@phantom/browser-sdk 1.0.7 → 2.0.0

package/README.md

@@ -216,6 +216,7 @@ const sdk = new BrowserSDK({
   authOptions: {
     authUrl: "https://connect.phantom.app/login", // optional
     redirectUrl: "https://yourapp.com/callback", // optional, defaults to current page
+    authApiBaseUrl: "https://auth.phantom.app", // optional
   },
   autoConnect: true, // optional, auto-connect to existing session (default: true when embedded providers are used)
 });
@@ -231,8 +232,9 @@ const sdk = new BrowserSDK({
   addressTypes: [AddressType.solana, AddressType.ethereum],
   appId: "your-app-id", // Required for deeplink
   authOptions: {
-    authUrl: "https://connect.phantom.app/login",
+    authUrl: "https://connect.phantom.app/login/start",
     redirectUrl: "https://yourapp.com/callback",
+    authApiBaseUrl: "https://auth.phantom.app",
   },
 });
 ```
@@ -325,9 +327,11 @@ interface BrowserSDKConfig {
 
   // Optional configuration
   apiBaseUrl?: string; // Phantom API base URL (optional, has default)
+
   authOptions?: {
-    authUrl?: string; // Custom auth URL (optional, defaults to "https://connect.phantom.app/login")
+    authUrl?: string; // Custom auth URL (optional, defaults to "https://connect.phantom.app/login/start")
     redirectUrl?: string; // Custom redirect URL after authentication (optional)
+    authApiBaseUrl?: string; // Custom OAuth URL (optional, defaults to "https://auth.phantom.app")
   };
   embeddedWalletType?: "user-wallet"; // Wallet type (optional, defaults to "user-wallet")
   autoConnect?: boolean; // Auto-connect to existing session (default: true when embedded providers used)

package/dist/index.d.ts

@@ -119,11 +119,7 @@ type BrowserSDKConfig = Prettify<Omit<EmbeddedProviderConfig, "authOptions" | "a
     authOptions?: {
         authUrl?: string;
         redirectUrl?: string;
-    };
-    /** When also provided, the Auth2 PKCE flow is used instead of the legacy Phantom Connect flow. */
-    unstable__auth2Options?: {
-        authApiBaseUrl: string;
-        clientId: string;
+        authApiBaseUrl?: string;
     };
 }>;
 type Prettify<T> = {

package/dist/index.js

@@ -34,10 +34,10 @@ __export(src_exports, {
   BrowserSDK: () => BrowserSDK,
   DebugCategory: () => DebugCategory,
   DebugLevel: () => DebugLevel,
-  NetworkId: () => import_constants8.NetworkId,
-  PHANTOM_ICON: () => import_constants9.PHANTOM_ICON,
-  base64urlDecode: () => import_base64url2.base64urlDecode,
-  base64urlEncode: () => import_base64url2.base64urlEncode,
+  NetworkId: () => import_constants7.NetworkId,
+  PHANTOM_ICON: () => import_constants8.PHANTOM_ICON,
+  base64urlDecode: () => import_base64url.base64urlDecode,
+  base64urlEncode: () => import_base64url.base64urlEncode,
   debug: () => debug,
   detectBrowser: () => detectBrowser,
   getBrowserDisplayName: () => getBrowserDisplayName,
@@ -2457,7 +2457,7 @@ var InjectedProvider = class {
 
 // src/providers/embedded/index.ts
 var import_embedded_provider_core = require("@phantom/embedded-provider-core");
-var import_indexed_db_stamper = require("@phantom/indexed-db-stamper");
+var import_auth22 = require("@phantom/auth2");
 
 // src/providers/embedded/adapters/storage.ts
 var BrowserStorage = class {
@@ -2732,161 +2732,6 @@ function isMobileDevice() {
   return isMobileUA || isSmallScreen && isTouchDevice;
 }
 
-// src/providers/embedded/adapters/auth.ts
-var BrowserAuthProvider = class {
-  constructor(urlParamsAccessor) {
-    this.urlParamsAccessor = urlParamsAccessor;
-  }
-  getValidatedCurrentUrl() {
-    const currentUrl = window.location.href;
-    if (!currentUrl.startsWith("http:") && !currentUrl.startsWith("https:")) {
-      throw new Error("Invalid URL protocol - only HTTP/HTTPS URLs are supported");
-    }
-    return currentUrl;
-  }
-  authenticate(options) {
-    return new Promise((resolve) => {
-      if ("jwtToken" in options) {
-        throw new Error("JWT authentication should be handled by the core JWTAuth class");
-      }
-      const phantomOptions = options;
-      debug.info(DebugCategory.PHANTOM_CONNECT_AUTH, "Starting Phantom Connect authentication", {
-        publicKey: phantomOptions.publicKey,
-        appId: phantomOptions.appId,
-        provider: phantomOptions.provider,
-        authUrl: phantomOptions.authUrl
-      });
-      const baseUrl = phantomOptions.authUrl || import_constants3.DEFAULT_AUTH_URL;
-      debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Using auth URL", { baseUrl });
-      const params = new URLSearchParams({
-        public_key: phantomOptions.publicKey,
-        app_id: phantomOptions.appId,
-        redirect_uri: phantomOptions.redirectUrl || (typeof window !== "undefined" ? this.getValidatedCurrentUrl() : ""),
-        session_id: phantomOptions.sessionId,
-        // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
-        clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
-        allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.7",
-        sdk_type: "browser",
-        platform: detectBrowser().name,
-        algorithm: phantomOptions.algorithm || import_constants3.DEFAULT_AUTHENTICATOR_ALGORITHM
-      });
-      if (phantomOptions.provider) {
-        debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Provider specified, will skip selection", {
-          provider: phantomOptions.provider
-        });
-        params.append("provider", phantomOptions.provider);
-      } else {
-        debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "No provider specified, defaulting to Google");
-        params.append("provider", "google");
-      }
-      const authContext = {
-        publicKey: phantomOptions.publicKey,
-        appId: phantomOptions.appId,
-        provider: phantomOptions.provider,
-        sessionId: phantomOptions.sessionId
-      };
-      sessionStorage.setItem("phantom-auth-context", JSON.stringify(authContext));
-      debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Stored auth context in session storage", { authContext });
-      const authUrl = `${baseUrl}?${params.toString()}`;
-      debug.info(DebugCategory.PHANTOM_CONNECT_AUTH, "Redirecting to Phantom Connect", { authUrl });
-      if (!authUrl.startsWith("https:") && !authUrl.startsWith("http://localhost")) {
-        throw new Error("Invalid auth URL - only HTTPS URLs are allowed for authentication");
-      }
-      window.location.href = authUrl;
-      resolve();
-    });
-  }
-  async resumeAuthFromRedirect(provider) {
-    try {
-      const walletId = this.urlParamsAccessor.getParam("wallet_id");
-      const sessionId = this.urlParamsAccessor.getParam("session_id");
-      const accountDerivationIndex = this.urlParamsAccessor.getParam("selected_account_index");
-      const error = this.urlParamsAccessor.getParam("error");
-      const errorDescription = this.urlParamsAccessor.getParam("error_description");
-      if (error) {
-        const errorMsg = errorDescription || error;
-        switch (error) {
