@phantom/browser-sdk 1.0.3 → 1.0.5

package/dist/index.d.ts

@@ -119,6 +119,11 @@ type BrowserSDKConfig = Prettify<Omit<EmbeddedProviderConfig, "authOptions" | "a
         authUrl?: string;
         redirectUrl?: string;
     };
+    /** When also provided, the Auth2 PKCE flow is used instead of the legacy Phantom Connect flow. */
+    unstable__auth2Options?: {
+        authApiBaseUrl: string;
+        clientId: string;
+    };
 }>;
 type Prettify<T> = {
     [K in keyof T]: T[K];

package/dist/index.js

@@ -1805,16 +1805,11 @@ var InjectedProvider = class {
           walletName: walletInfo.name
         });
       } catch (err) {
-        debug.warn(DebugCategory.INJECTED_PROVIDER, "Failed to connect Solana, stopping", {
+        debug.warn(DebugCategory.INJECTED_PROVIDER, "Failed to connect Solana, continuing with other chains", {
           error: err,
           walletId: this.selectedWalletId,
           walletName: walletInfo.name
         });
-        this.emit("connect_error", {
-          error: err instanceof Error ? err.message : "Failed to connect",
-          source: options?.skipEventListeners ? "auto-connect" : "manual-connect"
-        });
-        throw err;
       }
     }
     if (this.addressTypes.includes(import_client4.AddressType.ethereum) && walletInfo.providers?.ethereum) {
@@ -1844,16 +1839,11 @@ var InjectedProvider = class {
           });
         }
       } catch (err) {
-        debug.warn(DebugCategory.INJECTED_PROVIDER, "Failed to connect Ethereum, stopping", {
+        debug.warn(DebugCategory.INJECTED_PROVIDER, "Failed to connect Ethereum, continuing with other chains", {
           error: err,
           walletId: this.selectedWalletId,
           walletName: walletInfo.name
         });
-        this.emit("connect_error", {
-          error: err instanceof Error ? err.message : "Failed to connect",
-          source: options?.skipEventListeners ? "auto-connect" : "manual-connect"
-        });
-        throw err;
       }
     }
     return connectedAddresses;
@@ -2774,7 +2764,7 @@ var BrowserAuthProvider = class {
         // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
         clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
         allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.3",
+        sdk_version: "1.0.5",
         sdk_type: "browser",
         platform: detectBrowser().name,
         algorithm: phantomOptions.algorithm || import_constants3.DEFAULT_AUTHENTICATOR_ALGORITHM
@@ -2805,7 +2795,7 @@ var BrowserAuthProvider = class {
       resolve();
     });
   }
-  resumeAuthFromRedirect(provider) {
+  async resumeAuthFromRedirect(provider) {
     try {
       const walletId = this.urlParamsAccessor.getParam("wallet_id");
       const sessionId = this.urlParamsAccessor.getParam("session_id");
@@ -2880,14 +2870,14 @@ var BrowserAuthProvider = class {
           }
         );
       }
-      return {
+      return Promise.resolve({
         walletId,
         organizationId,
         accountDerivationIndex: accountDerivationIndex ? parseInt(accountDerivationIndex) : 0,
         expiresInMs: expiresInMs ? parseInt(expiresInMs) : 0,
         authUserId: authUserId || void 0,
         provider
-      };
+      });
     } catch (error) {
       sessionStorage.removeItem("phantom-auth-context");
       throw error;
@@ -2895,6 +2885,294 @@ var BrowserAuthProvider = class {
   }
 };
 
+// src/providers/embedded/adapters/Auth2AuthProvider.ts
+var import_auth2 = require("@phantom/auth2");
+var Auth2AuthProvider = class {
+  constructor(stamper, storage, urlParamsAccessor, auth2ProviderOptions, kmsClientOptions) {
+    this.stamper = stamper;
+    this.storage = storage;
+    this.urlParamsAccessor = urlParamsAccessor;
+    this.auth2ProviderOptions = auth2ProviderOptions;
+    this.kms = new import_auth2.Auth2KmsRpcClient(stamper, kmsClientOptions);
+  }
+  /** Redirect the browser. Extracted as a static method so tests can spy on it. */
+  static navigate(url) {
+    window.location.href = url;
+  }
+  /**
+   * Builds the Auth2 /login/start URL and redirects the browser.
