@rei-standard/amsg-client 2.1.0 → 2.2.1

package/README.md

@@ -42,6 +42,8 @@ await client.scheduleMessage({
 
 新代码用 `client.sendInstant(payload)`，走 [`@rei-standard/amsg-instant`](https://github.com/Tosd0/ReiStandard/blob/main/packages/rei-standard-amsg/instant/README.md)。
 
+### 加密模式（默认；兼容 amsg-server / amsg-instant 0.1.x）
+
 ```js
 const client = new ReiClient({
   baseUrl: '/api/v1',
@@ -65,8 +67,55 @@ await client.sendInstant({
 
 > `customBaseUrls` 是按端点名（如 `instant`）覆盖 `baseUrl` 的通用机制；后续其他端点也可以用同一字段独立指定 base URL，不会再加新的命名字段。
 
+### 明文模式（配 amsg-instant 0.2.x，单租户自部署）
+
+```js
+const client = new ReiClient({
+  baseUrl: 'https://instant.example.com',   // amsg-instant Worker URL
+  instantEncryption: false,
+  instantClientToken: 'shared-secret-xyz',  // 可选；Worker 端配了再填
+});
+
+// init() 在明文模式下是 no-op，调用与否都跑得通
+await client.sendInstant({
+  contactName: 'Rei',
+  completePrompt: '你是 Rei，用一句话提醒用户带伞',
+  apiUrl: 'https://api.openai.com/v1/chat/completions',
+  apiKey: '...',
+  primaryModel: 'gpt-4o-mini',
+  pushSubscription: subscription.toJSON(),
+});
+```
+
+> ⚠️ **`instantClientToken` 是弱共享密钥**：它会随前端 bundle 发出去，devtools 一开就能看到。它只防 URL 直接被脚本小子打，不防有心人。要真正的鉴权，用 amsg-instant 的 `tokenSigningKey`（HMAC JWT，配合后端签发短期 token）。
+
+> ⚠️ **双模式陷阱**：`instantEncryption: false` 时 `init()` 变成 no-op，`scheduleMessage` / `listMessages` / `updateMessage` 这类**仍走加密**的方法会因 `userKey` 没初始化抛 "Not initialised"。如果同一前端既要 `sendInstant`（明文走 amsg-instant）又要 `scheduleMessage`（加密走 amsg-server），请改回 `instantEncryption: true`（默认）—— amsg-instant 0.1.x 与 amsg-server 用同一份 `userKey` 都吃得下。
+
 旧路径 `scheduleMessage({ ...payload, messageType: 'instant' })` 仍然可用（兼容保留，多一次 DB 来回）。
 
+### `messages` 模式（多轮上下文 / 带 system role，对接 amsg-instant 0.5.0+ / amsg-server 2.2.0+）
+
+需要 system role、保留多轮历史、tool role 这些场景时，把 `completePrompt` 换成标准 OpenAI 格式的 `messages` 数组。client 本身**完全透传**，所以 SDK 端零额外配置：
+
+```js
+await client.sendInstant({
+  contactName: 'Rei',
+  messages: [
+    { role: 'system', content: '你是 Rei，回复要简短自然。' },
+    { role: 'user', content: '今天会下雨吗？' },
+    { role: 'assistant', content: '看了下，下午有阵雨。' },
+    { role: 'user', content: '那提醒我一下带伞' },
+  ],
+  apiUrl: 'https://api.openai.com/v1/chat/completions',
+  apiKey: '...',
+  primaryModel: 'gpt-4o-mini',
+  temperature: 0.7,                                  // 可选
+  pushSubscription: subscription.toJSON(),
+});
+```
+
+注意 `completePrompt` 和 `messages` **必须恰好二选一**——两者同时给会被 Worker / Server 端返回 `400 INVALID_PAYLOAD_FORMAT` / `INVALID_PARAMETERS`。`scheduleMessage` 也接受同样的 `messages` 字段（amsg-server 2.2.0+ 起持久化层一并支持），用法相同。
+
 ## 导出 API（Exports）
 
 - `ReiClient`
@@ -91,8 +140,8 @@ await client.sendInstant({
 
 - 浏览器环境（需 `fetch`、`crypto.subtle`）
 - Push 订阅需可用 Service Worker 与 Push API
-- 需要可用的 `baseUrl`（示例：`/api/v1`）
-- `userId` 必须是 UUID v4
+- 需要可用的 `baseUrl`（示例：`/api/v1`；明文 instant 模式下可直接是 Worker URL）
+- `userId` 必须是 UUID v4（明文 instant 模式 `instantEncryption: false` 下可省）
 
 ## 相关链接（绝对 URL）
 

package/dist/index.cjs

@@ -28,7 +28,12 @@ var ReiClient = class {
    */
