@phantom/react-native-sdk 1.0.6 → 2.0.0-beta.0

package/dist/index.js

@@ -31,8 +31,10 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var src_exports = {};
 __export(src_exports, {
   AddressType: () => import_client.AddressType,
-  NetworkId: () => import_constants5.NetworkId,
+  NetworkId: () => import_constants2.NetworkId,
   PhantomProvider: () => PhantomProvider,
+  base64urlDecode: () => import_base64url.base64urlDecode,
+  base64urlEncode: () => import_base64url.base64urlEncode,
   darkTheme: () => import_wallet_sdk_ui6.darkTheme,
   lightTheme: () => import_wallet_sdk_ui6.lightTheme,
   useAccounts: () => useAccounts,
@@ -48,7 +50,7 @@ module.exports = __toCommonJS(src_exports);
 // src/PhantomProvider.tsx
 var import_react8 = require("react");
 var import_embedded_provider_core = require("@phantom/embedded-provider-core");
-var import_constants4 = require("@phantom/constants");
+var import_constants = require("@phantom/constants");
 var import_wallet_sdk_ui5 = require("@phantom/wallet-sdk-ui");
 
 // src/ModalProvider.tsx
@@ -530,110 +532,8 @@ var ExpoSecureStorage = class {
   }
 };
 
-// src/providers/embedded/auth.ts
-var WebBrowser = __toESM(require("expo-web-browser"));
-var import_react_native5 = require("react-native");
-var import_constants = require("@phantom/constants");
-var ExpoAuthProvider = class {
-  async authenticate(options) {
-    if ("jwtToken" in options) {
-      return;
-    }
-    const phantomOptions = options;
-    const { authUrl, redirectUrl, publicKey, sessionId, provider, appId } = phantomOptions;
-    if (!redirectUrl) {
-      throw new Error("redirectUrl is required for web browser authentication");
-    }
-    if (!publicKey || !sessionId || !appId) {
-      throw new Error("publicKey, sessionId and appId are required for authentication");
-    }
-    try {
-      const baseUrl = authUrl || import_constants.DEFAULT_AUTH_URL;
-      const params = new URLSearchParams({
-        public_key: publicKey,
-        app_id: appId,
-        redirect_uri: redirectUrl,
-        session_id: sessionId,
-        // OAuth session management - defaults to allow refresh unless explicitly clearing after logout
-        clear_previous_session: (phantomOptions.clearPreviousSession ?? false).toString(),
-        allow_refresh: (phantomOptions.allowRefresh ?? true).toString(),
-        sdk_version: "1.0.6",
-        sdk_type: "react-native",
-        platform: import_react_native5.Platform.OS
-      });
-      if (provider) {
-        console.log("[ExpoAuthProvider] Provider specified, will skip selection", { provider });
-        params.append("provider", provider);
-      } else {
-        console.log("[ExpoAuthProvider] No provider specified, defaulting to Google");
-        params.append("provider", "google");
-      }
-      const fullAuthUrl = `${baseUrl}?${params.toString()}`;
-      console.log("[ExpoAuthProvider] Starting authentication", {
-        baseUrl,
-        redirectUrl,
-        publicKey,
-        sessionId,
-        provider
-      });
-      await WebBrowser.warmUpAsync();
-      const result = await WebBrowser.openAuthSessionAsync(fullAuthUrl, redirectUrl, {
-        // Use system browser on iOS for ASWebAuthenticationSession
-        preferEphemeralSession: false
-      });
-      console.log("[ExpoAuthProvider] Authentication result", {
-        type: result.type,
-        url: result.type === "success" && result.url ? result.url.substring(0, 100) + "..." : void 0
-      });
-      if (result.type === "success" && result.url) {
-        const url = new URL(result.url);
-        const walletId = url.searchParams.get("wallet_id");
-        const organizationId = url.searchParams.get("organization_id");
-        const accountDerivationIndex = url.searchParams.get("selected_account_index");
-        const expiresInMs = url.searchParams.get("expires_in_ms");
-        const authUserId = url.searchParams.get("auth_user_id");
-        if (!walletId) {
-          throw new Error("Authentication failed: no walletId in redirect URL");
-        }
-        if (!organizationId) {
-          console.error("[ExpoAuthProvider] Missing organizationId in redirect URL", { url: result.url });
-          throw new Error("Authentication failed: no organizationId in redirect URL");
-        }
-        console.log("[ExpoAuthProvider] Auth redirect parameters", {
-          walletId,
-          organizationId,
-          provider,
-          accountDerivationIndex,
