@phantom/browser-sdk 1.0.4 → 1.0.6

package/dist/index.js

@@ -34,8 +34,8 @@ __export(src_exports, {
   BrowserSDK: () => BrowserSDK,
   DebugCategory: () => DebugCategory,
   DebugLevel: () => DebugLevel,
-  NetworkId: () => import_constants7.NetworkId,
-  PHANTOM_ICON: () => import_constants8.PHANTOM_ICON,
+  NetworkId: () => import_constants8.NetworkId,
+  PHANTOM_ICON: () => import_constants9.PHANTOM_ICON,
   debug: () => debug,
   detectBrowser: () => detectBrowser,
   getBrowserDisplayName: () => getBrowserDisplayName,
@@ -2764,7 +2764,7 @@ var BrowserAuthProvider = class {
         // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
         clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
         allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.4",
+        sdk_version: "1.0.6",
         sdk_type: "browser",
         platform: detectBrowser().name,
         algorithm: phantomOptions.algorithm || import_constants3.DEFAULT_AUTHENTICATOR_ALGORITHM
@@ -2904,8 +2904,8 @@ var Auth2AuthProvider = class {
    *
    * Called by EmbeddedProvider.handleRedirectAuth() after the stamper has
    * already been initialized and a pending Session has been saved to storage.
-   * We store the PKCE code_verifier and salt into that session so they survive
-   * the page redirect without ever touching sessionStorage.
+   * We store the PKCE code_verifier into that session so it survives the page
+   * redirect without ever touching sessionStorage.
    */
   async authenticate(options) {
     if (!this.stamper.getKeyInfo()) {
@@ -2916,12 +2916,11 @@ var Auth2AuthProvider = class {
       throw new Error("Stamper key pair not found.");
     }
     const codeVerifier = (0, import_auth2.createCodeVerifier)();
-    const salt = (0, import_auth2.createSalt)();
     const session = await this.storage.getSession();
     if (!session) {
       throw new Error("Session not found.");
     }
-    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier, salt });
+    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
     const url = await (0, import_auth2.createConnectStartUrl)({
       keyPair,
       connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
@@ -2930,7 +2929,8 @@ var Auth2AuthProvider = class {
       sessionId: options.sessionId,
       provider: options.provider,
       codeVerifier,
-      salt
+      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
+      salt: ""
     });
     Auth2AuthProvider.navigate(url);
   }
@@ -2965,24 +2965,21 @@ var Auth2AuthProvider = class {
       const description = this.urlParamsAccessor.getParam("error_description");
       throw new Error(`Auth2 callback error: ${description ?? error}`);
     }
-    const { idToken, bearerToken, authUserId, expiresInMs } = await (0, import_auth2.exchangeAuthCode)({
+    const { idToken, bearerToken, authUserId, expiresInMs, refreshToken } = await (0, import_auth2.exchangeAuthCode)({
       authApiBaseUrl: this.auth2ProviderOptions.authApiBaseUrl,
       clientId: this.auth2ProviderOptions.clientId,
       redirectUri: this.auth2ProviderOptions.redirectUri,
       code,
       codeVerifier
     });
-    this.stamper.idToken = idToken;
-    this.stamper.salt = session?.salt;
+    await this.stamper.setTokens({ idToken, bearerToken, refreshToken, expiresInMs });
     await this.storage.saveSession({
       ...session,
       status: "completed",
       bearerToken,
       authUserId,
-      pkceCodeVerifier: void 0,
+      pkceCodeVerifier: void 0
       // no longer needed after code exchange
-      salt: void 0
-      // no longer needed after nonce binding is complete
     });
     const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
     return {
@@ -3002,27 +2999,48 @@ var Auth2AuthProvider = class {
 var import_bs582 = __toESM(require("bs58"));
 var import_base64url = require("@phantom/base64url");
 var import_sdk_types = require("@phantom/sdk-types");
+var import_auth22 = require("@phantom/auth2");
+var import_constants4 = require("@phantom/constants");
 var STORE_NAME = "crypto-keys";
 var ACTIVE_KEY = "auth2-p256-signing-key";
 var Auth2Stamper = class {
   /**
    * @param dbName - IndexedDB database name (use a unique name per app to
    *   avoid key collisions with other stampers, e.g. `phantom-auth2-<appId>`).