-          case "access_denied":
-            throw new Error(`Authentication cancelled: ${errorMsg}`);
-          case "invalid_request":
-            throw new Error(`Invalid authentication request: ${errorMsg}`);
-          case "server_error":
-            throw new Error(`Authentication server error: ${errorMsg}`);
-          case "temporarily_unavailable":
-            throw new Error(`Authentication service temporarily unavailable: ${errorMsg}`);
-          default:
-            throw new Error(`Authentication failed: ${errorMsg}`);
-        }
-      }
-      if (!walletId || !sessionId) {
-        debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Missing auth parameters in URL", {
-          hasWalletId: !!walletId,
-          hasSessionId: !!sessionId
-        });
-        return null;
-      }
-      const contextStr = sessionStorage.getItem("phantom-auth-context");
-      let context = {};
-      if (contextStr) {
-        try {
-          context = JSON.parse(contextStr);
-        } catch (parseError) {
-          debug.warn(DebugCategory.PHANTOM_CONNECT_AUTH, "Failed to parse stored auth context", { error: parseError });
-        }
-      }
-      if (context.sessionId && sessionId !== context.sessionId) {
-        debug.error(DebugCategory.PHANTOM_CONNECT_AUTH, "Session ID mismatch", {
-          urlSessionId: sessionId,
-          storedSessionId: context.sessionId
-        });
-        throw new Error("Session ID mismatch - possible session corruption or replay attack");
-      }
-      sessionStorage.removeItem("phantom-auth-context");
-      debug.info(DebugCategory.PHANTOM_CONNECT_AUTH, "Successfully resumed auth from redirect", {
-        walletId,
-        sessionId,
-        accountDerivationIndex: accountDerivationIndex ? parseInt(accountDerivationIndex) : void 0
-      });
-      const organizationId = this.urlParamsAccessor.getParam("organization_id");
-      const expiresInMs = this.urlParamsAccessor.getParam("expires_in_ms");
-      const authUserId = this.urlParamsAccessor.getParam("auth_user_id");
-      debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Auth redirect parameters", {
-        walletId,
-        organizationId,
-        sessionId,
-        accountDerivationIndex,
-        expiresInMs,
-        authUserId
-      });
-      if (!organizationId) {
-        debug.error(DebugCategory.PHANTOM_CONNECT_AUTH, "Missing organization_id in auth response");
-        throw new Error("Missing organization_id in auth response");
-      }
-      if (organizationId.startsWith("temp-")) {
-        debug.warn(
-          DebugCategory.PHANTOM_CONNECT_AUTH,
-          "Received temporary organization_id, server may not be configured properly",
-          {
-            organizationId
-          }
-        );
-      }
-      return Promise.resolve({
-        walletId,
-        organizationId,
-        accountDerivationIndex: accountDerivationIndex ? parseInt(accountDerivationIndex) : 0,
-        expiresInMs: expiresInMs ? parseInt(expiresInMs) : 0,
-        authUserId: authUserId || void 0,
-        provider
-      });
-    } catch (error) {
-      sessionStorage.removeItem("phantom-auth-context");
-      throw error;
-    }
-  }
-};
-
 // src/providers/embedded/adapters/Auth2AuthProvider.ts
 var import_auth2 = require("@phantom/auth2");
 var Auth2AuthProvider = class {
@@ -2910,30 +2755,17 @@ var Auth2AuthProvider = class {
    * redirect without ever touching sessionStorage.
    */
   async authenticate(options) {
-    if (!this.stamper.getKeyInfo()) {
-      await this.stamper.init();
-    }
-    const keyPair = this.stamper.getCryptoKeyPair();
-    if (!keyPair) {
-      throw new Error("Stamper key pair not found.");
-    }
-    const codeVerifier = (0, import_auth2.createCodeVerifier)();
     const session = await this.storage.getSession();
     if (!session) {
       throw new Error("Session not found.");
     }
-    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
-    const url = await (0, import_auth2.createConnectStartUrl)({
-      keyPair,
-      connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
-      clientId: this.auth2ProviderOptions.clientId,
-      redirectUri: this.auth2ProviderOptions.redirectUri,
+    const { url, codeVerifier } = await (0, import_auth2.prepareAuth2Flow)({
+      stamper: this.stamper,
+      auth2Options: this.auth2ProviderOptions,
       sessionId: options.sessionId,
-      provider: options.provider,
-      codeVerifier,
-      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
-      salt: ""
+      provider: options.provider
     });
+    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
     Auth2AuthProvider.navigate(url);
   }
   /**
@@ -2943,8 +2775,7 @@ var Auth2AuthProvider = class {
    * and wallet via KMS RPC, then returns a completed AuthResult.
    */
   async resumeAuthFromRedirect(provider) {
-    const code = this.urlParamsAccessor.getParam("code");
-    if (!code) {
+    if (!this.urlParamsAccessor.getParam("code")) {
       return null;
     }
     if (!this.stamper.getKeyInfo()) {
@@ -2958,226 +2789,39 @@ var Auth2AuthProvider = class {
     if (!codeVerifier) {
       return null;
     }
-    const state = this.urlParamsAccessor.getParam("state");
-    if (!state || state !== session.sessionId) {
-      throw new Error("Missing or invalid Auth2 state parameter \u2014 possible CSRF attack.");
-    }
-    const error = this.urlParamsAccessor.getParam("error");
-    if (error) {
-      const description = this.urlParamsAccessor.getParam("error_description");
-      throw new Error(`Auth2 callback error: ${description ?? error}`);
-    }
-    const { idToken, bearerToken, authUserId, expiresInMs, refreshToken } = await (0, import_auth2.exchangeAuthCode)({
-      authApiBaseUrl: this.auth2ProviderOptions.authApiBaseUrl,
-      clientId: this.auth2ProviderOptions.clientId,
-      redirectUri: this.auth2ProviderOptions.redirectUri,
+    const code = (0, import_auth2.validateAuth2Callback)({
+      getParam: (key) => this.urlParamsAccessor.getParam(key),
+      expectedSessionId: session.sessionId
+    });
+    const result = await (0, import_auth2.completeAuth2Exchange)({
+      stamper: this.stamper,
+      kms: this.kms,
+      auth2Options: this.auth2ProviderOptions,
       code,
-      codeVerifier
+      codeVerifier,
+      provider
     });
-    await this.stamper.setTokens({ idToken, bearerToken, refreshToken, expiresInMs });
     await this.storage.saveSession({
       ...session,
       status: "completed",
-      bearerToken,
-      authUserId,
+      bearerToken: result.bearerToken,
+      authUserId: result.authUserId,
       pkceCodeVerifier: void 0
-      // no longer needed after code exchange
     });
-    const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
-    return {
-      walletId,
-      organizationId,
-      provider,
-      accountDerivationIndex: 0,
-      // discoverWalletId uses derivation index of 0.