-          expiresInMs,
-          authUserId
-        });
-        return {
-          walletId,
-          organizationId,
-          provider: provider || void 0,
-          accountDerivationIndex: accountDerivationIndex ? parseInt(accountDerivationIndex) : 0,
-          expiresInMs: expiresInMs ? parseInt(expiresInMs) : 0,
-          authUserId: authUserId || void 0
-        };
-      } else if (result.type === "cancel") {
-        throw new Error("User cancelled authentication");
-      } else {
-        throw new Error("Authentication failed");
-      }
-    } catch (error) {
-      console.error("[ExpoAuthProvider] Authentication error", error);
-      throw error;
-    } finally {
-      await WebBrowser.coolDownAsync();
-    }
-  }
-  isAvailable() {
-    return Promise.resolve(true);
-  }
-};
-
 // src/providers/embedded/ExpoAuth2AuthProvider.ts
-var WebBrowser2 = __toESM(require("expo-web-browser"));
+var WebBrowser = __toESM(require("expo-web-browser"));
 var import_auth2 = require("@phantom/auth2");
 var ExpoAuth2AuthProvider = class {
   constructor(stamper, auth2ProviderOptions, kmsClientOptions) {
@@ -649,246 +549,111 @@ var ExpoAuth2AuthProvider = class {
    * so the token exchange and KMS calls all happen here before returning AuthResult.
    */
   async authenticate(options) {
-    if (!this.stamper.getKeyInfo()) {
-      await this.stamper.init();
-    }
-    const keyPair = this.stamper.getCryptoKeyPair();
-    if (!keyPair) {
-      throw new Error("Stamper key pair not found.");
-    }
-    const codeVerifier = (0, import_auth2.createCodeVerifier)();
-    const url = await (0, import_auth2.createConnectStartUrl)({
-      keyPair,
-      connectLoginUrl: this.auth2ProviderOptions.connectLoginUrl,
-      clientId: this.auth2ProviderOptions.clientId,
-      redirectUri: this.auth2ProviderOptions.redirectUri,
+    const { url, codeVerifier } = await (0, import_auth2.prepareAuth2Flow)({
+      stamper: this.stamper,
+      auth2Options: this.auth2ProviderOptions,
       sessionId: options.sessionId,
-      provider: options.provider,
-      codeVerifier,
-      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
-      salt: ""
+      provider: options.provider
     });
-    await WebBrowser2.warmUpAsync();
+    await WebBrowser.warmUpAsync();
     let result;
     try {
-      result = await WebBrowser2.openAuthSessionAsync(url, this.auth2ProviderOptions.redirectUri);
+      result = await WebBrowser.openAuthSessionAsync(url, this.auth2ProviderOptions.redirectUri);
     } finally {
-      await WebBrowser2.coolDownAsync();
+      await WebBrowser.coolDownAsync();
     }
     if (!result.url) {
       throw new Error("Authentication failed");
     }
     const callbackUrl = new URL(result.url);
-    const state = callbackUrl.searchParams.get("state");
-    if (state && state !== options.sessionId) {
-      throw new Error("Auth2 state mismatch \u2014 possible CSRF attack.");
-    }
-    const error = callbackUrl.searchParams.get("error");
-    if (error) {
-      const description = callbackUrl.searchParams.get("error_description");
-      throw new Error(`Auth2 callback error: ${description ?? error}`);
-    }
-    const code = callbackUrl.searchParams.get("code");
-    if (!code) {
-      throw new Error("Auth2 callback missing authorization code");
-    }
-    const { idToken, bearerToken, authUserId, expiresInMs, refreshToken } = await (0, import_auth2.exchangeAuthCode)({
-      authApiBaseUrl: this.auth2ProviderOptions.authApiBaseUrl,
-      clientId: this.auth2ProviderOptions.clientId,
-      redirectUri: this.auth2ProviderOptions.redirectUri,
+    const code = (0, import_auth2.validateAuth2Callback)({
+      getParam: (key) => callbackUrl.searchParams.get(key),
+      expectedSessionId: options.sessionId
+    });
+    return (0, import_auth2.completeAuth2Exchange)({
+      stamper: this.stamper,
+      kms: this.kms,
+      auth2Options: this.auth2ProviderOptions,
       code,
-      codeVerifier
+      codeVerifier,
+      provider: options.provider
     });
-    await this.stamper.setTokens({ idToken, bearerToken, refreshToken, expiresInMs });
-    const { organizationId, walletId } = await this.kms.discoverOrganizationAndWalletId(bearerToken, authUserId);
-    return {
-      walletId,
-      organizationId,
-      provider: options.provider,
-      accountDerivationIndex: 0,
-      // discoverWalletId uses derivation index of 0.
