@sekuire/sdk 0.1.22 → 0.1.24

package/dist/a2a-client.d.ts

@@ -13,6 +13,10 @@ export interface A2AClientOptions {
     timeout?: number;
     /** Optional device fingerprint for API-key auth on task endpoints */
     deviceFingerprint?: string;
+    /** Optional runtime token resolver for per-request credential sync */
+    tokenResolver?: () => string | undefined;
+    /** Optional callback to refresh credentials after runtime-token 401 */
+    onUnauthorized?: () => Promise<void>;
 }
 /**
  * A2A Protocol Client
@@ -45,6 +49,8 @@ export declare class A2AClient {
     private runtimeToken;
     private timeout;
     private deviceFingerprint;
+    private tokenResolver?;
+    private onUnauthorized?;
     constructor(options: A2AClientOptions);
     setRuntimeToken(token: string): void;
     /**
@@ -110,6 +116,8 @@ export declare class A2AClient {
     private jsonRpc;
     private fetch;
     private fetchTask;
+    private doFetchTask;
+    private resolveRuntimeToken;
     private taskAuthHeaders;
     private isLikelyJwt;
 }

package/dist/a2a-delegator.d.ts

@@ -17,6 +17,8 @@ export interface DelegatorConfig {
     retryDelayMs?: number;
     retryBackoffMultiplier?: number;
     policyGateway?: PolicyGateway;
+    tokenResolver?: () => string | undefined;
+    onUnauthorized?: () => Promise<void>;
 }
 export interface DelegationRequest {
     skill: string;

package/dist/beacon.d.ts

@@ -72,7 +72,7 @@ export interface InstallationCredentials {
 export interface BootstrapResponse {
     installation_id: string;
     runtime_token: string;
-    refresh_token: string;
+    refresh_token?: string;
     expires_at: string;
     heartbeat_interval: number;
 }

package/dist/index.d.ts

@@ -305,6 +305,8 @@ interface DelegatorConfig {
     retryDelayMs?: number;
     retryBackoffMultiplier?: number;
     policyGateway?: PolicyGateway;
+    tokenResolver?: () => string | undefined;
+    onUnauthorized?: () => Promise<void>;
 }
 interface DelegationRequest {
     skill: string;
@@ -366,12 +368,30 @@ interface RuntimeCredentials {
     refreshToken?: string;
     expiresAt?: string;
 }
+interface BootstrapResponseData {
+    installation_id: string;
+    runtime_token: string;
+    refresh_token?: string;
+    expires_at: string;
+}
+interface BootstrapTarget {
+    installationId: string | null;
+    runtimeToken: string | null;
+    refreshToken: string | null;
+    credentialsStore?: RuntimeCredentialsStore | null;
+}
+declare function applyBootstrapResponse(target: BootstrapTarget, data: BootstrapResponseData): void;
 declare class RuntimeCredentialsStore {
     private installationId?;
     private runtimeToken?;
     private refreshToken?;
     private expiresAt?;
-    constructor(initial?: RuntimeCredentials);
+    private apiBaseUrl?;
+    private inflightRefresh;
+    constructor(initial?: RuntimeCredentials & {
+        apiBaseUrl?: string;
+    });
+    setApiBaseUrl(url: string): void;
     update(partial: RuntimeCredentials): void;
     setRuntimeToken(runtimeToken: string, expiresAt?: string): void;
     setInstallationId(installationId: string): void;
@@ -383,6 +403,8 @@ declare class RuntimeCredentialsStore {
     getAll(): RuntimeCredentials;
     hasRecoveryCredentials(): boolean;
     hasRuntimeToken(): boolean;
+    refreshRuntimeToken(caller?: string): Promise<void>;
+    private doRefresh;
 }
 
 /**
@@ -458,7 +480,7 @@ interface InstallationCredentials {
 interface BootstrapResponse {
     installation_id: string;
     runtime_token: string;
-    refresh_token: string;
+    refresh_token?: string;
     expires_at: string;
     heartbeat_interval: number;
 }
@@ -1059,6 +1081,9 @@ declare class SekuireSDK {
     createDelegator(options?: {
         timeout?: number;
         pollInterval?: number;
+        maxRetries?: number;
+        retryDelayMs?: number;
+        retryBackoffMultiplier?: number;
     }): A2ATaskDelegator;
     /**
      * Get the agent ID.
@@ -3342,6 +3367,10 @@ interface A2AClientOptions {
     timeout?: number;
     /** Optional device fingerprint for API-key auth on task endpoints */
     deviceFingerprint?: string;
+    /** Optional runtime token resolver for per-request credential sync */
+    tokenResolver?: () => string | undefined;
+    /** Optional callback to refresh credentials after runtime-token 401 */
+    onUnauthorized?: () => Promise<void>;
 }
 /**
  * A2A Protocol Client
@@ -3374,6 +3403,8 @@ declare class A2AClient {
     private runtimeToken;
     private timeout;
     private deviceFingerprint;
+    private tokenResolver?;
+    private onUnauthorized?;
     constructor(options: A2AClientOptions);
     setRuntimeToken(token: string): void;
     /**
@@ -3439,6 +3470,8 @@ declare class A2AClient {
     private jsonRpc;
     private fetch;
     private fetchTask;
+    private doFetchTask;
+    private resolveRuntimeToken;
     private taskAuthHeaders;
     private isLikelyJwt;
 }
@@ -3534,5 +3567,5 @@ declare class A2AServer {
     private generateId;
 }
 
