@ozura/elements 1.1.0 → 1.2.0

package/dist/oz-elements.esm.js

@@ -1,144 +1,3 @@
-/**
- * errors.ts — error types and normalisation for OzElements.
- *
- * Three normalisation functions:
- *  - normalizeVaultError      — maps raw vault /tokenize errors to user-facing messages (card flows)
- *  - normalizeBankVaultError   — maps raw vault /tokenize errors to user-facing messages (bank/ACH flows)
- *  - normalizeCardSaleError    — maps raw cardSale API errors to user-facing messages
- *
- * Error keys in normalizeCardSaleError are taken directly from checkout's
- * errorMapping.ts so the same error strings produce the same user-facing copy.
- */
-const OZ_ERROR_CODES = new Set(['network', 'timeout', 'auth', 'validation', 'server', 'config', 'unknown']);
-/** Returns true and narrows to OzErrorCode when `value` is a valid member of the union. */
-function isOzErrorCode(value) {
-    return typeof value === 'string' && OZ_ERROR_CODES.has(value);
-}
-class OzError extends Error {
-    constructor(message, raw, errorCode) {
-        super(message);
-        this.name = 'OzError';
-        this.raw = raw !== null && raw !== void 0 ? raw : message;
-        this.errorCode = errorCode !== null && errorCode !== void 0 ? errorCode : 'unknown';
-        this.retryable = this.errorCode === 'network' || this.errorCode === 'timeout' || this.errorCode === 'server';
-    }
-}
-/** Shared patterns that apply to both card and bank vault errors. */
-function normalizeCommonVaultError(msg) {
-    if (msg.includes('api key') || msg.includes('unauthorized') || msg.includes('authentication') || msg.includes('forbidden')) {
-        return 'Authentication failed. Check your vault API key configuration.';
-    }
-    if (msg.includes('network') || msg.includes('failed to fetch') || msg.includes('networkerror')) {
-        return 'A network error occurred. Please check your connection and try again.';
-    }
-    if (msg.includes('timeout') || msg.includes('timed out')) {
-        return 'The request timed out. Please try again.';
-    }
-    if (msg.includes('http 5') || msg.includes('500') || msg.includes('502') || msg.includes('503')) {
-        return 'A server error occurred. Please try again shortly.';
-    }
-    return null;
-}
-/**
- * Maps a raw vault /tokenize error string to a user-facing message for card flows.
- * Falls back to the original string if no pattern matches.
- */
-function normalizeVaultError(raw) {
-    const msg = raw.toLowerCase();
-    if (msg.includes('card number') || msg.includes('invalid card') || msg.includes('luhn')) {
-        return 'The card number is invalid. Please check and try again.';
-    }
-    if (msg.includes('expir')) {
-        return 'The card expiration date is invalid or the card has expired.';
-    }
-    if (msg.includes('cvv') || msg.includes('cvc') || msg.includes('security code')) {
-        return 'The CVV code is invalid. Please check and try again.';
-    }
-    if (msg.includes('insufficient') || msg.includes('funds')) {
-        return 'Your card has insufficient funds. Please use a different card.';
-    }
-    if (msg.includes('declined') || msg.includes('do not honor')) {
-        return 'Your card was declined. Please try a different card or contact your bank.';
-    }
-    const common = normalizeCommonVaultError(msg);
-    if (common)
-        return common;
-    return raw;
-}
-/**
- * Maps a raw vault /tokenize error string to a user-facing message for bank (ACH) flows.
- * Uses bank-specific pattern matching so card-specific messages are never shown for
- * bank errors. Falls back to the original string if no pattern matches.