-      expiresInMs,
-      authUserId,
-      bearerToken
-    };
   }
 };
 
-// src/providers/embedded/ExpoAuth2Stamper.ts
+// src/PhantomProvider.tsx
+var import_auth22 = require("@phantom/auth2");
+
+// src/providers/embedded/SecureStoreAuth2StamperStorage.ts
 var SecureStore2 = __toESM(require("expo-secure-store"));
 var import_bs58 = __toESM(require("bs58"));
 var import_buffer = require("buffer");
-var import_base64url = require("@phantom/base64url");
-var import_sdk_types = require("@phantom/sdk-types");
-var import_auth22 = require("@phantom/auth2");
-var import_constants2 = require("@phantom/constants");
-var ExpoAuth2Stamper = class {
-  /**
-   * @param storageKey - expo-secure-store key used to persist the P-256 private key.
-   *   Use a unique key per app, e.g. `phantom-auth2-<appId>`.
-   * @param refreshConfig - When provided, the stamper will automatically refresh
-   *   the id_token using the refresh_token before it expires.
-   */
-  constructor(storageKey, refreshConfig) {
+var SecureStoreAuth2StamperStorage = class {
+  constructor(storageKey) {
     this.storageKey = storageKey;
-    this.refreshConfig = refreshConfig;
-    this._keyPair = null;
-    this._keyInfo = null;
-    this._idToken = null;
-    this._bearerToken = null;
-    this._refreshToken = null;
-    this._tokenExpiresAt = null;
-    this.algorithm = import_sdk_types.Algorithm.secp256r1;
-    this.type = "OIDC";
+    this.requiresExtractableKeys = true;
   }
-  async init() {
-    const stored = await this.loadRecord();
-    if (stored) {
-      this._keyPair = {
-        privateKey: await this.importPrivateKey(stored.privateKeyPkcs8),
-        publicKey: await this.importPublicKeyFromBase58(stored.keyInfo.publicKey)
-      };
-      this._keyInfo = stored.keyInfo;
-      if (stored.idToken) {
-        this._idToken = stored.idToken;
-      }
-      if (stored.bearerToken) {
-        this._bearerToken = stored.bearerToken;
-      }
-      if (stored.refreshToken) {
-        this._refreshToken = stored.refreshToken;
-      }
-      if (stored.tokenExpiresAt) {
-        this._tokenExpiresAt = stored.tokenExpiresAt;
-      }
-      return this._keyInfo;
+  async load() {
+    const raw = await SecureStore2.getItemAsync(this.storageKey);
+    if (raw === null) {
+      return null;
     }
-    return this.generateAndStore();
-  }
-  getKeyInfo() {
-    return this._keyInfo;
-  }
-  getCryptoKeyPair() {
-    return this._keyPair;
-  }
-  /**
-   * Returns the current token state (refreshing proactively if near expiry),
-   * or null if no token has been set yet.
