@passflow/core 0.0.1 → 0.2.0

package/dist/index.mjs

@@ -1,7 +1,9 @@
-import T from "axios";
-import { v4 as R } from "uuid";
-import { startRegistration as _, startAuthentication as U } from "@simplewebauthn/browser";
-const P = "X-Passflow-Clientid", m = "Authorization", D = "X-Passflow-DeviceId", x = "X-Passflow-DeviceType", F = ["id", "offline", "tenant", "email", "oidc", "openid", "access:tenant:all"], A = "https://auth.passflow.cloud", re = "default", M = (i) => {
+import D from "axios";
+import { v4 as H } from "uuid";
+import { startRegistration as K, startAuthentication as j } from "@simplewebauthn/browser";
+const z = "0.1.47", X = {
+  version: z
+}, C = "X-Passflow-Clientid", _ = "Authorization", W = "X-Passflow-DeviceId", J = "X-Passflow-DeviceType", Z = X.version, Ne = ["id", "offline", "openid"], Q = ["id", "offline", "tenant", "email", "oidc", "openid", "access:tenant:all"], G = "https://auth.passflow.cloud", Ke = "default", ee = 500, te = 600, se = 100, re = 6e4, V = 30, ie = 3, oe = 30, ne = 200, ae = (i) => {
   const e = [];
   let t;
   for (t in i) {
@@ -16,9 +18,16 @@ const P = "X-Passflow-Clientid", m = "Authorization", D = "X-Passflow-DeviceId",
   }
   return { raw: i, tenants: e };
 };
-class G {
-  constructor() {
-    this.storageManager = new b();
+function ce(i) {
+  if (typeof window < "u" && typeof window.atob == "function")
+    return window.atob(i);
+  if (typeof Buffer < "u")
+    return Buffer.from(i, "base64").toString("utf-8");
+  throw new Error("No Base64 decoding method available in this environment");
+}
+class he {
+  constructor(e) {
+    this.storageManager = e;
   }
   /**
    * Checks if a token is not exists or expired.
@@ -29,8 +38,8 @@ class G {
   isTokenTypeExpired(e) {
     const t = this.storageManager.getToken(e);
     if (!t) return !0;
-    const s = d(t);
-    return s ? f(s) : !0;
+    const s = y(t);
+    return s ? S(s) : !0;
   }
   /**
    * Parse token from storage by type.
@@ -42,40 +51,209 @@ class G {
   parseTokenType(e) {
     const t = this.storageManager.getToken(e);
     if (t)
-      return d(t);
+      return y(t);
   }
 }
-function f(i) {
-  return Math.floor(Date.now() / 1e3) > i.exp;
+function S(i, e = V) {
+  return Math.floor(Date.now() / 1e3) + e > i.exp;
 }
-function d(i) {
+function y(i) {
   const e = i.split(".")[1];
   if (!e) throw new Error("Invalid token string");
-  const t = e.replace(/-/g, "+").replace(/_/g, "/"), s = decodeURIComponent(
-    window.atob(t).split("").map((o) => "%" + ("00" + o.charCodeAt(0).toString(16)).slice(-2)).join("")
-  ), r = JSON.parse(s);
-  return r.membership = r.passflow_tm && r.type !== "invite" ? M(r.passflow_tm) : void 0, r;
+  const t = e.replace(/-/g, "+").replace(/_/g, "/"), s = t + "=".repeat((4 - t.length % 4) % 4), r = ce(s), o = decodeURIComponent(
+    r.split("").map((d) => "%" + ("00" + d.charCodeAt(0).toString(16)).slice(-2)).join("")
+  ), n = JSON.parse(o);
+  return n.membership = n.passflow_tm && n.type !== "invite" ? ae(n.passflow_tm) : void 0, n;
+}
+var k = /* @__PURE__ */ ((i) => (i.id_token = "id_token", i.access_token = "access", i.refresh_token = "refresh", i.invite_token = "invite", i.reset_token = "reset", i.web_cookie = "web-cookie", i.management = "management", i.signin = "signin", i.actor = "actor", i.two_factor = "2fa", i))(k || {}), v = /* @__PURE__ */ ((i) => (i.JsonBody = "json_body", i.Cookie = "cookie", i.Mobile = "mobile", i.BFF = "bff", i))(v || {}), q = /* @__PURE__ */ ((i) => (i.Unknown = "unknown", i.Valid = "valid", i.Invalid = "invalid", i))(q || {});
+class B {
+  constructor(e) {
+    this.storageManager = e, this.mode = "json_body", this.sessionState = "unknown", this.isInitializedFlag = !1, this.STORAGE_PREFIX = "passflow_", this.DELIVERY_MODE_KEY = `${this.STORAGE_PREFIX}delivery_mode`, this.SESSION_STATE_KEY = `${this.STORAGE_PREFIX}session_state`, this.loadPersistedMode(), this.loadPersistedSessionState();
+  }
+  /**
+   * Set the token delivery mode
+   */
+  setMode(e) {
+    this.mode = e, this.isInitializedFlag = !0, this.persistMode();
+  }
+  /**
+   * Get the current token delivery mode
+   */
+  getMode() {
+    return this.mode;
+  }
+  /**
+   * Check if currently in cookie mode
+   */
+  isCookieMode() {
+    return this.mode === "cookie";
+  }
+  /**
+   * Check if currently in JSON body mode
+   */
+  isJsonMode() {
+    return this.mode === "json_body";
+  }
+  /**
+   * Check if currently in mobile mode
+   */
+  isMobileMode() {
+    return this.mode === "mobile";
+  }
+  /**
+   * Check if currently in BFF mode
+   */
+  isBFFMode() {
+    return this.mode === "bff";
+  }
+  /**
+   * Check if delivery mode has been initialized from a server response
+   */
+  isInitialized() {
+    return this.isInitializedFlag;
+  }
+  /**
+   * Mark session as valid (successful authentication or token refresh)
+   */
+  setSessionValid() {
+    this.sessionState = "valid", this.persistSessionState();
+  }
+  /**
+   * Mark session as invalid (received 401 or logout)
+   */
+  setSessionInvalid() {
+    this.sessionState = "invalid", this.persistSessionState();
+  }
+  /**
+   * Reset session state to unknown (used during authentication flows)
+   */
+  setSessionUnknown() {
+    this.sessionState = "unknown", this.persistSessionState();
+  }
+  /**
+   * Check if session is valid
+   */
+  isSessionValid() {
+    return this.sessionState === "valid";
+  }
+  /**
+   * Check if session state is unknown (not yet determined)
+   */
+  isSessionUnknown() {
+    return this.sessionState === "unknown";
+  }
+  /**
+   * Check if session is invalid
+   */
+  isSessionInvalid() {
+    return this.sessionState === "invalid";
+  }
+  /**
+   * Get current session state
+   */
+  getSessionState() {
+    return this.sessionState;
+  }
+  /**
+   * Reset delivery manager to initial state
+   */
+  reset() {
+    this.mode = "json_body", this.sessionState = "unknown", this.isInitializedFlag = !1, this.clearPersistedMode(), this.clearPersistedSessionState();
+  }
+  /**
+   * Load persisted delivery mode from storage
+   */
+  loadPersistedMode() {
+    try {
+      const e = this.storageManager.storage.getItem(this.DELIVERY_MODE_KEY);
+      e && Object.values(v).includes(e) && (this.mode = e, this.isInitializedFlag = !0);
+    } catch {
+    }
+  }
+  /**
+   * Load persisted session state from storage
+   */
+  loadPersistedSessionState() {
+    try {
+      const e = this.storageManager.storage.getItem(this.SESSION_STATE_KEY);
+      e && Object.values(q).includes(e) && (this.sessionState = e);
+    } catch {
+    }
+  }
+  /**
+   * Persist delivery mode to storage
+   */
+  persistMode() {
+    try {
+      this.storageManager.storage.setItem(this.DELIVERY_MODE_KEY, this.mode);
+    } catch {
+    }
+  }
+  /**
+   * Persist session state to storage
+   */
+  persistSessionState() {
+    try {
+      this.storageManager.storage.setItem(this.SESSION_STATE_KEY, this.sessionState);
+    } catch {
+    }
+  }
+  /**
+   * Clear persisted delivery mode from storage
+   */
+  clearPersistedMode() {
+    try {
+      this.storageManager.storage.removeItem(this.DELIVERY_MODE_KEY);
+    } catch {
+    }
+  }
+  /**
+   * Clear persisted session state from storage
+   */
+  clearPersistedSessionState() {
+    try {
+      this.storageManager.storage.removeItem(this.SESSION_STATE_KEY);
+    } catch {
+    }
+  }
 }
-var g = /* @__PURE__ */ ((i) => (i.id_token = "id_token", i.access_token = "access", i.refresh_token = "refresh", i.invite_token = "invite", i.reset_token = "reset", i.web_cookie = "web-cookie", i.management = "management", i.signin = "signin", i.actor = "actor", i))(g || {});
-class b {
+class $ {
   constructor({ storage: e, prefix: t } = {}) {
-    this.keyStoragePrefix = "", this.scopes = `${this.keyStoragePrefix}tokens_scopes`, this.deviceId = `${this.keyStoragePrefix}passflowDeviceId`, this.invitationToken = `${this.keyStoragePrefix}passflowInvitationToken`, this.previousRedirectUrl = `${this.keyStoragePrefix}passflowPreviousRedirectUrl`, this.storage = e ?? localStorage, this.keyStoragePrefix = t ? `${t}_` : "";
+    this.keyStoragePrefix = "", this.scopes = `${this.keyStoragePrefix}tokens_scopes`, this.deviceId = `${this.keyStoragePrefix}passflowDeviceId`, this.invitationToken = `${this.keyStoragePrefix}passflowInvitationToken`, this.previousRedirectUrl = `${this.keyStoragePrefix}passflowPreviousRedirectUrl`, this.STORAGE_PREFIX = "passflow_", this.ID_TOKEN_KEY = `${this.STORAGE_PREFIX}id_token`, this.CSRF_TOKEN_KEY = `${this.STORAGE_PREFIX}csrf_token`, this.DELIVERY_MODE_KEY = `${this.STORAGE_PREFIX}delivery_mode`, this.storage = e ?? localStorage, this.keyStoragePrefix = t ? `${t}_` : "";
   }
-  saveTokens(e) {
-    const { id_token: t, access_token: s, refresh_token: r, scopes: o } = e;
-    t && this.storage.setItem(this.getKeyForTokenType(g.id_token), t), s && this.storage.setItem(this.getKeyForTokenType(g.access_token), s), r && this.storage.setItem(this.getKeyForTokenType(g.refresh_token), r), o && this.storage.setItem(this.scopes, o.join(","));
+  /**
+   * Save tokens to storage with conditional logic based on delivery mode
+   * In cookie/BFF mode: ONLY save ID token (not access/refresh tokens)
+   * In JSON mode: save all tokens (existing behavior)
+   */
+  saveTokens(e, t) {
+    const { id_token: s, access_token: r, refresh_token: o, scopes: n } = e;
+    t === v.Cookie || t === v.BFF ? s && this.storage.setItem(this.ID_TOKEN_KEY, s) : (s && this.storage.setItem(this.getKeyForTokenType(k.id_token), s), r && this.storage.setItem(this.getKeyForTokenType(k.access_token), r), o && this.storage.setItem(this.getKeyForTokenType(k.refresh_token), o), n && this.storage.setItem(this.scopes, n.join(",")));
   }
   getToken(e) {
     const t = this.getKeyForTokenType(e);
     return this.storage.getItem(t) ?? void 0;
   }
+  /**
+   * Get tokens from storage with conditional logic based on delivery mode
+   * In cookie/BFF mode: return ID token only (access/refresh in HttpOnly cookies)
+   * In JSON mode: return all stored tokens (existing behavior)
+   */
   getTokens() {
-    const e = this.storage.getItem(this.getKeyForTokenType(g.access_token));
-    if (e)
+    const e = this.getDeliveryMode();
+    if (e === v.Cookie || e === v.BFF) {
+      const s = this.storage.getItem(this.ID_TOKEN_KEY);
+      return s ? {
+        id_token: s
+        // access_token and refresh_token are in HttpOnly cookies, not localStorage
+      } : void 0;
+    }
+    const t = this.storage.getItem(this.getKeyForTokenType(k.access_token));
+    if (t)
       return {
-        access_token: e,
-        id_token: this.storage.getItem(this.getKeyForTokenType(g.id_token)) ?? void 0,
-        refresh_token: this.storage.getItem(this.getKeyForTokenType(g.refresh_token)) ?? void 0,
+        access_token: t,
+        id_token: this.storage.getItem(this.getKeyForTokenType(k.id_token)) ?? void 0,
+        refresh_token: this.storage.getItem(this.getKeyForTokenType(k.refresh_token)) ?? void 0,
         scopes: this.storage.getItem(this.scopes)?.split(",") ?? void 0
       };
   }
@@ -87,7 +265,7 @@ class b {
     this.storage.removeItem(t);
   }
   deleteTokens() {
-    this.storage.removeItem(this.getKeyForTokenType(g.id_token)), this.storage.removeItem(this.getKeyForTokenType(g.access_token)), this.storage.removeItem(this.getKeyForTokenType(g.refresh_token)), this.storage.removeItem(this.scopes);
+    this.storage.removeItem(this.getKeyForTokenType(k.id_token)), this.storage.removeItem(this.getKeyForTokenType(k.access_token)), this.storage.removeItem(this.getKeyForTokenType(k.refresh_token)), this.storage.removeItem(this.scopes), this.clearIdToken();
   }
   getDeviceId() {
     return this.storage.getItem(this.deviceId) ?? void 0;
@@ -116,13 +294,101 @@ class b {
   deletePreviousRedirectUrl() {
     this.storage.removeItem(this.previousRedirectUrl);
   }
+  // Delivery mode storage methods
+  /**
+   * Set the token delivery mode in storage
+   */
+  setDeliveryMode(e) {
+    try {
+      this.storage.setItem(this.DELIVERY_MODE_KEY, e);
+    } catch {
+    }
+  }
+  /**
+   * Get the token delivery mode from storage
+   */
+  getDeliveryMode() {
+    try {
+      const e = this.storage.getItem(this.DELIVERY_MODE_KEY);
+      if (e && Object.values(v).includes(e))
+        return e;
+    } catch {
+    }
+  }
+  /**
+   * Clear the delivery mode from storage
+   */
+  clearDeliveryMode() {
+    try {
+      this.storage.removeItem(this.DELIVERY_MODE_KEY);
+    } catch {
+    }
+  }
+  // ID token storage methods (for cookie mode)
+  /**
+   * Get the ID token from storage (cookie mode)
+   */
+  getIdToken() {
+    try {
+      return this.storage.getItem(this.ID_TOKEN_KEY) ?? void 0;
+    } catch {
+      return;
+    }
+  }
+  /**
+   * Set the ID token in storage (cookie mode)
+   */
+  setIdToken(e) {
+    try {
+      this.storage.setItem(this.ID_TOKEN_KEY, e);
+    } catch {
+    }
+  }
+  /**
+   * Clear the ID token from storage
+   */
+  clearIdToken() {
+    try {
+      this.storage.removeItem(this.ID_TOKEN_KEY);
+    } catch {
+    }
+  }
+  // CSRF token storage methods
+  /**
+   * Get the CSRF token from storage
+   */
+  getCsrfToken() {
+    try {
+      return this.storage.getItem(this.CSRF_TOKEN_KEY) ?? void 0;
+    } catch {
+      return;
+    }
+  }
+  /**
+   * Set the CSRF token in storage
+   */
+  setCsrfToken(e) {
+    try {
+      this.storage.setItem(this.CSRF_TOKEN_KEY, e);
+    } catch {
+    }
+  }
+  /**
+   * Clear the CSRF token from storage
+   */
+  clearCsrfToken() {
+    try {
+      this.storage.removeItem(this.CSRF_TOKEN_KEY);
+    } catch {
+    }
+  }
   getKeyForTokenType(e) {
     return `${this.keyStoragePrefix}${e}`;
   }
 }
-class $ {
-  constructor() {
-    this.storageManager = new b();
+class Y {
+  constructor(e) {
+    this.storageManager = e ?? new $();
   }
   getDeviceId() {
     const e = this.storageManager.getDeviceId();
@@ -133,84 +399,85 @@ class $ {
     return e;
   }
   generateUniqueDeviceId() {
-    return R();
+    return H();
   }
 }
-var S = /* @__PURE__ */ ((i) => (i.GET = "get", i.POST = "post", i.PUT = "put", i.PATCH = "patch", i.DELETE = "delete", i))(S || {}), c = /* @__PURE__ */ ((i) => (i.signin = "/auth/login", i.signup = "/auth/register", i.signInWithProvider = "/auth/federated/start/", i.passwordless = "/auth/passwordless/start", i.passwordlessComplete = "/auth/passwordless/complete", i.logout = "/user/logout", i.refresh = "/auth/refresh", i.sendPasswordResetEmail = "/auth/password/reset", i.resetPassword = "/auth/password/change", i.appSettings = "/app/settings", i.passkeyRegisterStart = "/auth/passkey/register/start", i.passkeyRegisterComplete = "/auth/passkey/register/complete", i.passkeyAuthenticateStart = "/auth/passkey/authenticate/start", i.passkeyAuthenticateComplete = "/auth/passkey/authenticate/complete", i.passkeyValidate = "/auth/validate", i.settingsAll = "/settings", i.settingsPasswordPolicy = "/settings/password", i.settingsPasskey = "/settings/passkey", i.userPasskey = "/user/passkey", i.addUserPasskey = "/user/passkey/add/start", i.completeAddUserPasskey = "/user/passkey/add/complete", i.joinInvitation = "/user/tenant/join", i.tenantPath = "/user/tenant", i.invitationsPath = "/user/tenant/:tenantID/invitations", i.requestInvitation = "/user/invite", i.invitationDelete = "/user/invite/:invitationID", i.invitationResend = "/user/invite/:invitationID/resend", i.invitationGetLink = "/user/invite/:invitationID/link", i))(c || {}), y = /* @__PURE__ */ ((i) => (i.passkeyRegisterStart = "/admin/auth/passkey/register/start", i.passkeyRegisterComplete = "/admin/auth/passkey/register/complete", i.passkeyAuthenticateStart = "/admin/auth/passkey/authenticate/start", i.passkeyAuthenticateComplete = "/admin/auth/passkey/authenticate/complete", i.passkeyValidate = "/admin/auth/validate", i.logout = "/admin/auth/logout", i))(y || {});
+var E = /* @__PURE__ */ ((i) => (i.GET = "get", i.POST = "post", i.PUT = "put", i.PATCH = "patch", i.DELETE = "delete", i))(E || {}), h = /* @__PURE__ */ ((i) => (i.signin = "/auth/login", i.signup = "/auth/register", i.signInWithProvider = "/auth/federated/start/", i.passwordless = "/auth/passwordless/start", i.passwordlessComplete = "/auth/passwordless/complete", i.logout = "/user/logout", i.refresh = "/auth/refresh", i.validateSession = "/user/me", i.sendPasswordResetEmail = "/auth/password/reset", i.resetPassword = "/auth/password/change", i.appSettings = "/app/settings", i.passkeyRegisterStart = "/auth/passkey/register/start", i.passkeyRegisterComplete = "/auth/passkey/register/complete", i.passkeyAuthenticateStart = "/auth/passkey/authenticate/start", i.passkeyAuthenticateComplete = "/auth/passkey/authenticate/complete", i.passkeyValidate = "/auth/validate", i.settingsAll = "/settings", i.settingsPasswordPolicy = "/settings/password", i.settingsPasskey = "/settings/passkey", i.userPasskey = "/user/passkey", i.addUserPasskey = "/user/passkey/add/start", i.completeAddUserPasskey = "/user/passkey/add/complete", i.joinInvitation = "/user/tenant/join", i.tenantPath = "/user/tenant", i.invitationsPath = "/user/tenant/:tenantID/invitations", i.requestInvitation = "/user/invite", i.invitationDelete = "/user/invite/:invitationID", i.invitationResend = "/user/invite/:invitationID/resend", i.invitationGetLink = "/user/invite/:invitationID/link", i.twoFactor = "/user/2fa", i.twoFactorStatus = "/user/2fa/status", i.twoFactorSetupBegin = "/user/2fa/setup/begin", i.twoFactorSetupConfirm = "/user/2fa/setup/confirm", i.twoFactorVerify = "/auth/2fa/verify", i.twoFactorRecovery = "/auth/2fa/recovery", i.twoFactorRegenerateCodes = "/user/2fa/recovery-codes/regenerate", i.twoFactorSetupMagicLink = "/auth/2fa-setup", i))(h || {}), w = /* @__PURE__ */ ((i) => (i.passkeyRegisterStart = "/admin/auth/passkey/register/start", i.passkeyRegisterComplete = "/admin/auth/passkey/register/complete", i.passkeyAuthenticateStart = "/admin/auth/passkey/authenticate/start", i.passkeyAuthenticateComplete = "/admin/auth/passkey/authenticate/complete", i.passkeyValidate = "/admin/auth/validate", i.logout = "/admin/auth/logout", i))(w || {});
 class u extends Error {
   constructor(e) {
     super(), this.id = e?.id ?? "unknown", this.message = e?.message ?? e ?? "Something went wrong", this.status = e?.status ?? 500, this.location = e?.location ?? "unknown", this.time = e?.time ?? (/* @__PURE__ */ new Date()).toISOString();
   }
 }
-var L = /* @__PURE__ */ ((i) => (i.google = "google", i.facebook = "facebook", i))(L || {}), w = /* @__PURE__ */ ((i) => (i.web = "web", i))(w || {});
-function C(i, e) {
+var de = /* @__PURE__ */ ((i) => (i.google = "google", i.facebook = "facebook", i))(de || {}), I = /* @__PURE__ */ ((i) => (i.web = "web", i))(I || {});
+function A(i, e) {
   let t = i;
   return Object.entries(e).forEach(([s, r]) => {
     t = t.replace(`:${s}`, r);
   }), t;
 }
-class I {
-  constructor(e) {
-    this.refreshPromise = null, this.origin = window.location.origin, this.defaultHeaders = {
+var ue = /* @__PURE__ */ ((i) => (i.Disabled = "disabled", i.Optional = "optional", i.Required = "required", i))(ue || {});
+const le = 3, ge = 1e3;
+class T {
+  constructor(e, t, s) {
+    this.refreshPromise = null, this.isRefreshing = !1, this.origin = typeof window < "u" ? window.location.origin : "", this.defaultHeaders = {
       Accept: "application/json",
       "Content-Type": "application/json"
     }, this.nonAccessTokenEndpoints = ["/auth/", "/settings", "/settings/"], this.protectedEndpoints = ["logout", "refresh"];
-    const { url: t, appId: s, keyStoragePrefix: r } = e;
-    this.url = t || A, this.storageManager = new b({
-      prefix: r ?? ""
-    }), this.deviceService = new $(), this.tokenService = new G(), s && (this.appId = s, this.defaultHeaders = {
+    const { url: r, appId: o, keyStoragePrefix: n } = e;
+    this.url = r || G, this.storageManager = t ?? new $({
+      prefix: n ?? ""
+    }), this.deviceService = s ?? new Y(this.storageManager), this.tokenService = new he(this.storageManager), this.tokenDeliveryManager = new B(this.storageManager), o && (this.appId = o, this.defaultHeaders = {
       ...this.defaultHeaders,
-      [P]: s
+      [C]: o
     });
-    const o = this.deviceService.getDeviceId();
+    const d = this.deviceService.getDeviceId();
     this.defaultHeaders = {
       ...this.defaultHeaders,
-      [D]: o,
-      [x]: "web"
-    }, this.instance = T.create({
+      [W]: d,
+      [J]: "web"
+    }, this.detectCookieSupport(), this.instance = D.create({
       baseURL: this.url,
       headers: { ...this.defaultHeaders }
-    }), this.instance.interceptors.request.use(async (n) => {
-      if (this.isNonAuthEndpoint(n.url))
-        return n;
-      if (n.url?.includes("refresh")) {
-        if (this.refreshPromise) {
+    }), this.instance.interceptors.request.use(async (c) => {
+      if (this.isNonAuthEndpoint(c.url))
+        return c;
+      if (this.tokenDeliveryManager.isCookieMode()) {
+        c.withCredentials = !0;
+        const p = this.storageManager.getCsrfToken();
+        return p && (c.headers["X-CSRF-Token"] = p), c;
+      }
+      if (c.url?.includes("refresh")) {
+        if (this.isRefreshing) {
           const p = new AbortController();
-          return p.abort(), n.signal = p.signal, n;
+          return p.abort(), c.signal = p.signal, c;
         }
-        return n;
+        return c;
       }
-      const h = this.storageManager.getTokens(), l = this.storageManager.getScopes();
-      if (h?.access_token) {
-        const p = d(h.access_token);
-        if (f(p) && h.refresh_token)
+      const g = this.storageManager.getTokens();
+      if (g?.access_token) {
+        const p = y(g.access_token);
+        if (S(p, V) && g.refresh_token)
           try {
             if (this.refreshPromise) {
-              const E = await this.refreshPromise;
-              return E.data && (n.headers[m] = `Bearer ${E.data.access_token}`), n;
+              const f = await this.refreshPromise;
+              return f?.data?.access_token && (c.headers[_] = `Bearer ${f.data.access_token}`), c;
+            }
+            this.refreshPromise = this.refreshTokens();
+            try {
+              const f = await this.refreshPromise;
+              return f?.data?.access_token && (c.headers[_] = `Bearer ${f.data.access_token}`), c;
+            } finally {
