAAO,CAAC;IACpB,iDAAiD;IACjD,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAED;;GAEG;AACH,iBAAS,YAAY,IAAI,OAAO,CAI/B;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,SAAS,CAAC,EACxB,WAAW,EACX,cAAc,EACd,gBAAgB,EAChB,OAAO,EACP,OAAc,GACf,EAAE,gBAAgB,GAAG,eAAe,CAiEpC;AAED,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/lib/typescript/module/core/mixins/OxyServices.fedcm.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OxyServices.fedcm.d.ts","sourceRoot":"","sources":["../../../../../src/core/mixins/OxyServices.fedcm.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,KAAK,CAAC;CACpD;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,SAAS,OAAO,eAAe,EAAE,IAAI,EAAE,CAAC;kBAEtD,GAAG,EAAE;QAc5B;;WAEG;4BACiB,OAAO;QAI3B;;;;;;;;;;;;;;;;;;;;;;;WAuBG;kCAC4B,gBAAgB,GAAQ,OAAO,CAAC,oBAAoB,CAAC;QA2CpF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA6BG;iCAC4B,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;QAiCnE;;;;WAIG;2CAC6C;YAC9C,SAAS,EAAE,MAAM,CAAC;YAClB,QAAQ,EAAE,MAAM,CAAC;YACjB,KAAK,EAAE,MAAM,CAAC;YACd,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,SAAS,CAAC,EAAE,QAAQ,GAAG,UAAU,GAAG,UAAU,CAAC;SAChD,GAAG,OAAO,CAAC;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC;QA+BrC;;;;;;;WAOG;2CAC6C,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;QAStF;;;;;WAKG;iCAC4B,OAAO,CAAC,IAAI,CAAC;QAmB5C;;;;WAIG;0BACe,WAAW;QAQ7B;;;;WAIG;yBACqB,MAAM;QAQ9B;;;;WAIG;uBACmB,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAhH3B,CAAF;sBAEM,CAAC;yBAA6B,CAAC;;;;;;iBAgH/B,CAAC;qBAEJ,CAAD;;;;iCA3Q2C,gCAAgC;4BACrC,KAAK;IAE5C;;OAEG;wBACwB,OAAO;;MAwQnC;AAGD,OAAO,EAAE,qBAAqB,IAAI,UAAU,EAAE,CAAC"}
+{"version":3,"file":"OxyServices.fedcm.d.ts","sourceRoot":"","sources":["../../../../../src/core/mixins/OxyServices.fedcm.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,KAAK,CAAC;CACpD;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,SAAS,OAAO,eAAe,EAAE,IAAI,EAAE,CAAC;kBAEtD,GAAG,EAAE;QAc5B;;WAEG;4BACiB,OAAO;QAI3B;;;;;;;;;;;;;;;;;;;;;;;WAuBG;kCAC4B,gBAAgB,GAAQ,OAAO,CAAC,oBAAoB,CAAC;QA2CpF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA6BG;iCAC4B,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;QAiCnE;;;;WAIG;2CAC6C;YAC9C,SAAS,EAAE,MAAM,CAAC;YAClB,QAAQ,EAAE,MAAM,CAAC;YACjB,KAAK,EAAE,MAAM,CAAC;YACd,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,SAAS,CAAC,EAAE,QAAQ,GAAG,UAAU,GAAG,UAAU,CAAC;SAChD,GAAG,OAAO,CAAC;YAAE,KAAK,EAAE,MAAM,CAAA;SAAE,GAAG,IAAI,CAAC;QA+BrC;;;;;;;WAOG;2CAC6C,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;QAStF;;;;;WAKG;iCAC4B,OAAO,CAAC,IAAI,CAAC;QAmB5C;;;;WAIG;0BACe,WAAW;QAQ7B;;;;WAIG;yBACqB,MAAM;QAQ9B;;;;WAIG;uBACmB,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;sBAhH3B,CAAF;sBAEM,CAAC;yBAA6B,CAAC;;;;;;iBAgHzB,CAAA;qBAEN,CAAC;;;;iCA3QsC,gCAAgC;4BACrC,KAAK;IAE5C;;OAEG;wBACwB,OAAO;;MAwQnC;AAGD,OAAO,EAAE,qBAAqB,IAAI,UAAU,EAAE,CAAC"}

package/lib/typescript/module/ui/components/OxySignInButton.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OxySignInButton.d.ts","sourceRoot":"","sources":["../../../../../src/ui/components/OxySignInButton.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAC/B,OAAO,EAA4C,KAAK,SAAS,EAAE,KAAK,SAAS,EAAE,KAAK,SAAS,EAAY,MAAM,cAAc,CAAC;AAIlI,MAAM,WAAW,oBAAoB;IACjC;;;OAGG;IACH,OAAO,CAAC,EAAE,SAAS,GAAG,SAAS,GAAG,WAAW,CAAC;IAE9C;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IAErB;;OAEG;IACH,KAAK,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IAE7B;;OAEG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IAEjC;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,eAAe,EAAE,KAAK,CAAC,EAAE,CAAC,oBAAoB,CA8E1D,CAAC;AA8DF,eAAe,eAAe,CAAC"}