-   */
-  async getTokens() {
-    if (this.refreshConfig && this._refreshToken && this._tokenExpiresAt !== null && Date.now() >= this._tokenExpiresAt - import_constants2.TOKEN_REFRESH_BUFFER_MS) {
-      const refreshed = await (0, import_auth22.refreshToken)({
-        authApiBaseUrl: this.refreshConfig.authApiBaseUrl,
-        clientId: this.refreshConfig.clientId,
-        redirectUri: this.refreshConfig.redirectUri,
-        refreshToken: this._refreshToken
-      });
-      await this.setTokens(refreshed);
+    let record;
+    try {
+      record = JSON.parse(raw);
+    } catch (err) {
+      await SecureStore2.deleteItemAsync(this.storageKey);
+      throw new Error(`SecureStoreAuth2StamperStorage: corrupt stored record (JSON parse failed): ${err}`);
     }
-    if (!this._idToken || !this._bearerToken) {
-      return null;
+    let privateKey;
+    let publicKey;
+    try {
+      privateKey = await this.importPrivateKey(record.privateKeyPkcs8);
+      publicKey = await this.importPublicKeyFromBase58(record.keyInfo.publicKey);
+    } catch (err) {
+      await SecureStore2.deleteItemAsync(this.storageKey);
+      throw new Error(`SecureStoreAuth2StamperStorage: corrupt stored record (key import failed): ${err}`);
     }
     return {
-      idToken: this._idToken,
-      bearerToken: this._bearerToken,
-      refreshToken: this._refreshToken ?? void 0
+      keyPair: { privateKey, publicKey },
+      keyInfo: record.keyInfo,
+      accessToken: record.accessToken,
+      idType: record.idType,
+      refreshToken: record.refreshToken,
+      tokenExpiresAt: record.tokenExpiresAt
     };
   }
-  /**
-   * Arms the stamper with the OIDC token data for subsequent KMS stamp() calls.
-   *
-   * Persists the tokens to SecureStore alongside the key pair so that
-   * auto-connect can restore them on the next app launch without a new login.
-   *
-   * @param refreshToken - When provided alongside a `refreshConfig`, enables
-   *   silent token refresh before the token expires.
-   * @param expiresInMs - Token lifetime in milliseconds (from `expires_in * 1000`).
-   *   Used to compute the absolute expiry time for proactive refresh.
-   */
-  async setTokens({
-    idToken,
-    bearerToken,
-    refreshToken,
-    expiresInMs
-  }) {
-    this._idToken = idToken;
-    this._bearerToken = bearerToken;
-    this._refreshToken = refreshToken ?? null;
-    this._tokenExpiresAt = expiresInMs != null ? Date.now() + expiresInMs : null;
-    const existing = await this.loadRecord();
-    if (existing) {
-      await this.storeRecord({
-        ...existing,
-        idToken,
-        bearerToken,
-        refreshToken,
-        tokenExpiresAt: this._tokenExpiresAt ?? void 0
-      });
-    }
-  }
-  async stamp(params) {
-    if (!this._keyPair || !this._keyInfo || this._idToken === null) {
-      throw new Error("ExpoAuth2Stamper not initialized. Call init() first.");
-    }
-    const signatureRaw = await crypto.subtle.sign(
-      { name: "ECDSA", hash: "SHA-256" },
-      this._keyPair.privateKey,
-      new Uint8Array(params.data)
-    );
-    const rawPublicKey = import_bs58.default.decode(this._keyInfo.publicKey);
-    const stampData = {
-      kind: this.type,
-      idToken: this._idToken,
-      publicKey: (0, import_base64url.base64urlEncode)(rawPublicKey),
-      algorithm: this.algorithm,
-      // The P-256 ephemeral key is unique per wallet, so no additional salt is needed.
-      salt: "",
-      signature: (0, import_base64url.base64urlEncode)(new Uint8Array(signatureRaw))
+  async save(record) {
+    const pkcs8Buffer = await crypto.subtle.exportKey("pkcs8", record.keyPair.privateKey);
+    const privateKeyPkcs8 = import_buffer.Buffer.from(pkcs8Buffer).toString("base64");
+    const serialized = {
+      privateKeyPkcs8,
+      keyInfo: record.keyInfo,
+      accessToken: record.accessToken,
+      idType: record.idType,
+      refreshToken: record.refreshToken,
+      tokenExpiresAt: record.tokenExpiresAt
     };
-    return (0, import_base64url.base64urlEncode)(new TextEncoder().encode(JSON.stringify(stampData)));
-  }
-  async resetKeyPair() {
-    await this.clear();
-    return this.generateAndStore();
+    await SecureStore2.setItemAsync(this.storageKey, JSON.stringify(serialized), {
+      requireAuthentication: false
+    });
   }
   async clear() {
-    await this.clearStoredRecord();
-    this._keyPair = null;
-    this._keyInfo = null;
-    this._idToken = null;
-    this._bearerToken = null;
-    this._refreshToken = null;
-    this._tokenExpiresAt = null;
-  }
-  // Auth2 doesn't use key rotation; minimal no-op implementations.
