npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.2 → 0.0.4-preview.21 - Mend

@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (798) hide show

package/README.md +67 -26
package/dist/authorization/index.d.ts +63 -0
package/dist/authorization/index.d.ts.map +1 -0
package/dist/authorization/index.js +63 -0
package/dist/authorization/index.js.map +1 -0
package/dist/bin.js +6185 -0
package/dist/client/core/types.d.ts +20 -0
package/dist/client/core/types.d.ts.map +1 -0
package/dist/client/index.d.ts +2 -299
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +407 -534
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +42 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +2546 -90
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/client/core/types.d.ts +2 -0
package/dist/component/client/index.d.ts +2 -0
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/functions.d.ts +11 -9
package/dist/component/functions.d.ts.map +1 -1
package/dist/component/functions.js.map +1 -1
package/dist/component/index.d.ts +7 -11
package/dist/component/index.js +2 -3
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +349 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/anonymous.d.ts +54 -0
package/dist/component/providers/anonymous.d.ts.map +1 -0
package/dist/component/providers/credentials.d.ts +5 -5
package/dist/component/providers/credentials.d.ts.map +1 -1
package/dist/component/providers/device.d.ts +67 -0
package/dist/component/providers/device.d.ts.map +1 -0
package/dist/component/providers/email.d.ts +62 -0
package/dist/component/providers/email.d.ts.map +1 -0
package/dist/component/providers/oauth.d.ts.map +1 -1
package/dist/component/providers/oauth.js.map +1 -1
package/dist/component/providers/passkey.d.ts +57 -0
package/dist/component/providers/passkey.d.ts.map +1 -0
package/dist/component/providers/password.d.ts +88 -0
package/dist/component/providers/password.d.ts.map +1 -0
package/dist/component/providers/phone.d.ts +48 -0
package/dist/component/providers/phone.d.ts.map +1 -0
package/dist/component/providers/sso.d.ts +50 -0
package/dist/component/providers/sso.d.ts.map +1 -0
package/dist/component/providers/totp.d.ts +45 -0
package/dist/component/providers/totp.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.d.ts +73 -0
package/dist/component/public/enterprise/audit.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.js +108 -0
package/dist/component/public/enterprise/audit.js.map +1 -0
package/dist/component/public/enterprise/core.d.ts +176 -0
package/dist/component/public/enterprise/core.d.ts.map +1 -0
package/dist/component/public/enterprise/core.js +292 -0
package/dist/component/public/enterprise/core.js.map +1 -0
package/dist/component/public/enterprise/domains.d.ts +174 -0
package/dist/component/public/enterprise/domains.d.ts.map +1 -0
package/dist/component/public/enterprise/domains.js +271 -0
package/dist/component/public/enterprise/domains.js.map +1 -0
package/dist/component/public/enterprise/scim.d.ts +245 -0
package/dist/component/public/enterprise/scim.d.ts.map +1 -0
package/dist/component/public/enterprise/scim.js +344 -0
package/dist/component/public/enterprise/scim.js.map +1 -0
package/dist/component/public/enterprise/secrets.d.ts +78 -0
package/dist/component/public/enterprise/secrets.d.ts.map +1 -0
package/dist/component/public/enterprise/secrets.js +118 -0
package/dist/component/public/enterprise/secrets.js.map +1 -0
package/dist/component/public/enterprise/webhooks.d.ts +211 -0
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -0
package/dist/component/public/enterprise/webhooks.js +300 -0
package/dist/component/public/enterprise/webhooks.js.map +1 -0
package/dist/component/public/factors/devices.d.ts +157 -0
package/dist/component/public/factors/devices.d.ts.map +1 -0
package/dist/component/public/factors/devices.js +216 -0
package/dist/component/public/factors/devices.js.map +1 -0
package/dist/component/public/factors/passkeys.d.ts +175 -0
package/dist/component/public/factors/passkeys.d.ts.map +1 -0
package/dist/component/public/factors/passkeys.js +238 -0
package/dist/component/public/factors/passkeys.js.map +1 -0
package/dist/component/public/factors/totp.d.ts +189 -0
package/dist/component/public/factors/totp.d.ts.map +1 -0
package/dist/component/public/factors/totp.js +254 -0
package/dist/component/public/factors/totp.js.map +1 -0
package/dist/component/public/groups/core.d.ts +137 -0
package/dist/component/public/groups/core.d.ts.map +1 -0
package/dist/component/public/groups/core.js +321 -0
package/dist/component/public/groups/core.js.map +1 -0
package/dist/component/public/groups/invites.d.ts +217 -0
package/dist/component/public/groups/invites.d.ts.map +1 -0
package/dist/component/public/groups/invites.js +457 -0
package/dist/component/public/groups/invites.js.map +1 -0
package/dist/component/public/groups/members.d.ts +204 -0
package/dist/component/public/groups/members.d.ts.map +1 -0
package/dist/component/public/groups/members.js +355 -0
package/dist/component/public/groups/members.js.map +1 -0
package/dist/component/public/identity/accounts.d.ts +147 -0
package/dist/component/public/identity/accounts.d.ts.map +1 -0
package/dist/component/public/identity/accounts.js +200 -0
package/dist/component/public/identity/accounts.js.map +1 -0
package/dist/component/public/identity/codes.d.ts +104 -0
package/dist/component/public/identity/codes.d.ts.map +1 -0
package/dist/component/public/identity/codes.js +140 -0
package/dist/component/public/identity/codes.js.map +1 -0
package/dist/component/public/identity/sessions.d.ts +128 -0
package/dist/component/public/identity/sessions.d.ts.map +1 -0
package/dist/component/public/identity/sessions.js +192 -0
package/dist/component/public/identity/sessions.js.map +1 -0
package/dist/component/public/identity/tokens.d.ts +169 -0
package/dist/component/public/identity/tokens.d.ts.map +1 -0
package/dist/component/public/identity/tokens.js +227 -0
package/dist/component/public/identity/tokens.js.map +1 -0
package/dist/component/public/identity/users.d.ts +212 -0
package/dist/component/public/identity/users.d.ts.map +1 -0
package/dist/component/public/identity/users.js +311 -0
package/dist/component/public/identity/users.js.map +1 -0
package/dist/component/public/identity/verifiers.d.ts +116 -0
package/dist/component/public/identity/verifiers.d.ts.map +1 -0
package/dist/component/public/identity/verifiers.js +154 -0
package/dist/component/public/identity/verifiers.js.map +1 -0
package/dist/component/public/security/keys.d.ts +209 -0
package/dist/component/public/security/keys.d.ts.map +1 -0
package/dist/component/public/security/keys.js +319 -0
package/dist/component/public/security/keys.js.map +1 -0
package/dist/component/public/security/limits.d.ts +114 -0
package/dist/component/public/security/limits.d.ts.map +1 -0
package/dist/component/public/security/limits.js +169 -0
package/dist/component/public/security/limits.js.map +1 -0
package/dist/component/public.d.ts +24 -271
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +21 -1229
package/dist/component/schema.d.ts +473 -110
package/dist/component/schema.js +162 -73
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +318 -373
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +204 -123
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/authError.js +34 -0
package/dist/component/server/authError.js.map +1 -0
package/dist/component/server/{providers.js → config.js} +43 -12
package/dist/component/server/config.js.map +1 -0
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/core.js +713 -0
package/dist/component/server/core.js.map +1 -0
package/dist/component/server/crypto.js +38 -0
package/dist/component/server/crypto.js.map +1 -0
package/dist/component/server/{implementation/db.js → db.js} +2 -1
package/dist/component/server/db.js.map +1 -0
package/dist/component/server/device.js +109 -0
package/dist/component/server/device.js.map +1 -0
package/dist/component/server/enterprise/config.js +46 -0
package/dist/component/server/enterprise/config.js.map +1 -0
package/dist/component/server/enterprise/domain.js +885 -0
package/dist/component/server/enterprise/domain.js.map +1 -0
package/dist/component/server/enterprise/http.js +766 -0
package/dist/component/server/enterprise/http.js.map +1 -0
package/dist/component/server/enterprise/oidc.js +248 -0
package/dist/component/server/enterprise/oidc.js.map +1 -0
package/dist/component/server/enterprise/policy.js +85 -0
package/dist/component/server/enterprise/policy.js.map +1 -0
package/dist/component/server/enterprise/saml.js +338 -0
package/dist/component/server/enterprise/saml.js.map +1 -0
package/dist/component/server/enterprise/scim.js +97 -0
package/dist/component/server/enterprise/scim.js.map +1 -0
package/dist/component/server/enterprise/shared.js +51 -0
package/dist/component/server/enterprise/shared.js.map +1 -0
package/dist/component/server/errors.d.ts +1 -0
package/dist/component/server/errors.js +24 -16
package/dist/component/server/errors.js.map +1 -1
package/dist/component/server/http.js +288 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/{server/implementation → component/server}/keys.js +9 -31
package/dist/component/server/keys.js.map +1 -0
package/dist/component/server/limits.js +61 -0
package/dist/component/server/limits.js.map +1 -0
package/dist/component/server/mutations/account.js +44 -0
package/dist/component/server/mutations/account.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/component/server/mutations/code.js.map +1 -0
package/dist/component/server/mutations/invalidate.js +32 -0
package/dist/component/server/mutations/invalidate.js.map +1 -0
package/dist/component/server/mutations/oauth.js +110 -0
package/dist/component/server/mutations/oauth.js.map +1 -0
package/dist/component/server/mutations/refresh.js +119 -0
package/dist/component/server/mutations/refresh.js.map +1 -0
package/dist/component/server/mutations/register.js +83 -0
package/dist/component/server/mutations/register.js.map +1 -0
package/dist/component/server/mutations/retrieve.js +65 -0
package/dist/component/server/mutations/retrieve.js.map +1 -0
package/dist/component/server/mutations/signature.js +32 -0
package/dist/component/server/mutations/signature.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/component/server/mutations/signin.js.map +1 -0
package/dist/component/server/mutations/signout.js +27 -0
package/dist/component/server/mutations/signout.js.map +1 -0
package/dist/component/server/mutations/store/refs.js +15 -0
package/dist/component/server/mutations/store/refs.js.map +1 -0
package/dist/component/server/mutations/store.js +85 -0
package/dist/component/server/mutations/store.js.map +1 -0
package/dist/component/server/mutations/verifier.js +18 -0
package/dist/component/server/mutations/verifier.js.map +1 -0
package/dist/component/server/mutations/verify.js +98 -0
package/dist/component/server/mutations/verify.js.map +1 -0
package/dist/component/server/oauth.js +106 -60
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +328 -0
package/dist/component/server/passkey.js.map +1 -0
package/dist/{server/implementation → component/server}/redirects.js +13 -11
package/dist/component/server/redirects.js.map +1 -0
package/dist/component/server/refresh.js +96 -0
package/dist/component/server/refresh.js.map +1 -0
package/dist/component/server/runtime.d.ts +136 -0
package/dist/component/server/runtime.d.ts.map +1 -0
package/dist/component/server/runtime.js +413 -0
package/dist/component/server/runtime.js.map +1 -0
package/dist/{server/implementation → component/server}/sessions.js +14 -8
package/dist/component/server/sessions.js.map +1 -0
package/dist/component/server/signin.js +201 -0
package/dist/component/server/signin.js.map +1 -0
package/dist/component/server/tokens.js +17 -0
package/dist/component/server/tokens.js.map +1 -0
package/dist/component/server/totp.js +148 -0
package/dist/component/server/totp.js.map +1 -0
package/dist/component/server/types.d.ts +387 -298
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/{implementation/types.js → types.js} +1 -1
package/dist/component/server/types.js.map +1 -0
package/dist/component/server/{implementation/users.js → users.js} +54 -35
package/dist/component/server/users.js.map +1 -0
package/dist/component/server/utils.js +110 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +369 -0
package/dist/core/types.d.ts.map +1 -0
package/dist/factors/device.js +105 -0
package/dist/factors/device.js.map +1 -0
package/dist/factors/passkey.js +181 -0
package/dist/factors/passkey.js.map +1 -0
package/dist/factors/totp.js +122 -0
package/dist/factors/totp.js.map +1 -0
package/dist/providers/anonymous.d.ts +3 -9
package/dist/providers/anonymous.d.ts.map +1 -1
package/dist/providers/anonymous.js +1 -18
package/dist/providers/anonymous.js.map +1 -1
package/dist/providers/credentials.d.ts +8 -10
package/dist/providers/credentials.d.ts.map +1 -1
package/dist/providers/credentials.js +3 -5
package/dist/providers/credentials.js.map +1 -1
package/dist/providers/device.d.ts +18 -10
package/dist/providers/device.d.ts.map +1 -1
package/dist/providers/device.js +4 -8
package/dist/providers/device.js.map +1 -1
package/dist/providers/email.d.ts +50 -23
package/dist/providers/email.d.ts.map +1 -1
package/dist/providers/email.js +58 -34
package/dist/providers/email.js.map +1 -1
package/dist/providers/index.d.ts +7 -3
package/dist/providers/index.js +4 -1
package/dist/providers/oauth.d.ts.map +1 -1
package/dist/providers/oauth.js.map +1 -1
package/dist/providers/passkey.d.ts +12 -9
package/dist/providers/passkey.d.ts.map +1 -1
package/dist/providers/passkey.js +1 -7
package/dist/providers/passkey.js.map +1 -1
package/dist/providers/password.d.ts +6 -12
package/dist/providers/password.d.ts.map +1 -1