+              this.refreshPromise = null;
             }
-            const v = {
-              refresh_token: h.refresh_token,
-              scopes: l
-            };
-            this.refreshPromise = this.instance.post(c.refresh, v, {
-              headers: {
-                [m]: `Bearer ${h.refresh_token}`
-              }
-            });
-            const k = await this.refreshPromise;
-            return k.data && (this.storageManager.saveTokens(k.data), n.headers[m] = `Bearer ${k.data.access_token}`), n;
-          } catch (v) {
-            return this.refreshPromise = null, Promise.reject(v);
-          } finally {
-            this.refreshPromise = null;
+          } catch (f) {
+            return this.refreshPromise = null, this.isRefreshing = !1, this.storageManager.deleteTokens(), Promise.reject(f);
           }
-        return n.headers[m] = `Bearer ${h.access_token}`, n;
+        return c.headers[_] = `Bearer ${g.access_token}`, c;
       }
-      return n;
+      return c;
     }), this.instance.interceptors.response.use(
-      (n) => n,
-      (n) => this.handleAxiosError(n)
+      (c) => c,
+      async (c) => (c.response?.status === 401 && this.tokenDeliveryManager.setSessionInvalid(), c.response?.status === 429 ? await this.handleRateLimitError(c) : this.handleAxiosError(c))
     );
   }
   isProtectedEndpoint(e) {
@@ -219,6 +486,71 @@ class I {
   isNonAuthEndpoint(e) {
     return this.nonAccessTokenEndpoints.some((t) => e?.includes(t)) && !this.isProtectedEndpoint(e);
   }
+  /**
+   * Detect if cookies are supported/enabled in the browser
+   * Falls back to JSON mode if cookies are blocked
+   */
+  detectCookieSupport() {
+    if (!(typeof document > "u"))
+      try {
+        document.cookie = "passflow_test=1; SameSite=Lax";
+        const e = document.cookie.indexOf("passflow_test=1") !== -1;
+        document.cookie = "passflow_test=; expires=Thu, 01 Jan 1970 00:00:00 UTC", !e && this.tokenDeliveryManager.isCookieMode() && console.warn("[Passflow SDK] Cookies are blocked. Cookie mode may not work.");
+      } catch {
+      }
+  }
+  /**
+   * Refresh tokens using single-flight pattern to prevent race conditions
+   * Supports both cookie mode and JSON mode
+   */
+  async refreshTokens() {
+    if (this.tokenDeliveryManager.isCookieMode()) {
+      const e = await this.instance.post(
+        h.refresh,
+        {},
+        // Empty body
+        { withCredentials: !0 }
+      );
+      return this.tokenDeliveryManager.setSessionValid(), e.data.csrf_token && this.storageManager.setCsrfToken(e.data.csrf_token), e.data.id_token && this.storageManager.setIdToken(e.data.id_token), e;
+    } else {
+      const e = this.storageManager.getTokens(), t = this.storageManager.getScopes();
+      if (!e?.refresh_token)
+        throw new Error("No refresh token available");
+      this.isRefreshing = !0;
+      const s = {
+        refresh_token: e.refresh_token,
+        scopes: t
+      }, r = await this.instance.post(h.refresh, s, {
+        headers: {
+          [_]: `Bearer ${e.refresh_token}`
+        }
+      });
+      return r.data && this.storageManager.saveTokens(r.data), this.isRefreshing = !1, r;
+    }
+  }
+  async handleRateLimitError(e) {
+    const t = e.config;
+    if (!t)
+      return Promise.reject(e);
+    const s = t.method?.toUpperCase();
+    if (!["GET", "HEAD", "OPTIONS"].includes(s || ""))
+      return Promise.reject(e);
+    const o = t._retryCount || 0;
+    if (o >= le)
+      return Promise.reject(e);
+    let n = ge * Math.pow(2, o);
+    const d = e.response?.headers?.["retry-after"];
+    if (d) {
+      const c = Number.parseInt(d, 10);
+      if (!Number.isNaN(c))
+        n = c * 1e3;
+      else {
+        const g = new Date(d);
+        Number.isNaN(g.getTime()) || (n = Math.max(0, g.getTime() - Date.now()));
+      }
+    }
+    return await new Promise((c) => setTimeout(c, n)), t._retryCount = o + 1, this.instance.request(t);
+  }
   // eslint-disable-next-line complexity
   // biome-ignore lint/suspicious/useAwait: <explanation>
   async handleAxiosError(e) {
@@ -247,33 +579,59 @@ class I {
     })).data;
   }
   get(e, t) {
-    return this.send(S.GET, e, t);
+    return this.send(E.GET, e, t);
   }
   post(e, t, s) {
-    return this.send(S.POST, e, { data: t, ...s });
+    return this.send(E.POST, e, { data: t, ...s });
   }
   put(e, t, s) {
-    return this.send(S.PUT, e, { data: t, ...s });
+    return this.send(E.PUT, e, { data: t, ...s });
   }
   patch(e, t, s) {
-    return this.send(S.PATCH, e, { data: t, ...s });
+    return this.send(E.PATCH, e, { data: t, ...s });
   }
   delete(e, t) {
-    return this.send(S.DELETE, e, t);
+    return this.send(E.DELETE, e, t);
+  }
+  /**
+   * Update the appId and propagate it to axios headers.
+   * This ensures that the APP_ID_HEADER_KEY is updated in all future requests.
+   *
+   * @param appId - The new application ID to set
+   */
+  setAppId(e) {
+    this.appId = e, this.defaultHeaders = {
+      ...this.defaultHeaders,
+      [C]: e
+    }, this.instance.defaults.headers.common[C] = e;
   }
 }
-class O {
-  constructor(e) {
-    this.storageManager = new b(), this.axiosClient = new I(e);
+class pe {
+  constructor(e, t, s) {
+    this.axiosClient = new T(e, t, s);
+  }
+  setAppId(e) {
+    this.axiosClient.setAppId(e);
+  }
+  getAppSettings() {
+    return this.axiosClient.get(h.appSettings);
+  }
+}
+class fe {
+  constructor(e, t, s) {
+    this.axiosClient = new T(e, t, s);
+  }
+  setAppId(e) {
+    this.axiosClient.setAppId(e);
   }
   refreshToken(e, t, s) {
     const r = {
       access: s,
       scopes: t
     };
-    return this.axiosClient.post(c.refresh, r, {
+    return this.axiosClient.post(h.refresh, r, {
       headers: {
-        [m]: `Bearer ${e}`
+        [_]: `Bearer ${e}`
       }
     });
   }
@@ -284,7 +642,7 @@ class O {
       os: s
     };
     return this.axiosClient.post(
-      c.signin,
+      h.signin,
       r
     );
   }
@@ -295,7 +653,7 @@ class O {
       anonymous: s ?? !1
     };
     return this.axiosClient.post(
-      c.signup,
+      h.signup,
       r
     );
   }
@@ -307,23 +665,26 @@ class O {
       os: s
     };
     return this.axiosClient.post(
-      c.passwordless,
+      h.passwordless,
       o
     );
   }
   passwordlessSignInComplete(e) {
     return this.axiosClient.post(
-      c.passwordlessComplete,
+      h.passwordlessComplete,
       e
     );
   }
   logOut(e, t, s = !1) {
-    const r = s ? void 0 : { refresh_token: t, device: e }, o = s ? y.logout : c.logout;
+    const r = s ? void 0 : { refresh_token: t, device: e }, o = s ? w.logout : h.logout;
     return this.axiosClient.post(o, r);
   }
+  validateSession() {
+    return this.axiosClient.get(h.validateSession);
+  }
   sendPasswordResetEmail(e) {
     return this.axiosClient.post(
-      c.sendPasswordResetEmail,
+      h.sendPasswordResetEmail,
       e
     );
   }
@@ -332,10 +693,10 @@ class O {
       password: e,
       scopes: t
     };
-    return this.axiosClient.post(c.resetPassword, r, {
+    return this.axiosClient.post(h.resetPassword, r, {
       headers: {
-        [m]: `Bearer ${s}`,
-        [P]: void 0
+        [_]: `Bearer ${s}`,
+        [C]: void 0
       }
     });
   }
@@ -345,15 +706,15 @@ class O {
       create_tenant: o ?? !1,
       device: t,
       os: s
-    }, h = r ? y.passkeyRegisterStart : c.passkeyRegisterStart;
-    return this.axiosClient.post(h, n);
+    }, d = r ? w.passkeyRegisterStart : h.passkeyRegisterStart;
+    return this.axiosClient.post(d, n);
   }
   passkeyRegisterComplete(e, t, s, r = !1) {
     const o = {
       challenge_id: s,
       device: t,
       passkey_data: e
-    }, n = r ? y.passkeyRegisterComplete : c.passkeyRegisterComplete;
+    }, n = r ? w.passkeyRegisterComplete : h.passkeyRegisterComplete;
     return this.axiosClient.post(n, o);
   }
   passkeyAuthenticateStart(e, t, s, r = !1) {
@@ -362,7 +723,7 @@ class O {
       user_id: e.user_id ?? "",
       device: t,
       os: s
-    }, n = r ? y.passkeyAuthenticateStart : c.passkeyAuthenticateStart;
+    }, n = r ? w.passkeyAuthenticateStart : h.passkeyAuthenticateStart;
     return this.axiosClient.post(
       n,
       o
@@ -373,7 +734,7 @@ class O {
       challenge_id: s,
       device: t,
       passkey_data: e
-    }, n = r ? y.passkeyAuthenticateComplete : c.passkeyAuthenticateComplete;
+    }, n = r ? w.passkeyAuthenticateComplete : h.passkeyAuthenticateComplete;
     return this.axiosClient.post(n, o);
   }
   passkeyValidate(e, t, s, r = !1, o) {
@@ -382,79 +743,103 @@ class O {
       device: t,
       challenge_id: s
     };
-    let h = c.passkeyValidate;
-    !o && r && (h = y.passkeyValidate);
-    const l = o ? { [P]: o } : {};
-    return this.axiosClient.post(h, n, { headers: l });
+    let d = h.passkeyValidate;
+    !o && r && (d = w.passkeyValidate);
+    const c = o ? { [C]: o } : {};
+    return this.axiosClient.post(d, n, { headers: c });
   }
 }
-class j {
-  constructor(e) {
-    this.axiosClient = new I(e);
+class ke {
+  constructor(e, t, s) {
+    this.axiosClient = new T(e, t, s);
   }
-  getAppSettings() {
-    return this.axiosClient.get(c.appSettings);
+  setAppId(e) {
+    this.axiosClient.setAppId(e);
+  }
+  /**
+   * Requests an invitation link that can be used to invite users
+   * @param payload Request invitation payload
+   * @returns Promise with invitation link and token
+   */
+  requestInviteLink(e) {
+    return this.axiosClient.post(
+      h.requestInvitation,
+      e
+    );
+  }
+  /**
+   * Gets a list of active invitations
+   * @param options Optional parameters for filtering and pagination
+   * @returns Promise with paginated list of invitations
+   */
+  getInvitations(e) {
+    const t = {};
+    e.groupID && (t.group_id = e.groupID.toString()), e.skip !== void 0 && (t.skip = e.skip.toString()), e.limit !== void 0 && (t.limit = e.limit.toString());
+    const s = A(h.invitationsPath, {
+      tenantID: e.tenantID
+    });
+    return this.axiosClient.get(s, { params: t }).then((r) => ({
+      invites: r.invites,
+      nextPageSkip: r.next_page_skip
+    }));
+  }
+  /**
+   * Deletes an invitation by token
+   * @param invitationID The invitation ID to delete
+   * @returns Promise with success response
+   */
+  deleteInvitation(e) {
+    const t = A(h.invitationDelete, {
+      invitationID: e
+    });
+    return this.axiosClient.delete(t);
+  }
+  /**
+   * Resend an invitation by token
+   * @param invitationID The invitation ID to resend
+   * @returns Promise with success response
+   */
+  resendInvitation(e) {
+    const t = A(h.invitationResend, {
+      invitationID: e
+    });
+    return this.axiosClient.post(t, {});
+  }
+  /**
+   * Get a link to an invitation by id
+   * @param invitationID The invitation ID to get link
+   * @returns Promise with the link
+   */
+  getInvitationLink(e) {
+    const t = A(h.invitationGetLink, {
+      invitationID: e
+    });
+    return this.axiosClient.get(t);
   }
 }
-class K {
-  constructor(e) {
-    this.axiosClient = new I(e);
+class ye {
+  constructor(e, t, s) {
+    this.axiosClient = new T(e, t, s);
+  }
+  setAppId(e) {
+    this.axiosClient.setAppId(e);
   }
   getSettingsAll() {
-    return this.axiosClient.get(c.settingsAll);
+    return this.axiosClient.get(h.settingsAll);
   }
   getPasswordPolicySettings() {
-    return this.axiosClient.get(c.settingsPasswordPolicy);
+    return this.axiosClient.get(h.settingsPasswordPolicy);
   }
   getPasskeySettings() {
-    return this.axiosClient.get(c.settingsPasskey);
+    return this.axiosClient.get(h.settingsPasskey);
   }
 }
-class N {
-  constructor(e) {
-    this.axiosClient = new I(e);
-  }
-  getUserPasskeys() {
-    return this.axiosClient.get(c.userPasskey);
-  }
-  renameUserPasskey(e, t) {
-    return this.axiosClient.patch(
-      `${c.userPasskey}/${t}`,
-      {
-        name: e
-      }
-    );
+class ve {
+  constructor(e, t, s) {
+    this.axiosClient = new T(e, t, s);
   }
-  deleteUserPasskey(e) {
-    return this.axiosClient.delete(`${c.userPasskey}/${e}`);
-  }
-  addUserPasskeyStart({
-    relyingPartyId: e,
-    deviceId: t,
-    os: s,
-    passkeyDisplayName: r,
-    passkeyUsername: o
-  }) {
-    const n = {
-      passkey_display_name: r,
-      passkey_username: o,
-      relying_party_id: e,
-      deviceId: t,
-      os: s
-    };
-    return this.axiosClient.post(c.addUserPasskey, n);
-  }
-  addUserPasskeyComplete(e, t, s) {
-    return this.axiosClient.post(c.completeAddUserPasskey, {
-      challenge_id: s,
-      device: t,
-      passkey_data: e
-    });
-  }
-}
-class B {
-  constructor(e) {
-    this.axiosClient = new I(e);
+  setAppId(e) {
+    this.axiosClient.setAppId(e);
   }
   joinInvitation(e, t) {
     const s = {
@@ -462,7 +847,7 @@ class B {
       scopes: t
     };
     return this.axiosClient.post(
-      c.joinInvitation,
+      h.joinInvitation,
       s
     );
   }
@@ -471,7 +856,7 @@ class B {
       name: e
     };
     return this.axiosClient.post(
-      c.tenantPath,
+      h.tenantPath,
       t
     );
   }
@@ -481,7 +866,7 @@ class B {
    * @param tenantId Tenant ID
    */
   getTenantDetails(e) {
-    const t = `${c.tenantPath}/${e}`;
+    const t = `${h.tenantPath}/${e}`;
     return this.axiosClient.get(t);
   }
   /**
@@ -490,7 +875,7 @@ class B {
    * @param name New tenant name
    */
   updateTenant(e, t) {
-    const s = `${c.tenantPath}/${e}`, r = { name: t };
+    const s = `${h.tenantPath}/${e}`, r = { name: t };
     return this.axiosClient.put(s, r);
   }
   /**
@@ -498,14 +883,14 @@ class B {
    * @param tenantId Tenant ID
    */
   deleteTenant(e) {
-    const t = `${c.tenantPath}/${e}`;
+    const t = `${h.tenantPath}/${e}`;
     return this.axiosClient.delete(t);
   }
   /**
    * Get user's tenant memberships
    */
   getUserTenantMembership() {
-    return this.axiosClient.get(c.tenantPath);
+    return this.axiosClient.get(h.tenantPath);
   }
   // 2. Group Management
   /**
@@ -514,7 +899,7 @@ class B {
    * @param name Group name
    */
   createGroup(e, t) {
-    const s = `${c.tenantPath}/${e}/group`, r = { name: t };
+    const s = `${h.tenantPath}/${e}/group`, r = { name: t };
     return this.axiosClient.post(s, r);
   }
   /**
@@ -523,7 +908,7 @@ class B {
    * @param groupId Group ID
    */
   getGroupInfo(e, t) {
-    const s = `${c.tenantPath}/${e}/group/${t}`;
+    const s = `${h.tenantPath}/${e}/group/${t}`;
     return this.axiosClient.get(s);
   }
   /**
@@ -533,7 +918,7 @@ class B {
    * @param name New group name
    */
   updateGroup(e, t, s) {
-    const r = `${c.tenantPath}/${e}/group/${t}`, o = { name: s };
+    const r = `${h.tenantPath}/${e}/group/${t}`, o = { name: s };
     return this.axiosClient.put(r, o);
   }
   /**
@@ -542,7 +927,7 @@ class B {
    * @param groupId Group ID
    */
   deleteGroup(e, t) {
-    const s = `${c.tenantPath}/${e}/group/${t}`;
+    const s = `${h.tenantPath}/${e}/group/${t}`;
     return this.axiosClient.delete(s);
   }
   /**
@@ -553,7 +938,7 @@ class B {
    * @param role Role to assign
    */
   addUserToGroup(e, t, s, r) {
-    const o = `${c.tenantPath}/${e}/group/${t}/add`, n = { user_id: s, role: r };
+    const o = `${h.tenantPath}/${e}/group/${t}/add`, n = { user_id: s, role: r };
     return this.axiosClient.post(o, n);
   }
   /**
@@ -564,7 +949,7 @@ class B {
    * @param roles Roles to remove
    */
   removeUserRolesFromGroup(e, t, s, r) {
-    const o = `${c.tenantPath}/${e}/group/${t}/remove_roles`, n = { user_id: s, roles: r };
+    const o = `${h.tenantPath}/${e}/group/${t}/remove_roles`, n = { user_id: s, roles: r };
     return this.axiosClient.post(o, n);
   }
   /**
@@ -575,7 +960,7 @@ class B {
    * @param roles New roles to assign
    */
   changeUserRoles(e, t, s, r) {
-    const o = `${c.tenantPath}/${e}/group/${t}/change`, n = { user_id: s, roles: r };
+    const o = `${h.tenantPath}/${e}/group/${t}/change`, n = { user_id: s, roles: r };
     return this.axiosClient.post(o, n);
   }
   /**
@@ -585,7 +970,7 @@ class B {
    * @param userId User ID
    */
   deleteUserFromGroup(e, t, s) {
-    const r = `${c.tenantPath}/${e}/group/${t}/${s}`;
+    const r = `${h.tenantPath}/${e}/group/${t}/${s}`;
     return this.axiosClient.delete(r);
   }
   // 3. Role Management
@@ -594,7 +979,7 @@ class B {
    * @param tenantId Tenant ID
    */
   getRolesForTenant(e) {
-    const t = `${c.tenantPath}/${e}/role`;
+    const t = `${h.tenantPath}/${e}/role`;
     return this.axiosClient.get(t);
   }
   /**
@@ -603,7 +988,7 @@ class B {
    * @param name Role name
    */
   createRoleForTenant(e, t) {
-    const s = `${c.tenantPath}/${e}/role`, r = { name: t };
+    const s = `${h.tenantPath}/${e}/role`, r = { name: t };
     return this.axiosClient.post(s, r);
   }
   /**
@@ -613,7 +998,7 @@ class B {
    * @param name New role name
    */
   updateRole(e, t, s) {
-    const r = `${c.tenantPath}/${e}/role/${t}`, o = { name: s };
+    const r = `${h.tenantPath}/${e}/role/${t}`, o = { name: s };
     return this.axiosClient.put(r, o);
   }
   /**
@@ -622,7 +1007,7 @@ class B {
    * @param roleId Role ID
    */
   deleteRole(e, t) {
-    const s = `${c.tenantPath}/${e}/role/${t}`;
+    const s = `${h.tenantPath}/${e}/role/${t}`;
     return this.axiosClient.delete(s);
   }
   // 4. User Management in Tenants
@@ -632,7 +1017,7 @@ class B {
    * @param userId User ID
    */
   deleteUserFromTenant(e, t) {
-    const s = `${c.tenantPath}/${e}/user/${t}`;
+    const s = `${h.tenantPath}/${e}/user/${t}`;
     return this.axiosClient.delete(s);
   }
   // 5. Invitation Management
@@ -644,7 +1029,7 @@ class B {
    * @param skip Number of invitations to skip
    */
   getGroupInvitations(e, t, s, r) {
-    const o = `${c.tenantPath}/${e}/group/${t}/invitations`;
+    const o = `${h.tenantPath}/${e}/group/${t}/invitations`;
     return this.axiosClient.get(o, {
       params: { limit: s, skip: r }
     });
@@ -656,7 +1041,7 @@ class B {
    * @param skip Number of invitations to skip
    */
   getTenantInvitations(e, t, s) {
-    const r = `${c.tenantPath}/${e}/invitations`;
+    const r = `${h.tenantPath}/${e}/invitations`;
     return this.axiosClient.get(r, {
       params: { limit: t, skip: s }
     });
@@ -668,7 +1053,7 @@ class B {
    * @param inviteId Invitation ID
    */
   invalidateInviteById(e, t, s) {
-    const r = `${c.tenantPath}/${e}/group/${t}/invite/${s}`;
+    const r = `${h.tenantPath}/${e}/group/${t}/invite/${s}`;
     return this.axiosClient.delete(r);
   }
   /**
@@ -678,77 +1063,224 @@ class B {
    * @param email Email address
    */
   invalidateInviteByEmail(e, t, s) {
-    const r = `${c.tenantPath}/${e}/group/${t}/invite/email/${s}`;
+    const r = `${h.tenantPath}/${e}/group/${t}/invite/email/${s}`;
     return this.axiosClient.delete(r);
   }
 }
-class W {
-  constructor(e) {
-    this.axiosClient = new I(e);
+class Se {
+  constructor(e, t, s) {
+    this.axiosClient = new T(e, t, s);
+  }
+  setAppId(e) {
+    this.axiosClient.setAppId(e);
   }
   /**
-   * Requests an invitation link that can be used to invite users
-   * @param payload Request invitation payload
-   * @returns Promise with invitation link and token
+   * Get current 2FA enrollment status
+   * GET /user/2fa/status
    */
-  requestInviteLink(e) {
+  getStatus() {
+    return this.axiosClient.get(h.twoFactorStatus);
+  }
+  /**
+   * Begin 2FA setup process
+   * POST /user/2fa/setup/begin
+   * Returns secret and QR code for authenticator app
+   */
+  beginSetup() {
+    return this.axiosClient.post(h.twoFactorSetupBegin, {});
+  }
+  /**
+   * Confirm 2FA setup with TOTP code
+   * POST /user/2fa/setup/confirm
+   * Returns recovery codes on success
+   */
+  confirmSetup(e) {
     return this.axiosClient.post(
-      c.requestInvitation,
+      h.twoFactorSetupConfirm,
       e
     );
   }
   /**
-   * Gets a list of active invitations
-   * @param options Optional parameters for filtering and pagination
-   * @returns Promise with paginated list of invitations
+   * Verify TOTP code during login
+   * POST /auth/2fa/verify
+   * Uses tfa_token as Bearer token for authentication
    */
-  getInvitations(e) {
-    const t = {};
-    e.groupID && (t.group_id = e.groupID.toString()), e.skip !== void 0 && (t.skip = e.skip.toString()), e.limit !== void 0 && (t.limit = e.limit.toString());
-    const s = C(c.invitationsPath, {
-      tenantID: e.tenantID
-    });
-    return this.axiosClient.get(s, { params: t }).then((r) => ({
-      invites: r.invites,
-      nextPageSkip: r.next_page_skip
-    }));
+  verify(e) {
+    const { tfa_token: t, code: s } = e;
+    return this.axiosClient.post(
+      h.twoFactorVerify,
+      { code: s },
+      {
+        headers: {
+          Authorization: `Bearer ${t}`
+        }
+      }
+    );
   }
   /**
-   * Deletes an invitation by token
-   * @param invitationID The invitation ID to delete
-   * @returns Promise with success response
+   * Use recovery code for authentication
+   * POST /auth/2fa/recovery
+   * Uses tfa_token as Bearer token for authentication
    */
-  deleteInvitation(e) {
-    const t = C(c.invitationDelete, {
-      invitationID: e
-    });
-    return this.axiosClient.delete(t);
+  useRecoveryCode(e) {
+    const { tfa_token: t, recovery_code: s } = e;
+    return this.axiosClient.post(
+      h.twoFactorRecovery,
+      { recovery_code: s },
+      {
+        headers: {
+          Authorization: `Bearer ${t}`
+        }
+      }
+    );
   }
   /**
-   * Resend an invitation by token
-   * @param invitationID The invitation ID to resend
-   * @returns Promise with success response
+   * Disable 2FA (requires TOTP verification)
+   * DELETE /user/2fa
    */
-  resendInvitation(e) {
-    const t = C(c.invitationResend, {
-      invitationID: e
+  disable(e) {
+    return this.axiosClient.delete(h.twoFactor, { data: e });
+  }
+  /**
+   * Regenerate recovery codes
+   * POST /user/2fa/recovery-codes/regenerate
+   */
+  regenerateRecoveryCodes(e) {
+    return this.axiosClient.post(
+      h.twoFactorRegenerateCodes,
+      e
+    );
+  }
+  /**
+   * Validate magic link token for 2FA setup
+   * GET /auth/2fa-setup/:token
+   *
+   * This endpoint validates an admin-generated magic link token
+   * and returns a scoped session (scope: "2fa_setup") that can ONLY
+   * be used for completing 2FA setup operations.