-  async rotateKeyPair() {
-    return this.init();
-  }
-  // eslint-disable-next-line @typescript-eslint/require-await
-  async commitRotation(authenticatorId) {
-    if (this._keyInfo) {
-      this._keyInfo.authenticatorId = authenticatorId;
+    try {
+      await SecureStore2.deleteItemAsync(this.storageKey);
+    } catch {
     }
   }
-  async rollbackRotation() {
-  }
-  async generateAndStore() {
-    const keyPair = await crypto.subtle.generateKey(
+  async importPrivateKey(pkcs8Base64) {
+    const pkcs8Bytes = import_buffer.Buffer.from(pkcs8Base64, "base64");
+    return crypto.subtle.importKey(
+      "pkcs8",
+      pkcs8Bytes,
       { name: "ECDSA", namedCurve: "P-256" },
-      true,
-      // extractable — needed to export PKCS#8 for SecureStore
-      ["sign", "verify"]
+      this.requiresExtractableKeys,
+      // extractable so save() can re-export via pkcs8
+      ["sign"]
     );
-    const rawPublicKey = new Uint8Array(await crypto.subtle.exportKey("raw", keyPair.publicKey));
-    const publicKeyBase58 = import_bs58.default.encode(rawPublicKey);
-    const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKey.buffer);
-    const keyId = (0, import_base64url.base64urlEncode)(new Uint8Array(keyIdBuffer)).substring(0, 16);
-    this._keyPair = keyPair;
-    this._keyInfo = { keyId, publicKey: publicKeyBase58, createdAt: Date.now() };
-    const pkcs8Buffer = await crypto.subtle.exportKey("pkcs8", keyPair.privateKey);
-    const privateKeyPkcs8 = import_buffer.Buffer.from(pkcs8Buffer).toString("base64");
-    await this.storeRecord({ privateKeyPkcs8, keyInfo: this._keyInfo });
-    return this._keyInfo;
   }
   async importPublicKeyFromBase58(base58PublicKey) {
     const rawBytes = import_bs58.default.decode(base58PublicKey);
@@ -901,38 +666,10 @@ var ExpoAuth2Stamper = class {
       ["verify"]
     );
   }
-  async importPrivateKey(pkcs8Base64) {
-    const pkcs8Bytes = import_buffer.Buffer.from(pkcs8Base64, "base64");
-    return crypto.subtle.importKey(
-      "pkcs8",
-      pkcs8Bytes,
-      { name: "ECDSA", namedCurve: "P-256" },
-      false,
-      // non-extractable once loaded into memory
-      ["sign"]
-    );
-  }
-  async loadRecord() {
-    try {
-      const raw = await SecureStore2.getItemAsync(this.storageKey);
-      return raw ? JSON.parse(raw) : null;
-    } catch {
-      return null;
-    }
-  }
-  async storeRecord(record) {
-    await SecureStore2.setItemAsync(this.storageKey, JSON.stringify(record), { requireAuthentication: false });
-  }
-  async clearStoredRecord() {
-    try {
-      await SecureStore2.deleteItemAsync(this.storageKey);
-    } catch {
-    }
-  }
 };
 
 // src/providers/embedded/url-params.ts
-var import_react_native6 = require("react-native");
+var import_react_native5 = require("react-native");
 var ExpoURLParamsAccessor = class {
   constructor() {
     this.listeners = /* @__PURE__ */ new Set();
@@ -944,7 +681,7 @@ var ExpoURLParamsAccessor = class {
   }
   async getInitialParams() {
     try {
-      const url = await import_react_native6.Linking.getInitialURL();
+      const url = await import_react_native5.Linking.getInitialURL();
       if (!url) {
         return null;
       }
@@ -960,7 +697,7 @@ var ExpoURLParamsAccessor = class {
     if (this.subscription) {
       return;
     }
-    this.subscription = import_react_native6.Linking.addEventListener("url", ({ url }) => {
+    this.subscription = import_react_native5.Linking.addEventListener("url", ({ url }) => {
       const params = this.parseURLParams(url);
       if (params && Object.keys(params).length > 0) {
         this.currentParams = { ...this.currentParams, ...params };
@@ -999,180 +736,6 @@ var ExpoURLParamsAccessor = class {
   }
 };
 
-// src/providers/embedded/stamper.ts
