@proveanything/smartlinks 1.13.16 → 1.13.18

package/dist/api/authKit.d.ts

@@ -1,4 +1,4 @@
-import type { AuthLoginResponse, PhoneSendCodeResponse, PhoneVerifyResponse, PasswordResetRequestResponse, VerifyResetTokenResponse, PasswordResetCompleteResponse, EmailVerificationActionResponse, EmailVerifyTokenResponse, AuthKitConfig, MagicLinkSendResponse, MagicLinkVerifyResponse, UserProfile, ProfileUpdateData, SuccessResponse, SendWhatsAppRequest, SendWhatsAppResponse, ExchangeWhatsAppSessionResponse, VerifyWhatsAppResponse, WhatsAppStatusResponse, SendSmsVerifyRequest, SendSmsVerifyResponse, VerifySmsResponse, UpsertContactRequest, UpsertContactResponse } from "../types/authKit";
+import type { AuthLoginResponse, PhoneSendCodeResponse, PhoneVerifyResponse, PasswordResetRequestResponse, VerifyResetTokenResponse, PasswordResetCompleteResponse, EmailVerificationActionResponse, EmailVerifyTokenResponse, AuthKitConfig, MagicLinkSendResponse, MagicLinkVerifyResponse, UserProfile, UpdateProfileResponse, ProfileUpdateData, SuccessResponse, SendWhatsAppRequest, SendWhatsAppResponse, ExchangeWhatsAppSessionResponse, VerifyWhatsAppResponse, WhatsAppStatusResponse, SendSmsVerifyRequest, SendSmsVerifyResponse, VerifySmsResponse, UpsertContactRequest, UpsertContactResponse } from "../types/authKit";
 /**
  * Namespace containing helper functions for the new AuthKit API.
  * Legacy collection-based authKit helpers retained (marked as *Legacy*).
@@ -62,7 +62,8 @@ export declare namespace authKit {
         clientName?: string;
     }): Promise<EmailVerificationActionResponse>;
     function getProfile(clientId: string): Promise<UserProfile>;
-    function updateProfile(clientId: string, data: ProfileUpdateData): Promise<UserProfile>;
+    /** Update the authenticated user's profile and replace the bearer token when refreshed claims are returned. */
+    function updateProfile(clientId: string, data: ProfileUpdateData): Promise<UpdateProfileResponse>;
     function changePassword(clientId: string, currentPassword: string, newPassword: string): Promise<SuccessResponse>;
     function changeEmail(clientId: string, newEmail: string, password: string, redirectUrl: string): Promise<SuccessResponse>;
     function verifyEmailChange(clientId: string, token: string): Promise<SuccessResponse>;

package/dist/api/authKit.js

@@ -122,8 +122,12 @@ export var authKit;
         return request(`/authkit/${encodeURIComponent(clientId)}/account/profile`);
     }
     authKit.getProfile = getProfile;
+    /** Update the authenticated user's profile and replace the bearer token when refreshed claims are returned. */
     async function updateProfile(clientId, data) {
-        return post(`/authkit/${encodeURIComponent(clientId)}/account/update-profile`, data);
+        const res = await post(`/authkit/${encodeURIComponent(clientId)}/account/update-profile`, data);
+        if (res.token)
+            setBearerToken(res.token);
+        return res;
     }
     authKit.updateProfile = updateProfile;
     async function changePassword(clientId, currentPassword, newPassword) {

package/dist/docs/API_SUMMARY.md

@@ -1,6 +1,6 @@
 # Smartlinks API Summary
 
-Version: 1.13.16  |  Generated: 2026-05-15T19:36:34.712Z
+Version: 1.13.18  |  Generated: 2026-05-15T21:59:57.655Z
 
 This is a concise summary of all available API functions and types.
 
