@proveanything/smartlinks 1.13.18 → 1.13.20

package/dist/api/authKit.js

@@ -10,7 +10,10 @@ export var authKit;
      * =================================== */
     /** Login with email + password (public). */
     async function login(clientId, email, password) {
-        return post(`/authkit/${encodeURIComponent(clientId)}/auth/login`, { email, password });
+        const res = await post(`/authkit/${encodeURIComponent(clientId)}/auth/login`, { email, password });
+        if (res.token)
+            setBearerToken(res.token);
+        return res;
     }
     authKit.login = login;
     /** Register a new user (public). */
@@ -20,7 +23,10 @@ export var authKit;
     authKit.register = register;
     /** Google OAuth login (public). */
     async function googleLogin(clientId, idToken) {
-        return post(`/authkit/${encodeURIComponent(clientId)}/auth/google`, { idToken });
+        const res = await post(`/authkit/${encodeURIComponent(clientId)}/auth/google`, { idToken });
+        if (res.token)
+            setBearerToken(res.token);
+        return res;
     }
     authKit.googleLogin = googleLogin;
     /** Send a magic link email to the user (public). */
@@ -43,7 +49,9 @@ export var authKit;
     authKit.sendPhoneCode = sendPhoneCode;
     /** Verify phone verification code (public). */
     async function verifyPhoneCode(clientId, phoneNumber, code) {
-        return post(`/authkit/${encodeURIComponent(clientId)}/auth/phone/verify`, { phoneNumber, code });
+        const res = await post(`/authkit/${encodeURIComponent(clientId)}/auth/phone/verify`, { phoneNumber, code });
+        setBearerToken(res.token);
+        return res;
     }
     authKit.verifyPhoneCode = verifyPhoneCode;
     /** Send a WhatsApp verification deep-link (public). */
@@ -64,7 +72,9 @@ export var authKit;
     authKit.getWhatsAppStatus = getWhatsAppStatus;
     /** Exchange a verified WhatsApp token for an Auth Kit session (public). */
     async function exchangeWhatsAppSession(clientId, token, sessionKey) {
-        return post(`/authkit/${encodeURIComponent(clientId)}/auth/whatsapp/exchange-session`, { token, sessionKey });
+        const res = await post(`/authkit/${encodeURIComponent(clientId)}/auth/whatsapp/exchange-session`, { token, sessionKey });
+        setBearerToken(res.token);
+        return res;
     }
     authKit.exchangeWhatsAppSession = exchangeWhatsAppSession;
     /** Send an SMS click-to-verify link (public). */

package/dist/docs/API_SUMMARY.md

@@ -1,6 +1,6 @@
 # Smartlinks API Summary
 
-Version: 1.13.18  |  Generated: 2026-05-15T21:59:57.655Z
+Version: 1.13.20  |  Generated: 2026-05-16T07:39:45.235Z
 
 This is a concise summary of all available API functions and types.
 
@@ -162,7 +162,7 @@ Enable/disable automatic "ngrok-skip-browser-warning" header.
 Replace or augment globally applied custom headers.
 
 **setBearerToken**(token: string | undefined) → `void`
-Allows setting the bearerToken at runtime (e.g. after login/logout).
+Allows setting the bearerToken at runtime (e.g. after login/logout). Clears the HTTP cache whenever the token actually changes so that stale user-scoped responses (e.g. /account/profile) are not served after a login or logout event.
 
 **getBaseURL**() → `string | null`
 Get the currently configured API base URL. Returns null if initializeApi() has not been called yet.