-var SecureStore3 = __toESM(require("expo-secure-store"));
-var import_api_key_stamper = require("@phantom/api-key-stamper");
-var import_constants3 = require("@phantom/constants");
-var import_crypto = require("@phantom/crypto");
-var import_base64url2 = require("@phantom/base64url");
-var ReactNativeStamper = class {
-  // Optional for PKI, required for OIDC
-  constructor(config = {}) {
-    this.activeKeyRecord = null;
-    this.pendingKeyRecord = null;
-    this.algorithm = import_constants3.DEFAULT_AUTHENTICATOR_ALGORITHM;
-    this.type = "PKI";
-    this.keyPrefix = config.keyPrefix || "phantom-rn-stamper";
-    this.appId = config.appId || "default";
-  }
-  /**
-   * Initialize the stamper and generate/load cryptographic keys
-   */
-  async init() {
-    this.activeKeyRecord = await this.loadActiveKeyRecord();
-    if (!this.activeKeyRecord) {
-      this.activeKeyRecord = await this.generateAndStoreNewKeyRecord("active");
-    }
-    this.pendingKeyRecord = await this.loadPendingKeyRecord();
-    return this.activeKeyRecord.keyInfo;
-  }
-  /**
-   * Get the current key information
-   */
-  getKeyInfo() {
-    return this.activeKeyRecord?.keyInfo || null;
-  }
-  /**
-   * Generate and store a new key pair, replacing any existing keys
-   */
-  async resetKeyPair() {
-    await this.clear();
-    this.activeKeyRecord = await this.generateAndStoreNewKeyRecord("active");
-    this.pendingKeyRecord = null;
-    return this.activeKeyRecord.keyInfo;
-  }
-  /**
-   * Create X-Phantom-Stamp header value using stored secret key
-   * @param params - Parameters object with data to sign and optional override params
-   * @returns Complete X-Phantom-Stamp header value
-   */
-  async stamp(params) {
-    if (!this.activeKeyRecord) {
-      throw new Error("Stamper not initialized. Call init() first.");
-    }
-    const apiKeyStamper = new import_api_key_stamper.ApiKeyStamper({ apiSecretKey: this.activeKeyRecord.secretKey });
-    return await apiKeyStamper.stamp(params);
-  }
-  /**
-   * Clear all stored keys from SecureStore
-   */
-  async clear() {
-    const activeKey = this.getActiveKeyName();
-    const pendingKey = this.getPendingKeyName();
-    try {
-      await SecureStore3.deleteItemAsync(activeKey);
-    } catch (error) {
-    }
-    try {
-      await SecureStore3.deleteItemAsync(pendingKey);
-    } catch (error) {
-    }
-    this.activeKeyRecord = null;
-    this.pendingKeyRecord = null;
-  }
-  /**
-   * Generate a new keypair for rotation without making it active
-   */
-  async rotateKeyPair() {
-    this.pendingKeyRecord = await this.generateAndStoreNewKeyRecord("pending");
-    return this.pendingKeyRecord.keyInfo;
-  }
-  /**
-   * Switch to the pending keypair, making it active and cleaning up the old one
-   */
-  async commitRotation(authenticatorId) {
-    if (!this.pendingKeyRecord) {
-      throw new Error("No pending keypair to commit");
-    }
-    if (this.activeKeyRecord) {
-      try {
-        await SecureStore3.deleteItemAsync(this.getActiveKeyName());
-      } catch (error) {
-      }
-    }
-    this.pendingKeyRecord.status = "active";
-    this.pendingKeyRecord.authenticatorId = authenticatorId;
-    this.pendingKeyRecord.keyInfo.authenticatorId = authenticatorId;
-    this.activeKeyRecord = this.pendingKeyRecord;
-    this.pendingKeyRecord = null;
-    await this.storeKeyRecord(this.activeKeyRecord, "active");
-    try {
-      await SecureStore3.deleteItemAsync(this.getPendingKeyName());
-    } catch (error) {
-    }
-  }
-  /**
-   * Discard the pending keypair on rotation failure
-   */
-  async rollbackRotation() {
-    if (!this.pendingKeyRecord) {
-      return;
-    }
-    try {
-      await SecureStore3.deleteItemAsync(this.getPendingKeyName());