package/dist/providers/password.js +189 -89
package/dist/providers/password.js.map +1 -1
package/dist/providers/phone.d.ts +40 -11
package/dist/providers/phone.d.ts.map +1 -1
package/dist/providers/phone.js +52 -21
package/dist/providers/phone.js.map +1 -1
package/dist/providers/sso.d.ts +50 -0
package/dist/providers/sso.d.ts.map +1 -0
package/dist/providers/sso.js +34 -0
package/dist/providers/sso.js.map +1 -0
package/dist/providers/totp.d.ts +12 -9
package/dist/providers/totp.d.ts.map +1 -1
package/dist/providers/totp.js +1 -7
package/dist/providers/totp.js.map +1 -1
package/dist/runtime/browser.js +68 -0
package/dist/runtime/browser.js.map +1 -0
package/dist/runtime/invite.js +51 -0
package/dist/runtime/invite.js.map +1 -0
package/dist/runtime/proxy.js +70 -0
package/dist/runtime/proxy.js.map +1 -0
package/dist/runtime/storage.js +37 -0
package/dist/runtime/storage.js.map +1 -0
package/dist/server/auth.d.ts +335 -370
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +204 -123
package/dist/server/auth.js.map +1 -1
package/dist/server/authError.d.ts +46 -0
package/dist/server/authError.d.ts.map +1 -0
package/dist/server/authError.js +34 -0
package/dist/server/authError.js.map +1 -0
package/dist/server/config.d.ts +1 -0
package/dist/server/{providers.js → config.js} +43 -12
package/dist/server/config.js.map +1 -0
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/core.d.ts +1436 -0
package/dist/server/core.d.ts.map +1 -0
package/dist/server/core.js +713 -0
package/dist/server/core.js.map +1 -0
package/dist/server/crypto.d.ts +8 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +38 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/db.d.ts +1 -0
package/dist/server/{implementation/db.js → db.js} +2 -1
package/dist/server/db.js.map +1 -0
package/dist/server/device.d.ts +1 -0
package/dist/server/device.js +109 -0
package/dist/server/device.js.map +1 -0
package/dist/server/enterprise/config.d.ts +1 -0
package/dist/server/enterprise/config.js +46 -0
package/dist/server/enterprise/config.js.map +1 -0
package/dist/server/enterprise/domain.d.ts +409 -0
package/dist/server/enterprise/domain.d.ts.map +1 -0
package/dist/server/enterprise/domain.js +885 -0
package/dist/server/enterprise/domain.js.map +1 -0
package/dist/server/enterprise/http.d.ts +26 -0
package/dist/server/enterprise/http.d.ts.map +1 -0
package/dist/server/enterprise/http.js +766 -0
package/dist/server/enterprise/http.js.map +1 -0
package/dist/server/enterprise/oidc.d.ts +1 -0
package/dist/server/enterprise/oidc.js +248 -0
package/dist/server/enterprise/oidc.js.map +1 -0
package/dist/server/enterprise/policy.d.ts +1 -0
package/dist/server/enterprise/policy.js +85 -0
package/dist/server/enterprise/policy.js.map +1 -0
package/dist/server/enterprise/saml.d.ts +1 -0
package/dist/server/enterprise/saml.js +338 -0
package/dist/server/enterprise/saml.js.map +1 -0
package/dist/server/enterprise/scim.d.ts +1 -0
package/dist/server/enterprise/scim.js +97 -0
package/dist/server/enterprise/scim.js.map +1 -0
package/dist/server/enterprise/shared.d.ts +5 -0
package/dist/server/enterprise/shared.d.ts.map +1 -0
package/dist/server/enterprise/shared.js +51 -0
package/dist/server/enterprise/shared.js.map +1 -0
package/dist/server/enterprise/validators.d.ts +1 -0
package/dist/server/enterprise/validators.js +60 -0
package/dist/server/enterprise/validators.js.map +1 -0
package/dist/server/errors.d.ts +33 -1
package/dist/server/errors.d.ts.map +1 -1
package/dist/server/errors.js +44 -1
package/dist/server/errors.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +288 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +4 -182
package/dist/server/index.js +4 -376
package/dist/server/keys.d.ts +1 -0
package/dist/{component/server/implementation → server}/keys.js +9 -31
package/dist/server/keys.js.map +1 -0
package/dist/server/limits.d.ts +1 -0
package/dist/server/limits.js +61 -0
package/dist/server/limits.js.map +1 -0
package/dist/server/mounts.d.ts +647 -0
package/dist/server/mounts.d.ts.map +1 -0
package/dist/server/mounts.js +643 -0
package/dist/server/mounts.js.map +1 -0
package/dist/server/mutations/account.d.ts +30 -0
package/dist/server/mutations/account.d.ts.map +1 -0
package/dist/server/mutations/account.js +44 -0
package/dist/server/mutations/account.js.map +1 -0
package/dist/server/mutations/code.d.ts +30 -0
package/dist/server/mutations/code.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/server/mutations/code.js.map +1 -0
package/dist/server/mutations/index.d.ts +14 -0
package/dist/server/mutations/index.js +15 -0
package/dist/server/mutations/invalidate.d.ts +20 -0
package/dist/server/mutations/invalidate.d.ts.map +1 -0
package/dist/server/mutations/invalidate.js +32 -0
package/dist/server/mutations/invalidate.js.map +1 -0
package/dist/server/mutations/oauth.d.ts +28 -0
package/dist/server/mutations/oauth.d.ts.map +1 -0
package/dist/server/mutations/oauth.js +110 -0
package/dist/server/mutations/oauth.js.map +1 -0
package/dist/server/mutations/refresh.d.ts +21 -0
package/dist/server/mutations/refresh.d.ts.map +1 -0
package/dist/server/mutations/refresh.js +119 -0
package/dist/server/mutations/refresh.js.map +1 -0
package/dist/server/mutations/register.d.ts +38 -0
package/dist/server/mutations/register.d.ts.map +1 -0
package/dist/server/mutations/register.js +83 -0
package/dist/server/mutations/register.js.map +1 -0
package/dist/server/mutations/retrieve.d.ts +33 -0
package/dist/server/mutations/retrieve.d.ts.map +1 -0
package/dist/server/mutations/retrieve.js +65 -0
package/dist/server/mutations/retrieve.js.map +1 -0
package/dist/server/mutations/signature.d.ts +22 -0
package/dist/server/mutations/signature.d.ts.map +1 -0
package/dist/server/mutations/signature.js +32 -0
package/dist/server/mutations/signature.js.map +1 -0
package/dist/server/mutations/signin.d.ts +22 -0
package/dist/server/mutations/signin.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/server/mutations/signin.js.map +1 -0
package/dist/server/mutations/signout.d.ts +16 -0
package/dist/server/mutations/signout.d.ts.map +1 -0
package/dist/server/mutations/signout.js +27 -0
package/dist/server/mutations/signout.js.map +1 -0
package/dist/server/mutations/store/refs.d.ts +12 -0
package/dist/server/mutations/store/refs.d.ts.map +1 -0
package/dist/server/mutations/store/refs.js +15 -0
package/dist/server/mutations/store/refs.js.map +1 -0
package/dist/server/mutations/store.d.ts +306 -0
package/dist/server/mutations/store.d.ts.map +1 -0
package/dist/server/mutations/store.js +85 -0
package/dist/server/mutations/store.js.map +1 -0
package/dist/server/mutations/verifier.d.ts +13 -0
package/dist/server/mutations/verifier.d.ts.map +1 -0
package/dist/server/mutations/verifier.js +18 -0
package/dist/server/mutations/verifier.js.map +1 -0
package/dist/server/mutations/verify.d.ts +26 -0
package/dist/server/mutations/verify.d.ts.map +1 -0
package/dist/server/mutations/verify.js +98 -0
package/dist/server/mutations/verify.js.map +1 -0
package/dist/server/oauth.d.ts +1 -48
package/dist/server/oauth.js +107 -64
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +27 -0
package/dist/server/passkey.d.ts.map +1 -0
package/dist/server/passkey.js +328 -0
package/dist/server/passkey.js.map +1 -0
package/dist/server/redirects.d.ts +1 -0
package/dist/{component/server/implementation → server}/redirects.js +13 -11
package/dist/server/redirects.js.map +1 -0
package/dist/server/refresh.d.ts +1 -0
package/dist/server/refresh.js +96 -0
package/dist/server/refresh.js.map +1 -0
package/dist/server/runtime.d.ts +136 -0
package/dist/server/runtime.d.ts.map +1 -0
package/dist/server/runtime.js +413 -0
package/dist/server/runtime.js.map +1 -0
package/dist/server/sessions.d.ts +1 -0
package/dist/{component/server/implementation → server}/sessions.js +14 -8
package/dist/server/sessions.js.map +1 -0
package/dist/server/signin.d.ts +1 -0
package/dist/server/signin.js +201 -0
package/dist/server/signin.js.map +1 -0
package/dist/server/ssr.d.ts +226 -0
package/dist/server/ssr.d.ts.map +1 -0
package/dist/server/ssr.js +786 -0
package/dist/server/ssr.js.map +1 -0
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +2 -1
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -0
package/dist/server/tokens.js +17 -0
package/dist/server/tokens.js.map +1 -0
package/dist/server/totp.d.ts +1 -0
package/dist/server/totp.js +148 -0
package/dist/server/totp.js.map +1 -0
package/dist/server/types.d.ts +498 -306
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +108 -1
package/dist/server/types.js.map +1 -0
package/dist/server/users.d.ts +1 -0
package/dist/server/{implementation/users.js → users.js} +54 -35
package/dist/server/users.js.map +1 -0
package/dist/server/utils.d.ts +1 -6
package/dist/server/utils.js +110 -4
package/dist/server/utils.js.map +1 -1
package/package.json +49 -46
package/src/authorization/index.ts +83 -0
package/src/cli/bin.ts +5 -0
package/src/cli/command.ts +6 -5
package/src/cli/index.ts +456 -248
package/src/cli/keys.ts +3 -0
package/src/client/core/types.ts +437 -0
package/src/client/factors/device.ts +160 -0
package/src/client/factors/passkey.ts +282 -0
package/src/client/factors/totp.ts +150 -0
package/src/client/index.ts +745 -989
package/src/client/runtime/browser.ts +112 -0
package/src/client/runtime/invite.ts +65 -0
package/src/client/runtime/proxy.ts +111 -0
package/src/client/runtime/storage.ts +79 -0
package/src/component/_generated/api.ts +42 -0
package/src/component/_generated/component.ts +3123 -102
package/src/component/functions.ts +38 -22
package/src/component/index.ts +10 -20
package/src/component/model.ts +449 -0
package/src/component/public/enterprise/audit.ts +120 -0
package/src/component/public/enterprise/core.ts +354 -0
package/src/component/public/enterprise/domains.ts +323 -0
package/src/component/public/enterprise/scim.ts +396 -0
package/src/component/public/enterprise/secrets.ts +132 -0
package/src/component/public/enterprise/webhooks.ts +306 -0
package/src/component/public/factors/devices.ts +223 -0
package/src/component/public/factors/passkeys.ts +242 -0
package/src/component/public/factors/totp.ts +258 -0
package/src/component/public/groups/core.ts +481 -0
package/src/component/public/groups/invites.ts +602 -0
package/src/component/public/groups/members.ts +409 -0
package/src/component/public/identity/accounts.ts +206 -0
package/src/component/public/identity/codes.ts +148 -0
package/src/component/public/identity/sessions.ts +209 -0
package/src/component/public/identity/tokens.ts +250 -0
package/src/component/public/identity/users.ts +354 -0
package/src/component/public/identity/verifiers.ts +157 -0
package/src/component/public/security/keys.ts +365 -0
package/src/component/public/security/limits.ts +173 -0
package/src/component/public.ts +26 -1766
package/src/component/schema.ts +273 -100
package/src/providers/anonymous.ts +10 -20
package/src/providers/credentials.ts +14 -22
package/src/providers/device.ts +3 -14
package/src/providers/email.ts +83 -47
package/src/providers/index.ts +7 -0
package/src/providers/oauth.ts +5 -3
package/src/providers/passkey.ts +0 -13
package/src/providers/password.ts +307 -130
package/src/providers/phone.ts +81 -37
package/src/providers/sso.ts +54 -0
package/src/providers/totp.ts +0 -13
package/src/samlify.d.ts +53 -0
package/src/server/auth.ts +701 -247
package/src/server/authError.ts +44 -0
package/src/server/{providers.ts → config.ts} +84 -15
package/src/server/cookies.ts +8 -1
package/src/server/core.ts +2095 -0
package/src/server/crypto.ts +88 -0
package/src/server/{implementation/db.ts → db.ts} +90 -15
package/src/server/device.ts +221 -0
package/src/server/enterprise/config.ts +51 -0
package/src/server/enterprise/domain.ts +1751 -0
package/src/server/enterprise/http.ts +1324 -0
package/src/server/enterprise/oidc.ts +500 -0
package/src/server/enterprise/policy.ts +128 -0
package/src/server/enterprise/saml.ts +578 -0
package/src/server/enterprise/scim.ts +135 -0
package/src/server/enterprise/shared.ts +134 -0
package/src/server/enterprise/validators.ts +93 -0
package/src/server/errors.ts +130 -119
package/src/server/http.ts +531 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +32 -650
package/src/server/{implementation/keys.ts → keys.ts} +16 -44
package/src/server/limits.ts +134 -0
package/src/server/mounts.ts +948 -0
package/src/server/mutations/account.ts +76 -0
package/src/server/{implementation/mutations → mutations}/code.ts +22 -11
package/src/server/mutations/index.ts +13 -0
package/src/server/mutations/invalidate.ts +50 -0
package/src/server/mutations/oauth.ts +237 -0
package/src/server/mutations/refresh.ts +298 -0
package/src/server/mutations/register.ts +200 -0
package/src/server/mutations/retrieve.ts +109 -0
package/src/server/mutations/signature.ts +50 -0
package/src/server/{implementation/mutations → mutations}/signin.ts +9 -7
package/src/server/mutations/signout.ts +43 -0
package/src/server/mutations/store/refs.ts +10 -0
package/src/server/mutations/store.ts +138 -0
package/src/server/mutations/verifier.ts +34 -0
package/src/server/mutations/verify.ts +202 -0
package/src/server/oauth.ts +243 -131
package/src/server/passkey.ts +784 -0
package/src/server/{implementation/redirects.ts → redirects.ts} +21 -16
package/src/server/refresh.ts +222 -0
package/src/server/runtime.ts +880 -0
package/src/server/{implementation/sessions.ts → sessions.ts} +33 -25
package/src/server/signin.ts +438 -0
package/src/server/ssr.ts +1764 -0
package/src/server/templates.ts +8 -3
package/src/server/{implementation/tokens.ts → tokens.ts} +11 -5
package/src/server/totp.ts +349 -0
package/src/server/types.ts +972 -207
package/src/server/{implementation/users.ts → users.ts} +129 -75
package/src/server/utils.ts +192 -5
package/src/test.ts +28 -4
package/dist/bin.cjs +0 -27757