- */
-function normalizeBankVaultError(raw) {
-    const msg = raw.toLowerCase();
-    if (msg.includes('account number') || msg.includes('account_number') || msg.includes('invalid account')) {
-        return 'The bank account number is invalid. Please check and try again.';
-    }
-    if (msg.includes('routing number') || msg.includes('routing_number') || msg.includes('invalid routing') || /\baba\b/.test(msg)) {
-        return 'The routing number is invalid. Please check and try again.';
-    }
-    const common = normalizeCommonVaultError(msg);
-    if (common)
-        return common;
-    return raw;
-}
-// ─── cardSale error map (mirrors checkout/src/utils/errorMapping.ts exactly) ─
-const CARD_SALE_ERROR_MAP = [
-    ['Insufficient Funds', 'Your card has insufficient funds. Please use a different payment method.'],
-    ['Invalid card number', 'The card number you entered is invalid. Please check and try again.'],
-    ['Card expired', 'Your card has expired. Please use a different card.'],
-    ['CVV Verification Failed', 'The CVV code you entered is incorrect. Please check and try again.'],
-    ['Address Verification Failed', 'The billing address does not match your card. Please verify your address.'],
-    ['Do Not Honor', 'Your card was declined. Please contact your bank or use a different payment method.'],
-    ['Declined', 'Your card was declined. Please contact your bank or use a different payment method.'],
-    ['Surcharge is currently not supported', 'Surcharge fees are not supported at this time.'],
-    ['Surcharge percent must be between', 'Surcharge fees are not supported at this time.'],
-    ['Forbidden - API key', 'Authentication failed. Please refresh the page.'],
-    ['Api Key is invalid', 'Authentication failed. Please refresh the page.'],
-    ['API key not found', 'Authentication failed. Please refresh the page.'],
-    ['Access token expired', 'Your session has expired. Please refresh the page.'],
-    ['Access token is invalid', 'Authentication failed. Please refresh the page.'],
-    ['Unauthorized', 'Authentication failed. Please refresh the page.'],
-    ['Too Many Requests', 'Too many requests. Please wait a moment and try again.'],
-    ['Rate limit exceeded', 'System is busy. Please wait a moment and try again.'],
-    ['No processor integrations found', 'Payment processing is not configured for this merchant. Please contact the merchant for assistance.'],
-    ['processor integration', 'Payment processing is temporarily unavailable. Please try again later or contact the merchant.'],
-    ['Invalid zipcode', 'The ZIP code you entered is invalid. Please check and try again.'],
-    ['failed to save to database', 'Your payment was processed but we encountered an issue. Please contact support.'],
-    ['CASHBACK UNAVAIL', 'This transaction type is not supported. Please try again or use a different payment method.'],
-];
-/**
- * Maps a raw Ozura Pay API cardSale error string to a user-facing message.
- *
- * Uses the exact same error key table as checkout's `getUserFriendlyError()` in
- * errorMapping.ts so both surfaces produce identical copy for the same errors.
- *
- * Falls back to the original string when it's under 100 characters, or to a
- * generic message for long/opaque server errors — matching checkout's fallback
- * behaviour exactly.
- *
- * **Trade-off:** Short unrecognised strings (e.g. processor codes like
- * `"PROC_TIMEOUT"`) are passed through verbatim. This intentionally mirrors
- * checkout so the same raw Pay API errors produce the same user-facing text on
- * both surfaces. If the Pay API ever returns internal codes that should never
- * reach the UI, the fix belongs in the Pay API error normalisation layer rather
- * than here.
- */
-function normalizeCardSaleError(raw) {
-    if (!raw)
-        return 'Payment processing failed. Please try again.';
-    for (const [key, message] of CARD_SALE_ERROR_MAP) {
-        if (raw.toLowerCase().includes(key.toLowerCase())) {
-            return message;
-        }
-    }
-    // Checkout fallback: pass through short errors, genericise long ones
-    if (raw.length < 100)
-        return raw;
-    return 'Payment processing failed. Please try again or contact support.';
-}
-
 const THEME_DEFAULT = {
     base: {
         color: '#1a1a2e',
@@ -303,6 +162,147 @@ function mergeAppearanceWithElementStyle(appearance, elementStyle) {
     return mergeStyleConfigs(appearance, elementStyle);
 }
 
+/**
+ * errors.ts — error types and normalisation for OzElements.