-export { A2AClient, A2AError, A2AServer, A2ATaskDelegator, SekuireAgent as Agent, AgentIdentity, AnthropicProvider, BaseMemoryStorage, Beacon, CONVEX_FUNCTIONS_TEMPLATE, CONVEX_SCHEMA_TEMPLATE, CloudflareD1Storage, CloudflareKVStorage, ComplianceError, ComplianceMonitor, ContentPolicyError, ConvexStorage, CryptoError, DEFAULT_API_URL, DynamoDBStorage, FileAccessError, GoogleProvider, InMemoryStorage, NetworkComplianceError, NetworkError, OllamaProvider, OpenAIProvider, PolicyClient, PolicyEnforcer, PolicyGateway, PolicyViolationError, PostgresStorage, ProtocolError, RedisStorage, RuntimeCredentialsStore, SQLiteStorage, SekuireAgent$1 as SekuireAgent, SekuireAgentBuilder, SekuireClient, SekuireCrypto, SekuireError, SekuireLogger, SekuireRegistryClient, SekuireSDK, SekuireServer, SekuireSpanExporter, TaskWorker, Tool, ToolPatternParser, ToolRegistry, ToolUsageError, TursoStorage, UpstashStorage, builtInTools, calculateSekuireId, createAgent, createBeacon, createDefaultToolRegistry, createDelegationTool, createDelegator, createDiscoveryTool, createLLMProvider, createMemoryStorage, createRegistryClient, createSekuireClient, createSekuireExpressMiddleware, createSekuireFastifyPlugin, createWorker, detectDeploymentUrl, generateKeyPair, getAgent, getAgentConfig, getAgents, getTools$1 as getLegacyTools, getStorageInfo, getSystemPrompt, getTools, getTracer, hasStorage, initTelemetry, listStorageTypes, llm, loadConfig, loadSystemPrompt, loadTools, registerStorage, shutdownTelemetry, tool, tools };
-export type { A2AArtifact, A2AClientOptions, A2AMessage, A2AMessagePart, A2ARouteRequest, A2ARouteResponse, A2AServerOptions, A2ATask, A2ATaskState, A2ATaskStatus, ActivePolicy, ActivePolicyResponse, AgentCapabilities, AgentCard, AgentConfig, AgentId, AgentInvokeOptions, AgentOptions, AgentProvider, AgentResponse$1 as AgentResponse, AgentSkill, BeaconConfig, BeaconStatus, BootstrapResponse, BuiltInMemoryType, ChatChunk, ChatOptions, ChatResponse, CloudflareD1Config, CloudflareKVConfig, ComplianceConfig, ComplianceViolation, ConditionOperator, ToolDefinition$1 as ConfigToolDefinition, ConvexConfig, CreateOrgRequest, CreateWorkspaceRequest, CustomRule, DelegationRequest, DelegationResult, DelegatorConfig, DisputeRequest, DisputeResponse, DynamoDBConfig, EventLog, EventType, ExporterType, HandshakeAuth, HandshakeHello, HandshakeResult, HandshakeWelcome, HexString, IdentityConfig, InstallationCredentials, InviteRequest, InviteResponse, JsonRpcError, JsonRpcRequest, JsonRpcResponse, KeyPair, LLMConfig, Message as LLMMessage, LLMProvider, LLMProviderConfig, ToolCallFunction as LLMToolCall, ToolDefinition as LLMToolDefinition, LeaderboardEntry, LoggerConfig$1 as LoggerConfig, Manifest, MemoryConfig, MemoryFactoryConfig, MemoryMessage, MemoryStorage, MemoryType, Message$1 as Message, OrgResponse, OrgSummary, PerAgentLimits, PolicyDecision, PolicyViolation, PostgresConfig, ProjectMetadata, PublishAgentOptions, PublishRequest, PublishResponse, RateLimitsConfig$1 as RateLimitsConfig, RedisConfig, RegistryClientConfig, ReputationLog, ReputationResponse, RuleCondition, RuntimeCredentials, SQLiteConfig, SearchAgentsOptions, SekuireAgentConfig, SekuireClientConfig, SekuireConfig, SekuireExporterConfig, SekuireSDKConfig, Severity, SkillContext, SkillHandler, StreamingSkillContext, StreamingSkillHandler, StreamingUpdate, SubmitReputationRequest, TaskCompletion, TaskContext, TaskEvent, TaskHandler, TaskState, TaskUpdateEvent, TasksCancelParams, TasksGetParams, TasksSendParams, TasksSendSubscribeParams, TelemetryConfig, ToolCall, ToolDefinition$2 as ToolDefinition, ToolInput, ToolMetadata, ToolParameter, ToolsSchema, TrustHeaders, TrustHeadersRequest, TursoConfig, UpdateAgentOptions, UpstashConfig, UserContextResponse, VerificationIssue, VerificationRequest, VerificationResult, VerificationStatus, VerifyAgentRequest, WorkerConfig, WorkspaceResponse, WorkspaceSummary };
+export { A2AClient, A2AError, A2AServer, A2ATaskDelegator, SekuireAgent as Agent, AgentIdentity, AnthropicProvider, BaseMemoryStorage, Beacon, CONVEX_FUNCTIONS_TEMPLATE, CONVEX_SCHEMA_TEMPLATE, CloudflareD1Storage, CloudflareKVStorage, ComplianceError, ComplianceMonitor, ContentPolicyError, ConvexStorage, CryptoError, DEFAULT_API_URL, DynamoDBStorage, FileAccessError, GoogleProvider, InMemoryStorage, NetworkComplianceError, NetworkError, OllamaProvider, OpenAIProvider, PolicyClient, PolicyEnforcer, PolicyGateway, PolicyViolationError, PostgresStorage, ProtocolError, RedisStorage, RuntimeCredentialsStore, SQLiteStorage, SekuireAgent$1 as SekuireAgent, SekuireAgentBuilder, SekuireClient, SekuireCrypto, SekuireError, SekuireLogger, SekuireRegistryClient, SekuireSDK, SekuireServer, SekuireSpanExporter, TaskWorker, Tool, ToolPatternParser, ToolRegistry, ToolUsageError, TursoStorage, UpstashStorage, applyBootstrapResponse, builtInTools, calculateSekuireId, createAgent, createBeacon, createDefaultToolRegistry, createDelegationTool, createDelegator, createDiscoveryTool, createLLMProvider, createMemoryStorage, createRegistryClient, createSekuireClient, createSekuireExpressMiddleware, createSekuireFastifyPlugin, createWorker, detectDeploymentUrl, generateKeyPair, getAgent, getAgentConfig, getAgents, getTools$1 as getLegacyTools, getStorageInfo, getSystemPrompt, getTools, getTracer, hasStorage, initTelemetry, listStorageTypes, llm, loadConfig, loadSystemPrompt, loadTools, registerStorage, shutdownTelemetry, tool, tools };
+export type { A2AArtifact, A2AClientOptions, A2AMessage, A2AMessagePart, A2ARouteRequest, A2ARouteResponse, A2AServerOptions, A2ATask, A2ATaskState, A2ATaskStatus, ActivePolicy, ActivePolicyResponse, AgentCapabilities, AgentCard, AgentConfig, AgentId, AgentInvokeOptions, AgentOptions, AgentProvider, AgentResponse$1 as AgentResponse, AgentSkill, BeaconConfig, BeaconStatus, BootstrapResponse, BootstrapResponseData, BootstrapTarget, BuiltInMemoryType, ChatChunk, ChatOptions, ChatResponse, CloudflareD1Config, CloudflareKVConfig, ComplianceConfig, ComplianceViolation, ConditionOperator, ToolDefinition$1 as ConfigToolDefinition, ConvexConfig, CreateOrgRequest, CreateWorkspaceRequest, CustomRule, DelegationRequest, DelegationResult, DelegatorConfig, DisputeRequest, DisputeResponse, DynamoDBConfig, EventLog, EventType, ExporterType, HandshakeAuth, HandshakeHello, HandshakeResult, HandshakeWelcome, HexString, IdentityConfig, InstallationCredentials, InviteRequest, InviteResponse, JsonRpcError, JsonRpcRequest, JsonRpcResponse, KeyPair, LLMConfig, Message as LLMMessage, LLMProvider, LLMProviderConfig, ToolCallFunction as LLMToolCall, ToolDefinition as LLMToolDefinition, LeaderboardEntry, LoggerConfig$1 as LoggerConfig, Manifest, MemoryConfig, MemoryFactoryConfig, MemoryMessage, MemoryStorage, MemoryType, Message$1 as Message, OrgResponse, OrgSummary, PerAgentLimits, PolicyDecision, PolicyViolation, PostgresConfig, ProjectMetadata, PublishAgentOptions, PublishRequest, PublishResponse, RateLimitsConfig$1 as RateLimitsConfig, RedisConfig, RegistryClientConfig, ReputationLog, ReputationResponse, RuleCondition, RuntimeCredentials, SQLiteConfig, SearchAgentsOptions, SekuireAgentConfig, SekuireClientConfig, SekuireConfig, SekuireExporterConfig, SekuireSDKConfig, Severity, SkillContext, SkillHandler, StreamingSkillContext, StreamingSkillHandler, StreamingUpdate, SubmitReputationRequest, TaskCompletion, TaskContext, TaskEvent, TaskHandler, TaskState, TaskUpdateEvent, TasksCancelParams, TasksGetParams, TasksSendParams, TasksSendSubscribeParams, TelemetryConfig, ToolCall, ToolDefinition$2 as ToolDefinition, ToolInput, ToolMetadata, ToolParameter, ToolsSchema, TrustHeaders, TrustHeadersRequest, TursoConfig, UpdateAgentOptions, UpstashConfig, UserContextResponse, VerificationIssue, VerificationRequest, VerificationResult, VerificationStatus, VerifyAgentRequest, WorkerConfig, WorkspaceResponse, WorkspaceSummary };