-    } catch (error) {
-    }
-    this.pendingKeyRecord = null;
-  }
-  async generateAndStoreNewKeyRecord(type) {
-    const keypair = (0, import_crypto.generateKeyPair)();
-    const keyId = this.createKeyId(keypair.publicKey);
-    const now = Date.now();
-    const keyInfo = {
-      keyId,
-      publicKey: keypair.publicKey,
-      createdAt: now
-    };
-    const record = {
-      keyInfo,
-      secretKey: keypair.secretKey,
-      createdAt: now,
-      expiresAt: 0,
-      // Not used anymore, kept for backward compatibility
-      status: type
-    };
-    await this.storeKeyRecord(record, type);
-    return record;
-  }
-  createKeyId(publicKey) {
-    return (0, import_base64url2.base64urlEncode)(new TextEncoder().encode(publicKey)).substring(0, 16);
-  }
-  async storeKeyRecord(record, type) {
-    const keyName = type === "active" ? this.getActiveKeyName() : this.getPendingKeyName();
-    await SecureStore3.setItemAsync(keyName, JSON.stringify(record), {
-      requireAuthentication: false
-    });
-  }
-  async loadActiveKeyRecord() {
-    try {
-      const activeKey = this.getActiveKeyName();
-      const storedRecord = await SecureStore3.getItemAsync(activeKey);
-      if (storedRecord) {
-        return JSON.parse(storedRecord);
-      }
-    } catch (error) {
-    }
-    return null;
-  }
-  async loadPendingKeyRecord() {
-    try {
-      const pendingKey = this.getPendingKeyName();
-      const storedRecord = await SecureStore3.getItemAsync(pendingKey);
-      if (storedRecord) {
-        return JSON.parse(storedRecord);
-      }
-    } catch (error) {
-    }
-    return null;
-  }
-  getActiveKeyName() {
-    return `${this.keyPrefix}-${this.appId}-active`;
-  }
-  getPendingKeyName() {
-    return `${this.keyPrefix}-${this.appId}-pending`;
-  }
-};
-
 // src/providers/embedded/logger.ts
 var ExpoLogger = class {
   constructor(enabled = false) {
@@ -1215,7 +778,7 @@ var ReactNativePhantomAppProvider = class {
 };
 
 // src/PhantomProvider.tsx
-var import_react_native7 = require("react-native");
+var import_react_native6 = require("react-native");
 var import_jsx_runtime6 = require("react/jsx-runtime");
 function PhantomProvider({ children, config, debugConfig, theme, appIcon, appName }) {
   const [isConnected, setIsConnected] = (0, import_react8.useState)(false);
@@ -1228,12 +791,12 @@ function PhantomProvider({ children, config, debugConfig, theme, appIcon, appNam
     const redirectUrl = config.authOptions?.redirectUrl || `${config.scheme}://phantom-auth-callback`;
     return {
       ...config,
-      apiBaseUrl: config.apiBaseUrl || import_constants4.DEFAULT_WALLET_API_URL,
-      embeddedWalletType: config.embeddedWalletType || import_constants4.DEFAULT_EMBEDDED_WALLET_TYPE,
+      apiBaseUrl: config.apiBaseUrl || import_constants.DEFAULT_WALLET_API_URL,
+      embeddedWalletType: config.embeddedWalletType || import_constants.DEFAULT_EMBEDDED_WALLET_TYPE,
       authOptions: {
-        ...config.authOptions || {},
         redirectUrl,
-        authUrl: config.authOptions?.authUrl || import_constants4.DEFAULT_AUTH_URL
+        authUrl: config.authOptions?.authUrl || import_constants.DEFAULT_AUTH_URL,
+        authApiBaseUrl: config.authOptions?.authApiBaseUrl || import_constants.DEFAULT_AUTH_API_BASE_URL
       }
     };
   }, [config]);
@@ -1241,28 +804,25 @@ function PhantomProvider({ children, config, debugConfig, theme, appIcon, appNam
     const storage = new ExpoSecureStorage();
     const urlParamsAccessor = new ExpoURLParamsAccessor();
     const logger = new ExpoLogger(debugConfig?.enabled || false);
-    const stamper = config.unstable__auth2Options && config.authOptions?.redirectUrl ? new ExpoAuth2Stamper(`phantom-auth2-${memoizedConfig.appId}`, {