+ *
+ * Three normalisation functions:
+ *  - normalizeVaultError      — maps raw vault /tokenize errors to user-facing messages (card flows)
+ *  - normalizeBankVaultError   — maps raw vault /tokenize errors to user-facing messages (bank/ACH flows)
+ *  - normalizeCardSaleError    — maps raw cardSale API errors to user-facing messages
+ *
+ * Error keys in normalizeCardSaleError are taken directly from checkout's
+ * errorMapping.ts so the same error strings produce the same user-facing copy.
+ */
+const OZ_ERROR_CODES = new Set(['network', 'timeout', 'auth', 'validation', 'server', 'config', 'unknown']);
+/** Returns true and narrows to OzErrorCode when `value` is a valid member of the union. */
+function isOzErrorCode(value) {
+    return typeof value === 'string' && OZ_ERROR_CODES.has(value);
+}
+class OzError extends Error {
+    constructor(message, raw, errorCode) {
+        super(message);
+        this.name = 'OzError';
+        this.raw = raw !== null && raw !== void 0 ? raw : message;
+        this.errorCode = errorCode !== null && errorCode !== void 0 ? errorCode : 'unknown';
+        this.retryable = this.errorCode === 'network' || this.errorCode === 'timeout' || this.errorCode === 'server';
+    }
+}
+/** Shared patterns that apply to both card and bank vault errors. */
+function normalizeCommonVaultError(msg) {
+    if (msg.includes('api key') || msg.includes('unauthorized') || msg.includes('authentication') || msg.includes('forbidden')) {
+        return 'Authentication failed. Check your vault API key configuration.';
+    }
+    if (msg.includes('network') || msg.includes('failed to fetch') || msg.includes('networkerror')) {
+        return 'A network error occurred. Please check your connection and try again.';
+    }
+    if (msg.includes('timeout') || msg.includes('timed out')) {
+        return 'The request timed out. Please try again.';
+    }
+    if (msg.includes('http 5') || msg.includes('500') || msg.includes('502') || msg.includes('503')) {
+        return 'A server error occurred. Please try again shortly.';
+    }
+    return null;
+}
+/**
+ * Maps a raw vault /tokenize error string to a user-facing message for card flows.
+ * Falls back to the original string if no pattern matches.
+ */
+function normalizeVaultError(raw) {
+    const msg = raw.toLowerCase();
+    if (msg.includes('card number') || msg.includes('invalid card') || msg.includes('luhn')) {
+        return 'The card number is invalid. Please check and try again.';
+    }
+    if (msg.includes('expir')) {
+        return 'The card expiration date is invalid or the card has expired.';
+    }
+    if (msg.includes('cvv') || msg.includes('cvc') || msg.includes('security code')) {
+        return 'The CVV code is invalid. Please check and try again.';
+    }
+    if (msg.includes('insufficient') || msg.includes('funds')) {
+        return 'Your card has insufficient funds. Please use a different card.';
+    }
+    if (msg.includes('declined') || msg.includes('do not honor')) {
+        return 'Your card was declined. Please try a different card or contact your bank.';
+    }
+    const common = normalizeCommonVaultError(msg);
+    if (common)
+        return common;
+    return raw;
+}
+/**
+ * Maps a raw vault /tokenize error string to a user-facing message for bank (ACH) flows.
+ * Uses bank-specific pattern matching so card-specific messages are never shown for
+ * bank errors. Falls back to the original string if no pattern matches.