package/dist/index.esm.js

@@ -69,6 +69,8 @@ class A2AClient {
             options.deviceFingerprint ||
                 process.env.SEKUIRE_DEVICE_FINGERPRINT ||
                 "sekuire-typescript-sdk";
+        this.tokenResolver = options.tokenResolver;
+        this.onUnauthorized = options.onUnauthorized;
     }
     setRuntimeToken(token) {
         this.runtimeToken = token;
@@ -78,7 +80,7 @@ class A2AClient {
      * The API will find an agent with the matching skill and forward the task.
      */
     async sendBySkill(request) {
-        const response = await this.fetch("/a2a/route", {
+        const response = await this.fetchTask("/a2a/route", {
             method: "POST",
             body: JSON.stringify(request),
         });
@@ -291,19 +293,37 @@ class A2AClient {
         });
     }
     async fetchTask(path, init) {
+        const runtimeToken = this.resolveRuntimeToken();
+        const response = await this.doFetchTask(path, init, runtimeToken);
+        const usedRuntimeToken = !!runtimeToken && runtimeToken.startsWith("srt_");
+        if (response.status === 401 && usedRuntimeToken && this.onUnauthorized) {
+            try {
+                await this.onUnauthorized();
+            }
+            catch {
+                return response;
+            }
+            return this.doFetchTask(path, init, this.resolveRuntimeToken());
+        }
+        return response;
+    }
+    async doFetchTask(path, init, runtimeToken) {
         return fetch(`${this.baseUrl}${path}`, {
             ...init,
             headers: {
                 "Content-Type": "application/json",
-                ...this.taskAuthHeaders(),
+                ...this.taskAuthHeaders(runtimeToken),
                 ...init.headers,
             },
             signal: AbortSignal.timeout(this.timeout),
         });
     }
-    taskAuthHeaders() {
-        if (this.runtimeToken) {
-            return { Authorization: `Bearer ${this.runtimeToken}` };
+    resolveRuntimeToken() {
+        return this.tokenResolver?.() ?? this.runtimeToken;
+    }
+    taskAuthHeaders(runtimeToken) {
+        if (runtimeToken) {
+            return { Authorization: `Bearer ${runtimeToken}` };
         }
         if (this.isLikelyJwt(this.authToken)) {
             return { Authorization: `Bearer ${this.authToken}` };
@@ -396,6 +416,8 @@ class A2ATaskDelegator {
             baseUrl: config.apiUrl,
             authToken: config.authToken,
             timeout: this.config.timeout,
+            tokenResolver: config.tokenResolver,
+            onUnauthorized: config.onUnauthorized,
         });
     }
     setRuntimeToken(token) {
@@ -812,6 +834,121 @@ function detectDeploymentUrl() {
     return undefined;
 }
 