+   *
+   * Called by EmbeddedProvider.handleRedirectAuth() after the stamper has
+   * already been initialized and a pending Session has been saved to storage.
+   * We store the PKCE code_verifier into that session so it survives the page
+   * redirect without ever touching sessionStorage.
+   */
+  async authenticate(options) {
+    if (!this.stamper.getKeyInfo()) {
+      await this.stamper.init();
+    }
+    const keyPair = this.stamper.getCryptoKeyPair();
+    if (!keyPair) {
+      throw new Error("Stamper key pair not found.");
+    }
+    const codeVerifier = (0, import_auth2.createCodeVerifier)();
+    const session = await this.storage.getSession();
+    if (!session) {
+      throw new Error("Session not found.");
+    }
+    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
+    const url = await (0, import_auth2.createConnectStartUrl)({
+      keyPair,
+      connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
+      clientId: this.auth2ProviderOptions.clientId,
+      redirectUri: this.auth2ProviderOptions.redirectUri,
+      sessionId: options.sessionId,
+      provider: options.provider,
+      codeVerifier,
+      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
+      salt: ""
+    });
+    Auth2AuthProvider.navigate(url);
+  }
+  /**
+   * Processes the Auth2 callback after the browser returns from /login/start.
+   *
+   * Exchanges the authorization code for tokens, discovers the organization
+   * and wallet via KMS RPC, then returns a completed AuthResult.
+   */
+  async resumeAuthFromRedirect(provider) {
+    const code = this.urlParamsAccessor.getParam("code");
+    if (!code) {
+      return null;
+    }
+    if (!this.stamper.getKeyInfo()) {
+      await this.stamper.init();
+    }
+    const session = await this.storage.getSession();
+    if (!session) {
+      throw new Error("Session not found.");
+    }
+    const codeVerifier = session?.pkceCodeVerifier;
+    if (!codeVerifier) {
+      return null;
+    }
+    const state = this.urlParamsAccessor.getParam("state");
+    if (!state || state !== session.sessionId) {
+      throw new Error("Missing or invalid Auth2 state parameter \u2014 possible CSRF attack.");
+    }
+    const error = this.urlParamsAccessor.getParam("error");
+    if (error) {
+      const description = this.urlParamsAccessor.getParam("error_description");
+      throw new Error(`Auth2 callback error: ${description ?? error}`);
+    }
+    const { idToken, bearerToken, authUserId, expiresInMs } = await (0, import_auth2.exchangeAuthCode)({
+      authApiBaseUrl: this.auth2ProviderOptions.authApiBaseUrl,
+      clientId: this.auth2ProviderOptions.clientId,
+      redirectUri: this.auth2ProviderOptions.redirectUri,
+      code,
+      codeVerifier
+    });
+    await this.stamper.setIdToken(idToken);
+    await this.storage.saveSession({
+      ...session,
+      status: "completed",
+      bearerToken,
+      authUserId,
+      pkceCodeVerifier: void 0
+      // no longer needed after code exchange
+    });
+    const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
+    return {
+      walletId,
+      organizationId,
+      provider,
+      accountDerivationIndex: 0,
+      // discoverWalletId uses derivation index of 0.
+      expiresInMs,
+      authUserId,
+      bearerToken
+    };
+  }
+};
+
+// src/providers/embedded/adapters/Auth2Stamper.ts
+var import_bs582 = __toESM(require("bs58"));
+var import_base64url = require("@phantom/base64url");
+var import_sdk_types = require("@phantom/sdk-types");
+var STORE_NAME = "crypto-keys";
+var ACTIVE_KEY = "auth2-p256-signing-key";
+var Auth2Stamper = class {
+  /**
+   * @param dbName - IndexedDB database name (use a unique name per app to
+   *   avoid key collisions with other stampers, e.g. `phantom-auth2-<appId>`).
+   */
+  constructor(dbName) {
+    this.dbName = dbName;
+    this.db = null;
+    this._keyPair = null;
+    this._keyInfo = null;
+    this._idToken = null;
+    this.algorithm = import_sdk_types.Algorithm.secp256r1;
+    this.type = "OIDC";
+  }
+  async init() {
+    await this.openDB();
+    const stored = await this.loadRecord();
+    if (stored) {
+      this._keyPair = stored.keyPair;
+      this._keyInfo = stored.keyInfo;
+      if (stored.idToken) {
+        this._idToken = stored.idToken;
+      }
+      return this._keyInfo;
+    }
+    return this.generateAndStore();
+  }
+  getKeyInfo() {
+    return this._keyInfo;
+  }
+  getCryptoKeyPair() {
+    return this._keyPair;
+  }
+  /**
+   * Arms the stamper with the OIDC id token for subsequent KMS stamp() calls.