+   *
+   * This method never throws - it always returns a TwoFactorSetupMagicLinkValidationResponse
+   * with either success=true and session data, or success=false and error details.
+   *
+   * @param token - Magic link token from URL parameter
+   * @returns Validation response with scoped session token or error
+   */
+  validateTwoFactorSetupMagicLink(e) {
+    const t = `${h.twoFactorSetupMagicLink}/${e}`;
+    return this.axiosClient.get(t, {
+      // Override default auth headers (this is a public endpoint)
+      transformRequest: [
+        (s, r) => (r && delete r.Authorization, s)
+      ]
+    }).then((s) => ({
+      success: !0,
+      sessionToken: s.session_token,
+      userId: s.user_id,
+      expiresIn: s.expires_in,
+      appId: s.app_id
+    })).catch((s) => {
+      if (s.response) {
+        const r = s.response.status, o = s.response.data || {}, n = s.response.headers?.["retry-after"] ? parseInt(s.response.headers["retry-after"], 10) : void 0;
+        return {
+          success: !1,
+          error: {
+            code: o.error || this.mapStatusToErrorCode(r),
+            message: o.message || this.getDefaultErrorMessage(r),
+            retryAfter: n
+          }
+        };
+      }
+      return {
+        success: !1,
+        error: {
+          code: "SERVER_ERROR",
+          message: s instanceof Error ? s.message : "Unable to connect to the server. Please check your connection."
+        }
+      };
     });
-    return this.axiosClient.post(t, {});
   }
   /**
-   * Get a link to an invitation by id
-   * @param invitationID The invitation ID to get link
-   * @returns Promise with the link
+   * Map HTTP status code to magic link error code
    */
-  getInvitationLink(e) {
-    const t = C(c.invitationGetLink, {
-      invitationID: e
+  mapStatusToErrorCode(e) {
+    switch (e) {
+      case 400:
+        return "INVALID_TOKEN";
+      case 404:
+        return "REVOKED_TOKEN";
+      case 410:
+        return "EXPIRED_TOKEN";
+      case 429:
+        return "RATE_LIMITED";
+      default:
+        return "SERVER_ERROR";
+    }
+  }
+  /**
+   * Get default error message for HTTP status code
+   */
+  getDefaultErrorMessage(e) {
+    switch (e) {
+      case 400:
+        return "The provided magic link is invalid or malformed.";
+      case 404:
+        return "This magic link has been revoked or does not exist.";
+      case 410:
+        return "This magic link has expired. Please request a new one from your administrator.";
+      case 429:
+        return "Too many validation attempts. Please try again later.";
+      default:
+        return "An error occurred while validating the magic link.";
+    }
+  }
+}
+class me {
+  constructor(e, t, s) {
+    this.axiosClient = new T(e, t, s);
+  }
+  setAppId(e) {
+    this.axiosClient.setAppId(e);
+  }
+  getUserPasskeys() {
+    return this.axiosClient.get(h.userPasskey);
+  }
+  renameUserPasskey(e, t) {
+    return this.axiosClient.patch(
+      `${h.userPasskey}/${t}`,
+      {
+        name: e
+      }
+    );
+  }
+  deleteUserPasskey(e) {
+    return this.axiosClient.delete(`${h.userPasskey}/${e}`);
+  }
+  addUserPasskeyStart({
+    relyingPartyId: e,
+    deviceId: t,
+    os: s,
+    passkeyDisplayName: r,
+    passkeyUsername: o
+  }) {
+    const n = {
+      passkey_display_name: r,
+      passkey_username: o,
+      relying_party_id: e,
+      deviceId: t,
+      os: s
+    };
+    return this.axiosClient.post(h.addUserPasskey, n);
+  }
+  addUserPasskeyComplete(e, t, s) {
+    return this.axiosClient.post(h.completeAddUserPasskey, {
+      challenge_id: s,
+      device: t,
+      passkey_data: e
     });
-    return this.axiosClient.get(t);
   }
 }
-var a = /* @__PURE__ */ ((i) => (i.SignIn = "signin", i.SignInStart = "signin:start", i.Register = "register", i.RegisterStart = "register:start", i.SignOut = "signout", i.Error = "error", i.Refresh = "refresh", i.RefreshStart = "refresh:start", i.TokenCacheExpired = "token-cache-expired", i))(a || {});
-class H {
+var a = /* @__PURE__ */ ((i) => (i.SignIn = "signin", i.SignInStart = "signin:start", i.Register = "register", i.RegisterStart = "register:start", i.SignOut = "signout", i.SessionRestored = "session:restored", i.Error = "error", i.Refresh = "refresh", i.RefreshStart = "refresh:start", i.TokenCacheExpired = "token-cache-expired", i.TwoFactorRequired = "2fa:required", i.TwoFactorSetupStarted = "2fa:setup_started", i.TwoFactorEnabled = "2fa:enabled", i.TwoFactorDisabled = "2fa:disabled", i.TwoFactorVerified = "2fa:verified", i.TwoFactorRecoveryUsed = "2fa:recovery_used", i.TwoFactorRecoveryCodesLow = "2fa:recovery_low", i.TwoFactorRecoveryCodesExhausted = "2fa:recovery_exhausted", i.TwoFactorSetupMagicLinkValidated = "2fa:magic_link_validated", i.TwoFactorSetupMagicLinkFailed = "2fa:magic_link_failed", i))(a || {});
+class we {
   constructor() {
     this.subscribers = /* @__PURE__ */ new Map();
   }
@@ -788,20 +1320,156 @@ class H {
     });
   }
 }
-class q {
-  constructor(e, t, s, r, o, n, h, l, p, v, k) {
-    this.authApi = e, this.deviceService = t, this.storageManager = s, this.subscribeStore = r, this.tokenCacheService = o, this.scopes = n, this.createTenantForNewUser = h, this.origin = l, this.url = p, this.sessionCallbacks = v, this.appId = k;
+function F(i) {
+  if (!i || typeof i != "string") return !1;
+  const e = i.split(".");
+  if (e.length !== 3) return !1;
+  const t = /^[A-Za-z0-9_-]+$/;
+  return e.every((s) => t.test(s) && s.length > 0);
+}
+function Te(i) {
+  return i.replace(/<[^>]*>/g, "").substring(0, ne);
+}
+function M(i) {
+  if (!i || typeof i != "string") return !1;
+  const e = i.trim();
+  return e.length === 0 ? !1 : /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e);
+}
+function x(i) {
+  if (!i || typeof i != "string") return !1;
+  const e = i.trim();
+  return /^\+[1-9]\d{1,14}$/.test(e);
+}
+function Ee(i) {
+  if (!i || typeof i != "string") return !1;
+  const e = i.trim();
+  return e.length < ie || e.length > oe ? !1 : /^[a-zA-Z0-9_-]+$/.test(e);
+}
+function R(i, e = 6) {
+  return !i || typeof i != "string" ? !1 : (e === 8 ? /^\d{8}$/ : /^\d{6}$/).test(i);
+}
+function _e(i) {
+  if (!i || typeof i != "string") return null;
+  const e = i.toUpperCase().replace(/\s+/g, "");
+  return /^[A-Z0-9-]{4,16}$/.test(e) ? e : null;
+}
+class Ie {
+  constructor(e, t, s, r, o, n, d, c, g, p, f, b) {
+    this.authApi = e, this.deviceService = t, this.storageManager = s, this.subscribeStore = r, this.tokenCacheService = o, this.scopes = n, this.createTenantForNewUser = d, this.origin = c, this.url = g, this.sessionCallbacks = p, this.appId = f, this.tokenExchangeConfig = b, this.tokenDeliveryManager = new B(s), b?.enabled && this.tokenDeliveryManager.setMode(v.BFF), this.initializeSession();
+  }
+  /**
+   * Initialize session state on page load for cookie/BFF mode
+   */
+  async initializeSession() {
+    (this.tokenDeliveryManager.isCookieMode() || this.tokenDeliveryManager.isBFFMode()) && await this.restoreSession();
+  }
+  /**
+   * Restore session for cookie/BFF mode on page load
+   * Validates that HttpOnly cookies are still valid
+   * @returns true if session is valid, false otherwise
+   */
+  async restoreSession() {
+    if (this.tokenDeliveryManager.isBFFMode() && this.tokenExchangeConfig?.statusUrl)
+      try {
+        const e = await fetch(this.tokenExchangeConfig.statusUrl, {
+          method: "GET",
+          credentials: "include"
+          // Include httpOnly cookies
+        });
+        return e.ok && (await e.json()).authenticated ? (this.tokenDeliveryManager.setSessionValid(), !0) : (this.tokenDeliveryManager.setSessionInvalid(), !1);
+      } catch {
+        return this.tokenDeliveryManager.setSessionInvalid(), !1;
+      }
+    if (!this.tokenDeliveryManager.isCookieMode())
+      return !1;
+    try {
+      const e = await this.authApi.validateSession();
+      return e.valid ? (this.tokenDeliveryManager.setSessionValid(), e.user && this.subscribeStore.notify(a.SessionRestored, e.user), !0) : (this.tokenDeliveryManager.setSessionInvalid(), !1);
+    } catch {
+      return this.tokenDeliveryManager.setSessionInvalid(), !1;
+    }
+  }
+  /**
+   * Process successful authentication response
+   * Handles token storage, session state, CSRF tokens
+   * In BFF mode, forwards tokens to BFF server
+   */
+  async processAuthResponse(e, t) {
+    this.tokenExchangeConfig?.enabled || "token_delivery" in e && e.token_delivery && this.tokenDeliveryManager.setMode(e.token_delivery), this.tokenDeliveryManager.setSessionValid(), this.tokenDeliveryManager.isBFFMode() && this.tokenExchangeConfig?.callbackUrl && await this.forwardTokensToBFF(e), e.scopes = t, this.storageManager.saveTokens(e, this.tokenDeliveryManager.getMode()), this.tokenCacheService.setTokensCache(e), e.csrf_token && this.storageManager.setCsrfToken(e.csrf_token);
+  }
+  /**
+   * Forward tokens to BFF server for httpOnly cookie storage
+   */
+  async forwardTokensToBFF(e) {
+    if (!this.tokenExchangeConfig?.callbackUrl) {
+      console.warn("[Passflow SDK] BFF mode enabled but callbackUrl not configured");
+      return;
+    }
+    try {
+      const t = await fetch(this.tokenExchangeConfig.callbackUrl, {
+        method: "POST",
+        credentials: "include",
+        // Include/set httpOnly cookies
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          access_token: e.access_token,
+          refresh_token: e.refresh_token,
+          id_token: e.id_token,
+          // expires_in is returned by the server but not typed in the SDK
+          expires_in: e.expires_in
+        })
+      });
+      if (!t.ok) {
+        const s = await t.text();
+        throw console.error("[Passflow SDK] Failed to forward tokens to BFF:", s), new Error(`BFF token storage failed: ${t.status}`);
+      }
+      console.log("[Passflow SDK] Tokens forwarded to BFF successfully");
+    } catch (t) {
+      throw console.error("[Passflow SDK] Error forwarding tokens to BFF:", t), t;
+    }
   }
   async signIn(e) {
+    if ("email" in e && e.email && !M(e.email)) {
+      const r = new Error("Invalid email format"), o = {
+        message: "Invalid email format",
+        originalError: r,
+        code: "VALIDATION_ERROR"
+      };
+      throw this.subscribeStore.notify(a.Error, o), r;
+    }
+    if ("username" in e && e.username && !Ee(e.username)) {
+      const r = new Error(
+        "Invalid username format. Username must be 3-30 characters and contain only letters, numbers, underscores, and hyphens"
+      ), o = {
+        message: "Invalid username format. Username must be 3-30 characters and contain only letters, numbers, underscores, and hyphens",
+        originalError: r,
+        code: "VALIDATION_ERROR"
+      };
+      throw this.subscribeStore.notify(a.Error, o), r;
+    }
+    if ("phone" in e && e.phone && !x(e.phone)) {
+      const r = new Error("Invalid phone number format. Phone must be in E.164 format (e.g., +12345678901)"), o = {
+        message: "Invalid phone number format. Phone must be in E.164 format (e.g., +12345678901)",
+        originalError: r,
+        code: "VALIDATION_ERROR"
+      };
+      throw this.subscribeStore.notify(a.Error, o), r;
+    }
     this.subscribeStore.notify(a.SignInStart, { email: e.email });
-    const t = this.deviceService.getDeviceId(), s = w.web;
+    const t = this.deviceService.getDeviceId(), s = I.web;
     e.scopes = e.scopes ?? this.scopes;
     try {
       const r = await this.authApi.signIn(e, t, s);
-      return r.scopes = e.scopes, this.storageManager.saveTokens(r), this.tokenCacheService.setTokensCache(r), this.subscribeStore.notify(a.SignIn, {
+      return "requires_2fa" in r && r.requires_2fa === !0 || "tfa_token" in r && r.tfa_token ? (this.subscribeStore.notify(a.TwoFactorRequired, {
+        email: e.email || "",
+        challengeId: r.challenge_id || "",
+        tfaToken: r.tfa_token || ""
+      }), r) : (await this.processAuthResponse(r, e.scopes), this.subscribeStore.notify(a.SignIn, {
         tokens: r,
-        parsedTokens: this.tokenCacheService.getParsedTokenCache()
-      }), await this.submitSessionCheck(), r;
+        parsedTokens: this.tokenCacheService.getParsedTokens()
+      }), await this.submitSessionCheck(), r);
     } catch (r) {
       const o = {
         message: r instanceof Error ? r.message : "Sign in failed",
@@ -812,12 +1480,28 @@ class q {
     }
   }
   async signUp(e) {
+    if (e.user.email && !M(e.user.email)) {
+      const t = new Error("Invalid email format"), s = {
+        message: "Invalid email format",
+        originalError: t,
+        code: "VALIDATION_ERROR"
+      };
+      throw this.subscribeStore.notify(a.Error, s), t;
+    }
+    if (e.user.phone_number && !x(e.user.phone_number)) {
+      const t = new Error("Invalid phone number format. Phone must be in E.164 format (e.g., +12345678901)"), s = {
+        message: "Invalid phone number format. Phone must be in E.164 format (e.g., +12345678901)",
+        originalError: t,
+        code: "VALIDATION_ERROR"
+      };
+      throw this.subscribeStore.notify(a.Error, s), t;
+    }
     this.subscribeStore.notify(a.RegisterStart, { email: e.user.email }), e.scopes = e.scopes ?? this.scopes, e.create_tenant = this.createTenantForNewUser;
     try {
       const t = await this.authApi.signUp(e);
-      return t.scopes = e.scopes, this.storageManager.saveTokens(t), this.tokenCacheService.setTokensCache(t), this.subscribeStore.notify(a.Register, {
+      return await this.processAuthResponse(t, e.scopes), this.subscribeStore.notify(a.Register, {
         tokens: t,
-        parsedTokens: this.tokenCacheService.getParsedTokenCache()
+        parsedTokens: this.tokenCacheService.getParsedTokens()
       }), await this.submitSessionCheck(), t;
     } catch (t) {
       const s = {
@@ -829,8 +1513,24 @@ class q {
     }
   }
   async passwordlessSignIn(e) {
+    if (e.email && !M(e.email)) {
+      const r = new Error("Invalid email format"), o = {
+        message: "Invalid email format",
+        originalError: r,
+        code: "VALIDATION_ERROR"
+      };
+      throw this.subscribeStore.notify(a.Error, o), r;
+    }
+    if (e.phone && !x(e.phone)) {
+      const r = new Error("Invalid phone number format. Phone must be in E.164 format (e.g., +12345678901)"), o = {
+        message: "Invalid phone number format. Phone must be in E.164 format (e.g., +12345678901)",
+        originalError: r,
+        code: "VALIDATION_ERROR"
+      };
+      throw this.subscribeStore.notify(a.Error, o), r;
+    }
     this.subscribeStore.notify(a.SignInStart, { email: e.email }), e.scopes = e.scopes ?? this.scopes;
-    const t = this.deviceService.getDeviceId(), s = w.web;
+    const t = this.deviceService.getDeviceId(), s = I.web;
     try {
       return await this.authApi.passwordlessSignIn(e, t, s);
     } catch (r) {
@@ -846,9 +1546,9 @@ class q {
     this.subscribeStore.notify(a.SignInStart, {}), e.scopes = e.scopes ?? this.scopes, e.device = this.deviceService.getDeviceId();
     try {
       const t = await this.authApi.passwordlessSignInComplete(e);
-      return t.scopes = e.scopes, this.storageManager.saveTokens(t), this.tokenCacheService.setTokensCache(t), this.subscribeStore.notify(a.SignIn, {
+      return await this.processAuthResponse(t, e.scopes), this.subscribeStore.notify(a.SignIn, {
         tokens: t,
-        parsedTokens: this.tokenCacheService.getParsedTokenCache()
+        parsedTokens: this.tokenCacheService.getParsedTokens()
       }), await this.submitSessionCheck(), t;
     } catch (t) {
       const s = {
@@ -860,17 +1560,67 @@ class q {
     }
   }
   async logOut() {
-    const e = this.storageManager.getToken(g.refresh_token), t = this.storageManager.getDeviceId();
-    try {
-      if ((await this.authApi.logOut(t, e, !this.appId)).status !== "ok")
-        throw new Error("Logout failed");
-      this.storageManager.deleteTokens(), this.subscribeStore.notify(a.SignOut, {});
-    } catch (s) {
-      throw console.error(s), s;
+    if (this.tokenDeliveryManager.isBFFMode() && this.tokenExchangeConfig?.logoutUrl)
+      try {
+        const e = await fetch(this.tokenExchangeConfig.logoutUrl, {
+          method: "POST",
+          credentials: "include"
+          // Include httpOnly cookies
+        });
+        e.ok || console.warn("[Passflow SDK] BFF logout failed:", await e.text());
+      } catch (e) {
+        console.warn("[Passflow SDK] BFF logout error:", e);
+      }
+    else {
+      const e = this.storageManager.getToken(k.refresh_token), t = this.storageManager.getDeviceId();
+      try {
+        if ((await this.authApi.logOut(t, e, !this.appId)).status !== "ok")
+          throw new Error("Logout failed");
+      } catch (s) {
+        console.warn("[Passflow SDK] Logout API failed, clearing local state anyway:", s);
+      }
     }
+    this.storageManager.deleteTokens(), this.storageManager.clearIdToken(), this.storageManager.clearCsrfToken(), this.tokenDeliveryManager.reset(), this.subscribeStore.notify(a.SignOut, {});
   }
   async refreshToken() {
-    this.subscribeStore.notify(a.RefreshStart, {});
+    if (this.subscribeStore.notify(a.RefreshStart, {}), this.tokenDeliveryManager.isBFFMode() && this.tokenExchangeConfig?.refreshUrl)
+      try {
+        const s = await fetch(this.tokenExchangeConfig.refreshUrl, {
+          method: "POST",
+          credentials: "include"
+          // Include httpOnly cookies
+        });
+        if (!s.ok)
+          throw this.tokenDeliveryManager.setSessionInvalid(), new Error("BFF token refresh failed");
+        const r = await s.json();
+        return this.tokenDeliveryManager.setSessionValid(), r.id_token && this.storageManager.setIdToken(r.id_token), this.subscribeStore.notify(a.Refresh, {
+          tokens: r,
+          parsedTokens: this.tokenCacheService.getParsedTokens()
+        }), this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !1 }), this.tokenCacheService.isRefreshing = !1, this.tokenCacheService.tokenExpiredFlag = !1, r;
+      } catch (s) {
+        this.tokenDeliveryManager.setSessionInvalid();
+        const r = {
+          message: s instanceof Error ? s.message : "Token refresh failed",
+          originalError: s
+        };
+        throw this.subscribeStore.notify(a.Error, r), s;
+      }
+    if (this.tokenDeliveryManager.isCookieMode())
+      try {
+        const s = await this.authApi.refreshToken("", this.scopes);
+        return this.tokenDeliveryManager.setSessionValid(), await this.processAuthResponse(s, this.scopes), this.subscribeStore.notify(a.Refresh, {
+          tokens: s,
+          parsedTokens: this.tokenCacheService.getParsedTokens()
+        }), this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !1 }), this.tokenCacheService.isRefreshing = !1, this.tokenCacheService.tokenExpiredFlag = !1, s;
+      } catch (s) {
+        this.tokenDeliveryManager.setSessionInvalid();