+ */
+function normalizeBankVaultError(raw) {
+    const msg = raw.toLowerCase();
+    if (msg.includes('account number') || msg.includes('account_number') || msg.includes('invalid account')) {
+        return 'The bank account number is invalid. Please check and try again.';
+    }
+    if (msg.includes('routing number') || msg.includes('routing_number') || msg.includes('invalid routing') || /\baba\b/.test(msg)) {
+        return 'The routing number is invalid. Please check and try again.';
+    }
+    const common = normalizeCommonVaultError(msg);
+    if (common)
+        return common;
+    return raw;
+}
+// ─── cardSale error map (mirrors checkout/src/utils/errorMapping.ts exactly) ─
+const CARD_SALE_ERROR_MAP = [
+    ['Insufficient Funds', 'Your card has insufficient funds. Please use a different payment method.'],
+    ['Invalid card number', 'The card number you entered is invalid. Please check and try again.'],
+    ['Card expired', 'Your card has expired. Please use a different card.'],
+    ['CVV Verification Failed', 'The CVV code you entered is incorrect. Please check and try again.'],
+    ['Address Verification Failed', 'The billing address does not match your card. Please verify your address.'],
+    ['Do Not Honor', 'Your card was declined. Please contact your bank or use a different payment method.'],
+    ['Declined', 'Your card was declined. Please contact your bank or use a different payment method.'],
+    ['Surcharge is currently not supported', 'Surcharge fees are not supported at this time.'],
+    ['Surcharge percent must be between', 'Surcharge fees are not supported at this time.'],
+    ['Forbidden - API key', 'Authentication failed. Please refresh the page.'],
+    ['Api Key is invalid', 'Authentication failed. Please refresh the page.'],
+    ['API key not found', 'Authentication failed. Please refresh the page.'],
+    ['Access token expired', 'Your session has expired. Please refresh the page.'],
+    ['Access token is invalid', 'Authentication failed. Please refresh the page.'],
+    ['Unauthorized', 'Authentication failed. Please refresh the page.'],
+    ['Too Many Requests', 'Too many requests. Please wait a moment and try again.'],
+    ['Rate limit exceeded', 'System is busy. Please wait a moment and try again.'],
+    ['No processor integrations found', 'Payment processing is not configured for this merchant. Please contact the merchant for assistance.'],
+    ['processor integration', 'Payment processing is temporarily unavailable. Please try again later or contact the merchant.'],
+    ['Invalid zipcode', 'The ZIP code you entered is invalid. Please check and try again.'],
+    ['failed to save to database', 'Your payment was processed but we encountered an issue. Please contact support.'],
+    ['CASHBACK UNAVAIL', 'This transaction type is not supported. Please try again or use a different payment method.'],
+];
+/**
+ * Maps a raw Ozura Pay API cardSale error string to a user-facing message.
+ *
+ * Uses the exact same error key table as checkout's `getUserFriendlyError()` in
+ * errorMapping.ts so both surfaces produce identical copy for the same errors.
+ *
+ * Falls back to the original string when it's under 100 characters, or to a
+ * generic message for long/opaque server errors — matching checkout's fallback
+ * behaviour exactly.
+ *
+ * **Trade-off:** Short unrecognised strings (e.g. processor codes like
+ * `"PROC_TIMEOUT"`) are passed through verbatim. This intentionally mirrors
+ * checkout so the same raw Pay API errors produce the same user-facing text on
+ * both surfaces. If the Pay API ever returns internal codes that should never
+ * reach the UI, the fix belongs in the Pay API error normalisation layer rather
+ * than here.
+ */
+function normalizeCardSaleError(raw) {
+    if (!raw)
+        return 'Payment processing failed. Please try again.';
+    for (const [key, message] of CARD_SALE_ERROR_MAP) {
+        if (raw.toLowerCase().includes(key.toLowerCase())) {
+            return message;
+        }
+    }
+    // Checkout fallback: pass through short errors, genericise long ones
+    if (raw.length < 100)
+        return raw;
+    return 'Payment processing failed. Please try again or contact support.';
+}
+
 /**
  * Generates a RFC 4122 v4 UUID.
  *
@@ -890,6 +890,85 @@ function validateBilling(billing) {
  */
 const PROTOCOL_VERSION = 1;
 
+/**
+ * Creates a `getSessionKey` callback for `OzVault.create()` and `<OzElements>`.
+ *
+ * This is the recommended way to wire the SDK to your backend session endpoint.
+ * If you don't need custom headers or auth logic, pass `sessionUrl` directly to
+ * `OzVault.create()` or `<OzElements>` — it calls this helper internally.
+ *
+ * The callback POSTs `{ sessionId }` to `url` and reads `sessionKey` (or the
+ * legacy `waxKey`) from the JSON response, so it is compatible with both the
+ * new `createSessionMiddleware` and the old `createMintWaxMiddleware` backends.
+ *
+ * Each call enforces a **10-second timeout**. On pure network failures
+ * (offline, DNS, connection refused) the request is retried **once after 750ms**.