+   *
+   * Persists the token to IndexedDB alongside the key pair so that
+   * auto-connect can restore it on the next page load without a new login.
+   */
+  async setIdToken(idToken) {
+    if (!this.db) {
+      await this.openDB();
+    }
+    this._idToken = idToken;
+    const existing = await this.loadRecord();
+    if (existing) {
+      await this.storeRecord({ ...existing, idToken });
+    }
+  }
+  async stamp(params) {
+    if (!this._keyPair || !this._keyInfo || this._idToken === null) {
+      throw new Error("Auth2Stamper not initialized. Call init() first.");
+    }
+    const signatureRaw = await crypto.subtle.sign(
+      { name: "ECDSA", hash: "SHA-256" },
+      this._keyPair.privateKey,
+      new Uint8Array(params.data)
+    );
+    const rawPublicKey = import_bs582.default.decode(this._keyInfo.publicKey);
+    const stampData = {
+      kind: this.type,
+      idToken: this._idToken,
+      publicKey: (0, import_base64url.base64urlEncode)(rawPublicKey),
+      algorithm: this.algorithm,
+      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
+      salt: "",
+      signature: (0, import_base64url.base64urlEncode)(new Uint8Array(signatureRaw))
+    };
+    return (0, import_base64url.base64urlEncode)(new TextEncoder().encode(JSON.stringify(stampData)));
+  }
+  async resetKeyPair() {
+    await this.clear();
+    return this.generateAndStore();
+  }
+  async clear() {
+    await this.clearStoredRecord();
+    this._keyPair = null;
+    this._keyInfo = null;
+    this._idToken = null;
+  }
+  // Auth2 doesn't use key rotation; provide minimal no-op implementations.
+  async rotateKeyPair() {
+    return this.init();
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await
+  async commitRotation(authenticatorId) {
+    if (this._keyInfo) {
+      this._keyInfo.authenticatorId = authenticatorId;
+    }
+  }
+  async rollbackRotation() {
+  }
+  async generateAndStore() {
+    const keyPair = await crypto.subtle.generateKey(
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      // non-extractable — private key never leaves Web Crypto
+      ["sign", "verify"]
+    );
+    const rawPublicKey = new Uint8Array(await crypto.subtle.exportKey("raw", keyPair.publicKey));
+    const publicKeyBase58 = import_bs582.default.encode(rawPublicKey);
+    const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
+    const keyId = (0, import_base64url.base64urlEncode)(new Uint8Array(keyIdBuffer)).substring(0, 16);
+    this._keyPair = keyPair;
+    this._keyInfo = {
+      keyId,
+      publicKey: publicKeyBase58,
+      createdAt: Date.now()
+    };
+    await this.storeRecord({ keyPair, keyInfo: this._keyInfo });
+    return this._keyInfo;
+  }
+  async openDB() {
+    return new Promise((resolve, reject) => {
+      const request = indexedDB.open(this.dbName, 1);
+      request.onsuccess = () => {
+        this.db = request.result;
+        resolve();
+      };
+      request.onerror = () => reject(request.error);
+      request.onupgradeneeded = (event) => {
+        const db = event.target.result;
+        if (!db.objectStoreNames.contains(STORE_NAME)) {
+          db.createObjectStore(STORE_NAME);
+        }
+      };
+    });
+  }
+  async loadRecord() {
+    return new Promise((resolve, reject) => {
+      if (!this.db) {
+        throw new Error("Database not initialized");
+      }
+      const request = this.db.transaction([STORE_NAME], "readonly").objectStore(STORE_NAME).get(ACTIVE_KEY);
+      request.onsuccess = () => {
+        resolve(request.result ?? null);
+      };
+      request.onerror = () => {
+        reject(request.error);
+      };
+    });
+  }
+  async storeRecord(record) {
+    return new Promise((resolve, reject) => {
+      if (!this.db) {
+        throw new Error("Database not initialized");
+      }
+      const request = this.db.transaction([STORE_NAME], "readwrite").objectStore(STORE_NAME).put(record, ACTIVE_KEY);
+      request.onsuccess = () => {
+        resolve();
+      };
+      request.onerror = () => {
+        reject(request.error);
+      };
+    });
+  }
+  async clearStoredRecord() {
+    return new Promise((resolve, reject) => {
+      if (!this.db) {
+        throw new Error("Database not initialized");
