@phantom/browser-sdk 1.0.6 → 2.0.0-beta.0

package/README.md

@@ -216,6 +216,7 @@ const sdk = new BrowserSDK({
   authOptions: {
     authUrl: "https://connect.phantom.app/login", // optional
     redirectUrl: "https://yourapp.com/callback", // optional, defaults to current page
+    authApiBaseUrl: "https://auth.phantom.app", // optional
   },
   autoConnect: true, // optional, auto-connect to existing session (default: true when embedded providers are used)
 });
@@ -231,8 +232,9 @@ const sdk = new BrowserSDK({
   addressTypes: [AddressType.solana, AddressType.ethereum],
   appId: "your-app-id", // Required for deeplink
   authOptions: {
-    authUrl: "https://connect.phantom.app/login",
+    authUrl: "https://connect.phantom.app/login/start",
     redirectUrl: "https://yourapp.com/callback",
+    authApiBaseUrl: "https://auth.phantom.app",
   },
 });
 ```
@@ -325,9 +327,11 @@ interface BrowserSDKConfig {
 
   // Optional configuration
   apiBaseUrl?: string; // Phantom API base URL (optional, has default)
+
   authOptions?: {
-    authUrl?: string; // Custom auth URL (optional, defaults to "https://connect.phantom.app/login")
+    authUrl?: string; // Custom auth URL (optional, defaults to "https://connect.phantom.app/login/start")
     redirectUrl?: string; // Custom redirect URL after authentication (optional)
+    authApiBaseUrl?: string; // Custom OAuth URL (optional, defaults to "https://auth.phantom.app")
   };
   embeddedWalletType?: "user-wallet"; // Wallet type (optional, defaults to "user-wallet")
   autoConnect?: boolean; // Auto-connect to existing session (default: true when embedded providers used)
@@ -985,6 +989,46 @@ function toggleDebug(enabled: boolean) {
 }
 ```
 
+## Dapp-Sponsored Transactions (presignTransaction)
+
+Pass `presignTransaction` directly to `signAndSendTransaction` for calls that need co-signing. Calls without it proceed normally — it is never applied globally.
+
+> **Important:** Phantom embedded wallets do not accept pre-signed transactions. If your use case requires a second signer (e.g. your app as the fee payer), that signing must happen via this option, after Phantom has constructed and validated the transaction. This restriction does not apply to injected providers (e.g. the Phantom browser extension).
+
+> **Note:** `presignTransaction` only fires for Solana transactions via the embedded provider. EVM transactions and injected providers are unaffected.
+
+### Transaction format
+
+The `transaction` string is **base64url-encoded** (URL-safe base64 without `=` padding, using `-` and `_` instead of `+` and `/`).
+
+The SDK exports `base64urlDecode` and `base64urlEncode` utilities:
+
+```ts
+import { base64urlDecode, base64urlEncode } from "@phantom/browser-sdk";
+```
+
+### Example: Dapp fee payer
+
+```ts
+import { base64urlDecode, base64urlEncode } from "@phantom/browser-sdk";
+import { Keypair, VersionedTransaction } from "@solana/web3.js";
+
+const feePayerKeypair = Keypair.fromSecretKey(/* your fee payer secret key */);
+
+// This call co-signs as fee payer
+const result = await sdk.solana.signAndSendTransaction(transaction, {
+  presignTransaction: async (tx, context) => {
+    const txBytes = base64urlDecode(tx);
+    const versionedTx = VersionedTransaction.deserialize(txBytes);
+    versionedTx.sign([feePayerKeypair]);
+    return base64urlEncode(versionedTx.serialize());
+  },
+});
+
+// This call has no co-signer
+const result2 = await sdk.solana.signAndSendTransaction(otherTransaction);
+```
+
 ## Transaction Examples
 
 ### Solana Transactions

package/dist/index.d.ts

@@ -1,12 +1,13 @@
 import { EmbeddedProviderConfig, EmbeddedProviderAuthType, ConnectResult as ConnectResult$1, WalletAddress, EmbeddedProviderEvent, EventCallback } from '@phantom/embedded-provider-core';
 export { ConnectErrorEventData, ConnectEventData, ConnectStartEventData, DisconnectEventData, EmbeddedProviderEvent, EmbeddedProviderEventMap, EventCallback, SignAndSendTransactionParams, SignMessageParams, SignMessageResult, SignedTransaction, WalletAddress } from '@phantom/embedded-provider-core';
 import { IEthereumChain, ISolanaChain } from '@phantom/chain-interfaces';
-export { EthTransactionRequest, IEthereumChain, ISolanaChain } from '@phantom/chain-interfaces';
+export { EthTransactionRequest, IEthereumChain, ISolanaChain, SignAndSendTransactionOptions } from '@phantom/chain-interfaces';
 import { AddressType } from '@phantom/client';
-export { AddressType } from '@phantom/client';
+export { AddressType, PresignTransactionContext } from '@phantom/client';
 import { AutoConfirmEnableParams, AutoConfirmResult, AutoConfirmSupportedChainsResult } from '@phantom/browser-injected-sdk/auto-confirm';
 export { AutoConfirmEnableParams, AutoConfirmResult, AutoConfirmSupportedChainsResult } from '@phantom/browser-injected-sdk/auto-confirm';
 export { NetworkId, PHANTOM_ICON } from '@phantom/constants';
+export { base64urlDecode, base64urlEncode } from '@phantom/base64url';
 
 declare enum DebugLevel {
     ERROR = 0,
@@ -118,11 +119,7 @@ type BrowserSDKConfig = Prettify<Omit<EmbeddedProviderConfig, "authOptions" | "a
     authOptions?: {
         authUrl?: string;
         redirectUrl?: string;
-    };
-    /** When also provided, the Auth2 PKCE flow is used instead of the legacy Phantom Connect flow. */
-    unstable__auth2Options?: {
-        authApiBaseUrl: string;
-        clientId: string;
+        authApiBaseUrl?: string;
     };
 }>;
 type Prettify<T> = {

package/dist/index.js

@@ -34,8 +34,10 @@ __export(src_exports, {
   BrowserSDK: () => BrowserSDK,
   DebugCategory: () => DebugCategory,
   DebugLevel: () => DebugLevel,
-  NetworkId: () => import_constants8.NetworkId,
-  PHANTOM_ICON: () => import_constants9.PHANTOM_ICON,
+  NetworkId: () => import_constants7.NetworkId,
+  PHANTOM_ICON: () => import_constants8.PHANTOM_ICON,
+  base64urlDecode: () => import_base64url.base64urlDecode,
+  base64urlEncode: () => import_base64url.base64urlEncode,
   debug: () => debug,
   detectBrowser: () => detectBrowser,
   getBrowserDisplayName: () => getBrowserDisplayName,
@@ -2455,7 +2457,7 @@ var InjectedProvider = class {
 
 // src/providers/embedded/index.ts
 var import_embedded_provider_core = require("@phantom/embedded-provider-core");
-var import_indexed_db_stamper = require("@phantom/indexed-db-stamper");
+var import_auth22 = require("@phantom/auth2");
 
 // src/providers/embedded/adapters/storage.ts
 var BrowserStorage = class {
@@ -2730,161 +2732,6 @@ function isMobileDevice() {
   return isMobileUA || isSmallScreen && isTouchDevice;
 }
 
