@phantom/react-native-sdk 1.0.3 → 1.0.4

package/dist/index.d.ts

@@ -25,6 +25,11 @@ interface PhantomSDKConfig extends Omit<EmbeddedProviderConfig, "apiBaseUrl" | "
         authUrl?: string;
         redirectUrl?: string;
     };
+    /** When also provided, the Auth2 PKCE flow is used instead of the legacy Phantom Connect flow. */
+    unstable__auth2Options?: {
+        authApiBaseUrl: string;
+        clientId: string;
+    };
 }
 interface ConnectOptions {
     /** OAuth provider to use (required) */

package/dist/index.js

@@ -557,7 +557,7 @@ var ExpoAuthProvider = class {
         // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
         clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
         allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.3",
+        sdk_version: "1.0.4",
         sdk_type: "react-native",
         platform: import_react_native5.Platform.OS
       });
@@ -632,6 +632,235 @@ var ExpoAuthProvider = class {
   }
 };
 
+// src/providers/embedded/ExpoAuth2AuthProvider.ts
+var WebBrowser2 = __toESM(require("expo-web-browser"));
+var import_auth2 = require("@phantom/auth2");
+var ExpoAuth2AuthProvider = class {
+  constructor(stamper, auth2ProviderOptions, kmsClientOptions) {
+    this.stamper = stamper;
+    this.auth2ProviderOptions = auth2ProviderOptions;
+    this.kms = new import_auth2.Auth2KmsRpcClient(stamper, kmsClientOptions);
+  }
+  /**
+   * Runs the full PKCE Auth2 flow inline using expo-web-browser.
+   *
+   * Unlike the browser flow (which requires a page redirect and resumeAuthFromRedirect),
+   * expo-web-browser intercepts the OAuth callback URL and returns it synchronously,
+   * so the token exchange and KMS calls all happen here before returning AuthResult.
+   */
+  async authenticate(options) {
+    if (!this.stamper.getKeyInfo()) {
+      await this.stamper.init();
+    }
+    const keyPair = this.stamper.getCryptoKeyPair();
+    if (!keyPair) {
+      throw new Error("Stamper key pair not found.");
+    }
+    const codeVerifier = (0, import_auth2.createCodeVerifier)();
+    const salt = (0, import_auth2.createSalt)();
+    const url = await (0, import_auth2.createConnectStartUrl)({
+      keyPair,
+      connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
+      clientId: this.auth2ProviderOptions.clientId,
+      redirectUri: this.auth2ProviderOptions.redirectUri,
+      sessionId: options.sessionId,
+      provider: options.provider,
+      codeVerifier,
+      salt
+    });
+    await WebBrowser2.warmUpAsync();
+    let result;
+    try {
+      result = await WebBrowser2.openAuthSessionAsync(url, this.auth2ProviderOptions.redirectUri);
+    } finally {
+      await WebBrowser2.coolDownAsync();
+    }
+    if (!result.url) {
+      throw new Error("Authentication failed");
+    }
+    const callbackUrl = new URL(result.url);
+    const state = callbackUrl.searchParams.get("state");
+    if (state && state !== options.sessionId) {
+      throw new Error("Auth2 state mismatch \u2014 possible CSRF attack.");
+    }
+    const error = callbackUrl.searchParams.get("error");
+    if (error) {
+      const description = callbackUrl.searchParams.get("error_description");
+      throw new Error(`Auth2 callback error: ${description ?? error}`);
+    }
+    const code = callbackUrl.searchParams.get("code");
+    if (!code) {
+      throw new Error("Auth2 callback missing authorization code");
+    }
+    const { idToken, bearerToken, authUserId, expiresInMs } = await (0, import_auth2.exchangeAuthCode)({
+      authApiBaseUrl: this.auth2ProviderOptions.authApiBaseUrl,
+      clientId: this.auth2ProviderOptions.clientId,
+      redirectUri: this.auth2ProviderOptions.redirectUri,
+      code,
+      codeVerifier
+    });
+    this.stamper.idToken = idToken;
+    this.stamper.salt = salt;
+    const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
+    return {
+      walletId,
+      organizationId,
+      provider: options.provider,
+      accountDerivationIndex: 0,
+      // discoverWalletId uses derivation index of 0.
