@salesforce/commerce-sdk-react 5.2.0-nightly-20260430084253 → 5.2.0-preview.0

package/CHANGELOG.md

@@ -1,8 +1,6 @@
-## v5.2.0-nightly-20260430084253 (Apr 30, 2026)
-## v5.2.0-dev (Apr 30, 2026)
-## v3.18.0-nightly-20260430084253 (Apr 30, 2026)
-## v5.2.0-dev (Mar 20, 2026)
+## v5.2.0-preview.0 (May 01, 2026)
 - Allow auth related cookies domain to be set via config [#3782](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3782)
+- Add support for HttpOnly session cookies [#3804](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3804)
 
 ## v5.1.1 (Mar 20, 2026)
 - Update storefront preview to support base paths [#3614](https://github.com/SalesforceCommerceCloud/pwa-kit/pull/3614)

package/auth/index.d.ts

@@ -9,6 +9,7 @@ interface AuthConfig extends ApiClientConfigParams {
     proxy: string;
     headers?: Record<string, string>;
     privateClientProxyEndpoint?: string;
+    publicClientProxyEndpoint?: string;
     fetchOptions?: FetchOptions;
     fetchedToken?: string;
     enablePWAKitPrivateClient?: boolean;
@@ -21,6 +22,8 @@ interface AuthConfig extends ApiClientConfigParams {
     refreshTokenGuestCookieTTL?: number;
     hybridAuthEnabled?: boolean;
     cookieDomain?: string;
+    /** When true, session tokens are set as HttpOnly cookies */
+    enableHttpOnlySessionCookies?: boolean;
 }
 /**
  * Body type for loginRegisteredUserB2C - aligns with register function pattern
@@ -70,12 +73,20 @@ export type AuthData = Prettify<RemoveStringIndex<TokenResponse> & {
     idp_access_token: string;
 }>;
 /** A shopper could be guest or registered, so we store the refresh tokens individually. */
-type AuthDataKeys = Exclude<keyof AuthData, 'refresh_token'> | 'refresh_token_guest' | 'refresh_token_registered' | 'access_token_sfra' | typeof DNT_COOKIE_NAME | typeof DWSID_COOKIE_NAME | 'code_verifier' | 'uido' | 'idp_refresh_token' | 'dnt';
+type AuthDataKeys = Exclude<keyof AuthData, 'refresh_token'> | 'refresh_token_guest' | 'refresh_token_registered' | 'access_token_sfra' | typeof DNT_COOKIE_NAME | typeof DWSID_COOKIE_NAME | 'code_verifier' | 'uido' | 'idp_refresh_token' | 'dnt' | 'cc-at-expires' | 'cc-at-dnt' | 'cc-nx-exists';
 type DntOptions = {
     includeDefaults: boolean;
 };
 export declare const DEFAULT_SLAS_REFRESH_TOKEN_REGISTERED_TTL: number;
 export declare const DEFAULT_SLAS_REFRESH_TOKEN_GUEST_TTL: number;
+/**
+ * Module-level map for deduplicating concurrent refresh token requests across Auth instances.
+ * React may recreate Auth instances on re-renders (due to unstable useMemo deps like `headers`),
+ * so instance-level dedup via `this.pendingToken` is insufficient. This map ensures only one
+ * in-flight refresh request exists per siteId+clientId combination.
+ * @internal — exported for test access only
+ */
+export declare const pendingRefreshTokens: Map<string, Promise<AuthData>>;
 /**
  * This class is used to handle shopper authentication.
  * It is responsible for initializing shopper session, manage access
@@ -88,7 +99,6 @@ declare class Auth {
     private client;
     private shopperCustomersClient;
     private redirectURI;
-    private pendingToken;
     private stores;
     private fetchedToken;
     private clientSecret;
@@ -101,10 +111,17 @@ declare class Auth {
     private refreshTokenGuestCookieTTL;
     private refreshTrustedAgentHandler;
     private hybridAuthEnabled;
+    private enableHttpOnlySessionCookies;
     constructor(config: AuthConfig);
     get(name: AuthDataKeys): string;
     private set;
     private delete;
+    /**
+     * Returns the DNT value from the current access token, or undefined if
+     * no access token is available. In HttpOnly mode, reads from the
+     * cc-at-dnt companion cookie; otherwise parses the JWT directly.
+     */
+    private getDntFromAccessToken;
     /**
      * Return the value of the DNT cookie or undefined if it is not set.
      * The DNT cookie being undefined means that there is a necessity to
@@ -129,6 +146,27 @@ declare class Auth {
      * Used to validate JWT token expiration.
      */
     private isTokenExpired;
+    /**
+     * Returns whether a refresh token exists in an HttpOnly cookie. Since JavaScript cannot
+     * read HttpOnly cookies, we check the non-HttpOnly indicator cookie (cc-nx-exists) that
+     * is set alongside the refresh token with the same expiry.
+     */
+    private hasHttpOnlyRefreshToken;
+    /**
+     * Clears the non-HttpOnly access token expiry cookie (cc-at-expires).
+     *
+     * This is needed when SCAPI returns a 401 because the HttpOnly access token cookie
+     * (cc-at_{siteId}) was deleted externally while the expiry cookie remained valid.
+     * Clearing the expiry cookie ensures isAccessTokenExpired() returns true, so
+     * subsequent calls to ready() will trigger a refresh instead of assuming the token
+     * is still valid.
+     */
+    clearAccessTokenExpiry(): void;
+    /**
+     * Returns whether the access token is expired. When enableHttpOnlySessionCookies is true,
+     * uses cc-at-expires cookie from store; otherwise decodes the JWT from getAccessToken().
+     */
+    private isAccessTokenExpired;
     /**
      * Returns the SLAS access token or an empty string if the access token
      * is not found in local store or if SFRA wants PWA to trigger refresh token login.
@@ -186,45 +224,13 @@ declare class Auth {
      * store the data in storage.
      */
     private handleTokenResponse;
-    refreshAccessToken(): Promise<{
-        access_token: string;
-        id_token: string;
-        refresh_token: string;
-        expires_in: number;
-        refresh_token_expires_in: number;
-        token_type: "Bearer";
-        usid: string;
-        customer_id: string;
-        enc_user_id: string;
-        idp_access_token: string;
-        idp_refresh_token?: string | undefined;
-        dnt?: string | undefined;
-    } & {
-        [key: string]: any;
-    }>;
+    private get refreshDedupKey();
+    refreshAccessToken(): Promise<AuthData>;
     /**
-     * This method queues the requests and handles the SLAS token response.
-     *
-     * It returns the queue.
-     *
-     * @Internal
+     * Internal implementation of the refresh flow. Called only via refreshAccessToken()
+     * which wraps it in the module-level pendingRefreshTokens map for deduplication.
      */
-    queueRequest(fn: () => Promise<TokenResponse>, isGuest: boolean): Promise<{
-        access_token: string;
-        id_token: string;
-        refresh_token: string;
-        expires_in: number;
-        refresh_token_expires_in: number;
-        token_type: "Bearer";
-        usid: string;
-        customer_id: string;
-        enc_user_id: string;
-        idp_access_token: string;
-        idp_refresh_token?: string | undefined;
-        dnt?: string | undefined;
-    } & {
-        [key: string]: any;
-    }>;
+    private _refreshAccessToken;
     logWarning: (msg: string) => void;
     /**
      * This method extracts the status and message from a ResponseError that is returned
@@ -257,22 +263,7 @@ declare class Auth {
      * 3. If we have valid TAOB access token - refresh TAOB token flow
      * 4. PKCE flow
      */
-    ready(): Promise<{
-        access_token: string;
-        id_token: string;
-        refresh_token: string;
-        expires_in: number;
-        refresh_token_expires_in: number;
-        token_type: "Bearer";
-        usid: string;
-        customer_id: string;
-        enc_user_id: string;
-        idp_access_token: string;
-        idp_refresh_token?: string | undefined;
-        dnt?: string | undefined;
-    } & {
-        [key: string]: any;
-    }>;
+    ready(): Promise<AuthData>;
     /**
      * Creates a function that only executes after a session is initialized.
      * @param fn Function that needs to wait until the session is initialized.
@@ -283,22 +274,7 @@ declare class Auth {
      * A wrapper method for commerce-sdk-isomorphic helper: loginGuestUser.
      *
      */
-    loginGuestUser(parameters?: helpers.CustomQueryParameters): Promise<{
-        access_token: string;
-        id_token: string;
-        refresh_token: string;
-        expires_in: number;
-        refresh_token_expires_in: number;
-        token_type: "Bearer";
-        usid: string;
-        customer_id: string;
-        enc_user_id: string;
-        idp_access_token: string;
-        idp_refresh_token?: string | undefined;
-        dnt?: string | undefined;
-    } & {
-        [key: string]: any;
-    }>;
+    loginGuestUser(parameters?: helpers.CustomQueryParameters): Promise<AuthData>;
     /**
      * This is a wrapper method for ShopperCustomer API registerCustomer endpoint.
      *
@@ -333,6 +309,7 @@ declare class Auth {
         authType?: ("guest" | "registered") | undefined;
         birthday?: string | undefined;
         companyName?: string | undefined;
+        crmContactId?: string | undefined;
         creationDate?: string | undefined;
         currentPassword?: string | undefined;
         customerId?: string | undefined;
@@ -454,22 +431,7 @@ declare class Auth {
      * A wrapper method for commerce-sdk-isomorphic helper: logout.
      *
      */
-    logout(): Promise<{
-        access_token: string;
-        id_token: string;
-        refresh_token: string;
-        expires_in: number;
-        refresh_token_expires_in: number;
-        token_type: "Bearer";
-        usid: string;
-        customer_id: string;
-        enc_user_id: string;
-        idp_access_token: string;
-        idp_refresh_token?: string | undefined;
-        dnt?: string | undefined;
-    } & {
-        [key: string]: any;
-    }>;
+    logout(): Promise<AuthData>;
     /**
      * Handle updating customer password and re-log in after the access token is invalidated.
      *
@@ -512,6 +474,17 @@ declare class Auth {
      *
      */
     resetPassword(parameters: ShopperLoginTypes.resetPasswordBodyType): Promise<void>;
+    /**
+     * Get the current USID for Storefront Preview by forcing a SLAS refresh.
+     *
+     * Works for both guest and registered shoppers: when an existing refresh
+     * token is present (guest or registered, legacy or HttpOnly), the SLAS
+     * response provides a fresh USID. When no refresh token is present,
+     * `refreshAccessToken()` falls through to a guest login, which also yields
+     * a fresh USID. Preview can therefore always obtain a USID without
+     * requiring the shopper to sign in.
+     */
+    getUsidForPreview(): Promise<string>;
     /**
      * Decode SLAS JWT and extract information such as customer id, usid, etc.
      *

