@turnkey/core 1.0.0 → 1.1.0

package/dist/__clients__/core.js

@@ -2,14 +2,15 @@
 
 var sdkClientBase = require('../__generated__/sdk-client-base.js');
 var sdkTypes = require('@turnkey/sdk-types');
-var base = require('../__types__/base.js');
+var auth = require('../__types__/auth.js');
+var externalWallets = require('../__types__/external-wallets.js');
 var utils = require('../utils.js');
-var base$1 = require('../__storage__/base.js');
-var base$2 = require('../__stampers__/api/base.js');
-var base$3 = require('../__stampers__/passkey/base.js');
+var base = require('../__storage__/base.js');
+var base$1 = require('../__stampers__/api/base.js');
+var base$2 = require('../__stampers__/passkey/base.js');
 var turnkeyHelpers = require('../turnkey-helpers.js');
 var jwtDecode = require('jwt-decode');
-var base$4 = require('../__wallet__/base.js');
+var base$3 = require('../__wallet__/base.js');
 var ethers = require('ethers');
 
 class TurnkeyClient {
@@ -24,29 +25,30 @@ class TurnkeyClient {
          * - The resulting attestation and challenge can be used to register the passkey with Turnkey.
          *
          * @param params.name - display name for the passkey (defaults to a generated name based on the current timestamp).
-         * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
          * @param params.challenge - challenge string to use for passkey registration. If not provided, a new challenge will be generated.
-         * @returns A promise that resolves to an object containing:
-         *   - attestation: attestation object returned from the passkey creation process.
-         *   - encodedChallenge: encoded challenge string used for passkey registration.
+         * @returns A promise that resolves to {@link CreatePasskeyResult}
          * @throws {TurnkeyError} If there is an error during passkey creation, or if the platform is unsupported.
          */
         this.createPasskey = async (params) => {
+            const { name: nameFromParams, challenge } = params || {};
             return utils.withTurnkeyErrorHandling(async () => {
-                const name = utils.isValidPasskeyName(params?.name || `passkey-${Date.now()}`);
+                if (!this.passkeyStamper) {
+                    throw new sdkTypes.TurnkeyError("Passkey stamper is not initialized", sdkTypes.TurnkeyErrorCodes.INTERNAL_ERROR);
+                }
+                const name = utils.isValidPasskeyName(nameFromParams || `passkey-${Date.now()}`);
                 let passkey;
                 if (utils.isWeb()) {
-                    const res = await this.passkeyStamper?.createWebPasskey({
+                    const res = await this.passkeyStamper.createWebPasskey({
                         publicKey: {
                             user: {
                                 name,
                                 displayName: name,
                             },
-                            ...(params?.challenge && { challenge: params.challenge }),
+                            ...(challenge && { challenge }),
                         },
                     });
                     if (!res) {
-                        throw new sdkTypes.TurnkeyError("Failed to create React Native passkey", sdkTypes.TurnkeyErrorCodes.INTERNAL_ERROR);
+                        throw new sdkTypes.TurnkeyError("Failed to create Web passkey", sdkTypes.TurnkeyErrorCodes.INTERNAL_ERROR);
                     }
                     passkey = {
                         encodedChallenge: res?.encodedChallenge,
@@ -54,7 +56,7 @@ class TurnkeyClient {
                     };
                 }
                 else if (utils.isReactNative()) {
-                    const res = await this.passkeyStamper?.createReactNativePasskey({
+                    const res = await this.passkeyStamper.createReactNativePasskey({
                         name,
                         displayName: name,
                     });
@@ -127,6 +129,7 @@ class TurnkeyClient {
          * @param params.publicKey - public key to use for authentication. If not provided, a new key pair will be generated.
          * @param params.sessionKey - session key to use for session creation (defaults to the default session key).
          * @param params.expirationSeconds - session expiration time in seconds (defaults to the configured default).
+         * @param params.organizationId - organization ID to target (defaults to the session's organization ID or the parent organization ID).
          * @returns A promise that resolves to a {@link PasskeyAuthResult}, which includes:
          *          - `sessionToken`: the signed JWT session token.
          *          - `credentialId`: an empty string.
@@ -137,16 +140,16 @@ class TurnkeyClient {
             return await utils.withTurnkeyErrorHandling(async () => {
                 generatedPublicKey =
                     params?.publicKey || (await this.apiKeyStamper?.createKeyPair());
-                const sessionKey = params?.sessionKey || base.SessionKey.DefaultSessionkey;
-                const expirationSeconds = params?.expirationSeconds || base.DEFAULT_SESSION_EXPIRATION_IN_SECONDS;
+                const sessionKey = params?.sessionKey || auth.SessionKey.DefaultSessionkey;
+                const expirationSeconds = params?.expirationSeconds || auth.DEFAULT_SESSION_EXPIRATION_IN_SECONDS;
                 if (!generatedPublicKey) {
                     throw new sdkTypes.TurnkeyError("A publickey could not be found or generated.", sdkTypes.TurnkeyErrorCodes.INTERNAL_ERROR);
                 }
                 const sessionResponse = await this.httpClient.stampLogin({
                     publicKey: generatedPublicKey,
-                    organizationId: this.config.organizationId,
+                    organizationId: params?.organizationId ?? this.config.organizationId,
                     expirationSeconds,
-                }, base.StamperType.Passkey);
+                }, auth.StamperType.Passkey);
                 await this.storeSession({
                     sessionToken: sessionResponse.session,
                     sessionKey,
@@ -195,13 +198,14 @@ class TurnkeyClient {
          * @param params.sessionKey - session key to use for storing the session (defaults to the default session key).
          * @param params.expirationSeconds - session expiration time in seconds (defaults to the configured default).
          * @param params.challenge - challenge string to use for passkey registration. If not provided, a new challenge will be generated.
+         * @param params.organizationId - organization ID to target (defaults to the session's organization ID or the parent organization ID).
          * @returns A promise that resolves to a {@link PasskeyAuthResult}, which includes:
          *          - `sessionToken`: the signed JWT session token.
          *          - `credentialId`: the credential ID associated with the passkey created.
          * @throws {TurnkeyError} If there is an error during passkey creation, sub-organization creation, or session storage.
          */
         this.signUpWithPasskey = async (params) => {
-            const { createSubOrgParams, passkeyDisplayName, sessionKey = base.SessionKey.DefaultSessionkey, expirationSeconds = base.DEFAULT_SESSION_EXPIRATION_IN_SECONDS, } = params || {};
+            const { createSubOrgParams, passkeyDisplayName, sessionKey = auth.SessionKey.DefaultSessionkey, expirationSeconds = auth.DEFAULT_SESSION_EXPIRATION_IN_SECONDS, organizationId, } = params || {};
             let generatedPublicKey = undefined;
             return utils.withTurnkeyErrorHandling(async () => {
                 generatedPublicKey = await this.apiKeyStamper?.createKeyPair();
@@ -244,7 +248,7 @@ class TurnkeyClient {
                 this.apiKeyStamper?.setTemporaryPublicKey(generatedPublicKey);
                 const sessionResponse = await this.httpClient.stampLogin({
                     publicKey: newGeneratedKeyPair,
-                    organizationId: this.config.organizationId,
+                    organizationId: organizationId ?? this.config.organizationId,
                     expirationSeconds,
                 });
                 await this.apiKeyStamper?.deleteKeyPair(generatedPublicKey);
@@ -301,7 +305,7 @@ class TurnkeyClient {
          * - Requires the wallet manager and its connector to be initialized.
          *
          * @param walletProvider - wallet provider to connect.
-         * @returns A promise that resolves once the wallet account is connected.
+         * @returns A promise that resolves with the connected wallet's address.
          * @throws {TurnkeyError} If the wallet manager is uninitialized or the connection fails.
