@polyguard/sdk 1.4.2 → 1.5.1

package/LICENSE

@@ -0,0 +1,200 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for describing the origin of the Work and
+      reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may accept support,
+      warranty, indemnity, or other liability obligations and/or rights
+      consistent with this License. However, in accepting such obligations,
+      You may act only on Your own behalf and on Your sole responsibility,
+      not on behalf of any other Contributor, and only if You agree to
+      indemnify, defend, and hold each Contributor harmless for any
+      liability incurred by, or claims asserted against, such Contributor
+      by reason of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Polyguard, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied. See the License for the specific language governing
+   permissions and limitations under the License.

package/README.md

@@ -0,0 +1,328 @@
+# @polyguard/sdk
+
+[![npm version](https://img.shields.io/npm/v/@polyguard/sdk.svg)](https://www.npmjs.com/package/@polyguard/sdk)
+[![npm downloads](https://img.shields.io/npm/dm/@polyguard/sdk.svg)](https://www.npmjs.com/package/@polyguard/sdk)
+[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
+
+The official JavaScript SDK for [Polyguard](https://polyguard.ai) — drop-in identity verification for web applications. Users scan a QR code with the Polyguard mobile app and your site receives a signed JWT containing the verified claims.
+
+## Features
+
+- QR-code based identity verification
+- Real-time WebSocket session with automatic reconnection
+- Two UI modes: full-screen modal or embedded into your own DOM
+- Mobile-aware: deep-links into the Polyguard app on the same device
+- Configurable required proofs (e.g. `Full Name`, age, document type)
+- Signed JWT response — verifiable with your Polyguard public key
+- Convenience `require()` helper for one-call proof matching
+- Server-side proxy helper for safe API-key usage (Next.js, Express, Workers, Bun, Deno)
+- Ships as both an ESM module (npm) and a browser IIFE (CDN)
+
+## Requirements
+
+- Browser runtime with `WebSocket`, `fetch`, and ES2020 features
+- Node.js 18+ for any server-side proxy code
+- A Polyguard account with an `appId` and API key — sign up at [console.polyguard.ai](https://console.polyguard.ai)
+
+## Installation
+
+### npm
+
+```bash
+npm install @polyguard/sdk
+```
+
+### CDN
+
+```html
+<script src="https://cdn.polyguard.ai/sdk/latest/sdk.js"></script>
+```
+
+Pin to a specific version in production:
+
+```html
+<script src="https://cdn.polyguard.ai/sdk/1.5.0/sdk.js"></script>
+```
+
+## Quick start
+
+### ESM (bundlers, frameworks)
+
+```js
+import { PolyguardClient } from '@polyguard/sdk';
+
+const client = new PolyguardClient({
+  appId: 'your-app-id',
+  apiServer: 'api.polyguard.ai', // optional
+  proxyUrl: '/api/polyguard', // your server-side proxy — see below
+});
+
+try {
+  const jwt = await client.verify();
+  // jwt is a signed token containing the verified identity claims
+} catch (err) {
+  // The user closed the modal or cancelled.
+}
+```
+
+### Browser (CDN)
+
+```html
+<script src="https://cdn.polyguard.ai/sdk/latest/sdk.js"></script>
+<script>
+  const client = new window.Polyguard.Client({
+    appId: 'your-app-id',
+    apiServer: 'api.polyguard.ai', // optional
+    proxyUrl: '/api/polyguard',
+  });
+
+  client.verify().then((jwt) => {
+    // jwt is a signed token containing the verified identity claims
+  });
+</script>
+```
+
+## Security: never ship an API key to the browser
+
+API keys grant role-based access to your Polyguard tenant. Passing `apiKey` to `PolyguardClient` in a browser context **throws** by design:
+
+```
+Error: apiKey is forbidden in browser code; use proxyUrl with a server-side proxy
+(see @polyguard/sdk/server). Set iKnowThisIsInsecure: true to bypass.
+```
+
+The supported pattern is:
+
+1. Run a tiny proxy on your own server that injects the API key.
+2. Point the browser SDK at that proxy with `proxyUrl`.
+
+The SDK provides `createProxyHandler` from the `@polyguard/sdk/server` entry point. It is a Fetch-API request handler that runs on Node 18+, Cloudflare Workers, Bun, Deno, Vercel Edge, Netlify Edge, and any framework that accepts a `(Request) => Response` function.
+