+        const r = {
+          message: s instanceof Error ? s.message : "Token refresh failed",
+          originalError: s,
+          code: s instanceof u ? s.id : void 0
+        };
+        throw this.subscribeStore.notify(a.Error, r), s;
+      }
     const e = this.storageManager.getTokens();
     if (e) {
       if (!e?.refresh_token) {
@@ -892,19 +1642,19 @@ class q {
       const s = await this.authApi.refreshToken(e?.refresh_token ?? "", t, e?.access_token);
       return s.scopes = t, this.storageManager.saveTokens(s), this.tokenCacheService.setTokensCache(s), this.subscribeStore.notify(a.Refresh, {
         tokens: s,
-        parsedTokens: this.tokenCacheService.getParsedTokenCache()
-      }), this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !1 }), this.tokenCacheService.isRefreshing = !1, this.tokenCacheService.isExpired = !1, this.tokenCacheService.startTokenCheck(), s;
+        parsedTokens: this.tokenCacheService.getParsedTokens()
+      }), this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !1 }), this.tokenCacheService.isRefreshing = !1, this.tokenCacheService.tokenExpiredFlag = !1, this.tokenCacheService.startTokenCheck(), s;
     } catch (s) {
       const r = {
         message: s instanceof Error ? s.message : "Token refresh failed",
         originalError: s,
         code: s instanceof u ? s.id : void 0,
-        details: T.isAxiosError(s) && s.response ? {
+        details: D.isAxiosError(s) && s.response ? {
           status: s.response.status,
           data: s.response.data
         } : void 0
       };
-      throw this.subscribeStore.notify(a.Error, r), s instanceof u ? s : T.isAxiosError(s) && s.response && s.response?.status >= 400 && s.response?.status < 500 ? new Error(`Getting unknown error message from server with code:${s.response.status}`) : s;
+      throw this.subscribeStore.notify(a.Error, r), s instanceof u ? s : D.isAxiosError(s) && s.response && s.response?.status >= 400 && s.response?.status < 500 ? new Error(`Getting unknown error message from server with code:${s.response.status}`) : s;
     }
   }
   async sendPasswordResetEmail(e) {
@@ -924,38 +1674,38 @@ class q {
     const r = new URLSearchParams(window.location.search).get("token") ?? void 0, o = t ?? this.scopes;
     try {
       const n = await this.authApi.resetPassword(e, o, r);
-      return n.scopes = o, this.storageManager.saveTokens(n), this.tokenCacheService.setTokensCache(n), this.subscribeStore.notify(a.SignIn, {
+      return await this.processAuthResponse(n, o), this.subscribeStore.notify(a.SignIn, {
         tokens: n,
-        parsedTokens: this.tokenCacheService.getParsedTokenCache()
+        parsedTokens: this.tokenCacheService.getParsedTokens()
       }), await this.submitSessionCheck(), n;
     } catch (n) {
-      const h = {
+      const d = {
         message: n instanceof Error ? n.message : "Password reset failed",
         originalError: n,
         code: n instanceof u ? n.id : void 0
       };
-      throw this.subscribeStore.notify(a.Error, h), n;
+      throw this.subscribeStore.notify(a.Error, d), n;
     }
   }
   async passkeyRegister(e) {
     this.subscribeStore.notify(a.RegisterStart, {});
-    const t = this.deviceService.getDeviceId(), s = w.web;
+    const t = this.deviceService.getDeviceId(), s = I.web;
     e.scopes = e.scopes ?? this.scopes, e.create_tenant = this.createTenantForNewUser;
     try {
       const { challenge_id: r, publicKey: o } = await this.authApi.passkeyRegisterStart(e, t, s, !this.appId);
       o.user.id = btoa(o.user.id);
-      const n = await _({
+      const n = await K({
         optionsJSON: o
-      }), h = await this.authApi.passkeyRegisterComplete(
+      }), d = await this.authApi.passkeyRegisterComplete(
         n,
         t,
         r,
         !this.appId
       );
-      return h.scopes = e.scopes, this.storageManager.saveTokens(h), this.tokenCacheService.setTokensCache(h), this.subscribeStore.notify(a.Register, {
-        tokens: h,
-        parsedTokens: this.tokenCacheService.getParsedTokenCache()
-      }), await this.submitSessionCheck(), h;
+      return await this.processAuthResponse(d, e.scopes), this.subscribeStore.notify(a.Register, {
+        tokens: d,
+        parsedTokens: this.tokenCacheService.getParsedTokens()
+      }), await this.submitSessionCheck(), d;
     } catch (r) {
       const o = {
         message: r instanceof Error ? r.message : "Passkey registration failed",
@@ -967,21 +1717,21 @@ class q {
   }
   async passkeyAuthenticate(e) {
     this.subscribeStore.notify(a.SignInStart, {});
-    const t = this.deviceService.getDeviceId(), s = w.web;
+    const t = this.deviceService.getDeviceId(), s = I.web;
     e.scopes = e.scopes ?? this.scopes;
     try {
-      const { challenge_id: r, publicKey: o } = await this.authApi.passkeyAuthenticateStart(e, t, s, !this.appId), n = await U({
+      const { challenge_id: r, publicKey: o } = await this.authApi.passkeyAuthenticateStart(e, t, s, !this.appId), n = await j({
         optionsJSON: o
-      }), h = await this.authApi.passkeyAuthenticateComplete(
+      }), d = await this.authApi.passkeyAuthenticateComplete(
         n,
         t,
         r,
         !this.appId
       );
-      return "access_token" in h && (h.scopes = e.scopes, this.storageManager.saveTokens(h), this.tokenCacheService.setTokensCache(h), this.subscribeStore.notify(a.SignIn, {
-        tokens: h,
-        parsedTokens: this.tokenCacheService.getParsedTokenCache()
-      }), await this.submitSessionCheck()), h;
+      return "access_token" in d && (await this.processAuthResponse(d, e.scopes), this.subscribeStore.notify(a.SignIn, {
+        tokens: d,
+        parsedTokens: this.tokenCacheService.getParsedTokens()
+      }), await this.submitSessionCheck()), d;
     } catch (r) {
       const o = {
         message: r instanceof Error ? r.message : "Passkey authentication failed",
@@ -1006,25 +1756,48 @@ class q {
   }
   federatedAuthWithPopup(e) {
     this.subscribeStore.notify(a.SignInStart, { provider: e.provider });
-    const t = e.scopes ?? this.scopes, s = this.deviceService.getDeviceId(), r = this.createFederatedAuthUrl({ ...e, scopes: t, device: s }), o = window.open(r, "_blank", "width=500,height=500");
-    if (!o)
+    const t = e.scopes ?? this.scopes, s = this.deviceService.getDeviceId(), r = this.createFederatedAuthUrl({ ...e, scopes: t, device: s }), o = window.open(r, "_blank", `width=${ee},height=${te}`);
+    if (!o) {
       this.federatedAuthWithRedirect(e);
-    else {
-      const n = setInterval(() => {
+      return;
+    }
+    const n = Date.now(), d = setInterval(() => {
+      if (o.closed) {
+        clearInterval(d);
+        const c = {
+          message: "Authentication popup was closed",
+          code: "POPUP_CLOSED"
+        };
+        this.subscribeStore.notify(a.Error, c);
+        return;
+      }
+      if (Date.now() - n > re) {
+        clearInterval(d), o.close();
+        const c = {
+          message: "Authentication popup timed out",
+          code: "POPUP_TIMEOUT"
+        };
+        this.subscribeStore.notify(a.Error, c);
+        return;
+      }
+      try {
         if (o.location.href.startsWith(this.origin)) {
-          const h = new URLSearchParams(o.location.search), l = h.get("access_token") || "", p = h.get("refresh_token") || "", v = h.get("id_token") || "", k = {
-            access_token: l,
-            refresh_token: p,
-            id_token: v,
+          const c = new URLSearchParams(o.location.search), g = c.get("access_token") || "", p = c.get("refresh_token") || "", f = c.get("id_token") || "", b = {
+            access_token: g,
+            refresh_token: p || void 0,
+            id_token: f || void 0,
             scopes: t
           };
-          this.storageManager.saveTokens(k), this.tokenCacheService.setTokensCache(k), this.subscribeStore.notify(a.SignIn, {
-            tokens: k,
-            parsedTokens: this.tokenCacheService.getParsedTokenCache()
-          }), window.location.href = `${this.origin}`, clearInterval(n), o.close();
+          this.processAuthResponse(b, t).then(() => {
+            this.subscribeStore.notify(a.SignIn, {
+              tokens: b,
+              parsedTokens: this.tokenCacheService.getParsedTokens()
+            }), window.location.href = `${this.origin}`;
+          }), clearInterval(d), o.close();
         }
-      }, 100);
-    }
+      } catch {
+      }
+    }, se);
   }
   federatedAuthWithRedirect(e) {
     this.subscribeStore.notify(a.SignInStart, { provider: e.provider });
@@ -1036,12 +1809,12 @@ class q {
     try {
       const { url: t, redirectUrl: s, scopes: r, appId: o } = e ?? {}, n = new URL(t ?? this.url);
       n.pathname = (n.pathname.endsWith("/") ? n.pathname : n.pathname + "/") + "web";
-      const h = r ?? this.scopes, l = {
+      const d = r ?? this.scopes, c = {
         appId: o ?? this.appId ?? "",
         redirectto: s ?? window.location.href,
-        scopes: h.join(",")
-      }, p = new URLSearchParams(l);
-      return n.search = p.toString(), n.toString();
+        scopes: d.join(",")
+      }, g = new URLSearchParams(c);
+      return n.search = g.toString(), n.toString();
     } catch (t) {
       const s = {
         message: t instanceof Error ? t.message : "Failed to create auth redirect URL",
@@ -1063,10 +1836,15 @@ class q {
   }
   /**
    * Check if user is authenticated
+   * CRITICAL: Cookie/BFF mode checks ID token + session state, NOT access_token
    */
   isAuthenticated(e) {
     try {
-      return e ? !f(e.access_token) || !!e.refresh_token && !f(e.refresh_token) : !1;
+      if (this.tokenDeliveryManager.isCookieMode() || this.tokenDeliveryManager.isBFFMode()) {
+        const t = !!e?.id_token || !!this.storageManager.getIdToken(), s = this.tokenDeliveryManager.isSessionValid(), r = this.tokenDeliveryManager.isSessionUnknown();
+        return t && (s || r);
+      }
+      return !e || !e.access_token ? !1 : !S(e.access_token) || e.refresh_token !== void 0 && !S(e.refresh_token);
     } catch (t) {
       const s = {
         message: t instanceof Error ? t.message : "Failed to check authentication status",
@@ -1081,7 +1859,7 @@ class q {
   async submitSessionCheck(e = !1) {
     let t, s;
     try {
-      t = await this.getTokens(e), s = this.tokenCacheService.getParsedTokenCache();
+      t = await this.getTokens(e), s = this.tokenCacheService.getParsedTokens();
     } catch (r) {
       const o = {
         message: r instanceof Error || r instanceof u ? r.message : "Session check failed",
@@ -1093,13 +1871,19 @@ class q {
   }
   /**
    * Get tokens and refresh if needed
+   * Cookie/BFF mode: Returns ID token only (access/refresh in HttpOnly cookies)
+   * JSON mode: Returns all tokens from localStorage
    */
   async getTokens(e) {
     try {
+      if (this.tokenDeliveryManager.isCookieMode() || this.tokenDeliveryManager.isBFFMode()) {
+        const r = this.storageManager.getTokens();
+        return r?.id_token ? this.tokenDeliveryManager.isSessionInvalid() && e ? await this.refreshToken() : r : void 0;
+      }
       const t = this.storageManager.getTokens();
       if (!t || !t.access_token) return;
-      const s = d(t.access_token);
-      return f(s) ? e ? await this.refreshToken() : void 0 : t;
+      const s = y(t.access_token);
+      return S(s) ? e ? await this.refreshToken() : void 0 : t;
     } catch (t) {
       const s = {
         message: t instanceof Error ? t.message : "Failed to get tokens",
@@ -1110,9 +1894,9 @@ class q {
     }
   }
 }
-class V {
+class be {
   constructor(e) {
-    this.invitationAPI = e;
+    this.invitationApi = e;
   }
   /**
    * Requests an invitation link that can be used to invite users
@@ -1120,7 +1904,7 @@ class V {
    * @returns Promise with invitation link and token
    */
   requestInviteLink(e) {
-    return this.invitationAPI.requestInviteLink(e);
+    return this.invitationApi.requestInviteLink(e);
   }
   /**
    * Gets a list of active invitations
@@ -1128,7 +1912,7 @@ class V {
    * @returns Promise with paginated list of invitations
    */
   getInvitations(e) {
-    return this.invitationAPI.getInvitations(e);
+    return this.invitationApi.getInvitations(e);
   }
   /**
    * Deletes an invitation by token
@@ -1136,7 +1920,7 @@ class V {
    * @returns Promise with success response
    */
   deleteInvitation(e) {
-    return this.invitationAPI.deleteInvitation(e);
+    return this.invitationApi.deleteInvitation(e);
   }
   /**
    * Resends an invitation by token
@@ -1144,7 +1928,7 @@ class V {
    * @returns Promise with success response
    */
   resendInvitation(e) {
-    return this.invitationAPI.resendInvitation(e);
+    return this.invitationApi.resendInvitation(e);
   }
   /**
    * Gets a link to an invitation by id
@@ -1152,10 +1936,10 @@ class V {
    * @returns Promise with the link
    */
   getInvitationLink(e) {
-    return this.invitationAPI.getInvitationLink(e);
+    return this.invitationApi.getInvitationLink(e);
   }
 }
-class z {
+class Ce {
   error(e, ...t) {
     console.error(e, ...t);
   }
@@ -1169,10 +1953,10 @@ class z {
     console.debug(e, ...t);
   }
 }
-function J() {
-  return new z();
+function Ae() {
+  return new Ce();
 }
-class Y {
+class Re {
   constructor(e) {
     this.data = this.normalize(e);
   }
@@ -1193,16 +1977,16 @@ class Y {
         name: n.name
       });
     }), e.users_in_groups?.forEach((n) => {
-      const h = n.user;
-      h && !t.has(h.id) && t.set(h.id, {
-        id: h.id,
-        name: h.name ?? null,
-        email: h.email ?? null,
-        phone: h.phone ?? null
-      }), h && n.group_id && s.has(n.group_id) && o.push({
-        userId: h.id,
+      const d = n.user;
+      d && !t.has(d.id) && t.set(d.id, {
+        id: d.id,
+        name: d.name ?? null,
+        email: d.email ?? null,
+        phone: d.phone ?? null
+      }), d && n.group_id && s.has(n.group_id) && o.push({
+        userId: d.id,
         groupId: n.group_id,
-        roleIds: n.roles?.map((l) => l.id) ?? []
+        roleIds: n.roles?.map((c) => c.id) ?? []
       });
     }), {
       tenant_id: e.tenant_id,
@@ -1242,9 +2026,9 @@ class Y {
     return this.data;
   }
 }
-class X {
+class Pe {
   constructor(e, t, s) {
-    this.tenantAPI = e, this.scopes = t, this.logger = s || J();
+    this.tenantApi = e, this.scopes = t, this.logger = s || Ae();
   }
   /**
    * Handle Passflow API errors
@@ -1253,7 +2037,7 @@ class X {
    * @throws Formatted error with Passflow API error details
    */
   handlePassflowError(e, t) {
-    if (T.isAxiosError(e) && e.response?.data) {
+    if (D.isAxiosError(e) && e.response?.data) {
       const s = e.response.data;
       if (typeof s == "object" && s !== null && "error" in s && typeof s.error == "object" && s.error !== null) {
         const r = s.error;
@@ -1271,7 +2055,7 @@ class X {
   async joinInvitation(e, t) {
     try {
       const s = t ?? this.scopes;
-      return await this.tenantAPI.joinInvitation(e, s);
+      return await this.tenantApi.joinInvitation(e, s);
     } catch (s) {
       this.handlePassflowError(s, "Join invitation failed");
     }
@@ -1283,7 +2067,7 @@ class X {
    */
   async createTenant(e) {
     try {
-      return await this.tenantAPI.createTenant(e);
+      return await this.tenantApi.createTenant(e);
     } catch (t) {
       this.handlePassflowError(t, "Tenant creation failed");
     }
@@ -1301,7 +2085,7 @@ class X {
    */
   async getTenantDetails(e) {
     try {
-      return await this.tenantAPI.getTenantDetails(e);
+      return await this.tenantApi.getTenantDetails(e);
     } catch (t) {
       this.handlePassflowError(t, `Get tenant details failed for tenant ID ${e}`);
     }
@@ -1313,8 +2097,8 @@ class X {
    */
   async getTenantUserMembership(e) {
     try {
-      const t = await this.tenantAPI.getTenantDetails(e);
-      return new Y(t);
+      const t = await this.tenantApi.getTenantDetails(e);
+      return new Re(t);
     } catch (t) {
       this.handlePassflowError(t, `Get tenant user membership failed for tenant ID ${e}`);
     }
@@ -1327,7 +2111,7 @@ class X {
    */
   async updateTenant(e, t) {
     try {
-      return await this.tenantAPI.updateTenant(e, t);
+      return await this.tenantApi.updateTenant(e, t);
     } catch (s) {
       this.handlePassflowError(s, `Update tenant failed for tenant ID ${e}`);
     }
@@ -1339,7 +2123,7 @@ class X {
    */
   async deleteTenant(e) {
     try {
-      return await this.tenantAPI.deleteTenant(e);
+      return await this.tenantApi.deleteTenant(e);
     } catch (t) {
       this.handlePassflowError(t, `Delete tenant failed for tenant ID ${e}`);
     }
@@ -1350,7 +2134,7 @@ class X {
    */
   async getUserTenantMembership() {
     try {
-      return await this.tenantAPI.getUserTenantMembership();
+      return await this.tenantApi.getUserTenantMembership();
     } catch (e) {
       this.handlePassflowError(e, "Get user tenant memberships failed");
     }
@@ -1364,7 +2148,7 @@ class X {
    */
   async createGroup(e, t) {
     try {
-      return await this.tenantAPI.createGroup(e, t);
+      return await this.tenantApi.createGroup(e, t);
     } catch (s) {
       this.handlePassflowError(s, `Group creation failed for tenant ID ${e}`);
     }
@@ -1377,7 +2161,7 @@ class X {
    */
   async getGroupInfo(e, t) {
     try {
-      return await this.tenantAPI.getGroupInfo(e, t);
+      return await this.tenantApi.getGroupInfo(e, t);
     } catch (s) {
       this.handlePassflowError(s, `Get group info failed for tenant ID ${e}, group ID ${t}`);
     }
@@ -1391,7 +2175,7 @@ class X {
    */
   async updateGroup(e, t, s) {
     try {
-      return await this.tenantAPI.updateGroup(e, t, s);
+      return await this.tenantApi.updateGroup(e, t, s);
     } catch (r) {
       this.handlePassflowError(r, `Update group failed for tenant ID ${e}, group ID ${t}`);
     }
@@ -1404,7 +2188,7 @@ class X {
    */
   async deleteGroup(e, t) {
     try {
-      return await this.tenantAPI.deleteGroup(e, t);
+      return await this.tenantApi.deleteGroup(e, t);
     } catch (s) {
       this.handlePassflowError(s, `Delete group failed for tenant ID ${e}, group ID ${t}`);
     }
@@ -1419,7 +2203,7 @@ class X {
    */
   async addUserToGroup(e, t, s, r) {
     try {
-      return await this.tenantAPI.addUserToGroup(e, t, s, r);
+      return await this.tenantApi.addUserToGroup(e, t, s, r);
     } catch (o) {
       this.handlePassflowError(
         o,
@@ -1437,7 +2221,7 @@ class X {
    */
   async removeUserRolesFromGroup(e, t, s, r) {
     try {
-      return await this.tenantAPI.removeUserRolesFromGroup(e, t, s, r);
+      return await this.tenantApi.removeUserRolesFromGroup(e, t, s, r);
     } catch (o) {
       this.handlePassflowError(
         o,
@@ -1455,7 +2239,7 @@ class X {
    */
   async changeUserRoles(e, t, s, r) {
     try {
-      return await this.tenantAPI.changeUserRoles(e, t, s, r);