package/dist/component/providers/email.js +0 -47
package/dist/component/providers/email.js.map +0 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation/db.js.map +0 -1
package/dist/component/server/implementation/device.js +0 -135
package/dist/component/server/implementation/device.js.map +0 -1
package/dist/component/server/implementation/index.d.ts +0 -870
package/dist/component/server/implementation/index.d.ts.map +0 -1
package/dist/component/server/implementation/index.js +0 -610
package/dist/component/server/implementation/index.js.map +0 -1
package/dist/component/server/implementation/keys.js.map +0 -1
package/dist/component/server/implementation/mutations/account.js +0 -39
package/dist/component/server/implementation/mutations/account.js.map +0 -1
package/dist/component/server/implementation/mutations/code.js.map +0 -1
package/dist/component/server/implementation/mutations/index.js +0 -70
package/dist/component/server/implementation/mutations/index.js.map +0 -1
package/dist/component/server/implementation/mutations/invalidate.js +0 -29
package/dist/component/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/component/server/implementation/mutations/oauth.js +0 -51
package/dist/component/server/implementation/mutations/oauth.js.map +0 -1
package/dist/component/server/implementation/mutations/refresh.js +0 -85
package/dist/component/server/implementation/mutations/refresh.js.map +0 -1
package/dist/component/server/implementation/mutations/register.js +0 -65
package/dist/component/server/implementation/mutations/register.js.map +0 -1
package/dist/component/server/implementation/mutations/retrieve.js +0 -50
package/dist/component/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/component/server/implementation/mutations/signature.js +0 -27
package/dist/component/server/implementation/mutations/signature.js.map +0 -1
package/dist/component/server/implementation/mutations/signin.js.map +0 -1
package/dist/component/server/implementation/mutations/signout.js +0 -27
package/dist/component/server/implementation/mutations/signout.js.map +0 -1
package/dist/component/server/implementation/mutations/store.js +0 -12
package/dist/component/server/implementation/mutations/store.js.map +0 -1
package/dist/component/server/implementation/mutations/verifier.js +0 -16
package/dist/component/server/implementation/mutations/verifier.js.map +0 -1
package/dist/component/server/implementation/mutations/verify.js +0 -105
package/dist/component/server/implementation/mutations/verify.js.map +0 -1
package/dist/component/server/implementation/passkey.js +0 -307
package/dist/component/server/implementation/passkey.js.map +0 -1
package/dist/component/server/implementation/provider.js +0 -19
package/dist/component/server/implementation/provider.js.map +0 -1
package/dist/component/server/implementation/ratelimit.js +0 -48
package/dist/component/server/implementation/ratelimit.js.map +0 -1
package/dist/component/server/implementation/redirects.js.map +0 -1
package/dist/component/server/implementation/refresh.js +0 -109
package/dist/component/server/implementation/refresh.js.map +0 -1
package/dist/component/server/implementation/sessions.js.map +0 -1
package/dist/component/server/implementation/signin.js +0 -148
package/dist/component/server/implementation/signin.js.map +0 -1
package/dist/component/server/implementation/tokens.js +0 -15
package/dist/component/server/implementation/tokens.js.map +0 -1
package/dist/component/server/implementation/totp.js +0 -142
package/dist/component/server/implementation/totp.js.map +0 -1
package/dist/component/server/implementation/types.d.ts +0 -42
package/dist/component/server/implementation/types.d.ts.map +0 -1
package/dist/component/server/implementation/types.js.map +0 -1
package/dist/component/server/implementation/users.js.map +0 -1
package/dist/component/server/implementation/utils.js +0 -56
package/dist/component/server/implementation/utils.js.map +0 -1
package/dist/component/server/providers.js.map +0 -1
package/dist/component/server/templates.js +0 -84
package/dist/component/server/templates.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/implementation/db.d.ts +0 -86
package/dist/server/implementation/db.d.ts.map +0 -1
package/dist/server/implementation/db.js.map +0 -1
package/dist/server/implementation/device.d.ts +0 -30
package/dist/server/implementation/device.d.ts.map +0 -1
package/dist/server/implementation/device.js +0 -135
package/dist/server/implementation/device.js.map +0 -1
package/dist/server/implementation/index.d.ts +0 -870
package/dist/server/implementation/index.d.ts.map +0 -1
package/dist/server/implementation/index.js +0 -610
package/dist/server/implementation/index.js.map +0 -1
package/dist/server/implementation/keys.d.ts +0 -66
package/dist/server/implementation/keys.d.ts.map +0 -1
package/dist/server/implementation/keys.js.map +0 -1
package/dist/server/implementation/mutations/account.d.ts +0 -27
package/dist/server/implementation/mutations/account.d.ts.map +0 -1
package/dist/server/implementation/mutations/account.js +0 -39
package/dist/server/implementation/mutations/account.js.map +0 -1
package/dist/server/implementation/mutations/code.d.ts +0 -29
package/dist/server/implementation/mutations/code.d.ts.map +0 -1
package/dist/server/implementation/mutations/code.js.map +0 -1
package/dist/server/implementation/mutations/index.d.ts +0 -310
package/dist/server/implementation/mutations/index.d.ts.map +0 -1
package/dist/server/implementation/mutations/index.js +0 -70
package/dist/server/implementation/mutations/index.js.map +0 -1
package/dist/server/implementation/mutations/invalidate.d.ts +0 -18
package/dist/server/implementation/mutations/invalidate.d.ts.map +0 -1
package/dist/server/implementation/mutations/invalidate.js +0 -29
package/dist/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/server/implementation/mutations/oauth.d.ts +0 -23
package/dist/server/implementation/mutations/oauth.d.ts.map +0 -1
package/dist/server/implementation/mutations/oauth.js +0 -51
package/dist/server/implementation/mutations/oauth.js.map +0 -1
package/dist/server/implementation/mutations/refresh.d.ts +0 -20
package/dist/server/implementation/mutations/refresh.d.ts.map +0 -1
package/dist/server/implementation/mutations/refresh.js +0 -85
package/dist/server/implementation/mutations/refresh.js.map +0 -1
package/dist/server/implementation/mutations/register.d.ts +0 -37
package/dist/server/implementation/mutations/register.d.ts.map +0 -1
package/dist/server/implementation/mutations/register.js +0 -65
package/dist/server/implementation/mutations/register.js.map +0 -1
package/dist/server/implementation/mutations/retrieve.d.ts +0 -31
package/dist/server/implementation/mutations/retrieve.d.ts.map +0 -1
package/dist/server/implementation/mutations/retrieve.js +0 -50
package/dist/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/server/implementation/mutations/signature.d.ts +0 -19
package/dist/server/implementation/mutations/signature.d.ts.map +0 -1
package/dist/server/implementation/mutations/signature.js +0 -27
package/dist/server/implementation/mutations/signature.js.map +0 -1
package/dist/server/implementation/mutations/signin.d.ts +0 -21
package/dist/server/implementation/mutations/signin.d.ts.map +0 -1
package/dist/server/implementation/mutations/signin.js.map +0 -1
package/dist/server/implementation/mutations/signout.d.ts +0 -14
package/dist/server/implementation/mutations/signout.d.ts.map +0 -1
package/dist/server/implementation/mutations/signout.js +0 -27
package/dist/server/implementation/mutations/signout.js.map +0 -1
package/dist/server/implementation/mutations/store.d.ts +0 -11
package/dist/server/implementation/mutations/store.d.ts.map +0 -1
package/dist/server/implementation/mutations/store.js +0 -12
package/dist/server/implementation/mutations/store.js.map +0 -1
package/dist/server/implementation/mutations/verifier.d.ts +0 -11
package/dist/server/implementation/mutations/verifier.d.ts.map +0 -1
package/dist/server/implementation/mutations/verifier.js +0 -16
package/dist/server/implementation/mutations/verifier.js.map +0 -1
package/dist/server/implementation/mutations/verify.d.ts +0 -25
package/dist/server/implementation/mutations/verify.d.ts.map +0 -1
package/dist/server/implementation/mutations/verify.js +0 -105
package/dist/server/implementation/mutations/verify.js.map +0 -1
package/dist/server/implementation/passkey.d.ts +0 -24
package/dist/server/implementation/passkey.d.ts.map +0 -1
package/dist/server/implementation/passkey.js +0 -307
package/dist/server/implementation/passkey.js.map +0 -1
package/dist/server/implementation/provider.d.ts +0 -10
package/dist/server/implementation/provider.d.ts.map +0 -1
package/dist/server/implementation/provider.js +0 -19
package/dist/server/implementation/provider.js.map +0 -1
package/dist/server/implementation/ratelimit.d.ts +0 -10
package/dist/server/implementation/ratelimit.d.ts.map +0 -1
package/dist/server/implementation/ratelimit.js +0 -48
package/dist/server/implementation/ratelimit.js.map +0 -1
package/dist/server/implementation/redirects.d.ts +0 -10
package/dist/server/implementation/redirects.d.ts.map +0 -1
package/dist/server/implementation/redirects.js.map +0 -1
package/dist/server/implementation/refresh.d.ts +0 -37
package/dist/server/implementation/refresh.d.ts.map +0 -1
package/dist/server/implementation/refresh.js +0 -109
package/dist/server/implementation/refresh.js.map +0 -1
package/dist/server/implementation/sessions.d.ts +0 -29
package/dist/server/implementation/sessions.d.ts.map +0 -1
package/dist/server/implementation/sessions.js.map +0 -1
package/dist/server/implementation/signin.d.ts +0 -55
package/dist/server/implementation/signin.d.ts.map +0 -1
package/dist/server/implementation/signin.js +0 -148
package/dist/server/implementation/signin.js.map +0 -1
package/dist/server/implementation/tokens.d.ts +0 -11
package/dist/server/implementation/tokens.d.ts.map +0 -1
package/dist/server/implementation/tokens.js +0 -15
package/dist/server/implementation/tokens.js.map +0 -1
package/dist/server/implementation/totp.d.ts +0 -31
package/dist/server/implementation/totp.d.ts.map +0 -1
package/dist/server/implementation/totp.js +0 -142
package/dist/server/implementation/totp.js.map +0 -1
package/dist/server/implementation/types.d.ts +0 -189
package/dist/server/implementation/types.d.ts.map +0 -1
package/dist/server/implementation/types.js +0 -97
package/dist/server/implementation/types.js.map +0 -1
package/dist/server/implementation/users.d.ts +0 -30
package/dist/server/implementation/users.d.ts.map +0 -1
package/dist/server/implementation/users.js.map +0 -1
package/dist/server/implementation/utils.d.ts +0 -19
package/dist/server/implementation/utils.d.ts.map +0 -1
package/dist/server/implementation/utils.js +0 -56
package/dist/server/implementation/utils.js.map +0 -1
package/dist/server/index.d.ts.map +0 -1
package/dist/server/index.js.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/providers.d.ts +0 -72
package/dist/server/providers.d.ts.map +0 -1
package/dist/server/providers.js.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/dist/server/version.d.ts +0 -5
package/dist/server/version.d.ts.map +0 -1
package/dist/server/version.js +0 -6
package/dist/server/version.js.map +0 -1
package/src/cli/utils.ts +0 -248
package/src/server/implementation/device.ts +0 -307
package/src/server/implementation/index.ts +0 -1583
package/src/server/implementation/mutations/account.ts +0 -50
package/src/server/implementation/mutations/index.ts +0 -157
package/src/server/implementation/mutations/invalidate.ts +0 -42
package/src/server/implementation/mutations/oauth.ts +0 -73
package/src/server/implementation/mutations/refresh.ts +0 -175
package/src/server/implementation/mutations/register.ts +0 -100
package/src/server/implementation/mutations/retrieve.ts +0 -79
package/src/server/implementation/mutations/signature.ts +0 -39
package/src/server/implementation/mutations/signout.ts +0 -35
package/src/server/implementation/mutations/store.ts +0 -7
package/src/server/implementation/mutations/verifier.ts +0 -24
package/src/server/implementation/mutations/verify.ts +0 -194
package/src/server/implementation/passkey.ts +0 -620
package/src/server/implementation/provider.ts +0 -36
package/src/server/implementation/ratelimit.ts +0 -79
package/src/server/implementation/refresh.ts +0 -172
package/src/server/implementation/signin.ts +0 -296
package/src/server/implementation/totp.ts +0 -342
package/src/server/implementation/types.ts +0 -444
package/src/server/implementation/utils.ts +0 -91
package/src/server/version.ts +0 -2

package/src/client/index.ts CHANGED Viewed

@@ -1,6 +1,39 @@
+import { Fx } from "@robelest/fx";
 import { ConvexHttpClient } from "convex/browser";
 import { ConvexError, Value } from "convex/values";
+import { AUTH_ERRORS } from "../server/errors";
+import { browserMutex, getStorageListenerRegistry } from "./runtime/browser";
+import { createDeviceClient } from "./factors/device";
+import { createInviteManager } from "./runtime/invite";
+import { createPasskeyClient } from "./factors/passkey";
+import {
+  createProxyHelpers,
+  isRetriableProxyRefreshError,
+  isTransientNetworkError,
+} from "./runtime/proxy";
+import { createStorageHelpers } from "./runtime/storage";
+import { createTotpClient } from "./factors/totp";
+import type {
+  AuthApiRefs,
+  AuthClient,
+  AuthFlowContext,
+  AuthHandshakeErrorCode,
+  AuthSession,
+  AuthState,
+  ClientOptions,
+  ConvexTransport,
+  DeviceClient,
+  DeviceCodeResult,
+  HandshakeWaiter,
+  PasskeyClient,
+  PendingInvite,
+  SignInActionResult,
+  SignInResult,
+  Storage,
+  TotpClient,
+} from "./core/types";
 // Re-export error utilities so consumers can import from `@robelest/convex-auth/client`.