-      expiresInMs,
-      authUserId,
-      bearerToken
-    };
+    return result;
   }
 };
 
-// src/providers/embedded/adapters/Auth2Stamper.ts
-var import_bs582 = __toESM(require("bs58"));
-var import_base64url = require("@phantom/base64url");
-var import_sdk_types = require("@phantom/sdk-types");
-var import_auth22 = require("@phantom/auth2");
-var import_constants4 = require("@phantom/constants");
+// src/providers/embedded/adapters/IndexedDBAuth2StamperStorage.ts
 var STORE_NAME = "crypto-keys";
 var ACTIVE_KEY = "auth2-p256-signing-key";
-var Auth2Stamper = class {
-  /**
-   * @param dbName - IndexedDB database name (use a unique name per app to
-   *   avoid key collisions with other stampers, e.g. `phantom-auth2-<appId>`).
-   * @param refreshConfig - When provided, the stamper will automatically refresh
-   *   the id_token using the refresh_token before it expires.
-   */
-  constructor(dbName, refreshConfig) {
+var IndexedDBAuth2StamperStorage = class {
+  constructor(dbName) {
     this.dbName = dbName;
-    this.refreshConfig = refreshConfig;
     this.db = null;
-    this._keyPair = null;
-    this._keyInfo = null;
-    this._idToken = null;
-    this._bearerToken = null;
-    this._refreshToken = null;
-    this._tokenExpiresAt = null;
-    this.algorithm = import_sdk_types.Algorithm.secp256r1;
-    this.type = "OIDC";
-  }
-  async init() {
-    await this.openDB();
-    const stored = await this.loadRecord();
-    if (stored) {
-      this._keyPair = stored.keyPair;
-      this._keyInfo = stored.keyInfo;
-      if (stored.idToken) {
-        this._idToken = stored.idToken;
-      }
-      if (stored.bearerToken) {
-        this._bearerToken = stored.bearerToken;
-      }
-      if (stored.refreshToken) {
-        this._refreshToken = stored.refreshToken;
-      }
-      if (stored.tokenExpiresAt) {
-        this._tokenExpiresAt = stored.tokenExpiresAt;
-      }
-      return this._keyInfo;
-    }
-    return this.generateAndStore();
-  }
-  getKeyInfo() {
-    return this._keyInfo;
-  }
-  getCryptoKeyPair() {
-    return this._keyPair;
-  }
-  /**
-   * Returns the current token state (refreshing proactively if near expiry),
-   * or null if no token has been set yet.
-   */
-  async getTokens() {
-    if (this.refreshConfig && this._refreshToken && this._tokenExpiresAt !== null && Date.now() >= this._tokenExpiresAt - import_constants4.TOKEN_REFRESH_BUFFER_MS) {
-      const refreshed = await (0, import_auth22.refreshToken)({
-        authApiBaseUrl: this.refreshConfig.authApiBaseUrl,
-        clientId: this.refreshConfig.clientId,
-        redirectUri: this.refreshConfig.redirectUri,
-        refreshToken: this._refreshToken
-      });
-      await this.setTokens(refreshed);
-    }
-    if (!this._idToken || !this._bearerToken) {
-      return null;
-    }
-    return {
-      idToken: this._idToken,
-      bearerToken: this._bearerToken,
-      refreshToken: this._refreshToken ?? void 0
-    };
-  }
-  /**
-   * Arms the stamper with the OIDC token data for subsequent KMS stamp() calls.
-   *
-   * Persists the tokens to IndexedDB alongside the key pair so that
-   * auto-connect can restore them on the next page load without a new login.
-   *
-   * @param refreshToken - When provided alongside a `refreshConfig`, enables
-   *   silent token refresh before the token expires.
-   * @param expiresInMs - Token lifetime in milliseconds (from `expires_in * 1000`).
-   *   Used to compute the absolute expiry time for proactive refresh.
-   */
-  async setTokens({
-    idToken,
-    bearerToken,
-    refreshToken,
-    expiresInMs
-  }) {
-    if (!this.db) {
-      await this.openDB();
-    }
-    this._idToken = idToken;
-    this._bearerToken = bearerToken;
-    this._refreshToken = refreshToken ?? null;
-    this._tokenExpiresAt = expiresInMs != null ? Date.now() + expiresInMs : null;
-    const existing = await this.loadRecord();
-    if (existing) {
-      await this.storeRecord({
-        ...existing,
-        idToken,
-        bearerToken,
-        refreshToken,
-        tokenExpiresAt: this._tokenExpiresAt ?? void 0
-      });
-    }
+    this.requiresExtractableKeys = false;
   }
-  async stamp(params) {
-    if (!this._keyPair || !this._keyInfo || this._idToken === null) {
-      throw new Error("Auth2Stamper not initialized. Call init() first.");
-    }
-    const signatureRaw = await crypto.subtle.sign(
-      { name: "ECDSA", hash: "SHA-256" },
-      this._keyPair.privateKey,
-      new Uint8Array(params.data)
-    );
-    const rawPublicKey = import_bs582.default.decode(this._keyInfo.publicKey);
-    const stampData = {
-      kind: this.type,
-      idToken: this._idToken,
-      publicKey: (0, import_base64url.base64urlEncode)(rawPublicKey),
-      algorithm: this.algorithm,
-      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
-      salt: "",
-      signature: (0, import_base64url.base64urlEncode)(new Uint8Array(signatureRaw))
-    };
-    return (0, import_base64url.base64urlEncode)(new TextEncoder().encode(JSON.stringify(stampData)));
-  }
-  async resetKeyPair() {
-    await this.clear();
-    return this.generateAndStore();
-  }
-  async clear() {
-    await this.clearStoredRecord();
-    this._keyPair = null;
-    this._keyInfo = null;
-    this._idToken = null;
-    this._bearerToken = null;
-    this._refreshToken = null;
-    this._tokenExpiresAt = null;
-  }
-  // Auth2 doesn't use key rotation; provide minimal no-op implementations.