   constructor(config) {
     if (!config || !config.baseUrl) throw new Error("[rei-standard-amsg-client] baseUrl is required");
-    if (!config.userId) throw new Error("[rei-standard-amsg-client] userId is required");
+    const instantEncryption = config.instantEncryption !== false;
+    if (!config.userId && instantEncryption) {
+      throw new Error(
+        "[rei-standard-amsg-client] userId is required (omit only when instantEncryption: false)"
+      );
+    }
     this._baseUrl = config.baseUrl.replace(/\/+$/, "");
     this._customBaseUrls = {};
     if (config.customBaseUrls && typeof config.customBaseUrls === "object") {
@@ -38,8 +43,10 @@ var ReiClient = class {
         }
       }
     }
-    this._userId = config.userId;
+    this._userId = config.userId || "";
     this._userKey = null;
+    this._instantEncryption = instantEncryption;
+    this._instantClientToken = typeof config.instantClientToken === "string" && config.instantClientToken ? config.instantClientToken : "";
   }
   /**
    * Resolve the base URL for a given endpoint, falling back to `baseUrl`.
@@ -55,8 +62,17 @@ var ReiClient = class {
   /**
    * Fetch the user-specific encryption key.
    * Must be called before any encrypted request.
+   *
+   * In plaintext-instant mode (`instantEncryption: false`) this is a no-op:
+   * `sendInstant()` does not need a userKey. Note that if you also intend to
+   * call `scheduleMessage` / `listMessages` / `updateMessage` (which always
+   * use AES-256-GCM), you must construct with `instantEncryption: true`
+   * (the default) — those methods will throw "Not initialised" otherwise.
    */
   async init() {
+    if (this._instantEncryption === false) {
+      return;
+    }
     const res = await fetch(`${this._baseUrl}/get-user-key`, {
       method: "GET",
       headers: { "X-User-Id": this._userId }
@@ -106,11 +122,16 @@ var ReiClient = class {
    *   - Deployable to Cloudflare Workers / Deno Deploy / Vercel Edge
    *   - Rejects scheduled-only fields (`firstSendTime`, `recurrenceType`)
    *
-   * The payload uses the same field names as `scheduleMessage`, minus
-   * `firstSendTime` and `recurrenceType`. It is auto-encrypted with the
-   * same `userKey` fetched by `init()`, so the upstream deployment of
-   * amsg-instant must share the same `masterKey` as the amsg-server
-   * tenant.
+   * Two transport modes (chosen by constructor `instantEncryption`):
+   *
+   * - **Encrypted (default)** — payload is AES-256-GCM encrypted with the
+   *   `userKey` fetched by `init()`. Compatible with amsg-instant 0.1.x and
+   *   with amsg-server's `schedule-message` instant path. Sends
+   *   `X-User-Id` + `X-Payload-Encrypted: true` + `X-Encryption-Version: 1`.
+   *
+   * - **Plaintext** (`instantEncryption: false`) — payload is sent as raw
+   *   JSON. Targets amsg-instant 0.2.x. Sends `X-Client-Token` if
+   *   `instantClientToken` was configured.
    *
    * Routes to `customBaseUrls.instant` if configured, otherwise `baseUrl`.