+function applyBootstrapResponse(target, data) {
+    target.installationId = data.installation_id;
+    target.runtimeToken = data.runtime_token;
+    if (data.refresh_token) {
+        target.refreshToken = data.refresh_token;
+    }
+    target.credentialsStore?.update({
+        installationId: data.installation_id,
+        runtimeToken: data.runtime_token,
+        refreshToken: data.refresh_token,
+        expiresAt: data.expires_at,
+    });
+}
+class RuntimeCredentialsStore {
+    constructor(initial) {
+        this.inflightRefresh = null;
+        if (initial) {
+            this.update(initial);
+        }
+        if (initial?.apiBaseUrl) {
+            this.apiBaseUrl = initial.apiBaseUrl;
+        }
+    }
+    setApiBaseUrl(url) {
+        this.apiBaseUrl = url;
+    }
+    update(partial) {
+        if (partial.installationId) {
+            this.installationId = partial.installationId;
+        }
+        if (partial.runtimeToken) {
+            this.runtimeToken = partial.runtimeToken;
+        }
+        if (partial.refreshToken) {
+            this.refreshToken = partial.refreshToken;
+        }
+        if (partial.expiresAt !== undefined) {
+            this.expiresAt = partial.expiresAt;
+        }
+    }
+    setRuntimeToken(runtimeToken, expiresAt) {
+        this.runtimeToken = runtimeToken;
+        if (expiresAt !== undefined) {
+            this.expiresAt = expiresAt;
+        }
+    }
+    setInstallationId(installationId) {
+        this.installationId = installationId;
+    }
+    setRefreshToken(refreshToken) {
+        this.refreshToken = refreshToken;
+    }
+    getInstallationId() {
+        return this.installationId;
+    }
+    getRuntimeToken() {
+        return this.runtimeToken;
+    }
+    getRefreshToken() {
+        return this.refreshToken;
+    }
+    getExpiresAt() {
+        return this.expiresAt;
+    }
+    getAll() {
+        return {
+            installationId: this.installationId,
+            runtimeToken: this.runtimeToken,
+            refreshToken: this.refreshToken,
+            expiresAt: this.expiresAt,
+        };
+    }
+    hasRecoveryCredentials() {
+        return !!(this.installationId && this.refreshToken);
+    }
+    hasRuntimeToken() {
+        return !!this.runtimeToken;
+    }
+    async refreshRuntimeToken(caller) {
+        if (this.inflightRefresh) {
+            return this.inflightRefresh;
+        }
+        this.inflightRefresh = this.doRefresh(caller).finally(() => {
+            this.inflightRefresh = null;
+        });
+        return this.inflightRefresh;
+    }
+    async doRefresh(caller) {
+        const installationId = this.installationId;
+        const refreshToken = this.refreshToken;
+        const apiBaseUrl = this.apiBaseUrl;
+        if (!installationId || !refreshToken) {
+            throw new Error("Cannot refresh token - missing installation ID or refresh token");
+        }
+        if (!apiBaseUrl) {
+            throw new Error("Cannot refresh token - missing API base URL");
+        }
+        const response = await fetch(`${apiBaseUrl}/api/v1/installations/${installationId}/refresh`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ refresh_token: refreshToken }),
+        });
+        if (!response.ok) {
+            const body = await response.text();
+            throw new Error(`Token refresh failed: ${response.status} - ${body}`);
+        }
+        const data = await response.json();
+        this.runtimeToken = data.runtime_token;
+        if (data.expires_at !== undefined) {
+            this.expiresAt = data.expires_at;
+        }
+        console.log(`[${caller || "CredentialsStore"}] Runtime token refreshed successfully`);
+    }
+}
+
 /**
  * Sekuire Beacon - Deployment Registration & Heartbeat
  *
@@ -855,6 +992,7 @@ class Beacon {
         this.credentialsStore = config.credentialsStore;
         this.policyGateway = config.policyGateway;
         if (this.credentialsStore) {
+            this.credentialsStore.setApiBaseUrl(this.config.apiBaseUrl);
             this.credentialsStore.update({
                 installationId: resolvedInstallationId,
                 refreshToken: resolvedRefreshToken,
@@ -1042,6 +1180,16 @@ class Beacon {
         }
         // Refresh to get a new runtime token
         try {
+            if (this.credentialsStore) {
+                this.credentialsStore.update({ installationId, refreshToken });
+                await this.credentialsStore.refreshRuntimeToken("Beacon");
+                this.installationId = installationId;
+                this.runtimeToken = this.credentialsStore.getRuntimeToken() ?? null;
+                this.refreshToken = refreshToken;
+                this.expiresAt = this.credentialsStore.getExpiresAt() ?? null;
+                console.log('[Beacon] Credentials recovered via refresh token');
+                return true;
+            }
             const response = await fetch(`${this.config.apiBaseUrl}/api/v1/installations/${installationId}/refresh`, {
                 method: 'POST',
                 headers: {
@@ -1059,14 +1207,8 @@ class Beacon {
             const data = await response.json();
             this.installationId = installationId;
             this.runtimeToken = data.runtime_token;
-            this.refreshToken = refreshToken; // Refresh token is stable
+            this.refreshToken = refreshToken;
             this.expiresAt = data.expires_at || null;
-            this.credentialsStore?.update({
-                installationId,
-                runtimeToken: data.runtime_token,
-                refreshToken,
-                expiresAt: data.expires_at,
-            });
             console.log('[Beacon] Credentials recovered via refresh token');
             return true;
         }
@@ -1176,9 +1318,7 @@ class Beacon {
                 return false;
             }
             const data = await response.json();
-            this.installationId = data.installation_id;
-            this.runtimeToken = data.runtime_token;
-            this.refreshToken = data.refresh_token;
+            applyBootstrapResponse(this, data);
             console.log(`[Beacon] Recovery bootstrap successful, installation ID: ${this.installationId}`);
             return true;
         }
@@ -1215,16 +1355,8 @@ class Beacon {
             throw new Error(`Bootstrap failed: ${response.status} ${response.statusText} - ${body}`);
         }
         const data = await response.json();
-        this.installationId = data.installation_id;
-        this.runtimeToken = data.runtime_token;
-        this.refreshToken = data.refresh_token;
+        applyBootstrapResponse(this, data);
         this.expiresAt = data.expires_at || null;
-        this.credentialsStore?.update({
-            installationId: data.installation_id,
-            runtimeToken: data.runtime_token,
-            refreshToken: data.refresh_token,
-            expiresAt: data.expires_at,
-        });
     }
     /**
      * Send heartbeat (lease renewal) to Sekuire
@@ -1292,6 +1424,11 @@ class Beacon {
      * Refresh the runtime token using the refresh token
      */
     async refreshRuntimeToken() {
+        if (this.credentialsStore) {
+            await this.credentialsStore.refreshRuntimeToken("Beacon");
+            this.runtimeToken = this.credentialsStore.getRuntimeToken() ?? null;
+            return;
+        }
         const installationId = this.getInstallationId();
         const refreshToken = this.getRefreshToken();
         if (!installationId || !refreshToken) {
@@ -1312,7 +1449,6 @@ class Beacon {
         }
         const data = await response.json();
         this.runtimeToken = data.runtime_token;
-        this.credentialsStore?.setRuntimeToken(data.runtime_token, data.expires_at);
         console.log('[Beacon] Runtime token refreshed successfully');
     }
     /**
@@ -2146,66 +2282,6 @@ class PolicyGateway {
     }
 }
 