-// src/providers/embedded/adapters/auth.ts
-var BrowserAuthProvider = class {
-  constructor(urlParamsAccessor) {
-    this.urlParamsAccessor = urlParamsAccessor;
-  }
-  getValidatedCurrentUrl() {
-    const currentUrl = window.location.href;
-    if (!currentUrl.startsWith("http:") && !currentUrl.startsWith("https:")) {
-      throw new Error("Invalid URL protocol - only HTTP/HTTPS URLs are supported");
-    }
-    return currentUrl;
-  }
-  authenticate(options) {
-    return new Promise((resolve) => {
-      if ("jwtToken" in options) {
-        throw new Error("JWT authentication should be handled by the core JWTAuth class");
-      }
-      const phantomOptions = options;
-      debug.info(DebugCategory.PHANTOM_CONNECT_AUTH, "Starting Phantom Connect authentication", {
-        publicKey: phantomOptions.publicKey,
-        appId: phantomOptions.appId,
-        provider: phantomOptions.provider,
-        authUrl: phantomOptions.authUrl
-      });
-      const baseUrl = phantomOptions.authUrl || import_constants3.DEFAULT_AUTH_URL;
-      debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Using auth URL", { baseUrl });
-      const params = new URLSearchParams({
-        public_key: phantomOptions.publicKey,
-        app_id: phantomOptions.appId,
-        redirect_uri: phantomOptions.redirectUrl || (typeof window !== "undefined" ? this.getValidatedCurrentUrl() : ""),
-        session_id: phantomOptions.sessionId,
-        // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
-        clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
-        allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.6",
-        sdk_type: "browser",
-        platform: detectBrowser().name,
-        algorithm: phantomOptions.algorithm || import_constants3.DEFAULT_AUTHENTICATOR_ALGORITHM
-      });
-      if (phantomOptions.provider) {
-        debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Provider specified, will skip selection", {
-          provider: phantomOptions.provider
-        });
-        params.append("provider", phantomOptions.provider);
-      } else {
-        debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "No provider specified, defaulting to Google");
-        params.append("provider", "google");
-      }
-      const authContext = {
-        publicKey: phantomOptions.publicKey,
-        appId: phantomOptions.appId,
-        provider: phantomOptions.provider,
-        sessionId: phantomOptions.sessionId
-      };
-      sessionStorage.setItem("phantom-auth-context", JSON.stringify(authContext));
-      debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Stored auth context in session storage", { authContext });
-      const authUrl = `${baseUrl}?${params.toString()}`;
-      debug.info(DebugCategory.PHANTOM_CONNECT_AUTH, "Redirecting to Phantom Connect", { authUrl });
-      if (!authUrl.startsWith("https:") && !authUrl.startsWith("http://localhost")) {
-        throw new Error("Invalid auth URL - only HTTPS URLs are allowed for authentication");
-      }
-      window.location.href = authUrl;
-      resolve();
-    });
-  }
-  async resumeAuthFromRedirect(provider) {
-    try {
-      const walletId = this.urlParamsAccessor.getParam("wallet_id");
-      const sessionId = this.urlParamsAccessor.getParam("session_id");
-      const accountDerivationIndex = this.urlParamsAccessor.getParam("selected_account_index");
-      const error = this.urlParamsAccessor.getParam("error");
-      const errorDescription = this.urlParamsAccessor.getParam("error_description");
-      if (error) {
-        const errorMsg = errorDescription || error;
-        switch (error) {
-          case "access_denied":
-            throw new Error(`Authentication cancelled: ${errorMsg}`);
-          case "invalid_request":
-            throw new Error(`Invalid authentication request: ${errorMsg}`);
-          case "server_error":
-            throw new Error(`Authentication server error: ${errorMsg}`);
-          case "temporarily_unavailable":
-            throw new Error(`Authentication service temporarily unavailable: ${errorMsg}`);
-          default:
-            throw new Error(`Authentication failed: ${errorMsg}`);
-        }
-      }
-      if (!walletId || !sessionId) {
-        debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Missing auth parameters in URL", {
-          hasWalletId: !!walletId,
-          hasSessionId: !!sessionId
-        });
-        return null;
-      }
-      const contextStr = sessionStorage.getItem("phantom-auth-context");
-      let context = {};
-      if (contextStr) {
-        try {
-          context = JSON.parse(contextStr);
-        } catch (parseError) {
-          debug.warn(DebugCategory.PHANTOM_CONNECT_AUTH, "Failed to parse stored auth context", { error: parseError });
-        }
-      }
-      if (context.sessionId && sessionId !== context.sessionId) {
-        debug.error(DebugCategory.PHANTOM_CONNECT_AUTH, "Session ID mismatch", {
-          urlSessionId: sessionId,
-          storedSessionId: context.sessionId
-        });
-        throw new Error("Session ID mismatch - possible session corruption or replay attack");
-      }
-      sessionStorage.removeItem("phantom-auth-context");
-      debug.info(DebugCategory.PHANTOM_CONNECT_AUTH, "Successfully resumed auth from redirect", {
-        walletId,
-        sessionId,
-        accountDerivationIndex: accountDerivationIndex ? parseInt(accountDerivationIndex) : void 0
-      });
-      const organizationId = this.urlParamsAccessor.getParam("organization_id");
-      const expiresInMs = this.urlParamsAccessor.getParam("expires_in_ms");
-      const authUserId = this.urlParamsAccessor.getParam("auth_user_id");
-      debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Auth redirect parameters", {
-        walletId,
-        organizationId,
-        sessionId,
-        accountDerivationIndex,
-        expiresInMs,
-        authUserId
-      });
-      if (!organizationId) {
-        debug.error(DebugCategory.PHANTOM_CONNECT_AUTH, "Missing organization_id in auth response");
-        throw new Error("Missing organization_id in auth response");
-      }
-      if (organizationId.startsWith("temp-")) {
-        debug.warn(
-          DebugCategory.PHANTOM_CONNECT_AUTH,
-          "Received temporary organization_id, server may not be configured properly",
-          {
-            organizationId
-          }
-        );
-      }
-      return Promise.resolve({
-        walletId,
-        organizationId,
-        accountDerivationIndex: accountDerivationIndex ? parseInt(accountDerivationIndex) : 0,
-        expiresInMs: expiresInMs ? parseInt(expiresInMs) : 0,
-        authUserId: authUserId || void 0,
-        provider
-      });
-    } catch (error) {
-      sessionStorage.removeItem("phantom-auth-context");
-      throw error;
-    }
-  }
-};
-
 // src/providers/embedded/adapters/Auth2AuthProvider.ts
 var import_auth2 = require("@phantom/auth2");
 var Auth2AuthProvider = class {
@@ -2908,30 +2755,17 @@ var Auth2AuthProvider = class {
    * redirect without ever touching sessionStorage.
    */
   async authenticate(options) {
-    if (!this.stamper.getKeyInfo()) {
-      await this.stamper.init();
-    }
-    const keyPair = this.stamper.getCryptoKeyPair();
-    if (!keyPair) {
-      throw new Error("Stamper key pair not found.");
-    }
-    const codeVerifier = (0, import_auth2.createCodeVerifier)();
     const session = await this.storage.getSession();
     if (!session) {
       throw new Error("Session not found.");
     }
-    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
-    const url = await (0, import_auth2.createConnectStartUrl)({
-      keyPair,
-      connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
-      clientId: this.auth2ProviderOptions.clientId,
-      redirectUri: this.auth2ProviderOptions.redirectUri,
+    const { url, codeVerifier } = await (0, import_auth2.prepareAuth2Flow)({
+      stamper: this.stamper,
+      auth2Options: this.auth2ProviderOptions,
       sessionId: options.sessionId,
-      provider: options.provider,
-      codeVerifier,
-      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
-      salt: ""
+      provider: options.provider
     });
+    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
     Auth2AuthProvider.navigate(url);
   }
   /**
@@ -2941,8 +2775,7 @@ var Auth2AuthProvider = class {
    * and wallet via KMS RPC, then returns a completed AuthResult.
    */
   async resumeAuthFromRedirect(provider) {
-    const code = this.urlParamsAccessor.getParam("code");
-    if (!code) {
+    if (!this.urlParamsAccessor.getParam("code")) {
       return null;
     }
     if (!this.stamper.getKeyInfo()) {
@@ -2956,226 +2789,39 @@ var Auth2AuthProvider = class {
     if (!codeVerifier) {
       return null;
     }
-    const state = this.urlParamsAccessor.getParam("state");
-    if (!state || state !== session.sessionId) {
-      throw new Error("Missing or invalid Auth2 state parameter \u2014 possible CSRF attack.");
-    }
-    const error = this.urlParamsAccessor.getParam("error");
-    if (error) {
-      const description = this.urlParamsAccessor.getParam("error_description");
-      throw new Error(`Auth2 callback error: ${description ?? error}`);
-    }
-    const { idToken, bearerToken, authUserId, expiresInMs, refreshToken } = await (0, import_auth2.exchangeAuthCode)({
-      authApiBaseUrl: this.auth2ProviderOptions.authApiBaseUrl,
-      clientId: this.auth2ProviderOptions.clientId,
-      redirectUri: this.auth2ProviderOptions.redirectUri,
+    const code = (0, import_auth2.validateAuth2Callback)({
+      getParam: (key) => this.urlParamsAccessor.getParam(key),
+      expectedSessionId: session.sessionId
+    });
+    const result = await (0, import_auth2.completeAuth2Exchange)({
+      stamper: this.stamper,
+      kms: this.kms,
+      auth2Options: this.auth2ProviderOptions,
       code,
-      codeVerifier
+      codeVerifier,
+      provider
     });
-    await this.stamper.setTokens({ idToken, bearerToken, refreshToken, expiresInMs });
     await this.storage.saveSession({
       ...session,
       status: "completed",
-      bearerToken,
-      authUserId,
+      bearerToken: result.bearerToken,
+      authUserId: result.authUserId,
       pkceCodeVerifier: void 0
-      // no longer needed after code exchange
     });
-    const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
-    return {
-      walletId,
-      organizationId,
-      provider,
-      accountDerivationIndex: 0,
-      // discoverWalletId uses derivation index of 0.
-      expiresInMs,
-      authUserId,
-      bearerToken
-    };
+    return result;
   }
 };
 