          */
         this.connectWalletAccount = async (walletProvider) => {
@@ -309,7 +313,7 @@ class TurnkeyClient {
                 if (!this.walletManager?.connector) {
                     throw new sdkTypes.TurnkeyError("Wallet connector is not initialized", sdkTypes.TurnkeyErrorCodes.WALLET_MANAGER_COMPONENT_NOT_INITIALIZED);
                 }
-                await this.walletManager.connector.connectWalletAccount(walletProvider);
+                return await this.walletManager.connector.connectWalletAccount(walletProvider);
             }, {
                 errorMessage: "Unable to connect wallet account",
                 errorCode: sdkTypes.TurnkeyErrorCodes.CONNECT_WALLET_ACCOUNT_ERROR,
@@ -357,7 +361,7 @@ class TurnkeyClient {
                 if (!this.walletManager?.connector) {
                     throw new sdkTypes.TurnkeyError("Wallet connector is not initialized", sdkTypes.TurnkeyErrorCodes.WALLET_MANAGER_COMPONENT_NOT_INITIALIZED);
                 }
-                if (walletAccount.source === base.WalletSource.Embedded) {
+                if (walletAccount.source === externalWallets.WalletSource.Embedded) {
                     throw new sdkTypes.TurnkeyError("You can only switch chains for connected wallet accounts", sdkTypes.TurnkeyErrorCodes.NOT_FOUND);
                 }
                 const providers = walletProviders ?? (await this.fetchWalletProviders());
@@ -388,6 +392,7 @@ class TurnkeyClient {
          * @param params.publicKey - optional public key to associate with the session (generated if not provided).
          * @param params.sessionKey - optional key to store the session under (defaults to the default session key).
          * @param params.expirationSeconds - optional session expiration time in seconds (defaults to the configured default).
+         * @param params.organizationId - organization ID to target (defaults to the session's organization ID or the parent organization ID).
          * @returns A promise that resolves to a {@link WalletAuthResult}, which includes:
          *          - `sessionToken`: the signed JWT session token.
          *          - `address`: the authenticated wallet address.
@@ -399,18 +404,18 @@ class TurnkeyClient {
                 if (!this.walletManager?.stamper) {
                     throw new sdkTypes.TurnkeyError("Wallet stamper is not initialized", sdkTypes.TurnkeyErrorCodes.WALLET_MANAGER_COMPONENT_NOT_INITIALIZED);
                 }
-                const sessionKey = params.sessionKey || base.SessionKey.DefaultSessionkey;
+                const sessionKey = params.sessionKey || auth.SessionKey.DefaultSessionkey;
                 const walletProvider = params.walletProvider;
-                const expirationSeconds = params?.expirationSeconds || base.DEFAULT_SESSION_EXPIRATION_IN_SECONDS;
+                const expirationSeconds = params?.expirationSeconds || auth.DEFAULT_SESSION_EXPIRATION_IN_SECONDS;
                 if (!publicKey) {
                     throw new sdkTypes.TurnkeyError("A publickey could not be found or generated.", sdkTypes.TurnkeyErrorCodes.INTERNAL_ERROR);
                 }
                 this.walletManager.stamper.setProvider(walletProvider.interfaceType, walletProvider);
                 const sessionResponse = await this.httpClient.stampLogin({
                     publicKey,
-                    organizationId: this.config.organizationId,
+                    organizationId: params?.organizationId ?? this.config.organizationId,
                     expirationSeconds,
-                }, base.StamperType.Wallet);
+                }, auth.StamperType.Wallet);
                 await this.storeSession({
                     sessionToken: sessionResponse.session,
                     sessionKey,
@@ -452,13 +457,14 @@ class TurnkeyClient {
          * @param params.createSubOrgParams - parameters for creating a sub-organization (e.g., authenticators, user metadata).
          * @param params.sessionKey - session key to use for storing the session (defaults to the default session key).
          * @param params.expirationSeconds - session expiration time in seconds (defaults to the configured default).
+         * @param params.organizationId - organization ID to target (defaults to the session's organization ID or the parent organization ID).
          * @returns A promise that resolves to a {@link WalletAuthResult}, which includes:
          *          - `sessionToken`: the signed JWT session token.
          *          - `address`: the authenticated wallet address.
          * @throws {TurnkeyError} If there is an error during wallet authentication, sub-organization creation, session storage, or cleanup.
          */
         this.signUpWithWallet = async (params) => {
-            const { walletProvider, createSubOrgParams, sessionKey = base.SessionKey.DefaultSessionkey, expirationSeconds = base.DEFAULT_SESSION_EXPIRATION_IN_SECONDS, } = params;
+            const { walletProvider, createSubOrgParams, sessionKey = auth.SessionKey.DefaultSessionkey, expirationSeconds = auth.DEFAULT_SESSION_EXPIRATION_IN_SECONDS, } = params;
             let generatedPublicKey = undefined;
             return utils.withTurnkeyErrorHandling(async () => {
                 if (!this.walletManager?.stamper) {
@@ -543,6 +549,7 @@ class TurnkeyClient {
          * @param params.createSubOrgParams - optional parameters for creating a sub-organization (e.g., authenticators, user metadata).
          * @param params.sessionKey - session key to use for storing the session (defaults to the default session key).
          * @param params.expirationSeconds - session expiration time in seconds (defaults to the configured default).
+         * @param params.organizationId - organization ID to target (defaults to the session's organization ID or the parent organization ID).
          * @returns A promise that resolves to an object containing:
          *          - `sessionToken`: the signed JWT session token.
          *          - `address`: the authenticated wallet address.
@@ -551,9 +558,9 @@ class TurnkeyClient {
          */
         this.loginOrSignupWithWallet = async (params) => {
             const createSubOrgParams = params.createSubOrgParams;
-            const sessionKey = params.sessionKey || base.SessionKey.DefaultSessionkey;
+            const sessionKey = params.sessionKey || auth.SessionKey.DefaultSessionkey;
             const walletProvider = params.walletProvider;
-            const expirationSeconds = params.expirationSeconds || base.DEFAULT_SESSION_EXPIRATION_IN_SECONDS;
+            const expirationSeconds = params.expirationSeconds || auth.DEFAULT_SESSION_EXPIRATION_IN_SECONDS;
             let generatedPublicKey = undefined;
             return utils.withTurnkeyErrorHandling(async () => {
                 if (!this.walletManager?.stamper) {
@@ -569,11 +576,15 @@ class TurnkeyClient {
                         publicKey: generatedPublicKey,
                         organizationId: this.config.organizationId,
                         expirationSeconds,
-                    }, base.StamperType.Wallet);
+                    }, auth.StamperType.Wallet);
                 }, {
                     errorMessage: "Failed to create stamped request for wallet login",
                     errorCode: sdkTypes.TurnkeyErrorCodes.WALLET_LOGIN_OR_SIGNUP_ERROR,
                     customErrorsByMessages: {
+                        "WalletConnect: The connection request has expired. Please scan the QR code again.": {
+                            message: "Your WalletConnect session expired. Please scan the QR code again.",
+                            code: sdkTypes.TurnkeyErrorCodes.WALLET_CONNECT_EXPIRED,
+                        },
                         "Failed to sign the message": {
                             message: "Wallet auth was cancelled by the user.",
                             code: sdkTypes.TurnkeyErrorCodes.CONNECT_WALLET_CANCELLED,
@@ -585,13 +596,13 @@ class TurnkeyClient {
                 }
                 let publicKey;
                 switch (walletProvider.chainInfo.namespace) {
-                    case base.Chain.Ethereum: {
+                    case externalWallets.Chain.Ethereum: {
                         // for Ethereum, there is no way to get the public key from the wallet address
                         // so we derive it from the signed request
                         publicKey = utils.getPublicKeyFromStampHeader(signedRequest.stamp.stampHeaderValue);
                         break;
                     }
-                    case base.Chain.Solana: {
+                    case externalWallets.Chain.Solana: {
                         // for Solana, we can get the public key from the wallet address
                         // since the wallet address is the public key
                         // this doesn't require any action from the user as long as the wallet is connected
@@ -605,7 +616,7 @@ class TurnkeyClient {
                 // here we check if the subOrg exists and create one
                 // then we send off the stamped request to Turnkey
                 const accountRes = await this.httpClient.proxyGetAccount({
-                    filterType: base.FilterType.PublicKey,
+                    filterType: auth.FilterType.PublicKey,
                     filterValue: publicKey,
                 });
                 if (!accountRes) {
@@ -684,6 +695,7 @@ class TurnkeyClient {
          *
          * @param params.otpType - type of OTP to initialize (OtpType.Email or OtpType.Sms).
          * @param params.contact - contact information for the user (e.g., email address or phone number).
+         * @param params.organizationId - optional organization ID to target (defaults to the session's organization ID or the parent organization ID).