 export {
   isAuthError,
@@ -8,139 +41,29 @@ export {
   AUTH_ERRORS,
   type AuthErrorCode,
 } from "../server/errors";
-/**
- * Structural interface for any Convex client.
- * Satisfied by `ConvexClient` (`convex/browser`),
- * `ConvexReactClient` (`convex/react`), and similar transports.
- *
- * `clearAuth` is present on `ConvexReactClient` and `BaseConvexClient`
- * but not on the simplified `ConvexClient`. When available we call it
- * during sign-out for a clean deauthentication.
- */
-interface ConvexTransport {
-  action(action: any, args: any): Promise<any>;
-  setAuth(
-    fetchToken: (args: {
-      forceRefreshToken: boolean;
-    }) => Promise<string | null | undefined>,
-    onChange?: (isAuthenticated: boolean) => void,
-  ): void;
-  clearAuth?(): void;
-}
-/** Pluggable key-value storage (defaults to `localStorage`). */
-export interface Storage {
-  getItem(
-    key: string,
-  ): string | null | undefined | Promise<string | null | undefined>;
-  setItem(key: string, value: string): void | Promise<void>;
-  removeItem(key: string): void | Promise<void>;
-}
-type AuthSession = {
-  token: string;
-  refreshToken: string;
-};
-/**
- * Device code response returned when signing in with the `"device"` provider.
- *
- * The device displays the `userCode` (or `verificationUriComplete`) and
- * polls via `auth.device.poll()` until the user authorizes.
- */
-export type DeviceCodeResult = {
-  /** High-entropy device code used for polling (keep secret). */
-  deviceCode: string;
-  /** Short human-readable code the user enters (e.g. "WDJB-MJHT"). */
-  userCode: string;
-  /** Base verification URL (e.g. "https://myapp.com/device"). */
-  verificationUri: string;
-  /** Verification URL with user code pre-filled as `?code=XXXX-XXXX`. */
-  verificationUriComplete: string;
-  /** Lifetime of the codes in seconds. */
-  expiresIn: number;
-  /** Minimum polling interval in seconds. */
-  interval: number;
-};
-/**
- * Result of a `signIn` call.
- *
- * - `signingIn: true` — credentials were accepted and the user is authenticated.
- * - `redirect` — OAuth flow initiated; redirect the user to `redirect.toString()`.
- * - `totpRequired` — credentials valid but 2FA is needed; call `auth.totp.verify()`.
- * - `deviceCode` — device flow initiated; display the code and poll via `auth.device.poll()`.
- * - `verifier` — opaque string for multi-step flows (TOTP, passkey).
- */
-export type SignInResult = {
-  /** `true` when sign-in completed and the user is authenticated. */
-  signingIn: boolean;
-  /** OAuth redirect URL. Present when the provider requires a browser redirect. */
-  redirect?: URL;
-  /** `true` when the account has TOTP enabled and a code is required. */
-  totpRequired?: boolean;
-  /** Device code response for the device authorization flow (RFC 8628). */
-  deviceCode?: DeviceCodeResult;
-  /** Opaque verifier for multi-step flows (pass to `totp.verify` or passkey phase 2). */
-  verifier?: string;
-};
-/** Reactive auth state snapshot returned by `auth.state` and `auth.onChange`. */
-export type AuthState = {
-  /** `true` during initial hydration before the first token is resolved. */
-  isLoading: boolean;
-  /** `true` when a valid JWT exists (user is signed in). */
-  isAuthenticated: boolean;
-  /** The raw JWT string, or `null` when not authenticated. */
-  token: string | null;
-};
-/** Options for {@link client}. */
-export type ClientOptions = {
-  /** Any Convex client (`ConvexClient` or `ConvexReactClient`). */
-  convex: ConvexTransport;
-  /**
-   * Convex deployment URL. Derived automatically from the client internals
-   * when omitted — pass explicitly only if auto-detection fails.
-   */
-  url?: string;
-  /**
-   * Key-value storage for persisting tokens.
-   *
-   * - Defaults to `localStorage` in SPA mode.
-   * - Defaults to `null` (in-memory only) when `proxy` is set,
-   *   since httpOnly cookies handle persistence.
-   */
-  storage?: Storage | null;
-  /** Override how the URL bar is updated after OAuth code exchange. */
-  replaceURL?: (relativeUrl: string) => void | Promise<void>;
-  /**
-   * SSR proxy endpoint (e.g. `"/api/auth"`).
-   *
-   * When set, `signIn`/`signOut`/token refresh POST to this URL
-   * (with `credentials: "include"`) instead of calling Convex directly.
-   * The server handles httpOnly cookies for token persistence.
-   *
-   * Pair with {@link ClientOptions.token} for flash-free SSR hydration.
-   */
-  proxy?: string;
-  /**
-   * JWT from server-side hydration.
-   *
-   * In proxy mode the server reads the JWT from an httpOnly cookie
-   * and passes it to the client during SSR. This avoids a loading
-   * flash on first render — the client is immediately authenticated.
-   */
-  token?: string | null;
-};
+export type {
+  AuthApiRefs,
+  AuthClient,
+  AuthState,
+  ClientOptions,
+  DeviceClient,
+  DeviceCodeResult,
+  PasskeyClient,
+  PendingInvite,
+  SignInResult,
+  Storage,
+  TotpClient,
+} from "./core/types";
 const VERIFIER_STORAGE_KEY = "__convexAuthOAuthVerifier";
 const JWT_STORAGE_KEY = "__convexAuthJWT";
 const REFRESH_TOKEN_STORAGE_KEY = "__convexAuthRefreshToken";
+const INVITE_TOKEN_KEY = "__convexAuthPendingInvite";
+const INVITE_EMAIL_KEY = "__convexAuthPendingInviteEmail";
-const RETRY_BACKOFF = [500, 2000];
-const RETRY_JITTER = 100;
+const RETRY_BASE_MS = 500;
+const RETRY_MAX_RETRIES = 2;
+const AUTH_HANDSHAKE_TIMEOUT_MS = 5000;
 /**
  * Resolve the Convex deployment URL from the client.
@@ -169,9 +92,10 @@ function resolveUrl(convex: ConvexTransport, explicit?: string): string {
  * ```ts
  * import { ConvexClient } from 'convex/browser';
  * import { client } from '@robelest/convex-auth/client';
+ * import { api } from '../convex/_generated/api';
  *
  * const convex = new ConvexClient(CONVEX_URL);
- * const auth = client({ convex });
+ * const auth = client({ convex, api: api.auth });
  * ```
  *
  * ### SSR / proxy mode
@@ -179,8 +103,8 @@ function resolveUrl(convex: ConvexTransport, explicit?: string): string {
  * ```ts
  * const auth = client({
  *   convex,
- *   proxy: '/api/auth',
- *   token: tokenFromServer, // JWT read from httpOnly cookie during SSR
+ *   proxyPath: '/api/auth',
+ *   tokenSeed: tokenFromServer, // JWT read from httpOnly cookie during SSR
  * });
  * ```
  *
@@ -189,10 +113,26 @@ function resolveUrl(convex: ConvexTransport, explicit?: string): string {
  * holds the JWT in memory only.
  *
  * @param options - Client configuration. See {@link ClientOptions}.
- * @returns Auth client with `signIn`, `signOut`, `onChange`, `state`, `passkey`, and `totp`.
+ * @typeParam Api - An AuthApiRefs type determining which factor helpers are available.
+ * @returns Auth client with conditional `passkey`, `totp`, and `device` helpers.
+ * @throws {Error} When the Convex deployment URL cannot be determined and `url` is not passed explicitly.
+ * @throws {Error} When `proxyPath` is not set and the `api` option is missing.
  */
-export function client(options: ClientOptions) {
-  const { convex, proxy } = options;
+export function client<
+  Api extends AuthApiRefs<boolean, boolean, boolean> = AuthApiRefs,
+>(options: ClientOptions<Api>): AuthClient<Api> {
+  const { convex, proxyPath, api: apiRefs } = options;
+  const proxy = proxyPath;
+  function requireApiRefs() {
+    if (!apiRefs) {
+      throw new Error(
+        "The `api` option is required when `proxyPath` is not set. " +
+          "Pass { api: api.auth }.",
+      );
+    }
+    return apiRefs;
+  }
   // In proxy mode, default storage to null (cookies handle persistence).
   const storage =
@@ -204,20 +144,79 @@ export function client(options: ClientOptions) {
           ? null
           : window.localStorage;
-  const replaceURL =
-    options.replaceURL ??
+  const replaceUrl =
+    options.replaceUrl ??
     ((url: string) => {
       if (typeof window !== "undefined") {
         window.history.replaceState({}, "", url);
       }
     });
+  // ---------------------------------------------------------------------------
+  // Location — SSR-safe URL reading
+  // ---------------------------------------------------------------------------
+  function getLocation(): URL | null {
+    if (typeof options.location === "function") return options.location();
+    if (options.location instanceof URL) return options.location;
+    if (typeof window !== "undefined") return new URL(window.location.href);
+    return null;
+  }
+  /**
+   * SSR-safe URL parameter reader.
+   *
+   * Uses the `location` option if provided, otherwise falls back to
+   * `window.location` (returns `null` during SSR where `window` is unavailable).
+   *
+   * @param name - The query parameter name.
+   * @returns The parameter value, or `null` if not present or in SSR.
