@oxyhq/services 9.0.0 → 10.1.0

package/lib/typescript/module/ui/types/navigation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"navigation.d.ts","sourceRoot":"","sources":["../../../../../src/ui/types/navigation.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAClD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAKtD,YAAY,EAAE,SAAS,EAAE,CAAC;AAE1B,MAAM,WAAW,cAAc;IAC3B,SAAS,EAAE,MAAM,OAAO,CAAC;IACzB,MAAM,EAAE,MAAM,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAE5B,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IACxE,MAAM,CAAC,EAAE,MAAM,IAAI,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IACrB,eAAe,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IAG9C,KAAK,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC;IAGlC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,SAAS,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;IACrD,YAAY,CAAC,EAAE,CAAC,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,IAAI,CAAC;IAGjE,aAAa,CAAC,EAAE,SAAS,CAAC;IAG1B,QAAQ,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IAGnD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,OAAO,CAAC;IAMtB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,SAAS,CAAC;IACrB,iBAAiB,CAAC,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,CAAC;IAC5C,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;;;OAMG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,WAAW,CAAC;CAC7B"}
+{"version":3,"file":"navigation.d.ts","sourceRoot":"","sources":["../../../../../src/ui/types/navigation.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAClD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAKtD,YAAY,EAAE,SAAS,EAAE,CAAC;AAE1B,MAAM,WAAW,cAAc;IAC3B,SAAS,EAAE,MAAM,OAAO,CAAC;IACzB,MAAM,EAAE,MAAM,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAE5B,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;IACxE,MAAM,CAAC,EAAE,MAAM,IAAI,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IACrB,eAAe,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IAG9C,KAAK,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC;IAGlC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,SAAS,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;IACrD,YAAY,CAAC,EAAE,CAAC,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,KAAK,IAAI,CAAC;IAGjE,aAAa,CAAC,EAAE,SAAS,CAAC;IAG1B,QAAQ,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IAGnD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,OAAO,CAAC;IAMtB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CAC1B;AAED,MAAM,WAAW,gBAAgB;IAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,SAAS,CAAC;IACrB,iBAAiB,CAAC,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,CAAC;IAC5C,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;;;;;OAQG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,WAAW,CAAC;CAC7B"}

package/lib/typescript/module/utils/deviceFlowSignIn.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Shared, pure orchestration for completing the cross-app device-flow sign-in
+ * (the QR-code / "Open Oxy Auth" path used on native and web).
+ *
+ * THE BUG THIS FIXES (native): once another authenticated device approves the
+ * pending AuthSession, the originating client is notified (socket / poll /
+ * deep-link) with the authorized `sessionId`. Before any session-management
+ * code can use it, the client MUST exchange the secret 128-bit `sessionToken`
+ * (held only by this client, generated for THIS flow) for the first access
+ * token via `claimSessionByToken` — the device-flow equivalent of OAuth's
+ * code-for-token exchange (RFC 8628 §3.4).
+ *
+ * Skipping the claim leaves the SDK with NO bearer token, so the subsequent
+ * `switchSession` -> `getTokenBySession` (`GET /session/token/:id`) call 401s
+ * against the C1-hardened API: the session is authorized server-side but the
+ * app never becomes authenticated and the UI sits "Waiting for
+ * authorization..." forever. The web `SignInModal` already claimed first; the
+ * native `OxyAuthScreen` did not. Consolidating the claim→switch sequence here
+ * keeps both paths identical and unit-testable, and prevents future drift.
+ */
+import type { User } from '@oxyhq/core';
+/**
+ * The minimal `OxyServices` surface this orchestration needs. Kept as a
+ * structural type (rather than importing the full client) so the helper is
+ * trivially unit-testable with a stub and never pulls the RN/Expo runtime into
+ * a test bundle.
+ */
+export interface DeviceFlowClient {
+    /**
+     * Exchange the device-flow `sessionToken` for the first access + refresh
+     * token, planting them on the client. Single-use; replay is rejected by the
+     * API. No bearer required — the high-entropy `sessionToken` IS the credential.
+     */
+    claimSessionByToken: (sessionToken: string) => Promise<unknown>;
+}
+export interface CompleteDeviceFlowSignInOptions {
+    /** The OxyServices client (or any object exposing `claimSessionByToken`). */
+    oxyServices: DeviceFlowClient;
+    /** The authorized device session id, delivered by the socket / poll / link. */
+    sessionId: string;
+    /**
+     * The secret `sessionToken` generated for THIS flow and registered via
+     * `POST /auth/session/create`. Required to claim the first access token.
+     */
+    sessionToken: string;
+    /**
+     * The session-management `switchSession` from `useOxy()`. Hydrates the
+     * activated session (validates, fetches the user, persists, updates state).
+     * Runs AFTER the bearer is planted so its bearer-protected calls succeed.
+     */
+    switchSession: (sessionId: string) => Promise<User>;
+}
+/**
+ * Complete a device-flow sign-in: claim the first access token with the secret
+ * `sessionToken` (planting the bearer), then hydrate the session via
+ * `switchSession`. Returns the authenticated user.
+ *
+ * Throws if either the claim or the switch fails; callers surface a retry UI.
+ */
+export declare function completeDeviceFlowSignIn({ oxyServices, sessionId, sessionToken, switchSession, }: CompleteDeviceFlowSignInOptions): Promise<User>;
+//# sourceMappingURL=deviceFlowSignIn.d.ts.map