+      expiresInMs,
+      authUserId,
+      bearerToken
+    };
+  }
+};
+
+// src/providers/embedded/ExpoAuth2Stamper.ts
+var SecureStore2 = __toESM(require("expo-secure-store"));
+var import_bs58 = __toESM(require("bs58"));
+var import_buffer = require("buffer");
+var import_base64url = require("@phantom/base64url");
+var import_sdk_types = require("@phantom/sdk-types");
+var ExpoAuth2Stamper = class {
+  /**
+   * @param storageKey - expo-secure-store key used to persist the P-256 private key.
+   *   Use a unique key per app, e.g. `phantom-auth2-<appId>`.
+   */
+  constructor(storageKey) {
+    this.storageKey = storageKey;
+    this.privateKey = null;
+    this.publicKey = null;
+    this._keyInfo = null;
+    this.algorithm = import_sdk_types.Algorithm.secp256r1;
+    this.type = "OIDC";
+  }
+  async init() {
+    const stored = await this.loadRecord();
+    if (stored) {
+      this.privateKey = await this.importPrivateKey(stored.privateKeyPkcs8);
+      this.publicKey = await this.importPublicKeyFromBase58(stored.keyInfo.publicKey);
+      this._keyInfo = stored.keyInfo;
+      return this._keyInfo;
+    }
+    return this.generateAndStore();
+  }
+  getKeyInfo() {
+    return this._keyInfo;
+  }
+  getCryptoKeyPair() {
+    if (!this.privateKey || !this.publicKey)
+      return null;
+    return { privateKey: this.privateKey, publicKey: this.publicKey };
+  }
+  async stamp(params) {
+    if (!this.privateKey || !this._keyInfo) {
+      throw new Error("ExpoAuth2Stamper not initialized. Call init() first.");
+    }
+    const signatureRaw = await crypto.subtle.sign(
+      { name: "ECDSA", hash: "SHA-256" },
+      this.privateKey,
+      new Uint8Array(params.data)
+    );
+    const rawPublicKey = import_bs58.default.decode(this._keyInfo.publicKey);
+    if (this.idToken === void 0 || this.salt === void 0) {
+      throw new Error("ExpoAuth2Stamper not initialized with idToken or salt.");
+    }
+    const stampData = {
+      kind: "OIDC",
+      idToken: this.idToken,
+      publicKey: (0, import_base64url.base64urlEncode)(rawPublicKey),
+      algorithm: "Secp256r1",
+      salt: this.salt,
+      signature: (0, import_base64url.base64urlEncode)(new Uint8Array(signatureRaw))
+    };
+    return (0, import_base64url.base64urlEncode)(new TextEncoder().encode(JSON.stringify(stampData)));
+  }
+  async resetKeyPair() {
+    await this.clearStoredRecord();
+    this.privateKey = null;
+    this.publicKey = null;
+    this._keyInfo = null;
+    return this.generateAndStore();
+  }
+  async clear() {
+    await this.clearStoredRecord();
+    this.privateKey = null;
+    this.publicKey = null;
+    this._keyInfo = null;
+  }
+  // Auth2 doesn't use key rotation; minimal no-op implementations.