    *
@@ -120,13 +141,20 @@ var ReiClient = class {
    * @returns {Promise<Object>} `{ success, data?: { messagesSent, sentAt }, error? }`
    */
   async sendInstant(payload, endpointPath = "/instant", opts = {}) {
-    const encrypted = await this._encrypt(JSON.stringify(payload));
-    const headers = {
-      "Content-Type": "application/json",
-      "X-User-Id": this._userId,
-      "X-Payload-Encrypted": "true",
-      "X-Encryption-Version": "1"
-    };
+    const headers = { "Content-Type": "application/json" };
+    let body;
+    if (this._instantEncryption === false) {
+      body = JSON.stringify(payload);
+      if (this._instantClientToken) {
+        headers["X-Client-Token"] = this._instantClientToken;
+      }
+    } else {
+      const encrypted = await this._encrypt(JSON.stringify(payload));
+      headers["X-User-Id"] = this._userId;
+      headers["X-Payload-Encrypted"] = "true";
+      headers["X-Encryption-Version"] = "1";
+      body = JSON.stringify(encrypted);
+    }
     if (opts.authorization) {
       headers["Authorization"] = opts.authorization;
     }
@@ -134,7 +162,7 @@ var ReiClient = class {
     const res = await fetch(`${this._resolveBaseUrl("instant")}${path}`, {
       method: "POST",
       headers,
-      body: JSON.stringify(encrypted)
+      body
     });
     return res.json();
   }

package/dist/index.d.cts

@@ -1,11 +1,11 @@
 /**
  * ReiStandard Client SDK
- * v2.0.1
  *
  * Lightweight browser client that handles:
- *  - AES-256-GCM encryption using the Web Crypto API
+ *  - AES-256-GCM encryption using the Web Crypto API (for amsg-server's
+ *    schedule path and amsg-instant 0.1.x)
+ *  - Optional plaintext mode for amsg-instant 0.2.x (instantEncryption: false)
  *  - Push subscription management via the Push API
- *  - Convenient request helpers for amsg-server endpoints + amsg-instant
  *
  * Usage:
  *   import { ReiClient } from '@rei-standard/amsg-client';
@@ -25,6 +25,8 @@
 /**
  * @typedef {Object} ReiClientConfig
  * @property {string} baseUrl                            - Default base URL of the API (e.g. https://host/api/v1).
+ *                                                         In plaintext-instant mode (`instantEncryption: false`)
+ *                                                         this can be the amsg-instant Worker URL directly.
  * @property {Record<string, string>} [customBaseUrls]   - Optional per-endpoint base URL overrides.
  *                                                         Key is the endpoint name (e.g. `instant`); value is
  *                                                         the base URL to use for that endpoint instead of
@@ -33,7 +35,21 @@
  *                                                         Workers while the rest run on Netlify). Future
  *                                                         endpoints (e.g. `schedule`, `messages`) can be
  *                                                         overridden the same way without an API change.
- * @property {string} userId                             - Current user identifier (UUID v4).
+ * @property {string} [userId]                           - Current user identifier (UUID v4). Required for the
+ *                                                         encrypted path (default `instantEncryption: true`,
+ *                                                         and for `scheduleMessage` / `listMessages` /
+ *                                                         `updateMessage` always). Can be omitted only when
+ *                                                         `instantEncryption: false` AND you do not call any
+ *                                                         encrypted method.
+ * @property {boolean} [instantEncryption=true]          - When `false`, `sendInstant()` posts plaintext JSON
+ *                                                         to amsg-instant 0.2.x. `init()` becomes a no-op.
+ *                                                         All other methods (`scheduleMessage` etc.) keep
+ *                                                         using AES-256-GCM regardless of this flag.
+ * @property {string} [instantClientToken]               - When set, sent as the `X-Client-Token` header by
+ *                                                         `sendInstant()` in plaintext mode. Note: this is
+ *                                                         a *weak* shared secret — it ships inside any
+ *                                                         frontend bundle that uses it, so devtools can
+ *                                                         read it. Use for casual URL-direct abuse only.