+   * @param refreshConfig - When provided, the stamper will automatically refresh
+   *   the id_token using the refresh_token before it expires.
    */
-  constructor(dbName) {
+  constructor(dbName, refreshConfig) {
     this.dbName = dbName;
+    this.refreshConfig = refreshConfig;
     this.db = null;
-    this.keyPair = null;
+    this._keyPair = null;
     this._keyInfo = null;
+    this._idToken = null;
+    this._bearerToken = null;
+    this._refreshToken = null;
+    this._tokenExpiresAt = null;
     this.algorithm = import_sdk_types.Algorithm.secp256r1;
-    this.type = "PKI";
+    this.type = "OIDC";
   }
   async init() {
     await this.openDB();
-    const stored = await this.loadKeyPair();
+    const stored = await this.loadRecord();
     if (stored) {
-      this.keyPair = stored.keyPair;
+      this._keyPair = stored.keyPair;
       this._keyInfo = stored.keyInfo;
+      if (stored.idToken) {
+        this._idToken = stored.idToken;
+      }
+      if (stored.bearerToken) {
+        this._bearerToken = stored.bearerToken;
+      }
+      if (stored.refreshToken) {
+        this._refreshToken = stored.refreshToken;
+      }
+      if (stored.tokenExpiresAt) {
+        this._tokenExpiresAt = stored.tokenExpiresAt;
+      }
       return this._keyInfo;
     }
     return this.generateAndStore();
@@ -3031,41 +3049,99 @@ var Auth2Stamper = class {
     return this._keyInfo;
   }
   getCryptoKeyPair() {
-    return this.keyPair;
+    return this._keyPair;
+  }
+  /**
+   * Returns the current token state (refreshing proactively if near expiry),
+   * or null if no token has been set yet.
+   */
+  async getTokens() {
+    if (this.refreshConfig && this._refreshToken && this._tokenExpiresAt !== null && Date.now() >= this._tokenExpiresAt - import_constants4.TOKEN_REFRESH_BUFFER_MS) {
+      const refreshed = await (0, import_auth22.refreshToken)({
+        authApiBaseUrl: this.refreshConfig.authApiBaseUrl,
+        clientId: this.refreshConfig.clientId,
+        redirectUri: this.refreshConfig.redirectUri,
+        refreshToken: this._refreshToken
+      });
+      await this.setTokens(refreshed);
+    }
+    if (!this._idToken || !this._bearerToken) {
+      return null;
+    }
+    return {
+      idToken: this._idToken,
+      bearerToken: this._bearerToken,
+      refreshToken: this._refreshToken ?? void 0
+    };
+  }
+  /**
+   * Arms the stamper with the OIDC token data for subsequent KMS stamp() calls.
+   *
+   * Persists the tokens to IndexedDB alongside the key pair so that
+   * auto-connect can restore them on the next page load without a new login.
+   *
+   * @param refreshToken - When provided alongside a `refreshConfig`, enables
+   *   silent token refresh before the token expires.
+   * @param expiresInMs - Token lifetime in milliseconds (from `expires_in * 1000`).
+   *   Used to compute the absolute expiry time for proactive refresh.