+{"version":3,"file":"OxySignInButton.d.ts","sourceRoot":"","sources":["../../../../../src/ui/components/OxySignInButton.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,KAAK,MAAM,OAAO,CAAC;AAE/B,OAAO,EAA4C,KAAK,SAAS,EAAE,KAAK,SAAS,EAAE,KAAK,SAAS,EAAY,MAAM,cAAc,CAAC;AAIlI,MAAM,WAAW,oBAAoB;IACjC;;;OAGG;IACH,OAAO,CAAC,EAAE,SAAS,GAAG,SAAS,GAAG,WAAW,CAAC;IAE9C;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IAErB;;OAEG;IACH,KAAK,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IAE7B;;OAEG;IACH,SAAS,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IAEjC;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB;;;OAGG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,eAAe,EAAE,KAAK,CAAC,EAAE,CAAC,oBAAoB,CAoF1D,CAAC;AA8DF,eAAe,eAAe,CAAC"}

package/lib/typescript/module/ui/components/WebOxyProvider.d.ts

@@ -3,10 +3,12 @@
  *
  * This provider is specifically for web environments and doesn't include
  * React Native-specific dependencies. It provides:
- * - Automatic cross-domain SSO via hidden iframe
+ * - Automatic cross-domain SSO via FedCM (Chrome 108+, Safari 16.4+, Edge 108+)
  * - Session management
  * - All useOxy/useAuth functionality
  *
+ * Zero-config: Just wrap your app and SSO works automatically across domains.
+ *
  * Usage:
  * ```tsx
  * import { WebOxyProvider, useAuth } from '@oxyhq/services';
@@ -18,6 +20,12 @@
  *     </WebOxyProvider>
  *   );
  * }
+ *
+ * function LoginButton() {
+ *   const { isAuthenticated, signIn, user } = useAuth();
+ *   if (isAuthenticated) return <span>Welcome, {user?.username}!</span>;
+ *   return <button onClick={() => signIn()}>Sign In</button>;
+ * }
  * ```
  */
 import { type FC, type ReactNode } from 'react';
@@ -34,7 +42,8 @@ export interface WebOxyProviderProps {
  * OxyProvider for web applications
  *
  * Features:
- * - Automatic cross-domain SSO (checks auth.oxy.so/auth/silent on mount)
+ * - Automatic cross-domain SSO via FedCM (browser-native identity API)
+ * - Works across different TLDs (alia.onl, mention.earth, homiio.com, etc.)
  * - Session persistence in localStorage
  * - TanStack Query for data fetching
  * - No React Native dependencies

package/lib/typescript/module/ui/components/WebOxyProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"WebOxyProvider.d.ts","sourceRoot":"","sources":["../../../../../src/ui/components/WebOxyProvider.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,EAA+B,KAAK,EAAE,EAAE,KAAK,SAAS,EAAE,MAAM,OAAO,CAAC;AAG7E,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAGzD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,IAAI,CAAC;IACxC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,UAAU,CAAC,OAAO,iBAAiB,CAAC,CAAC;CACpD;AAED;;;;;;;;GAQG;AACH,QAAA,MAAM,cAAc,EAAE,EAAE,CAAC,mBAAmB,CA2D3C,CAAC;AAEF,eAAe,cAAc,CAAC"}
+{"version":3,"file":"WebOxyProvider.d.ts","sourceRoot":"","sources":["../../../../../src/ui/components/WebOxyProvider.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAA+B,KAAK,EAAE,EAAE,KAAK,SAAS,EAAE,MAAM,OAAO,CAAC;AAG7E,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAGzD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,SAAS,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,CAAC,IAAI,EAAE,GAAG,KAAK,IAAI,CAAC;IACxC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,UAAU,CAAC,OAAO,iBAAiB,CAAC,CAAC;CACpD;AAED;;;;;;;;;GASG;AACH,QAAA,MAAM,cAAc,EAAE,EAAE,CAAC,mBAAmB,CA2D3C,CAAC;AAEF,eAAe,cAAc,CAAC"}

package/lib/typescript/module/ui/hooks/useAuth.d.ts

@@ -16,6 +16,11 @@
  *   return <Welcome user={user} />;
