npm - @ozura/elements - Versions diffs - 1.1.0-next.21 → 1.1.0-next.22 - Mend

@ozura/elements 1.1.0-next.21 → 1.1.0-next.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/README.md +73 -71
package/dist/oz-elements.esm.js +254 -239
package/dist/oz-elements.esm.js.map +1 -1
package/dist/oz-elements.umd.js +255 -239
package/dist/oz-elements.umd.js.map +1 -1
package/dist/react/index.cjs.js +127 -108
package/dist/react/index.cjs.js.map +1 -1
package/dist/react/index.esm.js +127 -108
package/dist/react/index.esm.js.map +1 -1
package/dist/react/react/index.d.ts +46 -29
package/dist/react/sdk/OzVault.d.ts +6 -5
package/dist/react/sdk/createSessionFetcher.d.ts +29 -0
package/dist/react/sdk/index.d.ts +6 -26
package/dist/react/server/index.d.ts +126 -74
package/dist/react/types/index.d.ts +52 -31
package/dist/server/index.cjs.js +165 -76
package/dist/server/index.cjs.js.map +1 -1
package/dist/server/index.esm.js +164 -77
package/dist/server/index.esm.js.map +1 -1
package/dist/server/sdk/OzVault.d.ts +6 -5
package/dist/server/sdk/createSessionFetcher.d.ts +29 -0
package/dist/server/sdk/index.d.ts +6 -26
package/dist/server/server/index.d.ts +126 -74
package/dist/server/types/index.d.ts +52 -31
package/dist/types/sdk/OzVault.d.ts +6 -5
package/dist/types/sdk/createSessionFetcher.d.ts +29 -0
package/dist/types/sdk/index.d.ts +6 -26
package/dist/types/server/index.d.ts +126 -74
package/dist/types/types/index.d.ts +52 -31
package/package.json +1 -1

package/dist/oz-elements.umd.js CHANGED Viewed

@@ -4,147 +4,6 @@
     (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.OzElements = {}));
 })(this, (function (exports) { 'use strict';
-    /**
-     * errors.ts — error types and normalisation for OzElements.
-     *
-     * Three normalisation functions:
-     *  - normalizeVaultError      — maps raw vault /tokenize errors to user-facing messages (card flows)
-     *  - normalizeBankVaultError   — maps raw vault /tokenize errors to user-facing messages (bank/ACH flows)
-     *  - normalizeCardSaleError    — maps raw cardSale API errors to user-facing messages
-     *
-     * Error keys in normalizeCardSaleError are taken directly from checkout's
-     * errorMapping.ts so the same error strings produce the same user-facing copy.
-     */
-    const OZ_ERROR_CODES = new Set(['network', 'timeout', 'auth', 'validation', 'server', 'config', 'unknown']);
-    /** Returns true and narrows to OzErrorCode when `value` is a valid member of the union. */
-    function isOzErrorCode(value) {
-        return typeof value === 'string' && OZ_ERROR_CODES.has(value);
-    }
-    class OzError extends Error {
-        constructor(message, raw, errorCode) {
-            super(message);
-            this.name = 'OzError';
-            this.raw = raw !== null && raw !== void 0 ? raw : message;
-            this.errorCode = errorCode !== null && errorCode !== void 0 ? errorCode : 'unknown';
-            this.retryable = this.errorCode === 'network' || this.errorCode === 'timeout' || this.errorCode === 'server';
-        }
-    }
-    /** Shared patterns that apply to both card and bank vault errors. */
-    function normalizeCommonVaultError(msg) {
-        if (msg.includes('api key') || msg.includes('unauthorized') || msg.includes('authentication') || msg.includes('forbidden')) {
-            return 'Authentication failed. Check your vault API key configuration.';
-        }
-        if (msg.includes('network') || msg.includes('failed to fetch') || msg.includes('networkerror')) {
-            return 'A network error occurred. Please check your connection and try again.';
-        }
-        if (msg.includes('timeout') || msg.includes('timed out')) {
-            return 'The request timed out. Please try again.';
-        }
-        if (msg.includes('http 5') || msg.includes('500') || msg.includes('502') || msg.includes('503')) {
-            return 'A server error occurred. Please try again shortly.';
-        }
-        return null;
-    }
-    /**
-     * Maps a raw vault /tokenize error string to a user-facing message for card flows.