package/lib/typescript/module/utils/deviceFlowSignIn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deviceFlowSignIn.d.ts","sourceRoot":"","sources":["../../../../src/utils/deviceFlowSignIn.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAExC;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;;OAIG;IACH,mBAAmB,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CACjE;AAED,MAAM,WAAW,+BAA+B;IAC9C,6EAA6E;IAC7E,WAAW,EAAE,gBAAgB,CAAC;IAC9B,+EAA+E;IAC/E,SAAS,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,aAAa,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrD;AAED;;;;;;GAMG;AACH,wBAAsB,wBAAwB,CAAC,EAC7C,WAAW,EACX,SAAS,EACT,YAAY,EACZ,aAAa,GACd,EAAE,+BAA+B,GAAG,OAAO,CAAC,IAAI,CAAC,CAOjD"}

package/lib/typescript/module/utils/silentGuardKey.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Shared, pure helpers for building the `origin|baseURL` signature used as the
+ * module-level run-once guard key for cold-boot silent-SSO probes
+ * (`silentColdBootKey` in `OxyContext`, `ssoSignature` in `useWebSSO`).
+ *
+ * NATIVE SAFETY (the bug this fixes): React Native aliases a global `window`
+ * (it points at the JS global object), so `typeof window !== 'undefined'` is
+ * `true` on native — but `window.location` is `undefined`. Reading
+ * `window.location.origin` after only a `typeof window` check therefore throws
+ * `TypeError: Cannot read property 'origin' of undefined` on native. Because
+ * the key is built UNCONDITIONALLY at the top of the cold-boot path (before its
+ * try/catch), that throw escaped session restore entirely and broke
+ * cross-session restore on native. Both prior copies of the guard had the same
+ * insufficient `typeof window` check and were prone to drift, so the read is
+ * consolidated here behind a guard that also verifies `window.location`.
+ */
+/**
+ * Read `window.location.origin` safely on every platform.
+ *
+ * Returns the browser origin on web, and the sentinel `'no-origin'` anywhere
+ * `window.location` is absent (React Native, SSR/Node). Never throws.
+ */
+export declare function safeWindowOrigin(): string;
+/**
+ * Build the stable `origin|baseURL` signature for the silent-SSO run-once
+ * guard. Two providers pointed at the same API from the same origin share one
+ * attempt. `getBaseURL` is invoked defensively (it may be absent or throw on a
+ * partially-initialised client); any failure degrades to an empty baseURL.
+ */
+export declare function buildSilentGuardKey(getBaseURL?: () => string | undefined): string;
+//# sourceMappingURL=silentGuardKey.d.ts.map

package/lib/typescript/module/utils/silentGuardKey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"silentGuardKey.d.ts","sourceRoot":"","sources":["../../../../src/utils/silentGuardKey.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH;;;;;GAKG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAKzC;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,CAAC,EAAE,MAAM,MAAM,GAAG,SAAS,GAAG,MAAM,CASjF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oxyhq/services",
-  "version": "9.0.0",
+  "version": "10.1.0",
   "description": "OxyHQ Expo/React Native SDK — UI components, screens, and native features",
   "main": "lib/commonjs/index.js",
   "module": "lib/module/index.js",
@@ -160,7 +160,7 @@
   "peerDependencies": {
     "@expo/vector-icons": "^15.0.3",
     "@oxyhq/bloom": ">=0.5.0",
-    "@oxyhq/core": "^3.0.0",
+    "@oxyhq/core": "^3.2.0",
     "@react-native-community/netinfo": "^11.4.1",
     "@tanstack/query-async-storage-persister": "^5.100",
     "@tanstack/query-sync-storage-persister": "^5.100",