          * @returns A promise that resolves to the OTP ID required for verification.
          * @throws {TurnkeyError} If there is an error during the OTP initialization process or if the maximum number of OTPs has been reached.
          */
@@ -733,7 +745,7 @@ class TurnkeyClient {
                     throw new sdkTypes.TurnkeyError(`OTP verification failed`, sdkTypes.TurnkeyErrorCodes.INTERNAL_ERROR);
                 }
                 const accountRes = await this.httpClient.proxyGetAccount({
-                    filterType: base.OtpTypeToFilterTypeMap[otpType],
+                    filterType: auth.OtpTypeToFilterTypeMap[otpType],
                     filterValue: contact,
                 });
                 if (!accountRes) {
@@ -773,7 +785,7 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If there is an error during the OTP login process or if key pair cleanup fails.
          */
         this.loginWithOtp = async (params) => {
-            const { verificationToken, invalidateExisting = false, publicKey = await this.apiKeyStamper?.createKeyPair(), sessionKey = base.SessionKey.DefaultSessionkey, } = params;
+            const { verificationToken, invalidateExisting = false, publicKey = await this.apiKeyStamper?.createKeyPair(), sessionKey = auth.SessionKey.DefaultSessionkey, } = params;
             return utils.withTurnkeyErrorHandling(async () => {
                 const res = await this.httpClient.proxyOtpLogin({
                     verificationToken,
@@ -834,7 +846,7 @@ class TurnkeyClient {
             const signUpBody = utils.buildSignUpBody({
                 createSubOrgParams: {
                     ...createSubOrgParams,
-                    ...(otpType === base.OtpType.Email
+                    ...(otpType === auth.OtpType.Email
                         ? { userEmail: contact }
                         : { userPhoneNumber: contact }),
                     verificationToken,
@@ -946,7 +958,7 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If there is an error during the OAuth completion process, such as account lookup, sign-up, or login.
          */
         this.completeOauth = async (params) => {
-            const { oidcToken, publicKey, createSubOrgParams, providerName = "OpenID Connect Provider" + " " + Date.now(), sessionKey = base.SessionKey.DefaultSessionkey, invalidateExisting = false, } = params;
+            const { oidcToken, publicKey, createSubOrgParams, providerName = "OpenID Connect Provider" + " " + Date.now(), sessionKey = auth.SessionKey.DefaultSessionkey, invalidateExisting = false, } = params;
             return utils.withTurnkeyErrorHandling(async () => {
                 const accountRes = await this.httpClient.proxyGetAccount({
                     filterType: "OIDC_TOKEN",
@@ -1005,7 +1017,7 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If there is an error during the OAuth login process or if key pair cleanup fails.
          */
         this.loginWithOauth = async (params) => {
-            const { oidcToken, invalidateExisting = false, publicKey, sessionKey = base.SessionKey.DefaultSessionkey, } = params;
+            const { oidcToken, invalidateExisting = false, publicKey, sessionKey = auth.SessionKey.DefaultSessionkey, } = params;
             return utils.withTurnkeyErrorHandling(async () => {
                 if (!publicKey) {
                     throw new sdkTypes.TurnkeyError("Public key must be provided to log in with OAuth. Please create a key pair first.", sdkTypes.TurnkeyErrorCodes.MISSING_PARAMS);
@@ -1102,36 +1114,61 @@ class TurnkeyClient {
          * - Returns both embedded and connected wallets in a single array, each with their respective accounts populated.
          * - Optionally allows stamping the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
          *
-         * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
          * @param params.walletProviders - array of wallet providers to use for fetching wallets.
+         * @param params.organizationId - organization ID to target (defaults to the session's organization ID).
+         * @param params.userId - user ID to target (defaults to the session's user ID).
+         * @param params.connectedOnly - if true, fetches only connected wallets; if false or undefined, fetches both embedded and connected wallets.
+         * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
          * @returns A promise that resolves to an array of `Wallet` objects.
          * @throws {TurnkeyError} If no active session is found or if there is an error fetching wallets.
          */
         this.fetchWallets = async (params) => {
-            const { stampWith, walletProviders } = params || {};
+            const { walletProviders, organizationId: organizationIdFromParams, userId: userIdFromParams, connectedOnly, stampWith, } = params || {};
             const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            if (!session && !connectedOnly) {
+                throw new sdkTypes.TurnkeyError("No active session found. Fetching embedded wallets requires a valid session. If you only need connected wallets, set the 'connectedOnly' parameter to true.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            }
+            // if `connectedOnly` is true, we need to make sure the walletManager is initialized
+            // or else we can't fetch connected wallets, and we throw an error
+            if (connectedOnly && !this.walletManager?.connector) {
+                throw new sdkTypes.TurnkeyError("Wallet connector is not initialized", sdkTypes.TurnkeyErrorCodes.WALLET_MANAGER_COMPONENT_NOT_INITIALIZED);
             }
             return utils.withTurnkeyErrorHandling(async () => {
-                const res = await this.httpClient.getWallets({ organizationId: session.organizationId }, stampWith);
-                if (!res || !res.wallets) {
-                    throw new sdkTypes.TurnkeyError("No wallets found in the response", sdkTypes.TurnkeyErrorCodes.BAD_RESPONSE);
-                }
-                const embedded = await Promise.all(res.wallets.map(async (wallet) => {
-                    const embeddedWallet = {
-                        ...wallet,
-                        source: base.WalletSource.Embedded,
-                        accounts: [],
-                    };
-                    const accounts = await this.fetchWalletAccounts({
-                        wallet: embeddedWallet,
-                        ...(stampWith !== undefined && { stampWith }),
-                    });
-                    embeddedWallet.accounts = accounts;
-                    return embeddedWallet;
-                }));
+                let embedded = [];
+                // if connectedOnly is true, we skip fetching embedded wallets
+                if (!connectedOnly) {
+                    const organizationId = organizationIdFromParams || session?.organizationId;
+                    if (!organizationId) {
+                        throw new sdkTypes.TurnkeyError("No organization ID provided and no active session found. Please log in first or pass in an organization ID.", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
+                    }
+                    const userId = userIdFromParams || session?.userId;
+                    if (!userId) {
+                        throw new sdkTypes.TurnkeyError("No user ID provided and no active session found. Please log in first or pass in a user ID.", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
+                    }
+                    const res = await this.httpClient.getWalletAccounts({
+                        organizationId,
+                        includeWalletDetails: true,
+                    }, stampWith);
+                    const walletsRes = await this.httpClient.getWallets({
+                        organizationId,
+                    }, stampWith);
+                    if (!res || !res.accounts) {
+                        throw new sdkTypes.TurnkeyError("No wallet accounts found in the response", sdkTypes.TurnkeyErrorCodes.BAD_RESPONSE);
+                    }
+                    // create a map of walletId to EmbeddedWallet for easy lookup
+                    const walletMap = new Map(walletsRes.wallets.map((wallet) => [
+                        wallet.walletId,
+                        {
+                            ...wallet,
+                            source: externalWallets.WalletSource.Embedded,
+                            accounts: [],
+                        },
+                    ]));
+                    // map the accounts to their respective wallets
+                    embedded = utils.mapAccountsToWallet(res.accounts, walletMap);
+                }
                 // if wallet connecting is disabled we return only embedded wallets
+                // this will never be hit if `connectedOnly` is true because of the check above
                 if (!this.walletManager?.connector)
                     return embedded;
                 const providers = walletProviders ?? (await this.fetchWalletProviders());
@@ -1145,10 +1182,14 @@ class TurnkeyClient {
                     group.push(provider);
                     groupedProviders.set(walletId, group);
                 }
-                const connected = (await Promise.all(Array.from(groupedProviders.entries()).map(async ([walletId, grouped]) => {
+                // has to be done in a for of loop so we can await each fetchWalletAccounts call individually
+                // otherwise await Promise.all would cause them all to fire at once breaking passkey only set ups
+                // (multiple wallet fetches at once causing "OperationError: A request is already pending.")