+  async rotateKeyPair() {
+    return this.init();
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await
+  async commitRotation(authenticatorId) {
+    if (this._keyInfo) {
+      this._keyInfo.authenticatorId = authenticatorId;
+    }
+  }
+  async rollbackRotation() {
+  }
+  async generateAndStore() {
+    const keyPair = await crypto.subtle.generateKey(
+      { name: "ECDSA", namedCurve: "P-256" },
+      true,
+      // extractable — needed to export PKCS#8 for SecureStore
+      ["sign", "verify"]
+    );
+    const rawPublicKey = new Uint8Array(await crypto.subtle.exportKey("raw", keyPair.publicKey));
+    const publicKeyBase58 = import_bs58.default.encode(rawPublicKey);
+    const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
+    const keyId = (0, import_base64url.base64urlEncode)(new Uint8Array(keyIdBuffer)).substring(0, 16);
+    this._keyInfo = { keyId, publicKey: publicKeyBase58, createdAt: Date.now() };
+    const pkcs8Buffer = await crypto.subtle.exportKey("pkcs8", keyPair.privateKey);
+    const privateKeyPkcs8 = import_buffer.Buffer.from(pkcs8Buffer).toString("base64");
+    await SecureStore2.setItemAsync(
+      this.storageKey,
+      JSON.stringify({ privateKeyPkcs8, keyInfo: this._keyInfo }),
+      { requireAuthentication: false }
+    );
+    this.privateKey = await this.importPrivateKey(privateKeyPkcs8);
+    this.publicKey = keyPair.publicKey;
+    return this._keyInfo;
+  }
+  async importPublicKeyFromBase58(base58PublicKey) {
+    const rawBytes = import_bs58.default.decode(base58PublicKey);
+    return crypto.subtle.importKey(
+      "raw",
+      rawBytes.buffer.slice(rawBytes.byteOffset, rawBytes.byteOffset + rawBytes.byteLength),
+      { name: "ECDSA", namedCurve: "P-256" },
+      true,
+      // extractable so createAuth2RequestJar can export it as JWK
+      ["verify"]
+    );
+  }
+  async importPrivateKey(pkcs8Base64) {
+    const pkcs8Bytes = import_buffer.Buffer.from(pkcs8Base64, "base64");
+    return crypto.subtle.importKey(
+      "pkcs8",
+      pkcs8Bytes,
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      // non-extractable once loaded into memory
+      ["sign"]
+    );
+  }
+  async loadRecord() {
+    try {
+      const raw = await SecureStore2.getItemAsync(this.storageKey);
+      return raw ? JSON.parse(raw) : null;
+    } catch {
+      return null;
+    }
+  }
+  async clearStoredRecord() {
+    try {
+      await SecureStore2.deleteItemAsync(this.storageKey);
+    } catch {
+    }
+  }
+};
+
 // src/providers/embedded/url-params.ts
 var import_react_native6 = require("react-native");
 var ExpoURLParamsAccessor = class {
@@ -701,11 +930,11 @@ var ExpoURLParamsAccessor = class {
 };
 
 // src/providers/embedded/stamper.ts
-var SecureStore2 = __toESM(require("expo-secure-store"));
+var SecureStore3 = __toESM(require("expo-secure-store"));
 var import_api_key_stamper = require("@phantom/api-key-stamper");
 var import_constants2 = require("@phantom/constants");
 var import_crypto = require("@phantom/crypto");
-var import_base64url = require("@phantom/base64url");
+var import_base64url2 = require("@phantom/base64url");
 var ReactNativeStamper = class {
   // Optional for PKI, required for OIDC
   constructor(config = {}) {
@@ -761,11 +990,11 @@ var ReactNativeStamper = class {
     const activeKey = this.getActiveKeyName();
     const pendingKey = this.getPendingKeyName();
     try {
-      await SecureStore2.deleteItemAsync(activeKey);
+      await SecureStore3.deleteItemAsync(activeKey);
     } catch (error) {
     }
     try {
-      await SecureStore2.deleteItemAsync(pendingKey);
+      await SecureStore3.deleteItemAsync(pendingKey);
     } catch (error) {
     }
     this.activeKeyRecord = null;
@@ -787,7 +1016,7 @@ var ReactNativeStamper = class {
     }
     if (this.activeKeyRecord) {
       try {
-        await SecureStore2.deleteItemAsync(this.getActiveKeyName());
+        await SecureStore3.deleteItemAsync(this.getActiveKeyName());
       } catch (error) {
       }
     }
@@ -798,7 +1027,7 @@ var ReactNativeStamper = class {
     this.pendingKeyRecord = null;
     await this.storeKeyRecord(this.activeKeyRecord, "active");
     try {
-      await SecureStore2.deleteItemAsync(this.getPendingKeyName());
+      await SecureStore3.deleteItemAsync(this.getPendingKeyName());
     } catch (error) {
     }
   }
@@ -810,7 +1039,7 @@ var ReactNativeStamper = class {
       return;
     }
     try {
-      await SecureStore2.deleteItemAsync(this.getPendingKeyName());
+      await SecureStore3.deleteItemAsync(this.getPendingKeyName());
     } catch (error) {
     }
     this.pendingKeyRecord = null;
@@ -836,18 +1065,18 @@ var ReactNativeStamper = class {
     return record;
   }
   createKeyId(publicKey) {
-    return (0, import_base64url.base64urlEncode)(new TextEncoder().encode(publicKey)).substring(0, 16);