+### Server proxy with Next.js (App Router)
+
+```ts
+// app/api/polyguard/[...path]/route.ts
+import { createProxyHandler } from '@polyguard/sdk/server';
+
+const handler = createProxyHandler({
+  apiKey: process.env.POLYGUARD_API_KEY,
+  apiServer: 'api.polyguard.ai',
+  pathPrefix: '/api/polyguard',
+});
+
+export const GET = handler;
+export const POST = handler;
+export const PUT = handler;
+```
+
+### Server proxy with Cloudflare Workers / Bun / Deno
+
+```js
+import { createProxyHandler } from '@polyguard/sdk/server';
+
+const polyguardProxy = createProxyHandler({
+  apiKey: globalThis.POLYGUARD_API_KEY, // bind in wrangler.toml / env
+  apiServer: 'api.polyguard.ai',
+});
+
+export default { fetch: polyguardProxy };
+```
+
+### Server proxy with Express
+
+```js
+import express from 'express';
+import { createProxyHandler } from '@polyguard/sdk/server';
+
+const app = express();
+const polyguardProxy = createProxyHandler({
+  apiKey: process.env.POLYGUARD_API_KEY,
+  apiServer: 'api.polyguard.ai',
+});
+
+// Wrap the Fetch-style handler for Express
+app.all('/api/polyguard/*', async (req, res) => {
+  const url = `http://${req.headers.host}${req.originalUrl}`;
+  const request = new Request(url, {
+    method: req.method,
+    headers: req.headers,
+    body: ['GET', 'HEAD'].includes(req.method) ? undefined : req,
+    duplex: 'half',
+  });
+  const response = await polyguardProxy(request);
+  res.status(response.status);
+  response.headers.forEach((v, k) => res.setHeader(k, v));
+  if (response.body) {
+    const reader = response.body.getReader();
+    while (true) {
+      const { value, done } = await reader.read();
+      if (done) break;
+      res.write(value);
+    }
+  }
+  res.end();
+});
+```
+
+### Proxy options
+
+| Option | Type | Default | Description |
+|---|---|---|---|
+| `apiKey` | string | **required** | Your Polyguard API key — must come from a secret store / env var. |
+| `apiServer` | string | `api.polyguard.ai` | Hostname of the Polyguard API. |
+| `pathPrefix` | string | `/api/polyguard` | Prefix stripped from incoming requests before forwarding. |
+| `allowedPaths` | string[] | `['POST /v2/ticket/', 'PUT /link/', 'GET /v2/preview/']` | Whitelist of `METHOD path-prefix` patterns. Requests that do not match return `404`. |
+
+The default whitelist is the minimum surface the browser SDK calls. **Do not broaden `allowedPaths` without reason** — the proxy attaches your API key to every forwarded request, so each entry is an open door to that part of the Polyguard API.
+
+## Usage
+
+### Modal verification
+
+The default `verify()` call opens an overlay modal with the QR code, a spinner, and a cancel button. It returns the JWT once the user completes verification on their phone.
+
+```js
+const jwt = await client.verify();
+```
+
+### Embedded verification
+
+Pass the `id` of an element you already render. The SDK injects the QR code there instead of opening a modal:
+
+```html
+<div id="pg-qr"></div>
+```
+
+```js
+const jwt = await client.verify('pg-qr');
+```
+
+Embedded mode does **not** render a close button — you control the surrounding UI.
+
+### Proof matching with `require()`
+
+`require()` runs `verify()` and then checks the decoded JWT payload for specific expected values. It is a convenience wrapper for the common "is this the user who claims to be X?" pattern:
+
+```js
+const isJane = await client.require({ 'Full Name': 'Jane Doe' });
+if (isJane) {
+  // proceed
+}
+```
+
+`require()` resolves to `false` if the user cancels, the server is unreachable, or any expected claim does not match. It never throws.
+
+> **Always verify the JWT signature on your backend** before trusting any claim. You can also receive the complete JWT in your backend from a Polyguard webhook. `require()` decodes the payload client-side for UX gating only, and can be used to begin polling the backend for the webhook response.
+
+### Raw response
+
+For target/embedded mode, pass `rawJwt: true` (second argument to `verify`) to get the full JWT string instead of the decoded object:
+
+```js
+const response = await client.verify('pg-qr', true);
+```
+
+### Error handling
+
+The behavior differs by UI mode — this is intentional:
+
+| Scenario | Modal mode | Embedded / target mode |
+|---|---|---|
+| User clicks the close button | rejects with `Error('User cancelled')` | n/a (no close button) |