-// src/providers/embedded/adapters/Auth2Stamper.ts
-var import_bs582 = __toESM(require("bs58"));
-var import_base64url = require("@phantom/base64url");
-var import_sdk_types = require("@phantom/sdk-types");
-var import_auth22 = require("@phantom/auth2");
-var import_constants4 = require("@phantom/constants");
+// src/providers/embedded/adapters/IndexedDBAuth2StamperStorage.ts
 var STORE_NAME = "crypto-keys";
 var ACTIVE_KEY = "auth2-p256-signing-key";
-var Auth2Stamper = class {
-  /**
-   * @param dbName - IndexedDB database name (use a unique name per app to
-   *   avoid key collisions with other stampers, e.g. `phantom-auth2-<appId>`).
-   * @param refreshConfig - When provided, the stamper will automatically refresh
-   *   the id_token using the refresh_token before it expires.
-   */
-  constructor(dbName, refreshConfig) {
+var IndexedDBAuth2StamperStorage = class {
+  constructor(dbName) {
     this.dbName = dbName;
-    this.refreshConfig = refreshConfig;
     this.db = null;
-    this._keyPair = null;
-    this._keyInfo = null;
-    this._idToken = null;
-    this._bearerToken = null;
-    this._refreshToken = null;
-    this._tokenExpiresAt = null;
-    this.algorithm = import_sdk_types.Algorithm.secp256r1;
-    this.type = "OIDC";
-  }
-  async init() {
-    await this.openDB();
-    const stored = await this.loadRecord();
-    if (stored) {
-      this._keyPair = stored.keyPair;
-      this._keyInfo = stored.keyInfo;
-      if (stored.idToken) {
-        this._idToken = stored.idToken;
-      }
-      if (stored.bearerToken) {
-        this._bearerToken = stored.bearerToken;
-      }
-      if (stored.refreshToken) {
-        this._refreshToken = stored.refreshToken;
-      }
-      if (stored.tokenExpiresAt) {
-        this._tokenExpiresAt = stored.tokenExpiresAt;
-      }
-      return this._keyInfo;
-    }
-    return this.generateAndStore();
-  }
-  getKeyInfo() {
-    return this._keyInfo;
-  }
-  getCryptoKeyPair() {
-    return this._keyPair;
-  }
-  /**
-   * Returns the current token state (refreshing proactively if near expiry),
-   * or null if no token has been set yet.
-   */
-  async getTokens() {
-    if (this.refreshConfig && this._refreshToken && this._tokenExpiresAt !== null && Date.now() >= this._tokenExpiresAt - import_constants4.TOKEN_REFRESH_BUFFER_MS) {
-      const refreshed = await (0, import_auth22.refreshToken)({
-        authApiBaseUrl: this.refreshConfig.authApiBaseUrl,
-        clientId: this.refreshConfig.clientId,
-        redirectUri: this.refreshConfig.redirectUri,
-        refreshToken: this._refreshToken
-      });
-      await this.setTokens(refreshed);
-    }
-    if (!this._idToken || !this._bearerToken) {
-      return null;
-    }
-    return {
-      idToken: this._idToken,
-      bearerToken: this._bearerToken,
-      refreshToken: this._refreshToken ?? void 0
-    };
-  }
-  /**
-   * Arms the stamper with the OIDC token data for subsequent KMS stamp() calls.
-   *
-   * Persists the tokens to IndexedDB alongside the key pair so that
-   * auto-connect can restore them on the next page load without a new login.
-   *
-   * @param refreshToken - When provided alongside a `refreshConfig`, enables
-   *   silent token refresh before the token expires.
-   * @param expiresInMs - Token lifetime in milliseconds (from `expires_in * 1000`).
-   *   Used to compute the absolute expiry time for proactive refresh.
-   */
-  async setTokens({
-    idToken,
-    bearerToken,
-    refreshToken,
-    expiresInMs
-  }) {
-    if (!this.db) {
-      await this.openDB();
-    }
-    this._idToken = idToken;
-    this._bearerToken = bearerToken;
-    this._refreshToken = refreshToken ?? null;
-    this._tokenExpiresAt = expiresInMs != null ? Date.now() + expiresInMs : null;
-    const existing = await this.loadRecord();
-    if (existing) {
-      await this.storeRecord({
-        ...existing,
-        idToken,
-        bearerToken,
-        refreshToken,
-        tokenExpiresAt: this._tokenExpiresAt ?? void 0
-      });
-    }
+    this.requiresExtractableKeys = false;
   }
-  async stamp(params) {
-    if (!this._keyPair || !this._keyInfo || this._idToken === null) {
-      throw new Error("Auth2Stamper not initialized. Call init() first.");
-    }
-    const signatureRaw = await crypto.subtle.sign(
-      { name: "ECDSA", hash: "SHA-256" },
-      this._keyPair.privateKey,
-      new Uint8Array(params.data)
-    );
-    const rawPublicKey = import_bs582.default.decode(this._keyInfo.publicKey);
-    const stampData = {
-      kind: this.type,
-      idToken: this._idToken,
-      publicKey: (0, import_base64url.base64urlEncode)(rawPublicKey),
-      algorithm: this.algorithm,
-      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
-      salt: "",
-      signature: (0, import_base64url.base64urlEncode)(new Uint8Array(signatureRaw))
-    };
-    return (0, import_base64url.base64urlEncode)(new TextEncoder().encode(JSON.stringify(stampData)));
-  }
-  async resetKeyPair() {
-    await this.clear();
-    return this.generateAndStore();
-  }
-  async clear() {
-    await this.clearStoredRecord();
-    this._keyPair = null;
-    this._keyInfo = null;
-    this._idToken = null;
-    this._bearerToken = null;
-    this._refreshToken = null;
-    this._tokenExpiresAt = null;
-  }
-  // Auth2 doesn't use key rotation; provide minimal no-op implementations.
-  async rotateKeyPair() {
-    return this.init();
-  }
-  // eslint-disable-next-line @typescript-eslint/require-await
-  async commitRotation(authenticatorId) {
-    if (this._keyInfo) {
-      this._keyInfo.authenticatorId = authenticatorId;
-    }
-  }
-  async rollbackRotation() {
-  }
-  async generateAndStore() {
-    const keyPair = await crypto.subtle.generateKey(
-      { name: "ECDSA", namedCurve: "P-256" },
-      false,
-      // non-extractable — private key never leaves Web Crypto
-      ["sign", "verify"]
-    );
-    const rawPublicKey = new Uint8Array(await crypto.subtle.exportKey("raw", keyPair.publicKey));
-    const publicKeyBase58 = import_bs582.default.encode(rawPublicKey);
-    const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
-    const keyId = (0, import_base64url.base64urlEncode)(new Uint8Array(keyIdBuffer)).substring(0, 16);
-    this._keyPair = keyPair;
-    this._keyInfo = {
-      keyId,
-      publicKey: publicKeyBase58,
-      createdAt: Date.now()
-    };
-    await this.storeRecord({ keyPair, keyInfo: this._keyInfo });
-    return this._keyInfo;
-  }
-  async openDB() {
+  async open() {
     return new Promise((resolve, reject) => {
       const request = indexedDB.open(this.dbName, 1);
       request.onsuccess = () => {
@@ -3191,7 +2837,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async loadRecord() {
+  async load() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3205,7 +2851,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async storeRecord(record) {
+  async save(record) {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3219,7 +2865,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async clearStoredRecord() {
+  async clear() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3353,38 +2999,34 @@ var BrowserLogger = class {
 };
 