+                let connected = [];
+                for (const [walletId, grouped] of groupedProviders.entries()) {
                     const timestamp = utils.toExternalTimestamp();
                     const wallet = {
-                        source: base.WalletSource.Connected,
+                        source: externalWallets.WalletSource.Connected,
                         walletId,
                         walletName: grouped[0]?.info?.name ?? "Unknown",
                         createdAt: timestamp,
@@ -1161,10 +1202,16 @@ class TurnkeyClient {
                         wallet,
                         walletProviders: grouped,
                         ...(stampWith !== undefined && { stampWith }),
+                        ...(organizationIdFromParams !== undefined && {
+                            organizationId: organizationIdFromParams,
+                        }),
+                        ...(userIdFromParams !== undefined && { userId: userIdFromParams }),
                     });
                     wallet.accounts = accounts;
-                    return wallet;
-                }))).filter((wallet) => wallet.accounts.length > 0);
+                    if (wallet.accounts.length > 0) {
+                        connected.push(wallet);
+                    }
+                }
                 return [...embedded, ...connected];
             }, {
                 errorMessage: "Failed to fetch wallets",
@@ -1184,22 +1231,30 @@ class TurnkeyClient {
          * @param params.walletProviders - list of wallet providers to filter by (used for connected wallets).
          * @param params.paginationOptions - pagination options for embedded wallets.
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
+         * @param params.organizationId - organization ID to target (defaults to the session's organization ID).
+         * @param params.userId - user ID to target (defaults to the session's user ID).
+         *
          * @returns A promise that resolves to an array of `v1WalletAccount` objects.
          * @throws {TurnkeyError} If no active session is found or if there is an error fetching wallet accounts.
          */
         this.fetchWalletAccounts = async (params) => {
             const { wallet, stampWith, walletProviders, paginationOptions } = params;
             const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
-            }
+            const organizationId = params?.organizationId || session?.organizationId;
+            const userId = params?.userId || session?.userId;
             return utils.withTurnkeyErrorHandling(async () => {
                 // this is an embedded wallet so we fetch accounts from Turnkey
-                if (wallet.source === base.WalletSource.Embedded) {
+                if (wallet.source === externalWallets.WalletSource.Embedded) {
                     const embedded = [];
+                    if (!organizationId) {
+                        throw new sdkTypes.TurnkeyError("No organization ID provided and no active session found. Please log in first or pass in an organization ID.", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
+                    }
+                    if (!userId) {
+                        throw new sdkTypes.TurnkeyError("No user ID provided and no active session found. Please log in first or pass in a user ID.", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
+                    }
                     const res = await this.httpClient.getWalletAccounts({
                         walletId: wallet.walletId,
-                        organizationId: session.organizationId,
+                        organizationId,
                         paginationOptions: paginationOptions || { limit: "100" },
                     }, stampWith);
                     if (!res || !res.accounts) {
@@ -1208,7 +1263,7 @@ class TurnkeyClient {
                     for (const account of res.accounts) {
                         embedded.push({
                             ...account,
-                            source: base.WalletSource.Embedded,
+                            source: externalWallets.WalletSource.Embedded,
                         });
                     }
                     return embedded;
@@ -1230,31 +1285,40 @@ class TurnkeyClient {
                 const matching = providers.filter((p) => p.info?.name?.toLowerCase().replace(/\s+/g, "-") ===
                     wallet.walletId && p.connectedAddresses.length > 0);
                 const sign = this.walletManager.connector.sign.bind(this.walletManager.connector);
-                const user = await this.fetchUser({
-                    stampWith,
-                });
-                const { ethereum: ethereumAddresses, solana: solanaAddresses } = utils.getAuthenticatorAddresses(user);
+                let ethereumAddresses = [];
+                let solanaAddresses = [];
+                // we only fetch the user if we have to the organizationId and userId
+                // if not that means `isAuthenticator` will always be false
+                if (organizationId && userId) {
+                    const user = await this.fetchUser({
+                        userId,
+                        organizationId,
+                        stampWith,
+                    });
+                    ({ ethereum: ethereumAddresses, solana: solanaAddresses } =
+                        utils.getAuthenticatorAddresses(user));
+                }
                 for (const provider of matching) {
                     const timestamp = utils.toExternalTimestamp();
                     for (const address of provider.connectedAddresses) {
                         if (utils.isEthereumProvider(provider)) {
                             const evmAccount = {
                                 walletAccountId: `${wallet.walletId}-${provider.interfaceType}-${address}`,
-                                organizationId: session.organizationId,
+                                organizationId: organizationId ?? "",
                                 walletId: wallet.walletId,
                                 pathFormat: "PATH_FORMAT_BIP32",
-                                path: base.WalletSource.Connected,
-                                source: base.WalletSource.Connected,
+                                path: externalWallets.WalletSource.Connected,
+                                source: externalWallets.WalletSource.Connected,
                                 address,
                                 createdAt: timestamp,
                                 updatedAt: timestamp,
                                 // ethereum specific
-                                curve: base.Curve.SECP256K1,
+                                curve: externalWallets.Curve.SECP256K1,
                                 addressFormat: "ADDRESS_FORMAT_ETHEREUM",
                                 chainInfo: provider.chainInfo,
                                 isAuthenticator: ethereumAddresses.includes(address.toLowerCase()),
-                                signMessage: (msg) => sign(msg, provider, base.SignIntent.SignMessage),
-                                signAndSendTransaction: (tx) => sign(tx, provider, base.SignIntent.SignAndSendTransaction),
+                                signMessage: (msg) => sign(msg, provider, externalWallets.SignIntent.SignMessage),
+                                signAndSendTransaction: (tx) => sign(tx, provider, externalWallets.SignIntent.SignAndSendTransaction),
                             };
                             connected.push(evmAccount);
                             continue;
@@ -1262,22 +1326,22 @@ class TurnkeyClient {
                         if (utils.isSolanaProvider(provider)) {
                             const solAccount = {
                                 walletAccountId: `${wallet.walletId}-${provider.interfaceType}-${address}`,
-                                organizationId: session.organizationId,
+                                organizationId: organizationId ?? "",
                                 walletId: wallet.walletId,
                                 pathFormat: "PATH_FORMAT_BIP32",
-                                path: base.WalletSource.Connected,
-                                source: base.WalletSource.Connected,
+                                path: externalWallets.WalletSource.Connected,
+                                source: externalWallets.WalletSource.Connected,
                                 address,
                                 createdAt: timestamp,
                                 updatedAt: timestamp,
                                 // solana specific
                                 publicKey: address,
-                                curve: base.Curve.ED25519,
+                                curve: externalWallets.Curve.ED25519,
                                 addressFormat: "ADDRESS_FORMAT_SOLANA",
                                 chainInfo: provider.chainInfo,
                                 isAuthenticator: solanaAddresses.includes(address),
-                                signMessage: (msg) => sign(msg, provider, base.SignIntent.SignMessage),
-                                signTransaction: (tx) => sign(tx, provider, base.SignIntent.SignTransaction),
+                                signMessage: (msg) => sign(msg, provider, externalWallets.SignIntent.SignMessage),
+                                signTransaction: (tx) => sign(tx, provider, externalWallets.SignIntent.SignTransaction),
                             };
                             connected.push(solAccount);
                             continue;
@@ -1298,17 +1362,19 @@ class TurnkeyClient {
          * - Supports stamping the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
          *
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
+         * @param params.organizationId - organization ID to target (defaults to the session's organization ID).
          * @returns A promise that resolves to an array of `v1PrivateKey` objects.
          * @throws {TurnkeyError} If no active session is found or if there is an error fetching private keys.
          */
         this.fetchPrivateKeys = async (params) => {
             const { stampWith } = params || {};
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const organizationId = params?.organizationId || session?.organizationId;
+            if (!organizationId) {
+                throw new sdkTypes.TurnkeyError("No organization ID provided and no active session found. Please log in first or pass in an organization ID.", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
             return utils.withTurnkeyErrorHandling(async () => {
-                const res = await this.httpClient.getPrivateKeys({ organizationId: session.organizationId }, stampWith);
+                const res = await this.httpClient.getPrivateKeys({ organizationId }, stampWith);
                 if (!res) {
                     throw new sdkTypes.TurnkeyError("Failed to fetch private keys", sdkTypes.TurnkeyErrorCodes.BAD_RESPONSE);
                 }
@@ -1321,61 +1387,77 @@ class TurnkeyClient {
         /**
          * Signs a message using the specified wallet account.
          *
-         * - Supports both embedded and connected wallets.