+      }
+      const request = this.db.transaction([STORE_NAME], "readwrite").objectStore(STORE_NAME).delete(ACTIVE_KEY);
+      request.onsuccess = () => {
+        resolve();
+      };
+      request.onerror = () => {
+        reject(request.error);
+      };
+    });
+  }
+};
+
 // src/providers/embedded/adapters/phantom-app.ts
 var import_browser_injected_sdk4 = require("@phantom/browser-injected-sdk");
 
@@ -3018,16 +3296,32 @@ var EmbeddedProvider = class extends import_embedded_provider_core.EmbeddedProvi
   constructor(config) {
     debug.log(DebugCategory.EMBEDDED_PROVIDER, "Initializing Browser EmbeddedProvider", { config });
     const urlParamsAccessor = new BrowserURLParamsAccessor();
-    const stamper = new import_indexed_db_stamper.IndexedDbStamper({
+    const storage = new BrowserStorage();
+    const stamper = config.unstable__auth2Options ? new Auth2Stamper(`phantom-auth2-${config.appId}`) : new import_indexed_db_stamper.IndexedDbStamper({
       dbName: `phantom-embedded-sdk-${config.appId}`,
       storeName: "crypto-keys",
       keyName: "signing-key"
     });
     const platformName = getPlatformName();
     const { name: browserName, version } = detectBrowser();
+    const authProvider = config.unstable__auth2Options && config.authOptions?.authUrl && config.authOptions?.redirectUrl && stamper instanceof Auth2Stamper ? new Auth2AuthProvider(
+      stamper,
+      storage,
+      urlParamsAccessor,
+      {
+        redirectUri: config.authOptions.redirectUrl,
+        connectLoginUrl: config.authOptions.authUrl,
+        clientId: config.unstable__auth2Options.clientId,
+        authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl
+      },
+      {
+        apiBaseUrl: config.apiBaseUrl,
+        appId: config.appId
+      }
+    ) : new BrowserAuthProvider(urlParamsAccessor);
     const platform = {
-      storage: new BrowserStorage(),
-      authProvider: new BrowserAuthProvider(urlParamsAccessor),
+      storage,
+      authProvider,
       phantomAppProvider: new BrowserPhantomAppProvider(),
       urlParamsAccessor,
       stamper,
@@ -3035,13 +3329,12 @@ var EmbeddedProvider = class extends import_embedded_provider_core.EmbeddedProvi
       // Use detected browser name and version for identification
       analyticsHeaders: {
         [import_constants4.ANALYTICS_HEADERS.SDK_TYPE]: "browser",
-        [import_constants4.ANALYTICS_HEADERS.PLATFORM]: browserName,
-        // firefox, chrome, safari, etc.
+        [import_constants4.ANALYTICS_HEADERS.PLATFORM]: "ext-sdk",
         [import_constants4.ANALYTICS_HEADERS.PLATFORM_VERSION]: version,
-        // Full user agent for more detailed info
+        [import_constants4.ANALYTICS_HEADERS.CLIENT]: browserName,
         [import_constants4.ANALYTICS_HEADERS.APP_ID]: config.appId,
         [import_constants4.ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [import_constants4.ANALYTICS_HEADERS.SDK_VERSION]: "1.0.3"
+        [import_constants4.ANALYTICS_HEADERS.SDK_VERSION]: "1.0.5"
         // Replaced at build time
       }
     };
@@ -3459,6 +3752,7 @@ var ProviderManager = class {
           authUrl,
           redirectUrl: this.config.authOptions?.redirectUrl || this.getValidatedCurrentUrl()
         },
+        unstable__auth2Options: this.config.unstable__auth2Options,
         embeddedWalletType: embeddedWalletType || import_constants5.DEFAULT_EMBEDDED_WALLET_TYPE,
         addressTypes: this.config.addressTypes || [import_client.AddressType.solana]
       });

package/dist/index.mjs

@@ -1755,16 +1755,11 @@ var InjectedProvider = class {
           walletName: walletInfo.name
         });
       } catch (err) {
-        debug.warn(DebugCategory.INJECTED_PROVIDER, "Failed to connect Solana, stopping", {
+        debug.warn(DebugCategory.INJECTED_PROVIDER, "Failed to connect Solana, continuing with other chains", {
           error: err,
           walletId: this.selectedWalletId,
           walletName: walletInfo.name
         });
-        this.emit("connect_error", {
-          error: err instanceof Error ? err.message : "Failed to connect",
-          source: options?.skipEventListeners ? "auto-connect" : "manual-connect"
-        });
-        throw err;
       }
     }