package/auth/index.js

@@ -3,7 +3,7 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.default = exports.DEFAULT_SLAS_REFRESH_TOKEN_REGISTERED_TTL = exports.DEFAULT_SLAS_REFRESH_TOKEN_GUEST_TTL = void 0;
+exports.pendingRefreshTokens = exports.default = exports.DEFAULT_SLAS_REFRESH_TOKEN_REGISTERED_TTL = exports.DEFAULT_SLAS_REFRESH_TOKEN_GUEST_TTL = void 0;
 var _commerceSdkIsomorphic = require("commerce-sdk-isomorphic");
 var _jwtDecode = require("jwt-decode");
 var _storage = require("./storage");
@@ -139,11 +139,32 @@ const DATA_MAP = {
   uido: {
     storageType: 'local',
     key: 'uido'
+  },
+  'cc-at-expires': {
+    storageType: 'cookie',
+    key: 'cc-at-expires'
+  },
+  'cc-at-dnt': {
+    storageType: 'cookie',
+    key: 'cc-at-dnt'
+  },
+  'cc-nx-exists': {
+    storageType: 'cookie',
+    key: 'cc-nx-exists'
   }
 };
 const DEFAULT_SLAS_REFRESH_TOKEN_REGISTERED_TTL = exports.DEFAULT_SLAS_REFRESH_TOKEN_REGISTERED_TTL = 90 * 24 * 60 * 60;
 const DEFAULT_SLAS_REFRESH_TOKEN_GUEST_TTL = exports.DEFAULT_SLAS_REFRESH_TOKEN_GUEST_TTL = 30 * 24 * 60 * 60;
 
+/**
+ * Module-level map for deduplicating concurrent refresh token requests across Auth instances.
+ * React may recreate Auth instances on re-renders (due to unstable useMemo deps like `headers`),
+ * so instance-level dedup via `this.pendingToken` is insufficient. This map ensures only one
+ * in-flight refresh request exists per siteId+clientId combination.
+ * @internal — exported for test access only
+ */
+const pendingRefreshTokens = exports.pendingRefreshTokens = new Map();
+
 /**
  * This class is used to handle shopper authentication.
  * It is responsible for initializing shopper session, manage access
@@ -157,7 +178,7 @@ class Auth {
     // Special proxy endpoint for injecting SLAS private client secret.
     // We prioritize config.privateClientProxyEndpoint since that allows us to use the new envBasePath feature
     this.client = new _commerceSdkIsomorphic.ShopperLogin({
-      proxy: config.enablePWAKitPrivateClient ? config.privateClientProxyEndpoint : config.proxy,
+      proxy: config.enablePWAKitPrivateClient ? config.privateClientProxyEndpoint : config.enableHttpOnlySessionCookies ? config.publicClientProxyEndpoint : config.proxy,
       headers: config.headers || {},
       parameters: {
         clientId: config.clientId,
@@ -238,6 +259,7 @@ class Auth {
     this.isPrivate = !!this.clientSecret;
     this.passwordlessLoginCallbackURI = config.passwordlessLoginCallbackURI || '';
     this.hybridAuthEnabled = config.hybridAuthEnabled || false;
+    this.enableHttpOnlySessionCookies = config.enableHttpOnlySessionCookies ?? false;
   }
   get(name) {
     const {
@@ -266,6 +288,22 @@ class Auth {
     storage.delete(key);
   }
 