+    return (0, import_base64url2.base64urlEncode)(new TextEncoder().encode(publicKey)).substring(0, 16);
   }
   async storeKeyRecord(record, type) {
     const keyName = type === "active" ? this.getActiveKeyName() : this.getPendingKeyName();
-    await SecureStore2.setItemAsync(keyName, JSON.stringify(record), {
+    await SecureStore3.setItemAsync(keyName, JSON.stringify(record), {
       requireAuthentication: false
     });
   }
   async loadActiveKeyRecord() {
     try {
       const activeKey = this.getActiveKeyName();
-      const storedRecord = await SecureStore2.getItemAsync(activeKey);
+      const storedRecord = await SecureStore3.getItemAsync(activeKey);
       if (storedRecord) {
         return JSON.parse(storedRecord);
       }
@@ -858,7 +1087,7 @@ var ReactNativeStamper = class {
   async loadPendingKeyRecord() {
     try {
       const pendingKey = this.getPendingKeyName();
-      const storedRecord = await SecureStore2.getItemAsync(pendingKey);
+      const storedRecord = await SecureStore3.getItemAsync(pendingKey);
       if (storedRecord) {
         return JSON.parse(storedRecord);
       }
@@ -940,13 +1169,25 @@ function PhantomProvider({ children, config, debugConfig, theme, appIcon, appNam
   }, [config]);
   const sdk = (0, import_react8.useMemo)(() => {
     const storage = new ExpoSecureStorage();
-    const authProvider = new ExpoAuthProvider();
     const urlParamsAccessor = new ExpoURLParamsAccessor();
     const logger = new ExpoLogger(debugConfig?.enabled || false);
-    const stamper = new ReactNativeStamper({
+    const stamper = config.unstable__auth2Options ? new ExpoAuth2Stamper(`phantom-auth2-${memoizedConfig.appId}`) : new ReactNativeStamper({
       keyPrefix: `phantom-rn-${memoizedConfig.appId}`,
       appId: memoizedConfig.appId
     });
+    const authProvider = config.unstable__auth2Options && config.authOptions?.authUrl && config.authOptions?.redirectUrl && config.apiBaseUrl && stamper instanceof ExpoAuth2Stamper ? new ExpoAuth2AuthProvider(
+      stamper,
+      {
+        redirectUri: config.authOptions.redirectUrl,
+        connectLoginUrl: config.authOptions.authUrl,
+        clientId: config.unstable__auth2Options.clientId,
+        authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl
+      },
+      {
+        apiBaseUrl: config.apiBaseUrl,
+        appId: config.appId
+      }
+    ) : new ExpoAuthProvider();
     const platformName = `${import_react_native7.Platform.OS}-${import_react_native7.Platform.Version}`;
     const platform = {
       storage,
@@ -957,16 +1198,17 @@ function PhantomProvider({ children, config, debugConfig, theme, appIcon, appNam
       name: platformName,
       analyticsHeaders: {
         [import_constants3.ANALYTICS_HEADERS.SDK_TYPE]: "react-native",
-        [import_constants3.ANALYTICS_HEADERS.PLATFORM]: import_react_native7.Platform.OS,
+        [import_constants3.ANALYTICS_HEADERS.PLATFORM]: "ext-sdk",
         [import_constants3.ANALYTICS_HEADERS.PLATFORM_VERSION]: `${import_react_native7.Platform.Version}`,
+        [import_constants3.ANALYTICS_HEADERS.CLIENT]: import_react_native7.Platform.OS,
         [import_constants3.ANALYTICS_HEADERS.APP_ID]: config.appId,
         [import_constants3.ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [import_constants3.ANALYTICS_HEADERS.SDK_VERSION]: "1.0.3"
+        [import_constants3.ANALYTICS_HEADERS.SDK_VERSION]: "1.0.4"
         // Replaced at build time
       }
     };
     return new import_embedded_provider_core.EmbeddedProvider(memoizedConfig, platform, logger);
-  }, [memoizedConfig, debugConfig, config.appId, config.embeddedWalletType]);
+  }, [memoizedConfig, debugConfig, config]);
   (0, import_react8.useEffect)(() => {
     const handleConnectStart = () => {
       setIsConnecting(true);

package/dist/index.mjs

@@ -515,7 +515,7 @@ var ExpoAuthProvider = class {
         // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
         clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
         allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.3",
+        sdk_version: "1.0.4",
         sdk_type: "react-native",
         platform: Platform.OS
       });
@@ -590,6 +590,241 @@ var ExpoAuthProvider = class {
   }
 };
 
+// src/providers/embedded/ExpoAuth2AuthProvider.ts
+import * as WebBrowser2 from "expo-web-browser";
+import {
+  createCodeVerifier,
+  createSalt,
+  exchangeAuthCode,
+  Auth2KmsRpcClient,
+  createConnectStartUrl
+} from "@phantom/auth2";
+var ExpoAuth2AuthProvider = class {
+  constructor(stamper, auth2ProviderOptions, kmsClientOptions) {
+    this.stamper = stamper;
+    this.auth2ProviderOptions = auth2ProviderOptions;
+    this.kms = new Auth2KmsRpcClient(stamper, kmsClientOptions);
+  }
+  /**
+   * Runs the full PKCE Auth2 flow inline using expo-web-browser.