-     * Falls back to the original string if no pattern matches.
-     */
-    function normalizeVaultError(raw) {
-        const msg = raw.toLowerCase();
-        if (msg.includes('card number') || msg.includes('invalid card') || msg.includes('luhn')) {
-            return 'The card number is invalid. Please check and try again.';
-        }
-        if (msg.includes('expir')) {
-            return 'The card expiration date is invalid or the card has expired.';
-        }
-        if (msg.includes('cvv') || msg.includes('cvc') || msg.includes('security code')) {
-            return 'The CVV code is invalid. Please check and try again.';
-        }
-        if (msg.includes('insufficient') || msg.includes('funds')) {
-            return 'Your card has insufficient funds. Please use a different card.';
-        }
-        if (msg.includes('declined') || msg.includes('do not honor')) {
-            return 'Your card was declined. Please try a different card or contact your bank.';
-        }
-        const common = normalizeCommonVaultError(msg);
-        if (common)
-            return common;
-        return raw;
-    }
-    /**
-     * Maps a raw vault /tokenize error string to a user-facing message for bank (ACH) flows.
-     * Uses bank-specific pattern matching so card-specific messages are never shown for
-     * bank errors. Falls back to the original string if no pattern matches.
-     */
-    function normalizeBankVaultError(raw) {
-        const msg = raw.toLowerCase();
-        if (msg.includes('account number') || msg.includes('account_number') || msg.includes('invalid account')) {
-            return 'The bank account number is invalid. Please check and try again.';
-        }
-        if (msg.includes('routing number') || msg.includes('routing_number') || msg.includes('invalid routing') || /\baba\b/.test(msg)) {
-            return 'The routing number is invalid. Please check and try again.';
-        }
-        const common = normalizeCommonVaultError(msg);
-        if (common)
-            return common;
-        return raw;
-    }
-    // ─── cardSale error map (mirrors checkout/src/utils/errorMapping.ts exactly) ─
-    const CARD_SALE_ERROR_MAP = [
-        ['Insufficient Funds', 'Your card has insufficient funds. Please use a different payment method.'],
-        ['Invalid card number', 'The card number you entered is invalid. Please check and try again.'],
-        ['Card expired', 'Your card has expired. Please use a different card.'],
-        ['CVV Verification Failed', 'The CVV code you entered is incorrect. Please check and try again.'],
-        ['Address Verification Failed', 'The billing address does not match your card. Please verify your address.'],
-        ['Do Not Honor', 'Your card was declined. Please contact your bank or use a different payment method.'],
-        ['Declined', 'Your card was declined. Please contact your bank or use a different payment method.'],
-        ['Surcharge is currently not supported', 'Surcharge fees are not supported at this time.'],
-        ['Surcharge percent must be between', 'Surcharge fees are not supported at this time.'],
-        ['Forbidden - API key', 'Authentication failed. Please refresh the page.'],
-        ['Api Key is invalid', 'Authentication failed. Please refresh the page.'],
-        ['API key not found', 'Authentication failed. Please refresh the page.'],
-        ['Access token expired', 'Your session has expired. Please refresh the page.'],
-        ['Access token is invalid', 'Authentication failed. Please refresh the page.'],
-        ['Unauthorized', 'Authentication failed. Please refresh the page.'],
-        ['Too Many Requests', 'Too many requests. Please wait a moment and try again.'],
-        ['Rate limit exceeded', 'System is busy. Please wait a moment and try again.'],
-        ['No processor integrations found', 'Payment processing is not configured for this merchant. Please contact the merchant for assistance.'],
-        ['processor integration', 'Payment processing is temporarily unavailable. Please try again later or contact the merchant.'],
-        ['Invalid zipcode', 'The ZIP code you entered is invalid. Please check and try again.'],
-        ['failed to save to database', 'Your payment was processed but we encountered an issue. Please contact support.'],
-        ['CASHBACK UNAVAIL', 'This transaction type is not supported. Please try again or use a different payment method.'],
-    ];
-    /**
-     * Maps a raw Ozura Pay API cardSale error string to a user-facing message.