+  /**
+   * Returns the DNT value from the current access token, or undefined if
+   * no access token is available. In HttpOnly mode, reads from the
+   * cc-at-dnt companion cookie; otherwise parses the JWT directly.
+   */
+  getDntFromAccessToken() {
+    if (this.enableHttpOnlySessionCookies && (0, _utils.onClient)()) {
+      return this.get('cc-at-dnt') || undefined;
+    }
+    const accessToken = this.getAccessToken();
+    if (accessToken) {
+      return this.parseSlasJWT(accessToken).dnt;
+    }
+    return undefined;
+  }
+
   /**
    * Return the value of the DNT cookie or undefined if it is not set.
    * The DNT cookie being undefined means that there is a necessity to
@@ -282,14 +320,8 @@ class Auth {
   getDnt(options) {
     const dntCookieVal = this.get(_constant.DNT_COOKIE_NAME);
     let dntCookieStatus = undefined;
-    const accessToken = this.getAccessToken();
-    let isInSync = true;
-    if (accessToken) {
-      const {
-        dnt
-      } = this.parseSlasJWT(accessToken);
-      isInSync = dnt === dntCookieVal;
-    }
+    const accessTokenDnt = this.getDntFromAccessToken();
+    const isInSync = accessTokenDnt === undefined || accessTokenDnt === dntCookieVal;
     if (dntCookieVal !== '1' && dntCookieVal !== '0' || !isInSync) {
       this.delete(_constant.DNT_COOKIE_NAME);
     } else {
@@ -322,15 +354,8 @@ class Auth {
       _this.set(_constant.DNT_COOKIE_NAME, dntCookieVal, _objectSpread(_objectSpread({}, (0, _utils.getDefaultCookieAttributes)()), {}, {
         secure: true
       }));
-      const accessToken = _this.getAccessToken();
-      if (accessToken !== '') {
-        const {
-          dnt
-        } = _this.parseSlasJWT(accessToken);
-        if (dnt !== dntCookieVal) {
-          yield _this.refreshAccessToken();
-        }
-      } else {
+      const accessTokenDnt = _this.getDntFromAccessToken();
+      if (accessTokenDnt === undefined || accessTokenDnt !== dntCookieVal) {
         yield _this.refreshAccessToken();
       }
       if (preference !== null) {
@@ -387,6 +412,46 @@ class Auth {
     return validTimeSeconds <= tokenAgeSeconds;
   }
 
+  /**
+   * Returns whether a refresh token exists in an HttpOnly cookie. Since JavaScript cannot
+   * read HttpOnly cookies, we check the non-HttpOnly indicator cookie (cc-nx-exists) that
+   * is set alongside the refresh token with the same expiry.
+   */
+  hasHttpOnlyRefreshToken() {
+    return this.enableHttpOnlySessionCookies && (0, _utils.onClient)() && this.get('cc-nx-exists') === '1';
+  }
+
+  /**
+   * Clears the non-HttpOnly access token expiry cookie (cc-at-expires).
+   *
+   * This is needed when SCAPI returns a 401 because the HttpOnly access token cookie
+   * (cc-at_{siteId}) was deleted externally while the expiry cookie remained valid.
+   * Clearing the expiry cookie ensures isAccessTokenExpired() returns true, so
+   * subsequent calls to ready() will trigger a refresh instead of assuming the token
+   * is still valid.
+   */
+  clearAccessTokenExpiry() {
+    this.delete('cc-at-expires');
+  }
+
+  /**
+   * Returns whether the access token is expired. When enableHttpOnlySessionCookies is true,
+   * uses cc-at-expires cookie from store; otherwise decodes the JWT from getAccessToken().
+   */
+  isAccessTokenExpired() {
+    if (this.enableHttpOnlySessionCookies && (0, _utils.onClient)()) {
+      const expiresAt = this.get('cc-at-expires');
+      if (expiresAt == null || expiresAt === '') return true;
+      const expiresAtSec = Number(expiresAt);
+      if (Number.isNaN(expiresAtSec)) return true;
+      const bufferSeconds = 60;
+      return Date.now() / 1000 >= expiresAtSec - bufferSeconds;
+    }
+    // Server (SSR) or httpOnly disabled: decode JWT from stored token
+    const token = this.getAccessToken();
+    return !token || this.isTokenExpired(token);
+  }
+
   /**
    * Returns the SLAS access token or an empty string if the access token
    * is not found in local store or if SFRA wants PWA to trigger refresh token login.
@@ -543,79 +608,144 @@ class Auth {
   handleTokenResponse(res, isGuest) {
     // Delete the SFRA auth token cookie if it exists
     this.clearSFRAAuthToken();
-    this.set('access_token', res.access_token);
     this.set('customer_id', res.customer_id);
     this.set('enc_user_id', res.enc_user_id);
     this.set('expires_in', `${res.expires_in}`);
     this.set('id_token', res.id_token);
-    this.set('idp_access_token', res.idp_access_token);
     this.set('token_type', res.token_type);
     this.set('customer_type', isGuest ? 'guest' : 'registered');
-    const refreshTokenKey = isGuest ? 'refresh_token_guest' : 'refresh_token_registered';
     const refreshTokenTTLValue = this.getRefreshTokenCookieTTLValue(res.refresh_token_expires_in, isGuest);
-    if (res.access_token) {
-      const {
-        uido
-      } = this.parseSlasJWT(res.access_token);
-      this.set('uido', uido);
-    }
-    const expiresDate = this.convertSecondsToDate(refreshTokenTTLValue);
     this.set('refresh_token_expires_in', refreshTokenTTLValue.toString());
-    this.set(refreshTokenKey, res.refresh_token, {
-      expires: expiresDate
-    });
-    this.set('usid', res.usid, {
+    const expiresDate = this.convertSecondsToDate(refreshTokenTTLValue);
+    this.set('usid', res.usid ?? '', {
       expires: expiresDate
     });
+    if (this.enableHttpOnlySessionCookies && (0, _utils.onClient)()) {
+      // Browser: skip token storage, httpOnly cookies handle it
+      const uidoFromCookie = this.stores['cookie'].get('uido');
+      if (uidoFromCookie) this.set('uido', uidoFromCookie);
+    } else {
+      // Server (SSR) or httpOnly disabled: store tokens normally
+      this.set('access_token', res.access_token);
+      this.set('idp_access_token', res.idp_access_token);
+      if (res.access_token) {
+        const {
+          uido
+        } = this.parseSlasJWT(res.access_token);
+        this.set('uido', uido);
+      }
+      const refreshTokenKey = isGuest ? 'refresh_token_guest' : 'refresh_token_registered';
+      this.set(refreshTokenKey, res.refresh_token, {
+        expires: expiresDate
+      });
+    }
+  }
+  get refreshDedupKey() {
+    const params = this.client.clientConfig.parameters;
+    return `refresh:${params.siteId}:${params.clientId}`;
   }
   refreshAccessToken() {
     var _this2 = this;
     return _asyncToGenerator(function* () {
-      const dntPref = _this2.getDnt({
+      // Dedup uses a module-level map (not an instance field) because React may recreate
+      // the Auth instance on re-renders, giving each instance its own state. The map is
+      // keyed by siteId+clientId so different sites/clients remain independent.
+      // On the server (SSR), each request is isolated — skip dedup entirely.
+      if (!(0, _utils.onClient)()) {
+        return yield _this2._refreshAccessToken();
+      }
+      const key = _this2.refreshDedupKey;
+      const existing = pendingRefreshTokens.get(key);
+      if (existing) {
+        yield existing;
+        return _this2.data;
+      }
+      const promise = _this2._refreshAccessToken().finally(() => {
+        pendingRefreshTokens.delete(key);
+      });
+      pendingRefreshTokens.set(key, promise);
+      return yield promise;
+    })();
+  }
+
+  /**
+   * Internal implementation of the refresh flow. Called only via refreshAccessToken()
+   * which wraps it in the module-level pendingRefreshTokens map for deduplication.
+   */
+  _refreshAccessToken() {
+    var _this3 = this;
+    return _asyncToGenerator(function* () {
+      const dntPref = _this3.getDnt({
         includeDefaults: true
       });
-      const refreshTokenRegistered = _this2.get('refresh_token_registered');
-      const refreshTokenGuest = _this2.get('refresh_token_guest');
+      const refreshTokenRegistered = _this3.get('refresh_token_registered');
+      const refreshTokenGuest = _this3.get('refresh_token_guest');
       const refreshToken = refreshTokenRegistered || refreshTokenGuest;
-      if (refreshToken) {
+
+      // When HttpOnly session cookies are enabled on the client, the refresh token is in an
+      // HttpOnly cookie that JavaScript cannot read. We check the non-HttpOnly indicator
+      // cookie (cc-nx-exists) to avoid a wasted round-trip when the refresh token is absent.
+      // If cc-nx-exists is also missing (e.g. cleared by the user), the proxy layer will
+      // catch the missing refresh token and return a 401, falling through to guest login.
+      if (refreshToken || !refreshToken && _this3.hasHttpOnlyRefreshToken()) {
         try {
-          return yield _this2.queueRequest(() => _commerceSdkIsomorphic.helpers.refreshAccessToken({
-            slasClient: _this2.client,
+          const isGuest = _this3.get('customer_type') !== 'registered';
+          // Signal the proxy that this is a refresh token request so it can
+          // inject the HttpOnly refresh token cookie as the sfdc_refresh_token header.
+          if (_this3.enableHttpOnlySessionCookies) {
+            _this3.client.clientConfig.headers[_constant.X_GRANT_TYPE] = 'refresh_token';
+          }
+          const token = yield _commerceSdkIsomorphic.helpers.refreshAccessToken({
+            slasClient: _this3.client,
             parameters: {
-              refreshToken,
+              refreshToken: refreshToken || '',
               dnt: dntPref
             },
             credentials: {
-              clientSecret: _this2.clientSecret
-            }
-          }), !!refreshTokenGuest);
+              clientSecret: _this3.clientSecret
+            },
+            enableHttpOnlySessionCookies: _this3.enableHttpOnlySessionCookies
+          });
+          _this3.handleTokenResponse(token, isGuest);
+          return _this3.data;
         } catch (error) {
-          // If the refresh token is invalid, we need to re-login the user
+          // If the refresh token is invalid, we need to re-login the user.
           if (error instanceof Error && 'response' in error) {
             // commerce-sdk-isomorphic throws a `ResponseError`, but doesn't export the class.
             // We can't use `instanceof`, so instead we just check for the `response` property
             // and assume it is a fetch Response.
             const json = yield error['response'].json();
             if (json.message === 'invalid refresh_token') {
-              // clean up storage and restart the login flow
-              _this2.clearStorage();
+              // In a multi-tab scenario, another tab may have already consumed the
+              // one-time-use refresh token and stored fresh tokens. Re-check storage
+              // before clearing — if a valid access token exists, use it instead of
+              // wiping the other tab's work and falling back to guest login.
+              if (!_this3.isAccessTokenExpired()) {
+                return _this3.data;
+              }
+              // No valid token found — clean up storage and restart the login flow.
+              _this3.clearStorage();
             }
           }
+        } finally {
+          delete _this3.client.clientConfig.headers[_constant.X_GRANT_TYPE];
         }
       }
 