-         * - For **connected wallets**:
+         * Behavior differs depending on the wallet type:
+         *
+         * - **Connected wallets**
          *   - Delegates signing to the wallet provider’s native signing method.
-         *   - **Important:** For Ethereum wallets (e.g., MetaMask), signatures follow [EIP-191](https://eips.ethereum.org/EIPS/eip-191).
-         *     The message is automatically prefixed with `"\x19Ethereum Signed Message:\n" + message length`
-         *     before signing. As a result, this signature **cannot be used as a raw transaction signature**
-         *     or broadcast on-chain.
-         * - For **embedded wallets**, uses the Turnkey API to sign the message directly.
-         * - Automatically handles message encoding and hashing based on the wallet account’s address format,
+         *   - *Ethereum*: signatures always follow [EIP-191](https://eips.ethereum.org/EIPS/eip-191).
+         *     - The wallet automatically prefixes messages with
+         *       `"\x19Ethereum Signed Message:\n" + message length` before signing.
+         *     - As a result, these signatures cannot be used as raw transaction signatures or broadcast on-chain.
+         *     - If `addEthereumPrefix` is set to `false`, an error is thrown because connected Ethereum wallets always prefix.
+         *   - *Other chains*: follows the native connected wallet behavior.
+         *
+         * - **Embedded wallets**
+         *   - Uses the Turnkey API to sign the message directly.
+         *   - Supports optional `addEthereumPrefix`:
+         *     - If `true` (default for Ethereum), the message is prefixed before signing.
+         *     - If `false`, the raw message is signed without any prefix.
+         *
+         * Additional details:
+         * - Automatically handles encoding and hashing based on the wallet account’s address format,
          *   unless explicitly overridden.
+         * - Optionally allows stamping with a specific stamper
+         *   (`StamperType.Passkey`, `StamperType.ApiKey`, or `StamperType.Wallet`).
          *
-         * @param params.message - message to sign.
+         * @param params.message - plaintext (UTF-8) message to sign.
          * @param params.walletAccount - wallet account to use for signing.
-         * @param params.encoding - override for the payload encoding (defaults to the encoding appropriate for the address type).
-         * @param params.hashFunction - override for the hash function (defaults to the hash function appropriate for the address type).
-         * @param params.stampWith - stamper to tag the signing request (e.g., Passkey, ApiKey, or Wallet).
-         * @param params.addEthereumPrefix - whether to prefix the message with Ethereum's `"\x19Ethereum Signed Message:\n"` string.
-         *   - If `true` (default for Ethereum), the message is prefixed before signing.
-         *   - If `false`:
-         *     - Connected wallets will throw an error because they always prefix automatically.
-         *     - Embedded wallets will sign the raw message without any prefix.
-         *
-         * @returns A promise resolving to a `v1SignRawPayloadResult` containing the signature and metadata.
-         * @throws {TurnkeyError} If signing fails, if the wallet account does not support signing, or if the response is invalid.
+         * @param params.encoding - override for payload encoding (defaults to the encoding appropriate for the address format).
+         * @param params.hashFunction - override for hash function (defaults to the function appropriate for the address format).
+         * @param params.stampWith - optional stamper for the signing request.
+         * @param params.addEthereumPrefix - whether to prefix the message with Ethereum’s
+         *   `"\x19Ethereum Signed Message:\n"` string (default: `true` for Ethereum).
+         * @param params.organizationId - organization ID to target (defaults to the session's organization ID).
+         *
+         * @returns A promise that resolves to a `v1SignRawPayloadResult` containing the signature and metadata.
+         * @throws {TurnkeyError} If signing fails, the wallet type does not support message signing, or the response is invalid.
          */
         this.signMessage = async (params) => {
-            const { message, walletAccount, stampWith, addEthereumPrefix } = params;
+            const { message, walletAccount, stampWith, addEthereumPrefix, organizationId, } = params;
             const hashFunction = params.hashFunction || utils.getHashFunction(walletAccount.addressFormat);
             const payloadEncoding = params.encoding || utils.getEncodingType(walletAccount.addressFormat);
             return utils.withTurnkeyErrorHandling(async () => {
                 const isEthereum = walletAccount.addressFormat === "ADDRESS_FORMAT_ETHEREUM";
-                if (walletAccount.source === base.WalletSource.Connected) {
+                if (walletAccount.source === externalWallets.WalletSource.Connected) {
                     // this is a connected wallet
                     if (!addEthereumPrefix && isEthereum) {
                         throw new sdkTypes.TurnkeyError("Connected Ethereum wallets automatically prefix messages. Use `addEthereumPrefix: true`.", sdkTypes.TurnkeyErrorCodes.SIGN_MESSAGE_ERROR);
                     }
                     let encodedMessage = message;
                     if (isEthereum) {
-                        encodedMessage = utils.getEncodedMessage(walletAccount.addressFormat, message);
+                        const msgBytes = ethers.toUtf8Bytes(message);
+                        encodedMessage = utils.getEncodedMessage(payloadEncoding, msgBytes);
                     }
                     const sigHex = await walletAccount.signMessage(encodedMessage);
                     return utils.splitSignature(sigHex, walletAccount.addressFormat);
                 }
                 // this is an embedded wallet
-                let messageToEncode = message;
+                let msgBytes = ethers.toUtf8Bytes(message);
                 if (addEthereumPrefix && isEthereum) {
-                    const prefix = `\x19Ethereum Signed Message:\n${ethers.toUtf8Bytes(message).length}`;
-                    messageToEncode = prefix + message;
-                }
-                const encodedMessage = utils.getEncodedMessage(walletAccount.addressFormat, messageToEncode);
+                    const prefix = `\x19Ethereum Signed Message:\n${msgBytes.length}`;
+                    const prefixBytes = ethers.toUtf8Bytes(prefix);
+                    const combined = new Uint8Array(prefixBytes.length + msgBytes.length);
+                    combined.set(prefixBytes, 0);
+                    combined.set(msgBytes, prefixBytes.length);
+                    msgBytes = combined;
+                }
+                const encodedMessage = utils.getEncodedMessage(payloadEncoding, msgBytes);
                 const response = await this.httpClient.signRawPayload({
                     signWith: walletAccount.address,
                     payload: encodedMessage,
                     encoding: payloadEncoding,
                     hashFunction,
+                    ...(organizationId && { organizationId }),
                 }, stampWith);
                 if (response.activity.failure) {
                     throw new sdkTypes.TurnkeyError("Failed to sign message, no signed payload returned", sdkTypes.TurnkeyErrorCodes.SIGN_MESSAGE_ERROR);
@@ -1390,27 +1472,35 @@ class TurnkeyClient {
         /**
          * Signs a transaction using the specified wallet account.
          *
-         * - This function signs a blockchain transaction using the provided wallet address and transaction data.
-         * - Supports all Turnkey-supported blockchain networks (e.g., Ethereum, Solana, Tron).
-         * - Automatically determines the appropriate signing method based on the transaction type.
-         * - Delegates signing to the Turnkey API, which returns the signed transaction and related metadata.
-         * - Optionally allows stamping the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
+         * Behavior differs depending on the type of wallet:
+         *
+         * - **Connected wallets**
+         *   - Ethereum: does not support raw transaction signing. Calling this function will throw an error instructing you to use `signAndSendTransaction` instead.
+         *   - Solana: supports raw transaction signing via the connected wallet provider.
+         *   - Other chains: not supported; will throw an error.
          *
-         * @param params.walletAccount - wallet account to use for signing the transaction.
-         * @param params.unsignedTransaction - unsigned transaction data (serialized as a string) to be signed.
+         * - **Embedded wallets**
+         *   - Delegates signing to the Turnkey API, which returns the signed transaction.
+         *   - Supports all Turnkey-supported transaction types (e.g., Ethereum, Solana, Tron).
+         *   - Optionally allows stamping with a specific stamper (`StamperType.Passkey`, `StamperType.ApiKey`, or `StamperType.Wallet`).
+         *
+         * @param params.walletAccount - wallet account to use for signing.
+         * @param params.unsignedTransaction - unsigned transaction data as a serialized
+         *   string in the canonical encoding for the given `transactionType`.
          * @param params.transactionType - type of transaction (e.g., "TRANSACTION_TYPE_ETHEREUM", "TRANSACTION_TYPE_SOLANA", "TRANSACTION_TYPE_TRON").