-     *
-     * Uses the exact same error key table as checkout's `getUserFriendlyError()` in
-     * errorMapping.ts so both surfaces produce identical copy for the same errors.
-     *
-     * Falls back to the original string when it's under 100 characters, or to a
-     * generic message for long/opaque server errors — matching checkout's fallback
-     * behaviour exactly.
-     *
-     * **Trade-off:** Short unrecognised strings (e.g. processor codes like
-     * `"PROC_TIMEOUT"`) are passed through verbatim. This intentionally mirrors
-     * checkout so the same raw Pay API errors produce the same user-facing text on
-     * both surfaces. If the Pay API ever returns internal codes that should never
-     * reach the UI, the fix belongs in the Pay API error normalisation layer rather
-     * than here.
-     */
-    function normalizeCardSaleError(raw) {
-        if (!raw)
-            return 'Payment processing failed. Please try again.';
-        for (const [key, message] of CARD_SALE_ERROR_MAP) {
-            if (raw.toLowerCase().includes(key.toLowerCase())) {
-                return message;
-            }
-        }
-        // Checkout fallback: pass through short errors, genericise long ones
-        if (raw.length < 100)
-            return raw;
-        return 'Payment processing failed. Please try again or contact support.';
-    }
     const THEME_DEFAULT = {
         base: {
             color: '#1a1a2e',
@@ -309,6 +168,147 @@
         return mergeStyleConfigs(appearance, elementStyle);
     }
+    /**
+     * errors.ts — error types and normalisation for OzElements.
+     *
+     * Three normalisation functions:
+     *  - normalizeVaultError      — maps raw vault /tokenize errors to user-facing messages (card flows)
+     *  - normalizeBankVaultError   — maps raw vault /tokenize errors to user-facing messages (bank/ACH flows)
+     *  - normalizeCardSaleError    — maps raw cardSale API errors to user-facing messages
+     *
+     * Error keys in normalizeCardSaleError are taken directly from checkout's
+     * errorMapping.ts so the same error strings produce the same user-facing copy.
+     */
+    const OZ_ERROR_CODES = new Set(['network', 'timeout', 'auth', 'validation', 'server', 'config', 'unknown']);
+    /** Returns true and narrows to OzErrorCode when `value` is a valid member of the union. */
+    function isOzErrorCode(value) {
+        return typeof value === 'string' && OZ_ERROR_CODES.has(value);
+    }
+    class OzError extends Error {
+        constructor(message, raw, errorCode) {
+            super(message);
+            this.name = 'OzError';
+            this.raw = raw !== null && raw !== void 0 ? raw : message;
+            this.errorCode = errorCode !== null && errorCode !== void 0 ? errorCode : 'unknown';
+            this.retryable = this.errorCode === 'network' || this.errorCode === 'timeout' || this.errorCode === 'server';
+        }
+    }
+    /** Shared patterns that apply to both card and bank vault errors. */
+    function normalizeCommonVaultError(msg) {
+        if (msg.includes('api key') || msg.includes('unauthorized') || msg.includes('authentication') || msg.includes('forbidden')) {
+            return 'Authentication failed. Check your vault API key configuration.';
+        }
+        if (msg.includes('network') || msg.includes('failed to fetch') || msg.includes('networkerror')) {
+            return 'A network error occurred. Please check your connection and try again.';
+        }
+        if (msg.includes('timeout') || msg.includes('timed out')) {
+            return 'The request timed out. Please try again.';
+        }
+        if (msg.includes('http 5') || msg.includes('500') || msg.includes('502') || msg.includes('503')) {
+            return 'A server error occurred. Please try again shortly.';
+        }
+        return null;
+    }
+    /**
+     * Maps a raw vault /tokenize error string to a user-facing message for card flows.
+     * Falls back to the original string if no pattern matches.