-  async rotateKeyPair() {
-    return this.init();
-  }
-  // eslint-disable-next-line @typescript-eslint/require-await
-  async commitRotation(authenticatorId) {
-    if (this._keyInfo) {
-      this._keyInfo.authenticatorId = authenticatorId;
-    }
-  }
-  async rollbackRotation() {
-  }
-  async generateAndStore() {
-    const keyPair = await crypto.subtle.generateKey(
-      { name: "ECDSA", namedCurve: "P-256" },
-      false,
-      // non-extractable — private key never leaves Web Crypto
-      ["sign", "verify"]
-    );
-    const rawPublicKey = new Uint8Array(await crypto.subtle.exportKey("raw", keyPair.publicKey));
-    const publicKeyBase58 = import_bs582.default.encode(rawPublicKey);
-    const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
-    const keyId = (0, import_base64url.base64urlEncode)(new Uint8Array(keyIdBuffer)).substring(0, 16);
-    this._keyPair = keyPair;
-    this._keyInfo = {
-      keyId,
-      publicKey: publicKeyBase58,
-      createdAt: Date.now()
-    };
-    await this.storeRecord({ keyPair, keyInfo: this._keyInfo });
-    return this._keyInfo;
-  }
-  async openDB() {
+  async open() {
     return new Promise((resolve, reject) => {
       const request = indexedDB.open(this.dbName, 1);
       request.onsuccess = () => {
@@ -3193,7 +2837,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async loadRecord() {
+  async load() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3207,7 +2851,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async storeRecord(record) {
+  async save(record) {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3221,7 +2865,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async clearStoredRecord() {
+  async clear() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3355,38 +2999,34 @@ var BrowserLogger = class {
 };
 
 // src/providers/embedded/index.ts
-var import_constants5 = require("@phantom/constants");
+var import_constants4 = require("@phantom/constants");
 var EmbeddedProvider = class extends import_embedded_provider_core.EmbeddedProvider {
   constructor(config) {
     debug.log(DebugCategory.EMBEDDED_PROVIDER, "Initializing Browser EmbeddedProvider", { config });
     const urlParamsAccessor = new BrowserURLParamsAccessor();
     const storage = new BrowserStorage();
-    const stamper = config.unstable__auth2Options ? new Auth2Stamper(`phantom-auth2-${config.appId}`, {
-      authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl,
-      clientId: config.unstable__auth2Options.clientId,
-      redirectUri: config.authOptions?.redirectUrl ?? ""
-    }) : new import_indexed_db_stamper.IndexedDbStamper({
-      dbName: `phantom-embedded-sdk-${config.appId}`,
-      storeName: "crypto-keys",
-      keyName: "signing-key"
+    const stamper = new import_auth22.Auth2Stamper(new IndexedDBAuth2StamperStorage(`phantom-auth2-${config.appId}`), {
+      authApiBaseUrl: config.authOptions.authApiBaseUrl,
+      clientId: config.appId,
+      redirectUri: config.authOptions.redirectUrl
     });
     const platformName = getPlatformName();
     const { name: browserName, version } = detectBrowser();
-    const authProvider = config.unstable__auth2Options && config.authOptions?.authUrl && config.authOptions?.redirectUrl && stamper instanceof Auth2Stamper ? new Auth2AuthProvider(
+    const authProvider = new Auth2AuthProvider(
       stamper,
       storage,
       urlParamsAccessor,
       {
         redirectUri: config.authOptions.redirectUrl,
         connectLoginUrl: config.authOptions.authUrl,
-        clientId: config.unstable__auth2Options.clientId,
-        authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl
+        clientId: config.appId,
+        authApiBaseUrl: config.authOptions.authApiBaseUrl
       },
       {
         apiBaseUrl: config.apiBaseUrl,
         appId: config.appId
       }
-    ) : new BrowserAuthProvider(urlParamsAccessor);
+    );
     const platform = {
       storage,
       authProvider,
@@ -3396,13 +3036,13 @@ var EmbeddedProvider = class extends import_embedded_provider_core.EmbeddedProvi
       name: platformName,
       // Use detected browser name and version for identification
       analyticsHeaders: {
-        [import_constants5.ANALYTICS_HEADERS.SDK_TYPE]: "browser",
-        [import_constants5.ANALYTICS_HEADERS.PLATFORM]: "ext-sdk",
-        [import_constants5.ANALYTICS_HEADERS.PLATFORM_VERSION]: version,
-        [import_constants5.ANALYTICS_HEADERS.CLIENT]: browserName,
-        [import_constants5.ANALYTICS_HEADERS.APP_ID]: config.appId,
-        [import_constants5.ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [import_constants5.ANALYTICS_HEADERS.SDK_VERSION]: "1.0.7"
+        [import_constants4.ANALYTICS_HEADERS.SDK_TYPE]: "browser",
+        [import_constants4.ANALYTICS_HEADERS.PLATFORM]: "ext-sdk",
+        [import_constants4.ANALYTICS_HEADERS.PLATFORM_VERSION]: version,
+        [import_constants4.ANALYTICS_HEADERS.CLIENT]: browserName,
+        [import_constants4.ANALYTICS_HEADERS.APP_ID]: config.appId,
+        [import_constants4.ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
+        [import_constants4.ANALYTICS_HEADERS.SDK_VERSION]: "2.0.0"
         // Replaced at build time
       }
     };
@@ -3419,7 +3059,7 @@ var EmbeddedProvider = class extends import_embedded_provider_core.EmbeddedProvi
 
 // src/ProviderManager.ts
 var import_embedded_provider_core2 = require("@phantom/embedded-provider-core");
-var import_constants6 = require("@phantom/constants");
+var import_constants5 = require("@phantom/constants");
 
 // src/utils/auth-callback.ts
 function isAuthFailureCallback(searchParams) {
@@ -3810,18 +3450,19 @@ var ProviderManager = class {
       if (!this.config.appId) {
         throw new Error("appId is required for embedded provider");
       }
-      const apiBaseUrl = this.config.apiBaseUrl || import_constants6.DEFAULT_WALLET_API_URL;
-      const authUrl = this.config.authOptions?.authUrl || import_constants6.DEFAULT_AUTH_URL;
+      const apiBaseUrl = this.config.apiBaseUrl || import_constants5.DEFAULT_WALLET_API_URL;
+      const authUrl = this.config.authOptions?.authUrl || import_constants5.DEFAULT_AUTH_URL;
+      const authApiBaseUrl = this.config.authOptions?.authApiBaseUrl || import_constants5.DEFAULT_AUTH_API_BASE_URL;
       provider = new EmbeddedProvider({
         apiBaseUrl,
         appId: this.config.appId,
         authOptions: {
           ...this.config.authOptions || {},
           authUrl,
-          redirectUrl: this.config.authOptions?.redirectUrl || this.getValidatedCurrentUrl()
+          redirectUrl: this.config.authOptions?.redirectUrl || this.getValidatedCurrentUrl(),
+          authApiBaseUrl
         },
-        unstable__auth2Options: this.config.unstable__auth2Options,
-        embeddedWalletType: embeddedWalletType || import_constants6.DEFAULT_EMBEDDED_WALLET_TYPE,