 // src/providers/embedded/index.ts
-var import_constants5 = require("@phantom/constants");
+var import_constants4 = require("@phantom/constants");
 var EmbeddedProvider = class extends import_embedded_provider_core.EmbeddedProvider {
   constructor(config) {
     debug.log(DebugCategory.EMBEDDED_PROVIDER, "Initializing Browser EmbeddedProvider", { config });
     const urlParamsAccessor = new BrowserURLParamsAccessor();
     const storage = new BrowserStorage();
-    const stamper = config.unstable__auth2Options ? new Auth2Stamper(`phantom-auth2-${config.appId}`, {
-      authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl,
-      clientId: config.unstable__auth2Options.clientId,
-      redirectUri: config.authOptions?.redirectUrl ?? ""
-    }) : new import_indexed_db_stamper.IndexedDbStamper({
-      dbName: `phantom-embedded-sdk-${config.appId}`,
-      storeName: "crypto-keys",
-      keyName: "signing-key"
+    const stamper = new import_auth22.Auth2Stamper(new IndexedDBAuth2StamperStorage(`phantom-auth2-${config.appId}`), {
+      authApiBaseUrl: config.authOptions.authApiBaseUrl,
+      clientId: config.appId,
+      redirectUri: config.authOptions.redirectUrl
     });
     const platformName = getPlatformName();
     const { name: browserName, version } = detectBrowser();
-    const authProvider = config.unstable__auth2Options && config.authOptions?.authUrl && config.authOptions?.redirectUrl && stamper instanceof Auth2Stamper ? new Auth2AuthProvider(
+    const authProvider = new Auth2AuthProvider(
       stamper,
       storage,
       urlParamsAccessor,
       {
         redirectUri: config.authOptions.redirectUrl,
         connectLoginUrl: config.authOptions.authUrl,
-        clientId: config.unstable__auth2Options.clientId,
-        authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl
+        clientId: config.appId,
+        authApiBaseUrl: config.authOptions.authApiBaseUrl
       },
       {
         apiBaseUrl: config.apiBaseUrl,
         appId: config.appId
       }
-    ) : new BrowserAuthProvider(urlParamsAccessor);
+    );
     const platform = {
       storage,
       authProvider,
@@ -3394,13 +3036,13 @@ var EmbeddedProvider = class extends import_embedded_provider_core.EmbeddedProvi
       name: platformName,
       // Use detected browser name and version for identification
       analyticsHeaders: {
-        [import_constants5.ANALYTICS_HEADERS.SDK_TYPE]: "browser",
-        [import_constants5.ANALYTICS_HEADERS.PLATFORM]: "ext-sdk",
-        [import_constants5.ANALYTICS_HEADERS.PLATFORM_VERSION]: version,
-        [import_constants5.ANALYTICS_HEADERS.CLIENT]: browserName,
-        [import_constants5.ANALYTICS_HEADERS.APP_ID]: config.appId,
-        [import_constants5.ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [import_constants5.ANALYTICS_HEADERS.SDK_VERSION]: "1.0.6"
+        [import_constants4.ANALYTICS_HEADERS.SDK_TYPE]: "browser",
+        [import_constants4.ANALYTICS_HEADERS.PLATFORM]: "ext-sdk",
+        [import_constants4.ANALYTICS_HEADERS.PLATFORM_VERSION]: version,
+        [import_constants4.ANALYTICS_HEADERS.CLIENT]: browserName,
+        [import_constants4.ANALYTICS_HEADERS.APP_ID]: config.appId,
+        [import_constants4.ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
+        [import_constants4.ANALYTICS_HEADERS.SDK_VERSION]: "2.0.0-beta.0"
         // Replaced at build time
       }
     };
@@ -3417,7 +3059,7 @@ var EmbeddedProvider = class extends import_embedded_provider_core.EmbeddedProvi
 