+   *
+   * @example
+   * ```ts
+   * const workspaceId = auth.param("workspace");
+   * const tab = auth.param("tab") ?? "issues";
+   * ```
+   */
+  function param(name: string): string | null {
+    const loc = getLocation();
+    return loc?.searchParams.get(name) ?? null;
+  }
+  function cleanUrlParams(params: string[]) {
+    const loc = getLocation();
+    if (!loc) return;
+    const searchParams = new URLSearchParams(loc.search);
+    let changed = false;
+    for (const p of params) {
+      if (searchParams.has(p)) {
+        searchParams.delete(p);
+        changed = true;
+      }
+    }
+    if (changed) {
+      const next = searchParams.toString()
+        ? `${loc.pathname}?${searchParams}`
+        : loc.pathname;
+      void replaceUrl(next);
+    }
+  }
   const url = proxy ? undefined : resolveUrl(convex, options.url);
   const escapedNamespace = proxy
     ? proxy.replace(/[^a-zA-Z0-9]/g, "")
     : url!.replace(/[^a-zA-Z0-9]/g, "");
   const key = (name: string) => `${name}_${escapedNamespace}`;
+  const {
+    get: storageGet,
+    set: storageSet,
+    remove: storageRemove,
+  } = createStorageHelpers({ storage, key });
+  const { isAbsoluteUrl, proxyFetch, resolveProxyUrl } = createProxyHelpers({
+    proxy,
+  });
   const subscribers = new Set<() => void>();
+  let disposeStorageListener: (() => void) | null = null;
   // Unauthenticated HTTP client for code verification & OAuth exchange.
   // Only needed in SPA mode — proxy mode routes everything through the proxy.
@@ -227,30 +226,173 @@ export function client(options: ClientOptions) {
   // State
   // ---------------------------------------------------------------------------
-  // If a server-provided token was supplied (SSR hydration), start authenticated.
-  const serverToken = options.token ?? null;
+  // If a server-provided token was supplied (SSR hydration), treat it as
+  // immediately authenticated to avoid a handshake-only loading screen.
+  const serverToken =
+    typeof options.tokenSeed === "string" && options.tokenSeed.trim().length > 0
+      ? options.tokenSeed
+      : null;
   const hasServerToken = serverToken !== null;
   let token: string | null = serverToken;
   let isLoading = !hasServerToken;
+  let authConfirmed = hasServerToken;
+  let handshakePending = false;
+  let authEpoch = 0;
+  let destroyed = false;
+  const handshakeWaiters = new Set<HandshakeWaiter>();
   let snapshot: AuthState = {
+    phase: hasServerToken
+      ? "authenticated"
+      : isLoading
+        ? "loading"
+        : "unauthenticated",
     isLoading,
     isAuthenticated: hasServerToken,
     token,
   };
   let handlingCodeFlow = false;
+  const createHandshakeError = (
+    code: AuthHandshakeErrorCode,
+    context: Record<string, unknown>,
+  ) => {
+    return new ConvexError({
+      code,
+      message: AUTH_ERRORS[code],
+      ...context,
+    } as Value);
+  };
+  const settleHandshakeWaiters = (
+    epoch: number,
+    outcome:
+      | { type: "resolve" }
+      | { type: "reject"; error: ConvexError<Value> },
+  ) => {
+    for (const waiter of Array.from(handshakeWaiters)) {
+      if (waiter.epoch !== epoch) {
+        continue;
+      }
+      clearTimeout(waiter.timeoutId);
+      handshakeWaiters.delete(waiter);
+      if (outcome.type === "resolve") {
+        waiter.resolve();
+      } else {
+        waiter.reject(outcome.error);
+      }
+    }
+  };
+  const rejectObsoleteHandshakeWaiters = (activeEpoch: number) => {
+    for (const waiter of Array.from(handshakeWaiters)) {
+      if (waiter.epoch >= activeEpoch) {
+        continue;
+      }
+      clearTimeout(waiter.timeoutId);
+      handshakeWaiters.delete(waiter);
+      waiter.reject(
+        createHandshakeError("AUTH_HANDSHAKE_REJECTED", {
+          ...waiter.context,
+          reason: "token_changed",
+        }),
+      );
+    }
+  };
+  const waitForAuthHandshake = async (context: AuthFlowContext) => {
+    if (token === null) {
+      return;
+    }
+    if (authConfirmed && !handshakePending) {
+      return;
+    }
+    if (!handshakePending) {
+      throw createHandshakeError("AUTH_HANDSHAKE_REJECTED", {
+        ...context,
+        reason: "auth_rejected",
+      });
+    }
+    const epoch = authEpoch;
+    await new Promise<void>((resolve, reject) => {
+      const waiterRef: { current: HandshakeWaiter | null } = { current: null };
+      const timeoutId = setTimeout(() => {
+        if (waiterRef.current !== null) {
+          handshakeWaiters.delete(waiterRef.current);
+        }
+        reject(
+          createHandshakeError("AUTH_HANDSHAKE_TIMEOUT", {
+            ...context,
+            timeoutMs: AUTH_HANDSHAKE_TIMEOUT_MS,
+          }),
+        );
+      }, AUTH_HANDSHAKE_TIMEOUT_MS);
+      const waiter: HandshakeWaiter = {
+        epoch,
+        context,
+        resolve,
+        reject,
+        timeoutId,
+      };
+      waiterRef.current = waiter;
+      handshakeWaiters.add(waiter);
+    });
+  };
+  const handleConvexAuthChange = (isAuthenticated: boolean) => {
+    if (destroyed) {
+      return;
+    }
+    if (isAuthenticated) {
+      authConfirmed = true;
+      handshakePending = false;
+      settleHandshakeWaiters(authEpoch, { type: "resolve" });
+    } else {
+      authConfirmed = false;
+      // Do not reject immediately while a handshake is pending.
+      // Convex can transiently emit `false` while reauth is still in flight,
+      // and a subsequent `true` confirms the same session.
+    }
+    if (updateSnapshot()) {
+      notify();
+    }
+  };
   const notify = () => {
     for (const cb of subscribers) cb();
   };
   const updateSnapshot = () => {
+    const phaseDispatch = {
+      tag:
+        token !== null && handshakePending
+          ? "handshake"
+          : isLoading
+            ? "loading"
+            : token !== null && authConfirmed
+              ? "authenticated"
+              : "unauthenticated",
+    } as const;
+    const phase = {
+      handshake: "handshake",
+      loading: "loading",
+      authenticated: "authenticated",
+      unauthenticated: "unauthenticated",
+    }[phaseDispatch.tag] as AuthState["phase"];
     const next: AuthState = {
-      isLoading,
-      isAuthenticated: token !== null,
+      phase,
+      isLoading: phase === "loading" || phase === "handshake",
+      isAuthenticated: phase === "authenticated",
       token,
     };
     if (
+      snapshot.phase === next.phase &&
       snapshot.isLoading === next.isLoading &&
       snapshot.isAuthenticated === next.isAuthenticated &&
       snapshot.token === next.token
@@ -261,28 +403,54 @@ export function client(options: ClientOptions) {
     return true;
   };
-  // ---------------------------------------------------------------------------
-  // Storage helpers (SPA mode only)
-  // ---------------------------------------------------------------------------
-  const storageGet = async (name: string) =>
-    storage ? ((await storage.getItem(key(name))) ?? null) : null;
-  const storageSet = async (name: string, value: string) => {
-    if (storage) await storage.setItem(key(name), value);
-  };
-  const storageRemove = async (name: string) => {
-    if (storage) await storage.removeItem(key(name));
+  const finalizeLoadingState = () => {
+    if (!isLoading) {
+      return;
+    }
+    isLoading = false;
+    if (updateSnapshot()) {
+      notify();
+    }
   };
+  const inviteManager = createInviteManager({
+    param,
+    storageGet,
+    storageSet,
+    storageRemove,
+    cleanUrlParams,
+    tokenKey: INVITE_TOKEN_KEY,
+    emailKey: INVITE_EMAIL_KEY,
+  });
+  const getPendingInvite = () => inviteManager.getPendingInvite();
+  const persistInvite = () => inviteManager.persistInvite();
+  const acceptInvite = () => inviteManager.acceptInvite();
   // ---------------------------------------------------------------------------
   // Token management
   // ---------------------------------------------------------------------------
+  const bindConvexAuth = () => {
+    convex.setAuth(fetchAccessToken, handleConvexAuthChange);
+  };
   const setToken = async (
     args:
-      | { shouldStore: true; tokens: AuthSession | null }
-      | { shouldStore: false; tokens: { token: string } | null },
+      | {
+          shouldStore: true;
+          tokens: AuthSession | null;
+          requireHandshake?: boolean;
+          resyncConvexAuth?: boolean;
+        }
+      | {
+          shouldStore: false;
+          tokens: { token: string } | null;
+          requireHandshake?: boolean;
+          resyncConvexAuth?: boolean;
+        },
   ) => {
+    const previousToken = token;
     if (args.tokens === null) {
       token = null;
       if (args.shouldStore) {
@@ -296,49 +464,72 @@ export function client(options: ClientOptions) {
         await storageSet(REFRESH_TOKEN_STORAGE_KEY, args.tokens.refreshToken);
       }
     }
+    if (token !== previousToken) {
+      authEpoch += 1;
+      rejectObsoleteHandshakeWaiters(authEpoch);
+    }
+    if (token === null) {
+      authConfirmed = false;
+      handshakePending = false;
+      settleHandshakeWaiters(authEpoch, {
+        type: "reject",
+        error: createHandshakeError("AUTH_HANDSHAKE_REJECTED", {
+          reason: "token_cleared",
+        }),
+      });
+    } else {
+      const shouldEnterHandshake =
+        args.requireHandshake === true || !authConfirmed;
+      if (shouldEnterHandshake) {
+        authConfirmed = false;
+        handshakePending = true;
+      } else {
+        handshakePending = false;
+      }
+    }
     const hadPendingLoad = isLoading;
     isLoading = false;
     const changed = updateSnapshot();
+    if (args.resyncConvexAuth !== false) {
+      bindConvexAuth();
+    }
     if (hadPendingLoad || changed) {
-      // Re-sync the Convex client so it picks up the new token immediately.
-      // Without this, the initial convex.setAuth(fetchAccessToken) from
-      // initialization never re-polls and queries run unauthenticated after
-      // magic link code exchange.
-      if (!proxy) {
-        convex.setAuth(fetchAccessToken);
-      }
       notify();
     }
   };
-  // ---------------------------------------------------------------------------
-  // Proxy fetch helper
-  // ---------------------------------------------------------------------------
-  const proxyFetch = async (body: Record<string, unknown>) => {
-    const response = await fetch(proxy!, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      credentials: "include",
-      body: JSON.stringify(body),
+  const setTokenAndMaybeWait = async (
+    args:
+      | {
+          shouldStore: true;
+          tokens: AuthSession | null;
+          waitForHandshake: boolean;
+          context: AuthFlowContext;
+        }
+      | {
+          shouldStore: false;
+          tokens: { token: string } | null;
+          waitForHandshake: boolean;
+          context: AuthFlowContext;
+        },
+  ): Promise<boolean> => {
+    const { waitForHandshake, context, ...tokenArgs } = args;
+    await setToken({
+      ...(tokenArgs as
+        | { shouldStore: true; tokens: AuthSession | null }
+        | { shouldStore: false; tokens: { token: string } | null }),
+      requireHandshake: waitForHandshake,
     });
-    if (!response.ok) {
-      const errorBody = await response.json().catch(() => ({} as Record<string, unknown>));
-      // Reconstruct ConvexError when the proxy forwards structured auth error data.
-      if (
-        typeof errorBody === "object" &&
-        errorBody !== null &&
-        "authError" in errorBody &&
-        typeof (errorBody as Record<string, unknown>).authError === "object"
-      ) {
-        throw new ConvexError((errorBody as Record<string, unknown>).authError as Value);
-      }
-      throw new Error(
-        (errorBody as Record<string, unknown>).error as string ??
-          `Proxy request failed: ${response.status}`,
-      );
+    if (tokenArgs.tokens === null) {
+      return false;
+    }
+    if (waitForHandshake) {
+      await waitForAuthHandshake(context);
     }
-    return response.json();
+    return true;
   };
   // ---------------------------------------------------------------------------
@@ -348,40 +539,58 @@ export function client(options: ClientOptions) {
   const verifyCode = async (
     args: { code: string; verifier?: string } | { refreshToken: string },
   ) => {
-    let lastError: unknown;
-    let retry = 0;
-    while (retry < RETRY_BACKOFF.length) {
-      try {
-        return await httpClient!.action(
-          "auth:signIn" as any,
-          "code" in args
-            ? { params: { code: args.code }, verifier: args.verifier }
-            : args,
-        );
-      } catch (e) {
-        lastError = e;
-        const isNetworkError =
-          e instanceof Error && /network/i.test(e.message || "");
-        if (!isNetworkError) break;
-        const wait = RETRY_BACKOFF[retry]! + RETRY_JITTER * Math.random();
-        retry++;
-        await new Promise((resolve) => setTimeout(resolve, wait));
-      }
-    }
-    throw lastError;
+    const verifyCodeRetryPolicy = Fx.retry.while(
+      Fx.retry.compose(
+        Fx.retry.jittered(Fx.retry.exponential(RETRY_BASE_MS)),
+        Fx.retry.recurs(RETRY_MAX_RETRIES),
+      ),
+      (meta) => isTransientNetworkError(meta.input),
+    );
+    return Fx.run(
+      Fx.from({
+        ok: () =>
+          httpClient!.action(
+            requireApiRefs().signIn,
+            "code" in args
+              ? { params: { code: args.code }, verifier: args.verifier }
+              : args,
+          ),
+        err: (e) => e,
+      }).pipe(
+        Fx.retry(verifyCodeRetryPolicy),
+        Fx.recover((e) => Fx.fatal(e)),
+      ),
+    );
   };
   const verifyCodeAndSetToken = async (
     args: { code: string; verifier?: string } | { refreshToken: string },
+    opts?: { resyncConvexAuth?: boolean },
   ) => {
     const { tokens } = await verifyCode(args);
     await setToken({
       shouldStore: true,
       tokens: (tokens as AuthSession | null) ?? null,
+      resyncConvexAuth: opts?.resyncConvexAuth,
     });
     return tokens !== null;
   };
+  const normalizeDeviceCodeResult = (device_code: any): DeviceCodeResult => {
+    return {
+      deviceCode: device_code.deviceCode,
+      userCode: device_code.userCode,
+      verificationUri:
+        device_code.verification_uri ?? device_code.verificationUri,
+      verificationUriComplete:
+        device_code.verification_uri_complete ??