  */
 
 class ReiClient {
@@ -42,7 +58,13 @@ class ReiClient {
    */
   constructor(config) {
     if (!config || !config.baseUrl) throw new Error('[rei-standard-amsg-client] baseUrl is required');
-    if (!config.userId) throw new Error('[rei-standard-amsg-client] userId is required');
+
+    const instantEncryption = config.instantEncryption !== false;
+    if (!config.userId && instantEncryption) {
+      throw new Error(
+        '[rei-standard-amsg-client] userId is required (omit only when instantEncryption: false)'
+      );
+    }
 
     /** @private */
     this._baseUrl = config.baseUrl.replace(/\/+$/, '');
@@ -56,9 +78,15 @@ class ReiClient {
       }
     }
     /** @private */
-    this._userId = config.userId;
+    this._userId = config.userId || '';
     /** @private */
     this._userKey = null;
+    /** @private */
+    this._instantEncryption = instantEncryption;
+    /** @private */
+    this._instantClientToken = typeof config.instantClientToken === 'string' && config.instantClientToken
+      ? config.instantClientToken
+      : '';
   }
 
   /**
@@ -77,8 +105,18 @@ class ReiClient {
   /**
    * Fetch the user-specific encryption key.
    * Must be called before any encrypted request.
+   *
+   * In plaintext-instant mode (`instantEncryption: false`) this is a no-op:
+   * `sendInstant()` does not need a userKey. Note that if you also intend to
+   * call `scheduleMessage` / `listMessages` / `updateMessage` (which always
+   * use AES-256-GCM), you must construct with `instantEncryption: true`
+   * (the default) — those methods will throw "Not initialised" otherwise.
    */
   async init() {
+    if (this._instantEncryption === false) {
+      return;
+    }
+
     const res = await fetch(`${this._baseUrl}/get-user-key`, {
       method: 'GET',
       headers: { 'X-User-Id': this._userId }
@@ -136,11 +174,16 @@ class ReiClient {
    *   - Deployable to Cloudflare Workers / Deno Deploy / Vercel Edge
    *   - Rejects scheduled-only fields (`firstSendTime`, `recurrenceType`)
    *
-   * The payload uses the same field names as `scheduleMessage`, minus
-   * `firstSendTime` and `recurrenceType`. It is auto-encrypted with the
-   * same `userKey` fetched by `init()`, so the upstream deployment of
-   * amsg-instant must share the same `masterKey` as the amsg-server
-   * tenant.
+   * Two transport modes (chosen by constructor `instantEncryption`):
+   *
+   * - **Encrypted (default)** — payload is AES-256-GCM encrypted with the
+   *   `userKey` fetched by `init()`. Compatible with amsg-instant 0.1.x and
+   *   with amsg-server's `schedule-message` instant path. Sends
+   *   `X-User-Id` + `X-Payload-Encrypted: true` + `X-Encryption-Version: 1`.
+   *
+   * - **Plaintext** (`instantEncryption: false`) — payload is sent as raw
+   *   JSON. Targets amsg-instant 0.2.x. Sends `X-Client-Token` if
+   *   `instantClientToken` was configured.
    *
    * Routes to `customBaseUrls.instant` if configured, otherwise `baseUrl`.
    *
@@ -150,14 +193,22 @@ class ReiClient {
    * @returns {Promise<Object>} `{ success, data?: { messagesSent, sentAt }, error? }`
    */
   async sendInstant(payload, endpointPath = '/instant', opts = {}) {
-    const encrypted = await this._encrypt(JSON.stringify(payload));
+    const headers = { 'Content-Type': 'application/json' };
+    let body;
+
+    if (this._instantEncryption === false) {
+      body = JSON.stringify(payload);
+      if (this._instantClientToken) {
+        headers['X-Client-Token'] = this._instantClientToken;
+      }
+    } else {
+      const encrypted = await this._encrypt(JSON.stringify(payload));
+      headers['X-User-Id'] = this._userId;
+      headers['X-Payload-Encrypted'] = 'true';
+      headers['X-Encryption-Version'] = '1';
+      body = JSON.stringify(encrypted);
+    }
 
-    const headers = {
-      'Content-Type': 'application/json',
-      'X-User-Id': this._userId,
-      'X-Payload-Encrypted': 'true',
-      'X-Encryption-Version': '1'
-    };
     if (opts.authorization) {
       headers['Authorization'] = opts.authorization;
     }
@@ -166,7 +217,7 @@ class ReiClient {
     const res = await fetch(`${this._resolveBaseUrl('instant')}${path}`, {
       method: 'POST',
       headers,
-      body: JSON.stringify(encrypted)
+      body
     });
 
     return res.json();

package/dist/index.d.ts

@@ -1,11 +1,11 @@
 /**
  * ReiStandard Client SDK
- * v2.0.1
  *
  * Lightweight browser client that handles:
- *  - AES-256-GCM encryption using the Web Crypto API
+ *  - AES-256-GCM encryption using the Web Crypto API (for amsg-server's
+ *    schedule path and amsg-instant 0.1.x)
+ *  - Optional plaintext mode for amsg-instant 0.2.x (instantEncryption: false)
  *  - Push subscription management via the Push API
- *  - Convenient request helpers for amsg-server endpoints + amsg-instant
  *
  * Usage:
  *   import { ReiClient } from '@rei-standard/amsg-client';
@@ -25,6 +25,8 @@
 /**
  * @typedef {Object} ReiClientConfig
  * @property {string} baseUrl                            - Default base URL of the API (e.g. https://host/api/v1).