+        embeddedWalletType: embeddedWalletType || import_constants5.DEFAULT_EMBEDDED_WALLET_TYPE,
         addressTypes: this.config.addressTypes || [import_client.AddressType.solana]
       });
     } else {
@@ -3857,7 +3498,7 @@ var ProviderManager = class {
 
 // src/BrowserSDK.ts
 var import_embedded_provider_core3 = require("@phantom/embedded-provider-core");
-var import_constants7 = require("@phantom/constants");
+var import_constants6 = require("@phantom/constants");
 var BROWSER_SDK_PROVIDER_TYPES = [
   ...import_embedded_provider_core3.EMBEDDED_PROVIDER_AUTH_TYPES,
   "injected",
@@ -3893,7 +3534,7 @@ var BrowserSDK = class {
       });
       throw new Error("appId is required when using embedded providers (google, apple, phantom, etc.)");
     }
-    const embeddedWalletType = config.embeddedWalletType || import_constants7.DEFAULT_EMBEDDED_WALLET_TYPE;
+    const embeddedWalletType = config.embeddedWalletType || import_constants6.DEFAULT_EMBEDDED_WALLET_TYPE;
     if (!["app-wallet", "user-wallet"].includes(embeddedWalletType)) {
       debug.error(DebugCategory.BROWSER_SDK, "Invalid embeddedWalletType", {
         embeddedWalletType: config.embeddedWalletType
@@ -4168,7 +3809,7 @@ var BrowserSDK = class {
 };
 
 // src/index.ts
-var import_constants8 = require("@phantom/constants");
+var import_constants7 = require("@phantom/constants");
 var import_client5 = require("@phantom/client");
-var import_base64url2 = require("@phantom/base64url");
-var import_constants9 = require("@phantom/constants");
+var import_base64url = require("@phantom/base64url");
+var import_constants8 = require("@phantom/constants");

package/dist/index.mjs

@@ -2405,7 +2405,7 @@ var InjectedProvider = class {
 
 // src/providers/embedded/index.ts
 import { EmbeddedProvider as CoreEmbeddedProvider } from "@phantom/embedded-provider-core";
-import { IndexedDbStamper } from "@phantom/indexed-db-stamper";
+import { Auth2Stamper } from "@phantom/auth2";
 
 // src/providers/embedded/adapters/storage.ts
 var BrowserStorage = class {
@@ -2680,167 +2680,12 @@ function isMobileDevice() {
   return isMobileUA || isSmallScreen && isTouchDevice;
 }
 
-// src/providers/embedded/adapters/auth.ts
-var BrowserAuthProvider = class {
-  constructor(urlParamsAccessor) {
-    this.urlParamsAccessor = urlParamsAccessor;
-  }
-  getValidatedCurrentUrl() {
-    const currentUrl = window.location.href;
-    if (!currentUrl.startsWith("http:") && !currentUrl.startsWith("https:")) {
-      throw new Error("Invalid URL protocol - only HTTP/HTTPS URLs are supported");
-    }
-    return currentUrl;
-  }
-  authenticate(options) {
-    return new Promise((resolve) => {
-      if ("jwtToken" in options) {
-        throw new Error("JWT authentication should be handled by the core JWTAuth class");
-      }
-      const phantomOptions = options;
-      debug.info(DebugCategory.PHANTOM_CONNECT_AUTH, "Starting Phantom Connect authentication", {
-        publicKey: phantomOptions.publicKey,
-        appId: phantomOptions.appId,
-        provider: phantomOptions.provider,
-        authUrl: phantomOptions.authUrl
-      });
-      const baseUrl = phantomOptions.authUrl || DEFAULT_AUTH_URL;
-      debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Using auth URL", { baseUrl });
-      const params = new URLSearchParams({
-        public_key: phantomOptions.publicKey,
-        app_id: phantomOptions.appId,
-        redirect_uri: phantomOptions.redirectUrl || (typeof window !== "undefined" ? this.getValidatedCurrentUrl() : ""),
-        session_id: phantomOptions.sessionId,
-        // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
-        clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
-        allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.7",
-        sdk_type: "browser",
-        platform: detectBrowser().name,
-        algorithm: phantomOptions.algorithm || DEFAULT_AUTHENTICATOR_ALGORITHM
-      });
-      if (phantomOptions.provider) {
-        debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Provider specified, will skip selection", {
-          provider: phantomOptions.provider
-        });
-        params.append("provider", phantomOptions.provider);
-      } else {
-        debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "No provider specified, defaulting to Google");
-        params.append("provider", "google");
-      }
-      const authContext = {
-        publicKey: phantomOptions.publicKey,
-        appId: phantomOptions.appId,
-        provider: phantomOptions.provider,
-        sessionId: phantomOptions.sessionId
-      };
-      sessionStorage.setItem("phantom-auth-context", JSON.stringify(authContext));
-      debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Stored auth context in session storage", { authContext });
-      const authUrl = `${baseUrl}?${params.toString()}`;
-      debug.info(DebugCategory.PHANTOM_CONNECT_AUTH, "Redirecting to Phantom Connect", { authUrl });
-      if (!authUrl.startsWith("https:") && !authUrl.startsWith("http://localhost")) {
-        throw new Error("Invalid auth URL - only HTTPS URLs are allowed for authentication");
-      }
-      window.location.href = authUrl;
-      resolve();
-    });
-  }
-  async resumeAuthFromRedirect(provider) {
-    try {
-      const walletId = this.urlParamsAccessor.getParam("wallet_id");
-      const sessionId = this.urlParamsAccessor.getParam("session_id");
-      const accountDerivationIndex = this.urlParamsAccessor.getParam("selected_account_index");
-      const error = this.urlParamsAccessor.getParam("error");
-      const errorDescription = this.urlParamsAccessor.getParam("error_description");
-      if (error) {
-        const errorMsg = errorDescription || error;
-        switch (error) {
-          case "access_denied":
-            throw new Error(`Authentication cancelled: ${errorMsg}`);
-          case "invalid_request":
-            throw new Error(`Invalid authentication request: ${errorMsg}`);
-          case "server_error":
-            throw new Error(`Authentication server error: ${errorMsg}`);
-          case "temporarily_unavailable":
-            throw new Error(`Authentication service temporarily unavailable: ${errorMsg}`);
-          default:
-            throw new Error(`Authentication failed: ${errorMsg}`);
-        }
-      }
-      if (!walletId || !sessionId) {
-        debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Missing auth parameters in URL", {
-          hasWalletId: !!walletId,
-          hasSessionId: !!sessionId
-        });
-        return null;
-      }
-      const contextStr = sessionStorage.getItem("phantom-auth-context");
-      let context = {};
-      if (contextStr) {
-        try {
-          context = JSON.parse(contextStr);
-        } catch (parseError) {