     if (this.addressTypes.includes(AddressType3.ethereum) && walletInfo.providers?.ethereum) {
@@ -1794,16 +1789,11 @@ var InjectedProvider = class {
           });
         }
       } catch (err) {
-        debug.warn(DebugCategory.INJECTED_PROVIDER, "Failed to connect Ethereum, stopping", {
+        debug.warn(DebugCategory.INJECTED_PROVIDER, "Failed to connect Ethereum, continuing with other chains", {
           error: err,
           walletId: this.selectedWalletId,
           walletName: walletInfo.name
         });
-        this.emit("connect_error", {
-          error: err instanceof Error ? err.message : "Failed to connect",
-          source: options?.skipEventListeners ? "auto-connect" : "manual-connect"
-        });
-        throw err;
       }
     }
     return connectedAddresses;
@@ -2724,7 +2714,7 @@ var BrowserAuthProvider = class {
         // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
         clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
         allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.3",
+        sdk_version: "1.0.5",
         sdk_type: "browser",
         platform: detectBrowser().name,
         algorithm: phantomOptions.algorithm || DEFAULT_AUTHENTICATOR_ALGORITHM
@@ -2755,7 +2745,7 @@ var BrowserAuthProvider = class {
       resolve();
     });
   }
-  resumeAuthFromRedirect(provider) {
+  async resumeAuthFromRedirect(provider) {
     try {
       const walletId = this.urlParamsAccessor.getParam("wallet_id");
       const sessionId = this.urlParamsAccessor.getParam("session_id");
@@ -2830,14 +2820,14 @@ var BrowserAuthProvider = class {
           }
         );
       }
-      return {
+      return Promise.resolve({
         walletId,
         organizationId,
         accountDerivationIndex: accountDerivationIndex ? parseInt(accountDerivationIndex) : 0,
         expiresInMs: expiresInMs ? parseInt(expiresInMs) : 0,
         authUserId: authUserId || void 0,
         provider
-      };
+      });
     } catch (error) {
       sessionStorage.removeItem("phantom-auth-context");
       throw error;
@@ -2845,6 +2835,299 @@ var BrowserAuthProvider = class {
   }
 };
 
+// src/providers/embedded/adapters/Auth2AuthProvider.ts
+import {
+  createCodeVerifier,
+  createConnectStartUrl,
+  exchangeAuthCode,
+  Auth2KmsRpcClient
+} from "@phantom/auth2";
+var Auth2AuthProvider = class {
+  constructor(stamper, storage, urlParamsAccessor, auth2ProviderOptions, kmsClientOptions) {
+    this.stamper = stamper;
+    this.storage = storage;
+    this.urlParamsAccessor = urlParamsAccessor;
+    this.auth2ProviderOptions = auth2ProviderOptions;
+    this.kms = new Auth2KmsRpcClient(stamper, kmsClientOptions);
+  }
+  /** Redirect the browser. Extracted as a static method so tests can spy on it. */
+  static navigate(url) {
+    window.location.href = url;
+  }
+  /**
+   * Builds the Auth2 /login/start URL and redirects the browser.
+   *
+   * Called by EmbeddedProvider.handleRedirectAuth() after the stamper has
+   * already been initialized and a pending Session has been saved to storage.
+   * We store the PKCE code_verifier into that session so it survives the page
+   * redirect without ever touching sessionStorage.
+   */
+  async authenticate(options) {
+    if (!this.stamper.getKeyInfo()) {
+      await this.stamper.init();
+    }
+    const keyPair = this.stamper.getCryptoKeyPair();
+    if (!keyPair) {
+      throw new Error("Stamper key pair not found.");
+    }
+    const codeVerifier = createCodeVerifier();
+    const session = await this.storage.getSession();
+    if (!session) {
+      throw new Error("Session not found.");
+    }
+    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
+    const url = await createConnectStartUrl({
+      keyPair,
+      connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
+      clientId: this.auth2ProviderOptions.clientId,
+      redirectUri: this.auth2ProviderOptions.redirectUri,
+      sessionId: options.sessionId,
+      provider: options.provider,
+      codeVerifier,
+      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
+      salt: ""
+    });
+    Auth2AuthProvider.navigate(url);
+  }
+  /**
+   * Processes the Auth2 callback after the browser returns from /login/start.