+     */
+    function normalizeVaultError(raw) {
+        const msg = raw.toLowerCase();
+        if (msg.includes('card number') || msg.includes('invalid card') || msg.includes('luhn')) {
+            return 'The card number is invalid. Please check and try again.';
+        }
+        if (msg.includes('expir')) {
+            return 'The card expiration date is invalid or the card has expired.';
+        }
+        if (msg.includes('cvv') || msg.includes('cvc') || msg.includes('security code')) {
+            return 'The CVV code is invalid. Please check and try again.';
+        }
+        if (msg.includes('insufficient') || msg.includes('funds')) {
+            return 'Your card has insufficient funds. Please use a different card.';
+        }
+        if (msg.includes('declined') || msg.includes('do not honor')) {
+            return 'Your card was declined. Please try a different card or contact your bank.';
+        }
+        const common = normalizeCommonVaultError(msg);
+        if (common)
+            return common;
+        return raw;
+    }
+    /**
+     * Maps a raw vault /tokenize error string to a user-facing message for bank (ACH) flows.
+     * Uses bank-specific pattern matching so card-specific messages are never shown for
+     * bank errors. Falls back to the original string if no pattern matches.
+     */
+    function normalizeBankVaultError(raw) {
+        const msg = raw.toLowerCase();
+        if (msg.includes('account number') || msg.includes('account_number') || msg.includes('invalid account')) {
+            return 'The bank account number is invalid. Please check and try again.';
+        }
+        if (msg.includes('routing number') || msg.includes('routing_number') || msg.includes('invalid routing') || /\baba\b/.test(msg)) {
+            return 'The routing number is invalid. Please check and try again.';
+        }
+        const common = normalizeCommonVaultError(msg);
+        if (common)
+            return common;
+        return raw;
+    }
+    // ─── cardSale error map (mirrors checkout/src/utils/errorMapping.ts exactly) ─
+    const CARD_SALE_ERROR_MAP = [
+        ['Insufficient Funds', 'Your card has insufficient funds. Please use a different payment method.'],
+        ['Invalid card number', 'The card number you entered is invalid. Please check and try again.'],
+        ['Card expired', 'Your card has expired. Please use a different card.'],
+        ['CVV Verification Failed', 'The CVV code you entered is incorrect. Please check and try again.'],
+        ['Address Verification Failed', 'The billing address does not match your card. Please verify your address.'],
+        ['Do Not Honor', 'Your card was declined. Please contact your bank or use a different payment method.'],
+        ['Declined', 'Your card was declined. Please contact your bank or use a different payment method.'],
+        ['Surcharge is currently not supported', 'Surcharge fees are not supported at this time.'],
+        ['Surcharge percent must be between', 'Surcharge fees are not supported at this time.'],
+        ['Forbidden - API key', 'Authentication failed. Please refresh the page.'],
+        ['Api Key is invalid', 'Authentication failed. Please refresh the page.'],
+        ['API key not found', 'Authentication failed. Please refresh the page.'],
+        ['Access token expired', 'Your session has expired. Please refresh the page.'],
+        ['Access token is invalid', 'Authentication failed. Please refresh the page.'],
+        ['Unauthorized', 'Authentication failed. Please refresh the page.'],
+        ['Too Many Requests', 'Too many requests. Please wait a moment and try again.'],
+        ['Rate limit exceeded', 'System is busy. Please wait a moment and try again.'],
+        ['No processor integrations found', 'Payment processing is not configured for this merchant. Please contact the merchant for assistance.'],
+        ['processor integration', 'Payment processing is temporarily unavailable. Please try again later or contact the merchant.'],
+        ['Invalid zipcode', 'The ZIP code you entered is invalid. Please check and try again.'],
+        ['failed to save to database', 'Your payment was processed but we encountered an issue. Please contact support.'],
+        ['CASHBACK UNAVAIL', 'This transaction type is not supported. Please try again or use a different payment method.'],
+    ];
+    /**
+     * Maps a raw Ozura Pay API cardSale error string to a user-facing message.
+     *
+     * Uses the exact same error key table as checkout's `getUserFriendlyError()` in
+     * errorMapping.ts so both surfaces produce identical copy for the same errors.