package/dist/docs/portal-auth-broadcast.md

@@ -52,32 +52,8 @@ function BidButton() {
 
 ## Iframe Apps (Cross-Origin)
 
-Iframe apps don't share React context. Use the SDK's `authKit` helper —
-it posts the framework-recognised messages on `window.parent`:
-
-```ts
-import { authKit } from '@proveanything/smartlinks';
-
-// After your custom flow succeeds:
-await authKit.publishLogin({
-  token,                // string — your API's bearer token
-  user: {               // mirrors AuthUser
-    uid: 'usr_123',
-    email: 'bidder@example.com',
-    displayName: 'Jane Bidder',
-  },
-  accountData: { tier: 'gold' }, // optional, free-form
-});
-
-// On sign-out:
-await authKit.publishLogout();
-```
-
-### Raw postMessage (fallback)
-
-If you can't use the helper (e.g. you're outside the SDK), post the raw
-messages from the iframe to its parent. The portal's `IframeResponder`
-listens for these:
+Iframe apps don't share React context. Post messages directly from the
+iframe to its parent — the portal's `IframeResponder` listens for these:
 
 ```ts
 // LOGIN
@@ -138,7 +114,7 @@ through the standard portal UI.
    wiped.
 
 ❌ Implementing logout by just clearing your own state. Always call
-   `useAuth().logout()` (container/widget) or `authKit.publishLogout()`
+   `useAuth().logout()` (container/widget) or post `smartlinks:authkit:logout`
    (iframe) so the whole portal session ends cleanly.
 
 ---

package/dist/http.d.ts

@@ -30,6 +30,9 @@ export declare function setNgrokSkipBrowserWarning(flag: boolean): void;
 export declare function setExtraHeaders(headers: Record<string, string>): void;
 /**
  * Allows setting the bearerToken at runtime (e.g. after login/logout).
+ * Clears the HTTP cache whenever the token actually changes so that stale
+ * user-scoped responses (e.g. /account/profile) are not served after a
+ * login or logout event.
  */
 export declare function setBearerToken(token: string | undefined): void;
 /**

package/dist/http.js

@@ -405,9 +405,17 @@ export function setExtraHeaders(headers) {
 }
 /**
  * Allows setting the bearerToken at runtime (e.g. after login/logout).
+ * Clears the HTTP cache whenever the token actually changes so that stale
+ * user-scoped responses (e.g. /account/profile) are not served after a
+ * login or logout event.
  */
 export function setBearerToken(token) {
+    if (token === bearerToken)
+        return;
     bearerToken = token;
+    httpCache.clear();
+    if (cachePersistence !== 'none')
+        idbClear().catch(() => { });
 }
 /**
  * Get the currently configured API base URL.

package/dist/index.d.ts

@@ -28,3 +28,4 @@ AdminMobileHostContext, AdminMobileComponentManifest, AdminMobileBundleManifest,
 MobileAdminBundleManifest, } from './mobile-admin/types';
 export { HostCapabilityUnavailableError, HostPermissionDeniedError, HostTimeoutError, } from './mobile-admin/errors';
 export type { NativeCapability, NativeFacade, ShareFacade, ClipboardFacade, HapticImpactStyle, HapticNotificationStyle, HapticsFacade, NetworkStatus, NetworkFacade, DeviceInfo, DeviceFacade, StorageFacade, QrScanOptions, QrFacade, AuthFacade, NfcReadResult, NfcFacade, RfidScanOptions, RfidFacade, EventsFacade, WebSourceMode, WebSourceConfig, WebSourceFacade, } from './native/types';
+export type { AuthKitUser, UserProfile, ProfileUpdateData, UpdateProfileResponse, SuccessResponse, AuthLoginResponse, MagicLinkSendResponse, MagicLinkVerifyResponse, PhoneSendCodeResponse, PhoneVerifyResponse, PasswordResetRequestResponse, VerifyResetTokenResponse, PasswordResetCompleteResponse, EmailVerificationActionResponse, EmailVerifyTokenResponse, VerifyStatus, WhatsAppReplyCta, WhatsAppReplyOptions, WhatsAppContactData, SendWhatsAppRequest, SendWhatsAppResponse, ExchangeWhatsAppSessionResponse, VerifyWhatsAppResponse, WhatsAppStatusResponse, SendSmsVerifyRequest, SendSmsVerifyResponse, VerifySmsResponse, UpsertContactRequest, UpsertContactResponse, AuthKitBrandingConfig, AuthKitConfig, } from './types/authKit';

package/docs/API_SUMMARY.md

@@ -1,6 +1,6 @@
 # Smartlinks API Summary
 
-Version: 1.13.18  |  Generated: 2026-05-15T21:59:57.655Z
+Version: 1.13.20  |  Generated: 2026-05-16T07:39:45.235Z
 
 This is a concise summary of all available API functions and types.
 
@@ -162,7 +162,7 @@ Enable/disable automatic "ngrok-skip-browser-warning" header.
 Replace or augment globally applied custom headers.
 
 **setBearerToken**(token: string | undefined) → `void`
-Allows setting the bearerToken at runtime (e.g. after login/logout).
+Allows setting the bearerToken at runtime (e.g. after login/logout). Clears the HTTP cache whenever the token actually changes so that stale user-scoped responses (e.g. /account/profile) are not served after a login or logout event.
 
 **getBaseURL**() → `string | null`
 Get the currently configured API base URL. Returns null if initializeApi() has not been called yet.

package/docs/portal-auth-broadcast.md

@@ -52,32 +52,8 @@ function BidButton() {
 
 ## Iframe Apps (Cross-Origin)
 
-Iframe apps don't share React context. Use the SDK's `authKit` helper —
-it posts the framework-recognised messages on `window.parent`:
-
-```ts
-import { authKit } from '@proveanything/smartlinks';
-
-// After your custom flow succeeds:
-await authKit.publishLogin({
-  token,                // string — your API's bearer token
-  user: {               // mirrors AuthUser
-    uid: 'usr_123',
-    email: 'bidder@example.com',
-    displayName: 'Jane Bidder',
-  },
-  accountData: { tier: 'gold' }, // optional, free-form
-});
-
-// On sign-out:
-await authKit.publishLogout();
-```
-
-### Raw postMessage (fallback)
-
-If you can't use the helper (e.g. you're outside the SDK), post the raw
-messages from the iframe to its parent. The portal's `IframeResponder`
-listens for these:
+Iframe apps don't share React context. Post messages directly from the
+iframe to its parent — the portal's `IframeResponder` listens for these:
 
 ```ts
 // LOGIN
@@ -138,7 +114,7 @@ through the standard portal UI.
    wiped.
 
 ❌ Implementing logout by just clearing your own state. Always call
-   `useAuth().logout()` (container/widget) or `authKit.publishLogout()`
+   `useAuth().logout()` (container/widget) or post `smartlinks:authkit:logout`
    (iframe) so the whole portal session ends cleanly.
 
 ---

package/package.json

@@ -1,9 +1,15 @@
 {
   "name": "@proveanything/smartlinks",
-  "version": "1.13.18",
+  "version": "1.13.20",
   "description": "Official JavaScript/TypeScript SDK for the Smartlinks API",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
   "files": [
     "dist/",
     "docs/",