-          debug.warn(DebugCategory.PHANTOM_CONNECT_AUTH, "Failed to parse stored auth context", { error: parseError });
-        }
-      }
-      if (context.sessionId && sessionId !== context.sessionId) {
-        debug.error(DebugCategory.PHANTOM_CONNECT_AUTH, "Session ID mismatch", {
-          urlSessionId: sessionId,
-          storedSessionId: context.sessionId
-        });
-        throw new Error("Session ID mismatch - possible session corruption or replay attack");
-      }
-      sessionStorage.removeItem("phantom-auth-context");
-      debug.info(DebugCategory.PHANTOM_CONNECT_AUTH, "Successfully resumed auth from redirect", {
-        walletId,
-        sessionId,
-        accountDerivationIndex: accountDerivationIndex ? parseInt(accountDerivationIndex) : void 0
-      });
-      const organizationId = this.urlParamsAccessor.getParam("organization_id");
-      const expiresInMs = this.urlParamsAccessor.getParam("expires_in_ms");
-      const authUserId = this.urlParamsAccessor.getParam("auth_user_id");
-      debug.log(DebugCategory.PHANTOM_CONNECT_AUTH, "Auth redirect parameters", {
-        walletId,
-        organizationId,
-        sessionId,
-        accountDerivationIndex,
-        expiresInMs,
-        authUserId
-      });
-      if (!organizationId) {
-        debug.error(DebugCategory.PHANTOM_CONNECT_AUTH, "Missing organization_id in auth response");
-        throw new Error("Missing organization_id in auth response");
-      }
-      if (organizationId.startsWith("temp-")) {
-        debug.warn(
-          DebugCategory.PHANTOM_CONNECT_AUTH,
-          "Received temporary organization_id, server may not be configured properly",
-          {
-            organizationId
-          }
-        );
-      }
-      return Promise.resolve({
-        walletId,
-        organizationId,
-        accountDerivationIndex: accountDerivationIndex ? parseInt(accountDerivationIndex) : 0,
-        expiresInMs: expiresInMs ? parseInt(expiresInMs) : 0,
-        authUserId: authUserId || void 0,
-        provider
-      });
-    } catch (error) {
-      sessionStorage.removeItem("phantom-auth-context");
-      throw error;
-    }
-  }
-};
-
 // src/providers/embedded/adapters/Auth2AuthProvider.ts
 import {
-  createCodeVerifier,
-  createConnectStartUrl,
-  exchangeAuthCode,
-  Auth2KmsRpcClient
+  Auth2KmsRpcClient,
+  prepareAuth2Flow,
+  validateAuth2Callback,
+  completeAuth2Exchange
 } from "@phantom/auth2";
 var Auth2AuthProvider = class {
   constructor(stamper, storage, urlParamsAccessor, auth2ProviderOptions, kmsClientOptions) {
@@ -2863,30 +2708,17 @@ var Auth2AuthProvider = class {
    * redirect without ever touching sessionStorage.
    */
   async authenticate(options) {
-    if (!this.stamper.getKeyInfo()) {
-      await this.stamper.init();
-    }
-    const keyPair = this.stamper.getCryptoKeyPair();
-    if (!keyPair) {
-      throw new Error("Stamper key pair not found.");
-    }
-    const codeVerifier = createCodeVerifier();
     const session = await this.storage.getSession();
     if (!session) {
       throw new Error("Session not found.");
     }
-    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
-    const url = await createConnectStartUrl({
-      keyPair,
-      connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
-      clientId: this.auth2ProviderOptions.clientId,
-      redirectUri: this.auth2ProviderOptions.redirectUri,
+    const { url, codeVerifier } = await prepareAuth2Flow({
+      stamper: this.stamper,
+      auth2Options: this.auth2ProviderOptions,
       sessionId: options.sessionId,
-      provider: options.provider,
-      codeVerifier,
-      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
-      salt: ""
+      provider: options.provider
     });
+    await this.storage.saveSession({ ...session, pkceCodeVerifier: codeVerifier });
     Auth2AuthProvider.navigate(url);
   }
   /**
@@ -2896,8 +2728,7 @@ var Auth2AuthProvider = class {
    * and wallet via KMS RPC, then returns a completed AuthResult.
    */
   async resumeAuthFromRedirect(provider) {
-    const code = this.urlParamsAccessor.getParam("code");
-    if (!code) {
+    if (!this.urlParamsAccessor.getParam("code")) {
       return null;
     }
     if (!this.stamper.getKeyInfo()) {
@@ -2911,226 +2742,39 @@ var Auth2AuthProvider = class {
     if (!codeVerifier) {
       return null;
     }
-    const state = this.urlParamsAccessor.getParam("state");
-    if (!state || state !== session.sessionId) {
-      throw new Error("Missing or invalid Auth2 state parameter \u2014 possible CSRF attack.");
-    }
-    const error = this.urlParamsAccessor.getParam("error");
-    if (error) {
-      const description = this.urlParamsAccessor.getParam("error_description");
-      throw new Error(`Auth2 callback error: ${description ?? error}`);
-    }
-    const { idToken, bearerToken, authUserId, expiresInMs, refreshToken } = await exchangeAuthCode({
-      authApiBaseUrl: this.auth2ProviderOptions.authApiBaseUrl,
-      clientId: this.auth2ProviderOptions.clientId,
-      redirectUri: this.auth2ProviderOptions.redirectUri,
+    const code = validateAuth2Callback({
+      getParam: (key) => this.urlParamsAccessor.getParam(key),
+      expectedSessionId: session.sessionId
+    });
+    const result = await completeAuth2Exchange({
+      stamper: this.stamper,
+      kms: this.kms,
+      auth2Options: this.auth2ProviderOptions,
       code,
-      codeVerifier
+      codeVerifier,
+      provider
     });
-    await this.stamper.setTokens({ idToken, bearerToken, refreshToken, expiresInMs });
     await this.storage.saveSession({
       ...session,
       status: "completed",
-      bearerToken,
-      authUserId,
+      bearerToken: result.bearerToken,
+      authUserId: result.authUserId,
       pkceCodeVerifier: void 0
-      // no longer needed after code exchange
     });
-    const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
-    return {
-      walletId,
-      organizationId,
-      provider,
-      accountDerivationIndex: 0,
-      // discoverWalletId uses derivation index of 0.
-      expiresInMs,
-      authUserId,
-      bearerToken
-    };
+    return result;
   }
 };
 
-// src/providers/embedded/adapters/Auth2Stamper.ts
-import bs582 from "bs58";
-import { base64urlEncode } from "@phantom/base64url";
-import { Algorithm } from "@phantom/sdk-types";
-import { refreshToken as refreshTokenRequest } from "@phantom/auth2";
-import { TOKEN_REFRESH_BUFFER_MS } from "@phantom/constants";
+// src/providers/embedded/adapters/IndexedDBAuth2StamperStorage.ts
 var STORE_NAME = "crypto-keys";
 var ACTIVE_KEY = "auth2-p256-signing-key";
-var Auth2Stamper = class {
-  /**
-   * @param dbName - IndexedDB database name (use a unique name per app to
-   *   avoid key collisions with other stampers, e.g. `phantom-auth2-<appId>`).