+     *
+     * Falls back to the original string when it's under 100 characters, or to a
+     * generic message for long/opaque server errors — matching checkout's fallback
+     * behaviour exactly.
+     *
+     * **Trade-off:** Short unrecognised strings (e.g. processor codes like
+     * `"PROC_TIMEOUT"`) are passed through verbatim. This intentionally mirrors
+     * checkout so the same raw Pay API errors produce the same user-facing text on
+     * both surfaces. If the Pay API ever returns internal codes that should never
+     * reach the UI, the fix belongs in the Pay API error normalisation layer rather
+     * than here.
+     */
+    function normalizeCardSaleError(raw) {
+        if (!raw)
+            return 'Payment processing failed. Please try again.';
+        for (const [key, message] of CARD_SALE_ERROR_MAP) {
+            if (raw.toLowerCase().includes(key.toLowerCase())) {
+                return message;
+            }
+        }
+        // Checkout fallback: pass through short errors, genericise long ones
+        if (raw.length < 100)
+            return raw;
+        return 'Payment processing failed. Please try again or contact support.';
+    }
     /**
      * Generates a RFC 4122 v4 UUID.
      *
@@ -896,6 +896,85 @@
      */
     const PROTOCOL_VERSION = 1;
+    /**
+     * Creates a `getSessionKey` callback for `OzVault.create()` and `<OzElements>`.
+     *
+     * This is the recommended way to wire the SDK to your backend session endpoint.
+     * If you don't need custom headers or auth logic, pass `sessionUrl` directly to
+     * `OzVault.create()` or `<OzElements>` — it calls this helper internally.
+     *
+     * The callback POSTs `{ sessionId }` to `url` and reads `sessionKey` (or the
+     * legacy `waxKey`) from the JSON response, so it is compatible with both the
+     * new `createSessionMiddleware` and the old `createMintWaxMiddleware` backends.
+     *
+     * Each call enforces a **10-second timeout**. On pure network failures
+     * (offline, DNS, connection refused) the request is retried **once after 750ms**.
+     * HTTP 4xx/5xx errors are never retried — they indicate misconfiguration.
+     *
+     * @param url - Absolute or relative URL of your session endpoint, e.g. `'/api/oz-session'`.
+     *
+     * @example
+     * // Simplest — just pass sessionUrl, no need to call this directly
+     * const vault = await OzVault.create({ pubKey: 'pk_live_...', sessionUrl: '/api/oz-session' });
+     *
+     * @example
+     * // Manual — use when you need custom headers
+     * const vault = await OzVault.create({
+     *   pubKey: 'pk_live_...',
+     *   getSessionKey: createSessionFetcher('/api/oz-session'),
+     * });
+     */
+    function createSessionFetcher(url) {
+        const TIMEOUT_MS = 10000;
+        // Each attempt gets its own AbortController so a timeout on attempt 1 does
+        // not bleed into the retry.
+        const attemptFetch = (sessionId) => {
+            const controller = new AbortController();
+            const timer = setTimeout(() => controller.abort(), TIMEOUT_MS);
+            return fetch(url, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ sessionId }),
+                signal: controller.signal,
+            }).finally(() => clearTimeout(timer));
+        };
+        return async (sessionId) => {
+            let res;
+            try {
+                res = await attemptFetch(sessionId);
+            }
+            catch (firstErr) {
+                // Timeout/abort — don't retry, we already waited the full duration.
+                if (firstErr instanceof Error && (firstErr.name === 'AbortError' || firstErr.name === 'TimeoutError')) {
+                    throw new OzError(`Session endpoint timed out after ${TIMEOUT_MS / 1000}s (${url})`, undefined, 'timeout');
+                }
+                // Pure network error — retry once after a short pause.
+                await new Promise(resolve => setTimeout(resolve, 750));
+                try {
+                    res = await attemptFetch(sessionId);
+                }
+                catch (retryErr) {
+                    const msg = retryErr instanceof Error ? retryErr.message : 'Network error';
+                    throw new OzError(`Could not reach session endpoint (${url}): ${msg}`, undefined, 'network');
+                }
+            }
+            const data = await res.json().catch(() => ({}));
+            if (!res.ok) {
+                throw new OzError(typeof data.error === 'string' && data.error
+                    ? data.error
+                    : `Session endpoint returned HTTP ${res.status}`, undefined, res.status >= 500 ? 'server' : res.status === 401 || res.status === 403 ? 'auth' : 'validation');
+            }
+            // Accept both new `sessionKey` and legacy `waxKey` for backward compatibility
+            // with backends that haven't migrated to createSessionMiddleware yet.