+   */
+  async setTokens({
+    idToken,
+    bearerToken,
+    refreshToken,
+    expiresInMs
+  }) {
+    if (!this.db) {
+      await this.openDB();
+    }
+    this._idToken = idToken;
+    this._bearerToken = bearerToken;
+    this._refreshToken = refreshToken ?? null;
+    this._tokenExpiresAt = expiresInMs != null ? Date.now() + expiresInMs : null;
+    const existing = await this.loadRecord();
+    if (existing) {
+      await this.storeRecord({
+        ...existing,
+        idToken,
+        bearerToken,
+        refreshToken,
+        tokenExpiresAt: this._tokenExpiresAt ?? void 0
+      });
+    }
   }
   async stamp(params) {
-    if (!this.keyPair || !this._keyInfo) {
+    if (!this._keyPair || !this._keyInfo || this._idToken === null) {
       throw new Error("Auth2Stamper not initialized. Call init() first.");
     }
     const signatureRaw = await crypto.subtle.sign(
       { name: "ECDSA", hash: "SHA-256" },
-      this.keyPair.privateKey,
+      this._keyPair.privateKey,
       new Uint8Array(params.data)
     );
     const rawPublicKey = import_bs582.default.decode(this._keyInfo.publicKey);
-    if (this.idToken === void 0 || this.salt === void 0) {
-      throw new Error("Auth2Stamper not initialized with idToken or salt.");
-    }
     const stampData = {
-      kind: "OIDC",
-      idToken: this.idToken,
+      kind: this.type,
+      idToken: this._idToken,
       publicKey: (0, import_base64url.base64urlEncode)(rawPublicKey),
-      algorithm: "Secp256r1",
-      salt: this.salt,
+      algorithm: this.algorithm,
+      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
+      salt: "",
       signature: (0, import_base64url.base64urlEncode)(new Uint8Array(signatureRaw))
     };
     return (0, import_base64url.base64urlEncode)(new TextEncoder().encode(JSON.stringify(stampData)));
   }
   async resetKeyPair() {
-    await this.clearStoredKey();
-    this.keyPair = null;
-    this._keyInfo = null;
+    await this.clear();
     return this.generateAndStore();
   }
   async clear() {
-    await this.clearStoredKey();
-    this.keyPair = null;
+    await this.clearStoredRecord();
+    this._keyPair = null;
     this._keyInfo = null;
+    this._idToken = null;
+    this._bearerToken = null;
+    this._refreshToken = null;
+    this._tokenExpiresAt = null;
   }
   // Auth2 doesn't use key rotation; provide minimal no-op implementations.
   async rotateKeyPair() {
@@ -3090,13 +3166,13 @@ var Auth2Stamper = class {
     const publicKeyBase58 = import_bs582.default.encode(rawPublicKey);
     const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
     const keyId = (0, import_base64url.base64urlEncode)(new Uint8Array(keyIdBuffer)).substring(0, 16);
-    this.keyPair = keyPair;
+    this._keyPair = keyPair;
     this._keyInfo = {
       keyId,
       publicKey: publicKeyBase58,
       createdAt: Date.now()
     };
-    await this.storeKeyPair(keyPair, this._keyInfo);
+    await this.storeRecord({ keyPair, keyInfo: this._keyInfo });
     return this._keyInfo;
   }
   async openDB() {
@@ -3115,7 +3191,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async loadKeyPair() {
+  async loadRecord() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3129,12 +3205,12 @@ var Auth2Stamper = class {
       };
     });
   }
-  async storeKeyPair(keyPair, keyInfo) {
+  async storeRecord(record) {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
       }
-      const request = this.db.transaction([STORE_NAME], "readwrite").objectStore(STORE_NAME).put({ keyPair, keyInfo }, ACTIVE_KEY);
+      const request = this.db.transaction([STORE_NAME], "readwrite").objectStore(STORE_NAME).put(record, ACTIVE_KEY);
       request.onsuccess = () => {
         resolve();
       };