+   *
+   * Unlike the browser flow (which requires a page redirect and resumeAuthFromRedirect),
+   * expo-web-browser intercepts the OAuth callback URL and returns it synchronously,
+   * so the token exchange and KMS calls all happen here before returning AuthResult.
+   */
+  async authenticate(options) {
+    if (!this.stamper.getKeyInfo()) {
+      await this.stamper.init();
+    }
+    const keyPair = this.stamper.getCryptoKeyPair();
+    if (!keyPair) {
+      throw new Error("Stamper key pair not found.");
+    }
+    const codeVerifier = createCodeVerifier();
+    const salt = createSalt();
+    const url = await createConnectStartUrl({
+      keyPair,
+      connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
+      clientId: this.auth2ProviderOptions.clientId,
+      redirectUri: this.auth2ProviderOptions.redirectUri,
+      sessionId: options.sessionId,
+      provider: options.provider,
+      codeVerifier,
+      salt
+    });
+    await WebBrowser2.warmUpAsync();
+    let result;
+    try {
+      result = await WebBrowser2.openAuthSessionAsync(url, this.auth2ProviderOptions.redirectUri);
+    } finally {
+      await WebBrowser2.coolDownAsync();
+    }
+    if (!result.url) {
+      throw new Error("Authentication failed");
+    }
+    const callbackUrl = new URL(result.url);
+    const state = callbackUrl.searchParams.get("state");
+    if (state && state !== options.sessionId) {
+      throw new Error("Auth2 state mismatch \u2014 possible CSRF attack.");
+    }
+    const error = callbackUrl.searchParams.get("error");
+    if (error) {
+      const description = callbackUrl.searchParams.get("error_description");
+      throw new Error(`Auth2 callback error: ${description ?? error}`);
+    }
+    const code = callbackUrl.searchParams.get("code");
+    if (!code) {
+      throw new Error("Auth2 callback missing authorization code");
+    }
+    const { idToken, bearerToken, authUserId, expiresInMs } = await exchangeAuthCode({
+      authApiBaseUrl: this.auth2ProviderOptions.authApiBaseUrl,
+      clientId: this.auth2ProviderOptions.clientId,
+      redirectUri: this.auth2ProviderOptions.redirectUri,
+      code,
+      codeVerifier
+    });
+    this.stamper.idToken = idToken;
+    this.stamper.salt = salt;
+    const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
+    return {
+      walletId,
+      organizationId,
+      provider: options.provider,
+      accountDerivationIndex: 0,
+      // discoverWalletId uses derivation index of 0.
+      expiresInMs,
+      authUserId,
+      bearerToken
+    };
+  }
+};
+
+// src/providers/embedded/ExpoAuth2Stamper.ts
+import * as SecureStore2 from "expo-secure-store";
+import bs58 from "bs58";
+import { Buffer } from "buffer";
+import { base64urlEncode } from "@phantom/base64url";
+import { Algorithm } from "@phantom/sdk-types";
+var ExpoAuth2Stamper = class {
+  /**
+   * @param storageKey - expo-secure-store key used to persist the P-256 private key.
+   *   Use a unique key per app, e.g. `phantom-auth2-<appId>`.