@@ -3030,6 +3030,7 @@ interface WhatsAppReplyCta {
   body: string
   buttonLabel: string
   buttonUrl: string
+  mediaUrl?: string  // optional image (JPEG/PNG, public https) — selects image card template
 }
 ```
 
@@ -8282,41 +8283,41 @@ Upsert contact identity after lightweight verification (public).
 **getProfile**(clientId: string) → `Promise<UserProfile>`
 Upsert contact identity after lightweight verification (public).
 
-**updateProfile**(clientId: string, data: ProfileUpdateData) → `Promise<UserProfile>`
-Upsert contact identity after lightweight verification (public).
+**updateProfile**(clientId: string, data: ProfileUpdateData) → `Promise<UpdateProfileResponse>`
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **changePassword**(clientId: string, currentPassword: string, newPassword: string) → `Promise<SuccessResponse>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **changeEmail**(clientId: string, newEmail: string, password: string, redirectUrl: string) → `Promise<SuccessResponse>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **verifyEmailChange**(clientId: string, token: string) → `Promise<SuccessResponse>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **updatePhone**(clientId: string, phoneNumber: string, verificationCode: string) → `Promise<SuccessResponse>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **deleteAccount**(clientId: string, password: string, confirmText: string) → `Promise<SuccessResponse>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **load**(authKitId: string) → `Promise<AuthKitConfig>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **get**(collectionId: string, authKitId: string) → `Promise<AuthKitConfig>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **list**(collectionId: string, admin?: boolean) → `Promise<AuthKitConfig[]>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **create**(collectionId: string, data: any) → `Promise<AuthKitConfig>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **update**(collectionId: string, authKitId: string, data: any) → `Promise<AuthKitConfig>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **remove**(collectionId: string, authKitId: string) → `Promise<void>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 ### batch
 

package/dist/docs/auth-kit.md

@@ -105,6 +105,7 @@ const wa = await authKit.sendWhatsApp(clientId);
 //       body: "You're verified and ready to bid.",
 //       buttonLabel: 'Back to Auction',
 //       buttonUrl: '{{returnUrl}}',
+//       // mediaUrl: 'https://cdn.example.com/bid-confirmed.jpg',  // optional: include to use image card template
 //     },
 //     text: "You're verified. Return to the app to continue.",
 //   },
@@ -170,11 +171,15 @@ Verification status values returned by `authKit.getWhatsAppStatus` are:
 Pass a `reply` object in `sendWhatsApp` to send a message back to the user after they confirm `CONFIRM <token>`. Reply resolution order:
 
 1. `reply.contentSid` — explicit Twilio Content SID
-2. `reply.cta` — CTA shorthand using the shared generic Twilio Content template SID (`TWILIO_WHATSAPP_GENERIC_CTA_SID`)
+2. `reply.cta` — CTA shorthand:
+   - If `cta.mediaUrl` is present (valid public `https://` URL), uses the **image card** Twilio Content template (`TWILIO_WHATSAPP_IMAGE_CTA_SID`)
+   - Otherwise uses the **text CTA** template (`TWILIO_WHATSAPP_GENERIC_CTA_SID`)
 3. `reply.text` — plain-text fallback
 4. Per-client default (`authKit/{clientId}.whatsapp` config)
 5. Built-in default text
 
+> **Important:** Only pass `mediaUrl` when you have a valid, publicly reachable `https://` JPEG or PNG. If the field is absent or blank, the text-only CTA template is selected automatically. Never pass an empty string — omit the field entirely to avoid Twilio rejecting the send.
+
 The following template placeholders are available in `reply.text`, `reply.cta` fields, and `reply.contentVariables` values:
 
 | Placeholder | Description |
@@ -197,6 +202,8 @@ const session = await authKit.exchangeWhatsAppSession(clientId, wa.token, wa.ses
 
 `sessionKey` is returned by `sendWhatsApp` and is used to mitigate token replay from contexts that did not initiate the browser flow.
 
+When `contactData.name` or explicit name parts were supplied on the original `sendWhatsApp` call, `session.user.displayName` and the returned bearer token claims are now seeded from the verified contact record instead of staying `null`.
+
 > **Note:** `redirectUrl` is optional. WhatsApp tokens are short hex strings (16 chars) for better UX.
 >
 > **Legacy note:** `verifyWhatsApp` is for older phone-bound token flows. Prefer inbound WhatsApp token confirmation plus status polling for new implementations.
@@ -219,7 +226,13 @@ import { authKit } from '@proveanything/smartlinks';
 const profile = await authKit.getProfile(clientId);
 
 // Update profile
-await authKit.updateProfile(clientId, { displayName: 'Alice B.', avatarUrl: '...' });
+const updatedProfile = await authKit.updateProfile(clientId, {
+  displayName: 'Alice B.',
+  avatarUrl: '...'
+});
+
+// The SDK automatically swaps in updatedProfile.token so future auth.verify()
+// and authenticated calls use fresh displayName/photoURL claims immediately.
 
 // Change password
 await authKit.changePassword(clientId, 'currentPass', 'newPass');
@@ -231,6 +244,8 @@ await authKit.changeEmail(clientId, 'newemail@example.com', 'password', redirect
 await authKit.deleteAccount(clientId, 'password', 'DELETE');
 ```
 