@@ -3143,7 +3219,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async clearStoredKey() {
+  async clearStoredRecord() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3262,28 +3338,32 @@ var BrowserPhantomAppProvider = class {
 
 // src/providers/embedded/adapters/logger.ts
 var BrowserLogger = class {
-  info(category, message, data) {
-    debug.info(category, message, data);
+  info(message, ...args) {
+    debug.info(message, args.length > 0 ? String(args[0]) : "", args[1]);
   }
-  warn(category, message, data) {
-    debug.warn(category, message, data);
+  warn(message, ...args) {
+    debug.warn(message, args.length > 0 ? String(args[0]) : "", args[1]);
   }
-  error(category, message, data) {
-    debug.error(category, message, data);
+  error(message, ...args) {
+    debug.error(message, args.length > 0 ? String(args[0]) : "", args[1]);
   }
-  log(category, message, data) {
-    debug.log(category, message, data);
+  debug(message, ...args) {
+    debug.log(message, args.length > 0 ? String(args[0]) : "", args[1]);
   }
 };
 
 // src/providers/embedded/index.ts
-var import_constants4 = require("@phantom/constants");
+var import_constants5 = require("@phantom/constants");
 var EmbeddedProvider = class extends import_embedded_provider_core.EmbeddedProvider {
   constructor(config) {
     debug.log(DebugCategory.EMBEDDED_PROVIDER, "Initializing Browser EmbeddedProvider", { config });
     const urlParamsAccessor = new BrowserURLParamsAccessor();
     const storage = new BrowserStorage();
-    const stamper = config.unstable__auth2Options ? new Auth2Stamper(`phantom-auth2-${config.appId}`) : new import_indexed_db_stamper.IndexedDbStamper({
+    const stamper = config.unstable__auth2Options ? new Auth2Stamper(`phantom-auth2-${config.appId}`, {
+      authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl,
+      clientId: config.unstable__auth2Options.clientId,
+      redirectUri: config.authOptions?.redirectUrl ?? ""
+    }) : new import_indexed_db_stamper.IndexedDbStamper({
       dbName: `phantom-embedded-sdk-${config.appId}`,
       storeName: "crypto-keys",
       keyName: "signing-key"
@@ -3314,13 +3394,13 @@ var EmbeddedProvider = class extends import_embedded_provider_core.EmbeddedProvi
       name: platformName,
       // Use detected browser name and version for identification
       analyticsHeaders: {
-        [import_constants4.ANALYTICS_HEADERS.SDK_TYPE]: "browser",
-        [import_constants4.ANALYTICS_HEADERS.PLATFORM]: "ext-sdk",
-        [import_constants4.ANALYTICS_HEADERS.PLATFORM_VERSION]: version,
-        [import_constants4.ANALYTICS_HEADERS.CLIENT]: browserName,
-        [import_constants4.ANALYTICS_HEADERS.APP_ID]: config.appId,
-        [import_constants4.ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [import_constants4.ANALYTICS_HEADERS.SDK_VERSION]: "1.0.4"
+        [import_constants5.ANALYTICS_HEADERS.SDK_TYPE]: "browser",
+        [import_constants5.ANALYTICS_HEADERS.PLATFORM]: "ext-sdk",
+        [import_constants5.ANALYTICS_HEADERS.PLATFORM_VERSION]: version,
+        [import_constants5.ANALYTICS_HEADERS.CLIENT]: browserName,
+        [import_constants5.ANALYTICS_HEADERS.APP_ID]: config.appId,
+        [import_constants5.ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
+        [import_constants5.ANALYTICS_HEADERS.SDK_VERSION]: "1.0.6"
         // Replaced at build time
       }
     };
@@ -3337,7 +3417,7 @@ var EmbeddedProvider = class extends import_embedded_provider_core.EmbeddedProvi
 
 // src/ProviderManager.ts
 var import_embedded_provider_core2 = require("@phantom/embedded-provider-core");
-var import_constants5 = require("@phantom/constants");
+var import_constants6 = require("@phantom/constants");
 