  * }
  * ```
+ *
+ * Cross-domain SSO:
+ * - Web: Automatic via FedCM (Chrome 108+, Safari 16.4+)
+ * - Native: Automatic via shared Keychain/Account Manager
+ * - Manual sign-in: signIn() opens popup (web) or auth sheet (native)
  */
 import { useOxy } from '../context/OxyContext';
 import type { User } from '../../models/interfaces';
@@ -33,9 +38,9 @@ export interface AuthState {
 }
 export interface AuthActions {
     /**
-     * Sign in with cryptographic identity
-     * On native: Uses device keychain
-     * On web: Opens auth popup/redirect
+     * Sign in
+     * - Web: Opens popup to auth.oxy.so (no public key needed)
+     * - Native: Uses cryptographic identity from keychain
      */
     signIn: (publicKey?: string) => Promise<User>;
     /**

package/lib/typescript/module/ui/hooks/useAuth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useAuth.d.ts","sourceRoot":"","sources":["../../../../../src/ui/hooks/useAuth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,yBAAyB,CAAC;AAEpD,MAAM,WAAW,SAAS;IACxB,4DAA4D;IAC5D,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAElB,oCAAoC;IACpC,eAAe,EAAE,OAAO,CAAC;IAEzB,4DAA4D;IAC5D,SAAS,EAAE,OAAO,CAAC;IAEnB,oDAAoD;IACpD,OAAO,EAAE,OAAO,CAAC;IAEjB,oCAAoC;IACpC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,MAAM,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9C;;OAEG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7B;;OAEG;IACH,UAAU,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhC;;OAEG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,aAAc,SAAQ,SAAS,EAAE,WAAW;IAC3D,6DAA6D;IAC7D,WAAW,EAAE,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;CACvD;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CA4EvC;AAGD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC"}
+{"version":3,"file":"useAuth.d.ts","sourceRoot":"","sources":["../../../../../src/ui/hooks/useAuth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,yBAAyB,CAAC;AAGpD,MAAM,WAAW,SAAS;IACxB,4DAA4D;IAC5D,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAElB,oCAAoC;IACpC,eAAe,EAAE,OAAO,CAAC;IAEzB,4DAA4D;IAC5D,SAAS,EAAE,OAAO,CAAC;IAEnB,oDAAoD;IACpD,OAAO,EAAE,OAAO,CAAC;IAEjB,oCAAoC;IACpC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B;;;;OAIG;IACH,MAAM,EAAE,CAAC,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAE9C;;OAEG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7B;;OAEG;IACH,UAAU,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAEhC;;OAEG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,aAAc,SAAQ,SAAS,EAAE,WAAW;IAC3D,6DAA6D;IAC7D,WAAW,EAAE,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC,aAAa,CAAC,CAAC;CACvD;AAED;;;;;;;;GAQG;AACH,wBAAgB,OAAO,IAAI,aAAa,CAoGvC;AAGD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC"}

package/lib/typescript/module/ui/hooks/useWebSSO.d.ts

@@ -1,34 +1,56 @@
 /**
  * Web SSO Hook
  *
- * Automatically handles cross-domain SSO for web apps.
- * Uses the OxyServices.silentSignIn() method which loads a hidden iframe
- * to check for existing session at auth.oxy.so.
+ * Handles cross-domain SSO for web apps using FedCM (Federated Credential Management).
+ *
+ * FedCM is the modern, privacy-preserving standard for cross-domain identity federation.
+ * It works across completely different TLDs (alia.onl, mention.earth, homiio.com, etc.)
+ * without relying on third-party cookies.
+ *
+ * For browsers without FedCM support, users will need to click a sign-in button
+ * which triggers a popup-based authentication flow.
  *
  * This is called automatically by OxyContext on web platforms.