+        device_code.verificationUriComplete,
+      expiresIn: device_code.expiresIn,
+      interval: device_code.interval,
+    };
+  };
   // ---------------------------------------------------------------------------
   // signIn
   // ---------------------------------------------------------------------------
@@ -394,6 +603,7 @@ export function client(options: ClientOptions) {
    * @param args - Provider-specific arguments. Pass a `Record<string, Value>`
    *   or `FormData`. Common fields: `email`, `password`, `code`, `redirectTo`.
    * @returns A {@link SignInResult} indicating the outcome.
+   * @throws {ConvexError} When the server action rejects the sign-in attempt (e.g. invalid credentials, provider error, or rate limiting).
    *
    * @example Email magic link
    * ```ts
@@ -403,8 +613,8 @@ export function client(options: ClientOptions) {
    * @example Password
    * ```ts
    * const result = await auth.signIn('password', { email, password, flow: 'signIn' });
-   * if (result.totpRequired) {
-   *   await auth.totp.verify({ code: totpCode, verifier: result.verifier! });
+   * if (result.kind === 'totpRequired') {
+   *   await auth.totp.verify({ code: totpCode, verifier: result.verifier });
    * }
    * ```
    *
@@ -417,80 +627,121 @@ export function client(options: ClientOptions) {
     provider?: string,
     args?: FormData | Record<string, Value>,
   ): Promise<SignInResult> => {
+    // Persist invite before potential OAuth redirect
+    await persistInvite();
     const params =
       args instanceof FormData
-        ? Array.from(args.entries()).reduce(
-            (acc, [k, v]) => {
-              acc[k] = v as string;
-              return acc;
-            },
-            {} as Record<string, string>,
-          )
-        : args ?? {};
+        ? (() => {
+            const formParams: Record<string, Value> = {};
+            args.forEach((value, key) => {
+              formParams[key] = typeof value === "string" ? value : value.name;
+            });
+            return formParams;
+          })()
+        : (args ?? {});
+    const flow =
+      typeof params.flow === "string" && params.flow.length > 0
+        ? params.flow
+        : "signIn";
+    const handleSignInActionResult = async (
+      result: SignInActionResult,
+      options: { shouldStore: boolean; persistVerifier: boolean },
+    ): Promise<SignInResult> =>
+      Fx.run(
+        Fx.match(result, result.kind, {
+          redirect: (redirectResult) =>
+            Fx.from({
+              ok: async () => {
+                const redirectUrl = new URL(redirectResult.redirect);
+                if (options.persistVerifier) {
+                  await storageSet(
+                    VERIFIER_STORAGE_KEY,
+                    redirectResult.verifier,
+                  );
+                }
+                if (typeof window !== "undefined") {
+                  window.location.href = redirectUrl.toString();
+                }
+                return {
+                  kind: "redirect" as const,
+                  redirect: redirectUrl,
+                  verifier: redirectResult.verifier,
+                };
+              },
+              err: (e) => e as never,
+            }),
+          totpRequired: (totpRequiredResult) =>
+            Fx.succeed({
+              kind: "totpRequired" as const,
+              verifier: totpRequiredResult.verifier,
+            }),
+          deviceCode: (deviceCodeResult) =>
+            Fx.succeed({
+              kind: "deviceCode" as const,
+              deviceCode: normalizeDeviceCodeResult(
+                deviceCodeResult.deviceCode,
+              ),
+            }),
+          signedIn: (signedInResult) =>
+            Fx.from({
+              ok: async () => {
+                const signingIn = await setTokenAndMaybeWait(
+                  options.shouldStore
+                    ? {
+                        shouldStore: true as const,
+                        tokens: signedInResult.tokens,
+                        waitForHandshake: true,
+                        context: { provider, flow },
+                      }
+                    : {
+                        shouldStore: false as const,
+                        tokens:
+                          signedInResult.tokens === null
+                            ? null
+                            : { token: signedInResult.tokens.token },
+                        waitForHandshake: true,
+                        context: { provider, flow },
+                      },
+                );
+                return signingIn
+                  ? ({ kind: "signedIn" as const } as SignInResult)
+                  : ({ kind: "started" as const } as SignInResult);
+              },
+              err: (e) => e as never,
+            }),
+          started: (_startedResult) => Fx.succeed({ kind: "started" as const }),
+          passkeyOptions: (_passkeyOptionsResult) =>
+            Fx.succeed({ kind: "started" as const }),
+          totpSetup: (_totpSetupResult) =>
+            Fx.succeed({ kind: "started" as const }),
+        }),
+      );
     if (proxy) {
-      // Proxy mode: POST to the proxy endpoint.
-      const result = await proxyFetch({
+      const result = (await proxyFetch({
         action: "auth:signIn",
         args: { provider, params },
+      })) as SignInActionResult;
+      return handleSignInActionResult(result, {
+        shouldStore: false,
+        persistVerifier: false,
       });
-      if (result.redirect !== undefined) {
-        const redirectUrl = new URL(result.redirect);
-        // Verifier is stored server-side in an httpOnly cookie.
-        if (typeof window !== "undefined") {
-          window.location.href = redirectUrl.toString();
-        }
-        return { signingIn: false, redirect: redirectUrl };
-      }
-      if (result.totpRequired) {
-        return { signingIn: false, totpRequired: true, verifier: result.verifier };
-      }
-      if (result.deviceCode !== undefined) {
-        return { signingIn: false, deviceCode: result.deviceCode as DeviceCodeResult };
-      }
-      if (result.tokens !== undefined) {
-        // Proxy returns { token, refreshToken: "dummy" }.
-        // Store JWT in memory only — real refresh token is in httpOnly cookie.
-        await setToken({
-          shouldStore: false,
-          tokens:
-            result.tokens === null ? null : { token: result.tokens.token },
-        });
-        return { signingIn: result.tokens !== null };
-      }
-      return { signingIn: false };
     }
     // SPA mode: call Convex directly.
     const verifier = (await storageGet(VERIFIER_STORAGE_KEY)) ?? undefined;
     await storageRemove(VERIFIER_STORAGE_KEY);
-    const result = await convex.action("auth:signIn" as any, {
+    const result = (await convex.action(requireApiRefs().signIn, {
       provider,
       params,
       verifier,
+    })) as SignInActionResult;
+    return handleSignInActionResult(result, {
+      shouldStore: true,
+      persistVerifier: true,
     });
-    if (result.redirect !== undefined) {
-      const redirectUrl = new URL(result.redirect);
-      await storageSet(VERIFIER_STORAGE_KEY, result.verifier!);
-      if (typeof window !== "undefined") {
-        window.location.href = redirectUrl.toString();
-      }
-      return { signingIn: false, redirect: redirectUrl };
-    }
-    if (result.totpRequired) {
-      return { signingIn: false, totpRequired: true, verifier: result.verifier };
-    }
-    if (result.deviceCode !== undefined) {
-      return { signingIn: false, deviceCode: result.deviceCode as DeviceCodeResult };
-    }
-    if (result.tokens !== undefined) {
-      await setToken({
-        shouldStore: true,
-        tokens: (result.tokens as AuthSession | null) ?? null,
-      });
-      return { signingIn: result.tokens !== null };
-    }
-    return { signingIn: false };
   };
   // ---------------------------------------------------------------------------
@@ -506,22 +757,24 @@ export function client(options: ClientOptions) {
    */
   const signOut = async () => {
     if (proxy) {
-      try {
-        await proxyFetch({ action: "auth:signOut", args: {} });
-      } catch {
-        // Already signed out is fine.
-      }
+      await Fx.run(
+        Fx.from({
+          ok: () => proxyFetch({ action: "auth:signOut", args: {} }),
+          err: () => undefined,
+        }).pipe(Fx.recover(() => Fx.succeed(undefined))),
+      );
       await setToken({ shouldStore: false, tokens: null });
       if (convex.clearAuth) convex.clearAuth();
       return;
     }
     // SPA mode.
-    try {
-      await convex.action("auth:signOut" as any, {});
-    } catch {
-      // Already signed out is fine.
-    }
+    await Fx.run(
+      Fx.from({
+        ok: () => convex.action(requireApiRefs().signOut, {}),
+        err: () => undefined,
+      }).pipe(Fx.recover(() => Fx.succeed(undefined))),
+    );
     await setToken({ shouldStore: true, tokens: null });
     if (convex.clearAuth) convex.clearAuth();
   };
@@ -540,26 +793,71 @@ export function client(options: ClientOptions) {
     if (proxy) {
       // Proxy mode: POST to the proxy to refresh.
       // The proxy reads the real refresh token from the httpOnly cookie.
+      const resolvedProxyUrl = await resolveProxyUrl();
+      if (
+        typeof window === "undefined" &&
+        !(await isAbsoluteUrl(resolvedProxyUrl))
+      ) {
+        finalizeLoadingState();
+        return token;
+      }
       const tokenBeforeRefresh = token;
       return await browserMutex("__convexAuthProxyRefresh", async () => {
         // Another tab/call may have already refreshed.
         if (token !== tokenBeforeRefresh) return token;
-        try {
-          const result = await proxyFetch({
-            action: "auth:signIn",
-            args: { refreshToken: true },
-          });
-          if (result.tokens) {
-            await setToken({
-              shouldStore: false,
-              tokens: { token: result.tokens.token },
-            });
-          } else {
-            await setToken({ shouldStore: false, tokens: null });
-          }
-        } catch {
-          await setToken({ shouldStore: false, tokens: null });
-        }
+        const proxyRefreshRetryPolicy = Fx.retry.while(
+          Fx.retry.compose(
+            Fx.retry.jittered(Fx.retry.exponential(RETRY_BASE_MS)),
+            Fx.retry.recurs(RETRY_MAX_RETRIES),
+          ),
+          (meta) => isRetriableProxyRefreshError(meta.input),
+        );
+        await Fx.run(
+          Fx.from({
+            ok: () =>
+              proxyFetch({
+                action: "auth:signIn",
+                args: { refreshToken: true },
+              }),
+            err: (e) => e,
+          }).pipe(
+            Fx.retry(proxyRefreshRetryPolicy),
+            Fx.chain((result: any) =>
+              Fx.from({
+                ok: async () => {
+                  if (result.tokens) {
+                    await setToken({
+                      shouldStore: false,
+                      tokens: { token: result.tokens.token },
+                      resyncConvexAuth: false,
+                    });
+                  } else {
+                    await setToken({
+                      shouldStore: false,
+                      tokens: null,
+                      resyncConvexAuth: false,
+                    });
+                  }
+                },
+                err: (e) => e,
+              }),
+            ),
+            Fx.inspect((error) =>
+              Fx.sync(() =>
+                console.error("[convex-auth] Proxy refresh failed:", error),
+              ),
+            ),
+            Fx.recover(() => {
+              if (token === null) {
+                finalizeLoadingState();
+              }
+              return Fx.succeed(undefined);
+            }),
+          ),
+        );
         return token;
       });
     }
@@ -574,9 +872,13 @@ export function client(options: ClientOptions) {
       const refreshToken =
         (await storageGet(REFRESH_TOKEN_STORAGE_KEY)) ?? null;
       if (!refreshToken) {
+        finalizeLoadingState();
         return null;
       }
-      await verifyCodeAndSetToken({ refreshToken });
+      await verifyCodeAndSetToken(
+        { refreshToken },
+        { resyncConvexAuth: false },
+      );
       return token;
     });
   };
@@ -591,14 +893,32 @@ export function client(options: ClientOptions) {
     const code = new URLSearchParams(window.location.search).get("code");
     if (!code) return;
     handlingCodeFlow = true;
-    const codeUrl = new URL(window.location.href);
-    codeUrl.searchParams.delete("code");
-    try {
-      await replaceURL(codeUrl.pathname + codeUrl.search + codeUrl.hash);
-      await signIn(undefined, { code });
-    } finally {
-      handlingCodeFlow = false;
-    }
+    await Fx.run(
+      Fx.from({
+        ok: async () => {
+          await signIn(undefined, { code });
+          const codeUrl = new URL(window.location.href);
+          codeUrl.searchParams.delete("code");
+          await replaceUrl(codeUrl.pathname + codeUrl.search + codeUrl.hash);
+        },
+        err: (e) => e,
+      }).pipe(
+        Fx.recover(() => Fx.succeed(undefined)),
+        Fx.tap(() =>
+          Fx.sync(() => {
+            handlingCodeFlow = false;
+          }),
+        ),
+        Fx.inspect(() =>
+          Fx.sync(() => {
+            handlingCodeFlow = false;
+          }),
+        ),
+      ),
+    );
+    // The flag is always reset — Fx.recover above ensures success path,
+    // but reset defensively here too.