+ * HTTP 4xx/5xx errors are never retried — they indicate misconfiguration.
+ *
+ * @param url - Absolute or relative URL of your session endpoint, e.g. `'/api/oz-session'`.
+ *
+ * @example
+ * // Simplest — just pass sessionUrl, no need to call this directly
+ * const vault = await OzVault.create({ pubKey: 'pk_live_...', sessionUrl: '/api/oz-session' });
+ *
+ * @example
+ * // Manual — use when you need custom headers
+ * const vault = await OzVault.create({
+ *   pubKey: 'pk_live_...',
+ *   getSessionKey: createSessionFetcher('/api/oz-session'),
+ * });
+ */
+function createSessionFetcher(url) {
+    const TIMEOUT_MS = 10000;
+    // Each attempt gets its own AbortController so a timeout on attempt 1 does
+    // not bleed into the retry.
+    const attemptFetch = (sessionId) => {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), TIMEOUT_MS);
+        return fetch(url, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ sessionId }),
+            signal: controller.signal,
+        }).finally(() => clearTimeout(timer));
+    };
+    return async (sessionId) => {
+        let res;
+        try {
+            res = await attemptFetch(sessionId);
+        }
+        catch (firstErr) {
+            // Timeout/abort — don't retry, we already waited the full duration.
+            if (firstErr instanceof Error && (firstErr.name === 'AbortError' || firstErr.name === 'TimeoutError')) {
+                throw new OzError(`Session endpoint timed out after ${TIMEOUT_MS / 1000}s (${url})`, undefined, 'timeout');
+            }
+            // Pure network error — retry once after a short pause.
+            await new Promise(resolve => setTimeout(resolve, 750));
+            try {
+                res = await attemptFetch(sessionId);
+            }
+            catch (retryErr) {
+                const msg = retryErr instanceof Error ? retryErr.message : 'Network error';
+                throw new OzError(`Could not reach session endpoint (${url}): ${msg}`, undefined, 'network');
+            }
+        }
+        const data = await res.json().catch(() => ({}));
+        if (!res.ok) {
+            throw new OzError(typeof data.error === 'string' && data.error
+                ? data.error
+                : `Session endpoint returned HTTP ${res.status}`, undefined, res.status >= 500 ? 'server' : res.status === 401 || res.status === 403 ? 'auth' : 'validation');
+        }
+        // Accept both new `sessionKey` and legacy `waxKey` for backward compatibility
+        // with backends that haven't migrated to createSessionMiddleware yet.
+        const key = (typeof data.sessionKey === 'string' ? data.sessionKey : '') ||
+            (typeof data.waxKey === 'string' ? data.waxKey : '');
+        if (!key.trim()) {
+            throw new OzError('Session endpoint response is missing sessionKey. Check your /api/oz-session implementation.', undefined, 'validation');
+        }
+        return key;
+    };
+}
+
 function isCardMetadata(v) {
     return !!v && typeof v === 'object' && typeof v.last4 === 'string';
 }
@@ -929,7 +1008,7 @@ class OzVault {
      * @internal
      */
     constructor(options, waxKey, tokenizationSessionId) {
-        var _a, _b, _c, _d;
+        var _a, _b, _c, _d, _e;
         this.elements = new Map();
         this.elementsByType = new Map();
         this.bankElementsByType = new Map();
@@ -963,7 +1042,12 @@ class OzVault {
         this.fonts = (_a = options.fonts) !== null && _a !== void 0 ? _a : [];
         this.resolvedAppearance = resolveAppearance(options.appearance);
         this.vaultId = `vault-${uuid()}`;
-        this._maxTokenizeCalls = (_b = options.maxTokenizeCalls) !== null && _b !== void 0 ? _b : 3;
+        // sessionLimit takes precedence over legacy maxTokenizeCalls.
+        // null means unlimited — use Infinity so the ">=" check never triggers.