-class RuntimeCredentialsStore {
-    constructor(initial) {
-        if (initial) {
-            this.update(initial);
-        }
-    }
-    update(partial) {
-        if (partial.installationId) {
-            this.installationId = partial.installationId;
-        }
-        if (partial.runtimeToken) {
-            this.runtimeToken = partial.runtimeToken;
-        }
-        if (partial.refreshToken) {
-            this.refreshToken = partial.refreshToken;
-        }
-        if (partial.expiresAt !== undefined) {
-            this.expiresAt = partial.expiresAt;
-        }
-    }
-    setRuntimeToken(runtimeToken, expiresAt) {
-        this.runtimeToken = runtimeToken;
-        if (expiresAt !== undefined) {
-            this.expiresAt = expiresAt;
-        }
-    }
-    setInstallationId(installationId) {
-        this.installationId = installationId;
-    }
-    setRefreshToken(refreshToken) {
-        this.refreshToken = refreshToken;
-    }
-    getInstallationId() {
-        return this.installationId;
-    }
-    getRuntimeToken() {
-        return this.runtimeToken;
-    }
-    getRefreshToken() {
-        return this.refreshToken;
-    }
-    getExpiresAt() {
-        return this.expiresAt;
-    }
-    getAll() {
-        return {
-            installationId: this.installationId,
-            runtimeToken: this.runtimeToken,
-            refreshToken: this.refreshToken,
-            expiresAt: this.expiresAt,
-        };
-    }
-    hasRecoveryCredentials() {
-        return !!(this.installationId && this.refreshToken);
-    }
-    hasRuntimeToken() {
-        return !!this.runtimeToken;
-    }
-}
-
 function getDefaultExportFromCjs (x) {
 	return x && x.__esModule && Object.prototype.hasOwnProperty.call(x, 'default') ? x['default'] : x;
 }
@@ -2758,6 +2834,7 @@ class TaskWorker {
         this.installationId = resolvedInstallationId || null;
         this.refreshToken = resolvedRefreshToken || null;
         if (this.credentialsStore) {
+            this.credentialsStore.setApiBaseUrl(this.config.apiBaseUrl);
             this.credentialsStore.update({
                 installationId: resolvedInstallationId,
                 refreshToken: resolvedRefreshToken,
@@ -2830,6 +2907,17 @@ class TaskWorker {
             return false;
         }
         try {
+            if (this.credentialsStore) {
+                this.credentialsStore.update({ installationId, refreshToken });
+                await this.credentialsStore.refreshRuntimeToken("Worker");
+                this.installationId = installationId;
+                this.runtimeToken = this.credentialsStore.getRuntimeToken() ?? null;
+                this.refreshToken = refreshToken;
+                const expiresAt = this.credentialsStore.getExpiresAt();
+                this.expiresAt = expiresAt ? new Date(expiresAt).getTime() : null;
+                console.log(`[Worker] Credentials recovered for installation: ${installationId}`);
+                return true;
+            }
             const response = await fetch(`${this.config.apiBaseUrl}/api/v1/installations/${installationId}/refresh`, {
                 method: "POST",
                 headers: {
@@ -2849,12 +2937,6 @@ class TaskWorker {
             this.runtimeToken = data.runtime_token;
             this.refreshToken = refreshToken;
             this.expiresAt = data.expires_at ? new Date(data.expires_at).getTime() : null;
-            this.credentialsStore?.update({
-                installationId,
-                runtimeToken: data.runtime_token,
-                refreshToken,
-                expiresAt: data.expires_at,
-            });
             console.log(`[Worker] Credentials recovered for installation: ${installationId}`);
             return true;
         }
@@ -3097,18 +3179,10 @@ class TaskWorker {
                 throw new Error(`Bootstrap failed: ${response.status} - ${errorText}`);
             }
             const data = await response.json();
-            this.installationId = data.installation_id;
-            this.runtimeToken = data.runtime_token;
-            this.refreshToken = data.refresh_token;
+            applyBootstrapResponse(this, data);
             this.expiresAt = data.expires_at
                 ? new Date(data.expires_at).getTime()
                 : null;
-            this.credentialsStore?.update({
-                installationId: data.installation_id,
-                runtimeToken: data.runtime_token,
-                refreshToken: data.refresh_token,
-                expiresAt: data.expires_at,
-            });
             console.log(`[Worker] Bootstrapped installation: ${this.installationId}`);
         }
         catch (e) {
@@ -3181,6 +3255,11 @@ class TaskWorker {
      * Refresh the runtime token using the refresh token
      */
     async refreshRuntimeToken() {
+        if (this.credentialsStore) {
+            await this.credentialsStore.refreshRuntimeToken("Worker");
+            this.runtimeToken = this.credentialsStore.getRuntimeToken() ?? null;
+            return;
+        }
         const installationId = this.getInstallationId();
         const refreshToken = this.getRefreshToken();
         if (!installationId || !refreshToken) {
@@ -3201,7 +3280,6 @@ class TaskWorker {
         }
         const data = await response.json();
         this.runtimeToken = data.runtime_token;
-        this.credentialsStore?.setRuntimeToken(data.runtime_token, data.expires_at);
         console.log("[Worker] Runtime token refreshed successfully");
     }
     getInstallationId() {
@@ -3267,6 +3345,7 @@ class SekuireSDK {
             installationId: this.config.installationId,
             refreshToken: this.config.refreshToken,
             runtimeToken: this.config.runtimeToken,
+            apiBaseUrl: this.config.apiUrl,
         });
         this.identity = new AgentIdentity(this.config.agentName, this.config.agentId, this.config.privateKey);
         const loggerConfig = {
@@ -3544,20 +3623,22 @@ class SekuireSDK {
      * task registration/completion can use runtime token if bootstrapped.
      */
     createDelegator(options) {
-        const credentials = this.getRuntimeCredentials();
-        const delegator = new A2ATaskDelegator({
+        return new A2ATaskDelegator({
             apiUrl: this.config.apiUrl,
             authToken: this.config.apiKey || "",
             workspaceId: this.config.workspaceId,
             agentId: this.config.agentId,
             timeout: options?.timeout,
             pollInterval: options?.pollInterval,
+            maxRetries: options?.maxRetries,
+            retryDelayMs: options?.retryDelayMs,
+            retryBackoffMultiplier: options?.retryBackoffMultiplier,
             policyGateway: this.policyGateway ?? undefined,
+            tokenResolver: () => this.credentialsStore.getRuntimeToken(),
+            onUnauthorized: async () => {
+                await this.credentialsStore.refreshRuntimeToken("A2AClient");
+            },
         });
-        if (credentials?.runtimeToken) {
-            delegator.setRuntimeToken(credentials.runtimeToken);
-        }
-        return delegator;
     }
     /**
      * Get the agent ID.
@@ -18350,4 +18431,4 @@ class A2AServer {
     }
 }
 
-export { A2AClient, A2AError, A2AServer, A2ATaskDelegator, SekuireAgent as Agent, AgentIdentity, AnthropicProvider, BaseMemoryStorage, Beacon, CONVEX_FUNCTIONS_TEMPLATE, CONVEX_SCHEMA_TEMPLATE, CloudflareD1Storage, CloudflareKVStorage, ComplianceError, ComplianceMonitor, ContentPolicyError, ConvexStorage, CryptoError, DEFAULT_API_URL, DynamoDBStorage, FileAccessError, GoogleProvider, InMemoryStorage, NetworkComplianceError, NetworkError, OllamaProvider, OpenAIProvider, PolicyClient, PolicyEnforcer, PolicyGateway, PolicyViolationError, PostgresStorage, ProtocolError, RedisStorage, RuntimeCredentialsStore, SQLiteStorage, SekuireAgent$1 as SekuireAgent, SekuireAgentBuilder, SekuireClient, SekuireCrypto, SekuireError, SekuireLogger, SekuireRegistryClient, SekuireSDK, SekuireServer, SekuireSpanExporter, TaskWorker, ToolPatternParser, ToolRegistry, ToolUsageError, TursoStorage, UpstashStorage, builtInTools, calculateSekuireId, createAgent, createBeacon, createDefaultToolRegistry, createDelegationTool, createDelegator, createDiscoveryTool, createLLMProvider, createMemoryStorage, createRegistryClient, createSekuireClient, createSekuireExpressMiddleware, createSekuireFastifyPlugin, createWorker, detectDeploymentUrl, generateKeyPair, getAgent, getAgentConfig, getAgents, getTools$1 as getLegacyTools, getStorageInfo, getSystemPrompt, getTools, getTracer, hasStorage, initTelemetry, listStorageTypes, llm, loadConfig, loadSystemPrompt, loadTools, registerStorage, shutdownTelemetry, tool, tools };
+export { A2AClient, A2AError, A2AServer, A2ATaskDelegator, SekuireAgent as Agent, AgentIdentity, AnthropicProvider, BaseMemoryStorage, Beacon, CONVEX_FUNCTIONS_TEMPLATE, CONVEX_SCHEMA_TEMPLATE, CloudflareD1Storage, CloudflareKVStorage, ComplianceError, ComplianceMonitor, ContentPolicyError, ConvexStorage, CryptoError, DEFAULT_API_URL, DynamoDBStorage, FileAccessError, GoogleProvider, InMemoryStorage, NetworkComplianceError, NetworkError, OllamaProvider, OpenAIProvider, PolicyClient, PolicyEnforcer, PolicyGateway, PolicyViolationError, PostgresStorage, ProtocolError, RedisStorage, RuntimeCredentialsStore, SQLiteStorage, SekuireAgent$1 as SekuireAgent, SekuireAgentBuilder, SekuireClient, SekuireCrypto, SekuireError, SekuireLogger, SekuireRegistryClient, SekuireSDK, SekuireServer, SekuireSpanExporter, TaskWorker, ToolPatternParser, ToolRegistry, ToolUsageError, TursoStorage, UpstashStorage, applyBootstrapResponse, builtInTools, calculateSekuireId, createAgent, createBeacon, createDefaultToolRegistry, createDelegationTool, createDelegator, createDiscoveryTool, createLLMProvider, createMemoryStorage, createRegistryClient, createSekuireClient, createSekuireExpressMiddleware, createSekuireFastifyPlugin, createWorker, detectDeploymentUrl, generateKeyPair, getAgent, getAgentConfig, getAgents, getTools$1 as getLegacyTools, getStorageInfo, getSystemPrompt, getTools, getTracer, hasStorage, initTelemetry, listStorageTypes, llm, loadConfig, loadSystemPrompt, loadTools, registerStorage, shutdownTelemetry, tool, tools };