+`updateProfile` now returns a fresh bearer token together with the updated profile fields. The SDK replaces the in-memory bearer token automatically so token-backed identity reads stay current without an extra refresh step.
+
 ---
 
 ## Email verification

package/dist/openapi.yaml

@@ -8016,7 +8016,7 @@ paths:
     post:
       tags:
         - authKit
-      summary: authKit.updateProfile
+      summary: "Update the authenticated user's profile and replace the bearer token when refreshed claims are returned."
       operationId: authKit_updateProfile
       security: []
       parameters:
@@ -8031,7 +8031,7 @@ paths:
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/UserProfile"
+                $ref: "#/components/schemas/UpdateProfileResponse"
         400:
           description: Bad request
         401:
@@ -17756,6 +17756,13 @@ components:
         accountData:
           type: object
           additionalProperties: true
+    UpdateProfileResponse:
+      type: object
+      properties:
+        token:
+          type: string
+      required:
+        - token
     SuccessResponse:
       type: object
       properties:
@@ -17899,6 +17906,8 @@ components:
           type: string
         buttonUrl:
           type: string
+        mediaUrl:
+          type: string
       required:
         - body
         - buttonLabel

package/dist/types/authKit.d.ts

@@ -21,6 +21,9 @@ export interface ProfileUpdateData {
     photoURL?: string;
     accountData?: Record<string, any>;
 }
+export interface UpdateProfileResponse extends UserProfile {
+    token: string;
+}
 export interface SuccessResponse {
     success: boolean;
     message?: string;
@@ -80,6 +83,7 @@ export interface WhatsAppReplyCta {
     body: string;
     buttonLabel: string;
     buttonUrl: string;
+    mediaUrl?: string;
 }
 export interface WhatsAppReplyOptions {
     /** Option A: explicit Twilio Content SID */

package/docs/API_SUMMARY.md

@@ -1,6 +1,6 @@
 # Smartlinks API Summary
 
-Version: 1.13.16  |  Generated: 2026-05-15T19:36:34.712Z
+Version: 1.13.18  |  Generated: 2026-05-15T21:59:57.655Z
 
 This is a concise summary of all available API functions and types.
 