+            const key = (typeof data.sessionKey === 'string' ? data.sessionKey : '') ||
+                (typeof data.waxKey === 'string' ? data.waxKey : '');
+            if (!key.trim()) {
+                throw new OzError('Session endpoint response is missing sessionKey. Check your /api/oz-session implementation.', undefined, 'validation');
+            }
+            return key;
+        };
+    }
     function isCardMetadata(v) {
         return !!v && typeof v === 'object' && typeof v.last4 === 'string';
     }
@@ -935,7 +1014,7 @@
          * @internal
          */
         constructor(options, waxKey, tokenizationSessionId) {
-            var _a, _b, _c, _d;
+            var _a, _b, _c, _d, _e, _f;
             this.elements = new Map();
             this.elementsByType = new Map();
             this.bankElementsByType = new Map();
@@ -969,15 +1048,16 @@
             this.fonts = (_a = options.fonts) !== null && _a !== void 0 ? _a : [];
             this.resolvedAppearance = resolveAppearance(options.appearance);
             this.vaultId = `vault-${uuid()}`;
-            this._maxTokenizeCalls = (_b = options.maxTokenizeCalls) !== null && _b !== void 0 ? _b : 3;
-            this._debug = (_c = options.debug) !== null && _c !== void 0 ? _c : false;
+            // sessionLimit takes precedence over legacy maxTokenizeCalls
+            this._maxTokenizeCalls = (_c = (_b = options.sessionLimit) !== null && _b !== void 0 ? _b : options.maxTokenizeCalls) !== null && _c !== void 0 ? _c : 3;
+            this._debug = (_d = options.debug) !== null && _d !== void 0 ? _d : false;
             this.boundHandleMessage = this.handleMessage.bind(this);
             window.addEventListener('message', this.boundHandleMessage);
             this.boundHandleVisibility = this.handleVisibilityChange.bind(this);
             document.addEventListener('visibilitychange', this.boundHandleVisibility);
             this.mountTokenizerFrame();
             if (options.onLoadError) {
-                const timeout = (_d = options.loadTimeoutMs) !== null && _d !== void 0 ? _d : 10000;
+                const timeout = (_e = options.loadTimeoutMs) !== null && _e !== void 0 ? _e : 10000;
                 this.loadErrorTimeoutId = setTimeout(() => {
                     this.loadErrorTimeoutId = null;
                     if (!this._destroyed && !this.tokenizerReady) {
@@ -985,7 +1065,8 @@
                     }
                 }, timeout);
             }
-            this._onWaxRefresh = options.onWaxRefresh;
+            // onSessionRefresh takes precedence over legacy onWaxRefresh
+            this._onWaxRefresh = (_f = options.onSessionRefresh) !== null && _f !== void 0 ? _f : options.onWaxRefresh;
             this._onReady = options.onReady;
             this.log('vault created', { vaultId: this.vaultId, frameBaseUrl: this.frameBaseUrl, maxTokenizeCalls: this._maxTokenizeCalls });
         }
@@ -993,47 +1074,59 @@
          * Creates and returns a ready `OzVault` instance.
          *
          * Internally this:
-         * 1. Generates a `tokenizationSessionId` (UUID).
+         * 1. Generates a session UUID.
          * 2. Starts loading the hidden tokenizer iframe immediately.
-         * 3. Calls `options.fetchWaxKey(tokenizationSessionId)` concurrently — your
-         *    backend mints a session-bound wax key from the vault and returns it.
-         * 4. Resolves with the vault instance once the wax key is stored. The iframe
+         * 3. Fetches a session key from your backend concurrently — either via
+         *    `sessionUrl` (simplest), `getSessionKey` (custom headers/auth), or the
+         *    deprecated `fetchWaxKey` callback.