 // src/utils/auth-callback.ts
 function isAuthFailureCallback(searchParams) {
@@ -3728,8 +3808,8 @@ var ProviderManager = class {
       if (!this.config.appId) {
         throw new Error("appId is required for embedded provider");
       }
-      const apiBaseUrl = this.config.apiBaseUrl || import_constants5.DEFAULT_WALLET_API_URL;
-      const authUrl = this.config.authOptions?.authUrl || import_constants5.DEFAULT_AUTH_URL;
+      const apiBaseUrl = this.config.apiBaseUrl || import_constants6.DEFAULT_WALLET_API_URL;
+      const authUrl = this.config.authOptions?.authUrl || import_constants6.DEFAULT_AUTH_URL;
       provider = new EmbeddedProvider({
         apiBaseUrl,
         appId: this.config.appId,
@@ -3739,7 +3819,7 @@ var ProviderManager = class {
           redirectUrl: this.config.authOptions?.redirectUrl || this.getValidatedCurrentUrl()
         },
         unstable__auth2Options: this.config.unstable__auth2Options,
-        embeddedWalletType: embeddedWalletType || import_constants5.DEFAULT_EMBEDDED_WALLET_TYPE,
+        embeddedWalletType: embeddedWalletType || import_constants6.DEFAULT_EMBEDDED_WALLET_TYPE,
         addressTypes: this.config.addressTypes || [import_client.AddressType.solana]
       });
     } else {
@@ -3775,7 +3855,7 @@ var ProviderManager = class {
 
 // src/BrowserSDK.ts
 var import_embedded_provider_core3 = require("@phantom/embedded-provider-core");
-var import_constants6 = require("@phantom/constants");
+var import_constants7 = require("@phantom/constants");
 var BROWSER_SDK_PROVIDER_TYPES = [
   ...import_embedded_provider_core3.EMBEDDED_PROVIDER_AUTH_TYPES,
   "injected",
@@ -3811,7 +3891,7 @@ var BrowserSDK = class {
       });
       throw new Error("appId is required when using embedded providers (google, apple, phantom, etc.)");
     }
-    const embeddedWalletType = config.embeddedWalletType || import_constants6.DEFAULT_EMBEDDED_WALLET_TYPE;
+    const embeddedWalletType = config.embeddedWalletType || import_constants7.DEFAULT_EMBEDDED_WALLET_TYPE;
     if (!["app-wallet", "user-wallet"].includes(embeddedWalletType)) {
       debug.error(DebugCategory.BROWSER_SDK, "Invalid embeddedWalletType", {
         embeddedWalletType: config.embeddedWalletType
@@ -4086,6 +4166,6 @@ var BrowserSDK = class {
 };
 
 // src/index.ts
-var import_constants7 = require("@phantom/constants");
-var import_client5 = require("@phantom/client");
 var import_constants8 = require("@phantom/constants");
+var import_client5 = require("@phantom/client");
+var import_constants9 = require("@phantom/constants");

package/dist/index.mjs

@@ -2714,7 +2714,7 @@ var BrowserAuthProvider = class {
         // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
         clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
         allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.4",
+        sdk_version: "1.0.6",
         sdk_type: "browser",
         platform: detectBrowser().name,
         algorithm: phantomOptions.algorithm || DEFAULT_AUTHENTICATOR_ALGORITHM
@@ -2838,7 +2838,6 @@ var BrowserAuthProvider = class {
 // src/providers/embedded/adapters/Auth2AuthProvider.ts
 import {
   createCodeVerifier,
-  createSalt,
   createConnectStartUrl,
   exchangeAuthCode,
   Auth2KmsRpcClient
@@ -2860,8 +2859,8 @@ var Auth2AuthProvider = class {
    *
    * Called by EmbeddedProvider.handleRedirectAuth() after the stamper has
    * already been initialized and a pending Session has been saved to storage.
-   * We store the PKCE code_verifier and salt into that session so they survive
-   * the page redirect without ever touching sessionStorage.
+   * We store the PKCE code_verifier into that session so it survives the page
+   * redirect without ever touching sessionStorage.