package/src/ui/components/OxyProvider.tsx

@@ -103,7 +103,7 @@ const OxyProvider: FC<OxyProviderProps> = ({
     children,
     onAuthStateChange,
     storageKeyPrefix,
-    appName,
+    clientId,
     baseURL,
     authWebUrl,
     authRedirectUri,
@@ -297,7 +297,7 @@ const OxyProvider: FC<OxyProviderProps> = ({
                     authWebUrl={authWebUrl}
                     authRedirectUri={authRedirectUri}
                     storageKeyPrefix={storageKeyPrefix}
-                    appName={appName}
+                    clientId={clientId}
                     onAuthStateChange={onAuthStateChange as OxyContextProviderProps['onAuthStateChange']}
                 >
                     {children}

package/src/ui/components/SignInModal.tsx

@@ -35,6 +35,7 @@ import { Loading } from '@oxyhq/bloom/loading';
 import { useOxy } from '../context/OxyContext';
 import OxyLogo from './OxyLogo';
 import { createDebugLogger } from '@oxyhq/core';
+import { completeDeviceFlowSignIn } from '../../utils/deviceFlowSignIn';
 
 const debug = createDebugLogger('SignInModal');
 
@@ -93,7 +94,7 @@ const SignInModal: React.FC = () => {
 
     const insets = useSafeAreaInsets();
     const theme = useTheme();
-    const { oxyServices, switchSession, appName } = useOxy();
+    const { oxyServices, switchSession, clientId } = useOxy();
 
     const socketRef = useRef<Socket | null>(null);
     const pollingIntervalRef = useRef<ReturnType<typeof setInterval> | null>(null);
@@ -153,16 +154,18 @@ const SignInModal: React.FC = () => {
         isProcessingRef.current = true;
 
         try {
-            // Plant the bearer + refresh tokens for this newly-authorized
-            // session. Single-use — replay attempts on this sessionToken
-            // are rejected by the API.
-            await oxyServices.claimSessionByToken(sessionToken);
-
-            // Now the SDK has a bearer token, the normal session
-            // management path can hydrate state from the sessionId.
-            if (switchSession) {
-                await switchSession(sessionId);
+            // Claim the first access token with the secret sessionToken, then
+            // hydrate the session. Shared with the native `OxyAuthScreen` via
+            // `completeDeviceFlowSignIn` so the two paths cannot drift.
+            if (!switchSession) {
+                throw new Error('Session management unavailable');
             }
+            await completeDeviceFlowSignIn({
+                oxyServices,
+                sessionId,
+                sessionToken,
+                switchSession,
+            });
 
             hideSignInModal();
         } catch (err) {
@@ -266,6 +269,17 @@ const SignInModal: React.FC = () => {
         setError(null);
         isProcessingRef.current = false;
 
+        // The cross-app device sign-in flow identifies the requesting app by its
+        // real registered OAuth client id (ApplicationCredential publicKey).
+        // Without it the API cannot resolve the consent identity, so we fail
+        // fast with a clear configuration error rather than creating a session
+        // the server would reject.
+        if (!clientId) {
+            setError('This app is not configured for sign-in (missing clientId).');
+            setIsLoading(false);
+            return;
+        }
+
         try {
             const sessionToken = generateSessionToken();
             const expiresAt = Date.now() + AUTH_SESSION_EXPIRY_MS;
@@ -273,7 +287,7 @@ const SignInModal: React.FC = () => {
             await oxyServices.makeRequest('POST', '/auth/session/create', {
                 sessionToken,
                 expiresAt,
-                appId: appName,
+                clientId,
             }, { cache: false });
 
             setAuthSession({ sessionToken, expiresAt });
@@ -284,7 +298,7 @@ const SignInModal: React.FC = () => {
         } finally {
             setIsLoading(false);
         }
-    }, [oxyServices, connectSocket, appName]);
+    }, [oxyServices, connectSocket, clientId]);
 
     // Generate a cryptographically random session token.
     // 16 random bytes -> 32 hex chars (128 bits of entropy) — unguessable.