+| Verification succeeds | resolves with the decoded JWT object (or raw JWT string if `rawJwt: true`) | resolves with the decoded JWT object (or raw JWT string if `rawJwt: true`) |
+
+Always handle both a rejected promise and a `FAIL` result.
+
+## Configuration
+
+```js
+new PolyguardClient(options)
+```
+
+| Option | Type | Default | Description |
+|---|---|---|---|
+| `appId` | string | — | Your Polyguard application ID. |
+| `apiServer` | string | — | Hostname of the Polyguard API (e.g. `api.polyguard.ai`). |
+| `proxyUrl` | string | — | URL of your server-side proxy. **Recommended** for all browser deployments. |
+| `baseUrl` | string | — | Direct API base URL. Mutually exclusive with `proxyUrl`. |
+| `apiKey` | string | — | API key. **Throws in browser code.** Use a proxy instead. |
+| `iKnowThisIsInsecure` | boolean | `false` | Escape hatch that disables the browser `apiKey` check. Do not use in production. |
+| `requiredProofs` | string[] | `['Full Name']` | Claims the user must satisfy during verification. |
+| `scanType` | string | `'single'` | Verification mode — `single` is the standard one-shot flow. `multi` should be used for trust checks with PG-Presence enabled. |
+| `link_uuid` | string | — | UUID for a pre-created (semi-dynamic / "Adhoc") verification link. Omit for fully dynamic flows. |
+| `integrationType` | string | `'websocket'` | Reserved for future transports. Leave at the default. |
+
+## API reference
+
+### `new PolyguardClient(options)`
+
+Creates a client and instantiates all underlying API services. See **Configuration** above.
+
+### `client.verify(target?, rawJwt?) → Promise<string | object>`
+
+Starts the verification flow.
+
+- `target` (string, optional) — DOM element id to render the QR into. Omit for modal mode.
+- `rawJwt` (boolean, optional) — when `true`, resolve with the full response object instead of the JWT string.
+
+### `client.require(expectedProofs, target?) → Promise<boolean>`
+
+Runs `verify()` and returns `true` only if every key in `expectedProofs` matches the decoded JWT payload exactly. Returns `false` on cancellation, server errors, or any mismatch. Never throws.
+
+### Browser global
+
+When loaded via `<script>`, the SDK is exposed as:
+
+- `window.Polyguard.Client` — the `PolyguardClient` constructor
+- `window.Polyguard.ApiClient` — the underlying API client class
+- `window.Polyguard.<ServiceName>Api` — every generated API service (e.g. `TicketApi`)
+
+## Verifying JWTs on your backend
+
+The SDK's job ends when it hands you a JWT. To trust the contents you must verify the signature using Polyguard's public key. A minimal Node example:
+
+```js
+import jwt from 'jsonwebtoken';
+
+const POLYGUARD_PUBKEY = process.env.POLYGUARD_PUBKEY;
+
+const payload = jwt.verify(tokenFromBrowser, POLYGUARD_PUBKEY, {
+  algorithms: ['RS256'],
+});
+
+// payload['Full Name'], payload.iat, payload.exp, ...
+```
+
+See the [Polyguard documentation](https://polyguard.ai/docs) for the canonical key distribution and claim list.
+
+## Module entry points
+
+| Import | Use it for |
+|---|---|
+| `@polyguard/sdk` | Browser code — `PolyguardClient`, generated API services. |
+| `@polyguard/sdk/server` | Server code — `createProxyHandler`. Has no browser-only dependencies. |
+
+The CDN bundle (`https://cdn.polyguard.ai/sdk/<version>/sdk.js`) is browser-only and exposes the `window.Polyguard` global.
+
+## Versioning and distribution
+
+`@polyguard/sdk` follows semantic versioning. Each release ships in two places:
+
+- **npm** — `@polyguard/sdk` (ESM)
+- **CDN** — `https://cdn.polyguard.ai/sdk/<version>/sdk.js` (IIFE) and `https://cdn.polyguard.ai/sdk/latest/sdk.js` (latest)
+
+The `latest/` path tracks the most recent published tag. For production deployments, pin to a specific version.
+
+## Browser support
+
+Modern evergreen browsers (Chrome, Edge, Firefox, Safari). The SDK relies on `WebSocket`, `fetch`, `Promise`, and ES2020 syntax. Internet Explorer is not supported.
+
+## Support
+
+- Issues and feature requests: <https://github.com/polyguard-ai/web-sdk/issues>
+- Product documentation: <[https://dev.polyguard.ai/documentation](https://dev.polyguard.ai/documentation)>
+- Email: <support@polyguard.ai>
+
+## License
+
+Apache License 2.0 © Polyguard, Inc. See [LICENSE](./LICENSE) for the full text.