+        const rawLimit = options.sessionLimit !== undefined
+            ? options.sessionLimit
+            : ((_b = options.maxTokenizeCalls) !== null && _b !== void 0 ? _b : 3);
+        this._maxTokenizeCalls = rawLimit === null ? Infinity : rawLimit;
         this._debug = (_c = options.debug) !== null && _c !== void 0 ? _c : false;
         this.boundHandleMessage = this.handleMessage.bind(this);
         window.addEventListener('message', this.boundHandleMessage);
@@ -979,7 +1063,8 @@ class OzVault {
                 }
             }, timeout);
         }
-        this._onWaxRefresh = options.onWaxRefresh;
+        // onSessionRefresh takes precedence over legacy onWaxRefresh
+        this._onWaxRefresh = (_e = options.onSessionRefresh) !== null && _e !== void 0 ? _e : options.onWaxRefresh;
         this._onReady = options.onReady;
         this.log('vault created', { vaultId: this.vaultId, frameBaseUrl: this.frameBaseUrl, maxTokenizeCalls: this._maxTokenizeCalls });
     }
@@ -987,51 +1072,63 @@ class OzVault {
      * Creates and returns a ready `OzVault` instance.
      *
      * Internally this:
-     * 1. Generates a `tokenizationSessionId` (UUID).
+     * 1. Generates a session UUID.
      * 2. Starts loading the hidden tokenizer iframe immediately.
-     * 3. Calls `options.fetchWaxKey(tokenizationSessionId)` concurrently — your
-     *    backend mints a session-bound wax key from the vault and returns it.
-     * 4. Resolves with the vault instance once the wax key is stored. The iframe
+     * 3. Fetches a session key from your backend concurrently — either via
+     *    `sessionUrl` (simplest), `getSessionKey` (custom headers/auth), or the
+     *    deprecated `fetchWaxKey` callback.
+     * 4. Resolves with the vault instance once the session key is stored. The iframe
      *    has been loading the whole time, so `isReady` may already be true or
      *    will fire shortly after.
      *
      * The returned vault is ready to create elements immediately. `createToken()`
      * additionally requires `vault.isReady` (tokenizer iframe loaded).
      *
-     * @throws {OzError} if `fetchWaxKey` throws, returns a non-string value, or returns an empty/whitespace-only string.
+     * @throws {OzError} if the session fetch fails, times out, or returns an empty string.
      */
     static async create(options, signal) {
         if (!options.pubKey || !options.pubKey.trim()) {
             throw new OzError('pubKey is required in options. Obtain your public key from the Ozura admin.');
         }
-        if (typeof options.fetchWaxKey !== 'function') {
-            throw new OzError('fetchWaxKey must be a function. See OzVault.create() docs for the expected signature.');
+        // Normalize the session callback. Priority: sessionUrl > getSessionKey > fetchWaxKey (deprecated).
+        // This allows merchants to use the clean new API without touching legacy code.
+        let resolvedFetchKey;
+        if (options.sessionUrl) {
+            resolvedFetchKey = createSessionFetcher(options.sessionUrl);
+        }
+        else if (typeof options.getSessionKey === 'function') {
+            resolvedFetchKey = options.getSessionKey;
+        }
+        else if (typeof options.fetchWaxKey === 'function') {
+            resolvedFetchKey = options.fetchWaxKey;
+        }
+        else {
+            throw new OzError('A session URL or callback is required. Pass sessionUrl, getSessionKey, or fetchWaxKey to OzVault.create().');
         }
         const tokenizationSessionId = uuid();
         // Construct the vault immediately — this mounts the tokenizer iframe so it
-        // starts loading while fetchWaxKey is in flight. The waxKey field starts
-        // empty and is set below before create() returns.
+        // starts loading while the session fetch is in flight.
         const vault = new OzVault(options, '', tokenizationSessionId);
         // If the caller provides an AbortSignal (e.g. React useEffect cleanup),
         // destroy the vault immediately on abort so the tokenizer iframe and message
-        // listener are removed synchronously rather than waiting for fetchWaxKey to
-        // settle. This eliminates the brief double-iframe window in React StrictMode.