 // src/ProviderManager.ts
 var import_embedded_provider_core2 = require("@phantom/embedded-provider-core");
-var import_constants6 = require("@phantom/constants");
+var import_constants5 = require("@phantom/constants");
 
 // src/utils/auth-callback.ts
 function isAuthFailureCallback(searchParams) {
@@ -3808,18 +3450,19 @@ var ProviderManager = class {
       if (!this.config.appId) {
         throw new Error("appId is required for embedded provider");
       }
-      const apiBaseUrl = this.config.apiBaseUrl || import_constants6.DEFAULT_WALLET_API_URL;
-      const authUrl = this.config.authOptions?.authUrl || import_constants6.DEFAULT_AUTH_URL;
+      const apiBaseUrl = this.config.apiBaseUrl || import_constants5.DEFAULT_WALLET_API_URL;
+      const authUrl = this.config.authOptions?.authUrl || import_constants5.DEFAULT_AUTH_URL;
+      const authApiBaseUrl = this.config.authOptions?.authApiBaseUrl || import_constants5.DEFAULT_AUTH_API_BASE_URL;
       provider = new EmbeddedProvider({
         apiBaseUrl,
         appId: this.config.appId,
         authOptions: {
           ...this.config.authOptions || {},
           authUrl,
-          redirectUrl: this.config.authOptions?.redirectUrl || this.getValidatedCurrentUrl()
+          redirectUrl: this.config.authOptions?.redirectUrl || this.getValidatedCurrentUrl(),
+          authApiBaseUrl
         },
-        unstable__auth2Options: this.config.unstable__auth2Options,
-        embeddedWalletType: embeddedWalletType || import_constants6.DEFAULT_EMBEDDED_WALLET_TYPE,
+        embeddedWalletType: embeddedWalletType || import_constants5.DEFAULT_EMBEDDED_WALLET_TYPE,
         addressTypes: this.config.addressTypes || [import_client.AddressType.solana]
       });
     } else {
@@ -3855,7 +3498,7 @@ var ProviderManager = class {
 
 // src/BrowserSDK.ts
 var import_embedded_provider_core3 = require("@phantom/embedded-provider-core");
-var import_constants7 = require("@phantom/constants");
+var import_constants6 = require("@phantom/constants");
 var BROWSER_SDK_PROVIDER_TYPES = [
   ...import_embedded_provider_core3.EMBEDDED_PROVIDER_AUTH_TYPES,
   "injected",
@@ -3891,7 +3534,7 @@ var BrowserSDK = class {
       });
       throw new Error("appId is required when using embedded providers (google, apple, phantom, etc.)");
     }
-    const embeddedWalletType = config.embeddedWalletType || import_constants7.DEFAULT_EMBEDDED_WALLET_TYPE;
+    const embeddedWalletType = config.embeddedWalletType || import_constants6.DEFAULT_EMBEDDED_WALLET_TYPE;
     if (!["app-wallet", "user-wallet"].includes(embeddedWalletType)) {
       debug.error(DebugCategory.BROWSER_SDK, "Invalid embeddedWalletType", {
         embeddedWalletType: config.embeddedWalletType
@@ -4166,6 +3809,7 @@ var BrowserSDK = class {
 };
 
 // src/index.ts
-var import_constants8 = require("@phantom/constants");
+var import_constants7 = require("@phantom/constants");
 var import_client5 = require("@phantom/client");
-var import_constants9 = require("@phantom/constants");
+var import_base64url = require("@phantom/base64url");
+var import_constants8 = require("@phantom/constants");

package/dist/index.mjs

@@ -2405,7 +2405,7 @@ var InjectedProvider = class {
 
 // src/providers/embedded/index.ts
 import { EmbeddedProvider as CoreEmbeddedProvider } from "@phantom/embedded-provider-core";
-import { IndexedDbStamper } from "@phantom/indexed-db-stamper";
+import { Auth2Stamper } from "@phantom/auth2";
 
 // src/providers/embedded/adapters/storage.ts
 var BrowserStorage = class {
@@ -2680,167 +2680,12 @@ function isMobileDevice() {
   return isMobileUA || isSmallScreen && isTouchDevice;
 }
 