+      return await this.tenantApi.changeUserRoles(e, t, s, r);
     } catch (o) {
       this.handlePassflowError(
         o,
@@ -1472,7 +2256,7 @@ class X {
    */
   async deleteUserFromGroup(e, t, s) {
     try {
-      return await this.tenantAPI.deleteUserFromGroup(e, t, s);
+      return await this.tenantApi.deleteUserFromGroup(e, t, s);
     } catch (r) {
       this.handlePassflowError(
         r,
@@ -1488,7 +2272,7 @@ class X {
    */
   async getRolesForTenant(e) {
     try {
-      return await this.tenantAPI.getRolesForTenant(e);
+      return await this.tenantApi.getRolesForTenant(e);
     } catch (t) {
       this.handlePassflowError(t, `Get roles for tenant failed for tenant ID ${e}`);
     }
@@ -1501,7 +2285,7 @@ class X {
    */
   async createRoleForTenant(e, t) {
     try {
-      return await this.tenantAPI.createRoleForTenant(e, t);
+      return await this.tenantApi.createRoleForTenant(e, t);
     } catch (s) {
       this.handlePassflowError(s, `Create role for tenant failed for tenant ID ${e}`);
     }
@@ -1515,7 +2299,7 @@ class X {
    */
   async updateRole(e, t, s) {
     try {
-      return await this.tenantAPI.updateRole(e, t, s);
+      return await this.tenantApi.updateRole(e, t, s);
     } catch (r) {
       this.handlePassflowError(r, `Update role failed for tenant ID ${e}, role ID ${t}`);
     }
@@ -1528,7 +2312,7 @@ class X {
    */
   async deleteRole(e, t) {
     try {
-      return await this.tenantAPI.deleteRole(e, t);
+      return await this.tenantApi.deleteRole(e, t);
     } catch (s) {
       this.handlePassflowError(s, `Delete role failed for tenant ID ${e}, role ID ${t}`);
     }
@@ -1542,7 +2326,7 @@ class X {
    */
   async deleteUserFromTenant(e, t) {
     try {
-      return await this.tenantAPI.deleteUserFromTenant(e, t);
+      return await this.tenantApi.deleteUserFromTenant(e, t);
     } catch (s) {
       this.handlePassflowError(s, `Delete user from tenant failed for tenant ID ${e}, user ID ${t}`);
     }
@@ -1558,7 +2342,7 @@ class X {
    */
   async getGroupInvitations(e, t, s, r) {
     try {
-      return await this.tenantAPI.getGroupInvitations(e, t, s, r);
+      return await this.tenantApi.getGroupInvitations(e, t, s, r);
     } catch (o) {
       this.handlePassflowError(o, `Get group invitations failed for tenant ID ${e}, group ID ${t}`);
     }
@@ -1572,7 +2356,7 @@ class X {
    */
   async getTenantInvitations(e, t, s) {
     try {
-      return await this.tenantAPI.getTenantInvitations(e, t, s);
+      return await this.tenantApi.getTenantInvitations(e, t, s);
     } catch (r) {
       this.handlePassflowError(r, `Get tenant invitations failed for tenant ID ${e}`);
     }
@@ -1586,7 +2370,7 @@ class X {
    */
   async invalidateInviteById(e, t, s) {
     try {
-      return await this.tenantAPI.invalidateInviteById(e, t, s);
+      return await this.tenantApi.invalidateInviteById(e, t, s);
     } catch (r) {
       this.handlePassflowError(
         r,
@@ -1603,7 +2387,7 @@ class X {
    */
   async invalidateInviteByEmail(e, t, s) {
     try {
-      return await this.tenantAPI.invalidateInviteByEmail(e, t, s);
+      return await this.tenantApi.invalidateInviteByEmail(e, t, s);
     } catch (r) {
       this.handlePassflowError(
         r,
@@ -1612,83 +2396,37 @@ class X {
     }
   }
 }
-class Q {
-  constructor(e, t) {
-    this.userAPI = e, this.deviceService = t;
+class De {
+  constructor(e, t, s) {
+    this.storageManager = e, this.authApi = t, this.subscribeStore = s, this.checkInterval = null, this.CHECK_INTERVAL = 6e4, this.visibilityChangeHandler = null, this.isRefreshing = !1, this.tokenExpiredFlag = !1, this.storageManager = e, this.authApi = t, this.setupPageUnloadHandler();
   }
-  /**
-   * Get user's registered passkeys
-   * @returns Promise with passkeys array
-   */
-  getUserPasskeys() {
-    return this.userAPI.getUserPasskeys();
-  }
-  /**
-   * Rename a user passkey
-   * @param name The new name for the passkey
-   * @param passkeyId The ID of the passkey to rename
-   * @returns Promise with success response
-   */
-  renameUserPasskey(e, t) {
-    return this.userAPI.renameUserPasskey(e, t);
-  }
-  /**
-   * Delete a user passkey
-   * @param passkeyId The ID of the passkey to delete
-   * @returns Promise with success response
-   */
-  deleteUserPasskey(e) {
-    return this.userAPI.deleteUserPasskey(e);
-  }
-  /**
-   * Add a new passkey for the current user
-   * @param options Optional parameters for the passkey
-   * @returns Promise that resolves when the passkey is added
-   */
-  async addUserPasskey({
-    relyingPartyId: e,
-    passkeyUsername: t,
-    passkeyDisplayName: s
-  } = {}) {
-    const r = this.deviceService.getDeviceId(), o = w.web, { challenge_id: n, publicKey: h } = await this.userAPI.addUserPasskeyStart({
-      relyingPartyId: e || window?.location?.hostname,
-      deviceId: r,
-      os: o,
-      passkeyDisplayName: s,
-      passkeyUsername: t
-    });
-    h.user.id = btoa(h.user.id);
-    const l = await _({ optionsJSON: h });
-    return await this.userAPI.addUserPasskeyComplete(l, r, n);
-  }
-}
-class Z {
-  constructor(e, t, s) {
-    this.storageManager = e, this.authApi = t, this.subscribeStore = s, this.checkInterval = null, this.CHECK_INTERVAL = 10, this.isRefreshing = !1, this.isExpired = !1, this.storageManager = e, this.authApi = t;
-  }
-  initialize() {
-    try {
-      const e = this.storageManager.getTokens();
-      if (!e || !e.access_token) {
-        this.startTokenCheck();
-        return;
-      }
-      const t = d(e.access_token);
-      f(t) ? (this.isExpired = !0, this.stopTokenCheck(), this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !0 })) : (this.setTokensCache(e), this.startTokenCheck());
-    } catch (e) {
-      const t = {
-        message: e instanceof Error ? e.message : "Failed to get tokens",
-        originalError: e
-      };
-      this.subscribeStore.notify(a.Error, t), this.setTokensCache(void 0);
-    }
+  initialize() {
+    try {
+      const e = this.storageManager.getTokens();
+      if (!e) {
+        this.startTokenCheck();
+        return;
+      }
+      if (!e.access_token) {
+        this.setTokensCache(e), this.startTokenCheck();
+        return;
+      }
+      const t = y(e.access_token);
+      S(t) ? (this.tokenExpiredFlag = !0, this.stopTokenCheck(), this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !0 })) : (this.setTokensCache(e), this.startTokenCheck());
+    } catch (e) {
+      const t = {
+        message: e instanceof Error ? e.message : "Failed to get tokens",
+        originalError: e
+      };
+      this.subscribeStore.notify(a.Error, t), this.setTokensCache(void 0);
+    }
   }
   async refreshTokensCache(e) {
     if (!this.isRefreshing)
       try {
         this.isRefreshing = !0, this.subscribeStore.notify(a.RefreshStart, {});
         const t = await this.authApi.refreshToken(e?.refresh_token ?? "", e.scopes ?? [], e.access_token);
-        this.setTokensCache(t), this.subscribeStore.notify(a.Refresh, { tokens: t, parsedTokens: this.getParsedTokenCache() }), this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !1 }), this.isExpired = !1, this.startTokenCheck();
+        this.setTokensCache(t), this.subscribeStore.notify(a.Refresh, { tokens: t, parsedTokens: this.getParsedTokens() }), this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !1 }), this.tokenExpiredFlag = !1, this.startTokenCheck();
       } catch (t) {
         const s = {
           message: t instanceof Error ? t.message : "Failed to get tokens",
@@ -1700,29 +2438,48 @@ class Z {
       }
   }
   startTokenCheck() {
-    this.checkInterval && clearInterval(this.checkInterval), !this.isExpired && (this.checkInterval = setInterval(() => {
-      this.isRefreshing || this.isExpired || this.tokensCacheIsExpired() && !this.isExpired && (this.isExpired = !0, this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !0 }), this.stopTokenCheck());
+    this.checkInterval && clearInterval(this.checkInterval), !this.tokenExpiredFlag && (this.setupVisibilityListener(), this.checkInterval = setInterval(() => {
+      typeof document < "u" && document.hidden || this.isRefreshing || this.tokenExpiredFlag || this.isExpired() && !this.tokenExpiredFlag && (this.tokenExpiredFlag = !0, this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !0 }), this.stopTokenCheck());
     }, this.CHECK_INTERVAL));
   }
+  setupVisibilityListener() {
+    typeof document > "u" || (this.visibilityChangeHandler && document.removeEventListener("visibilitychange", this.visibilityChangeHandler), this.visibilityChangeHandler = () => {
+      !document.hidden && this.checkInterval && !this.isRefreshing && !this.tokenExpiredFlag && this.isExpired() && (this.tokenExpiredFlag = !0, this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !0 }), this.stopTokenCheck());
+    }, document.addEventListener("visibilitychange", this.visibilityChangeHandler));
+  }
+  setupPageUnloadHandler() {
+    typeof window > "u" || window.addEventListener("beforeunload", () => {
+      this.destroy();
+    });
+  }
   stopTokenCheck() {
-    this.checkInterval && (clearInterval(this.checkInterval), this.checkInterval = null);
+    this.checkInterval && (clearInterval(this.checkInterval), this.checkInterval = null), this.visibilityChangeHandler && typeof document < "u" && (document.removeEventListener("visibilitychange", this.visibilityChangeHandler), this.visibilityChangeHandler = null);
+  }
+  /**
+   * Cleanup method to stop all intervals and remove event listeners.
+   * Should be called when the service is no longer needed.
+   */
+  destroy() {
+    this.stopTokenCheck();
   }
   setTokensCache(e) {
     this.tokensCache = e, e ? this.parsedTokensCache = {
-      access_token: d(e.access_token),
-      id_token: e.id_token ? d(e.id_token) : void 0,
-      refresh_token: e.refresh_token ? d(e.refresh_token) : void 0,
+      access_token: e.access_token ? y(e.access_token) : void 0,
+      id_token: e.id_token ? y(e.id_token) : void 0,
+      refresh_token: e.refresh_token ? y(e.refresh_token) : void 0,
       scopes: e.scopes
     } : this.parsedTokensCache = void 0;
   }
-  getTokensCache() {
+  getTokens() {
     return this.tokensCache;
   }
-  async getTokensCacheWithRefresh() {
+  async getTokensWithRefresh() {
     try {
       if (!this.tokensCache) return this.tokensCache;
-      const e = d(this.tokensCache.access_token);
-      return f(e) && !this.isExpired ? (await this.refreshTokensCache(this.tokensCache), this.tokensCache) : this.tokensCache;
+      if (!this.tokensCache.access_token)
+        return this.tokensCache;
+      const e = y(this.tokensCache.access_token);
+      return S(e) && !this.tokenExpiredFlag ? (await this.refreshTokensCache(this.tokensCache), this.tokensCache) : this.tokensCache;
     } catch (e) {
       const t = {
         message: e instanceof Error ? e.message : "Failed to get tokens",
@@ -1732,28 +2489,352 @@ class Z {
       return;
     }
   }
-  getParsedTokenCache() {
+  getParsedTokens() {
     return this.parsedTokensCache;
   }
-  tokensCacheIsExpired() {
+  isExpired() {
     if (!this.tokensCache) return !0;
-    const e = d(this.tokensCache.access_token);
-    return f(e);
+    if (!this.tokensCache.access_token)
+      return !1;
+    const e = y(this.tokensCache.access_token);
+    return S(e);
+  }
+}
+class Fe {
+  constructor(e, t) {
+    this.twoFactorApi = e, this.subscribeStore = t, this.PARTIAL_AUTH_TIMEOUT_MS = 300 * 1e3, this.SESSION_STORAGE_KEY = "passflow_2fa_challenge", this.totpDigits = 6;
+    const s = {
+      onAuthChange: (r, o) => {
+        if (r === a.TwoFactorRequired) {
+          const n = o;
+          this.setPartialAuthState(n.email, n.challengeId, n.tfaToken);
+        }
+      }
+    };
+    this.subscribeStore.subscribe(s, [a.TwoFactorRequired]);
+  }
+  /**
+   * Emit error event and throw the error
+   * Helper method to ensure errors are properly emitted to subscribers
+   */
+  emitErrorAndThrow(e, t) {
+    const s = {
+      message: e instanceof Error ? e.message : `${t} failed`,
+      originalError: e,
+      code: e?.id || void 0
+    };
+    throw this.subscribeStore.notify(a.Error, s), e;
+  }
+  /**
+   * Get 2FA enrollment status for current user
+   */
+  async getStatus() {
+    try {
+      const e = await this.twoFactorApi.getStatus();
+      return e.totp_digits && (this.totpDigits = e.totp_digits), e;
+    } catch (e) {
+      this.emitErrorAndThrow(e, "Get 2FA status");
+    }
+  }
+  /**
+   * Begin 2FA setup process
+   * Returns secret and QR code for authenticator app
+   */
+  async beginSetup() {
+    try {
+      const e = await this.twoFactorApi.beginSetup();
+      return e.totp_digits && (this.totpDigits = e.totp_digits), this.subscribeStore.notify(a.TwoFactorSetupStarted, { secret: e.secret }), e;
+    } catch (e) {
+      this.emitErrorAndThrow(e, "Begin 2FA setup");
+    }
+  }
+  /**
+   * Confirm 2FA setup with TOTP code
+   * Returns recovery codes that MUST be displayed to user
+   */
+  async confirmSetup(e) {
+    if (!R(e, this.totpDigits))
+      throw new Error(`Invalid TOTP code format. Code must be exactly ${this.totpDigits} digits.`);
+    try {
+      const t = await this.twoFactorApi.confirmSetup({ code: e });
+      return this.subscribeStore.notify(a.TwoFactorEnabled, {
+        recoveryCodes: t.recovery_codes,
+        clearRecoveryCodes: () => {
+          t.recovery_codes.length = 0;
+        }
+      }), t;
+    } catch (t) {
+      this.emitErrorAndThrow(t, "Confirm 2FA setup");
+    }
+  }
+  /**
+   * Verify TOTP code during login
+   * Completes authentication if successful
+   */
+  async verify(e) {
+    if (!R(e, this.totpDigits))
+      throw new Error(`Invalid TOTP code format. Code must be exactly ${this.totpDigits} digits.`);
+    if (this.recoverPartialAuthState(), !this.isVerificationRequired())
+      throw new Error("2FA verification expired or not required. User must sign in first.");
+    if (!this.partialAuthState?.tfaToken)
+      throw new Error("No TFA token found. User must sign in first.");
+    try {
+      const t = await this.twoFactorApi.verify({
+        code: e,
+        tfa_token: this.partialAuthState.tfaToken
+      });
+      return this.clearPartialAuthState(), this.subscribeStore.notify(a.TwoFactorVerified, { tokens: t }), t;
+    } catch (t) {
+      this.emitErrorAndThrow(t, "Verify 2FA code");
+    }
+  }
+  /**
+   * Use recovery code for authentication
+   * Completes authentication if successful
+   */
+  async useRecoveryCode(e) {
+    try {
+      const t = _e(e);
+      if (!t)
+        throw new Error("Invalid recovery code format. Expected format: XXXX-XXXX or XXXXXXXX (alphanumeric).");
+      if (this.recoverPartialAuthState(), !this.isVerificationRequired())
+        throw new Error("2FA verification expired or not required. User must sign in first.");
+      if (!this.partialAuthState?.tfaToken)
+        throw new Error("No TFA token found. User must sign in first.");
+      const s = await this.twoFactorApi.useRecoveryCode({
+        recovery_code: t,
+        tfa_token: this.partialAuthState.tfaToken
+      });
+      return this.clearPartialAuthState(), s.remaining_recovery_codes === 0 ? this.subscribeStore.notify(a.TwoFactorRecoveryCodesExhausted, { tokens: s }) : s.remaining_recovery_codes <= 2 && this.subscribeStore.notify(a.TwoFactorRecoveryCodesLow, {
+        tokens: s,
+        remainingCodes: s.remaining_recovery_codes
+      }), this.subscribeStore.notify(a.TwoFactorRecoveryUsed, {
+        tokens: s,
+        remainingCodes: s.remaining_recovery_codes
+      }), this.subscribeStore.notify(a.TwoFactorVerified, { tokens: s }), s;
+    } catch (t) {
+      this.emitErrorAndThrow(t, "Use recovery code");
+    }
+  }
+  /**
+   * Disable 2FA (requires TOTP verification)
+   */
+  async disable(e) {
+    if (!R(e, this.totpDigits))
+      throw new Error(`Invalid TOTP code format. Code must be exactly ${this.totpDigits} digits.`);
+    try {
+      const t = await this.twoFactorApi.disable({ code: e });
+      return this.subscribeStore.notify(a.TwoFactorDisabled, {}), t;
+    } catch (t) {
+      this.emitErrorAndThrow(t, "Disable 2FA");
+    }
+  }
+  /**
+   * Regenerate recovery codes
+   */
+  async regenerateRecoveryCodes(e) {
+    if (!R(e, this.totpDigits))
+      throw new Error(`Invalid TOTP code format. Code must be exactly ${this.totpDigits} digits.`);
+    try {
+      const t = await this.twoFactorApi.regenerateRecoveryCodes({ code: e }), s = [...t.recovery_codes];
+      return t.recovery_codes = [], t.recovery_codes = s, t;
+    } catch (t) {
+      this.emitErrorAndThrow(t, "Regenerate recovery codes");
+    }
+  }
+  /**
+   * Check if 2FA verification is required (local state check)
+   * Returns true if user has signed in but needs 2FA verification
+   */
+  isVerificationRequired() {
+    return this.recoverPartialAuthState(), this.partialAuthState ? Date.now() > this.partialAuthState.expiresAt ? (this.clearPartialAuthState(), !1) : !0 : !1;
+  }
+  /**
+   * Set partial auth state when login requires 2FA
+   * Called internally via event listener when AuthService emits TwoFactorRequired
+   */
+  setPartialAuthState(e, t, s) {
+    if (this.partialAuthState = {
+      email: e,
+      challengeId: t,
+      tfaToken: s,
+      timestamp: Date.now(),
+      expiresAt: Date.now() + this.PARTIAL_AUTH_TIMEOUT_MS
+    }, typeof sessionStorage < "u")
+      try {
+        sessionStorage.setItem(this.SESSION_STORAGE_KEY, JSON.stringify(this.partialAuthState));
+      } catch {
+      }
+  }
+  /**
+   * Clear partial auth state
+   * Called on logout or successful verification
+   */
+  clearPartialAuthState() {
+    if (this.partialAuthState = void 0, typeof sessionStorage < "u")
+      try {
+        sessionStorage.removeItem(this.SESSION_STORAGE_KEY);
+      } catch {
+      }
+  }
+  /**
+   * Attempt to recover partial auth state from sessionStorage
+   * Called before verification operations to handle page refresh
+   */
+  recoverPartialAuthState() {
+    if (!this.partialAuthState && !(typeof sessionStorage > "u"))
+      try {
+        const e = sessionStorage.getItem(this.SESSION_STORAGE_KEY);
+        if (!e) return;
+        const t = JSON.parse(e);
+        Date.now() < t.expiresAt ? this.partialAuthState = t : sessionStorage.removeItem(this.SESSION_STORAGE_KEY);
+      } catch {
+        try {
+          sessionStorage.removeItem(this.SESSION_STORAGE_KEY);
+        } catch {
+        }
+      }
+  }
+  // ============================================
+  // Magic Link 2FA Setup Methods
+  // ============================================
+  /**
+   * Validate magic link token for 2FA setup
+   *
+   * This method validates an admin-generated magic link token and
+   * creates a scoped session (scope: "2fa_setup") that can ONLY be
+   * used for completing 2FA setup operations.