package/dist/index.js

@@ -93,6 +93,8 @@ class A2AClient {
             options.deviceFingerprint ||
                 process.env.SEKUIRE_DEVICE_FINGERPRINT ||
                 "sekuire-typescript-sdk";
+        this.tokenResolver = options.tokenResolver;
+        this.onUnauthorized = options.onUnauthorized;
     }
     setRuntimeToken(token) {
         this.runtimeToken = token;
@@ -102,7 +104,7 @@ class A2AClient {
      * The API will find an agent with the matching skill and forward the task.
      */
     async sendBySkill(request) {
-        const response = await this.fetch("/a2a/route", {
+        const response = await this.fetchTask("/a2a/route", {
             method: "POST",
             body: JSON.stringify(request),
         });
@@ -315,19 +317,37 @@ class A2AClient {
         });
     }
     async fetchTask(path, init) {
+        const runtimeToken = this.resolveRuntimeToken();
+        const response = await this.doFetchTask(path, init, runtimeToken);
+        const usedRuntimeToken = !!runtimeToken && runtimeToken.startsWith("srt_");
+        if (response.status === 401 && usedRuntimeToken && this.onUnauthorized) {
+            try {
+                await this.onUnauthorized();
+            }
+            catch {
+                return response;
+            }
+            return this.doFetchTask(path, init, this.resolveRuntimeToken());
+        }
+        return response;
+    }
+    async doFetchTask(path, init, runtimeToken) {
         return fetch(`${this.baseUrl}${path}`, {
             ...init,
             headers: {
                 "Content-Type": "application/json",
-                ...this.taskAuthHeaders(),
+                ...this.taskAuthHeaders(runtimeToken),
                 ...init.headers,
             },
             signal: AbortSignal.timeout(this.timeout),
         });
     }
-    taskAuthHeaders() {
-        if (this.runtimeToken) {
-            return { Authorization: `Bearer ${this.runtimeToken}` };
+    resolveRuntimeToken() {
+        return this.tokenResolver?.() ?? this.runtimeToken;
+    }
+    taskAuthHeaders(runtimeToken) {
+        if (runtimeToken) {
+            return { Authorization: `Bearer ${runtimeToken}` };
         }
         if (this.isLikelyJwt(this.authToken)) {
             return { Authorization: `Bearer ${this.authToken}` };
@@ -420,6 +440,8 @@ class A2ATaskDelegator {
             baseUrl: config.apiUrl,
             authToken: config.authToken,
             timeout: this.config.timeout,
+            tokenResolver: config.tokenResolver,
+            onUnauthorized: config.onUnauthorized,
         });
     }
     setRuntimeToken(token) {
@@ -836,6 +858,121 @@ function detectDeploymentUrl() {
     return undefined;
 }
 