-// src/providers/embedded/adapters/auth.ts
-var BrowserAuthProvider = class {
-  constructor(urlParamsAccessor) {
-    this.urlParamsAccessor = urlParamsAccessor;
-  }
-  getValidatedCurrentUrl() {
-    const currentUrl = window.location.href;
-    if (!currentUrl.startsWith("http:") && !currentUrl.startsWith("https:")) {
-      throw new Error("Invalid URL protocol - only HTTP/HTTPS URLs are supported");
-    }
-    return currentUrl;
-  }
-  authenticate(options) {
-    return new Promise((resolve) => {
-      if ("jwtToken" in options) {
-        throw new Error("JWT authentication should be handled by the core JWTAuth class");
-      }
-      const phantomOptions = options;
-      debug.info(DebugCategory.PHANTOM_CONNECT_AUTH, "Starting Phantom Connect authentication", {
-        publicKey: phantomOptions.publicKey,
-        appId: phantomOptions.appId,
-        provider: phantomOptions.provider,
-        authUrl: phantomOptions.authUrl
-      });
-      const baseUrl = phantomOptions.authUrl || DEFAULT_AUTH_URL;
-      debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Using auth URL", { baseUrl });
-      const params = new URLSearchParams({
-        public_key: phantomOptions.publicKey,
-        app_id: phantomOptions.appId,
-        redirect_uri: phantomOptions.redirectUrl || (typeof window !== "undefined" ? this.getValidatedCurrentUrl() : ""),
-        session_id: phantomOptions.sessionId,
-        // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
-        clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
-        allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.6",
-        sdk_type: "browser",
-        platform: detectBrowser().name,
-        algorithm: phantomOptions.algorithm || DEFAULT_AUTHENTICATOR_ALGORITHM
-      });
-      if (phantomOptions.provider) {
-        debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Provider specified, will skip selection", {
-          provider: phantomOptions.provider
-        });
-        params.append("provider", phantomOptions.provider);
-      } else {
-        debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "No provider specified, defaulting to Google");
-        params.append("provider", "google");
-      }
-      const authContext = {
-        publicKey: phantomOptions.publicKey,
-        appId: phantomOptions.appId,
-        provider: phantomOptions.provider,
-        sessionId: phantomOptions.sessionId
-      };
-      sessionStorage.setItem("phantom-auth-context", JSON.stringify(authContext));
-      debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Stored auth context in session storage", { authContext });
-      const authUrl = `${baseUrl}?${params.toString()}`;
-      debug.info(DebugCategory.PHANTOM_CONNECT_AUTH, "Redirecting to Phantom Connect", { authUrl });
-      if (!authUrl.startsWith("https:") && !authUrl.startsWith("http://localhost")) {
-        throw new Error("Invalid auth URL - only HTTPS URLs are allowed for authentication");
-      }
-      window.location.href = authUrl;
-      resolve();
-    });
-  }
-  async resumeAuthFromRedirect(provider) {
-    try {
-      const walletId = this.urlParamsAccessor.getParam("wallet_id");
-      const sessionId = this.urlParamsAccessor.getParam("session_id");
-      const accountDerivationIndex = this.urlParamsAccessor.getParam("selected_account_index");
-      const error = this.urlParamsAccessor.getParam("error");
-      const errorDescription = this.urlParamsAccessor.getParam("error_description");
-      if (error) {
-        const errorMsg = errorDescription || error;
-        switch (error) {
-          case "access_denied":
-            throw new Error(`Authentication cancelled: ${errorMsg}`);
-          case "invalid_request":
-            throw new Error(`Invalid authentication request: ${errorMsg}`);
-          case "server_error":
-            throw new Error(`Authentication server error: ${errorMsg}`);
-          case "temporarily_unavailable":
-            throw new Error(`Authentication service temporarily unavailable: ${errorMsg}`);
-          default:
-            throw new Error(`Authentication failed: ${errorMsg}`);
-        }
-      }
-      if (!walletId || !sessionId) {
-        debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Missing auth parameters in URL", {
-          hasWalletId: !!walletId,
-          hasSessionId: !!sessionId
-        });
-        return null;
-      }
-      const contextStr = sessionStorage.getItem("phantom-auth-context");
-      let context = {};
-      if (contextStr) {
-        try {
-          context = JSON.parse(contextStr);
-        } catch (parseError) {
-          debug.warn(DebugCategory.PHANTOM_CONNECT_AUTH, "Failed to parse stored auth context", { error: parseError });
-        }
-      }
-      if (context.sessionId && sessionId !== context.sessionId) {
-        debug.error(DebugCategory.PHANTOM_CONNECT_AUTH, "Session ID mismatch", {
-          urlSessionId: sessionId,
-          storedSessionId: context.sessionId
-        });
-        throw new Error("Session ID mismatch - possible session corruption or replay attack");
-      }
-      sessionStorage.removeItem("phantom-auth-context");
-      debug.info(DebugCategory.PHANTOM_CONNECT_AUTH, "Successfully resumed auth from redirect", {
-        walletId,
-        sessionId,
-        accountDerivationIndex: accountDerivationIndex ? parseInt(accountDerivationIndex) : void 0
-      });
-      const organizationId = this.urlParamsAccessor.getParam("organization_id");
-      const expiresInMs = this.urlParamsAccessor.getParam("expires_in_ms");
-      const authUserId = this.urlParamsAccessor.getParam("auth_user_id");
-      debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Auth redirect parameters", {
-        walletId,
-        organizationId,
-        sessionId,
-        accountDerivationIndex,
-        expiresInMs,
-        authUserId
-      });
-      if (!organizationId) {
-        debug.error(DebugCategory.PHANTOM_CONNECT_AUTH, "Missing organization_id in auth response");
-        throw new Error("Missing organization_id in auth response");
-      }
-      if (organizationId.startsWith("temp-")) {
-        debug.warn(
-          DebugCategory.PHANTOM_CONNECT_AUTH,
-          "Received temporary organization_id, server may not be configured properly",
-          {
-            organizationId
-          }
-        );
-      }
-      return Promise.resolve({
-        walletId,
-        organizationId,
-        accountDerivationIndex: accountDerivationIndex ? parseInt(accountDerivationIndex) : 0,
-        expiresInMs: expiresInMs ? parseInt(expiresInMs) : 0,
-        authUserId: authUserId || void 0,
-        provider
-      });
-    } catch (error) {
-      sessionStorage.removeItem("phantom-auth-context");
-      throw error;
-    }
-  }
-};
-
 // src/providers/embedded/adapters/Auth2AuthProvider.ts
 import {
-  createCodeVerifier,
-  createConnectStartUrl,
-  exchangeAuthCode,
-  Auth2KmsRpcClient
+  Auth2KmsRpcClient,
+  prepareAuth2Flow,
+  validateAuth2Callback,
+  completeAuth2Exchange
 } from "@phantom/auth2";
 var Auth2AuthProvider = class {
   constructor(stamper, storage, urlParamsAccessor, auth2ProviderOptions, kmsClientOptions) {
@@ -2863,30 +2708,17 @@ var Auth2AuthProvider = class {
    * redirect without ever touching sessionStorage.
    */
   async authenticate(options) {
-    if (!this.stamper.getKeyInfo()) {
-      await this.stamper.init();
-    }
-    const keyPair = this.stamper.getCryptoKeyPair();
-    if (!keyPair) {
-      throw new Error("Stamper key pair not found.");
-    }
-    const codeVerifier = createCodeVerifier();
     const session = await this.storage.getSession();
     if (!session) {
       throw new Error("Session not found.");
     }
-    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
-    const url = await createConnectStartUrl({
-      keyPair,
-      connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
-      clientId: this.auth2ProviderOptions.clientId,
-      redirectUri: this.auth2ProviderOptions.redirectUri,
+    const { url, codeVerifier } = await prepareAuth2Flow({
+      stamper: this.stamper,
+      auth2Options: this.auth2ProviderOptions,
       sessionId: options.sessionId,
-      provider: options.provider,
-      codeVerifier,
-      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
-      salt: ""
+      provider: options.provider
     });
+    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
     Auth2AuthProvider.navigate(url);
   }
   /**
@@ -2896,8 +2728,7 @@ var Auth2AuthProvider = class {
    * and wallet via KMS RPC, then returns a completed AuthResult.
    */
   async resumeAuthFromRedirect(provider) {
-    const code = this.urlParamsAccessor.getParam("code");
-    if (!code) {
+    if (!this.urlParamsAccessor.getParam("code")) {
       return null;
     }
     if (!this.stamper.getKeyInfo()) {
@@ -2911,226 +2742,39 @@ var Auth2AuthProvider = class {
     if (!codeVerifier) {
       return null;
     }
-    const state = this.urlParamsAccessor.getParam("state");
-    if (!state || state !== session.sessionId) {
-      throw new Error("Missing or invalid Auth2 state parameter \u2014 possible CSRF attack.");
-    }
-    const error = this.urlParamsAccessor.getParam("error");
-    if (error) {
-      const description = this.urlParamsAccessor.getParam("error_description");
-      throw new Error(`Auth2 callback error: ${description ?? error}`);
-    }
-    const { idToken, bearerToken, authUserId, expiresInMs, refreshToken } = await exchangeAuthCode({
-      authApiBaseUrl: this.auth2ProviderOptions.authApiBaseUrl,
-      clientId: this.auth2ProviderOptions.clientId,
-      redirectUri: this.auth2ProviderOptions.redirectUri,
+    const code = validateAuth2Callback({
+      getParam: (key) => this.urlParamsAccessor.getParam(key),
+      expectedSessionId: session.sessionId
+    });
+    const result = await completeAuth2Exchange({
+      stamper: this.stamper,
+      kms: this.kms,
+      auth2Options: this.auth2ProviderOptions,
       code,
-      codeVerifier
+      codeVerifier,
+      provider
     });
-    await this.stamper.setTokens({ idToken, bearerToken, refreshToken, expiresInMs });
     await this.storage.saveSession({
       ...session,
       status: "completed",
-      bearerToken,
-      authUserId,
+      bearerToken: result.bearerToken,
+      authUserId: result.authUserId,
       pkceCodeVerifier: void 0
-      // no longer needed after code exchange
     });
-    const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
-    return {
-      walletId,
-      organizationId,
-      provider,
-      accountDerivationIndex: 0,
-      // discoverWalletId uses derivation index of 0.
-      expiresInMs,
-      authUserId,
-      bearerToken
-    };
+    return result;
   }
 };
 