+         * 4. Resolves with the vault instance once the session key is stored. The iframe
          *    has been loading the whole time, so `isReady` may already be true or
          *    will fire shortly after.
          *
          * The returned vault is ready to create elements immediately. `createToken()`
          * additionally requires `vault.isReady` (tokenizer iframe loaded).
          *
-         * @throws {OzError} if `fetchWaxKey` throws, returns a non-string value, or returns an empty/whitespace-only string.
+         * @throws {OzError} if the session fetch fails, times out, or returns an empty string.
          */
         static async create(options, signal) {
             if (!options.pubKey || !options.pubKey.trim()) {
                 throw new OzError('pubKey is required in options. Obtain your public key from the Ozura admin.');
             }
-            if (typeof options.fetchWaxKey !== 'function') {
-                throw new OzError('fetchWaxKey must be a function. See OzVault.create() docs for the expected signature.');
+            // Normalize the session callback. Priority: sessionUrl > getSessionKey > fetchWaxKey (deprecated).
+            // This allows merchants to use the clean new API without touching legacy code.
+            let resolvedFetchKey;
+            if (options.sessionUrl) {
+                resolvedFetchKey = createSessionFetcher(options.sessionUrl);
+            }
+            else if (typeof options.getSessionKey === 'function') {
+                resolvedFetchKey = options.getSessionKey;
+            }
+            else if (typeof options.fetchWaxKey === 'function') {
+                resolvedFetchKey = options.fetchWaxKey;
+            }
+            else {
+                throw new OzError('A session URL or callback is required. Pass sessionUrl, getSessionKey, or fetchWaxKey to OzVault.create().');
             }
             const tokenizationSessionId = uuid();
             // Construct the vault immediately — this mounts the tokenizer iframe so it
-            // starts loading while fetchWaxKey is in flight. The waxKey field starts
-            // empty and is set below before create() returns.
+            // starts loading while the session fetch is in flight.
             const vault = new OzVault(options, '', tokenizationSessionId);
             // If the caller provides an AbortSignal (e.g. React useEffect cleanup),
             // destroy the vault immediately on abort so the tokenizer iframe and message
-            // listener are removed synchronously rather than waiting for fetchWaxKey to
-            // settle. This eliminates the brief double-iframe window in React StrictMode.
+            // listener are removed synchronously rather than waiting for the session fetch
+            // to settle. This eliminates the brief double-iframe window in React StrictMode.
             const onAbort = () => vault.destroy();
             signal === null || signal === void 0 ? void 0 : signal.addEventListener('abort', onAbort, { once: true });
             let waxKey;
             try {
-                waxKey = await options.fetchWaxKey(tokenizationSessionId);
+                waxKey = await resolvedFetchKey(tokenizationSessionId);
             }
             catch (err) {
                 signal === null || signal === void 0 ? void 0 : signal.removeEventListener('abort', onAbort);
                 vault.destroy();
                 if (signal === null || signal === void 0 ? void 0 : signal.aborted)
                     throw new OzError('OzVault.create() was cancelled.');
-                // Preserve errorCode/retryable from OzError (e.g. timeout/network from createFetchWaxKey)
+                // Preserve errorCode/retryable from OzError (e.g. timeout/network from createSessionFetcher)
                 // so callers can distinguish transient failures from config errors.
                 const originalCode = err instanceof OzError ? err.errorCode : undefined;
                 const msg = err instanceof Error ? err.message : 'Unknown error';
@@ -1050,7 +1143,7 @@
             }
             // Static methods can access private fields of instances of the same class.
             vault.waxKey = waxKey;
-            vault._storedFetchWaxKey = options.fetchWaxKey;
+            vault._storedFetchWaxKey = resolvedFetchKey;
             // If the tokenizer iframe fired OZ_FRAME_READY before fetchWaxKey resolved,
             // the OZ_INIT sent at that point had an empty waxKey. Send a follow-up now
             // so the tokenizer has the key stored before any createToken() call.
@@ -1964,88 +2057,11 @@
         }
     }
-    /**
-     * Creates a ready-to-use `fetchWaxKey` callback for `OzVault.create()` and `<OzElements>`.