-   * @param refreshConfig - When provided, the stamper will automatically refresh
-   *   the id_token using the refresh_token before it expires.
-   */
-  constructor(dbName, refreshConfig) {
+var IndexedDBAuth2StamperStorage = class {
+  constructor(dbName) {
     this.dbName = dbName;
-    this.refreshConfig = refreshConfig;
     this.db = null;
-    this._keyPair = null;
-    this._keyInfo = null;
-    this._idToken = null;
-    this._bearerToken = null;
-    this._refreshToken = null;
-    this._tokenExpiresAt = null;
-    this.algorithm = Algorithm.secp256r1;
-    this.type = "OIDC";
-  }
-  async init() {
-    await this.openDB();
-    const stored = await this.loadRecord();
-    if (stored) {
-      this._keyPair = stored.keyPair;
-      this._keyInfo = stored.keyInfo;
-      if (stored.idToken) {
-        this._idToken = stored.idToken;
-      }
-      if (stored.bearerToken) {
-        this._bearerToken = stored.bearerToken;
-      }
-      if (stored.refreshToken) {
-        this._refreshToken = stored.refreshToken;
-      }
-      if (stored.tokenExpiresAt) {
-        this._tokenExpiresAt = stored.tokenExpiresAt;
-      }
-      return this._keyInfo;
-    }
-    return this.generateAndStore();
-  }
-  getKeyInfo() {
-    return this._keyInfo;
-  }
-  getCryptoKeyPair() {
-    return this._keyPair;
-  }
-  /**
-   * Returns the current token state (refreshing proactively if near expiry),
-   * or null if no token has been set yet.
-   */
-  async getTokens() {
-    if (this.refreshConfig && this._refreshToken && this._tokenExpiresAt !== null && Date.now() >= this._tokenExpiresAt - TOKEN_REFRESH_BUFFER_MS) {
-      const refreshed = await refreshTokenRequest({
-        authApiBaseUrl: this.refreshConfig.authApiBaseUrl,
-        clientId: this.refreshConfig.clientId,
-        redirectUri: this.refreshConfig.redirectUri,
-        refreshToken: this._refreshToken
-      });
-      await this.setTokens(refreshed);
-    }
-    if (!this._idToken || !this._bearerToken) {
-      return null;
-    }
-    return {
-      idToken: this._idToken,
-      bearerToken: this._bearerToken,
-      refreshToken: this._refreshToken ?? void 0
-    };
-  }
-  /**
-   * Arms the stamper with the OIDC token data for subsequent KMS stamp() calls.
-   *
-   * Persists the tokens to IndexedDB alongside the key pair so that
-   * auto-connect can restore them on the next page load without a new login.
-   *
-   * @param refreshToken - When provided alongside a `refreshConfig`, enables
-   *   silent token refresh before the token expires.
-   * @param expiresInMs - Token lifetime in milliseconds (from `expires_in * 1000`).
-   *   Used to compute the absolute expiry time for proactive refresh.
-   */
-  async setTokens({
-    idToken,
-    bearerToken,
-    refreshToken,
-    expiresInMs
-  }) {
-    if (!this.db) {
-      await this.openDB();
-    }
-    this._idToken = idToken;
-    this._bearerToken = bearerToken;
-    this._refreshToken = refreshToken ?? null;
-    this._tokenExpiresAt = expiresInMs != null ? Date.now() + expiresInMs : null;
-    const existing = await this.loadRecord();
-    if (existing) {
-      await this.storeRecord({
-        ...existing,
-        idToken,
-        bearerToken,
-        refreshToken,
-        tokenExpiresAt: this._tokenExpiresAt ?? void 0
-      });
-    }
+    this.requiresExtractableKeys = false;
   }
-  async stamp(params) {
-    if (!this._keyPair || !this._keyInfo || this._idToken === null) {
-      throw new Error("Auth2Stamper not initialized. Call init() first.");
-    }
-    const signatureRaw = await crypto.subtle.sign(
-      { name: "ECDSA", hash: "SHA-256" },
-      this._keyPair.privateKey,
-      new Uint8Array(params.data)
-    );
-    const rawPublicKey = bs582.decode(this._keyInfo.publicKey);
-    const stampData = {
-      kind: this.type,
-      idToken: this._idToken,
-      publicKey: base64urlEncode(rawPublicKey),
-      algorithm: this.algorithm,
-      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
-      salt: "",
-      signature: base64urlEncode(new Uint8Array(signatureRaw))
-    };
-    return base64urlEncode(new TextEncoder().encode(JSON.stringify(stampData)));
-  }
-  async resetKeyPair() {
-    await this.clear();
-    return this.generateAndStore();
-  }
-  async clear() {
-    await this.clearStoredRecord();
-    this._keyPair = null;
-    this._keyInfo = null;
-    this._idToken = null;
-    this._bearerToken = null;
-    this._refreshToken = null;
-    this._tokenExpiresAt = null;
-  }
-  // Auth2 doesn't use key rotation; provide minimal no-op implementations.