-         * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
-         * @returns A promise that resolves to a `TSignTransactionResponse` object containing the signed transaction and any additional signing metadata.
-         * @throws {TurnkeyError} If there is an error signing the transaction or if the response is invalid.
+         * @param params.stampWith - stamper to use for signing (`StamperType.Passkey`, `StamperType.ApiKey`, or `StamperType.Wallet`).
+         * @param params.organizationId - organization ID to target (defaults to the session's organization ID).
+         * @returns A promise that resolves to the signed transaction string.
+         * @throws {TurnkeyError} If the wallet type is unsupported, signing fails, or the response is invalid.
          */
         this.signTransaction = async (params) => {
-            const { walletAccount, unsignedTransaction, transactionType, stampWith } = params;
+            const { walletAccount, unsignedTransaction, transactionType, stampWith, organizationId, } = params;
             return utils.withTurnkeyErrorHandling(async () => {
-                if (walletAccount.source === base.WalletSource.Connected) {
+                if (walletAccount.source === externalWallets.WalletSource.Connected) {
                     switch (walletAccount.chainInfo.namespace) {
-                        case base.Chain.Ethereum:
+                        case externalWallets.Chain.Ethereum:
                             throw new sdkTypes.TurnkeyError("Ethereum connected wallets do not support raw transaction signing. Use signAndSendTransaction instead.", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
-                        case base.Chain.Solana:
+                        case externalWallets.Chain.Solana:
                             // not sure why typescript isn't inferring the type here
                             // if namespace is Chain.Solana, then it must be a ConnectedSolanaWalletAccount
                             return walletAccount.signTransaction(unsignedTransaction);
@@ -1423,6 +1513,7 @@ class TurnkeyClient {
                     signWith: walletAccount.address,
                     unsignedTransaction,
                     type: transactionType,
+                    ...(organizationId && { organizationId }),
                 }, stampWith);
                 return signTransaction.signedTransaction;
             }, {
@@ -1433,34 +1524,41 @@ class TurnkeyClient {
         /**
          * Signs and broadcasts a transaction using the specified wallet account.
          *
-         * - For **connected wallets**:
-         *   - Calls the wallet’s native `signAndSendTransaction` method.
-         *   - Does **not** require an `rpcUrl`.
+         * Behavior differs depending on the type of wallet:
+         *
+         * - **Connected wallets**
+         *   - *Ethereum*: delegates to the wallet’s native `signAndSendTransaction` method.
+         *     - Does **not** require an `rpcUrl` (the wallet handles broadcasting).
+         *   - *Solana*: signs the transaction locally with the connected wallet, but requires an `rpcUrl` to broadcast it.
+         *   - Other chains: not supported; will throw an error.
          *
-         * - For **embedded wallets**:
+         * - **Embedded wallets**
          *   - Signs the transaction using the Turnkey API.
-         *   - Requires an `rpcUrl` to broadcast the transaction.
-         *   - Broadcasts the transaction using a JSON-RPC client.
-         *
-         * @param params.walletAccount - wallet account to use for signing and sending.
-         * @param params.unsignedTransaction - unsigned transaction (serialized string).
-         * @param params.transactionType - transaction type (e.g., "TRANSACTION_TYPE_SOLANA").
-         * @param params.rpcUrl - required for embedded wallets to broadcast the signed transaction.
-         * @param params.stampWith - optional stamper to tag the signing request.
+         *   - Requires an `rpcUrl` to broadcast the signed transaction, since Turnkey does not broadcast directly.
+         *   - Broadcasts the transaction using a JSON-RPC client and returns the resulting transaction hash/signature.
+         *   - Optionally allows stamping with a specific stamper (`StamperType.Passkey`, `StamperType.ApiKey`, or `StamperType.Wallet`).
+         *
+         * @param params.walletAccount - wallet account to use for signing and broadcasting.
+         * @param params.unsignedTransaction - unsigned transaction data as a serialized
+         *   string in the canonical encoding for the given `transactionType`.
+         * @param params.transactionType - type of transaction (e.g., `"TRANSACTION_TYPE_SOLANA"`, `"TRANSACTION_TYPE_ETHEREUM"`).
+         * @param params.rpcUrl - JSON-RPC endpoint used for broadcasting (required for Solana connected wallets and all embedded wallets).
+         * @param params.stampWith - optional stamper to use when signing (`StamperType.Passkey`, `StamperType.ApiKey`, or `StamperType.Wallet`).
+         * @param params.organizationId - **Only for Turnkey embedded wallets**: organization ID to target (defaults to the session's organization ID).
          * @returns A promise that resolves to a transaction signature or hash.
-         * @throws {TurnkeyError} If signing or broadcasting fails.
+         * @throws {TurnkeyError} If the wallet type is unsupported, or if signing/broadcasting fails.
          */
         this.signAndSendTransaction = async (params) => {
-            const { walletAccount, unsignedTransaction, transactionType, rpcUrl, stampWith, } = params;
+            const { walletAccount, unsignedTransaction, transactionType, rpcUrl, stampWith, organizationId, } = params;
             return utils.withTurnkeyErrorHandling(async () => {
-                if (walletAccount.source === base.WalletSource.Connected) {
+                if (walletAccount.source === externalWallets.WalletSource.Connected) {
                     // this is a connected wallet account
                     switch (walletAccount.chainInfo.namespace) {
-                        case base.Chain.Ethereum:
+                        case externalWallets.Chain.Ethereum:
                             // not sure why typescript isn't inferring the type here
                             // if namespace is Chain.Ethereum, then it must be a ConnectedEthereumWalletAccount
                             return await walletAccount.signAndSendTransaction(unsignedTransaction);
-                        case base.Chain.Solana:
+                        case externalWallets.Chain.Solana:
                             if (!rpcUrl) {
                                 throw new sdkTypes.TurnkeyError("Missing rpcUrl: connected Solana wallets require an RPC URL to broadcast transactions.", sdkTypes.TurnkeyErrorCodes.SIGN_AND_SEND_TRANSACTION_ERROR);
                             }
@@ -1486,6 +1584,7 @@ class TurnkeyClient {
                     signWith: walletAccount.address,
                     unsignedTransaction,
                     type: transactionType,
+                    ...(organizationId && { organizationId }),
                 }, stampWith);
                 const signedTx = signTransactionResponse.signedTransaction;
                 const txHash = await utils.broadcastTransaction({
@@ -1515,16 +1614,16 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If there is no active session, if there is no userId, or if there is an error fetching user details.
          */
         this.fetchUser = async (params) => {
-            const { stampWith } = params || {};
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
-            }
-            const userId = params?.userId || session.userId;
+            const { organizationId: organizationIdFromParams, userId: userIdFromParams, stampWith, } = params || {};
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const userId = userIdFromParams || session?.userId;
             if (!userId) {
                 throw new sdkTypes.TurnkeyError("User ID must be provided to fetch user", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
-            const organizationId = params?.organizationId || session.organizationId;
+            const organizationId = organizationIdFromParams || session?.organizationId;
+            if (!organizationId) {
+                throw new sdkTypes.TurnkeyError("Organization ID must be provided to fetch user", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
+            }
             return utils.withTurnkeyErrorHandling(async () => {
                 const userResponse = await this.httpClient.getUser({ organizationId, userId }, stampWith);
                 if (!userResponse || !userResponse.user) {
@@ -1547,24 +1646,26 @@ class TurnkeyClient {
          * @param params.publicKey - the P-256 public key to use for lookup and creation.
          * @param params.createParams.userName - optional username to assign if creating a new user (defaults to `"Public Key User"`).
          * @param params.createParams.apiKeyName - optional API key name to assign if creating a new API key (defaults to `public-key-user-${publicKey}`).
+         * @param params.organizationId - organization ID to specify the sub-organization (defaults to the current session's organizationId).
+         * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
          * @returns A promise that resolves to the existing or newly created {@link v1User}.
          * @throws {TurnkeyError} If there is no active session, if the input is invalid, if user retrieval fails, or if user creation fails.