+ *                                                         In plaintext-instant mode (`instantEncryption: false`)
+ *                                                         this can be the amsg-instant Worker URL directly.
  * @property {Record<string, string>} [customBaseUrls]   - Optional per-endpoint base URL overrides.
  *                                                         Key is the endpoint name (e.g. `instant`); value is
  *                                                         the base URL to use for that endpoint instead of
@@ -33,7 +35,21 @@
  *                                                         Workers while the rest run on Netlify). Future
  *                                                         endpoints (e.g. `schedule`, `messages`) can be
  *                                                         overridden the same way without an API change.
- * @property {string} userId                             - Current user identifier (UUID v4).
+ * @property {string} [userId]                           - Current user identifier (UUID v4). Required for the
+ *                                                         encrypted path (default `instantEncryption: true`,
+ *                                                         and for `scheduleMessage` / `listMessages` /
+ *                                                         `updateMessage` always). Can be omitted only when
+ *                                                         `instantEncryption: false` AND you do not call any
+ *                                                         encrypted method.
+ * @property {boolean} [instantEncryption=true]          - When `false`, `sendInstant()` posts plaintext JSON
+ *                                                         to amsg-instant 0.2.x. `init()` becomes a no-op.
+ *                                                         All other methods (`scheduleMessage` etc.) keep
+ *                                                         using AES-256-GCM regardless of this flag.
+ * @property {string} [instantClientToken]               - When set, sent as the `X-Client-Token` header by
+ *                                                         `sendInstant()` in plaintext mode. Note: this is
+ *                                                         a *weak* shared secret — it ships inside any
+ *                                                         frontend bundle that uses it, so devtools can
+ *                                                         read it. Use for casual URL-direct abuse only.
  */
 
 class ReiClient {
@@ -42,7 +58,13 @@ class ReiClient {
    */
   constructor(config) {
     if (!config || !config.baseUrl) throw new Error('[rei-standard-amsg-client] baseUrl is required');
-    if (!config.userId) throw new Error('[rei-standard-amsg-client] userId is required');
+
+    const instantEncryption = config.instantEncryption !== false;
+    if (!config.userId && instantEncryption) {
+      throw new Error(
+        '[rei-standard-amsg-client] userId is required (omit only when instantEncryption: false)'
+      );
+    }
 
     /** @private */
     this._baseUrl = config.baseUrl.replace(/\/+$/, '');
@@ -56,9 +78,15 @@ class ReiClient {
       }
     }
     /** @private */
-    this._userId = config.userId;
+    this._userId = config.userId || '';
     /** @private */
     this._userKey = null;
+    /** @private */
+    this._instantEncryption = instantEncryption;
+    /** @private */
+    this._instantClientToken = typeof config.instantClientToken === 'string' && config.instantClientToken
+      ? config.instantClientToken
+      : '';
   }
 
   /**
@@ -77,8 +105,18 @@ class ReiClient {
   /**
    * Fetch the user-specific encryption key.
    * Must be called before any encrypted request.