-  async rotateKeyPair() {
-    return this.init();
-  }
-  // eslint-disable-next-line @typescript-eslint/require-await
-  async commitRotation(authenticatorId) {
-    if (this._keyInfo) {
-      this._keyInfo.authenticatorId = authenticatorId;
-    }
-  }
-  async rollbackRotation() {
-  }
-  async generateAndStore() {
-    const keyPair = await crypto.subtle.generateKey(
-      { name: "ECDSA", namedCurve: "P-256" },
-      false,
-      // non-extractable — private key never leaves Web Crypto
-      ["sign", "verify"]
-    );
-    const rawPublicKey = new Uint8Array(await crypto.subtle.exportKey("raw", keyPair.publicKey));
-    const publicKeyBase58 = bs582.encode(rawPublicKey);
-    const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
-    const keyId = base64urlEncode(new Uint8Array(keyIdBuffer)).substring(0, 16);
-    this._keyPair = keyPair;
-    this._keyInfo = {
-      keyId,
-      publicKey: publicKeyBase58,
-      createdAt: Date.now()
-    };
-    await this.storeRecord({ keyPair, keyInfo: this._keyInfo });
-    return this._keyInfo;
-  }
-  async openDB() {
+  async open() {
     return new Promise((resolve, reject) => {
       const request = indexedDB.open(this.dbName, 1);
       request.onsuccess = () => {
@@ -3146,7 +2790,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async loadRecord() {
+  async load() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3160,7 +2804,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async storeRecord(record) {
+  async save(record) {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3174,7 +2818,7 @@ var Auth2Stamper = class {
       };
     });
   }
-  async clearStoredRecord() {
+  async clear() {
     return new Promise((resolve, reject) => {
       if (!this.db) {
         throw new Error("Database not initialized");
@@ -3314,32 +2958,28 @@ var EmbeddedProvider = class extends CoreEmbeddedProvider {
     debug.log(DebugCategory.EMBEDDED_PROVIDER, "Initializing Browser EmbeddedProvider", { config });
     const urlParamsAccessor = new BrowserURLParamsAccessor();
     const storage = new BrowserStorage();
-    const stamper = config.unstable__auth2Options ? new Auth2Stamper(`phantom-auth2-${config.appId}`, {
-      authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl,
-      clientId: config.unstable__auth2Options.clientId,
-      redirectUri: config.authOptions?.redirectUrl ?? ""
-    }) : new IndexedDbStamper({
-      dbName: `phantom-embedded-sdk-${config.appId}`,
-      storeName: "crypto-keys",
-      keyName: "signing-key"
+    const stamper = new Auth2Stamper(new IndexedDBAuth2StamperStorage(`phantom-auth2-${config.appId}`), {
+      authApiBaseUrl: config.authOptions.authApiBaseUrl,
+      clientId: config.appId,
+      redirectUri: config.authOptions.redirectUrl
     });
     const platformName = getPlatformName();
     const { name: browserName, version } = detectBrowser();
-    const authProvider = config.unstable__auth2Options && config.authOptions?.authUrl && config.authOptions?.redirectUrl && stamper instanceof Auth2Stamper ? new Auth2AuthProvider(
+    const authProvider = new Auth2AuthProvider(
       stamper,
       storage,
       urlParamsAccessor,
       {
         redirectUri: config.authOptions.redirectUrl,
         connectLoginUrl: config.authOptions.authUrl,
-        clientId: config.unstable__auth2Options.clientId,
-        authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl
+        clientId: config.appId,
+        authApiBaseUrl: config.authOptions.authApiBaseUrl
       },
       {
         apiBaseUrl: config.apiBaseUrl,
         appId: config.appId
       }
-    ) : new BrowserAuthProvider(urlParamsAccessor);
+    );
     const platform = {
       storage,
       authProvider,
@@ -3355,7 +2995,7 @@ var EmbeddedProvider = class extends CoreEmbeddedProvider {
         [ANALYTICS_HEADERS.CLIENT]: browserName,
         [ANALYTICS_HEADERS.APP_ID]: config.appId,
         [ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [ANALYTICS_HEADERS.SDK_VERSION]: "1.0.7"
+        [ANALYTICS_HEADERS.SDK_VERSION]: "2.0.0"
         // Replaced at build time
       }
     };
@@ -3374,7 +3014,12 @@ var EmbeddedProvider = class extends CoreEmbeddedProvider {
 import {
   EMBEDDED_PROVIDER_AUTH_TYPES
 } from "@phantom/embedded-provider-core";
-import { DEFAULT_WALLET_API_URL, DEFAULT_EMBEDDED_WALLET_TYPE, DEFAULT_AUTH_URL as DEFAULT_AUTH_URL2 } from "@phantom/constants";
+import {
+  DEFAULT_WALLET_API_URL,
+  DEFAULT_EMBEDDED_WALLET_TYPE,
+  DEFAULT_AUTH_URL as DEFAULT_AUTH_URL2,
+  DEFAULT_AUTH_API_BASE_URL
+} from "@phantom/constants";
 
 // src/utils/auth-callback.ts
 function isAuthFailureCallback(searchParams) {
@@ -3767,15 +3412,16 @@ var ProviderManager = class {
       }
       const apiBaseUrl = this.config.apiBaseUrl || DEFAULT_WALLET_API_URL;
       const authUrl = this.config.authOptions?.authUrl || DEFAULT_AUTH_URL2;
+      const authApiBaseUrl = this.config.authOptions?.authApiBaseUrl || DEFAULT_AUTH_API_BASE_URL;
       provider = new EmbeddedProvider({
         apiBaseUrl,
         appId: this.config.appId,
         authOptions: {
           ...this.config.authOptions || {},
           authUrl,
-          redirectUrl: this.config.authOptions?.redirectUrl || this.getValidatedCurrentUrl()
+          redirectUrl: this.config.authOptions?.redirectUrl || this.getValidatedCurrentUrl(),
+          authApiBaseUrl
         },
-        unstable__auth2Options: this.config.unstable__auth2Options,
         embeddedWalletType: embeddedWalletType || DEFAULT_EMBEDDED_WALLET_TYPE,
         addressTypes: this.config.addressTypes || [AddressType.solana]
       });
@@ -4125,7 +3771,7 @@ var BrowserSDK = class {
 // src/index.ts
 import { NetworkId } from "@phantom/constants";
 import { AddressType as AddressType4 } from "@phantom/client";
-import { base64urlEncode as base64urlEncode2, base64urlDecode } from "@phantom/base64url";
+import { base64urlEncode, base64urlDecode } from "@phantom/base64url";
 import { PHANTOM_ICON as PHANTOM_ICON3 } from "@phantom/constants";
 export {
   AddressType4 as AddressType,
@@ -4135,7 +3781,7 @@ export {
   NetworkId,
   PHANTOM_ICON3 as PHANTOM_ICON,
   base64urlDecode,
-  base64urlEncode2 as base64urlEncode,
+  base64urlEncode,
   debug,
   detectBrowser,
   getBrowserDisplayName,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@phantom/browser-sdk",
-  "version": "1.0.7",
+  "version": "2.0.0",
   "description": "Browser SDK for Phantom Wallet",
   "repository": {
     "type": "git",
@@ -33,16 +33,16 @@
     "prettier": "prettier --write \"src/**/*.{ts,tsx}\""
   },
   "dependencies": {
-    "@phantom/auth2": "^1.0.2",
-    "@phantom/base64url": "^1.0.7",
-    "@phantom/browser-injected-sdk": "^1.0.7",
-    "@phantom/chain-interfaces": "^1.0.7",
-    "@phantom/client": "^1.0.7",
-    "@phantom/constants": "^1.0.7",
-    "@phantom/embedded-provider-core": "^1.0.7",
-    "@phantom/indexed-db-stamper": "^1.0.7",
-    "@phantom/parsers": "^1.0.7",
-    "@phantom/sdk-types": "^1.0.7",
+    "@phantom/auth2": "^2.0.0",
+    "@phantom/base64url": "^2.0.0",
+    "@phantom/browser-injected-sdk": "^2.0.0",
+    "@phantom/chain-interfaces": "^2.0.0",
+    "@phantom/client": "^2.0.0",
+    "@phantom/constants": "^2.0.0",
+    "@phantom/embedded-provider-core": "^2.0.0",
+    "@phantom/indexed-db-stamper": "^2.0.0",
+    "@phantom/parsers": "^2.0.0",
+    "@phantom/sdk-types": "^2.0.0",
     "axios": "^1.10.0",
     "bs58": "^6.0.0",
     "buffer": "^6.0.3",