-     *
-     * Calls your backend mint endpoint with `{ sessionId }` and returns the wax key string.
-     * Throws on non-OK responses or a missing `waxKey` field so the vault can surface the
-     * error through its normal error path.
-     *
-     * Each call enforces a 10-second per-attempt timeout. On a pure network-level
-     * failure (connection refused, DNS failure, etc.) the call is retried once after
-     * 750ms before throwing. HTTP errors (4xx/5xx) are never retried — they indicate
-     * an endpoint misconfiguration or an invalid key, not a transient failure.
-     *
-     * The mint endpoint is typically the one-line `createMintWaxHandler` / `createMintWaxMiddleware`
-     * from `@ozura/elements/server`.
-     *
-     * @param mintUrl - Absolute or relative URL of your wax-key mint endpoint, e.g. `'/api/mint-wax'`.
-     *
-     * @example
-     * // Vanilla JS
-     * const vault = await OzVault.create({
-     *   pubKey: 'pk_live_...',
-     *   fetchWaxKey: createFetchWaxKey('/api/mint-wax'),
-     * });
-     *
-     * @example
-     * // React
-     * <OzElements pubKey="pk_live_..." fetchWaxKey={createFetchWaxKey('/api/mint-wax')}>
-     */
-    function createFetchWaxKey(mintUrl) {
-        const TIMEOUT_MS = 10000;
-        // Each attempt gets its own AbortController so a timeout on attempt 1 does
-        // not bleed into the retry. Uses AbortController + setTimeout instead of
-        // AbortSignal.timeout() to support environments without that API.
-        const attemptFetch = (sessionId) => {
-            const controller = new AbortController();
-            const timer = setTimeout(() => controller.abort(), TIMEOUT_MS);
-            return fetch(mintUrl, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ sessionId }),
-                signal: controller.signal,
-            }).finally(() => clearTimeout(timer));
-        };
-        return async (sessionId) => {
-            let res;
-            try {
-                res = await attemptFetch(sessionId);
-            }
-            catch (firstErr) {
-                // Abort/timeout should not be retried — the server received nothing or
-                // we already waited the full timeout duration.
-                if (firstErr instanceof Error && (firstErr.name === 'AbortError' || firstErr.name === 'TimeoutError')) {
-                    throw new OzError(`Wax key mint timed out after ${TIMEOUT_MS / 1000}s (${mintUrl})`, undefined, 'timeout');
-                }
-                // Pure network error (offline, DNS, connection refused) — retry once
-                // after a short pause in case of a transient blip.
-                await new Promise(resolve => setTimeout(resolve, 750));
-                try {
-                    res = await attemptFetch(sessionId);
-                }
-                catch (retryErr) {
-                    const msg = retryErr instanceof Error ? retryErr.message : 'Network error';
-                    throw new OzError(`Could not reach wax key mint endpoint (${mintUrl}): ${msg}`, undefined, 'network');
-                }
-            }
-            const data = await res.json().catch(() => ({}));
-            if (!res.ok) {
-                throw new OzError(typeof data.error === 'string' && data.error
-                    ? data.error
-                    : `Wax key mint failed (HTTP ${res.status})`, undefined, res.status >= 500 ? 'server' : res.status === 401 || res.status === 403 ? 'auth' : 'validation');
-            }
-            if (typeof data.waxKey !== 'string' || !data.waxKey.trim()) {
-                throw new OzError('Mint endpoint response is missing waxKey. Check your /api/mint-wax implementation.', undefined, 'validation');
-            }
-            return data.waxKey;
-        };
-    }
     exports.OzElement = OzElement;
     exports.OzError = OzError;
     exports.OzVault = OzVault;
-    exports.createFetchWaxKey = createFetchWaxKey;
+    exports.createFetchWaxKey = createSessionFetcher;
+    exports.createSessionFetcher = createSessionFetcher;
     exports.normalizeBankVaultError = normalizeBankVaultError;
     exports.normalizeCardSaleError = normalizeCardSaleError;
     exports.normalizeVaultError = normalizeVaultError;