+        // listener are removed synchronously rather than waiting for the session fetch
+        // to settle. This eliminates the brief double-iframe window in React StrictMode.
         const onAbort = () => vault.destroy();
         signal === null || signal === void 0 ? void 0 : signal.addEventListener('abort', onAbort, { once: true });
         let waxKey;
         try {
-            waxKey = await options.fetchWaxKey(tokenizationSessionId);
+            waxKey = await resolvedFetchKey(tokenizationSessionId);
         }
         catch (err) {
             signal === null || signal === void 0 ? void 0 : signal.removeEventListener('abort', onAbort);
             vault.destroy();
             if (signal === null || signal === void 0 ? void 0 : signal.aborted)
                 throw new OzError('OzVault.create() was cancelled.');
-            // Preserve errorCode/retryable from OzError (e.g. timeout/network from createFetchWaxKey)
+            // Preserve errorCode/retryable from OzError (e.g. timeout/network from createSessionFetcher)
             // so callers can distinguish transient failures from config errors.
             const originalCode = err instanceof OzError ? err.errorCode : undefined;
             const msg = err instanceof Error ? err.message : 'Unknown error';
-            throw new OzError(`fetchWaxKey threw an error: ${msg}`, undefined, originalCode);
+            throw new OzError(`Session fetch threw an error: ${msg}`, undefined, originalCode);
         }
         signal === null || signal === void 0 ? void 0 : signal.removeEventListener('abort', onAbort);
         if (signal === null || signal === void 0 ? void 0 : signal.aborted) {
@@ -1040,11 +1137,11 @@ class OzVault {
         }
         if (typeof waxKey !== 'string' || !waxKey.trim()) {
             vault.destroy();
-            throw new OzError('fetchWaxKey must return a non-empty wax key string. Check your mint endpoint.');
+            throw new OzError('Session fetch returned an empty key. Check your session endpoint response — it must return { sessionKey: "..." }.');
         }
         // Static methods can access private fields of instances of the same class.
         vault.waxKey = waxKey;
-        vault._storedFetchWaxKey = options.fetchWaxKey;
+        vault._storedFetchWaxKey = resolvedFetchKey;
         // If the tokenizer iframe fired OZ_FRAME_READY before fetchWaxKey resolved,
         // the OZ_INIT sent at that point had an empty waxKey. Send a follow-up now
         // so the tokenizer has the key stored before any createToken() call.
@@ -1710,9 +1807,9 @@ class OzVault {
                     // key without waiting for a vault rejection.
                     this._tokenizeSuccessCount++;
                     if (this._tokenizeSuccessCount >= this._maxTokenizeCalls) {
-                        this.log('proactive wax key refresh triggered', { tokenizeSuccessCount: this._tokenizeSuccessCount, maxTokenizeCalls: this._maxTokenizeCalls });
+                        this.log('proactive session key refresh triggered', { tokenizeSuccessCount: this._tokenizeSuccessCount, maxTokenizeCalls: this._maxTokenizeCalls });
                         this.refreshWaxKey().catch((err) => {
-                            console.warn('[OzVault] Post-budget wax key refresh failed:', err instanceof Error ? err.message : err);
+                            console.warn('[OzVault] Post-budget session key refresh failed:', err instanceof Error ? err.message : err);
                         });
                     }
                 }
@@ -1870,9 +1967,9 @@ class OzVault {
                     // Same proactive refresh logic as card tokenization.
                     this._tokenizeSuccessCount++;
                     if (this._tokenizeSuccessCount >= this._maxTokenizeCalls) {
-                        this.log('proactive wax key refresh triggered', { tokenizeSuccessCount: this._tokenizeSuccessCount, maxTokenizeCalls: this._maxTokenizeCalls });
+                        this.log('proactive session key refresh triggered', { tokenizeSuccessCount: this._tokenizeSuccessCount, maxTokenizeCalls: this._maxTokenizeCalls });
                         this.refreshWaxKey().catch((err) => {
-                            console.warn('[OzVault] Post-budget wax key refresh failed:', err instanceof Error ? err.message : err);
+                            console.warn('[OzVault] Post-budget session key refresh failed:', err instanceof Error ? err.message : err);
                         });
                     }
                 }
@@ -1958,83 +2055,5 @@ class OzVault {
     }
 }
 
-/**
- * Creates a ready-to-use `fetchWaxKey` callback for `OzVault.create()` and `<OzElements>`.