package/src/ui/context/OxyContext.tsx

@@ -42,7 +42,6 @@ import { useDeviceManagement } from '../hooks/useDeviceManagement';
 import { getStorageKeys, createPlatformStorage, type StorageInterface } from '../utils/storageHelpers';
 import { isInvalidSessionError, isTimeoutOrNetworkError } from '../utils/errorHandlers';
 import { readActiveAuthuser, writeActiveAuthuser } from '../utils/activeAuthuser';
-import { resolveAppDisplayName } from '../utils/appName';
 import type { RouteName } from '../navigation/routes';
 import { showBottomSheet as globalShowBottomSheet } from '../navigation/bottomSheetManager';
 import { useQueryClient } from '@tanstack/react-query';
@@ -51,6 +50,7 @@ import { useAvatarPicker } from '../hooks/useAvatarPicker';
 import { useAccountStore } from '../stores/accountStore';
 import { logger as loggerUtil } from '@oxyhq/core';
 import { useWebSSO, isWebBrowser } from '../hooks/useWebSSO';
+import { buildSilentGuardKey } from '../../utils/silentGuardKey';
 
 export interface OxyContextState {
   user: User | null;
@@ -97,7 +97,7 @@ export interface OxyContextState {
   // Session management
   logout: (targetSessionId?: string) => Promise<void>;
   logoutAll: () => Promise<void>;
-  switchSession: (sessionId: string) => Promise<void>;
+  switchSession: (sessionId: string) => Promise<User>;
   removeSession: (sessionId: string) => Promise<void>;
   refreshSessions: () => Promise<void>;
   setLanguage: (languageId: string) => Promise<void>;
@@ -116,12 +116,16 @@ export interface OxyContextState {
   clearAllAccountData: () => Promise<void>;
   storageKeyPrefix: string;
   /**
-   * Resolved human-readable app display name surfaced on the central Oxy
-   * sign-in / consent experience (e.g. "Mention wants to access your Oxy
-   * account"). Always non-empty — derived from the `appName` prop, then
-   * `storageKeyPrefix`, then `document.title` (web), then the platform.
+   * The app's Oxy OAuth client id / ApplicationCredential publicKey, as
+   * supplied via the `clientId` prop. Required for the cross-app device
+   * sign-in flow: the sign-in components send it to
+   * `POST /auth/session/create` so the API can identify the requesting app by
+   * its real registered client id (the consent identity is then resolved
+   * server-side and shown by the central auth web). `null` when the consuming
+   * app did not configure a client id — the device sign-in flow surfaces a
+   * configuration error in that case.
    */
-  appName: string;
+  clientId: string | null;
   oxyServices: OxyServices;
   useFollow?: UseFollowHook;
   showBottomSheet?: (screenOrConfig: RouteName | { screen: RouteName; props?: Record<string, unknown> }) => void;
@@ -149,10 +153,10 @@ export interface OxyContextProviderProps {
   authRedirectUri?: string;
   storageKeyPrefix?: string;
   /**
-   * Human-readable name of the consuming app shown on the central Oxy
-   * sign-in / consent experience. See {@link OxyContextState.appName}.
+   * The app's Oxy OAuth client id / ApplicationCredential publicKey; required
+   * for the cross-app device sign-in flow. See {@link OxyContextState.clientId}.
    */
-  appName?: string;
+  clientId?: string;
   onAuthStateChange?: (user: User | null) => void;
   onError?: (error: ApiError) => void;
 }
@@ -181,14 +185,15 @@ const servicesSilentAttempted = new Set<string>();
  * Build the `origin|baseURL` signature used as the silent-cold-boot guard key.
  */
 function silentColdBootKey(oxyServices: OxyServices): string {
-  const origin = typeof window !== 'undefined' ? window.location.origin : 'no-origin';
-  let baseURL = '';
-  try {
-    baseURL = oxyServices.getBaseURL?.() ?? '';
-  } catch {
-    baseURL = '';
-  }
-  return `${origin}|${baseURL}`;
+  // `buildSilentGuardKey` reads `window.location.origin` behind a guard that
+  // also verifies `window.location` exists. This is critical: it runs
+  // UNCONDITIONALLY at the top of `restoreSessionsFromStorage` (before the
+  // cold-boot try/catch) on EVERY platform, and React Native aliases a global
+  // `window` with NO `window.location`. Without that guard the read threw
+  // `Cannot read property 'origin' of undefined` on native, escaping the
+  // restore path so `markAuthResolved` never ran and stored-session restore was
+  // never reached.
+  return buildSilentGuardKey(() => oxyServices.getBaseURL?.());
 }
 