-// src/providers/embedded/adapters/Auth2Stamper.ts
-import bs582 from "bs58";
-import { base64urlEncode } from "@phantom/base64url";
-import { Algorithm } from "@phantom/sdk-types";
-import { refreshToken as refreshTokenRequest } from "@phantom/auth2";
-import { TOKEN_REFRESH_BUFFER_MS } from "@phantom/constants";
+// src/providers/embedded/adapters/IndexedDBAuth2StamperStorage.ts
 var STORE_NAME = "crypto-keys";
 var ACTIVE_KEY = "auth2-p256-signing-key";
-var Auth2Stamper = class {
-  /**
-   * @param dbName - IndexedDB database name (use a unique name per app to
-   *   avoid key collisions with other stampers, e.g. `phantom-auth2-<appId>`).
-   * @param refreshConfig - When provided, the stamper will automatically refresh
-   *   the id_token using the refresh_token before it expires.
-   */
-  constructor(dbName, refreshConfig) {
+var IndexedDBAuth2StamperStorage = class {
+  constructor(dbName) {
     this.dbName = dbName;
-    this.refreshConfig = refreshConfig;
     this.db = null;
-    this._keyPair = null;
-    this._keyInfo = null;
-    this._idToken = null;
-    this._bearerToken = null;
-    this._refreshToken = null;
-    this._tokenExpiresAt = null;
-    this.algorithm = Algorithm.secp256r1;
-    this.type = "OIDC";
-  }
-  async init() {
-    await this.openDB();
-    const stored = await this.loadRecord();
-    if (stored) {
-      this._keyPair = stored.keyPair;
-      this._keyInfo = stored.keyInfo;
-      if (stored.idToken) {
-        this._idToken = stored.idToken;
-      }
-      if (stored.bearerToken) {
-        this._bearerToken = stored.bearerToken;
-      }
-      if (stored.refreshToken) {
-        this._refreshToken = stored.refreshToken;
-      }
-      if (stored.tokenExpiresAt) {
-        this._tokenExpiresAt = stored.tokenExpiresAt;
-      }
-      return this._keyInfo;
-    }
-    return this.generateAndStore();
-  }
-  getKeyInfo() {
-    return this._keyInfo;
-  }
-  getCryptoKeyPair() {
-    return this._keyPair;
-  }
-  /**
-   * Returns the current token state (refreshing proactively if near expiry),
-   * or null if no token has been set yet.
-   */
-  async getTokens() {
-    if (this.refreshConfig && this._refreshToken && this._tokenExpiresAt !== null && Date.now() >= this._tokenExpiresAt - TOKEN_REFRESH_BUFFER_MS) {
-      const refreshed = await refreshTokenRequest({
-        authApiBaseUrl: this.refreshConfig.authApiBaseUrl,
-        clientId: this.refreshConfig.clientId,
-        redirectUri: this.refreshConfig.redirectUri,
-        refreshToken: this._refreshToken
-      });
-      await this.setTokens(refreshed);
-    }
-    if (!this._idToken || !this._bearerToken) {
-      return null;
-    }
-    return {
-      idToken: this._idToken,
-      bearerToken: this._bearerToken,
-      refreshToken: this._refreshToken ?? void 0
-    };
-  }
-  /**
-   * Arms the stamper with the OIDC token data for subsequent KMS stamp() calls.
-   *
-   * Persists the tokens to IndexedDB alongside the key pair so that
-   * auto-connect can restore them on the next page load without a new login.
-   *
-   * @param refreshToken - When provided alongside a `refreshConfig`, enables
-   *   silent token refresh before the token expires.
-   * @param expiresInMs - Token lifetime in milliseconds (from `expires_in * 1000`).
-   *   Used to compute the absolute expiry time for proactive refresh.
-   */
-  async setTokens({
-    idToken,
-    bearerToken,
-    refreshToken,
-    expiresInMs
-  }) {
-    if (!this.db) {
-      await this.openDB();
-    }
-    this._idToken = idToken;
-    this._bearerToken = bearerToken;
-    this._refreshToken = refreshToken ?? null;
-    this._tokenExpiresAt = expiresInMs != null ? Date.now() + expiresInMs : null;
-    const existing = await this.loadRecord();
-    if (existing) {
-      await this.storeRecord({
-        ...existing,
-        idToken,
-        bearerToken,
-        refreshToken,
-        tokenExpiresAt: this._tokenExpiresAt ?? void 0
-      });
-    }
+    this.requiresExtractableKeys = false;
   }
-  async stamp(params) {
-    if (!this._keyPair || !this._keyInfo || this._idToken === null) {
-      throw new Error("Auth2Stamper not initialized. Call init() first.");
-    }
-    const signatureRaw = await crypto.subtle.sign(
-      { name: "ECDSA", hash: "SHA-256" },
-      this._keyPair.privateKey,
-      new Uint8Array(params.data)
-    );
-    const rawPublicKey = bs582.decode(this._keyInfo.publicKey);
-    const stampData = {
-      kind: this.type,
-      idToken: this._idToken,
-      publicKey: base64urlEncode(rawPublicKey),
-      algorithm: this.algorithm,
-      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
-      salt: "",
-      signature: base64urlEncode(new Uint8Array(signatureRaw))
-    };
-    return base64urlEncode(new TextEncoder().encode(JSON.stringify(stampData)));
-  }
-  async resetKeyPair() {
-    await this.clear();
-    return this.generateAndStore();
-  }
-  async clear() {
-    await this.clearStoredRecord();
-    this._keyPair = null;
-    this._keyInfo = null;
-    this._idToken = null;
-    this._bearerToken = null;
-    this._refreshToken = null;
-    this._tokenExpiresAt = null;
-  }
-  // Auth2 doesn't use key rotation; provide minimal no-op implementations.
-  async rotateKeyPair() {
-    return this.init();
-  }
-  // eslint-disable-next-line @typescript-eslint/require-await
-  async commitRotation(authenticatorId) {
-    if (this._keyInfo) {
-      this._keyInfo.authenticatorId = authenticatorId;
-    }
-  }
-  async rollbackRotation() {
-  }
-  async generateAndStore() {
-    const keyPair = await crypto.subtle.generateKey(
-      { name: "ECDSA", namedCurve: "P-256" },
-      false,
-      // non-extractable — private key never leaves Web Crypto
-      ["sign", "verify"]
-    );
-    const rawPublicKey = new Uint8Array(await crypto.subtle.exportKey("raw", keyPair.publicKey));
-    const publicKeyBase58 = bs582.encode(rawPublicKey);
-    const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
-    const keyId = base64urlEncode(new Uint8Array(keyIdBuffer)).substring(0, 16);
-    this._keyPair = keyPair;
-    this._keyInfo = {
-      keyId,
-      publicKey: publicKeyBase58,
-      createdAt: Date.now()
-    };
-    await this.storeRecord({ keyPair, keyInfo: this._keyInfo });
-    return this._keyInfo;
-  }
-  async openDB() {
+  async open() {
     return new Promise((resolve, reject) => {
       const request = indexedDB.open(this.dbName, 1);
       request.onsuccess = () => {
@@ -3146,7 +2790,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async loadRecord() {
+  async load() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3160,7 +2804,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async storeRecord(record) {
+  async save(record) {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3174,7 +2818,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async clearStoredRecord() {
+  async clear() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3314,32 +2958,28 @@ var EmbeddedProvider = class extends CoreEmbeddedProvider {
     debug.log(DebugCategory.EMBEDDED_PROVIDER, "Initializing Browser EmbeddedProvider", { config });
     const urlParamsAccessor = new BrowserURLParamsAccessor();
     const storage = new BrowserStorage();
-    const stamper = config.unstable__auth2Options ? new Auth2Stamper(`phantom-auth2-${config.appId}`, {
-      authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl,
-      clientId: config.unstable__auth2Options.clientId,
-      redirectUri: config.authOptions?.redirectUrl ?? ""
-    }) : new IndexedDbStamper({
-      dbName: `phantom-embedded-sdk-${config.appId}`,
-      storeName: "crypto-keys",
-      keyName: "signing-key"
+    const stamper = new Auth2Stamper(new IndexedDBAuth2StamperStorage(`phantom-auth2-${config.appId}`), {
+      authApiBaseUrl: config.authOptions.authApiBaseUrl,
+      clientId: config.appId,
+      redirectUri: config.authOptions.redirectUrl
     });
     const platformName = getPlatformName();
     const { name: browserName, version } = detectBrowser();
-    const authProvider = config.unstable__auth2Options && config.authOptions?.authUrl && config.authOptions?.redirectUrl && stamper instanceof Auth2Stamper ? new Auth2AuthProvider(
+    const authProvider = new Auth2AuthProvider(
       stamper,
       storage,
       urlParamsAccessor,
       {
         redirectUri: config.authOptions.redirectUrl,
         connectLoginUrl: config.authOptions.authUrl,
-        clientId: config.unstable__auth2Options.clientId,
-        authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl
+        clientId: config.appId,
+        authApiBaseUrl: config.authOptions.authApiBaseUrl
       },
       {
         apiBaseUrl: config.apiBaseUrl,
         appId: config.appId
       }
-    ) : new BrowserAuthProvider(urlParamsAccessor);
+    );
     const platform = {
       storage,
       authProvider,
@@ -3355,7 +2995,7 @@ var EmbeddedProvider = class extends CoreEmbeddedProvider {
         [ANALYTICS_HEADERS.CLIENT]: browserName,
         [ANALYTICS_HEADERS.APP_ID]: config.appId,
         [ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [ANALYTICS_HEADERS.SDK_VERSION]: "1.0.6"
+        [ANALYTICS_HEADERS.SDK_VERSION]: "2.0.0-beta.0"
         // Replaced at build time
       }
     };
@@ -3374,7 +3014,12 @@ var EmbeddedProvider = class extends CoreEmbeddedProvider {
 import {
   EMBEDDED_PROVIDER_AUTH_TYPES
 } from "@phantom/embedded-provider-core";
-import { DEFAULT_WALLET_API_URL, DEFAULT_EMBEDDED_WALLET_TYPE, DEFAULT_AUTH_URL as DEFAULT_AUTH_URL2 } from "@phantom/constants";
+import {
+  DEFAULT_WALLET_API_URL,
+  DEFAULT_EMBEDDED_WALLET_TYPE,
+  DEFAULT_AUTH_URL as DEFAULT_AUTH_URL2,
+  DEFAULT_AUTH_API_BASE_URL
+} from "@phantom/constants";
 