+   */
+  constructor(storageKey) {
+    this.storageKey = storageKey;
+    this.privateKey = null;
+    this.publicKey = null;
+    this._keyInfo = null;
+    this.algorithm = Algorithm.secp256r1;
+    this.type = "OIDC";
+  }
+  async init() {
+    const stored = await this.loadRecord();
+    if (stored) {
+      this.privateKey = await this.importPrivateKey(stored.privateKeyPkcs8);
+      this.publicKey = await this.importPublicKeyFromBase58(stored.keyInfo.publicKey);
+      this._keyInfo = stored.keyInfo;
+      return this._keyInfo;
+    }
+    return this.generateAndStore();
+  }
+  getKeyInfo() {
+    return this._keyInfo;
+  }
+  getCryptoKeyPair() {
+    if (!this.privateKey || !this.publicKey)
+      return null;
+    return { privateKey: this.privateKey, publicKey: this.publicKey };
+  }
+  async stamp(params) {
+    if (!this.privateKey || !this._keyInfo) {
+      throw new Error("ExpoAuth2Stamper not initialized. Call init() first.");
+    }
+    const signatureRaw = await crypto.subtle.sign(
+      { name: "ECDSA", hash: "SHA-256" },
+      this.privateKey,
+      new Uint8Array(params.data)
+    );
+    const rawPublicKey = bs58.decode(this._keyInfo.publicKey);
+    if (this.idToken === void 0 || this.salt === void 0) {
+      throw new Error("ExpoAuth2Stamper not initialized with idToken or salt.");
+    }
+    const stampData = {
+      kind: "OIDC",
+      idToken: this.idToken,
+      publicKey: base64urlEncode(rawPublicKey),
+      algorithm: "Secp256r1",
+      salt: this.salt,
+      signature: base64urlEncode(new Uint8Array(signatureRaw))
+    };
+    return base64urlEncode(new TextEncoder().encode(JSON.stringify(stampData)));
+  }
+  async resetKeyPair() {
+    await this.clearStoredRecord();
+    this.privateKey = null;
+    this.publicKey = null;
+    this._keyInfo = null;
+    return this.generateAndStore();
+  }
+  async clear() {
+    await this.clearStoredRecord();
+    this.privateKey = null;
+    this.publicKey = null;
+    this._keyInfo = null;
+  }
+  // Auth2 doesn't use key rotation; minimal no-op implementations.
+  async rotateKeyPair() {
+    return this.init();
+  }
+  // eslint-disable-next-line @typescript-eslint/require-await
+  async commitRotation(authenticatorId) {
+    if (this._keyInfo) {
+      this._keyInfo.authenticatorId = authenticatorId;
+    }
+  }
+  async rollbackRotation() {
+  }
+  async generateAndStore() {
+    const keyPair = await crypto.subtle.generateKey(
+      { name: "ECDSA", namedCurve: "P-256" },
+      true,
+      // extractable — needed to export PKCS#8 for SecureStore
+      ["sign", "verify"]
+    );
+    const rawPublicKey = new Uint8Array(await crypto.subtle.exportKey("raw", keyPair.publicKey));
+    const publicKeyBase58 = bs58.encode(rawPublicKey);
+    const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
+    const keyId = base64urlEncode(new Uint8Array(keyIdBuffer)).substring(0, 16);
+    this._keyInfo = { keyId, publicKey: publicKeyBase58, createdAt: Date.now() };
+    const pkcs8Buffer = await crypto.subtle.exportKey("pkcs8", keyPair.privateKey);
+    const privateKeyPkcs8 = Buffer.from(pkcs8Buffer).toString("base64");
+    await SecureStore2.setItemAsync(
+      this.storageKey,
+      JSON.stringify({ privateKeyPkcs8, keyInfo: this._keyInfo }),
+      { requireAuthentication: false }
+    );
+    this.privateKey = await this.importPrivateKey(privateKeyPkcs8);
+    this.publicKey = keyPair.publicKey;
+    return this._keyInfo;
+  }
+  async importPublicKeyFromBase58(base58PublicKey) {
+    const rawBytes = bs58.decode(base58PublicKey);
+    return crypto.subtle.importKey(
+      "raw",
+      rawBytes.buffer.slice(rawBytes.byteOffset, rawBytes.byteOffset + rawBytes.byteLength),
+      { name: "ECDSA", namedCurve: "P-256" },
+      true,
+      // extractable so createAuth2RequestJar can export it as JWK