+   *
+   * Session characteristics:
+   * - Stored in memory only (no persistence across page reloads)
+   * - Short-lived (typically 1 hour expiration)
+   * - Cannot be refreshed
+   * - Cannot be promoted to full authentication
+   * - Only valid for 2FA setup endpoints
+   *
+   * @param token - Magic link token from URL parameter
+   * @returns Validation response with session details
+   */
+  async validateTwoFactorSetupMagicLink(e) {
+    const t = await this.twoFactorApi.validateTwoFactorSetupMagicLink(e);
+    return t.success && t.sessionToken && t.userId ? (this.magicLinkSession = {
+      sessionToken: t.sessionToken,
+      userId: t.userId,
+      appId: t.appId,
+      scope: "2fa_setup",
+      timestamp: Date.now(),
+      expiresAt: Date.now() + (t.expiresIn || 3600) * 1e3
+    }, this.subscribeStore.notify(a.TwoFactorSetupMagicLinkValidated, {
+      userId: t.userId,
+      appId: t.appId,
+      expiresIn: t.expiresIn || 3600,
+      sessionToken: t.sessionToken
+    })) : t.error && this.subscribeStore.notify(a.TwoFactorSetupMagicLinkFailed, {
+      error: t.error
+    }), t;
+  }
+  /**
+   * Get current magic link session (if any)
+   * Used by React SDK to access session token for API calls
+   *
+   * @returns Active magic link session or null if none/expired
+   */
+  getMagicLinkSession() {
+    return this.magicLinkSession ? Date.now() > this.magicLinkSession.expiresAt ? (this.clearMagicLinkSession(), null) : this.magicLinkSession : null;
+  }
+  /**
+   * Clear magic link session
+   * Called after successful setup completion or on error
+   */
+  clearMagicLinkSession() {
+    this.magicLinkSession = void 0;
+  }
+  /**
+   * Check if magic link session is active
+   * Used by React SDK to determine if form can use magic link auth
+   */
+  hasMagicLinkSession() {
+    return this.getMagicLinkSession() !== null;
+  }
+  /**
+   * Get the session token from magic link session (if active)
+   * Used by AxiosClient for injecting auth header on 2FA setup endpoints
+   */
+  getMagicLinkSessionToken() {
+    return this.getMagicLinkSession()?.sessionToken || null;
+  }
+  /**
+   * Get configured TOTP digit count
+   * Returns the number of digits (6 or 8) for TOTP codes
+   * Useful for UI components that need to render the correct number of input fields
+   */
+  getTotpDigits() {
+    return this.totpDigits;
+  }
+}
+class Me {
+  constructor(e, t) {
+    this.userAPI = e, this.deviceService = t;
+  }
+  /**
+   * Get user's registered passkeys
+   * @returns Promise with passkeys array
+   */
+  getUserPasskeys() {
+    return this.userAPI.getUserPasskeys();
+  }
+  /**
+   * Rename a user passkey
+   * @param name The new name for the passkey
+   * @param passkeyId The ID of the passkey to rename
+   * @returns Promise with success response
+   */
+  renameUserPasskey(e, t) {
+    return this.userAPI.renameUserPasskey(e, t);
+  }
+  /**
+   * Delete a user passkey
+   * @param passkeyId The ID of the passkey to delete
+   * @returns Promise with success response
+   */
+  deleteUserPasskey(e) {
+    return this.userAPI.deleteUserPasskey(e);
+  }
+  /**
+   * Add a new passkey for the current user
+   * @param options Optional parameters for the passkey
+   * @returns Promise that resolves when the passkey is added
+   */
+  async addUserPasskey({
+    relyingPartyId: e,
+    passkeyUsername: t,
+    passkeyDisplayName: s
+  } = {}) {
+    const r = this.deviceService.getDeviceId(), o = I.web, { challenge_id: n, publicKey: d } = await this.userAPI.addUserPasskeyStart({
+      relyingPartyId: e || window?.location?.hostname,
+      deviceId: r,
+      os: o,
+      passkeyDisplayName: s,
+      passkeyUsername: t
+    });
+    d.user.id = btoa(d.user.id);
+    const c = await K({ optionsJSON: d });
+    return await this.userAPI.addUserPasskeyComplete(c, r, n);
   }
 }
-class ie {
+const O = class O {
   constructor(e) {
     this.doRefreshTokens = !1, this.origin = window.location.origin, this.session = async ({
       createSession: o,
       expiredSession: n,
-      doRefresh: h = !1
+      doRefresh: d = !1
     }) => {
-      this.createSessionCallback = o, this.expiredSessionCallback = n, this.doRefreshTokens = h, await this.submitSessionCheck();
+      this.createSessionCallback = o, this.expiredSessionCallback = n, this.doRefreshTokens = d, await this.submitSessionCheck();
     };
     const { url: t, appId: s, scopes: r } = e;
-    this.url = t || A, this.appId = s, this.authApi = new O(e), this.appApi = new j(e), this.userApi = new N(e), this.settingApi = new K(e), this.tenantAPI = new B(e), this.invitationAPI = new W(e), this.storageManager = new b({
+    this.url = t || G, this.appId = s, this.storageManager = new $({
       prefix: e.keyStoragePrefix ?? ""
-    }), this.deviceService = new $(), this.subscribeStore = new H(), this.tokenCacheService = new Z(this.storageManager, this.authApi, this.subscribeStore), this.scopes = r ?? F, this.createTenantForNewUser = e.createTenantForNewUser ?? !1, this.authService = new q(
+    }), this.deviceService = new Y(this.storageManager), this.authApi = new fe(e, this.storageManager, this.deviceService), this.appApi = new pe(e, this.storageManager, this.deviceService), this.userApi = new me(e, this.storageManager, this.deviceService), this.settingApi = new ye(e, this.storageManager, this.deviceService), this.tenantApi = new ve(e, this.storageManager, this.deviceService), this.invitationApi = new ke(e, this.storageManager, this.deviceService), this.twoFactorApi = new Se(e, this.storageManager, this.deviceService), this.subscribeStore = new we(), this.tokenCacheService = new De(this.storageManager, this.authApi, this.subscribeStore), this.scopes = r ?? Q, this.createTenantForNewUser = e.createTenantForNewUser ?? !1, this.authService = new Ie(
       this.authApi,
       this.deviceService,
       this.storageManager,
@@ -1767,13 +2848,29 @@ class ie {
         createSession: this.createSessionCallback,
         expiredSession: this.expiredSessionCallback
       },
-      this.appId ?? ""
-    ), this.userService = new Q(this.userApi, this.deviceService), this.tenantService = new X(this.tenantAPI, this.scopes), this.tenant = this.tenantService, this.invitationService = new V(this.invitationAPI), e.parseQueryParams && this.checkAndSetTokens(), this.setTokensToCacheFromLocalStorage();
+      this.appId ?? "",
+      e.tokenExchange
+    ), this.userService = new Me(this.userApi, this.deviceService), this.tenantService = new Pe(this.tenantApi, this.scopes), this.tenant = this.tenantService, this.invitationService = new be(this.invitationApi), this.twoFactorService = new Fe(this.twoFactorApi, this.subscribeStore), this.twoFactor = this.twoFactorService, e.parseQueryParams && this.checkAndSetTokens(), this.setTokensToCacheFromLocalStorage();
+  }
+  /**
+   * Update the appId and propagate it to all API clients.
+   * This ensures that all future API requests use the new appId in their headers.
+   *
+   * @param appId - The new application ID to set
+   *
+   * @example
+   * ```typescript
+   * // Update appId after discovery
+   * passflow.setAppId('discovered-app-id-123');
+   * ```
+   */
+  setAppId(e) {
+    this.appId = e, this.authApi.setAppId(e), this.appApi.setAppId(e), this.userApi.setAppId(e), this.settingApi.setAppId(e), this.tenantApi.setAppId(e), this.invitationApi.setAppId(e), this.twoFactorApi.setAppId(e), this.authService;
   }
   async submitSessionCheck() {
     let e, t;
     try {
-      e = await this.authService.getTokens(this.doRefreshTokens), t = this.tokenCacheService.getParsedTokenCache();
+      e = await this.authService.getTokens(this.doRefreshTokens), t = this.tokenCacheService.getParsedTokens();
     } catch (s) {
       const r = {
         message: s instanceof Error || s instanceof u ? s.message : "Session check failed",
@@ -1784,89 +2881,424 @@ class ie {
     e && this.createSessionCallback && await this.createSessionCallback({ tokens: e, parsedTokens: t }), !e && this.expiredSessionCallback && await this.expiredSessionCallback();
   }
   // Event subscription
+  /**
+   * Subscribe to Passflow authentication events.
+   *
+   * @param subscriber - Subscriber function that receives event type and payload
+   * @param events - Optional array of specific events to listen for. If omitted, subscribes to all events.
+   *
+   * @example
+   * ```typescript
+   * // Subscribe to all events
+   * passflow.subscribe((event, payload) => {
+   *   console.log('Event:', event, payload);
+   * });
+   *
+   * // Subscribe to specific events only
+   * passflow.subscribe(
+   *   (event, payload) => {
+   *     if (event === PassflowEvent.SignIn) {
+   *       console.log('User signed in', payload.tokens);
+   *     }
+   *   },
+   *   [PassflowEvent.SignIn, PassflowEvent.SignOut]
+   * );
+   * ```
+   */
   subscribe(e, t) {
     this.subscribeStore.subscribe(e, t), this.tokenCacheService.initialize();
   }
+  /**
+   * Unsubscribe from Passflow authentication events.
+   *
+   * @param subscriber - The subscriber function to remove
+   * @param events - Optional array of specific events to unsubscribe from. If omitted, unsubscribes from all events.
+   *
+   * @example
+   * ```typescript
+   * const subscriber = (event, payload) => console.log(event, payload);
+   *
+   * // Subscribe
+   * passflow.subscribe(subscriber);
+   *
+   * // Later, unsubscribe
+   * passflow.unsubscribe(subscriber);
+   * ```
+   */
   unsubscribe(e, t) {
     this.subscribeStore.unsubscribe(e, t);
   }
   // Token handling
+  /**
+   * Handle OAuth redirect callback and extract tokens from URL query parameters.
+   * This method should be called on the redirect page after authentication.
+   *
+   * @returns Tokens object if found in URL, undefined otherwise
+   *
+   * @example
+   * ```typescript
+   * // On your redirect page (e.g., /auth/callback)
+   * const tokens = passflow.handleTokensRedirect();
+   * if (tokens) {
+   *   console.log('Authentication successful', tokens.access_token);
+   *   // Tokens are automatically saved to storage
+   * }
+   * ```
+   */
   handleTokensRedirect() {
     return this.checkAndSetTokens();
   }
   checkAndSetTokens() {
-    const e = new URLSearchParams(window.location.search), t = e.get("access_token"), s = e.get("refresh_token"), r = e.get("id_token"), o = e.get("scopes")?.split(",") ?? this.scopes;
-    let n;
-    if (t)
-      return n = {
-        access_token: t,
-        refresh_token: s ?? void 0,
-        id_token: r ?? void 0,
-        scopes: o
-      }, this.storageManager.saveTokens(n), this.tokenCacheService.setTokensCache(n), this.subscribeStore.notify(a.SignIn, { tokens: n, parsedTokens: this.getParsedTokenCache() }), this.submitSessionCheck(), e.delete("access_token"), e.delete("refresh_token"), e.delete("id_token"), e.delete("client_challenge"), e.size > 0 ? window.history.replaceState({}, document.title, `${window.location.pathname}?${e.toString()}`) : window.history.replaceState({}, document.title, window.location.pathname), this.error = void 0, n;
-    this.error = this.checkErrorsFromURL();
+    let e = new URLSearchParams(window.location.search), t = !1;
+    if (!e.get("access_token") && window.location.hash) {
+      const c = new URLSearchParams(window.location.hash.substring(1));
+      c.get("access_token") && (e = c, t = !0);
+    }
+    const s = e.get("access_token"), r = e.get("refresh_token"), o = e.get("id_token"), n = e.get("scopes")?.split(",") ?? this.scopes;
+    let d;
+    if (s) {
+      if (!F(s)) {
+        const c = {
+          message: "Invalid access token format received",
+          code: "INVALID_TOKEN_FORMAT"
+        };
+        this.subscribeStore.notify(a.Error, c), this.cleanupUrlParams(t);
+        return;
+      }
+      if (r && !F(r)) {
+        const c = {
+          message: "Invalid refresh token format received",
+          code: "INVALID_TOKEN_FORMAT"
+        };
+        this.subscribeStore.notify(a.Error, c), this.cleanupUrlParams(t);
+        return;
+      }
+      if (o && !F(o)) {
+        const c = {
+          message: "Invalid ID token format received",
+          code: "INVALID_TOKEN_FORMAT"
+        };
+        this.subscribeStore.notify(a.Error, c), this.cleanupUrlParams(t);
+        return;
+      }
+      return d = {
+        access_token: s,
+        refresh_token: r ?? void 0,
+        id_token: o ?? void 0,
+        scopes: n
+      }, this.storageManager.saveTokens(d), this.tokenCacheService.setTokensCache(d), this.subscribeStore.notify(a.SignIn, { tokens: d, parsedTokens: this.getParsedTokens() }), this.submitSessionCheck(), this.cleanupUrlParams(t), this.error = void 0, d;
+    } else
+      this.error = this.checkErrorsFromURL();
   }
   checkErrorsFromURL() {
     const t = new URLSearchParams(window.location.search).get("error");
-    if (t)
-      return new Error(t);
+    if (t) {
+      const s = Te(t);
+      return new Error(s);
+    }
+  }
+  cleanupUrlParams(e = !1) {
+    if (e)
+      window.history.replaceState({}, document.title, window.location.pathname + window.location.search);
+    else {
+      const t = new URLSearchParams(window.location.search);
+      t.delete("access_token"), t.delete("refresh_token"), t.delete("id_token"), t.delete("client_challenge"), t.size > 0 ? window.history.replaceState({}, document.title, `${window.location.pathname}?${t.toString()}`) : window.history.replaceState({}, document.title, window.location.pathname);
+    }
   }
   setTokensToCacheFromLocalStorage() {
     const e = this.storageManager.getTokens();
     e && this.tokenCacheService.setTokensCache(e);
   }
-  getTokensCache() {
-    return this.tokenCacheService.getTokensCache();
+  /**
+   * Get cached tokens from memory without triggering a refresh.
+   *
+   * @returns Cached tokens or undefined if not cached
+   *
+   * @example
+   * ```typescript
+   * const tokens = passflow.getCachedTokens();
+   * if (tokens) {
+   *   console.log('Access token:', tokens.access_token);
+   * }
+   * ```
+   */
+  getCachedTokens() {
+    return this.tokenCacheService.getTokens();
   }
-  getTokensCacheWithRefresh() {
-    return this.tokenCacheService.getTokensCacheWithRefresh();
+  /**
+   * Get cached tokens from memory and automatically refresh if expired.
+   *
+   * @returns Promise resolving to tokens or undefined
+   *
+   * @example
+   * ```typescript
+   * const tokens = await passflow.getTokensWithRefresh();
+   * // Tokens are guaranteed to be valid or undefined
+   * ```
+   */
+  getTokensWithRefresh() {
+    return this.tokenCacheService.getTokensWithRefresh();
   }
-  getParsedTokenCache() {
-    return this.tokenCacheService.getParsedTokenCache();
+  /**
+   * Get parsed JWT tokens with decoded claims.
+   *
+   * @returns Parsed token objects with decoded payloads
+   *
+   * @example
+   * ```typescript
+   * const parsed = passflow.getParsedTokens();
+   * if (parsed?.access_token) {
+   *   console.log('User ID:', parsed.access_token.sub);
+   *   console.log('Expires at:', new Date(parsed.access_token.exp * 1000));
+   * }
+   * ```
+   */
+  getParsedTokens() {
+    return this.tokenCacheService.getParsedTokens();
   }
-  tokensCacheIsExpired() {
-    return this.tokenCacheService.tokensCacheIsExpired();
+  /**
+   * Check if the cached tokens are expired.
+   *
+   * @returns True if tokens are expired, false otherwise
+   *
+   * @example
+   * ```typescript
+   * if (passflow.areTokensExpired()) {
+   *   await passflow.refreshToken();
+   * }
+   * ```
+   */
+  areTokensExpired() {
+    return this.tokenCacheService.isExpired();
   }
   // Auth delegation methods
+  /**
+   * Check if the user is currently authenticated with valid tokens.
+   *
+   * @returns True if user has valid, non-expired tokens
+   *
+   * @example
+   * ```typescript
+   * if (passflow.isAuthenticated()) {
+   *   console.log('User is logged in');
+   * } else {
+   *   console.log('User needs to sign in');
+   * }
+   * ```
+   */
   isAuthenticated() {
     const e = this.storageManager.getTokens();
     if (!e || !e.access_token) return !1;
-    const t = {
-      access_token: d(e.access_token),
-      refresh_token: e.refresh_token ? d(e.refresh_token) : void 0
-    };
-    return this.authService.isAuthenticated(t);
+    const t = this.tokenCacheService.getParsedTokens();
+    return t ? this.authService.isAuthenticated(t) : !1;
   }
+  /**
+   * Sign in a user with email/username and password.
+   *
+   * @param payload - Sign-in credentials and options
+   * @param payload.email - User's email or username
+   * @param payload.password - User's password
+   * @param payload.scopes - Optional scopes to request (defaults to SDK scopes)
+   * @returns Promise with authorization response containing tokens
+   * @throws {PassflowError} If authentication fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const response = await passflow.signIn({
+   *     email: 'user@example.com',
+   *     password: 'secure-password'
+   *   });
+   *   console.log('Signed in successfully', response.access_token);
+   * } catch (error) {
+   *   console.error('Sign in failed', error.message);
+   * }
+   * ```
+   */
   async signIn(e) {
     return await this.authService.signIn(e);
   }
+  /**
+   * Register a new user account with email and password.
+   *
+   * @param payload - Registration details
+   * @param payload.email - User's email address
+   * @param payload.password - User's password
+   * @param payload.username - Optional username
+   * @param payload.scopes - Optional scopes to request
+   * @returns Promise with authorization response containing tokens
+   * @throws {PassflowError} If registration fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const response = await passflow.signUp({
+   *     email: 'newuser@example.com',
+   *     password: 'secure-password',
+   *     username: 'newuser'
+   *   });
+   *   console.log('Account created', response.access_token);
+   * } catch (error) {
+   *   console.error('Sign up failed', error.message);
+   * }
+   * ```
+   */
   async signUp(e) {
     return await this.authService.signUp(e);
   }
+  /**
+   * Initiate passwordless authentication by sending a magic link or OTP.
+   *
+   * @param payload - Passwordless sign-in configuration
+   * @param payload.email - User's email address
+   * @param payload.method - Delivery method ('email' or 'sms')
+   * @returns Promise with response indicating if the code was sent
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * // Send magic link via email
+   * const response = await passflow.passwordlessSignIn({
+   *   email: 'user@example.com',
+   *   method: 'email'
+   * });
+   * console.log('Magic link sent:', response.success);
+   * ```
+   */
   passwordlessSignIn(e) {
     return this.authService.passwordlessSignIn(e);
   }
+  /**
+   * Complete passwordless authentication by verifying the OTP or token.
+   *
+   * @param payload - Verification payload
+   * @param payload.email - User's email address
+   * @param payload.code - Verification code from email/SMS
+   * @param payload.scopes - Optional scopes to request
+   * @returns Promise with validation response containing tokens
+   * @throws {PassflowError} If verification fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const response = await passflow.passwordlessSignInComplete({
+   *     email: 'user@example.com',
+   *     code: '123456'
+   *   });
+   *   console.log('Passwordless sign-in complete', response.access_token);
+   * } catch (error) {
+   *   console.error('Invalid code', error.message);
+   * }
+   * ```
+   */
   async passwordlessSignInComplete(e) {
     return await this.authService.passwordlessSignInComplete(e);
   }
+  /**
+   * Centralized error handler for all public methods.
+   * Creates proper ErrorPayload, distinguishes PassflowError from generic Error,
+   * notifies error event, and re-throws the error.
+   *
+   * @param error - The error to handle
+   * @param context - Context description for the error
+   * @throws The original error after handling
+   */
+  handleError(e, t) {
+    const s = {
+      message: e instanceof Error ? e.message : `${t} failed`,
+      originalError: e,
+      code: e instanceof u ? e.id : void 0
+    };
+    throw this.subscribeStore.notify(a.Error, s), e;
+  }
+  /**
+   * Sign out the current user and clear all tokens.
+   *
+   * @returns Promise that resolves when sign-out is complete
+   * @throws {PassflowError} If sign-out request fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   await passflow.logOut();
+   *   console.log('User signed out successfully');
+   *   // Redirect to login page
+   * } catch (error) {
+   *   console.error('Sign out failed', error.message);
+   * }
+   * ```
+   */
   async logOut() {
     try {
-      await this.authService.logOut(), this.storageManager.deleteTokens(), await this.submitSessionCheck();
+      await this.authService.logOut(), this.storageManager.deleteTokens(), this.tokenCacheService.setTokensCache(void 0), this.twoFactorService.clearPartialAuthState(), await this.submitSessionCheck(), this.subscribeStore.notify(a.SignOut, {});
     } catch (e) {
-      const t = {
-        message: e instanceof Error ? e.message : "Failed to log out",
-        originalError: e
-      };
-      this.subscribeStore.notify(a.Error, t);
+      this.handleError(e, "Log out");
     }
-    this.tokenCacheService.setTokensCache(void 0), this.subscribeStore.notify(a.SignOut, {});
   }
+  /**
+   * Initiate federated authentication (OAuth) with a popup window.
+   *
+   * @param payload - Federated authentication configuration
+   * @param payload.provider - OAuth provider (e.g., 'google', 'github', 'microsoft')
+   * @param payload.scopes - Optional scopes to request
+   *
+   * @example
+   * ```typescript
+   * // Sign in with Google using a popup
+   * passflow.federatedAuthWithPopup({
+   *   provider: 'google'
+   * });
+   *
+   * // Listen for the result via subscribe
+   * passflow.subscribe((event, payload) => {
+   *   if (event === PassflowEvent.SignIn) {
+   *     console.log('OAuth sign-in successful', payload.tokens);
+   *   }
+   * });
+   * ```
+   */
   federatedAuthWithPopup(e) {
     this.authService.federatedAuthWithPopup(e);
   }
+  /**
+   * Initiate federated authentication (OAuth) with a full-page redirect.
+   *
+   * @param payload - Federated authentication configuration
+   * @param payload.provider - OAuth provider (e.g., 'google', 'github', 'microsoft')
+   * @param payload.scopes - Optional scopes to request
+   * @param payload.redirectUrl - URL to redirect to after authentication
+   *
+   * @example
+   * ```typescript
+   * // Sign in with GitHub using redirect
+   * passflow.federatedAuthWithRedirect({
+   *   provider: 'github',
+   *   redirectUrl: window.location.origin + '/auth/callback'
+   * });
+   * ```
+   */
   federatedAuthWithRedirect(e) {
     this.authService.federatedAuthWithRedirect(e);
   }
+  /**
+   * Reset the SDK state by clearing all tokens and optionally throwing an error.
+   *
+   * @param error - Optional error message to throw after reset
+   * @throws {Error} If error message is provided
+   *
+   * @example
+   * ```typescript
+   * // Clear tokens without error
+   * passflow.reset();
+   *
+   * // Clear tokens and throw error
+   * try {
+   *   passflow.reset('Session expired');
+   * } catch (error) {
+   *   console.error('Reset error:', error.message);
+   * }
+   * ```
+   */
   reset(e) {
     if (this.storageManager.deleteTokens(), this.tokenCacheService.setTokensCache(void 0), this.subscribeStore.notify(a.SignOut, {}), e) {
       this.error = new Error(e);
@@ -1877,6 +3309,24 @@ class ie {
       throw this.subscribeStore.notify(a.Error, t), this.error;
     }
   }
+  /**
+   * Refresh the access token using the refresh token.
+   *
+   * @returns Promise with new authorization response containing refreshed tokens
+   * @throws {Error} If no refresh token is found
+   * @throws {PassflowError} If refresh request fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const response = await passflow.refreshToken();
+   *   console.log('Token refreshed', response.access_token);
+   * } catch (error) {
+   *   console.error('Failed to refresh token', error.message);
+   *   // Redirect to login
+   * }
+   * ```
+   */
   async refreshToken() {
     if (!this.tokenCacheService.parsedTokensCache?.refresh_token)
       throw new Error("No refresh token found");
@@ -1889,122 +3339,337 @@ class ie {
       }), e;
     }
   }
+  /**
+   * Send a password reset email to the user.
+   *
+   * @param payload - Password reset request
+   * @param payload.email - User's email address
+   * @returns Promise with success response
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   await passflow.sendPasswordResetEmail({
+   *     email: 'user@example.com'
+   *   });
+   *   console.log('Password reset email sent');
+   * } catch (error) {
+   *   console.error('Failed to send reset email', error.message);
+   * }
+   * ```
+   */
   sendPasswordResetEmail(e) {
     return this.authService.sendPasswordResetEmail(e);
   }
+  /**
+   * Reset password using a reset token (typically from URL after clicking email link).
+   *
+   * @param newPassword - The new password to set
+   * @param scopes - Optional scopes to request after reset
+   * @returns Promise with authorization response containing new tokens
+   * @throws {PassflowError} If reset fails
+   *
+   * @example
+   * ```typescript
+   * // On password reset page (e.g., /reset-password?token=xyz)
+   * try {
+   *   const response = await passflow.resetPassword('new-secure-password');
+   *   console.log('Password reset successful', response.access_token);
+   * } catch (error) {
+   *   console.error('Password reset failed', error.message);
+   * }
+   * ```
+   */
   async resetPassword(e, t) {
     return await this.authService.resetPassword(e, t);
   }
   // App settings
+  /**
+   * Get application settings and configuration.