package/dist/sdk.esm.js

@@ -10920,8 +10920,9 @@ function renderQRCode(qrDiv, qrUrl) {
 }
 
 // src/ticketService.js
-async function fetchTicket({ apiServer, appId, link_uuid, requiredProofs, scanType }) {
-  const ticketUrl = link_uuid ? `https://${apiServer}/v2/ticket/${appId}/${link_uuid}` : `https://${apiServer}/v2/ticket/${appId}`;
+async function fetchTicket({ apiServer, proxyUrl, appId, link_uuid, requiredProofs, scanType }) {
+  const base = proxyUrl ? proxyUrl.replace(/\/$/, "") : `https://${apiServer}`;
+  const ticketUrl = link_uuid ? `${base}/v2/ticket/${appId}/${link_uuid}` : `${base}/v2/ticket/${appId}`;
   const ticketRes = await fetch(ticketUrl, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
@@ -11033,15 +11034,24 @@ function handleWebSocketMessage(event, ctx) {
 var PolyguardWebsocketClientImpl = class {
   constructor(params = {}) {
     this.apiClient = new ApiClient_default();
-    const { apiKey, baseUrl, appId, apiServer, requiredProofs = ["Full Name"], scanType = "single", redirectUrl, callbackUrl, cookieName, link_uuid, sidebarUrl } = params;
+    const { apiKey, baseUrl, appId, apiServer, proxyUrl, iKnowThisIsInsecure, requiredProofs = ["Full Name"], scanType = "single", redirectUrl, callbackUrl, cookieName, link_uuid, sidebarUrl } = params;
     this.sidebarUrl = sidebarUrl;
-    if (baseUrl) {
+    if (apiKey && typeof window !== "undefined" && iKnowThisIsInsecure !== true) {
+      throw new Error(
+        "apiKey is forbidden in browser code; use proxyUrl with a server-side proxy (see @polyguard/sdk/server). Set iKnowThisIsInsecure: true to bypass."
+      );
+    }
+    if (proxyUrl) {
+      this.apiClient.basePath = proxyUrl.replace(/\/$/, "");
+    } else if (baseUrl) {
       this.apiClient.basePath = baseUrl;
     }
     if (apiKey) {
       if (this.apiClient.authentications["bearerAuth"]) {
         this.apiClient.authentications["bearerAuth"].apiKey = apiKey;
       }
+      this.apiClient.defaultHeaders = this.apiClient.defaultHeaders || {};
+      this.apiClient.defaultHeaders["x-pg-api-key"] = apiKey;
     }
     for (const key in src_exports) {
       if (key.endsWith("Api")) {
@@ -11052,6 +11062,7 @@ var PolyguardWebsocketClientImpl = class {
     this.integrationType = "websocket";
     this.appId = appId;
     this.apiServer = apiServer;
+    this.proxyUrl = proxyUrl;
     this.requiredProofs = requiredProofs;
     this.scanType = scanType;
     this.redirectUrl = redirectUrl;
@@ -11132,6 +11143,7 @@ var PolyguardWebsocketClientImpl = class {
         const wsProtocol = window.location.protocol === "https:" ? "wss" : "ws";
         const newTicket = await fetchTicket({
           apiServer: this.apiServer,
+          proxyUrl: this.proxyUrl,
           appId: this.appId,
           link_uuid: this.link_uuid,
           requiredProofs: this.requiredProofs,