       // refresh flow for TAOB
-      const accessToken = _this2.getAccessToken();
-      if (accessToken && _this2.isTokenExpired(accessToken)) {
+      const accessToken = _this3.getAccessToken();
+      if (_this3.isAccessTokenExpired()) {
         try {
           const {
             isGuest,
             usid,
             loginId,
             isAgent
-          } = _this2.parseSlasJWT(accessToken);
+          } = _this3.parseSlasJWT(accessToken);
           if (isAgent) {
-            return yield _this2.queueRequest(() => _this2.refreshTrustedAgent(loginId, usid), isGuest);
+            const token = yield _this3.refreshTrustedAgent(loginId, usid);
+            _this3.handleTokenResponse(token, isGuest);
+            return _this3.data;
           }
         } catch (e) {
           /* catch invalid jwt */
@@ -626,39 +756,14 @@ class Auth {
       // use it, we will be stuck in a fail loop
       let token;
       try {
-        token = yield _this2.loginGuestUser();
+        token = yield _this3.loginGuestUser();
       } catch (e) {
-        _this2.clearStorage();
-        token = yield _this2.loginGuestUser();
+        _this3.clearStorage();
+        token = yield _this3.loginGuestUser();
       }
       return token;
     })();
   }
-
-  /**
-   * This method queues the requests and handles the SLAS token response.
-   *
-   * It returns the queue.
-   *
-   * @Internal
-   */
-  queueRequest(fn, isGuest) {
-    var _this3 = this;
-    return _asyncToGenerator(function* () {
-      const queue = _this3.pendingToken ?? Promise.resolve();
-      _this3.pendingToken = queue.then(/*#__PURE__*/_asyncToGenerator(function* () {
-        const token = yield fn();
-        _this3.handleTokenResponse(token, isGuest);
-        // Q: Why don't we just return token? Why re-construct the same object again?
-        // A: because a user could open multiple tabs and the data in memory could be out-dated
-        // We must always grab the data from the storage (cookie/localstorage) directly
-        return _this3.data;
-      })).finally(() => {
-        _this3.pendingToken = undefined;
-      });
-      return yield _this3.pendingToken;
-    })();
-  }
   logWarning = msg => {
     if (!this.silenceWarnings) {
       this.logger.warn(msg);
@@ -681,7 +786,7 @@ class Auth {
    * @Internal
    */
   extractResponseError = (() => function () {
-    var _ref2 = _asyncToGenerator(function* (error) {
+    var _ref = _asyncToGenerator(function* (error) {
       // the regular error.message will return only the generic status code message
       // ie. 'Bad Request' for 400. We need to drill specifically into the ResponseError
       // to get a more descriptive error message from SLAS
@@ -697,7 +802,7 @@ class Auth {
       throw error;
     });
     return function (_x) {
-      return _ref2.apply(this, arguments);
+      return _ref.apply(this, arguments);
     };
   }())();
 