+      ["verify"]
+    );
+  }
+  async importPrivateKey(pkcs8Base64) {
+    const pkcs8Bytes = Buffer.from(pkcs8Base64, "base64");
+    return crypto.subtle.importKey(
+      "pkcs8",
+      pkcs8Bytes,
+      { name: "ECDSA", namedCurve: "P-256" },
+      false,
+      // non-extractable once loaded into memory
+      ["sign"]
+    );
+  }
+  async loadRecord() {
+    try {
+      const raw = await SecureStore2.getItemAsync(this.storageKey);
+      return raw ? JSON.parse(raw) : null;
+    } catch {
+      return null;
+    }
+  }
+  async clearStoredRecord() {
+    try {
+      await SecureStore2.deleteItemAsync(this.storageKey);
+    } catch {
+    }
+  }
+};
+
 // src/providers/embedded/url-params.ts
 import { Linking } from "react-native";
 var ExpoURLParamsAccessor = class {
@@ -659,11 +894,11 @@ var ExpoURLParamsAccessor = class {
 };
 
 // src/providers/embedded/stamper.ts
-import * as SecureStore2 from "expo-secure-store";
+import * as SecureStore3 from "expo-secure-store";
 import { ApiKeyStamper } from "@phantom/api-key-stamper";
 import { DEFAULT_AUTHENTICATOR_ALGORITHM } from "@phantom/constants";
 import { generateKeyPair } from "@phantom/crypto";
-import { base64urlEncode } from "@phantom/base64url";
+import { base64urlEncode as base64urlEncode2 } from "@phantom/base64url";
 var ReactNativeStamper = class {
   // Optional for PKI, required for OIDC
   constructor(config = {}) {
@@ -719,11 +954,11 @@ var ReactNativeStamper = class {
     const activeKey = this.getActiveKeyName();
     const pendingKey = this.getPendingKeyName();
     try {
-      await SecureStore2.deleteItemAsync(activeKey);
+      await SecureStore3.deleteItemAsync(activeKey);
     } catch (error) {
     }
     try {
-      await SecureStore2.deleteItemAsync(pendingKey);
+      await SecureStore3.deleteItemAsync(pendingKey);
     } catch (error) {
     }
     this.activeKeyRecord = null;
@@ -745,7 +980,7 @@ var ReactNativeStamper = class {
     }
     if (this.activeKeyRecord) {
       try {
-        await SecureStore2.deleteItemAsync(this.getActiveKeyName());
+        await SecureStore3.deleteItemAsync(this.getActiveKeyName());
       } catch (error) {
       }
     }
@@ -756,7 +991,7 @@ var ReactNativeStamper = class {
     this.pendingKeyRecord = null;
     await this.storeKeyRecord(this.activeKeyRecord, "active");
     try {
-      await SecureStore2.deleteItemAsync(this.getPendingKeyName());
+      await SecureStore3.deleteItemAsync(this.getPendingKeyName());
     } catch (error) {
     }
   }
@@ -768,7 +1003,7 @@ var ReactNativeStamper = class {
       return;
     }
     try {
-      await SecureStore2.deleteItemAsync(this.getPendingKeyName());
+      await SecureStore3.deleteItemAsync(this.getPendingKeyName());
     } catch (error) {
     }
     this.pendingKeyRecord = null;
@@ -794,18 +1029,18 @@ var ReactNativeStamper = class {
     return record;
   }
   createKeyId(publicKey) {
-    return base64urlEncode(new TextEncoder().encode(publicKey)).substring(0, 16);
+    return base64urlEncode2(new TextEncoder().encode(publicKey)).substring(0, 16);
   }
   async storeKeyRecord(record, type) {
     const keyName = type === "active" ? this.getActiveKeyName() : this.getPendingKeyName();
-    await SecureStore2.setItemAsync(keyName, JSON.stringify(record), {
+    await SecureStore3.setItemAsync(keyName, JSON.stringify(record), {
       requireAuthentication: false
     });
   }
   async loadActiveKeyRecord() {
     try {
       const activeKey = this.getActiveKeyName();
-      const storedRecord = await SecureStore2.getItemAsync(activeKey);
+      const storedRecord = await SecureStore3.getItemAsync(activeKey);
       if (storedRecord) {
         return JSON.parse(storedRecord);
       }
@@ -816,7 +1051,7 @@ var ReactNativeStamper = class {