+    handlingCodeFlow = false;
   };
   // ---------------------------------------------------------------------------
@@ -643,636 +963,124 @@ export function client(options: ClientOptions) {
   // Cross-tab sync via storage events (SPA mode only).
   if (!proxy && typeof window !== "undefined") {
+    const registryKey = key(JWT_STORAGE_KEY);
+    const registry = getStorageListenerRegistry();
+    const existingListener = registry[registryKey];
+    if (existingListener !== undefined) {
+      window.removeEventListener("storage", existingListener);
+    }
     const onStorage = (event: StorageEvent) => {
-      void (async () => {
+      Fx.detach(async () => {
         if (event.key !== key(JWT_STORAGE_KEY)) return;
         await setToken({
           shouldStore: false,
-          tokens:
-            event.newValue === null ? null : { token: event.newValue },
+          tokens: event.newValue === null ? null : { token: event.newValue },
         });
-      })();
+      }, "[convex-auth] Storage event handler failed:");
     };
     window.addEventListener("storage", onStorage);
+    registry[registryKey] = onStorage;
+    disposeStorageListener = () => {
+      if (registry[registryKey] === onStorage) {
+        delete registry[registryKey];
+      }
+      window.removeEventListener("storage", onStorage);
+    };
   }
   // Auto-wire: feed our tokens into the Convex client so
   // queries and mutations are automatically authenticated.
-  convex.setAuth(fetchAccessToken);
+  bindConvexAuth();
   // Auto-hydrate and handle code flow.
   if (typeof window !== "undefined") {
     if (proxy) {
-      // Proxy mode: if no initialToken was provided, try a refresh
-      // to pick up any existing session from httpOnly cookies.
+      // Proxy mode: eagerly resolve auth once on startup so routes that only
+      // read auth state (and do not issue Convex queries yet) don't stay in
+      // the initial loading phase.
       if (!hasServerToken) {
-        void fetchAccessToken({ forceRefreshToken: true });
-      } else {
-        // initialToken already set — mark loading as done.
-        isLoading = false;
-        updateSnapshot();
+        Fx.detach(
+          () => fetchAccessToken({ forceRefreshToken: true }),
+          "[convex-auth] Proxy token refresh failed:",
+        );
       }
     } else {
       // SPA mode: hydrate from localStorage, then handle OAuth code flow.
-      void hydrateFromStorage().then(() =>
-        handleCodeFlow().catch((error: unknown) => {
-          console.error("[convex-auth] Code exchange failed:", error);
-        }),
-      );
+      Fx.detach(async () => {
+        await Fx.run(
+          Fx.from({
+            ok: async () => {
+              await hydrateFromStorage();
+              await handleCodeFlow();
+            },
+            err: (e) => e,
+          }).pipe(
+            Fx.inspect((error) =>
+              Fx.sync(() =>
+                console.error(
+                  "[convex-auth] Client initialization failed:",
+                  error,
+                ),
+              ),
+            ),
+            Fx.recover((_error) =>
+              Fx.from({
+                ok: () => setToken({ shouldStore: false, tokens: null }),
+                err: (e) => e,
+              }).pipe(Fx.recover(() => Fx.succeed(undefined))),
+            ),
+          ),
+        );
+      }, "[convex-auth] SPA initialization failed:");
     }
   }
   // ---------------------------------------------------------------------------
-  // Passkey helpers
+  // Auth factor helpers
   // ---------------------------------------------------------------------------
-  /**
-   * Base64url encode/decode helpers for the WebAuthn credential API.
-   * These run client-side only (browser context).
-   */
-  const base64urlEncode = (buffer: ArrayBuffer): string => {
-    const bytes = new Uint8Array(buffer);
-    let binary = "";
-    for (let i = 0; i < bytes.byteLength; i++) {
-      binary += String.fromCharCode(bytes[i]!);
-    }
-    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-  };
-  const base64urlDecode = (str: string): Uint8Array => {
-    const padded = str.replace(/-/g, "+").replace(/_/g, "/");
-    const binary = atob(padded);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
-      bytes[i] = binary.charCodeAt(i);
-    }
-    return bytes;
-  };
-  const passkey = {
-    /**
-     * Check if WebAuthn passkeys are supported in the current environment.
-     */
-    isSupported: (): boolean => {
-      return (
-        typeof window !== "undefined" &&
-        typeof window.PublicKeyCredential !== "undefined"
-      );
-    },
-    /**
-     * Check if conditional UI (autofill-assisted passkey sign-in) is supported.
-     *
-     * ```ts
-     * if (await auth.passkey.isAutofillSupported()) {
-     *   auth.passkey.authenticate({ autofill: true });
-     * }
-     * ```
-     */
-    isAutofillSupported: async (): Promise<boolean> => {
-      if (typeof window === "undefined") return false;
-      if (typeof window.PublicKeyCredential === "undefined") return false;
-      if (
-        typeof (
-          window.PublicKeyCredential as any
-        ).isConditionalMediationAvailable !== "function"
-      ) {
-        return false;
-      }
-      return (
-        window.PublicKeyCredential as any
-      ).isConditionalMediationAvailable();
-    },
-    /**
-     * Register a new passkey for the current or new user.
-     *
-     * Performs the full two-round-trip WebAuthn registration ceremony:
-     * 1. Requests creation options from the server (challenge, RP info)
-     * 2. Calls `navigator.credentials.create()` with the options
-     * 3. Sends the attestation back to the server for verification
-     * 4. Server creates user + account + passkey records and returns tokens
-     *
-     * Works in both SPA and proxy (SSR) modes.
-     *
-     * ```ts
-     * await auth.passkey.register({ name: "MacBook Touch ID" });
-     * ```
-     *
-     * @param opts.name - Friendly name for this passkey
-     * @param opts.email - Email to associate with the new account
-     * @param opts.userName - Username for the credential (defaults to email)
-     * @param opts.userDisplayName - Display name for the credential
-     * @returns `{ signingIn: true }` on success
-     */
-    register: async (
-      opts?: {
-        name?: string;
-        email?: string;
-        userName?: string;
-        userDisplayName?: string;
-      },
-    ): Promise<SignInResult> => {
-      const phase1Params = {
-        flow: "register-options",
-        email: opts?.email,
-        userName: opts?.userName,
-        userDisplayName: opts?.userDisplayName,
-      };
-      // Phase 1: Get registration options from server
-      let phase1Result: any;
-      if (proxy) {
-        phase1Result = await proxyFetch({
-          action: "auth:signIn",
-          args: { provider: "passkey", params: phase1Params },
-        });
-      } else {
-        phase1Result = await convex.action("auth:signIn" as any, {
-          provider: "passkey",
-          params: phase1Params,
-        });
-      }
-      if (!phase1Result.options) {
-        throw new Error("Server did not return passkey registration options");
-      }
-      const options = phase1Result.options;
-      // Convert base64url strings to ArrayBuffers for the credential API
-      const createOptions: CredentialCreationOptions = {
-        publicKey: {
-          rp: options.rp,
-          user: {
-            id: base64urlDecode(options.user.id).buffer as ArrayBuffer,
-            name: options.user.name,
-            displayName: options.user.displayName,
-          },
-          challenge: base64urlDecode(options.challenge).buffer as ArrayBuffer,
-          pubKeyCredParams: options.pubKeyCredParams,
-          timeout: options.timeout,
-          attestation: options.attestation,
-          authenticatorSelection: options.authenticatorSelection,
-          excludeCredentials: (options.excludeCredentials ?? []).map(
-            (cred: any) => ({
-              type: cred.type ?? "public-key",
-              id: base64urlDecode(cred.id).buffer as ArrayBuffer,
-              transports: cred.transports,
-            }),
-          ),
-        },
-      };
-      // Phase 2: Create credential via browser API
-      const credential = (await navigator.credentials.create(
-        createOptions,
-      )) as PublicKeyCredential | null;
-      if (!credential) {
-        throw new Error("Passkey registration was cancelled");
-      }
-      const response =
-        credential.response as AuthenticatorAttestationResponse;
-      // Extract transports if available
-      const transports =
-        typeof response.getTransports === "function"
-          ? response.getTransports()
-          : undefined;
-      const phase2Params = {
-        flow: "register-verify",
-        clientDataJSON: base64urlEncode(response.clientDataJSON),
-        attestationObject: base64urlEncode(response.attestationObject),
-        transports,
-        passkeyName: opts?.name,
-        email: opts?.email,
-      };
-      // Phase 3: Send attestation to server for verification
-      let phase2Result: any;
-      if (proxy) {
-        // In proxy mode the verifier is stored in an httpOnly cookie by the proxy.
-        // We pass it back explicitly so the proxy can forward it to Convex.
-        phase2Result = await proxyFetch({
-          action: "auth:signIn",
-          args: {
-            provider: "passkey",
-            params: phase2Params,
-            verifier: phase1Result.verifier,
-          },
-        });
-      } else {
-        phase2Result = await convex.action("auth:signIn" as any, {
-          provider: "passkey",
-          params: phase2Params,
-          verifier: phase1Result.verifier,
-        });
-      }
-      if (phase2Result.tokens) {
-        if (proxy) {
-          await setToken({
-            shouldStore: false,
-            tokens:
-              phase2Result.tokens === null
-                ? null
-                : { token: phase2Result.tokens.token },
-          });
-        } else {
-          await setToken({
-            shouldStore: true,
-            tokens: phase2Result.tokens as AuthSession,
-          });
-        }
-        return { signingIn: true };
-      }
-      return { signingIn: false };
-    },
-    /**
-     * Authenticate with an existing passkey.
-     *
-     * Performs the full two-round-trip WebAuthn authentication ceremony:
-     * 1. Requests assertion options from the server (challenge, allowed credentials)
-     * 2. Calls `navigator.credentials.get()` with the options
-     * 3. Sends the assertion back to the server for signature verification
-     * 4. Server verifies signature, updates counter, creates session, returns tokens
-     *
-     * Works in both SPA and proxy (SSR) modes.
-     *
-     * ```ts
-     * // Discoverable credential (no email needed)
-     * await auth.passkey.authenticate();
-     *
-     * // Scoped to a specific user's credentials
-     * await auth.passkey.authenticate({ email: "user@example.com" });
-     *
-     * // Autofill-assisted (conditional UI)
-     * await auth.passkey.authenticate({ autofill: true });
-     * ```
-     *
-     * @param opts.email - Scope to credentials for this email's user
-     * @param opts.autofill - Use conditional mediation (autofill UI)
-     * @returns `{ signingIn: true }` on success
-     */
-    authenticate: async (
-      opts?: { email?: string; autofill?: boolean },
-    ): Promise<SignInResult> => {
-      const phase1Params = {
-        flow: "auth-options",
-        email: opts?.email,
-      };
-      // Phase 1: Get assertion options from server
-      let phase1Result: any;
-      if (proxy) {
-        phase1Result = await proxyFetch({
-          action: "auth:signIn",
-          args: { provider: "passkey", params: phase1Params },
-        });
-      } else {
-        phase1Result = await convex.action("auth:signIn" as any, {
-          provider: "passkey",
-          params: phase1Params,
-        });
-      }
-      if (!phase1Result.options) {
-        throw new Error("Server did not return passkey authentication options");
-      }
-      const options = phase1Result.options;
-      // Convert base64url strings to ArrayBuffers for the credential API
-      const getOptions: CredentialRequestOptions = {
-        publicKey: {
-          challenge: base64urlDecode(options.challenge).buffer as ArrayBuffer,
-          timeout: options.timeout,
-          rpId: options.rpId,
-          userVerification: options.userVerification,
-          allowCredentials: (options.allowCredentials ?? []).map(
-            (cred: any) => ({
-              type: cred.type ?? "public-key",
-              id: base64urlDecode(cred.id).buffer as ArrayBuffer,
-              transports: cred.transports,
-            }),
-          ),
-        },
-        ...(opts?.autofill ? { mediation: "conditional" as any } : {}),
-      };
-      // Phase 2: Get credential via browser API
-      const credential = (await navigator.credentials.get(
-        getOptions,
-      )) as PublicKeyCredential | null;
-      if (!credential) {
-        throw new Error("Passkey authentication was cancelled");
-      }
-      const response =
-        credential.response as AuthenticatorAssertionResponse;
-      const phase2Params = {
-        flow: "auth-verify",
-        credentialId: base64urlEncode(credential.rawId),
-        clientDataJSON: base64urlEncode(response.clientDataJSON),
-        authenticatorData: base64urlEncode(response.authenticatorData),
-        signature: base64urlEncode(response.signature),
-      };
-      // Phase 3: Send assertion to server for verification
-      let phase2Result: any;
-      if (proxy) {
-        phase2Result = await proxyFetch({
-          action: "auth:signIn",
-          args: {
-            provider: "passkey",
-            params: phase2Params,
-            verifier: phase1Result.verifier,
-          },
-        });
-      } else {
-        phase2Result = await convex.action("auth:signIn" as any, {
-          provider: "passkey",
-          params: phase2Params,
-          verifier: phase1Result.verifier,
-        });
-      }
-      if (phase2Result.tokens) {
-        if (proxy) {
-          await setToken({
-            shouldStore: false,
-            tokens:
-              phase2Result.tokens === null
-                ? null
-                : { token: phase2Result.tokens.token },
-          });
-        } else {
-          await setToken({
-            shouldStore: true,
-            tokens: phase2Result.tokens as AuthSession,
-          });
-        }
-        return { signingIn: true };
-      }
-      return { signingIn: false };
-    },
-  };
-  const totp = {
-    /**
-     * Start TOTP enrollment. Must be authenticated.