@@ -751,11 +856,14 @@ class Auth {
         _this4.set('customer_type', isGuest ? 'guest' : 'registered');
         return _this4.data;
       }
-      if (_this4.pendingToken) {
-        return yield _this4.pendingToken;
+      if ((0, _utils.onClient)()) {
+        const pendingRefresh = pendingRefreshTokens.get(_this4.refreshDedupKey);
+        if (pendingRefresh) {
+          yield pendingRefresh;
+          return _this4.data;
+        }
       }
-      const accessToken = _this4.getAccessToken();
-      if (accessToken && !_this4.isTokenExpired(accessToken)) {
+      if (!_this4.isAccessTokenExpired()) {
         return _this4.data;
       }
       return yield _this4.refreshAccessToken();
@@ -810,9 +918,16 @@ class Auth {
           usid
         }), parameters)
       };
-      const callback = _this6.clientSecret ? () => _commerceSdkIsomorphic.helpers.loginGuestUserPrivate(_objectSpread({}, guestPrivateArgs)) : () => _commerceSdkIsomorphic.helpers.loginGuestUser(_objectSpread({}, guestPublicArgs));
+      const enableHttpOnlySessionCookies = _this6.enableHttpOnlySessionCookies;
+      const callback = _this6.clientSecret ? () => _commerceSdkIsomorphic.helpers.loginGuestUserPrivate(_objectSpread(_objectSpread({}, guestPrivateArgs), {}, {
+        enableHttpOnlySessionCookies
+      })) : () => _commerceSdkIsomorphic.helpers.loginGuestUser(_objectSpread(_objectSpread({}, guestPublicArgs), {}, {
+        enableHttpOnlySessionCookies
+      }));
       try {
-        return yield _this6.queueRequest(callback, isGuest);
+        const token = yield callback();
+        _this6.handleTokenResponse(token, isGuest);
+        return _this6.data;
       } catch (error) {
         // We catch the error here to do logging but we still need to
         // throw an error to stop the login flow from continuing.
@@ -908,7 +1023,8 @@ class Auth {
         }, usid && {
           usid
         }),
-        body: customParameters
+        body: customParameters,
+        enableHttpOnlySessionCookies: _this8.enableHttpOnlySessionCookies
       };
       const token = yield _commerceSdkIsomorphic.helpers.loginRegisteredUserB2C(loginParams);
       _this8.handleTokenResponse(token, isGuest);
@@ -1013,14 +1129,23 @@ class Auth {
     var _this10 = this;
     return _asyncToGenerator(function* () {
       if (_this10.get('customer_type') === 'registered') {
-        // Not awaiting on purpose because there isn't much we can do if this fails.
-        void _commerceSdkIsomorphic.helpers.logout({
+        const logoutPromise = _commerceSdkIsomorphic.helpers.logout({
           slasClient: _this10.client,
           parameters: {
             accessToken: _this10.get('access_token'),
             refreshToken: _this10.get('refresh_token_registered')
           }
         });
+        if (_this10.enableHttpOnlySessionCookies) {
+          // When HttpOnly cookies are enabled, the proxy expires session cookies
+          // on the logout response. We must await so the browser processes the
+          // Set-Cookie headers before guest login sets new cookies.
+          try {
+            yield logoutPromise;
+          } catch (error) {
+            _this10.logger.warn(`SLAS logout failed: ${error instanceof Error ? error.message : String(error)}. The error is ignored and session cookies are still cleared by the proxy.`);
+          }
+        }
       }
       _this10.clearStorage();
       return yield _this10.ready();
@@ -1142,7 +1267,8 @@ class Auth {
           dnt: dntPref
         }, usid && {
           usid
-        })
+        }),
+        enableHttpOnlySessionCookies: _this13.enableHttpOnlySessionCookies
       });
       const isGuest = false;
       _this13.handleTokenResponse(token, isGuest);
@@ -1223,7 +1349,8 @@ class Auth {
           usid
         }), parameters.register_customer !== undefined && {
           register_customer: typeof parameters.register_customer === 'boolean' ? String(parameters.register_customer) : parameters.register_customer
-        })
+        }),
+        enableHttpOnlySessionCookies: _this15.enableHttpOnlySessionCookies
       });
       const isGuest = false;
       _this15.handleTokenResponse(token, isGuest);
@@ -1313,6 +1440,28 @@ class Auth {
     })();
   }
 
+  /**
+   * Get the current USID for Storefront Preview by forcing a SLAS refresh.
+   *
+   * Works for both guest and registered shoppers: when an existing refresh
+   * token is present (guest or registered, legacy or HttpOnly), the SLAS
+   * response provides a fresh USID. When no refresh token is present,
+   * `refreshAccessToken()` falls through to a guest login, which also yields
+   * a fresh USID. Preview can therefore always obtain a USID without
+   * requiring the shopper to sign in.
+   */
+  getUsidForPreview() {
+    var _this18 = this;
+    return _asyncToGenerator(function* () {
+      yield _this18.refreshAccessToken();
+      const usid = _this18.get('usid');
+      if (!usid) {
+        throw new Error('SLAS refresh did not return a USID');
+      }
+      return usid;
+    })();
+  }
+
   /**
    * Decode SLAS JWT and extract information such as customer id, usid, etc.
    *

package/components/StorefrontPreview/storefront-preview.js

@@ -35,8 +35,8 @@ const PWA_KIT_PATH_PREFIX = '/__pwa-kit/';
 /**
  * Runtime Admin always prepends envBasePath to /__pwa-kit/ paths (e.g. /test/__pwa-kit/refresh),
  * but when showBasePath is false, React Router has no basename and expects /__pwa-kit/refresh.
- * 
- * This ensures that regardless of the showBasePath setting, these paths are normalized to 
+ *
+ * This ensures that regardless of the showBasePath setting, these paths are normalized to
  * remove the base path.
  */
 function normalizePwaKitPath(pathOrLocation) {
@@ -92,10 +92,14 @@ const StorefrontPreview = ({
   const {
     siteId
   } = (0, _hooks.useConfig)();
+  const {
+    getUsidForPreview
+  } = (0, _hooks.useUsid)();
   (0, _react.useEffect)(() => {
     if (enabled && isHostTrusted) {
       window.STOREFRONT_PREVIEW = _objectSpread(_objectSpread({}, window.STOREFRONT_PREVIEW), {}, {
         getToken,
+        getUsid: getUsidForPreview,
         onContextChange,
         siteId,
         experimentalUnsafeNavigate: (path, action = 'push', ...args) => {
@@ -106,7 +110,7 @@ const StorefrontPreview = ({
         }
       });
     }
-  }, [enabled, getToken, onContextChange, siteId, getBasePath]);
+  }, [enabled, getToken, getUsidForPreview, onContextChange, siteId, getBasePath]);
   (0, _react.useEffect)(() => {
     if (enabled && isHostTrusted) {
       // In Storefront Preview mode, add cache breaker for all SCAPI's requests.