+   *
+   * In plaintext-instant mode (`instantEncryption: false`) this is a no-op:
+   * `sendInstant()` does not need a userKey. Note that if you also intend to
+   * call `scheduleMessage` / `listMessages` / `updateMessage` (which always
+   * use AES-256-GCM), you must construct with `instantEncryption: true`
+   * (the default) — those methods will throw "Not initialised" otherwise.
    */
   async init() {
+    if (this._instantEncryption === false) {
+      return;
+    }
+
     const res = await fetch(`${this._baseUrl}/get-user-key`, {
       method: 'GET',
       headers: { 'X-User-Id': this._userId }
@@ -136,11 +174,16 @@ class ReiClient {
    *   - Deployable to Cloudflare Workers / Deno Deploy / Vercel Edge
    *   - Rejects scheduled-only fields (`firstSendTime`, `recurrenceType`)
    *
-   * The payload uses the same field names as `scheduleMessage`, minus
-   * `firstSendTime` and `recurrenceType`. It is auto-encrypted with the
-   * same `userKey` fetched by `init()`, so the upstream deployment of
-   * amsg-instant must share the same `masterKey` as the amsg-server
-   * tenant.
+   * Two transport modes (chosen by constructor `instantEncryption`):
+   *
+   * - **Encrypted (default)** — payload is AES-256-GCM encrypted with the
+   *   `userKey` fetched by `init()`. Compatible with amsg-instant 0.1.x and
+   *   with amsg-server's `schedule-message` instant path. Sends
+   *   `X-User-Id` + `X-Payload-Encrypted: true` + `X-Encryption-Version: 1`.
+   *
+   * - **Plaintext** (`instantEncryption: false`) — payload is sent as raw
+   *   JSON. Targets amsg-instant 0.2.x. Sends `X-Client-Token` if
+   *   `instantClientToken` was configured.
    *
    * Routes to `customBaseUrls.instant` if configured, otherwise `baseUrl`.
    *
@@ -150,14 +193,22 @@ class ReiClient {
    * @returns {Promise<Object>} `{ success, data?: { messagesSent, sentAt }, error? }`
    */
   async sendInstant(payload, endpointPath = '/instant', opts = {}) {
-    const encrypted = await this._encrypt(JSON.stringify(payload));
+    const headers = { 'Content-Type': 'application/json' };
+    let body;
+
+    if (this._instantEncryption === false) {
+      body = JSON.stringify(payload);
+      if (this._instantClientToken) {
+        headers['X-Client-Token'] = this._instantClientToken;
+      }
+    } else {
+      const encrypted = await this._encrypt(JSON.stringify(payload));
+      headers['X-User-Id'] = this._userId;
+      headers['X-Payload-Encrypted'] = 'true';
+      headers['X-Encryption-Version'] = '1';
+      body = JSON.stringify(encrypted);
+    }
 
-    const headers = {
-      'Content-Type': 'application/json',
-      'X-User-Id': this._userId,
-      'X-Payload-Encrypted': 'true',
-      'X-Encryption-Version': '1'
-    };
     if (opts.authorization) {
       headers['Authorization'] = opts.authorization;
     }
@@ -166,7 +217,7 @@ class ReiClient {
     const res = await fetch(`${this._resolveBaseUrl('instant')}${path}`, {
       method: 'POST',
       headers,
-      body: JSON.stringify(encrypted)
+      body
     });
 
     return res.json();

package/dist/index.mjs

@@ -5,7 +5,12 @@ var ReiClient = class {
    */
   constructor(config) {
     if (!config || !config.baseUrl) throw new Error("[rei-standard-amsg-client] baseUrl is required");
-    if (!config.userId) throw new Error("[rei-standard-amsg-client] userId is required");
+    const instantEncryption = config.instantEncryption !== false;
+    if (!config.userId && instantEncryption) {
+      throw new Error(
+        "[rei-standard-amsg-client] userId is required (omit only when instantEncryption: false)"
+      );
+    }
     this._baseUrl = config.baseUrl.replace(/\/+$/, "");
     this._customBaseUrls = {};
     if (config.customBaseUrls && typeof config.customBaseUrls === "object") {
@@ -15,8 +20,10 @@ var ReiClient = class {
         }
       }
     }
-    this._userId = config.userId;
+    this._userId = config.userId || "";
     this._userKey = null;
+    this._instantEncryption = instantEncryption;
+    this._instantClientToken = typeof config.instantClientToken === "string" && config.instantClientToken ? config.instantClientToken : "";
   }
   /**
    * Resolve the base URL for a given endpoint, falling back to `baseUrl`.