-      authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl,
-      clientId: config.unstable__auth2Options.clientId,
-      redirectUri: config.authOptions.redirectUrl
-    }) : new ReactNativeStamper({
-      keyPrefix: `phantom-rn-${memoizedConfig.appId}`,
-      appId: memoizedConfig.appId
+    const stamper = new import_auth22.Auth2Stamper(new SecureStoreAuth2StamperStorage(`phantom-auth2-${memoizedConfig.appId}`), {
+      authApiBaseUrl: memoizedConfig.authOptions.authApiBaseUrl,
+      clientId: memoizedConfig.appId,
+      redirectUri: memoizedConfig.authOptions.redirectUrl
     });
-    const authProvider = config.unstable__auth2Options && config.authOptions?.authUrl && config.authOptions?.redirectUrl && config.apiBaseUrl && stamper instanceof ExpoAuth2Stamper ? new ExpoAuth2AuthProvider(
+    const authProvider = new ExpoAuth2AuthProvider(
       stamper,
       {
-        redirectUri: config.authOptions.redirectUrl,
-        connectLoginUrl: config.authOptions.authUrl,
-        clientId: config.unstable__auth2Options.clientId,
-        authApiBaseUrl: config.unstable__auth2Options.authApiBaseUrl
+        redirectUri: memoizedConfig.authOptions.redirectUrl,
+        connectLoginUrl: memoizedConfig.authOptions.authUrl,
+        clientId: memoizedConfig.appId,
+        authApiBaseUrl: memoizedConfig.authOptions.authApiBaseUrl
       },
       {
-        apiBaseUrl: config.apiBaseUrl,
-        appId: config.appId
+        apiBaseUrl: memoizedConfig.apiBaseUrl,
+        appId: memoizedConfig.appId
       }
-    ) : new ExpoAuthProvider();
-    const platformName = `${import_react_native7.Platform.OS}-${import_react_native7.Platform.Version}`;
+    );
+    const platformName = `${import_react_native6.Platform.OS}-${import_react_native6.Platform.Version}`;
     const platform = {
       storage,
       authProvider,
@@ -1271,13 +831,13 @@ function PhantomProvider({ children, config, debugConfig, theme, appIcon, appNam
       phantomAppProvider: new ReactNativePhantomAppProvider(),
       name: platformName,
       analyticsHeaders: {
-        [import_constants4.ANALYTICS_HEADERS.SDK_TYPE]: "react-native",
-        [import_constants4.ANALYTICS_HEADERS.PLATFORM]: "ext-sdk",
-        [import_constants4.ANALYTICS_HEADERS.PLATFORM_VERSION]: `${import_react_native7.Platform.Version}`,
-        [import_constants4.ANALYTICS_HEADERS.CLIENT]: import_react_native7.Platform.OS,
-        [import_constants4.ANALYTICS_HEADERS.APP_ID]: config.appId,
-        [import_constants4.ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
-        [import_constants4.ANALYTICS_HEADERS.SDK_VERSION]: "1.0.6"
+        [import_constants.ANALYTICS_HEADERS.SDK_TYPE]: "react-native",
+        [import_constants.ANALYTICS_HEADERS.PLATFORM]: "ext-sdk",
+        [import_constants.ANALYTICS_HEADERS.PLATFORM_VERSION]: `${import_react_native6.Platform.Version}`,
+        [import_constants.ANALYTICS_HEADERS.CLIENT]: import_react_native6.Platform.OS,
+        [import_constants.ANALYTICS_HEADERS.APP_ID]: config.appId,
+        [import_constants.ANALYTICS_HEADERS.WALLET_TYPE]: config.embeddedWalletType,
+        [import_constants.ANALYTICS_HEADERS.SDK_VERSION]: "2.0.0-beta.0"
         // Replaced at build time
       }
     };
@@ -1391,13 +951,16 @@ function useEthereum() {
 
 // src/index.ts
 var import_client = require("@phantom/client");
-var import_constants5 = require("@phantom/constants");
+var import_constants2 = require("@phantom/constants");
+var import_base64url = require("@phantom/base64url");
 var import_wallet_sdk_ui6 = require("@phantom/wallet-sdk-ui");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AddressType,
   NetworkId,
   PhantomProvider,
+  base64urlDecode,
+  base64urlEncode,
   darkTheme,
   lightTheme,
   useAccounts,