package/constant.d.ts

@@ -20,6 +20,7 @@ export declare const EXCLUDE_COOKIE_SUFFIX: string[];
  * Use the header key below to send dwsid value with SCAPI/OCAPI requests.
  */
 export declare const SERVER_AFFINITY_HEADER_KEY = "sfdc_dwsid";
+export declare const X_GRANT_TYPE = "x-grant-type";
 export declare const CLIENT_KEYS: {
     readonly SHOPPER_BASKETS: "shopperBaskets";
     readonly SHOPPER_BASKETS_V2: "shopperBasketsV2";

package/constant.js

@@ -3,7 +3,7 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.SLAS_SECRET_WARNING_MSG = exports.SLAS_SECRET_PLACEHOLDER = exports.SLAS_SECRET_OVERRIDE_MSG = exports.SLAS_REFRESH_TOKEN_COOKIE_TTL_OVERRIDE_MSG = exports.SERVER_AFFINITY_HEADER_KEY = exports.IFRAME_HOST_ALLOW_LIST = exports.EXCLUDE_COOKIE_SUFFIX = exports.DWSID_COOKIE_NAME = exports.DNT_COOKIE_NAME = exports.CLIENT_KEYS = void 0;
+exports.X_GRANT_TYPE = exports.SLAS_SECRET_WARNING_MSG = exports.SLAS_SECRET_PLACEHOLDER = exports.SLAS_SECRET_OVERRIDE_MSG = exports.SLAS_REFRESH_TOKEN_COOKIE_TTL_OVERRIDE_MSG = exports.SERVER_AFFINITY_HEADER_KEY = exports.IFRAME_HOST_ALLOW_LIST = exports.EXCLUDE_COOKIE_SUFFIX = exports.DWSID_COOKIE_NAME = exports.DNT_COOKIE_NAME = exports.CLIENT_KEYS = void 0;
 /*
  * Copyright (c) 2025, Salesforce, Inc.
  * All rights reserved.
@@ -36,6 +36,9 @@ const EXCLUDE_COOKIE_SUFFIX = exports.EXCLUDE_COOKIE_SUFFIX = [DWSID_COOKIE_NAME
  * Use the header key below to send dwsid value with SCAPI/OCAPI requests.
  */
 const SERVER_AFFINITY_HEADER_KEY = exports.SERVER_AFFINITY_HEADER_KEY = 'sfdc_dwsid';
+
+// Custom header sent by the SDK to signal a refresh token request to the proxy.
+const X_GRANT_TYPE = exports.X_GRANT_TYPE = 'x-grant-type';
 const CLIENT_KEYS = exports.CLIENT_KEYS = {
   SHOPPER_BASKETS: 'shopperBaskets',
   SHOPPER_BASKETS_V2: 'shopperBasketsV2',

package/hooks/helpers.d.ts

@@ -9,22 +9,7 @@ import { CustomEndpointArg, OptionalCustomEndpointClientConfig, TMutationVariabl
  * @param error - the error
  * @returns a new guest access token
  */
-export declare const handleInvalidToken: (error: any, auth: Auth, logger: Logger) => Promise<{
-    access_token: string;
-    id_token: string;
-    refresh_token: string;
-    expires_in: number;
-    refresh_token_expires_in: number;
-    token_type: "Bearer";
-    usid: string;
-    customer_id: string;
-    enc_user_id: string;
-    idp_access_token: string;
-    idp_refresh_token?: string | undefined;
-    dnt?: string | undefined;
-} & {
-    [key: string]: any;
-}>;
+export declare const handleInvalidToken: (error: any, auth: Auth, logger: Logger) => Promise<import("../auth").AuthData>;
 /**
  * A helper function for preparing a call to the SCAPI custom API endpoint
  */

package/hooks/helpers.js

@@ -4,20 +4,19 @@ Object.defineProperty(exports, "__esModule", {
   value: true
 });
 exports.handleInvalidToken = exports.generateCustomEndpointOptions = void 0;
+var _utils = require("../utils");
 function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
 function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
 function _defineProperty(e, r, t) { return (r = _toPropertyKey(r)) in e ? Object.defineProperty(e, r, { value: t, enumerable: !0, configurable: !0, writable: !0 }) : e[r] = t, e; }
 function _toPropertyKey(t) { var i = _toPrimitive(t, "string"); return "symbol" == typeof i ? i : i + ""; }
 function _toPrimitive(t, r) { if ("object" != typeof t || !t) return t; var e = t[Symbol.toPrimitive]; if (void 0 !== e) { var i = e.call(t, r || "default"); if ("object" != typeof i) return i; throw new TypeError("@@toPrimitive must return a primitive value."); } return ("string" === r ? String : Number)(t); }
 function asyncGeneratorStep(n, t, e, r, o, a, c) { try { var i = n[a](c), u = i.value; } catch (n) { return void e(n); } i.done ? t(u) : Promise.resolve(u).then(r, o); }
-function _asyncToGenerator(n) { return function () { var t = this, e = arguments; return new Promise(function (r, o) { var a = n.apply(t, e); function _next(n) { asyncGeneratorStep(a, r, o, _next, _throw, "next", n); } function _throw(n) { asyncGeneratorStep(a, r, o, _next, _throw, "throw", n); } _next(void 0); }); }; }
-/*
+function _asyncToGenerator(n) { return function () { var t = this, e = arguments; return new Promise(function (r, o) { var a = n.apply(t, e); function _next(n) { asyncGeneratorStep(a, r, o, _next, _throw, "next", n); } function _throw(n) { asyncGeneratorStep(a, r, o, _next, _throw, "throw", n); } _next(void 0); }); }; } /*
  * Copyright (c) 2024, Salesforce, Inc.
  * All rights reserved.
  * SPDX-License-Identifier: BSD-3-Clause
  * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause
  */
-
 /**
  * A helper function for handling bad responses from SCAPI when an invalid access token is used.
  *
@@ -27,16 +26,30 @@ function _asyncToGenerator(n) { return function () { var t = this, e = arguments
  */
 const handleInvalidToken = exports.handleInvalidToken = /*#__PURE__*/function () {
   var _ref = _asyncToGenerator(function* (error, auth, logger) {
-    var _error$response, _error$response2;
-    if ((error === null || error === void 0 ? void 0 : (_error$response = error.response) === null || _error$response === void 0 ? void 0 : _error$response.status) !== 401) {
-      throw error;
+    var _error$response, _error$response3, _error$response4;
+    // The proxy returns a 400 with this message when the HttpOnly access token cookie
+    // (cc-at_{siteId}) is missing. This can happen if the cookie was deleted externally
+    // (e.g. via dev tools) while the non-HttpOnly expiry cookie (cc-at-expires) remained
+    // valid, causing isAccessTokenExpired() to incorrectly report the token as not expired.
+    // Clear the stale expiry cookie and trigger a token refresh.
+    if ((error === null || error === void 0 ? void 0 : (_error$response = error.response) === null || _error$response === void 0 ? void 0 : _error$response.status) === 400) {
+      var _error$response2;
+      const response = yield error === null || error === void 0 ? void 0 : (_error$response2 = error.response) === null || _error$response2 === void 0 ? void 0 : _error$response2.json();
+      if ((response === null || response === void 0 ? void 0 : response.message) === 'access_token_cookie_missing') {
+        logger.warn('Access token cookie missing. Clearing expiry and refreshing token.');
+        auth.clearAccessTokenExpiry();
+        return yield auth.refreshAccessToken();
+      }
     }
-    const response = yield error === null || error === void 0 ? void 0 : (_error$response2 = error.response) === null || _error$response2 === void 0 ? void 0 : _error$response2.json();
-    if ((response === null || response === void 0 ? void 0 : response.detail) !== 'Customer credentials changed after token was issued.') {
+    if ((error === null || error === void 0 ? void 0 : (_error$response3 = error.response) === null || _error$response3 === void 0 ? void 0 : _error$response3.status) !== 401) {
       throw error;
     }
-    logger.info('Login was invalidated. Clearing login state.');
-    return yield auth.logout();
+    const response = yield error === null || error === void 0 ? void 0 : (_error$response4 = error.response) === null || _error$response4 === void 0 ? void 0 : _error$response4.json();
+    if ((response === null || response === void 0 ? void 0 : response.detail) === 'Customer credentials changed after token was issued.') {
+      logger.info('Login was invalidated. Clearing login state.');
+      return yield auth.logout();
+    }
+    throw error;
   });
   return function handleInvalidToken(_x, _x2, _x3) {
     return _ref.apply(this, arguments);
@@ -62,9 +75,9 @@ const generateCustomEndpointOptions = (options, config, access_token, args) => {
   return _objectSpread(_objectSpread({}, options), {}, {
     options: _objectSpread(_objectSpread({}, options.options), {}, {
       method: ((_options$options = options.options) === null || _options$options === void 0 ? void 0 : _options$options.method) || 'GET',
-      headers: _objectSpread(_objectSpread(_objectSpread({
+      headers: _objectSpread(_objectSpread(_objectSpread(_objectSpread({}, config.enableHttpOnlySessionCookies && (0, _utils.onClient)() ? {} : {
         Authorization: `Bearer ${access_token}`
-      }, globalHeaders), (_options$options2 = options.options) === null || _options$options2 === void 0 ? void 0 : _options$options2.headers), args !== null && args !== void 0 && args.headers ? args.headers : {})
+      }), globalHeaders), (_options$options2 = options.options) === null || _options$options2 === void 0 ? void 0 : _options$options2.headers), args !== null && args !== void 0 && args.headers ? args.headers : {})
     }),
     clientConfig: _objectSpread(_objectSpread({}, globalClientConfig), options.clientConfig || {})
   });