-     *
-     * Returns a URI for QR code display and a base32 secret for manual entry.
-     *
-     * ```ts
-     * const setup = await auth.totp.setup();
-     * // Display QR code from setup.uri
-     * // Or show setup.secret for manual entry
-     * ```
-     */
-    setup: async (
-      opts?: { name?: string; accountName?: string },
-    ): Promise<{ uri: string; secret: string; verifier: string; totpId: string }> => {
-      const params: Record<string, any> = { flow: "setup" };
-      if (opts?.name) params.name = opts.name;
-      if (opts?.accountName) params.accountName = opts.accountName;
-      if (proxy) {
-        const result = await proxyFetch({
-          action: "auth:signIn",
-          args: { provider: "totp", params },
-        });
-        return { uri: result.totpSetup.uri, secret: result.totpSetup.secret, verifier: result.verifier, totpId: result.totpSetup.totpId };
-      }
-      const result = await convex.action("auth:signIn" as any, {
-        provider: "totp",
-        params,
-      });
-      return { uri: result.totpSetup.uri, secret: result.totpSetup.secret, verifier: result.verifier, totpId: result.totpSetup.totpId };
-    },
-    /**
-     * Complete TOTP enrollment by verifying the first code from the authenticator app.
-     *
-     * ```ts
-     * await auth.totp.confirm({ code: "123456", verifier: setup.verifier, totpId: setup.totpId });
-     * ```
-     */
-    confirm: async (opts: {
-      code: string;
-      verifier: string;
-      totpId: string;
-    }): Promise<void> => {
-      const params: Record<string, any> = {
-        flow: "confirm",
-        code: opts.code,
-        totpId: opts.totpId,
-      };
-      if (proxy) {
-        const result = await proxyFetch({
-          action: "auth:signIn",
-          args: { provider: "totp", params, verifier: opts.verifier },
-        });
-        if (result.tokens) {
-          await setToken({
-            shouldStore: false,
-            tokens: result.tokens === null ? null : { token: result.tokens.token },
-          });
-        }
-        return;
-      }
-      const result = await convex.action("auth:signIn" as any, {
-        provider: "totp",
-        params,
-        verifier: opts.verifier,
-      });
-      if (result.tokens) {
-        await setToken({
-          shouldStore: true,
-          tokens: (result.tokens as AuthSession | null) ?? null,
-        });
-      }
-    },
-    /**
-     * Complete 2FA verification during sign-in.
-     *
-     * Called after a credentials sign-in returns `totpRequired: true`.
-     *
-     * ```ts
-     * const result = await auth.signIn("password", { email, password });
-     * if (result.totpRequired) {
-     *   await auth.totp.verify({ code: "123456", verifier: result.verifier! });
-     * }
-     * ```
-     */
-    verify: async (opts: { code: string; verifier: string }): Promise<void> => {
-      const params: Record<string, any> = {
-        flow: "verify",
-        code: opts.code,
-      };
-      if (proxy) {
-        const result = await proxyFetch({
-          action: "auth:signIn",
-          args: { provider: "totp", params, verifier: opts.verifier },
-        });
-        if (result.tokens) {
-          await setToken({
-            shouldStore: false,
-            tokens: result.tokens === null ? null : { token: result.tokens.token },
-          });
-        }
-        return;
-      }
-      const result = await convex.action("auth:signIn" as any, {
-        provider: "totp",
-        params,
-        verifier: opts.verifier,
-      });
-      if (result.tokens) {
-        await setToken({
-          shouldStore: true,
-          tokens: (result.tokens as AuthSession | null) ?? null,
-        });
-      }
-    },
-  };
-  const device = {
-    /**
-     * Poll for device authorization status.
-     *
-     * The device calls this repeatedly (respecting `interval`) after
-     * initiating a device flow via `signIn("device")`. Returns when
-     * the user authorizes, or throws on timeout/denial.
-     *
-     * ```ts
-     * const result = await auth.signIn("device");
-     * const { deviceCode } = result;
-     * // Display deviceCode.userCode to the user, then poll:
-     * await auth.device.poll(deviceCode);
-     * // User is now signed in
-     * ```
-     *
-     * @param code - The {@link DeviceCodeResult} from `signIn("device")`.
-     * @returns Resolves when the device is authorized and tokens are stored.
-     * @throws When the code expires, is denied, or polling encounters an error.
-     */
-    poll: async (code: DeviceCodeResult): Promise<void> => {
-      const intervalMs = code.interval * 1000;
-      const expiresAt = Date.now() + code.expiresIn * 1000;
-      while (Date.now() < expiresAt) {
-        await new Promise((resolve) => setTimeout(resolve, intervalMs));
-        try {
-          let result: any;
-          const params: Record<string, any> = {
-            flow: "poll",
-            deviceCode: code.deviceCode,
-          };
-          if (proxy) {
-            result = await proxyFetch({
-              action: "auth:signIn",
-              args: { provider: "device", params },
-            });
-          } else {
-            result = await convex.action("auth:signIn" as any, {
-              provider: "device",
-              params,
-            });
-          }
-          // Authorized — tokens received
-          if (result.tokens) {
-            if (proxy) {
-              await setToken({
-                shouldStore: false,
-                tokens:
-                  result.tokens === null
-                    ? null
-                    : { token: result.tokens.token },
-              });
-            } else {
-              await setToken({
-                shouldStore: true,
-                tokens: (result.tokens as AuthSession | null) ?? null,
-              });
-            }
-            return;
-          }
-        } catch (e: unknown) {
-          // Handle expected polling errors
-          if (e instanceof ConvexError) {
-            const data = e.data as Record<string, unknown>;
-            const code_ = data?.code as string | undefined;
-            if (code_ === "DEVICE_AUTHORIZATION_PENDING") {
-              continue; // Keep polling
-            }
-            if (code_ === "DEVICE_SLOW_DOWN") {
-              // Back off by adding one interval
-              await new Promise((resolve) =>
-                setTimeout(resolve, intervalMs),
-              );
-              continue;
-            }
-          }
-          // Non-recoverable error — rethrow
-          throw e;
-        }
-      }
-      throw new Error("Device authorization timed out.");
-    },
+  const passkey = createPasskeyClient({
+    proxy,
+    convex,
+    requireApiRefs,
+    proxyFetch,
+    setTokenAndMaybeWait,
+  });
-    /**
-     * Authorize a device from the verification page.
-     *
-     * Called by an authenticated user on the verification page after
-     * they enter the user code displayed on the device.
-     *
-     * ```ts
-     * // On the /device verification page:
-     * await auth.device.verify(userCode);
-     * ```
-     *
-     * @param userCode - The user code entered by the user (e.g. "WDJB-MJHT").
-     */
-    verify: async (userCode: string): Promise<void> => {
-      const params: Record<string, any> = {
-        flow: "verify",
-        userCode,
-      };
+  const totp = createTotpClient({
+    proxy,
+    convex,
+    requireApiRefs,
+    proxyFetch,
+    setTokenAndMaybeWait,
+  });
-      if (proxy) {
-        await proxyFetch({
-          action: "auth:signIn",
-          args: { provider: "device", params },
-        });
-      } else {
-        await convex.action("auth:signIn" as any, {
-          provider: "device",
-          params,
-        });
-      }
-    },
-  };
+  const device = createDeviceClient({
+    proxy,
+    convex,
+    requireApiRefs,
+    proxyFetch,
+    setTokenAndMaybeWait,
+  });
   return {
     /** Current auth state snapshot. */
     get state(): AuthState {
       return snapshot;
     },
+    /** SSR-safe URL param reader. */
+    param,
+    /** Pending invite from URL or recovered from storage. Null if none. */
+    get invite(): PendingInvite | null {
+      const pendingInvite = getPendingInvite();
+      if (!pendingInvite) return null;
+      return {
+        token: pendingInvite.token,
+        email: pendingInvite.email,
+        accept: acceptInvite,
+      };
+    },
     /** Sign in with a provider. See {@link SignInResult} for return shape. */
     signIn,
     /** Sign out and clear all token state. */
@@ -1285,94 +1093,42 @@ export function client(options: ClientOptions) {
     totp,
     /** Device authorization (RFC 8628) helpers. */
     device,
-  };
-}
-// ---------------------------------------------------------------------------
-// Browser mutex — ensures only one tab refreshes a token at a time.
-// ---------------------------------------------------------------------------
-async function browserMutex<T>(
-  key: string,
-  callback: () => Promise<T>,
-): Promise<T> {
-  const lockManager = (globalThis as any)?.navigator?.locks;
-  return lockManager !== undefined
-    ? await lockManager.request(key, callback)
-    : await manualMutex(key, callback);
-}
-function getMutexValue(key: string): {
-  currentlyRunning: Promise<void> | null;
-  waiting: Array<() => Promise<void>>;
-} {
-  if ((globalThis as any).__convexAuthMutexes === undefined) {
-    (globalThis as any).__convexAuthMutexes = {} as Record<
-      string,
-      {
-        currentlyRunning: Promise<void> | null;
-        waiting: Array<() => Promise<void>>;
-      }
-    >;
-  }
-  let mutex = (globalThis as any).__convexAuthMutexes[key];
-  if (mutex === undefined) {
-    (globalThis as any).__convexAuthMutexes[key] = {
-      currentlyRunning: null,
-      waiting: [],
-    };
-  }
-  mutex = (globalThis as any).__convexAuthMutexes[key];
-  return mutex;
-}
-function setMutexValue(
-  key: string,
-  value: {
-    currentlyRunning: Promise<void> | null;
-    waiting: Array<() => Promise<void>>;
-  },
-) {
-  (globalThis as any).__convexAuthMutexes[key] = value;
-}
-async function enqueueCallbackForMutex(
-  key: string,
-  callback: () => Promise<void>,
-) {
-  const mutex = getMutexValue(key);
-  if (mutex.currentlyRunning === null) {
-    setMutexValue(key, {
-      currentlyRunning: callback().finally(() => {
-        const nextCb = getMutexValue(key).waiting.shift();
-        getMutexValue(key).currentlyRunning = null;
-        setMutexValue(key, {
-          ...getMutexValue(key),
-          currentlyRunning:
-            nextCb === undefined ? null : enqueueCallbackForMutex(key, nextCb),
-        });
-      }),
-      waiting: [],
-    });
-  } else {
-    setMutexValue(key, {
-      ...mutex,
-      waiting: [...mutex.waiting, callback],
-    });
-  }
-}
-async function manualMutex<T>(
-  key: string,
-  callback: () => Promise<T>,
-): Promise<T> {
-  const outerPromise = new Promise<T>((resolve, reject) => {
-    const wrappedCallback: () => Promise<void> = () => {
-      return callback()
-        .then((v) => resolve(v))
-        .catch((e) => reject(e));
-    };
-    void enqueueCallbackForMutex(key, wrappedCallback);
-  });
-  return outerPromise;
+    /**
+     * Tear down this auth client instance.
+     *
+     * Removes the cross-tab `storage` event listener, clears all
+     * `onChange` subscribers, and rejects any in-flight handshake
+     * waiters. Call this when the client is no longer needed
+     * (e.g. on SPA unmount or hot-module replacement) to prevent
+     * memory leaks and stale callbacks.
+     *
+     * @example
+     * ```ts
+     * // SvelteKit onDestroy
+     * import { onDestroy } from "svelte";
+     * const auth = client({ convex, api: api.auth });
+     * onDestroy(() => auth.destroy());
+     * ```
+     *
+     * @example
+     * ```ts
+     * const unsubscribe = auth.onChange((state) => console.log(state.phase));
+     *
+     * // Later, during cleanup:
+     * unsubscribe();
+     * auth.destroy();
+     * ```
+     */
+    destroy: () => {
+      destroyed = true;
+      settleHandshakeWaiters(authEpoch, {
+        type: "reject",
+        error: createHandshakeError("AUTH_HANDSHAKE_REJECTED", {
+          reason: "destroyed",
+        }),
+      });
+      disposeStorageListener?.();
+      subscribers.clear();
+    },
+  } as AuthClient<Api>;
 }