+   *
+   * @returns Promise with app settings including branding, features, and config
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * const settings = await passflow.getAppSettings();
+   * console.log('App name:', settings.name);
+   * console.log('Passwordless enabled:', settings.passwordless_enabled);
+   * ```
+   */
   async getAppSettings() {
     try {
       return await this.appApi.getAppSettings();
     } catch (e) {
-      const t = {
-        message: e instanceof Error ? e.message : "Failed to get app settings",
-        originalError: e
-      };
-      throw this.subscribeStore.notify(a.Error, t), e;
+      this.handleError(e, "Get app settings");
     }
   }
+  /**
+   * Get all Passflow settings including password policy, passkey settings, etc.
+   *
+   * @returns Promise with all settings
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * const settings = await passflow.getSettingsAll();
+   * console.log('Password policy:', settings.password_policy);
+   * console.log('Passkey settings:', settings.passkey);
+   * ```
+   */
   async getSettingsAll() {
     try {
       return await this.settingApi.getSettingsAll();
     } catch (e) {
-      const t = {
-        message: e instanceof Error ? e.message : "Failed to get all settings",
-        originalError: e
-      };
-      throw this.subscribeStore.notify(a.Error, t), e;
+      this.handleError(e, "Get all settings");
     }
   }
+  /**
+   * Get password policy settings (min length, complexity requirements, etc.).
+   *
+   * @returns Promise with password policy configuration
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * const policy = await passflow.getPasswordPolicySettings();
+   * console.log('Min length:', policy.min_length);
+   * console.log('Require uppercase:', policy.require_uppercase);
+   * ```
+   */
   async getPasswordPolicySettings() {
     try {
       return await this.settingApi.getPasswordPolicySettings();
     } catch (e) {
-      const t = {
-        message: e instanceof Error ? e.message : "Failed to get password policy settings",
-        originalError: e
-      };
-      throw this.subscribeStore.notify(a.Error, t), e;
+      this.handleError(e, "Get password policy settings");
     }
   }
+  /**
+   * Get passkey (WebAuthn) configuration settings.
+   *
+   * @returns Promise with passkey settings
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * const passkeySettings = await passflow.getPasskeySettings();
+   * console.log('Passkeys enabled:', passkeySettings.enabled);
+   * console.log('User verification:', passkeySettings.user_verification);
+   * ```
+   */
   async getPasskeySettings() {
     try {
       return await this.settingApi.getPasskeySettings();
     } catch (e) {
-      const t = {
-        message: e instanceof Error ? e.message : "Failed to get passkey settings",
-        originalError: e
-      };
-      throw this.subscribeStore.notify(a.Error, t), e;
+      this.handleError(e, "Get passkey settings");
     }
   }
   // Passkey methods
+  /**
+   * Register a new user with a passkey (WebAuthn).
+   *
+   * @param payload - Passkey registration configuration
+   * @param payload.email - User's email address
+   * @param payload.username - Optional username
+   * @param payload.scopes - Optional scopes to request
+   * @returns Promise with authorization response containing tokens
+   * @throws {PassflowError} If passkey registration fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const response = await passflow.passkeyRegister({
+   *     email: 'user@example.com',
+   *     username: 'myusername'
+   *   });
+   *   console.log('Passkey registered', response.access_token);
+   * } catch (error) {
+   *   console.error('Passkey registration failed', error.message);
+   * }
+   * ```
+   */
   async passkeyRegister(e) {
     return await this.authService.passkeyRegister(e);
   }
+  /**
+   * Authenticate a user with a passkey (WebAuthn).
+   *
+   * @param payload - Passkey authentication configuration
+   * @param payload.email - Optional user email to pre-fill
+   * @param payload.scopes - Optional scopes to request
+   * @returns Promise with authorization response containing tokens
+   * @throws {PassflowError} If passkey authentication fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   // Let user select from available passkeys
+   *   const response = await passflow.passkeyAuthenticate({});
+   *   console.log('Passkey sign-in successful', response.access_token);
+   * } catch (error) {
+   *   console.error('Passkey authentication failed', error.message);
+   * }
+   * ```
+   */
   async passkeyAuthenticate(e) {
     return await this.authService.passkeyAuthenticate(e);
   }
   // Token management
+  /**
+   * Manually set tokens (useful after custom authentication flows).
+   * This will save tokens to storage, update cache, and trigger SignIn event.
+   *
+   * @param tokensData - Tokens object to set
+   * @param tokensData.access_token - JWT access token
+   * @param tokensData.refresh_token - Optional refresh token
+   * @param tokensData.id_token - Optional ID token
+   * @param tokensData.scopes - Token scopes
+   *
+   * @example
+   * ```typescript
+   * // Set tokens from a custom auth flow
+   * passflow.setTokens({
+   *   access_token: 'eyJhbGci...',
+   *   refresh_token: 'eyJhbGci...',
+   *   id_token: 'eyJhbGci...',
+   *   scopes: ['id', 'offline', 'email']
+   * });
+   * ```
+   */
   setTokens(e) {
     this.storageManager.saveTokens(e), this.tokenCacheService.setTokensCache(e), this.subscribeStore.notify(a.SignIn, {
       tokens: e,
-      parsedTokens: this.tokenCacheService.getParsedTokenCache()
+      parsedTokens: this.tokenCacheService.getParsedTokens()
     });
   }
-  // Add getTokens method
+  /**
+   * Get current tokens from storage, optionally refreshing if expired.
+   *
+   * @param doRefresh - If true, automatically refresh expired tokens (default: false)
+   * @returns Promise with tokens or undefined if not authenticated
+   *
+   * @example
+   * ```typescript
+   * // Get tokens without refresh
+   * const tokens = await passflow.getTokens();
+   *
+   * // Get tokens and auto-refresh if expired
+   * const freshTokens = await passflow.getTokens(true);
+   * ```
+   */
   async getTokens(e = !1) {
     return await this.authService.getTokens(e);
   }
-  // Get token from storage by key
+  /**
+   * Get a specific token from storage by type.
+   *
+   * @param tokenType - Type of token to retrieve ('access_token', 'refresh_token', 'id_token')
+   * @returns Token string or undefined if not found
+   *
+   * @example
+   * ```typescript
+   * const accessToken = passflow.getToken('access_token');
+   * if (accessToken) {
+   *   // Use token for API calls
+   *   fetch('/api/data', {
+   *     headers: { Authorization: `Bearer ${accessToken}` }
+   *   });
+   * }
+   * ```
+   */
   getToken(e) {
     return this.storageManager.getToken(e);
   }
   // User passkey methods delegated to UserService
+  /**
+   * Get list of passkeys registered for the current user.
+   *
+   * @returns Promise with array of user's passkeys
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * const passkeys = await passflow.getUserPasskeys();
+   * passkeys.forEach(passkey => {
+   *   console.log('Passkey:', passkey.name, passkey.id);
+   * });
+   * ```
+   */
   async getUserPasskeys() {
     try {
       return await this.userService.getUserPasskeys();
     } catch (e) {
-      const t = {
-        message: e instanceof Error ? e.message : "Failed to get user passkeys",
-        originalError: e
-      };
-      throw this.subscribeStore.notify(a.Error, t), e;
+      this.handleError(e, "Get user passkeys");
     }
   }
+  /**
+   * Rename a user's passkey to a friendly name.
+   *
+   * @param name - New friendly name for the passkey
+   * @param passkeyId - ID of the passkey to rename
+   * @returns Promise with success response
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * await passflow.renameUserPasskey('My MacBook Pro', 'passkey-123');
+   * console.log('Passkey renamed successfully');
+   * ```
+   */
   async renameUserPasskey(e, t) {
     try {
       return await this.userService.renameUserPasskey(e, t);
     } catch (s) {
-      const r = {
-        message: s instanceof Error ? s.message : "Failed to rename user passkey",
-        originalError: s
-      };
-      throw this.subscribeStore.notify(a.Error, r), s;
+      this.handleError(s, "Rename user passkey");
     }
   }
+  /**
+   * Delete a passkey from the user's account.
+   *
+   * @param passkeyId - ID of the passkey to delete
+   * @returns Promise with success response
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * await passflow.deleteUserPasskey('passkey-123');
+   * console.log('Passkey deleted successfully');
+   * ```
+   */
   async deleteUserPasskey(e) {
     try {
       return await this.userService.deleteUserPasskey(e);
     } catch (t) {
-      const s = {
-        message: t instanceof Error ? t.message : "Failed to delete user passkey",
-        originalError: t
-      };
-      throw this.subscribeStore.notify(a.Error, s), t;
+      this.handleError(t, "Delete user passkey");
     }
   }
+  /**
+   * Add a new passkey to the current user's account (requires active session).
+   *
+   * @param options - Optional passkey configuration
+   * @param options.relyingPartyId - Optional RP ID for the passkey
+   * @param options.passkeyUsername - Optional username to associate with passkey
+   * @param options.passkeyDisplayName - Optional display name for the passkey
+   * @returns Promise that resolves when passkey is added
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * // Add passkey with default settings
+   * await passflow.addUserPasskey();
+   *
+   * // Add passkey with custom display name
+   * await passflow.addUserPasskey({
+   *   passkeyDisplayName: 'My iPhone'
+   * });
+   * ```
+   */
   async addUserPasskey(e) {
     try {
       return await this.userService.addUserPasskey(e);
     } catch (t) {
-      const s = {
-        message: t instanceof Error ? t.message : "Failed to add user passkey",
-        originalError: t
-      };
-      throw this.subscribeStore.notify(a.Error, s), t;
+      this.handleError(t, "Add user passkey");
     }
   }
   // Tenant methods delegated to TenantService
@@ -2019,11 +3684,7 @@ class ie {
       const s = await this.tenant.joinInvitation(e, t);
       return s.scopes = t ?? this.scopes, this.storageManager.saveTokens(s), this.tokenCacheService.setTokensCache(s), s;
     } catch (s) {
-      const r = {
-        message: s instanceof Error ? s.message : "Failed to join invitation",
-        originalError: s
-      };
-      throw this.subscribeStore.notify(a.Error, r), s;
+      this.handleError(s, "Join invitation");
     }
   }
   /**
@@ -2037,23 +3698,35 @@ class ie {
       const s = await this.tenant.createTenant(e);
       return t && await this.refreshToken(), s;
     } catch (s) {
-      const r = {
-        message: s instanceof Error ? s.message : "Failed to create tenant",
-        originalError: s
-      };
-      throw this.subscribeStore.notify(a.Error, r), s;
+      this.handleError(s, "Create tenant");
     }
   }
   // Invitation methods delegated to InvitationService
+  /**
+   * Request an invitation link for a user to join a tenant.
+   *
+   * @param payload - Invitation request configuration
+   * @param payload.email - Email address to send invitation to
+   * @param payload.tenantID - Tenant ID for the invitation
+   * @param payload.send_to_email - Whether to send email automatically (default: true)
+   * @returns Promise with invitation link response
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * const invitation = await passflow.requestInviteLink({
+   *   email: 'newuser@example.com',
+   *   tenantID: 'tenant-123',
+   *   send_to_email: true
+   * });
+   * console.log('Invitation link:', invitation.link);
+   * ```
+   */
   async requestInviteLink(e) {
     try {
       return e.send_to_email === void 0 && (e.send_to_email = !0), await this.invitationService.requestInviteLink(e);
     } catch (t) {
-      const s = {
-        message: t instanceof Error ? t.message : "Failed to request invite link",
-        originalError: t
-      };
-      throw this.subscribeStore.notify(a.Error, s), t;
+      this.handleError(t, "Request invite link");
     }
   }
   /**
@@ -2065,85 +3738,1012 @@ class ie {
     try {
       return await this.invitationService.getInvitations(e);
     } catch (t) {
-      const s = {
-        message: t instanceof Error ? t.message : "Failed to get invitations",
-        originalError: t
-      };
-      throw this.subscribeStore.notify(a.Error, s), t;
+      this.handleError(t, "Get invitations");
     }
   }
+  /**
+   * Delete an invitation by its token.
+   *
+   * @param token - Invitation token to delete
+   * @returns Promise with success response
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * await passflow.deleteInvitation('invitation-token-123');
+   * console.log('Invitation deleted');
+   * ```
+   */
   async deleteInvitation(e) {
     try {
       return await this.invitationService.deleteInvitation(e);
     } catch (t) {
-      const s = {
-        message: t instanceof Error ? t.message : "Failed to delete invitation",
-        originalError: t
-      };
-      throw this.subscribeStore.notify(a.Error, s), t;
+      this.handleError(t, "Delete invitation");
     }
   }
+  /**
+   * Resend an invitation email.
+   *
+   * @param token - Invitation token to resend
+   * @returns Promise with success response
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * await passflow.resendInvitation('invitation-token-123');
+   * console.log('Invitation email resent');
+   * ```
+   */
   async resendInvitation(e) {
     try {
       return await this.invitationService.resendInvitation(e);
     } catch (t) {
-      const s = {
-        message: t instanceof Error ? t.message : "Failed to resend invitation",
-        originalError: t
-      };
-      throw this.subscribeStore.notify(a.Error, s), t;
+      this.handleError(t, "Resend invitation");
     }
   }
+  /**
+   * Get invitation details and link by invitation ID.
+   *
+   * @param invitationID - Invitation ID to retrieve
+   * @returns Promise with invitation link response
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * const invitation = await passflow.getInvitationLink('invitation-123');
+   * console.log('Invitation link:', invitation.link);
+   * ```
+   */
   async getInvitationLink(e) {
     try {
       return await this.invitationService.getInvitationLink(e);
     } catch (t) {
-      const s = {
-        message: t instanceof Error ? t.message : "Failed to get invitation link",
-        originalError: t
-      };
-      throw this.subscribeStore.notify(a.Error, s), t;
+      this.handleError(t, "Get invitation link");
     }
   }
   // Auth redirect helpers
+  /**
+   * Generate an authentication redirect URL for hosted login.
+   *
+   * @param options - Redirect URL configuration
+   * @param options.url - Optional custom Passflow server URL
+   * @param options.redirectUrl - URL to redirect to after authentication
+   * @param options.scopes - Optional scopes to request
+   * @param options.appId - Optional app ID to use
+   * @returns Authentication redirect URL
+   *
+   * @example
+   * ```typescript
+   * const authUrl = passflow.authRedirectUrl({
+   *   redirectUrl: window.location.origin + '/auth/callback',
+   *   scopes: ['id', 'email', 'offline']
+   * });
+   * console.log('Auth URL:', authUrl);
+   * // Use this URL for custom navigation logic
+   * ```
+   */
   authRedirectUrl(e = {}) {
     return this.authService.authRedirectUrl(e);
   }
+  /**
+   * Redirect to the Passflow hosted login page.
+   *
+   * @param options - Redirect configuration
+   * @param options.url - Optional custom Passflow server URL
+   * @param options.redirectUrl - URL to redirect to after authentication
+   * @param options.scopes - Optional scopes to request
+   * @param options.appId - Optional app ID to use
+   *
+   * @example
+   * ```typescript
+   * // Redirect to hosted login page
+   * passflow.authRedirect({
+   *   redirectUrl: window.location.origin + '/auth/callback'
+   * });
+   * ```
+   */
   authRedirect(e = {}) {
     this.authService.authRedirect(e);
   }
+  /**
+   * Get the current token delivery mode.
+   * Returns the mode determined by the server (json_body, cookie, or mobile).
+   *
+   * @returns The current token delivery mode
+   *
+   * @example
+   * ```typescript
+   * import { TokenDeliveryMode } from '@passflow/core';
+   *
+   * const mode = passflow.getDeliveryMode();
+   * if (mode === TokenDeliveryMode.Cookie) {
+   *   console.log('Using cookie-based authentication');
+   * } else {
+   *   console.log('Using JSON body authentication');
+   * }
+   * ```
+   */
+  getDeliveryMode() {
+    return this.authService.tokenDeliveryManager.getMode();
+  }
+  /**
+   * Restore and validate session for cookie mode on page load.
+   * Only applicable when using cookie-based token delivery.
+   * Validates that HttpOnly cookies are still valid with the server.
+   *
+   * This method is automatically called on SDK initialization for cookie mode,
+   * but can be called manually to re-validate the session.
+   *
+   * @returns Promise resolving to true if session is valid, false otherwise
+   *
+   * @example
+   * ```typescript
+   * // Check if session is valid (useful after page reload)
+   * const isValid = await passflow.restoreSession();
+   * if (isValid) {
+   *   console.log('Session restored successfully');
+   * } else {
+   *   console.log('Session expired, please sign in again');
+   * }
+   * ```
+   */
+  async restoreSession() {
+    return await this.authService.restoreSession();
+  }
+  // Two-Factor Authentication methods
+  /**
+   * Get the current 2FA enrollment status for the authenticated user.
+   *
+   * @returns Promise with 2FA status including enabled state and policy
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * const status = await passflow.getTwoFactorStatus();
+   * console.log('2FA enabled:', status.enabled);
+   * console.log('Recovery codes remaining:', status.recovery_codes_remaining);
+   * ```
+   */
+  async getTwoFactorStatus() {
+    try {
+      return await this.twoFactorService.getStatus();
+    } catch (e) {
+      this.handleError(e, "Get 2FA status");
+    }
+  }
+  /**
+   * Begin the 2FA setup process for the authenticated user.
+   * Returns a secret and QR code to scan with an authenticator app.
+   *
+   * @returns Promise with setup response containing secret and QR code
+   * @throws {PassflowError} If request fails
+   *
+   * @example
+   * ```typescript
+   * const setup = await passflow.beginTwoFactorSetup();
+   * console.log('Scan this QR code:', setup.qr_code);
+   * console.log('Or enter this secret:', setup.secret);
+   * ```
+   */
+  async beginTwoFactorSetup() {
+    try {
+      return await this.twoFactorService.beginSetup();
+    } catch (e) {
+      this.handleError(e, "Begin 2FA setup");
+    }
+  }
+  /**
+   * Confirm 2FA setup by verifying a TOTP code from the authenticator app.
+   * Returns recovery codes that MUST be saved by the user.
+   *
+   * @param code - 6-digit TOTP code from authenticator app
+   * @returns Promise with confirmation response including recovery codes
+   * @throws {PassflowError} If verification fails
+   *
+   * @example
+   * ```typescript
+   * const result = await passflow.confirmTwoFactorSetup('123456');
+   * console.log('SAVE THESE RECOVERY CODES:', result.recovery_codes);
+   * // Display recovery codes to user for safekeeping
+   * ```
+   */
+  async confirmTwoFactorSetup(e) {
+    try {
+      return await this.twoFactorService.confirmSetup(e);
+    } catch (t) {
+      this.handleError(t, "Confirm 2FA setup");
+    }
+  }
+  /**
+   * Verify a TOTP code during login when 2FA is required.
+   * Completes the authentication process and saves tokens.
+   *
+   * @param code - 6-digit TOTP code from authenticator app
+   * @returns Promise with verification response containing tokens
+   * @throws {PassflowError} If verification fails
+   *
+   * @example
+   * ```typescript
+   * // After signIn returns requires_2fa: true
+   * if (passflow.isTwoFactorVerificationRequired()) {
+   *   const response = await passflow.verifyTwoFactor('123456');
+   *   console.log('Authentication complete', response.access_token);
+   * }
+   * ```
+   */
+  async verifyTwoFactor(e) {
+    try {
+      const t = await this.twoFactorService.verify(e);
+      return this.storageManager.saveTokens(t), this.tokenCacheService.setTokensCache(t), this.subscribeStore.notify(a.SignIn, {
+        tokens: t,
+        parsedTokens: this.tokenCacheService.getParsedTokens()
+      }), await this.submitSessionCheck(), t;
+    } catch (t) {
+      this.handleError(t, "Verify 2FA");
+    }
+  }
+  /**
+   * Use a recovery code for authentication when TOTP is unavailable.
+   * Completes the authentication process and saves tokens.
+   *
+   * @param code - Recovery code from the list provided during setup
+   * @returns Promise with recovery response containing tokens and remaining codes count
+   * @throws {PassflowError} If recovery code is invalid
+   *
+   * @example
+   * ```typescript
+   * // After signIn returns requires_2fa: true
+   * const result = await passflow.useTwoFactorRecoveryCode('ABCD-1234');
+   * console.log('Authenticated with recovery code');
+   * console.log(`${result.remaining_recovery_codes} recovery codes remaining`);
+   * ```
+   */
+  async useTwoFactorRecoveryCode(e) {
+    try {
+      const t = await this.twoFactorService.useRecoveryCode(e);
+      return this.storageManager.saveTokens(t), this.tokenCacheService.setTokensCache(t), this.subscribeStore.notify(a.SignIn, {
+        tokens: t,
+        parsedTokens: this.tokenCacheService.getParsedTokens()
+      }), await this.submitSessionCheck(), t;
+    } catch (t) {
+      this.handleError(t, "Use 2FA recovery code");
+    }
+  }
+  /**
+   * Disable 2FA for the authenticated user.
+   * Requires verification with a current TOTP code.
+   *
+   * @param code - Current 6-digit TOTP code for verification
+   * @returns Promise with success response
+   * @throws {PassflowError} If verification fails
+   *
+   * @example
+   * ```typescript
+   * await passflow.disableTwoFactor('123456');
+   * console.log('2FA disabled successfully');
+   * ```
+   */
+  async disableTwoFactor(e) {
+    try {
+      return await this.twoFactorService.disable(e);
+    } catch (t) {
+      this.handleError(t, "Disable 2FA");
+    }
+  }
+  /**
+   * Regenerate recovery codes for the authenticated user.
+   * Old recovery codes will be invalidated. Requires verification with a current TOTP code.
+   *
+   * @param code - Current 6-digit TOTP code for verification
+   * @returns Promise with response containing new recovery codes
+   * @throws {PassflowError} If verification fails
+   *
+   * @example
+   * ```typescript
+   * const result = await passflow.regenerateTwoFactorRecoveryCodes('123456');
+   * console.log('New recovery codes:', result.recovery_codes);
+   * // Display new recovery codes to user for safekeeping
+   * ```
+   */
+  async regenerateTwoFactorRecoveryCodes(e) {
+    try {
+      return await this.twoFactorService.regenerateRecoveryCodes(e);
+    } catch (t) {
+      this.handleError(t, "Regenerate 2FA recovery codes");
+    }
+  }
+  /**
+   * Check if 2FA verification is currently required (local state check).
+   * Returns true if user has signed in but needs to complete 2FA verification.
+   *
+   * @returns True if 2FA verification is pending, false otherwise
+   *
+   * @example
+   * ```typescript
+   * if (passflow.isTwoFactorVerificationRequired()) {
+   *   // Show 2FA code input UI
+   *   console.log('Please enter your 2FA code');
+   * }
+   * ```
+   */
+  isTwoFactorVerificationRequired() {
+    return this.twoFactorService.isVerificationRequired();
+  }
+  /**
+   * Get configured TOTP digit count for the current app
+   * @returns Number of digits (6 or 8) configured for TOTP codes
+   *
+   * @example
+   * ```typescript
+   * const digits = passflow.getTotpDigits();
+   * console.log(`TOTP codes should be ${digits} digits`);
+   * ```
+   */
+  getTotpDigits() {
+    return this.twoFactorService.getTotpDigits();
+  }
+  // Magic Link 2FA Setup Methods
+  /**
+   * Validate a magic link token for 2FA setup.