package/hooks/useAuthorizationHeader.js

@@ -7,6 +7,7 @@ exports.useAuthorizationHeader = void 0;
 var _useAuthContext = _interopRequireDefault(require("./useAuthContext"));
 var _useConfig = _interopRequireDefault(require("./useConfig"));
 var _helpers = require("./helpers");
+var _utils = require("../utils");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
 function ownKeys(e, r) { var t = Object.keys(e); if (Object.getOwnPropertySymbols) { var o = Object.getOwnPropertySymbols(e); r && (o = o.filter(function (r) { return Object.getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
 function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? ownKeys(Object(t), !0).forEach(function (r) { _defineProperty(e, r, t[r]); }) : Object.getOwnPropertyDescriptors ? Object.defineProperties(e, Object.getOwnPropertyDescriptors(t)) : ownKeys(Object(t)).forEach(function (r) { Object.defineProperty(e, r, Object.getOwnPropertyDescriptor(t, r)); }); } return e; }
@@ -38,21 +39,25 @@ const useAuthorizationHeader = method => {
       const {
         access_token
       } = yield auth.ready();
+      // When HttpOnly session cookies are enabled on the client, the proxy injects the
+      // Authorization header from the cookie — skip adding it here.
+      const authHeaders = config.enableHttpOnlySessionCookies && (0, _utils.onClient)() ? {} : {
+        Authorization: `Bearer ${access_token}`
+      };
       return yield method(_objectSpread(_objectSpread({}, options), {}, {
-        headers: _objectSpread({
-          Authorization: `Bearer ${access_token}`
-        }, options.headers)
+        headers: _objectSpread(_objectSpread({}, authHeaders), options.headers)
       })).catch(/*#__PURE__*/function () {
         var _ref2 = _asyncToGenerator(function* (error) {
           const {
             access_token
           } = yield (0, _helpers.handleInvalidToken)(error, auth, logger);
+          const retryAuthHeaders = config.enableHttpOnlySessionCookies && (0, _utils.onClient)() ? {} : {
+            Authorization: `Bearer ${access_token}`
+          };
 
           // Retry again after resetting auth state
           return yield method(_objectSpread(_objectSpread({}, options), {}, {
-            headers: _objectSpread({
-              Authorization: `Bearer ${access_token}`
-            }, options.headers)
+            headers: _objectSpread(_objectSpread({}, retryAuthHeaders), options.headers)
           }));
         });
         return function (_x2) {

package/hooks/useUsid.d.ts

@@ -4,6 +4,7 @@
 interface Usid {
     usid: string | null;
     getUsidWhenReady: () => Promise<string>;
+    getUsidForPreview: () => Promise<string>;
 }
 /**
  * Hook that returns the usid associated with the current access token.

package/hooks/useUsid.js

@@ -35,9 +35,11 @@ const useUsid = () => {
   const getUsidWhenReady = () => auth.ready().then(({
     usid
   }) => usid);
+  const getUsidForPreview = () => auth.getUsidForPreview();
   return {
     usid,
-    getUsidWhenReady
+    getUsidWhenReady,
+    getUsidForPreview
   };
 };
 var _default = exports.default = useUsid;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@salesforce/commerce-sdk-react",
-  "version": "5.2.0-nightly-20260430084253",
+  "version": "5.2.0-preview.0",
   "description": "A library that provides react hooks for fetching data from Commerce Cloud",
   "homepage": "https://github.com/SalesforceCommerceCloud/pwa-kit/tree/develop/packages/ecom-react-hooks#readme",
   "bugs": {
@@ -41,12 +41,12 @@
   },
   "dependencies": {
     "@salesforce/storefront-next-runtime": "0.1.1",
-    "commerce-sdk-isomorphic": "5.1.0",
+    "commerce-sdk-isomorphic": "5.2.0",
     "js-cookie": "^3.0.1",
     "jwt-decode": "^4.0.0"
   },
   "devDependencies": {
-    "@salesforce/pwa-kit-dev": "3.18.0-nightly-20260430084253",
+    "@salesforce/pwa-kit-dev": "3.18.0-preview.0",
     "@tanstack/react-query": "^4.28.0",
     "@testing-library/jest-dom": "^5.16.5",
     "@testing-library/react": "^14.0.0",
@@ -61,7 +61,7 @@
     "@types/react-helmet": "~6.1.6",
     "@types/react-router-dom": "~5.3.3",
     "cross-env": "^5.2.1",
-    "internal-lib-build": "3.18.0-nightly-20260430084253",
+    "internal-lib-build": "3.18.0-preview.0",
     "jsonwebtoken": "^9.0.0",
     "nock": "^13.3.0",
     "nodemon": "^2.0.22",
@@ -97,5 +97,5 @@
   "publishConfig": {
     "directory": "dist"
   },
-  "gitHead": "d9b8eb1683c7256b9f250c36b1cfecf323aa40d3"
+  "gitHead": "75dd6afbf5269009754337c2cddc5bc0c508e3b3"
 }

package/provider.d.ts

@@ -19,6 +19,7 @@ export interface CommerceApiProviderProps extends ApiClientConfigParams {
     fetchedToken?: string;
     enablePWAKitPrivateClient?: boolean;
     privateClientProxyEndpoint?: string;
+    publicClientProxyEndpoint?: string;
     clientSecret?: string;
     silenceWarnings?: boolean;
     logger?: Logger;
@@ -31,6 +32,8 @@ export interface CommerceApiProviderProps extends ApiClientConfigParams {
     hybridAuthEnabled?: boolean;
     cookieDomain?: string;
     pageDesignerParams?: PageDesignerParams;
+    /** When true, proxy returns tokens in HttpOnly cookies. */
+    enableHttpOnlySessionCookies?: boolean;
 }
 /**
  * @internal

package/provider.js

@@ -108,6 +108,7 @@ const CommerceApiProvider = props => {
     fetchedToken,
     enablePWAKitPrivateClient,
     privateClientProxyEndpoint,
+    publicClientProxyEndpoint,
     clientSecret,
     silenceWarnings,
     logger,
@@ -119,11 +120,32 @@ const CommerceApiProvider = props => {
     disableAuthInit = false,
     hybridAuthEnabled = false,
     cookieDomain,
-    pageDesignerParams = {}
+    pageDesignerParams = {},
+    enableHttpOnlySessionCookies = false
   } = props;
 