+function applyBootstrapResponse(target, data) {
+    target.installationId = data.installation_id;
+    target.runtimeToken = data.runtime_token;
+    if (data.refresh_token) {
+        target.refreshToken = data.refresh_token;
+    }
+    target.credentialsStore?.update({
+        installationId: data.installation_id,
+        runtimeToken: data.runtime_token,
+        refreshToken: data.refresh_token,
+        expiresAt: data.expires_at,
+    });
+}
+class RuntimeCredentialsStore {
+    constructor(initial) {
+        this.inflightRefresh = null;
+        if (initial) {
+            this.update(initial);
+        }
+        if (initial?.apiBaseUrl) {
+            this.apiBaseUrl = initial.apiBaseUrl;
+        }
+    }
+    setApiBaseUrl(url) {
+        this.apiBaseUrl = url;
+    }
+    update(partial) {
+        if (partial.installationId) {
+            this.installationId = partial.installationId;
+        }
+        if (partial.runtimeToken) {
+            this.runtimeToken = partial.runtimeToken;
+        }
+        if (partial.refreshToken) {
+            this.refreshToken = partial.refreshToken;
+        }
+        if (partial.expiresAt !== undefined) {
+            this.expiresAt = partial.expiresAt;
+        }
+    }
+    setRuntimeToken(runtimeToken, expiresAt) {
+        this.runtimeToken = runtimeToken;
+        if (expiresAt !== undefined) {
+            this.expiresAt = expiresAt;
+        }
+    }
+    setInstallationId(installationId) {
+        this.installationId = installationId;
+    }
+    setRefreshToken(refreshToken) {
+        this.refreshToken = refreshToken;
+    }
+    getInstallationId() {
+        return this.installationId;
+    }
+    getRuntimeToken() {
+        return this.runtimeToken;
+    }
+    getRefreshToken() {
+        return this.refreshToken;
+    }
+    getExpiresAt() {
+        return this.expiresAt;
+    }
+    getAll() {
+        return {
+            installationId: this.installationId,
+            runtimeToken: this.runtimeToken,
+            refreshToken: this.refreshToken,
+            expiresAt: this.expiresAt,
+        };
+    }
+    hasRecoveryCredentials() {
+        return !!(this.installationId && this.refreshToken);
+    }
+    hasRuntimeToken() {
+        return !!this.runtimeToken;
+    }
+    async refreshRuntimeToken(caller) {
+        if (this.inflightRefresh) {
+            return this.inflightRefresh;
+        }
+        this.inflightRefresh = this.doRefresh(caller).finally(() => {
+            this.inflightRefresh = null;
+        });
+        return this.inflightRefresh;
+    }
+    async doRefresh(caller) {
+        const installationId = this.installationId;
+        const refreshToken = this.refreshToken;
+        const apiBaseUrl = this.apiBaseUrl;
+        if (!installationId || !refreshToken) {
+            throw new Error("Cannot refresh token - missing installation ID or refresh token");
+        }
+        if (!apiBaseUrl) {
+            throw new Error("Cannot refresh token - missing API base URL");
+        }
+        const response = await fetch(`${apiBaseUrl}/api/v1/installations/${installationId}/refresh`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ refresh_token: refreshToken }),
+        });
+        if (!response.ok) {
+            const body = await response.text();
+            throw new Error(`Token refresh failed: ${response.status} - ${body}`);
+        }
+        const data = await response.json();
+        this.runtimeToken = data.runtime_token;
+        if (data.expires_at !== undefined) {
+            this.expiresAt = data.expires_at;
+        }
+        console.log(`[${caller || "CredentialsStore"}] Runtime token refreshed successfully`);
+    }
+}
+
 /**
  * Sekuire Beacon - Deployment Registration & Heartbeat
  *
@@ -879,6 +1016,7 @@ class Beacon {
         this.credentialsStore = config.credentialsStore;
         this.policyGateway = config.policyGateway;
         if (this.credentialsStore) {
+            this.credentialsStore.setApiBaseUrl(this.config.apiBaseUrl);
             this.credentialsStore.update({
                 installationId: resolvedInstallationId,
                 refreshToken: resolvedRefreshToken,
@@ -1066,6 +1204,16 @@ class Beacon {
         }
         // Refresh to get a new runtime token
         try {
+            if (this.credentialsStore) {
+                this.credentialsStore.update({ installationId, refreshToken });
+                await this.credentialsStore.refreshRuntimeToken("Beacon");
+                this.installationId = installationId;
+                this.runtimeToken = this.credentialsStore.getRuntimeToken() ?? null;
+                this.refreshToken = refreshToken;
+                this.expiresAt = this.credentialsStore.getExpiresAt() ?? null;
+                console.log('[Beacon] Credentials recovered via refresh token');
+                return true;
+            }
             const response = await fetch(`${this.config.apiBaseUrl}/api/v1/installations/${installationId}/refresh`, {
                 method: 'POST',
                 headers: {
@@ -1083,14 +1231,8 @@ class Beacon {
             const data = await response.json();
             this.installationId = installationId;
             this.runtimeToken = data.runtime_token;
-            this.refreshToken = refreshToken; // Refresh token is stable
+            this.refreshToken = refreshToken;
             this.expiresAt = data.expires_at || null;
-            this.credentialsStore?.update({
-                installationId,
-                runtimeToken: data.runtime_token,
-                refreshToken,
-                expiresAt: data.expires_at,
-            });
             console.log('[Beacon] Credentials recovered via refresh token');
             return true;
         }
@@ -1200,9 +1342,7 @@ class Beacon {
                 return false;
             }
             const data = await response.json();
-            this.installationId = data.installation_id;
-            this.runtimeToken = data.runtime_token;
-            this.refreshToken = data.refresh_token;
+            applyBootstrapResponse(this, data);
             console.log(`[Beacon] Recovery bootstrap successful, installation ID: ${this.installationId}`);
             return true;
         }
@@ -1239,16 +1379,8 @@ class Beacon {
             throw new Error(`Bootstrap failed: ${response.status} ${response.statusText} - ${body}`);
         }
         const data = await response.json();
-        this.installationId = data.installation_id;
-        this.runtimeToken = data.runtime_token;
-        this.refreshToken = data.refresh_token;
+        applyBootstrapResponse(this, data);
         this.expiresAt = data.expires_at || null;
-        this.credentialsStore?.update({
-            installationId: data.installation_id,
-            runtimeToken: data.runtime_token,
-            refreshToken: data.refresh_token,
-            expiresAt: data.expires_at,
-        });
     }
     /**
      * Send heartbeat (lease renewal) to Sekuire
@@ -1316,6 +1448,11 @@ class Beacon {
      * Refresh the runtime token using the refresh token
      */
     async refreshRuntimeToken() {
+        if (this.credentialsStore) {
+            await this.credentialsStore.refreshRuntimeToken("Beacon");
+            this.runtimeToken = this.credentialsStore.getRuntimeToken() ?? null;
+            return;
+        }
         const installationId = this.getInstallationId();
         const refreshToken = this.getRefreshToken();
         if (!installationId || !refreshToken) {
@@ -1336,7 +1473,6 @@ class Beacon {
         }
         const data = await response.json();
         this.runtimeToken = data.runtime_token;
-        this.credentialsStore?.setRuntimeToken(data.runtime_token, data.expires_at);
         console.log('[Beacon] Runtime token refreshed successfully');
     }
     /**
@@ -2170,66 +2306,6 @@ class PolicyGateway {
     }
 }
 