+   *
+   * Exchanges the authorization code for tokens, discovers the organization
+   * and wallet via KMS RPC, then returns a completed AuthResult.
+   */
+  async resumeAuthFromRedirect(provider) {
+    const code = this.urlParamsAccessor.getParam("code");
+    if (!code) {
+      return null;
+    }
+    if (!this.stamper.getKeyInfo()) {
+      await this.stamper.init();
+    }
+    const session = await this.storage.getSession();
+    if (!session) {
+      throw new Error("Session not found.");
+    }
+    const codeVerifier = session?.pkceCodeVerifier;
+    if (!codeVerifier) {
+      return null;
+    }
+    const state = this.urlParamsAccessor.getParam("state");
+    if (!state || state !== session.sessionId) {
+      throw new Error("Missing or invalid Auth2 state parameter \u2014 possible CSRF attack.");
+    }
+    const error = this.urlParamsAccessor.getParam("error");
+    if (error) {
+      const description = this.urlParamsAccessor.getParam("error_description");
+      throw new Error(`Auth2 callback error: ${description ?? error}`);
+    }
+    const { idToken, bearerToken, authUserId, expiresInMs } = await exchangeAuthCode({
+      authApiBaseUrl: this.auth2ProviderOptions.authApiBaseUrl,
+      clientId: this.auth2ProviderOptions.clientId,
+      redirectUri: this.auth2ProviderOptions.redirectUri,
+      code,
+      codeVerifier
+    });
+    await this.stamper.setIdToken(idToken);
+    await this.storage.saveSession({
+      ...session,
+      status: "completed",
+      bearerToken,
+      authUserId,
+      pkceCodeVerifier: void 0
+      // no longer needed after code exchange
+    });
+    const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
+    return {
+      walletId,
+      organizationId,
+      provider,
+      accountDerivationIndex: 0,
+      // discoverWalletId uses derivation index of 0.
+      expiresInMs,
+      authUserId,
+      bearerToken
+    };
+  }
+};
+
+// src/providers/embedded/adapters/Auth2Stamper.ts
+import bs582 from "bs58";
+import { base64urlEncode } from "@phantom/base64url";
+import { Algorithm } from "@phantom/sdk-types";
+var STORE_NAME = "crypto-keys";
+var ACTIVE_KEY = "auth2-p256-signing-key";
+var Auth2Stamper = class {
+  /**
+   * @param dbName - IndexedDB database name (use a unique name per app to
+   *   avoid key collisions with other stampers, e.g. `phantom-auth2-<appId>`).
+   */
+  constructor(dbName) {
+    this.dbName = dbName;
+    this.db = null;
+    this._keyPair = null;
+    this._keyInfo = null;
+    this._idToken = null;
+    this.algorithm = Algorithm.secp256r1;
+    this.type = "OIDC";
+  }
+  async init() {
+    await this.openDB();
+    const stored = await this.loadRecord();
+    if (stored) {
+      this._keyPair = stored.keyPair;
+      this._keyInfo = stored.keyInfo;
+      if (stored.idToken) {
+        this._idToken = stored.idToken;
+      }
+      return this._keyInfo;
+    }
+    return this.generateAndStore();
+  }
+  getKeyInfo() {
+    return this._keyInfo;
+  }
+  getCryptoKeyPair() {
+    return this._keyPair;
+  }
+  /**
+   * Arms the stamper with the OIDC id token for subsequent KMS stamp() calls.
+   *
+   * Persists the token to IndexedDB alongside the key pair so that
+   * auto-connect can restore it on the next page load without a new login.