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API
  */
 import type { OxyServices } from '../../core/OxyServices';
 import type { SessionLoginResponse } from '../../models/session';
 interface UseWebSSOOptions {
     oxyServices: OxyServices;
     onSessionFound: (session: SessionLoginResponse) => Promise<void>;
+    onSSOUnavailable?: () => void;
     onError?: (error: Error) => void;
     enabled?: boolean;
 }
 interface UseWebSSOResult {
+    /** Manually trigger SSO check */
     checkSSO: () => Promise<SessionLoginResponse | null>;
+    /** Whether SSO check is in progress */
     isChecking: boolean;
+    /** Whether FedCM is supported in this browser */
+    isFedCMSupported: boolean;
 }
 /**
  * Check if we're running in a web browser environment (not React Native)
  */
 declare function isWebBrowser(): boolean;
 /**
- * Hook for automatic web SSO
+ * Hook for automatic cross-domain web SSO
+ *
+ * Uses FedCM (Federated Credential Management) - the modern browser-native
+ * identity federation API. This is the same technology that powers
+ * Google's cross-domain SSO (YouTube, Gmail, Maps, etc.).
+ *
+ * Key benefits:
+ * - Works across different TLDs (alia.onl ↔ mention.earth ↔ homiio.com)
+ * - No third-party cookies required
+ * - Privacy-preserving (browser mediates identity, IdP can't track)
+ * - Automatic silent sign-in after initial authentication
  *
- * Automatically checks for existing cross-domain session on mount.
- * Only runs on web platforms. Uses OxyServices.silentSignIn() internally.
+ * For browsers without FedCM (Firefox, older browsers), automatic SSO
+ * is not possible. Users will see a sign-in button instead.
  */
-export declare function useWebSSO({ oxyServices, onSessionFound, onError, enabled, }: UseWebSSOOptions): UseWebSSOResult;
+export declare function useWebSSO({ oxyServices, onSessionFound, onSSOUnavailable, onError, enabled, }: UseWebSSOOptions): UseWebSSOResult;
 export { isWebBrowser };
 //# sourceMappingURL=useWebSSO.d.ts.map

package/lib/typescript/module/ui/hooks/useWebSSO.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useWebSSO.d.ts","sourceRoot":"","sources":["../../../../../src/ui/hooks/useWebSSO.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,UAAU,gBAAgB;IACxB,WAAW,EAAE,WAAW,CAAC;IACzB,cAAc,EAAE,CAAC,OAAO,EAAE,oBAAoB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjE,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IACjC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,UAAU,eAAe;IACvB,QAAQ,EAAE,MAAM,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAAC;IACrD,UAAU,EAAE,OAAO,CAAC;CACrB;AAED;;GAEG;AACH,iBAAS,YAAY,IAAI,OAAO,CAK/B;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,EACxB,WAAW,EACX,cAAc,EACd,OAAO,EACP,OAAc,GACf,EAAE,gBAAgB,GAAG,eAAe,CA2CpC;AAED,OAAO,EAAE,YAAY,EAAE,CAAC"}
+{"version":3,"file":"useWebSSO.d.ts","sourceRoot":"","sources":["../../../../../src/ui/hooks/useWebSSO.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjE,UAAU,gBAAgB;IACxB,WAAW,EAAE,WAAW,CAAC;IACzB,cAAc,EAAE,CAAC,OAAO,EAAE,oBAAoB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjE,gBAAgB,CAAC,EAAE,MAAM,IAAI,CAAC;IAC9B,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IACjC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,UAAU,eAAe;IACvB,iCAAiC;IACjC,QAAQ,EAAE,MAAM,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAAC;IACrD,uCAAuC;IACvC,UAAU,EAAE,OAAO,CAAC;IACpB,iDAAiD;IACjD,gBAAgB,EAAE,OAAO,CAAC;CAC3B;AAED;;GAEG;AACH,iBAAS,YAAY,IAAI,OAAO,CAI/B;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,SAAS,CAAC,EACxB,WAAW,EACX,cAAc,EACd,gBAAgB,EAChB,OAAO,EACP,OAAc,GACf,EAAE,gBAAgB,GAAG,eAAe,CAiEpC;AAED,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/services",
-  "version": "5.18.4",
+  "version": "5.19.0",
   "description": "Reusable OxyHQ module to handle authentication, user management, karma system, device-based session management and more 🚀",
   "main": "lib/commonjs/index.js",
   "module": "lib/module/index.js",

package/src/core/mixins/OxyServices.fedcm.ts

@@ -240,7 +240,7 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
   public async exchangeIdTokenForSession(idToken: string): Promise<SessionLoginResponse> {
     return this.makeRequest<SessionLoginResponse>(
       'POST',
-      '/api/auth/fedcm/exchange',
+      '/api/fedcm/exchange',
       { id_token: idToken },
       { cache: false }
     );