- *
- * Calls your backend mint endpoint with `{ sessionId }` and returns the wax key string.
- * Throws on non-OK responses or a missing `waxKey` field so the vault can surface the
- * error through its normal error path.
- *
- * Each call enforces a 10-second per-attempt timeout. On a pure network-level
- * failure (connection refused, DNS failure, etc.) the call is retried once after
- * 750ms before throwing. HTTP errors (4xx/5xx) are never retried — they indicate
- * an endpoint misconfiguration or an invalid key, not a transient failure.
- *
- * The mint endpoint is typically the one-line `createMintWaxHandler` / `createMintWaxMiddleware`
- * from `@ozura/elements/server`.
- *
- * @param mintUrl - Absolute or relative URL of your wax-key mint endpoint, e.g. `'/api/mint-wax'`.
- *
- * @example
- * // Vanilla JS
- * const vault = await OzVault.create({
- *   pubKey: 'pk_live_...',
- *   fetchWaxKey: createFetchWaxKey('/api/mint-wax'),
- * });
- *
- * @example
- * // React
- * <OzElements pubKey="pk_live_..." fetchWaxKey={createFetchWaxKey('/api/mint-wax')}>
- */
-function createFetchWaxKey(mintUrl) {
-    const TIMEOUT_MS = 10000;
-    // Each attempt gets its own AbortController so a timeout on attempt 1 does
-    // not bleed into the retry. Uses AbortController + setTimeout instead of
-    // AbortSignal.timeout() to support environments without that API.
-    const attemptFetch = (sessionId) => {
-        const controller = new AbortController();
-        const timer = setTimeout(() => controller.abort(), TIMEOUT_MS);
-        return fetch(mintUrl, {
-            method: 'POST',
-            headers: { 'Content-Type': 'application/json' },
-            body: JSON.stringify({ sessionId }),
-            signal: controller.signal,
-        }).finally(() => clearTimeout(timer));
-    };
-    return async (sessionId) => {
-        let res;
-        try {
-            res = await attemptFetch(sessionId);
-        }
-        catch (firstErr) {
-            // Abort/timeout should not be retried — the server received nothing or
-            // we already waited the full timeout duration.
-            if (firstErr instanceof Error && (firstErr.name === 'AbortError' || firstErr.name === 'TimeoutError')) {
-                throw new OzError(`Wax key mint timed out after ${TIMEOUT_MS / 1000}s (${mintUrl})`, undefined, 'timeout');
-            }
-            // Pure network error (offline, DNS, connection refused) — retry once
-            // after a short pause in case of a transient blip.
-            await new Promise(resolve => setTimeout(resolve, 750));
-            try {
-                res = await attemptFetch(sessionId);
-            }
-            catch (retryErr) {
-                const msg = retryErr instanceof Error ? retryErr.message : 'Network error';
-                throw new OzError(`Could not reach wax key mint endpoint (${mintUrl}): ${msg}`, undefined, 'network');
-            }
-        }
-        const data = await res.json().catch(() => ({}));
-        if (!res.ok) {
-            throw new OzError(typeof data.error === 'string' && data.error
-                ? data.error
-                : `Wax key mint failed (HTTP ${res.status})`, undefined, res.status >= 500 ? 'server' : res.status === 401 || res.status === 403 ? 'auth' : 'validation');
-        }
-        if (typeof data.waxKey !== 'string' || !data.waxKey.trim()) {
-            throw new OzError('Mint endpoint response is missing waxKey. Check your /api/mint-wax implementation.', undefined, 'validation');
-        }
-        return data.waxKey;
-    };
-}
-
-export { OzElement, OzError, OzVault, createFetchWaxKey, normalizeBankVaultError, normalizeCardSaleError, normalizeVaultError };
+export { OzElement, OzError, OzVault, createSessionFetcher as createFetchWaxKey, createSessionFetcher, normalizeBankVaultError, normalizeCardSaleError, normalizeVaultError };
 //# sourceMappingURL=oz-elements.esm.js.map