@@ -32,8 +39,17 @@ var ReiClient = class {
   /**
    * Fetch the user-specific encryption key.
    * Must be called before any encrypted request.
+   *
+   * In plaintext-instant mode (`instantEncryption: false`) this is a no-op:
+   * `sendInstant()` does not need a userKey. Note that if you also intend to
+   * call `scheduleMessage` / `listMessages` / `updateMessage` (which always
+   * use AES-256-GCM), you must construct with `instantEncryption: true`
+   * (the default) — those methods will throw "Not initialised" otherwise.
    */
   async init() {
+    if (this._instantEncryption === false) {
+      return;
+    }
     const res = await fetch(`${this._baseUrl}/get-user-key`, {
       method: "GET",
       headers: { "X-User-Id": this._userId }
@@ -83,11 +99,16 @@ var ReiClient = class {
    *   - Deployable to Cloudflare Workers / Deno Deploy / Vercel Edge
    *   - Rejects scheduled-only fields (`firstSendTime`, `recurrenceType`)
    *
-   * The payload uses the same field names as `scheduleMessage`, minus
-   * `firstSendTime` and `recurrenceType`. It is auto-encrypted with the
-   * same `userKey` fetched by `init()`, so the upstream deployment of
-   * amsg-instant must share the same `masterKey` as the amsg-server
-   * tenant.
+   * Two transport modes (chosen by constructor `instantEncryption`):
+   *
+   * - **Encrypted (default)** — payload is AES-256-GCM encrypted with the
+   *   `userKey` fetched by `init()`. Compatible with amsg-instant 0.1.x and
+   *   with amsg-server's `schedule-message` instant path. Sends
+   *   `X-User-Id` + `X-Payload-Encrypted: true` + `X-Encryption-Version: 1`.
+   *
+   * - **Plaintext** (`instantEncryption: false`) — payload is sent as raw
+   *   JSON. Targets amsg-instant 0.2.x. Sends `X-Client-Token` if
+   *   `instantClientToken` was configured.
    *
    * Routes to `customBaseUrls.instant` if configured, otherwise `baseUrl`.
    *
@@ -97,13 +118,20 @@ var ReiClient = class {
    * @returns {Promise<Object>} `{ success, data?: { messagesSent, sentAt }, error? }`
    */
   async sendInstant(payload, endpointPath = "/instant", opts = {}) {
-    const encrypted = await this._encrypt(JSON.stringify(payload));
-    const headers = {
-      "Content-Type": "application/json",
-      "X-User-Id": this._userId,
-      "X-Payload-Encrypted": "true",
-      "X-Encryption-Version": "1"
-    };
+    const headers = { "Content-Type": "application/json" };
+    let body;
+    if (this._instantEncryption === false) {
+      body = JSON.stringify(payload);
+      if (this._instantClientToken) {
+        headers["X-Client-Token"] = this._instantClientToken;
+      }
+    } else {
+      const encrypted = await this._encrypt(JSON.stringify(payload));
+      headers["X-User-Id"] = this._userId;
+      headers["X-Payload-Encrypted"] = "true";
+      headers["X-Encryption-Version"] = "1";
+      body = JSON.stringify(encrypted);
+    }
     if (opts.authorization) {
       headers["Authorization"] = opts.authorization;
     }
@@ -111,7 +139,7 @@ var ReiClient = class {
     const res = await fetch(`${this._resolveBaseUrl("instant")}${path}`, {
       method: "POST",
       headers,
-      body: JSON.stringify(encrypted)
+      body
     });
     return res.json();
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rei-standard/amsg-client",
-  "version": "2.1.0",
+  "version": "2.2.1",
   "description": "ReiStandard Active Messaging browser client SDK",
   "repository": {
     "type": "git",