-class RuntimeCredentialsStore {
-    constructor(initial) {
-        if (initial) {
-            this.update(initial);
-        }
-    }
-    update(partial) {
-        if (partial.installationId) {
-            this.installationId = partial.installationId;
-        }
-        if (partial.runtimeToken) {
-            this.runtimeToken = partial.runtimeToken;
-        }
-        if (partial.refreshToken) {
-            this.refreshToken = partial.refreshToken;
-        }
-        if (partial.expiresAt !== undefined) {
-            this.expiresAt = partial.expiresAt;
-        }
-    }
-    setRuntimeToken(runtimeToken, expiresAt) {
-        this.runtimeToken = runtimeToken;
-        if (expiresAt !== undefined) {
-            this.expiresAt = expiresAt;
-        }
-    }
-    setInstallationId(installationId) {
-        this.installationId = installationId;
-    }
-    setRefreshToken(refreshToken) {
-        this.refreshToken = refreshToken;
-    }
-    getInstallationId() {
-        return this.installationId;
-    }
-    getRuntimeToken() {
-        return this.runtimeToken;
-    }
-    getRefreshToken() {
-        return this.refreshToken;
-    }
-    getExpiresAt() {
-        return this.expiresAt;
-    }
-    getAll() {
-        return {
-            installationId: this.installationId,
-            runtimeToken: this.runtimeToken,
-            refreshToken: this.refreshToken,
-            expiresAt: this.expiresAt,
-        };
-    }
-    hasRecoveryCredentials() {
-        return !!(this.installationId && this.refreshToken);
-    }
-    hasRuntimeToken() {
-        return !!this.runtimeToken;
-    }
-}
-
 function getDefaultExportFromCjs (x) {
 	return x && x.__esModule && Object.prototype.hasOwnProperty.call(x, 'default') ? x['default'] : x;
 }
@@ -2782,6 +2858,7 @@ class TaskWorker {
         this.installationId = resolvedInstallationId || null;
         this.refreshToken = resolvedRefreshToken || null;
         if (this.credentialsStore) {
+            this.credentialsStore.setApiBaseUrl(this.config.apiBaseUrl);
             this.credentialsStore.update({
                 installationId: resolvedInstallationId,
                 refreshToken: resolvedRefreshToken,
@@ -2854,6 +2931,17 @@ class TaskWorker {
             return false;
         }
         try {
+            if (this.credentialsStore) {
+                this.credentialsStore.update({ installationId, refreshToken });
+                await this.credentialsStore.refreshRuntimeToken("Worker");
+                this.installationId = installationId;
+                this.runtimeToken = this.credentialsStore.getRuntimeToken() ?? null;
+                this.refreshToken = refreshToken;
+                const expiresAt = this.credentialsStore.getExpiresAt();
+                this.expiresAt = expiresAt ? new Date(expiresAt).getTime() : null;
+                console.log(`[Worker] Credentials recovered for installation: ${installationId}`);
+                return true;
+            }
             const response = await fetch(`${this.config.apiBaseUrl}/api/v1/installations/${installationId}/refresh`, {
                 method: "POST",
                 headers: {
@@ -2873,12 +2961,6 @@ class TaskWorker {
             this.runtimeToken = data.runtime_token;
             this.refreshToken = refreshToken;
             this.expiresAt = data.expires_at ? new Date(data.expires_at).getTime() : null;
-            this.credentialsStore?.update({
-                installationId,
-                runtimeToken: data.runtime_token,
-                refreshToken,
-                expiresAt: data.expires_at,
-            });
             console.log(`[Worker] Credentials recovered for installation: ${installationId}`);
             return true;
         }
@@ -3121,18 +3203,10 @@ class TaskWorker {
                 throw new Error(`Bootstrap failed: ${response.status} - ${errorText}`);
             }
             const data = await response.json();
-            this.installationId = data.installation_id;
-            this.runtimeToken = data.runtime_token;
-            this.refreshToken = data.refresh_token;
+            applyBootstrapResponse(this, data);
             this.expiresAt = data.expires_at
                 ? new Date(data.expires_at).getTime()
                 : null;
-            this.credentialsStore?.update({
-                installationId: data.installation_id,
-                runtimeToken: data.runtime_token,
-                refreshToken: data.refresh_token,
-                expiresAt: data.expires_at,
-            });
             console.log(`[Worker] Bootstrapped installation: ${this.installationId}`);
         }
         catch (e) {
@@ -3205,6 +3279,11 @@ class TaskWorker {
      * Refresh the runtime token using the refresh token
      */
     async refreshRuntimeToken() {
+        if (this.credentialsStore) {
+            await this.credentialsStore.refreshRuntimeToken("Worker");
+            this.runtimeToken = this.credentialsStore.getRuntimeToken() ?? null;
+            return;
+        }
         const installationId = this.getInstallationId();
         const refreshToken = this.getRefreshToken();
         if (!installationId || !refreshToken) {
@@ -3225,7 +3304,6 @@ class TaskWorker {
         }
         const data = await response.json();
         this.runtimeToken = data.runtime_token;
-        this.credentialsStore?.setRuntimeToken(data.runtime_token, data.expires_at);
         console.log("[Worker] Runtime token refreshed successfully");
     }
     getInstallationId() {
@@ -3291,6 +3369,7 @@ class SekuireSDK {
             installationId: this.config.installationId,
             refreshToken: this.config.refreshToken,
             runtimeToken: this.config.runtimeToken,
+            apiBaseUrl: this.config.apiUrl,
         });
         this.identity = new AgentIdentity(this.config.agentName, this.config.agentId, this.config.privateKey);
         const loggerConfig = {
@@ -3568,20 +3647,22 @@ class SekuireSDK {
      * task registration/completion can use runtime token if bootstrapped.
      */
     createDelegator(options) {
-        const credentials = this.getRuntimeCredentials();
-        const delegator = new A2ATaskDelegator({
+        return new A2ATaskDelegator({
             apiUrl: this.config.apiUrl,
             authToken: this.config.apiKey || "",
             workspaceId: this.config.workspaceId,
             agentId: this.config.agentId,
             timeout: options?.timeout,
             pollInterval: options?.pollInterval,
+            maxRetries: options?.maxRetries,
+            retryDelayMs: options?.retryDelayMs,
+            retryBackoffMultiplier: options?.retryBackoffMultiplier,
             policyGateway: this.policyGateway ?? undefined,
+            tokenResolver: () => this.credentialsStore.getRuntimeToken(),
+            onUnauthorized: async () => {
+                await this.credentialsStore.refreshRuntimeToken("A2AClient");
+            },
         });
-        if (credentials?.runtimeToken) {
-            delegator.setRuntimeToken(credentials.runtimeToken);
-        }
-        return delegator;
     }
     /**
      * Get the agent ID.
@@ -18426,6 +18507,7 @@ exports.ToolRegistry = ToolRegistry;
 exports.ToolUsageError = ToolUsageError;
 exports.TursoStorage = TursoStorage;
 exports.UpstashStorage = UpstashStorage;
+exports.applyBootstrapResponse = applyBootstrapResponse;
 exports.builtInTools = builtInTools;
 exports.calculateSekuireId = calculateSekuireId;
 exports.createAgent = createAgent;

package/dist/runtime-credentials.d.ts

@@ -4,12 +4,30 @@ export interface RuntimeCredentials {
     refreshToken?: string;
     expiresAt?: string;
 }
+export interface BootstrapResponseData {
+    installation_id: string;
+    runtime_token: string;
+    refresh_token?: string;
+    expires_at: string;
+}
+export interface BootstrapTarget {
+    installationId: string | null;
+    runtimeToken: string | null;
+    refreshToken: string | null;
+    credentialsStore?: RuntimeCredentialsStore | null;
+}
+export declare function applyBootstrapResponse(target: BootstrapTarget, data: BootstrapResponseData): void;
 export declare class RuntimeCredentialsStore {
     private installationId?;
     private runtimeToken?;
     private refreshToken?;
     private expiresAt?;
-    constructor(initial?: RuntimeCredentials);
+    private apiBaseUrl?;
+    private inflightRefresh;
+    constructor(initial?: RuntimeCredentials & {
+        apiBaseUrl?: string;
+    });
+    setApiBaseUrl(url: string): void;
     update(partial: RuntimeCredentials): void;
     setRuntimeToken(runtimeToken: string, expiresAt?: string): void;
     setInstallationId(installationId: string): void;
@@ -21,4 +39,6 @@ export declare class RuntimeCredentialsStore {
     getAll(): RuntimeCredentials;
     hasRecoveryCredentials(): boolean;
     hasRuntimeToken(): boolean;
+    refreshRuntimeToken(caller?: string): Promise<void>;
+    private doRefresh;
 }

package/dist/sdk.d.ts

@@ -205,6 +205,9 @@ export declare class SekuireSDK {
     createDelegator(options?: {
         timeout?: number;
         pollInterval?: number;
+        maxRetries?: number;
+        retryDelayMs?: number;
+        retryBackoffMultiplier?: number;
     }): A2ATaskDelegator;
     /**
      * Get the agent ID.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sekuire/sdk",
-  "version": "0.1.22",
+  "version": "0.1.24",
   "description": "Sekuire Identity Protocol SDK for TypeScript/JavaScript",
   "type": "module",
   "main": "dist/index.js",