+   */
+  async setIdToken(idToken) {
+    if (!this.db) {
+      await this.openDB();
+    }
+    this._idToken = idToken;
+    const existing = await this.loadRecord();
+    if (existing) {
+      await this.storeRecord({ ...existing, idToken });
+    }
+  }
+  async stamp(params) {
+    if (!this._keyPair || !this._keyInfo || this._idToken === null) {
+      throw new Error("Auth2Stamper not initialized. Call init() first.");
+    }
+    const signatureRaw = await crypto.subtle.sign(
+      { name: "ECDSA", hash: "SHA-256" },
+      this._keyPair.privateKey,
+      new Uint8Array(params.data)
+    );
+    const rawPublicKey = bs582.decode(this._keyInfo.publicKey);
+    const stampData = {
+      kind: this.type,
+      idToken: this._idToken,
+      publicKey: base64urlEncode(rawPublicKey),
+      algorithm: this.algorithm,
+      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
+      salt: "",
+      signature: base64urlEncode(new Uint8Array(signatureRaw))
+    };
+    return base64urlEncode(new TextEncoder().encode(JSON.stringify(stampData)));
+  }
+  async resetKeyPair() {
+    await this.clear();
+    return this.generateAndStore();
+  }
+  async clear() {
+    await this.clearStoredRecord();
+    this._keyPair = null;
+    this._keyInfo = null;
+    this._idToken = null;
+  }
+  // Auth2 doesn't use key rotation; provide minimal no-op implementations.
+  async rotateKeyPair() {
+    return this.init();
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await
+  async commitRotation(authenticatorId) {
+    if (this._keyInfo) {
+      this._keyInfo.authenticatorId = authenticatorId;
+    }
+  }
+  async rollbackRotation() {
+  }
+  async generateAndStore() {
+    const keyPair = await crypto.subtle.generateKey(
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      // non-extractable — private key never leaves Web Crypto
+      ["sign", "verify"]
+    );
+    const rawPublicKey = new Uint8Array(await crypto.subtle.exportKey("raw", keyPair.publicKey));
+    const publicKeyBase58 = bs582.encode(rawPublicKey);
+    const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
+    const keyId = base64urlEncode(new Uint8Array(keyIdBuffer)).substring(0, 16);
+    this._keyPair = keyPair;
+    this._keyInfo = {
+      keyId,
+      publicKey: publicKeyBase58,
+      createdAt: Date.now()
+    };
+    await this.storeRecord({ keyPair, keyInfo: this._keyInfo });
+    return this._keyInfo;
+  }
+  async openDB() {
+    return new Promise((resolve, reject) => {
+      const request = indexedDB.open(this.dbName, 1);
+      request.onsuccess = () => {
+        this.db = request.result;
+        resolve();
+      };
+      request.onerror = () => reject(request.error);
+      request.onupgradeneeded = (event) => {
+        const db = event.target.result;
+        if (!db.objectStoreNames.contains(STORE_NAME)) {
+          db.createObjectStore(STORE_NAME);
+        }
+      };
+    });
+  }
+  async loadRecord() {
+    return new Promise((resolve, reject) => {
+      if (!this.db) {
+        throw new Error("Database not initialized");
+      }
+      const request = this.db.transaction([STORE_NAME], "readonly").objectStore(STORE_NAME).get(ACTIVE_KEY);
+      request.onsuccess = () => {
+        resolve(request.result ?? null);
+      };
+      request.onerror = () => {
+        reject(request.error);
+      };
+    });
+  }
+  async storeRecord(record) {
+    return new Promise((resolve, reject) => {
+      if (!this.db) {
+        throw new Error("Database not initialized");
+      }
+      const request = this.db.transaction([STORE_NAME], "readwrite").objectStore(STORE_NAME).put(record, ACTIVE_KEY);
+      request.onsuccess = () => {
+        resolve();
+      };
+      request.onerror = () => {
+        reject(request.error);
+      };
+    });
+  }
+  async clearStoredRecord() {
+    return new Promise((resolve, reject) => {
+      if (!this.db) {
+        throw new Error("Database not initialized");
+      }
+      const request = this.db.transaction([STORE_NAME], "readwrite").objectStore(STORE_NAME).delete(ACTIVE_KEY);
+      request.onsuccess = () => {
+        resolve();
+      };
+      request.onerror = () => {