 // src/utils/auth-callback.ts
 function isAuthFailureCallback(searchParams) {
@@ -3767,15 +3412,16 @@ var ProviderManager = class {
       }
       const apiBaseUrl = this.config.apiBaseUrl || DEFAULT_WALLET_API_URL;
       const authUrl = this.config.authOptions?.authUrl || DEFAULT_AUTH_URL2;
+      const authApiBaseUrl = this.config.authOptions?.authApiBaseUrl || DEFAULT_AUTH_API_BASE_URL;
       provider = new EmbeddedProvider({
         apiBaseUrl,
         appId: this.config.appId,
         authOptions: {
           ...this.config.authOptions || {},
           authUrl,
-          redirectUrl: this.config.authOptions?.redirectUrl || this.getValidatedCurrentUrl()
+          redirectUrl: this.config.authOptions?.redirectUrl || this.getValidatedCurrentUrl(),
+          authApiBaseUrl
         },
-        unstable__auth2Options: this.config.unstable__auth2Options,
         embeddedWalletType: embeddedWalletType || DEFAULT_EMBEDDED_WALLET_TYPE,
         addressTypes: this.config.addressTypes || [AddressType.solana]
       });
@@ -4125,6 +3771,7 @@ var BrowserSDK = class {
 // src/index.ts
 import { NetworkId } from "@phantom/constants";
 import { AddressType as AddressType4 } from "@phantom/client";
+import { base64urlEncode, base64urlDecode } from "@phantom/base64url";
 import { PHANTOM_ICON as PHANTOM_ICON3 } from "@phantom/constants";
 export {
   AddressType4 as AddressType,
@@ -4133,6 +3780,8 @@ export {
   DebugLevel,
   NetworkId,
   PHANTOM_ICON3 as PHANTOM_ICON,
+  base64urlDecode,
+  base64urlEncode,
   debug,
   detectBrowser,
   getBrowserDisplayName,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@phantom/browser-sdk",
-  "version": "1.0.6",
+  "version": "2.0.0-beta.0",
   "description": "Browser SDK for Phantom Wallet",
   "repository": {
     "type": "git",
@@ -33,16 +33,16 @@
     "prettier": "prettier --write \"src/**/*.{ts,tsx}\""
   },
   "dependencies": {
-    "@phantom/auth2": "^1.0.2",
-    "@phantom/base64url": "^1.0.6",
-    "@phantom/browser-injected-sdk": "^1.0.6",
-    "@phantom/chain-interfaces": "^1.0.6",
-    "@phantom/client": "^1.0.6",
-    "@phantom/constants": "^1.0.6",
-    "@phantom/embedded-provider-core": "^1.0.6",
-    "@phantom/indexed-db-stamper": "^1.0.6",
-    "@phantom/parsers": "^1.0.6",
-    "@phantom/sdk-types": "^1.0.6",
+    "@phantom/auth2": "^2.0.0-beta.0",
+    "@phantom/base64url": "^2.0.0-beta.0",
+    "@phantom/browser-injected-sdk": "^2.0.0-beta.0",
+    "@phantom/chain-interfaces": "^2.0.0-beta.0",
+    "@phantom/client": "^2.0.0-beta.0",
+    "@phantom/constants": "^2.0.0-beta.0",
+    "@phantom/embedded-provider-core": "^2.0.0-beta.0",
+    "@phantom/indexed-db-stamper": "^2.0.0-beta.0",
+    "@phantom/parsers": "^2.0.0-beta.0",
+    "@phantom/sdk-types": "^2.0.0-beta.0",
     "axios": "^1.10.0",
     "bs58": "^6.0.0",
     "buffer": "^6.0.3",