    */
   async authenticate(options) {
     if (!this.stamper.getKeyInfo()) {
@@ -2872,12 +2871,11 @@ var Auth2AuthProvider = class {
       throw new Error("Stamper key pair not found.");
     }
     const codeVerifier = createCodeVerifier();
-    const salt = createSalt();
     const session = await this.storage.getSession();
     if (!session) {
       throw new Error("Session not found.");
     }
-    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier, salt });
+    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
     const url = await createConnectStartUrl({
       keyPair,
       connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
@@ -2886,7 +2884,8 @@ var Auth2AuthProvider = class {
       sessionId: options.sessionId,
       provider: options.provider,
       codeVerifier,
-      salt
+      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
+      salt: ""
     });
     Auth2AuthProvider.navigate(url);
   }
@@ -2921,24 +2920,21 @@ var Auth2AuthProvider = class {
       const description = this.urlParamsAccessor.getParam("error_description");
       throw new Error(`Auth2 callback error: ${description ?? error}`);
     }
-    const { idToken, bearerToken, authUserId, expiresInMs } = await exchangeAuthCode({
+    const { idToken, bearerToken, authUserId, expiresInMs, refreshToken } = await exchangeAuthCode({
       authApiBaseUrl: this.auth2ProviderOptions.authApiBaseUrl,
       clientId: this.auth2ProviderOptions.clientId,
       redirectUri: this.auth2ProviderOptions.redirectUri,
       code,
       codeVerifier
     });
-    this.stamper.idToken = idToken;
-    this.stamper.salt = session?.salt;
+    await this.stamper.setTokens({ idToken, bearerToken, refreshToken, expiresInMs });
     await this.storage.saveSession({
       ...session,
       status: "completed",
       bearerToken,
       authUserId,
-      pkceCodeVerifier: void 0,
+      pkceCodeVerifier: void 0
       // no longer needed after code exchange
-      salt: void 0
-      // no longer needed after nonce binding is complete
     });
     const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
     return {
@@ -2958,27 +2954,48 @@ var Auth2AuthProvider = class {
 import bs582 from "bs58";
 import { base64urlEncode } from "@phantom/base64url";
 import { Algorithm } from "@phantom/sdk-types";
+import { refreshToken as refreshTokenRequest } from "@phantom/auth2";
+import { TOKEN_REFRESH_BUFFER_MS } from "@phantom/constants";
 var STORE_NAME = "crypto-keys";
 var ACTIVE_KEY = "auth2-p256-signing-key";
 var Auth2Stamper = class {
   /**
    * @param dbName - IndexedDB database name (use a unique name per app to
    *   avoid key collisions with other stampers, e.g. `phantom-auth2-<appId>`).
+   * @param refreshConfig - When provided, the stamper will automatically refresh
+   *   the id_token using the refresh_token before it expires.
    */
-  constructor(dbName) {
+  constructor(dbName, refreshConfig) {
     this.dbName = dbName;
+    this.refreshConfig = refreshConfig;
     this.db = null;
-    this.keyPair = null;
+    this._keyPair = null;
     this._keyInfo = null;
+    this._idToken = null;
+    this._bearerToken = null;
+    this._refreshToken = null;
+    this._tokenExpiresAt = null;
     this.algorithm = Algorithm.secp256r1;
-    this.type = "PKI";
+    this.type = "OIDC";
   }
   async init() {
     await this.openDB();
-    const stored = await this.loadKeyPair();
+    const stored = await this.loadRecord();
     if (stored) {
-      this.keyPair = stored.keyPair;
+      this._keyPair = stored.keyPair;
       this._keyInfo = stored.keyInfo;
+      if (stored.idToken) {
+        this._idToken = stored.idToken;
+      }
+      if (stored.bearerToken) {
+        this._bearerToken = stored.bearerToken;
+      }
+      if (stored.refreshToken) {
+        this._refreshToken = stored.refreshToken;
+      }
+      if (stored.tokenExpiresAt) {
+        this._tokenExpiresAt = stored.tokenExpiresAt;
+      }
       return this._keyInfo;
     }
     return this.generateAndStore();
@@ -2987,41 +3004,99 @@ var Auth2Stamper = class {
     return this._keyInfo;
   }
   getCryptoKeyPair() {
-    return this.keyPair;
+    return this._keyPair;
+  }
+  /**
+   * Returns the current token state (refreshing proactively if near expiry),
+   * or null if no token has been set yet.
+   */
+  async getTokens() {
+    if (this.refreshConfig && this._refreshToken && this._tokenExpiresAt !== null && Date.now() >= this._tokenExpiresAt - TOKEN_REFRESH_BUFFER_MS) {
+      const refreshed = await refreshTokenRequest({
+        authApiBaseUrl: this.refreshConfig.authApiBaseUrl,
+        clientId: this.refreshConfig.clientId,
+        redirectUri: this.refreshConfig.redirectUri,
+        refreshToken: this._refreshToken
+      });
+      await this.setTokens(refreshed);
+    }
+    if (!this._idToken || !this._bearerToken) {
+      return null;
+    }
+    return {
+      idToken: this._idToken,
+      bearerToken: this._bearerToken,
+      refreshToken: this._refreshToken ?? void 0
+    };
+  }
+  /**
+   * Arms the stamper with the OIDC token data for subsequent KMS stamp() calls.