+        reject(request.error);
+      };
+    });
+  }
+};
+
 // src/providers/embedded/adapters/phantom-app.ts
 import { isPhantomExtensionInstalled as isPhantomExtensionInstalled3 } from "@phantom/browser-injected-sdk";
 
@@ -2968,16 +3251,32 @@ var EmbeddedProvider = class extends CoreEmbeddedProvider {
   constructor(config) {
     debug.log(DebugCategory.EMBEDDED_PROVIDER, "Initializing Browser EmbeddedProvider", { config });
     const urlParamsAccessor = new BrowserURLParamsAccessor();
-    const stamper = new IndexedDbStamper({
+    const storage = new BrowserStorage();
+    const stamper = config.unstable__auth2Options ? new Auth2Stamper(`phantom-auth2-${config.appId}`) : new IndexedDbStamper({
       dbName: `phantom-embedded-sdk-${config.appId}`,
       storeName: "crypto-keys",
       keyName: "signing-key"
     });
     const platformName = getPlatformName();
     const { name: browserName, version } = detectBrowser();
+    const authProvider = config.unstable__auth2Options && config.authOptions?.authUrl && config.authOptions?.redirectUrl && stamper instanceof Auth2Stamper ? new Auth2AuthProvider(
+      stamper,
+      storage,
+      urlParamsAccessor,
+      {
+        redirectUri: config.authOptions.redirectUrl,
+        connectLoginUrl: config.authOptions.authUrl,
+        clientId: config.unstable__auth2Options.clientId,
+        authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl
+      },
+      {
+        apiBaseUrl: config.apiBaseUrl,
+        appId: config.appId
+      }
+    ) : new BrowserAuthProvider(urlParamsAccessor);
     const platform = {
-      storage: new BrowserStorage(),
-      authProvider: new BrowserAuthProvider(urlParamsAccessor),
+      storage,
+      authProvider,
       phantomAppProvider: new BrowserPhantomAppProvider(),
       urlParamsAccessor,
       stamper,
@@ -2985,13 +3284,12 @@ var EmbeddedProvider = class extends CoreEmbeddedProvider {
       // Use detected browser name and version for identification
       analyticsHeaders: {
         [ANALYTICS_HEADERS.SDK_TYPE]: "browser",
-        [ANALYTICS_HEADERS.PLATFORM]: browserName,
-        // firefox, chrome, safari, etc.
+        [ANALYTICS_HEADERS.PLATFORM]: "ext-sdk",
         [ANALYTICS_HEADERS.PLATFORM_VERSION]: version,
-        // Full user agent for more detailed info
+        [ANALYTICS_HEADERS.CLIENT]: browserName,
         [ANALYTICS_HEADERS.APP_ID]: config.appId,
         [ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [ANALYTICS_HEADERS.SDK_VERSION]: "1.0.3"
+        [ANALYTICS_HEADERS.SDK_VERSION]: "1.0.5"
         // Replaced at build time
       }
     };
@@ -3411,6 +3709,7 @@ var ProviderManager = class {
           authUrl,
           redirectUrl: this.config.authOptions?.redirectUrl || this.getValidatedCurrentUrl()
         },
+        unstable__auth2Options: this.config.unstable__auth2Options,
         embeddedWalletType: embeddedWalletType || DEFAULT_EMBEDDED_WALLET_TYPE,
         addressTypes: this.config.addressTypes || [AddressType.solana]
       });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@phantom/browser-sdk",
-  "version": "1.0.3",
+  "version": "1.0.5",
   "description": "Browser SDK for Phantom Wallet",
   "repository": {
     "type": "git",
@@ -33,15 +33,16 @@
     "prettier": "prettier --write \"src/**/*.{ts,tsx}\""
   },
   "dependencies": {
-    "@phantom/base64url": "^1.0.3",
-    "@phantom/browser-injected-sdk": "^1.0.3",
-    "@phantom/chain-interfaces": "^1.0.3",
-    "@phantom/client": "^1.0.3",
-    "@phantom/constants": "^1.0.3",
-    "@phantom/embedded-provider-core": "^1.0.3",
-    "@phantom/indexed-db-stamper": "^1.0.3",
-    "@phantom/parsers": "^1.0.3",
-    "@phantom/sdk-types": "^1.0.3",
+    "@phantom/auth2": "^1.0.1",
+    "@phantom/base64url": "^1.0.5",
+    "@phantom/browser-injected-sdk": "^1.0.5",
+    "@phantom/chain-interfaces": "^1.0.5",
+    "@phantom/client": "^1.0.5",
+    "@phantom/constants": "^1.0.5",
+    "@phantom/embedded-provider-core": "^1.0.5",
+    "@phantom/indexed-db-stamper": "^1.0.5",
+    "@phantom/parsers": "^1.0.5",
+    "@phantom/sdk-types": "^1.0.5",
     "axios": "^1.10.0",
     "bs58": "^6.0.0",
     "buffer": "^6.0.3",