 /**
@@ -258,7 +263,12 @@ const COLD_BOOT_OVERALL_DEADLINE = 20000;
  * off-browser.
  */
 function isSameSiteIdP(idpOrigin: string): boolean {
-  if (typeof window === 'undefined') return false;
+  // Native defines a global `window` but no `window.location`; guard the
+  // latter so reading `.hostname` can never throw off-browser. (Only reachable
+  // from the web-only visibility check, but kept robust for parity.)
+  if (typeof window === 'undefined' || typeof window.location === 'undefined') {
+    return false;
+  }
   let idpHostname: string;
   try {
     idpHostname = new URL(idpOrigin).hostname;
@@ -314,7 +324,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   authWebUrl,
   authRedirectUri,
   storageKeyPrefix = 'oxy_session',
-  appName: appNameProp,
+  clientId: clientIdProp,
   onAuthStateChange,
   onError,
 }) => {
@@ -424,13 +434,16 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
 
   const storageKeys = useMemo(() => getStorageKeys(storageKeyPrefix), [storageKeyPrefix]);
 
-  // Human-readable app display name for the central sign-in / consent UI.
-  // Derived once from the consumer config; never "web" unless the app supplies
-  // no name, no custom prefix, and no document title.
-  const appName = useMemo(
-    () => resolveAppDisplayName(appNameProp, storageKeyPrefix),
-    [appNameProp, storageKeyPrefix],
-  );
+  // The app's Oxy OAuth client id surfaced on the context so the cross-app
+  // device sign-in components (SignInModal / OxyAuthScreen) can identify the
+  // requesting app to `POST /auth/session/create`. Normalized to a trimmed
+  // non-empty string, or `null` when the consumer did not configure one — the
+  // sign-in components surface a clear configuration error in that case rather
+  // than falling back to any display string.
+  const clientId = useMemo(() => {
+    const trimmed = clientIdProp?.trim();
+    return trimmed ? trimmed : null;
+  }, [clientIdProp]);
 
   // Storage initialization.
   //
@@ -1542,8 +1555,12 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
   });
 
   const switchSessionForContext = useCallback(
-    async (sessionId: string): Promise<void> => {
-      await switchSession(sessionId);
+    async (sessionId: string): Promise<User> => {
+      // Propagate the activated user so callers (the device-flow sign-in,
+      // `useSwitchSession`'s cache write, account chooser) receive it. The
+      // underlying session-management `switchSession` already resolves the
+      // `User`; the previous `Promise<void>` wrapper discarded it.
+      return switchSession(sessionId);
     },
     [switchSession],
   );
@@ -1666,7 +1683,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     clearSessionState,
     clearAllAccountData,
     storageKeyPrefix,
-    appName,
+    clientId,
     oxyServices,
     useFollow: useFollowHook,
     showBottomSheet: showBottomSheetForContext,
@@ -1695,7 +1712,7 @@ export const OxyProvider: React.FC<OxyContextProviderProps> = ({
     logoutAllDeviceSessions,
     oxyServices,
     storageKeyPrefix,
-    appName,
+    clientId,
     refreshSessionsWithUser,
     sessions,
     setLanguage,
@@ -1763,7 +1780,7 @@ const LOADING_STATE: OxyContextState = {
   handlePopupSession: () => rejectMissingProvider<void>(),
   logout: () => rejectMissingProvider<void>(),
   logoutAll: () => rejectMissingProvider<void>(),
-  switchSession: () => rejectMissingProvider<void>(),
+  switchSession: () => rejectMissingProvider<User>(),
   removeSession: () => rejectMissingProvider<void>(),
   refreshSessions: () => rejectMissingProvider<void>(),
   setLanguage: () => rejectMissingProvider<void>(),
@@ -1773,7 +1790,7 @@ const LOADING_STATE: OxyContextState = {
   clearSessionState: () => rejectMissingProvider<void>(),
   clearAllAccountData: () => rejectMissingProvider<void>(),
   storageKeyPrefix: 'oxy_session',
-  appName: resolveAppDisplayName(undefined, undefined),
+  clientId: null,
   oxyServices: LOADING_STATE_OXY_SERVICES,
   openAvatarPicker: () => {},
   actingAs: null,