@@ -3030,6 +3030,7 @@ interface WhatsAppReplyCta {
   body: string
   buttonLabel: string
   buttonUrl: string
+  mediaUrl?: string  // optional image (JPEG/PNG, public https) — selects image card template
 }
 ```
 
@@ -8282,41 +8283,41 @@ Upsert contact identity after lightweight verification (public).
 **getProfile**(clientId: string) → `Promise<UserProfile>`
 Upsert contact identity after lightweight verification (public).
 
-**updateProfile**(clientId: string, data: ProfileUpdateData) → `Promise<UserProfile>`
-Upsert contact identity after lightweight verification (public).
+**updateProfile**(clientId: string, data: ProfileUpdateData) → `Promise<UpdateProfileResponse>`
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **changePassword**(clientId: string, currentPassword: string, newPassword: string) → `Promise<SuccessResponse>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **changeEmail**(clientId: string, newEmail: string, password: string, redirectUrl: string) → `Promise<SuccessResponse>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **verifyEmailChange**(clientId: string, token: string) → `Promise<SuccessResponse>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **updatePhone**(clientId: string, phoneNumber: string, verificationCode: string) → `Promise<SuccessResponse>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **deleteAccount**(clientId: string, password: string, confirmText: string) → `Promise<SuccessResponse>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **load**(authKitId: string) → `Promise<AuthKitConfig>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **get**(collectionId: string, authKitId: string) → `Promise<AuthKitConfig>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **list**(collectionId: string, admin?: boolean) → `Promise<AuthKitConfig[]>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **create**(collectionId: string, data: any) → `Promise<AuthKitConfig>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **update**(collectionId: string, authKitId: string, data: any) → `Promise<AuthKitConfig>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 **remove**(collectionId: string, authKitId: string) → `Promise<void>`
-Upsert contact identity after lightweight verification (public).
+Update the authenticated user's profile and replace the bearer token when refreshed claims are returned.
 
 ### batch
 

package/docs/auth-kit.md

@@ -105,6 +105,7 @@ const wa = await authKit.sendWhatsApp(clientId);
 //       body: "You're verified and ready to bid.",
 //       buttonLabel: 'Back to Auction',
 //       buttonUrl: '{{returnUrl}}',
+//       // mediaUrl: 'https://cdn.example.com/bid-confirmed.jpg',  // optional: include to use image card template
 //     },
 //     text: "You're verified. Return to the app to continue.",
 //   },
@@ -170,11 +171,15 @@ Verification status values returned by `authKit.getWhatsAppStatus` are:
 Pass a `reply` object in `sendWhatsApp` to send a message back to the user after they confirm `CONFIRM <token>`. Reply resolution order:
 
 1. `reply.contentSid` — explicit Twilio Content SID
-2. `reply.cta` — CTA shorthand using the shared generic Twilio Content template SID (`TWILIO_WHATSAPP_GENERIC_CTA_SID`)
+2. `reply.cta` — CTA shorthand:
+   - If `cta.mediaUrl` is present (valid public `https://` URL), uses the **image card** Twilio Content template (`TWILIO_WHATSAPP_IMAGE_CTA_SID`)
+   - Otherwise uses the **text CTA** template (`TWILIO_WHATSAPP_GENERIC_CTA_SID`)
 3. `reply.text` — plain-text fallback
 4. Per-client default (`authKit/{clientId}.whatsapp` config)
 5. Built-in default text
 
+> **Important:** Only pass `mediaUrl` when you have a valid, publicly reachable `https://` JPEG or PNG. If the field is absent or blank, the text-only CTA template is selected automatically. Never pass an empty string — omit the field entirely to avoid Twilio rejecting the send.
+
 The following template placeholders are available in `reply.text`, `reply.cta` fields, and `reply.contentVariables` values:
 
 | Placeholder | Description |
@@ -197,6 +202,8 @@ const session = await authKit.exchangeWhatsAppSession(clientId, wa.token, wa.ses
 
 `sessionKey` is returned by `sendWhatsApp` and is used to mitigate token replay from contexts that did not initiate the browser flow.
 
+When `contactData.name` or explicit name parts were supplied on the original `sendWhatsApp` call, `session.user.displayName` and the returned bearer token claims are now seeded from the verified contact record instead of staying `null`.
+
 > **Note:** `redirectUrl` is optional. WhatsApp tokens are short hex strings (16 chars) for better UX.
 >
 > **Legacy note:** `verifyWhatsApp` is for older phone-bound token flows. Prefer inbound WhatsApp token confirmation plus status polling for new implementations.
@@ -219,7 +226,13 @@ import { authKit } from '@proveanything/smartlinks';
 const profile = await authKit.getProfile(clientId);
 
 // Update profile
-await authKit.updateProfile(clientId, { displayName: 'Alice B.', avatarUrl: '...' });
+const updatedProfile = await authKit.updateProfile(clientId, {
+  displayName: 'Alice B.',
+  avatarUrl: '...'
+});
+
+// The SDK automatically swaps in updatedProfile.token so future auth.verify()
+// and authenticated calls use fresh displayName/photoURL claims immediately.
 
 // Change password
 await authKit.changePassword(clientId, 'currentPass', 'newPass');
@@ -231,6 +244,8 @@ await authKit.changeEmail(clientId, 'newemail@example.com', 'password', redirect
 await authKit.deleteAccount(clientId, 'password', 'DELETE');
 ```
 
+`updateProfile` now returns a fresh bearer token together with the updated profile fields. The SDK replaces the in-memory bearer token automatically so token-backed identity reads stay current without an extra refresh step.
+
 ---
 
 ## Email verification

package/openapi.yaml

@@ -8016,7 +8016,7 @@ paths:
     post:
       tags:
         - authKit
-      summary: authKit.updateProfile
+      summary: "Update the authenticated user's profile and replace the bearer token when refreshed claims are returned."
       operationId: authKit_updateProfile
       security: []
       parameters:
@@ -8031,7 +8031,7 @@ paths:
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/UserProfile"
+                $ref: "#/components/schemas/UpdateProfileResponse"
         400:
           description: Bad request
         401:
@@ -17756,6 +17756,13 @@ components:
         accountData:
           type: object
           additionalProperties: true
+    UpdateProfileResponse:
+      type: object
+      properties:
+        token:
+          type: string
+      required:
+        - token
     SuccessResponse:
       type: object
       properties:
@@ -17899,6 +17906,8 @@ components:
           type: string
         buttonUrl:
           type: string
+        mediaUrl:
+          type: string
       required:
         - body
         - buttonLabel

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@proveanything/smartlinks",
-  "version": "1.13.16",
+  "version": "1.13.18",
   "description": "Official JavaScript/TypeScript SDK for the Smartlinks API",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",