   // Set the logger based on provided configuration, or default to the console object if no logger is provided
   const configLogger = logger || console;
+
+  // Stabilize object references that may be recreated on every render (e.g. inline
+  // `headers={{...}}` or `logger={createLogger(...)}` in the parent component).
+  // Without this, the Auth useMemo would recreate the Auth instance on every render,
+  // causing unnecessary useEffect re-runs, context re-renders, and breaking
+  // request deduplication.
+  const headersKey = JSON.stringify(headers);
+  const stableHeaders = (0, _react.useMemo)(() => headers, [headersKey]);
+  const loggerRef = (0, _react.useRef)(configLogger);
+  loggerRef.current = configLogger;
+  // Logger identity is not meaningful — keep the first instance for reference stability.
+  // The ref ensures the Auth instance always calls the latest logger.
+  const stableLogger = (0, _react.useMemo)(() => loggerRef.current, []);
+
+  // When HttpOnly cookies are enabled, ensure fetch credentials allow cookies to be sent.
+  const effectiveFetchOptions = (0, _react.useMemo)(() => {
+    return enableHttpOnlySessionCookies && (!(fetchOptions !== null && fetchOptions !== void 0 && fetchOptions.credentials) || fetchOptions.credentials === 'omit') ? _objectSpread(_objectSpread({}, fetchOptions), {}, {
+      credentials: 'same-origin'
+    }) : fetchOptions;
+  }, [enableHttpOnlySessionCookies, fetchOptions]);
   const auth = (0, _react.useMemo)(() => {
     return new _auth.default({
       clientId,
@@ -132,22 +154,23 @@ const CommerceApiProvider = props => {
       siteId,
       proxy,
       redirectURI,
-      headers,
-      fetchOptions,
+      headers: stableHeaders,
+      fetchOptions: effectiveFetchOptions,
       fetchedToken,
       enablePWAKitPrivateClient,
       privateClientProxyEndpoint,
+      publicClientProxyEndpoint,
       clientSecret,
       silenceWarnings,
-      logger: configLogger,
+      logger: stableLogger,
       defaultDnt,
       passwordlessLoginCallbackURI,
       refreshTokenRegisteredCookieTTL,
       refreshTokenGuestCookieTTL,
       hybridAuthEnabled,
-      cookieDomain
+      enableHttpOnlySessionCookies
     });
-  }, [clientId, organizationId, shortCode, siteId, proxy, redirectURI, headers, fetchOptions, fetchedToken, enablePWAKitPrivateClient, privateClientProxyEndpoint, clientSecret, silenceWarnings, configLogger, defaultDnt, passwordlessLoginCallbackURI, refreshTokenRegisteredCookieTTL, refreshTokenGuestCookieTTL, apiClients, hybridAuthEnabled, cookieDomain]);
+  }, [clientId, organizationId, shortCode, siteId, proxy, redirectURI, stableHeaders, effectiveFetchOptions, fetchedToken, enablePWAKitPrivateClient, privateClientProxyEndpoint, publicClientProxyEndpoint, clientSecret, silenceWarnings, stableLogger, defaultDnt, passwordlessLoginCallbackURI, refreshTokenRegisteredCookieTTL, refreshTokenGuestCookieTTL, apiClients, hybridAuthEnabled, cookieDomain, enableHttpOnlySessionCookies]);
   const dwsid = auth.get(_constant.DWSID_COOKIE_NAME);
   const serverAffinityHeader = {};
   if (dwsid) {
@@ -157,7 +180,7 @@ const CommerceApiProvider = props => {
     return _objectSpread(_objectSpread({}, options), {}, {
       headers: _objectSpread(_objectSpread({}, options.headers), serverAffinityHeader),
       throwOnBadResponse: true,
-      fetchOptions: _objectSpread(_objectSpread({}, options.fetchOptions), fetchOptions)
+      fetchOptions: _objectSpread(_objectSpread({}, options.fetchOptions), effectiveFetchOptions)
     });
   };
   const updatedClients = (0, _react.useMemo)(() => {
@@ -192,8 +215,14 @@ const CommerceApiProvider = props => {
         currency
       },
       throwOnBadResponse: true,
-      fetchOptions
+      fetchOptions: effectiveFetchOptions
     };
+
+    // Determine the proxy endpoint for ShopperLogin based on the client mode:
+    // - Private client mode uses a dedicated private proxy endpoint
+    // - HttpOnly session cookies mode uses a public proxy endpoint
+    // - Otherwise, fall back to the default proxy
+    const shopperLoginProxy = enablePWAKitPrivateClient ? privateClientProxyEndpoint : enableHttpOnlySessionCookies ? publicClientProxyEndpoint : config.proxy;
     return {
       shopperBaskets: new _commerceSdkIsomorphic.ShopperBaskets(config),
       shopperBasketsV2: new _commerceSdkIsomorphic.ShopperBasketsV2(config),
@@ -204,7 +233,7 @@ const CommerceApiProvider = props => {
       shopperExperience: new _commerceSdkIsomorphic.ShopperExperience(config),
       shopperGiftCertificates: new _commerceSdkIsomorphic.ShopperGiftCertificates(config),
       shopperLogin: new _commerceSdkIsomorphic.ShopperLogin(_objectSpread(_objectSpread({}, config), {}, {
-        proxy: enablePWAKitPrivateClient ? privateClientProxyEndpoint : config.proxy
+        proxy: shopperLoginProxy
       })),
       shopperOrders: new _commerceSdkIsomorphic.ShopperOrders(config),
       shopperPayments: new _commerceSdkIsomorphic.ShopperPayments(config),
@@ -214,7 +243,7 @@ const CommerceApiProvider = props => {
       shopperSeo: new _commerceSdkIsomorphic.ShopperSEO(config),
       shopperStores: new _commerceSdkIsomorphic.ShopperStores(config)
     };
-  }, [clientId, organizationId, shortCode, siteId, proxy, fetchOptions, locale, currency, headers === null || headers === void 0 ? void 0 : headers['correlation-id'], apiClients]);
+  }, [clientId, organizationId, shortCode, siteId, proxy, effectiveFetchOptions, locale, currency, headers === null || headers === void 0 ? void 0 : headers['correlation-id'], apiClients, enablePWAKitPrivateClient, privateClientProxyEndpoint, publicClientProxyEndpoint, enableHttpOnlySessionCookies]);
 
   // Initialize the session
   (0, _react.useEffect)(() => {
@@ -240,7 +269,8 @@ const CommerceApiProvider = props => {
       passwordlessLoginCallbackURI,
       refreshTokenRegisteredCookieTTL,
       refreshTokenGuestCookieTTL,
-      pageDesignerParams
+      pageDesignerParams,
+      enableHttpOnlySessionCookies
     }
   }, /*#__PURE__*/_react.default.createElement(CommerceApiContext.Provider, {
     value: updatedClients