package/src/ui/hooks/useWebSSO.ts

@@ -18,6 +18,7 @@
 import { useEffect, useRef, useCallback } from 'react';
 import type { OxyServices } from '@oxyhq/core';
 import type { SessionLoginResponse } from '@oxyhq/core';
+import { buildSilentGuardKey } from '../../utils/silentGuardKey';
 
 interface UseWebSSOOptions {
   oxyServices: OxyServices;
@@ -58,14 +59,12 @@ const silentSSOAttempted = new Set<string>();
  * pointed at the same API from the same origin share one attempt.
  */
 function ssoSignature(oxyServices: OxyServices): string {
-  const origin = typeof window !== 'undefined' ? window.location.origin : 'no-origin';
-  let baseURL = '';
-  try {
-    baseURL = oxyServices.getBaseURL?.() ?? '';
-  } catch {
-    baseURL = '';
-  }
-  return `${origin}|${baseURL}`;
+  // Shared with `OxyContext.silentColdBootKey`. `buildSilentGuardKey` reads
+  // `window.location.origin` behind a guard that also verifies
+  // `window.location` exists — React Native aliases a global `window` with NO
+  // `window.location`, so a `typeof window`-only check would throw
+  // `Cannot read property 'origin' of undefined` off-browser.
+  return buildSilentGuardKey(() => oxyServices.getBaseURL?.());
 }
 
 /**

package/src/ui/screens/OxyAuthScreen.tsx

@@ -30,6 +30,7 @@ import { useOxy } from '../context/OxyContext';
 import QRCode from 'react-native-qrcode-svg';
 import OxyLogo from '../components/OxyLogo';
 import { createDebugLogger } from '@oxyhq/core';
+import { completeDeviceFlowSignIn } from '../../utils/deviceFlowSignIn';
 
 const debug = createDebugLogger('OxyAuthScreen');
 
@@ -119,7 +120,7 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
   theme,
 }) => {
   const bloomTheme = useTheme();
-  const { oxyServices, signIn, switchSession, appName } = useOxy();
+  const { oxyServices, switchSession, clientId } = useOxy();
 
   const [authSession, setAuthSession] = useState<AuthSession | null>(null);
   const [isLoading, setIsLoading] = useState(true);
@@ -132,25 +133,42 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
   const isProcessingRef = useRef(false);
   const linkingHandledRef = useRef(false);
 
-  // Handle successful authorization
-  const handleAuthSuccess = useCallback(async (sessionId: string) => {
+  // Handle successful authorization.
+  //
+  // The auth-session socket / poll (or deep-link return) hands us the
+  // authorized `sessionId`. Before any session-management code can touch it we
+  // MUST first exchange the secret `sessionToken` (held only by this client,
+  // generated for THIS flow) for the first access token via
+  // `claimSessionByToken` — the device-flow equivalent of OAuth's
+  // code-for-token exchange (RFC 8628 §3.4).
+  //
+  // Without that exchange the SDK has no bearer token, so the subsequent
+  // `switchSession` -> `getTokenBySession` call (`GET /session/token/:id`) 401s
+  // against the C1-hardened API — the session is authorized server-side but the
+  // app never becomes authenticated and the sheet sits "Waiting for
+  // authorization..." forever. Once `claimSessionByToken` plants the tokens in
+  // the HttpService, the rest of the session wiring flows through the normal
+  // `switchSession` path. This mirrors `SignInModal`'s web flow exactly.
+  const handleAuthSuccess = useCallback(async (sessionId: string, sessionToken: string) => {
     if (isProcessingRef.current) return;
     isProcessingRef.current = true;
 
     try {
-      // Switch to the new session (this will get token, user data, and update state)
-      if (switchSession) {
-        const user = await switchSession(sessionId);
-        if (onAuthenticated) {
-          onAuthenticated(user);
-        }
-      } else {
-        // Fallback if switchSession not available (shouldn't happen, but for safety)
-        await oxyServices.getTokenBySession(sessionId);
-        const user = await oxyServices.getUserBySession(sessionId);
-        if (onAuthenticated) {
-          onAuthenticated(user);
-        }
+      // Claim the first access token with the secret sessionToken, then
+      // hydrate the session. The claim step is what the native screen was
+      // previously missing — see `completeDeviceFlowSignIn`. `switchSession`
+      // is always provided by the context here; the helper requires it.
+      if (!switchSession) {
+        throw new Error('Session management unavailable');
+      }
+      const user = await completeDeviceFlowSignIn({
+        oxyServices,
+        sessionId,
+        sessionToken,
+        switchSession,
+      });
+      if (onAuthenticated) {
+        onAuthenticated(user);
       }
     } catch (err) {
       debug.error('Error completing auth:', err);
@@ -189,7 +207,9 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
 