   async loadPendingKeyRecord() {
     try {
       const pendingKey = this.getPendingKeyName();
-      const storedRecord = await SecureStore2.getItemAsync(pendingKey);
+      const storedRecord = await SecureStore3.getItemAsync(pendingKey);
       if (storedRecord) {
         return JSON.parse(storedRecord);
       }
@@ -898,13 +1133,25 @@ function PhantomProvider({ children, config, debugConfig, theme, appIcon, appNam
   }, [config]);
   const sdk = useMemo2(() => {
     const storage = new ExpoSecureStorage();
-    const authProvider = new ExpoAuthProvider();
     const urlParamsAccessor = new ExpoURLParamsAccessor();
     const logger = new ExpoLogger(debugConfig?.enabled || false);
-    const stamper = new ReactNativeStamper({
+    const stamper = config.unstable__auth2Options ? new ExpoAuth2Stamper(`phantom-auth2-${memoizedConfig.appId}`) : new ReactNativeStamper({
       keyPrefix: `phantom-rn-${memoizedConfig.appId}`,
       appId: memoizedConfig.appId
     });
+    const authProvider = config.unstable__auth2Options && config.authOptions?.authUrl && config.authOptions?.redirectUrl && config.apiBaseUrl && stamper instanceof ExpoAuth2Stamper ? new ExpoAuth2AuthProvider(
+      stamper,
+      {
+        redirectUri: config.authOptions.redirectUrl,
+        connectLoginUrl: config.authOptions.authUrl,
+        clientId: config.unstable__auth2Options.clientId,
+        authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl
+      },
+      {
+        apiBaseUrl: config.apiBaseUrl,
+        appId: config.appId
+      }
+    ) : new ExpoAuthProvider();
     const platformName = `${Platform2.OS}-${Platform2.Version}`;
     const platform = {
       storage,
@@ -915,16 +1162,17 @@ function PhantomProvider({ children, config, debugConfig, theme, appIcon, appNam
       name: platformName,
       analyticsHeaders: {
         [ANALYTICS_HEADERS.SDK_TYPE]: "react-native",
-        [ANALYTICS_HEADERS.PLATFORM]: Platform2.OS,
+        [ANALYTICS_HEADERS.PLATFORM]: "ext-sdk",
         [ANALYTICS_HEADERS.PLATFORM_VERSION]: `${Platform2.Version}`,
+        [ANALYTICS_HEADERS.CLIENT]: Platform2.OS,
         [ANALYTICS_HEADERS.APP_ID]: config.appId,
         [ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [ANALYTICS_HEADERS.SDK_VERSION]: "1.0.3"
+        [ANALYTICS_HEADERS.SDK_VERSION]: "1.0.4"
         // Replaced at build time
       }
     };
     return new EmbeddedProvider(memoizedConfig, platform, logger);
-  }, [memoizedConfig, debugConfig, config.appId, config.embeddedWalletType]);
+  }, [memoizedConfig, debugConfig, config]);
   useEffect2(() => {
     const handleConnectStart = () => {
       setIsConnecting(true);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@phantom/react-native-sdk",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "Phantom Wallet SDK for React Native and Expo applications",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -45,15 +45,16 @@
     "directory": "packages/react-native-sdk"
   },
   "dependencies": {
-    "@phantom/api-key-stamper": "^1.0.3",
-    "@phantom/base64url": "^1.0.3",
-    "@phantom/chain-interfaces": "^1.0.3",
-    "@phantom/client": "^1.0.3",
-    "@phantom/constants": "^1.0.3",
-    "@phantom/crypto": "^1.0.3",
-    "@phantom/embedded-provider-core": "^1.0.3",
-    "@phantom/sdk-types": "^1.0.3",
-    "@phantom/wallet-sdk-ui": "^1.0.3",
+    "@phantom/api-key-stamper": "^1.0.4",
+    "@phantom/auth2": "^1.0.0",
+    "@phantom/base64url": "^1.0.4",
+    "@phantom/chain-interfaces": "^1.0.4",
+    "@phantom/client": "^1.0.4",
+    "@phantom/constants": "^1.0.4",
+    "@phantom/crypto": "^1.0.4",
+    "@phantom/embedded-provider-core": "^1.0.4",
+    "@phantom/sdk-types": "^1.0.4",
+    "@phantom/wallet-sdk-ui": "^1.0.4",
     "@types/bs58": "^5.0.0",
     "bs58": "^6.0.0",
     "buffer": "^6.0.3"