package/dist/sdk.js

@@ -10953,8 +10953,9 @@ var Polyguard = (() => {
   }
 
   // src/ticketService.js
-  async function fetchTicket({ apiServer, appId, link_uuid, requiredProofs, scanType }) {
-    const ticketUrl = link_uuid ? `https://${apiServer}/v2/ticket/${appId}/${link_uuid}` : `https://${apiServer}/v2/ticket/${appId}`;
+  async function fetchTicket({ apiServer, proxyUrl, appId, link_uuid, requiredProofs, scanType }) {
+    const base = proxyUrl ? proxyUrl.replace(/\/$/, "") : `https://${apiServer}`;
+    const ticketUrl = link_uuid ? `${base}/v2/ticket/${appId}/${link_uuid}` : `${base}/v2/ticket/${appId}`;
     const ticketRes = await fetch(ticketUrl, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
@@ -11066,15 +11067,24 @@ var Polyguard = (() => {
   var PolyguardWebsocketClientImpl = class {
     constructor(params = {}) {
       this.apiClient = new ApiClient_default();
-      const { apiKey, baseUrl, appId, apiServer, requiredProofs = ["Full Name"], scanType = "single", redirectUrl, callbackUrl, cookieName, link_uuid, sidebarUrl } = params;
+      const { apiKey, baseUrl, appId, apiServer, proxyUrl, iKnowThisIsInsecure, requiredProofs = ["Full Name"], scanType = "single", redirectUrl, callbackUrl, cookieName, link_uuid, sidebarUrl } = params;
       this.sidebarUrl = sidebarUrl;
-      if (baseUrl) {
+      if (apiKey && typeof window !== "undefined" && iKnowThisIsInsecure !== true) {
+        throw new Error(
+          "apiKey is forbidden in browser code; use proxyUrl with a server-side proxy (see @polyguard/sdk/server). Set iKnowThisIsInsecure: true to bypass."
+        );
+      }
+      if (proxyUrl) {
+        this.apiClient.basePath = proxyUrl.replace(/\/$/, "");
+      } else if (baseUrl) {
         this.apiClient.basePath = baseUrl;
       }
       if (apiKey) {
         if (this.apiClient.authentications["bearerAuth"]) {
           this.apiClient.authentications["bearerAuth"].apiKey = apiKey;
         }
+        this.apiClient.defaultHeaders = this.apiClient.defaultHeaders || {};
+        this.apiClient.defaultHeaders["x-pg-api-key"] = apiKey;
       }
       for (const key in src_exports) {
         if (key.endsWith("Api")) {
@@ -11085,6 +11095,7 @@ var Polyguard = (() => {
       this.integrationType = "websocket";
       this.appId = appId;
       this.apiServer = apiServer;
+      this.proxyUrl = proxyUrl;
       this.requiredProofs = requiredProofs;
       this.scanType = scanType;
       this.redirectUrl = redirectUrl;
@@ -11165,6 +11176,7 @@ var Polyguard = (() => {
           const wsProtocol = window.location.protocol === "https:" ? "wss" : "ws";
           const newTicket = await fetchTicket({
             apiServer: this.apiServer,
+            proxyUrl: this.proxyUrl,
             appId: this.appId,
             link_uuid: this.link_uuid,
             requiredProofs: this.requiredProofs,