+   *
+   * Persists the tokens to IndexedDB alongside the key pair so that
+   * auto-connect can restore them on the next page load without a new login.
+   *
+   * @param refreshToken - When provided alongside a `refreshConfig`, enables
+   *   silent token refresh before the token expires.
+   * @param expiresInMs - Token lifetime in milliseconds (from `expires_in * 1000`).
+   *   Used to compute the absolute expiry time for proactive refresh.
+   */
+  async setTokens({
+    idToken,
+    bearerToken,
+    refreshToken,
+    expiresInMs
+  }) {
+    if (!this.db) {
+      await this.openDB();
+    }
+    this._idToken = idToken;
+    this._bearerToken = bearerToken;
+    this._refreshToken = refreshToken ?? null;
+    this._tokenExpiresAt = expiresInMs != null ? Date.now() + expiresInMs : null;
+    const existing = await this.loadRecord();
+    if (existing) {
+      await this.storeRecord({
+        ...existing,
+        idToken,
+        bearerToken,
+        refreshToken,
+        tokenExpiresAt: this._tokenExpiresAt ?? void 0
+      });
+    }
   }
   async stamp(params) {
-    if (!this.keyPair || !this._keyInfo) {
+    if (!this._keyPair || !this._keyInfo || this._idToken === null) {
       throw new Error("Auth2Stamper not initialized. Call init() first.");
     }
     const signatureRaw = await crypto.subtle.sign(
       { name: "ECDSA", hash: "SHA-256" },
-      this.keyPair.privateKey,
+      this._keyPair.privateKey,
       new Uint8Array(params.data)
     );
     const rawPublicKey = bs582.decode(this._keyInfo.publicKey);
-    if (this.idToken === void 0 || this.salt === void 0) {
-      throw new Error("Auth2Stamper not initialized with idToken or salt.");
-    }
     const stampData = {
-      kind: "OIDC",
-      idToken: this.idToken,
+      kind: this.type,
+      idToken: this._idToken,
       publicKey: base64urlEncode(rawPublicKey),
-      algorithm: "Secp256r1",
-      salt: this.salt,
+      algorithm: this.algorithm,
+      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
+      salt: "",
       signature: base64urlEncode(new Uint8Array(signatureRaw))
     };
     return base64urlEncode(new TextEncoder().encode(JSON.stringify(stampData)));
   }
   async resetKeyPair() {
-    await this.clearStoredKey();
-    this.keyPair = null;
-    this._keyInfo = null;
+    await this.clear();
     return this.generateAndStore();
   }
   async clear() {
-    await this.clearStoredKey();
-    this.keyPair = null;
+    await this.clearStoredRecord();
+    this._keyPair = null;
     this._keyInfo = null;
+    this._idToken = null;
+    this._bearerToken = null;
+    this._refreshToken = null;
+    this._tokenExpiresAt = null;
   }
   // Auth2 doesn't use key rotation; provide minimal no-op implementations.