+   * Used when a user clicks on an admin-generated magic link to set up 2FA.
+   *
+   * The magic link creates a scoped session that can ONLY be used for 2FA setup,
+   * not for regular authentication.
+   *
+   * @param token - Magic link token from URL parameter
+   * @returns Promise with validation response containing scoped session or error
+   *
+   * @example
+   * ```typescript
+   * // On the magic link landing page (e.g., /2fa-setup/:token)
+   * const urlToken = extractTokenFromUrl();
+   * const result = await passflow.validateTwoFactorSetupMagicLink(urlToken);
+   *
+   * if (result.success) {
+   *   console.log('Magic link validated');
+   *   console.log('User ID:', result.userId);
+   *   console.log('Session expires in:', result.expiresIn, 'seconds');
+   *   // Show 2FA setup form
+   * } else {
+   *   console.error('Validation failed:', result.error?.message);
+   *   // Show error UI
+   * }
+   * ```
+   */
+  async validateTwoFactorSetupMagicLink(e) {
+    return await this.twoFactorService.validateTwoFactorSetupMagicLink(e);
+  }
+  /**
+   * Get the current magic link session (if any).
+   * Used by React SDK components to access session data.
+   *
+   * @returns Active magic link session or null if none/expired
+   *
+   * @example
+   * ```typescript
+   * const session = passflow.getMagicLinkSession();
+   * if (session) {
+   *   console.log('Active session for user:', session.userId);
+   *   console.log('Expires at:', new Date(session.expiresAt));
+   * }
+   * ```
+   */
+  getMagicLinkSession() {
+    return this.twoFactorService.getMagicLinkSession();
+  }
+  /**
+   * Check if a magic link session is currently active.
+   *
+   * @returns True if magic link session is active and not expired
+   *
+   * @example
+   * ```typescript
+   * if (passflow.hasMagicLinkSession()) {
+   *   // User can proceed with 2FA setup
+   * } else {
+   *   // Redirect to error page or request new link
+   * }
+   * ```
+   */
+  hasMagicLinkSession() {
+    return this.twoFactorService.hasMagicLinkSession();
+  }
+  /**
+   * Clear the magic link session.
+   * Called after successful 2FA setup or on error.
+   *
+   * @example
+   * ```typescript
+   * // After 2FA setup is complete
+   * passflow.clearMagicLinkSession();
+   * // Redirect to sign-in
+   * ```
+   */
+  clearMagicLinkSession() {
+    this.twoFactorService.clearMagicLinkSession();
+  }
+};
+O.version = Z;
+let L = O;
+class l extends Error {
+  constructor(e) {
+    super(e.message), this.name = "M2MError", this.code = e.code, this.status = e.status ?? 400, this.errorUri = e.errorUri, this.rateLimitInfo = e.rateLimitInfo, this.headers = e.headers, this.cause = e.cause, this.timestamp = (/* @__PURE__ */ new Date()).toISOString(), Error.captureStackTrace && Error.captureStackTrace(this, l);
+  }
+  /**
+   * Create an M2MError from an OAuth 2.0 error response
+   */
+  static fromOAuthError(e, t, s) {
+    const r = s ? l.parseRateLimitHeaders(s) : void 0;
+    return new l({
+      code: e.error,
+      message: e.error_description ?? l.getDefaultMessage(e.error),
+      status: t,
+      errorUri: e.error_uri,
+      rateLimitInfo: r,
+      headers: s
+    });
+  }
+  /**
+   * Create an M2MError from a network or other error
+   */
+  static fromError(e, t = "server_error") {
+    return new l({
+      code: t,
+      message: e.message || "An unexpected error occurred",
+      status: 500,
+      cause: e
+    });
+  }
+  /**
+   * Parse rate limit headers from response
+   */
+  static parseRateLimitHeaders(e) {
+    const t = e["x-ratelimit-limit"], s = e["x-ratelimit-remaining"], r = e["x-ratelimit-reset"] || e["retry-after"];
+    if (t && s && r)
+      return {
+        limit: parseInt(t, 10),
+        remaining: parseInt(s, 10),
+        reset: parseInt(r, 10)
+      };
+  }
+  /**
+   * Get default error message for an error code
+   */
+  static getDefaultMessage(e) {
+    return {
+      invalid_request: "The request is missing a required parameter or is otherwise malformed.",
+      invalid_client: "Client authentication failed. Verify your client credentials.",
+      invalid_grant: "The provided authorization grant is invalid or expired.",
+      invalid_scope: "The requested scope is invalid, unknown, or exceeds the allowed scopes.",
+      unauthorized_client: "The client is not authorized to use this grant type.",
+      unsupported_grant_type: "The authorization grant type is not supported.",
+      rate_limit_exceeded: "Too many requests. Please retry after the rate limit window resets.",
+      server_error: "The authorization server encountered an unexpected error.",
+      temporarily_unavailable: "The authorization server is temporarily unavailable. Please try again later."
+    }[e] || "An unknown error occurred.";
+  }
+  /**
+   * Check if the error is retryable
+   */
+  isRetryable() {
+    return this.code === "server_error" || this.code === "temporarily_unavailable" || this.code === "rate_limit_exceeded" || this.status >= 500;
+  }
+  /**
+   * Get suggested wait time before retry (in milliseconds)
+   */
+  getRetryAfter() {
+    if (this.rateLimitInfo?.reset) {
+      const e = Math.floor(Date.now() / 1e3), t = this.rateLimitInfo.reset - e;
+      return Math.max(t * 1e3, 1e3);
+    }
+    return 1e3;
+  }
+  /**
+   * Convert to JSON-serializable object
+   */
+  toJSON() {
+    return {
+      name: this.name,
+      code: this.code,
+      message: this.message,
+      status: this.status,
+      errorUri: this.errorUri,
+      rateLimitInfo: this.rateLimitInfo,
+      timestamp: this.timestamp
+    };
+  }
+  /**
+   * Create a human-readable string representation
+   */
+  toString() {
+    let e = `M2MError [${this.code}]: ${this.message}`;
+    return this.status && (e += ` (HTTP ${this.status})`), e;
+  }
+}
+class N extends l {
+  constructor(e, t) {
+    super({
+      code: "temporarily_unavailable",
+      message: e,
+      status: 0,
+      cause: t
+    }), this.name = "M2MNetworkError";
+  }
+}
+class P extends l {
+  constructor(e, t) {
+    super({
+      code: "invalid_request",
+      message: e,
+      status: 400,
+      cause: t
+    }), this.name = "M2MTokenParseError";
+  }
+}
+class U extends l {
+  constructor(e) {
+    super({
+      code: "invalid_request",
+      message: e,
+      status: 400
+    }), this.name = "M2MConfigError";
+  }
+}
+const Ge = {
+  InvalidRequest: "invalid_request",
+  InvalidClient: "invalid_client",
+  InvalidGrant: "invalid_grant",
+  InvalidScope: "invalid_scope",
+  UnauthorizedClient: "unauthorized_client",
+  UnsupportedGrantType: "unsupported_grant_type",
+  RateLimitExceeded: "rate_limit_exceeded",
+  ServerError: "server_error",
+  TemporarilyUnavailable: "temporarily_unavailable"
+}, m = {
+  /** Default token endpoint path */
+  TOKEN_ENDPOINT: "/oauth2/token",
+  /** Default request timeout in milliseconds */
+  TIMEOUT: 1e4,
+  /** Default number of retry attempts */
+  RETRIES: 3,
+  /** Default delay between retries in milliseconds */
+  RETRY_DELAY: 1e3,
+  /** Default refresh threshold in seconds */
+  REFRESH_THRESHOLD: 30,
+  /** Content-Type for token requests */
+  CONTENT_TYPE: "application/x-www-form-urlencoded"
+};
+class xe {
+  constructor() {
+    this.cache = /* @__PURE__ */ new Map();
+  }
+  async get(e) {
+    const t = this.cache.get(e);
+    return t ? Date.now() >= t.expiresAt ? (this.cache.delete(e), null) : t.token : null;
+  }
+  async set(e, t, s) {
+    this.cache.set(e, {
+      token: t,
+      expiresAt: Date.now() + s * 1e3
+    });
+  }
+  async delete(e) {
+    this.cache.delete(e);
+  }
+}
+const Ue = {
+  shouldRetry(i, e) {
+    return e >= 3 ? !1 : i.code === "server_error" || i.code === "temporarily_unavailable" || i.code === "rate_limit_exceeded" || i.status !== void 0 && i.status >= 500;
+  },
+  getDelay(i) {
+    return Math.pow(2, i - 1) * 1e3;
+  }
+};
+class Ve {
+  /**
+   * Create a new M2M client
+   *
+   * @param config - Client configuration
+   * @throws {M2MConfigError} If required configuration is missing
+   *
+   * @example
+   * ```typescript
+   * const m2m = new M2MClient({
+   *   url: 'https://auth.yourapp.com',
+   *   clientId: 'your-client-id',
+   *   clientSecret: 'your-client-secret',
+   * });
+   * ```
+   */
+  constructor(e) {
+    if (!e.url)
+      throw new U("M2M client requires a URL");
+    if (!e.clientId)
+      throw new U("M2M client requires a clientId");
+    if (!e.clientSecret)
+      throw new U("M2M client requires a clientSecret");
+    const t = e.url.replace(/\/$/, "");
+    this.config = {
+      url: t,
+      clientId: e.clientId,
+      clientSecret: e.clientSecret,
+      scopes: e.scopes,
+      audience: e.audience,
+      autoRefresh: e.autoRefresh ?? !1,
+      refreshThreshold: e.refreshThreshold ?? m.REFRESH_THRESHOLD,
+      timeout: e.timeout ?? m.TIMEOUT,
+      retries: e.retries ?? m.RETRIES,
+      retryDelay: e.retryDelay ?? m.RETRY_DELAY,
+      retryStrategy: e.retryStrategy,
+      cache: e.cache,
+      onTokenRequest: e.onTokenRequest,
+      onTokenResponse: e.onTokenResponse,
+      onError: e.onError
+    }, this.cache = e.cache ?? new xe(), this.retryStrategy = e.retryStrategy ?? Ue, this.tokenEndpoint = `${t}${m.TOKEN_ENDPOINT}`;
+  }
+  /**
+   * Get the cache key for this client
+   */
+  getCacheKey(e, t) {
+    const s = e?.sort().join(",") || "", r = t?.sort().join(",") || "";
+    return `m2m:${this.config.clientId}:${s}:${r}`;
+  }
+  /**
+   * Request an access token from the authorization server
+   *
+   * @param options - Optional request overrides
+   * @returns Token response
+   * @throws {M2MError} On authentication failure
+   *
+   * @example
+   * ```typescript
+   * // Basic usage
+   * const token = await m2m.getToken();
+   *
+   * // With options
+   * const token = await m2m.getToken({
+   *   scopes: ['users:read'],
+   *   forceRefresh: true,
+   * });
+   * ```
+   */
+  async getToken(e) {
+    const t = e?.scopes ?? this.config.scopes, s = e?.audience ?? this.config.audience, r = this.getCacheKey(t, s);
+    if (!e?.forceRefresh) {
+      const o = await this.cache.get(r);
+      if (o && !this.isTokenExpired(o))
+        return o;
+    }
+    return this.requestToken(t, s, r);
+  }
+  /**
+   * Get a valid token, automatically refreshing if needed
+   *
+   * When autoRefresh is enabled, this will proactively refresh tokens
+   * that are about to expire (within refreshThreshold seconds).
+   *
+   * @returns Valid token response
+   * @throws {M2MError} On authentication failure
+   *
+   * @example
+   * ```typescript
+   * // Always returns a valid, non-expired token
+   * const token = await m2m.getValidToken();
+   * ```
+   */
+  async getValidToken() {
+    const e = this.config.scopes, t = this.config.audience, s = this.getCacheKey(e, t), r = await this.cache.get(s);
+    if (r) {
+      if (this.config.autoRefresh && this.isTokenExpired(r, this.config.refreshThreshold))
+        return this.requestToken(e, t, s);
+      if (!this.isTokenExpired(r))
+        return r;
+    }
+    return this.requestToken(e, t, s);
+  }
+  /**
+   * Request a new token from the authorization server
+   */
+  async requestToken(e, t, s) {
+    const r = {
+      grant_type: "client_credentials",
+      client_id: this.config.clientId,
+      client_secret: this.config.clientSecret
+    };
+    e && e.length > 0 && (r.scope = e.join(" ")), t && t.length > 0 && (r.audience = t.join(" ")), this.config.onTokenRequest && this.config.onTokenRequest({
+      clientId: this.config.clientId,
+      scopes: e ?? [],
+      audience: t ?? [],
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    const o = await this.executeWithRetry(() => this.doTokenRequest(r));
+    return o.issued_at = Math.floor(Date.now() / 1e3), s && await this.cache.set(s, o, o.expires_in), this.config.onTokenResponse && this.config.onTokenResponse(o), o;
+  }
+  /**
+   * Execute the actual HTTP request to the token endpoint
+   */
+  async doTokenRequest(e) {
+    const t = new URLSearchParams();
+    t.append("grant_type", e.grant_type), t.append("client_id", e.client_id), t.append("client_secret", e.client_secret), e.scope && t.append("scope", e.scope), e.audience && t.append("audience", e.audience);
+    const s = new AbortController(), r = setTimeout(() => s.abort(), this.config.timeout);
+    try {
+      const o = await fetch(this.tokenEndpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": m.CONTENT_TYPE,
+          Accept: "application/json"
+        },
+        body: t.toString(),
+        signal: s.signal
+      });
+      clearTimeout(r);
+      const n = {};
+      o.headers.forEach((c, g) => {
+        n[g.toLowerCase()] = c;
+      });
+      const d = await o.json();
+      if (!o.ok) {
+        const c = l.fromOAuthError(
+          {
+            error: d.error || "server_error",
+            error_description: d.error_description || d.message,
+            error_uri: d.error_uri
+          },
+          o.status,
+          n
+        );
+        throw this.config.onError && this.config.onError({
+          error: c.code,
+          error_description: c.message
+        }), c;
+      }
+      return d;
+    } catch (o) {
+      throw clearTimeout(r), o instanceof Error && o.name === "AbortError" ? new N(`Request timed out after ${this.config.timeout}ms`) : o instanceof TypeError && o.message.includes("fetch") ? new N(`Network error: ${o.message}`, o) : o instanceof l ? o : l.fromError(o instanceof Error ? o : new Error(String(o)));
+    }
+  }
+  /**
+   * Execute a request with retry logic
+   */
+  async executeWithRetry(e) {
+    let t;
+    for (let s = 1; s <= this.config.retries; s++)
+      try {
+        return await e();
+      } catch (r) {
+        if (!(r instanceof l))
+          throw r;
+        if (t = r, s < this.config.retries && this.retryStrategy.shouldRetry({ code: r.code, status: r.status }, s)) {
+          const o = this.retryStrategy.getDelay(s);
+          await this.sleep(o);
+          continue;
+        }
+        throw r;
+      }
+    throw t ?? new l({ code: "server_error", message: "Request failed after retries" });
+  }
+  /**
+   * Sleep for a given duration
+   */
+  sleep(e) {
+    return new Promise((t) => setTimeout(t, e));
+  }
+  /**
+   * Get the currently cached token without making a request
+   *
+   * @returns Cached token or null if not cached
+   *
+   * @example
+   * ```typescript
+   * const token = m2m.getCachedToken();
+   * if (token && !m2m.isTokenExpired(token)) {
+   *   console.log('Using cached token');
+   * }
+   * ```
+   */
+  getCachedToken() {
+    const e = this.cache;
+    if ("cache" in e) {
+      const t = this.getCacheKey(this.config.scopes, this.config.audience);
+      return e.cache.get(
+        t
+      )?.token ?? null;
+    }
+    return null;
+  }
+  /**
+   * Check if a token is expired or about to expire
+   *
+   * @param token - Token to check (uses issued_at + expires_in if available)
+   * @param threshold - Seconds before actual expiry to consider expired (default: 0)
+   * @returns true if expired or about to expire
+   *
+   * @example
+   * ```typescript
+   * if (m2m.isTokenExpired(token)) {
+   *   console.log('Token is expired');
+   * }
+   *
+   * // Check if expiring within 5 minutes
+   * if (m2m.isTokenExpired(token, 300)) {
+   *   console.log('Token expires soon');
+   * }
+   * ```
+   */
+  isTokenExpired(e, t = 0) {
+    if (!e) return !0;
+    const s = Math.floor(Date.now() / 1e3), o = (e.issued_at ?? s - e.expires_in) + e.expires_in;
+    return s >= o - t;
+  }
+  /**
+   * Parse token claims from a JWT access token
+   *
+   * @param token - JWT access token string
+   * @returns Decoded token claims
+   * @throws {M2MTokenParseError} If token format is invalid
+   *
+   * @example
+   * ```typescript
+   * const token = await m2m.getToken();
+   * const claims = m2m.parseToken(token.access_token);
+   * console.log('Client ID:', claims.client_id);
+   * console.log('Scopes:', claims.scopes);
+   * ```
+   */
+  parseToken(e) {
+    try {
+      const t = e.split(".");
+      if (t.length !== 3)
+        throw new P("Invalid JWT format: expected 3 parts");
+      const s = t[1];
+      if (!s)
+        throw new P("Invalid JWT format: missing payload");
+      const r = atob(s.replace(/-/g, "+").replace(/_/g, "/")), o = JSON.parse(r);
+      return o.scopes && typeof o.scopes == "string" ? o.scopes = o.scopes.split(" ") : o.scopes || (o.scopes = []), o;
+    } catch (t) {
+      throw t instanceof P ? t : new P(`Failed to parse token: ${t instanceof Error ? t.message : "Unknown error"}`);
+    }
+  }
+  /**
+   * Clear the token cache, forcing a new request on next getToken()
+   *
+   * @example
+   * ```typescript
+   * m2m.clearCache();
+   * // Next getToken() will request a new token
+   * const token = await m2m.getToken();
+   * ```
+   */
+  clearCache() {
+    const e = this.getCacheKey(this.config.scopes, this.config.audience);
+    this.cache.delete(e);
+  }
+  /**
+   * Revoke the current token
+   *
+   * Note: Requires the server to support token revocation (RFC 7009).
+   * Not all Passflow deployments may support this endpoint.
+   *
+   * @throws {M2MError} If revocation fails
+   *
+   * @example
+   * ```typescript
+   * await m2m.revokeToken();
+   * console.log('Token revoked');
+   * ```
+   */
+  async revokeToken() {
+    const e = this.getCachedToken();
+    if (!e)
+      return;
+    const t = `${this.config.url}/oauth2/revoke`, s = new URLSearchParams();
+    s.append("token", e.access_token), s.append("client_id", this.config.clientId), s.append("client_secret", this.config.clientSecret);
+    try {
+      const r = await fetch(t, {
+        method: "POST",
+        headers: {
+          "Content-Type": m.CONTENT_TYPE
+        },
+        body: s.toString()
+      });
+      if (!r.ok && r.status !== 200) {
+        const o = await r.json().catch(() => ({}));
+        throw l.fromOAuthError(
+          {
+            error: o.error || "server_error",
+            error_description: o.error_description || "Token revocation failed"
+          },
+          r.status
+        );
+      }
+      this.clearCache();
+    } catch (r) {
+      throw r instanceof l ? r : l.fromError(r instanceof Error ? r : new Error(String(r)));
+    }
+  }
+  /**
+   * Get the configured URL
+   */
+  get url() {
+    return this.config.url;
+  }
+  /**
+   * Get the configured client ID
+   */
+  get clientId() {
+    return this.config.clientId;
+  }
+  /**
+   * Get the configured scopes
+   */
+  get scopes() {
+    return this.config.scopes;
+  }
+  /**
+   * Get the configured audience
+   */
+  get audience() {
+    return this.config.audience;
+  }
 }
 export {
-  P as APP_ID_HEADER_KEY,
-  m as AUTHORIZATION_HEADER_KEY,
-  j as AppAPI,
-  O as AuthAPI,
-  q as AuthService,
-  re as DEFAULT_GROUP_NAME,
-  F as DEFAULT_SCOPES,
-  D as DEVICE_ID_HEADER_KEY,
-  x as DEVICE_TYPE_HEADER_KEY,
-  W as InvitationAPI,
-  V as InvitationService,
-  w as OS,
-  A as PASSFLOW_CLOUD_URL,
-  ie as Passflow,
-  y as PassflowAdminEndpointPaths,
-  c as PassflowEndpointPaths,
+  C as APP_ID_HEADER_KEY,
+  _ as AUTHORIZATION_HEADER_KEY,
+  pe as AppAPI,
+  fe as AuthAPI,
+  Ie as AuthService,
+  Ke as DEFAULT_GROUP_NAME,
+  Q as DEFAULT_SCOPES,
+  W as DEVICE_ID_HEADER_KEY,
+  J as DEVICE_TYPE_HEADER_KEY,
+  ne as ERROR_MESSAGE_MAX_LENGTH,
+  ke as InvitationAPI,
+  be as InvitationService,
+  Ve as M2MClient,
+  U as M2MConfigError,
+  l as M2MError,
+  Ge as M2MErrorCodes,
+  N as M2MNetworkError,
+  P as M2MTokenParseError,
+  m as M2M_DEFAULTS,
+  Ne as MINIMAL_DEFAULT_SCOPES,
+  I as OS,
+  G as PASSFLOW_CLOUD_URL,
+  te as POPUP_HEIGHT,
+  se as POPUP_POLL_INTERVAL_MS,
+  re as POPUP_TIMEOUT_MS,
+  ee as POPUP_WIDTH,
+  L as Passflow,
+  w as PassflowAdminEndpointPaths,
+  h as PassflowEndpointPaths,
   u as PassflowError,
   a as PassflowEvent,
-  L as Providers,
-  S as RequestMethod,
-  K as SettingAPI,
-  B as TenantAPI,
-  X as TenantService,
-  Y as TenantUserMembership,
-  Z as TokenCacheService,
-  g as TokenType,
-  N as UserAPI,
-  Q as UserService,
-  f as isTokenExpired,
-  d as parseToken,
-  C as pathWithParams
+  de as Providers,
+  E as RequestMethod,
+  Z as SDK_VERSION,
+  q as SessionState,
+  ye as SettingAPI,
+  V as TOKEN_EXPIRY_BUFFER_SECONDS,
+  ve as TenantAPI,
+  Pe as TenantService,
+  Re as TenantUserMembership,
+  De as TokenCacheService,
+  v as TokenDeliveryMode,
+  k as TokenType,
+  Se as TwoFactorApiClient,
+  ue as TwoFactorPolicy,
+  Fe as TwoFactorService,
+  oe as USERNAME_MAX_LENGTH,
+  ie as USERNAME_MIN_LENGTH,
+  me as UserAPI,
+  Me as UserService,
+  S as isTokenExpired,
+  M as isValidEmail,
+  F as isValidJWTFormat,
+  x as isValidPhoneNumber,
+  Ee as isValidUsername,
+  y as parseToken,
+  A as pathWithParams,
+  Te as sanitizeErrorMessage
 };
 //# sourceMappingURL=index.mjs.map