          */
         this.fetchOrCreateP256ApiKeyUser = async (params) => {
-            const { publicKey, createParams } = params;
+            const { publicKey, createParams, stampWith, organizationId: organizationIdFromParams, } = params;
             return utils.withTurnkeyErrorHandling(async () => {
-                const session = await this.storageManager.getActiveSession();
-                if (!session) {
-                    throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+                const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+                const organizationId = organizationIdFromParams || session?.organizationId;
+                if (!organizationId) {
+                    throw new sdkTypes.TurnkeyError("Organization ID is required to fetch or create P-256 API key user.", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
                 }
-                const organizationId = session.organizationId;
                 // we validate their input
                 if (!publicKey?.trim()) {
                     throw new sdkTypes.TurnkeyError("'publicKey' is required and cannot be empty.", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
                 }
                 const usersResponse = await this.httpClient.getUsers({
                     organizationId,
-                });
+                }, stampWith);
                 if (!usersResponse || !usersResponse.users) {
                     throw new sdkTypes.TurnkeyError("No users found in the response", sdkTypes.TurnkeyErrorCodes.BAD_RESPONSE);
                 }
@@ -1594,7 +1695,7 @@ class TurnkeyClient {
                             oauthProviders: [],
                         },
                     ],
-                });
+                }, stampWith);
                 if (!createUserResp?.userIds ||
                     createUserResp.userIds.length === 0 ||
                     !createUserResp.userIds[0]) {
@@ -1604,6 +1705,7 @@ class TurnkeyClient {
                 return await this.fetchUser({
                     organizationId,
                     userId: newUserId,
+                    stampWith,
                 });
             }, {
                 errorMessage: "Failed to get or create P-256 API key user",
@@ -1619,6 +1721,8 @@ class TurnkeyClient {
          *   - If it does not exist, it is created and returned with its new `policyId`.
          *
          * @param params.policies - the list of policies to fetch or create.
+         * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
+         * @param params.organizationId - organization ID to specify the sub-organization (defaults to the current session's organizationId).
          * @returns A promise that resolves to an array of objects, each containing:
          *          - `policyId`: the unique identifier of the policy.
          *          - `policyName`: human-readable name of the policy.
@@ -1630,20 +1734,20 @@ class TurnkeyClient {
          *                        if fetching policies fails, or if creating policies fails.
          */
         this.fetchOrCreatePolicies = async (params) => {
-            const { policies } = params;
+            const { policies, stampWith } = params;
             return await utils.withTurnkeyErrorHandling(async () => {
-                const session = await this.storageManager.getActiveSession();
-                if (!session) {
-                    throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
-                }
+                const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
                 if (!Array.isArray(policies) || policies.length === 0) {
                     throw new sdkTypes.TurnkeyError("'policies' must be a non-empty array of policy definitions.", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
                 }
-                const organizationId = session.organizationId;
+                const organizationId = params?.organizationId ?? session?.organizationId;
+                if (!organizationId) {
+                    throw new sdkTypes.TurnkeyError("Organization ID is required to fetch or create policies.", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
+                }
                 // we first fetch existing policies
                 const existingPoliciesResponse = await this.httpClient.getPolicies({
                     organizationId,
-                });
+                }, stampWith);
                 const existingPolicies = existingPoliciesResponse.policies || [];
                 // we create a map of existing policies by their signature
                 // where the policySignature maps to its policyId
@@ -1676,10 +1780,10 @@ class TurnkeyClient {
                 const createPoliciesResponse = await this.httpClient.createPolicies({
                     organizationId,
                     policies: missingPolicies,
-                });
+                }, stampWith);
                 // assign returned IDs back to the missing ones in order
                 if (!createPoliciesResponse || !createPoliciesResponse.policyIds) {
-                    throw new sdkTypes.TurnkeyError("Failed to create missing delegated access policies", sdkTypes.TurnkeyErrorCodes.CREATE_POLICY_ERROR);
+                    throw new sdkTypes.TurnkeyError("Failed to create missing policies", sdkTypes.TurnkeyErrorCodes.CREATE_POLICY_ERROR);
                 }
                 const newlyCreatedPolicies = missingPolicies.map((p, idx) => ({
                     ...p,
@@ -1691,7 +1795,7 @@ class TurnkeyClient {
                 // which includes each of their respective IDs
                 return [...alreadyExistingPolicies, ...newlyCreatedPolicies];
             }, {
-                errorMessage: "Failed to get or create delegated access policies",
+                errorMessage: "Failed to get or create policies",
                 errorCode: sdkTypes.TurnkeyErrorCodes.CREATE_USERS_ERROR,
             });
         };
@@ -1708,19 +1812,20 @@ class TurnkeyClient {
          * @param params.verificationToken - verification token from OTP email verification (required if verifying the email).
          * @param params.userId - user ID to update a specific user's email (defaults to the current session's userId).
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
+         * @param params.organizationId - organization ID to specify the sub-organization (defaults to the current session's organizationId).
          * @returns A promise that resolves to the userId of the updated user.
          * @throws {TurnkeyError} If there is no active session, if the userId is missing, or if there is an error updating or verifying the user email.
          */
         this.updateUserEmail = async (params) => {
-            const { verificationToken, email, stampWith } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { verificationToken, email, stampWith, organizationId } = params;
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const userId = params?.userId || session?.userId;
+            if (!userId) {
+                throw new sdkTypes.TurnkeyError("User ID must be provided to update user email", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
-            const userId = params?.userId || session.userId;
             return utils.withTurnkeyErrorHandling(async () => {
                 const existingUser = await this.httpClient.proxyGetAccount({
-                    filterType: base.FilterType.Email,
+                    filterType: auth.FilterType.Email,
                     filterValue: email,
                 });
                 if (existingUser.organizationId) {
@@ -1730,6 +1835,7 @@ class TurnkeyClient {
                     userId: userId,
                     userEmail: email,
                     ...(verificationToken && { verificationToken }),
+                    ...(organizationId && { organizationId }),
                 }, stampWith);
                 if (!res || !res.userId) {
                     throw new sdkTypes.TurnkeyError("No user ID found in the update user email response", sdkTypes.TurnkeyErrorCodes.BAD_RESPONSE);
@@ -1750,20 +1856,22 @@ class TurnkeyClient {
          *
          * @param params.userId - user ID to remove a specific user's email address (defaults to the current session's userId).
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
+         * @param params.organizationId - organization ID to specify the sub-organization (defaults to the current session's organizationId).
          * @returns A promise that resolves to the userId of the user whose email was removed.
          * @throws {TurnkeyError} If there is no active session, if the userId is missing, or if there is an error removing the user email.
          */
         this.removeUserEmail = async (params) => {
-            const { stampWith } = params || {};
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
-            }
+            const { stampWith, organizationId } = params || {};
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
             return utils.withTurnkeyErrorHandling(async () => {
-                const userId = params?.userId || session.userId;
+                const userId = params?.userId || session?.userId;
+                if (!userId) {
+                    throw new sdkTypes.TurnkeyError("User ID must be provided to remove user email", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
+                }
                 const res = await this.httpClient.updateUserEmail({
                     userId: userId,
                     userEmail: "",
+                    ...(organizationId && { organizationId }),
                 }, stampWith);
                 if (!res || !res.userId) {
                     throw new sdkTypes.TurnkeyError("No user ID found in the remove user email response", sdkTypes.TurnkeyErrorCodes.BAD_RESPONSE);
@@ -1787,21 +1895,23 @@ class TurnkeyClient {
          * @param params.verificationToken - verification token from OTP phone verification (required if verifying the phone number).
          * @param params.userId - user ID to update a specific user's phone number (defaults to the current session's userId).
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
+         * @param params.organizationId - organization ID to specify the sub-organization (defaults to the current session's organizationId).
          * @returns A promise that resolves to the userId of the updated user.
          * @throws {TurnkeyError} If there is no active session, if the userId is missing, or if there is an error updating or verifying the user phone number.
          */
         this.updateUserPhoneNumber = async (params) => {
-            const { verificationToken, phoneNumber, stampWith } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { verificationToken, phoneNumber, stampWith, organizationId } = params;
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const userId = params?.userId || session?.userId;
+            if (!userId) {
+                throw new sdkTypes.TurnkeyError("User ID must be provided to update user phone number", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
-            const userId = params?.userId || session.userId;
             return utils.withTurnkeyErrorHandling(async () => {
                 const res = await this.httpClient.updateUserPhoneNumber({
                     userId,
                     userPhoneNumber: phoneNumber,
                     ...(verificationToken && { verificationToken }),
+                    ...(organizationId && { organizationId }),
                 }, stampWith);
                 if (!res || !res.userId) {
                     throw new sdkTypes.TurnkeyError("Failed to update user phone number", sdkTypes.TurnkeyErrorCodes.UPDATE_USER_PHONE_NUMBER_ERROR);
@@ -1822,20 +1932,22 @@ class TurnkeyClient {
          *
          * @param params.userId - user ID to remove a specific user's phone number (defaults to the current session's userId).