   async rotateKeyPair() {
@@ -3046,13 +3121,13 @@ var Auth2Stamper = class {
     const publicKeyBase58 = bs582.encode(rawPublicKey);
     const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
     const keyId = base64urlEncode(new Uint8Array(keyIdBuffer)).substring(0, 16);
-    this.keyPair = keyPair;
+    this._keyPair = keyPair;
     this._keyInfo = {
       keyId,
       publicKey: publicKeyBase58,
       createdAt: Date.now()
     };
-    await this.storeKeyPair(keyPair, this._keyInfo);
+    await this.storeRecord({ keyPair, keyInfo: this._keyInfo });
     return this._keyInfo;
   }
   async openDB() {
@@ -3071,7 +3146,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async loadKeyPair() {
+  async loadRecord() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3085,12 +3160,12 @@ var Auth2Stamper = class {
       };
     });
   }
-  async storeKeyPair(keyPair, keyInfo) {
+  async storeRecord(record) {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
       }
-      const request = this.db.transaction([STORE_NAME], "readwrite").objectStore(STORE_NAME).put({ keyPair, keyInfo }, ACTIVE_KEY);
+      const request = this.db.transaction([STORE_NAME], "readwrite").objectStore(STORE_NAME).put(record, ACTIVE_KEY);
       request.onsuccess = () => {
         resolve();
       };
@@ -3099,7 +3174,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async clearStoredKey() {
+  async clearStoredRecord() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3218,17 +3293,17 @@ var BrowserPhantomAppProvider = class {
 
 // src/providers/embedded/adapters/logger.ts
 var BrowserLogger = class {
-  info(category, message, data) {
-    debug.info(category, message, data);
+  info(message, ...args) {
+    debug.info(message, args.length > 0 ? String(args[0]) : "", args[1]);
   }
-  warn(category, message, data) {
-    debug.warn(category, message, data);
+  warn(message, ...args) {
+    debug.warn(message, args.length > 0 ? String(args[0]) : "", args[1]);
   }
-  error(category, message, data) {
-    debug.error(category, message, data);
+  error(message, ...args) {
+    debug.error(message, args.length > 0 ? String(args[0]) : "", args[1]);
   }
-  log(category, message, data) {
-    debug.log(category, message, data);
+  debug(message, ...args) {
+    debug.log(message, args.length > 0 ? String(args[0]) : "", args[1]);
   }
 };
 
@@ -3239,7 +3314,11 @@ var EmbeddedProvider = class extends CoreEmbeddedProvider {
     debug.log(DebugCategory.EMBEDDED_PROVIDER, "Initializing Browser EmbeddedProvider", { config });
     const urlParamsAccessor = new BrowserURLParamsAccessor();
     const storage = new BrowserStorage();
-    const stamper = config.unstable__auth2Options ? new Auth2Stamper(`phantom-auth2-${config.appId}`) : new IndexedDbStamper({
+    const stamper = config.unstable__auth2Options ? new Auth2Stamper(`phantom-auth2-${config.appId}`, {
+      authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl,
+      clientId: config.unstable__auth2Options.clientId,
+      redirectUri: config.authOptions?.redirectUrl ?? ""
+    }) : new IndexedDbStamper({
       dbName: `phantom-embedded-sdk-${config.appId}`,
       storeName: "crypto-keys",
       keyName: "signing-key"
@@ -3276,7 +3355,7 @@ var EmbeddedProvider = class extends CoreEmbeddedProvider {
         [ANALYTICS_HEADERS.CLIENT]: browserName,
         [ANALYTICS_HEADERS.APP_ID]: config.appId,
         [ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [ANALYTICS_HEADERS.SDK_VERSION]: "1.0.4"
+        [ANALYTICS_HEADERS.SDK_VERSION]: "1.0.6"
         // Replaced at build time
       }
     };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@phantom/browser-sdk",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "Browser SDK for Phantom Wallet",
   "repository": {
     "type": "git",
@@ -33,16 +33,16 @@
     "prettier": "prettier --write \"src/**/*.{ts,tsx}\""
   },
   "dependencies": {
-    "@phantom/auth2": "^1.0.0",
-    "@phantom/base64url": "^1.0.4",
-    "@phantom/browser-injected-sdk": "^1.0.4",
-    "@phantom/chain-interfaces": "^1.0.4",
-    "@phantom/client": "^1.0.4",
-    "@phantom/constants": "^1.0.4",
-    "@phantom/embedded-provider-core": "^1.0.4",
-    "@phantom/indexed-db-stamper": "^1.0.4",
-    "@phantom/parsers": "^1.0.4",
-    "@phantom/sdk-types": "^1.0.4",
+    "@phantom/auth2": "^1.0.2",
+    "@phantom/base64url": "^1.0.6",
+    "@phantom/browser-injected-sdk": "^1.0.6",
+    "@phantom/chain-interfaces": "^1.0.6",
+    "@phantom/client": "^1.0.6",
+    "@phantom/constants": "^1.0.6",
+    "@phantom/embedded-provider-core": "^1.0.6",
+    "@phantom/indexed-db-stamper": "^1.0.6",
+    "@phantom/parsers": "^1.0.6",
+    "@phantom/sdk-types": "^1.0.6",
     "axios": "^1.10.0",
     "bs58": "^6.0.0",
     "buffer": "^6.0.3",