       if (payload.status === 'authorized' && payload.sessionId) {
         cleanup();
-        handleAuthSuccess(payload.sessionId);
+        // `sessionToken` is this flow's secret credential (in closure) — pass
+        // it through so `handleAuthSuccess` can claim the first access token.
+        handleAuthSuccess(payload.sessionId, sessionToken);
       } else if (payload.status === 'cancelled') {
         cleanup();
         setError('Authorization was denied.');
@@ -228,7 +248,9 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
 
         if (response.authorized && response.sessionId) {
           cleanup();
-          handleAuthSuccess(response.sessionId);
+          // Pass the original sessionToken (in closure) through; the claim
+          // exchange needs it to mint the first access token.
+          handleAuthSuccess(response.sessionId, sessionToken);
         } else if (response.status === 'cancelled') {
           cleanup();
           setError('Authorization was denied.');
@@ -264,6 +286,17 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
     setError(null);
     isProcessingRef.current = false;
 
+    // The cross-app device sign-in flow identifies the requesting app by its
+    // real registered OAuth client id (ApplicationCredential publicKey).
+    // Without it the API cannot resolve the consent identity, so we fail fast
+    // with a clear configuration error rather than creating a session the
+    // server would reject.
+    if (!clientId) {
+      setError('This app is not configured for sign-in (missing clientId).');
+      setIsLoading(false);
+      return;
+    }
+
     try {
       // Generate a unique session token for this auth request
       const sessionToken = generateSessionToken();
@@ -273,7 +306,7 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
       await oxyServices.makeRequest('POST', '/auth/session/create', {
         sessionToken,
         expiresAt,
-        appId: appName,
+        clientId,
       }, { cache: false });
 
       setAuthSession({ sessionToken, expiresAt });
@@ -286,7 +319,7 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
     } finally {
       setIsLoading(false);
     }
-  }, [oxyServices, connectSocket, appName]);
+  }, [oxyServices, connectSocket, clientId]);
 
   // Generate a random session token
   const generateSessionToken = (): string => {
@@ -368,10 +401,20 @@ const OxyAuthScreen: React.FC<BaseScreenProps> = ({
     }
 
     if (params.sessionId) {
+      // The deep-link return carries only `session_id` — the secret
+      // `sessionToken` for this flow lives in component state (generated in
+      // `generateAuthSession`). Without it we cannot claim the first access
+      // token, so the flow would 401 in `handleAuthSuccess`. If it is somehow
+      // unavailable, fall through to the socket/poll path (which carries the
+      // token in closure) rather than attempting an unauthenticated claim.
+      const flowSessionToken = authSession?.sessionToken;
+      if (!flowSessionToken) {
+        return;
+      }
       cleanup();
-      handleAuthSuccess(params.sessionId);
+      handleAuthSuccess(params.sessionId, flowSessionToken);
     }
-  }, [cleanup, handleAuthSuccess]);
+  }, [authSession, cleanup, handleAuthSuccess]);
 
   useEffect(() => {
     if (Platform.OS === 'web') {

package/src/ui/types/navigation.ts

@@ -53,13 +53,15 @@ export interface OxyProviderProps {
     onAuthStateChange?: (user: unknown) => void;
     storageKeyPrefix?: string;
     /**
-     * Human-readable name of the consuming app (e.g. "Mention", "Homiio").
-     * Surfaced on the central Oxy sign-in / consent experience as
-     * "{appName} wants to access your Oxy account". When omitted, the SDK
-     * derives a name from `storageKeyPrefix`, then `document.title` (web),
-     * falling back to the platform. Set this to guarantee correct branding.
+     * The app's Oxy OAuth client id / ApplicationCredential publicKey.
+     * Required for the cross-app device sign-in flow: the QR / popup
+     * sign-in registers a device-flow session via `POST /auth/session/create`,
+     * which now identifies the requesting app by this real registered
+     * client id. The central Oxy auth experience resolves and renders the
+     * consent identity from it server-side. Without it the device sign-in
+     * flow cannot start.
      */
-    appName?: string;
+    clientId?: string;
     baseURL?: string;
     authWebUrl?: string;
     authRedirectUri?: string;