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
+         * @param params.organizationId - organization ID to specify the sub-organization (defaults to the current session's organizationId).
          * @returns A promise that resolves to the userId of the user whose phone number was removed.
          * @throws {TurnkeyError} If there is no active session, if the userId is missing, or if there is an error removing the user phone number.
          */
         this.removeUserPhoneNumber = async (params) => {
-            const { stampWith } = params || {};
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { stampWith, organizationId } = params || {};
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const userId = params?.userId || session?.userId;
+            if (!userId) {
+                throw new sdkTypes.TurnkeyError("User ID must be provided to remove user phone number", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
-            const userId = params?.userId || session.userId;
             return utils.withTurnkeyErrorHandling(async () => {
                 const res = await this.httpClient.updateUserPhoneNumber({
                     userId,
                     userPhoneNumber: "",
+                    ...(organizationId && { organizationId }),
                 }, stampWith);
                 if (!res || !res.userId) {
                     throw new sdkTypes.TurnkeyError("Failed to remove user phone number", sdkTypes.TurnkeyErrorCodes.UPDATE_USER_PHONE_NUMBER_ERROR);
@@ -1858,20 +1970,22 @@ class TurnkeyClient {
          * @param params.userName - new name to set for the user.
          * @param params.userId - user ID to update a specific user's name (defaults to the current session's userId).
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
+         * @param params.organizationId - organization ID to specify the sub-organization (defaults to the current session's organizationId).
          * @returns A promise that resolves to the userId of the updated user.
          * @throws {TurnkeyError} If there is no active session, if the userId is missing, or if there is an error updating the user name.
          */
         this.updateUserName = async (params) => {
-            const { userName, stampWith } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { userName, stampWith, organizationId } = params;
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const userId = params?.userId || session?.userId;
+            if (!userId) {
+                throw new sdkTypes.TurnkeyError("User ID must be provided to update user name", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
-            const userId = params?.userId || session.userId;
             return utils.withTurnkeyErrorHandling(async () => {
                 const res = await this.httpClient.updateUserName({
                     userId,
                     userName,
+                    ...(organizationId && { organizationId }),
                 }, stampWith);
                 if (!res || !res.userId) {
                     throw new sdkTypes.TurnkeyError("No user ID found in the update user name response", sdkTypes.TurnkeyErrorCodes.BAD_RESPONSE);
@@ -1894,6 +2008,7 @@ class TurnkeyClient {
          *
          * @param params.providerName - name of the OAuth provider to add (e.g., "Google", "Apple").
          * @param params.oidcToken - OIDC token for the OAuth provider.
+         * @param params.organizationId - organization ID to specify the sub-organization (defaults to the current session's organizationId).
          * @param params.userId - user ID to add the provider for a specific user (defaults to current session's userId).
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
          * @returns A promise that resolves to an array of provider IDs associated with the user.
@@ -1901,29 +2016,34 @@ class TurnkeyClient {
          */
         this.addOauthProvider = async (params) => {
             const { providerName, oidcToken, stampWith } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
-            }
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
             return utils.withTurnkeyErrorHandling(async () => {
                 const accountRes = await this.httpClient.proxyGetAccount({
                     filterType: "OIDC_TOKEN",
                     filterValue: oidcToken,
                 });
                 if (!accountRes) {
-                    throw new sdkTypes.TurnkeyError(`Account fetch failed}`, sdkTypes.TurnkeyErrorCodes.ACCOUNT_FETCH_ERROR);
+                    throw new sdkTypes.TurnkeyError(`Account fetch failed`, sdkTypes.TurnkeyErrorCodes.ACCOUNT_FETCH_ERROR);
                 }
                 if (accountRes.organizationId) {
                     throw new sdkTypes.TurnkeyError("Account already exists with this OIDC token", sdkTypes.TurnkeyErrorCodes.ACCOUNT_ALREADY_EXISTS);
                 }
-                const userId = params?.userId || session.userId;
-                const { email: oidcEmail, iss } = jwtDecode.jwtDecode(oidcToken) || {}; // Parse the oidc token so we can get the email. Pass it in to updateUser then call createOauthProviders. This will be verified by Turnkey.
+                const userId = params?.userId || session?.userId;
+                if (!userId) {
+                    throw new sdkTypes.TurnkeyError("User ID must be provided to add OAuth provider", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
+                }
+                const organizationId = params?.organizationId ?? session?.organizationId;
+                if (!organizationId) {
+                    throw new sdkTypes.TurnkeyError("Organization ID is required to add OAuth provider", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
+                }
+                // parse the oidc token so we can get the email. Pass it in to updateUser then call createOauthProviders. This will be verified by Turnkey.
+                const { email: oidcEmail, iss } = jwtDecode.jwtDecode(oidcToken) || {};
                 if (iss === utils.googleISS) {
                     const verifiedSuborg = await this.httpClient.proxyGetAccount({
                         filterType: "EMAIL",
                         filterValue: oidcEmail,
                     });
-                    const isVerified = verifiedSuborg.organizationId === session.organizationId;
+                    const isVerified = verifiedSuborg.organizationId === organizationId;
                     const user = await this.fetchUser({
                         userId,
                         stampWith,
@@ -1966,20 +2086,22 @@ class TurnkeyClient {
          * @param params.providerIds - IDs of the OAuth providers to remove.
          * @param params.userId - user ID to remove the provider for a specific user (defaults to the current session's userId).
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
+         * @param params.organizationId - organization ID to specify the sub-organization (defaults to the current session's organizationId).
          * @returns A promise that resolves to an array of provider IDs that were removed.
          * @throws {TurnkeyError} If there is no active session, if the userId is missing, or if there is an error removing the OAuth provider.
          */
         this.removeOauthProviders = async (params) => {
-            const { providerIds, stampWith } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { providerIds, stampWith, organizationId } = params;
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const userId = params?.userId || session?.userId;
+            if (!userId) {
+                throw new sdkTypes.TurnkeyError("User ID must be provided to remove OAuth provider", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
-            const userId = params?.userId || session.userId;
             return utils.withTurnkeyErrorHandling(async () => {
                 const res = await this.httpClient.deleteOauthProviders({
                     userId,
                     providerIds,
+                    ...(organizationId && { organizationId }),
                 }, stampWith);
                 if (!res) {
                     throw new sdkTypes.TurnkeyError("Failed to remove OAuth provider", sdkTypes.TurnkeyErrorCodes.REMOVE_OAUTH_PROVIDER_ERROR);
@@ -2003,21 +2125,21 @@ class TurnkeyClient {
          * @param params.displayName - display name of the passkey (defaults to the value of `name`).
          * @param params.userId - user ID to add the passkey for a specific user (defaults to the current session's userId).
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
+         * @param params.organizationId - organization ID to specify the sub-organization (defaults to the current session's organizationId).
          * @returns A promise that resolves to an array of authenticator IDs for the newly added passkey(s).
          * @throws {TurnkeyError} If there is no active session, if passkey creation fails, or if there is an error adding the passkey.
          */
         this.addPasskey = async (params) => {
-            const { stampWith } = params || {};
+            const { stampWith, organizationId } = params || {};
             const name = params?.name || `Turnkey Passkey-${Date.now()}`;
             return utils.withTurnkeyErrorHandling(async () => {
-                const session = await this.storageManager.getActiveSession();
-                if (!session) {
-                    throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+                const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+                const userId = params?.userId || session?.userId;
+                if (!userId) {
+                    throw new sdkTypes.TurnkeyError("User ID must be provided to add passkey", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
                 }
-                const userId = params?.userId || session.userId;
                 const { encodedChallenge, attestation } = await this.createPasskey({
                     name,
-                    ...(stampWith && { stampWith }),
                 });
                 if (!attestation || !encodedChallenge) {
                     throw new sdkTypes.TurnkeyError("Failed to create passkey challenge and attestation", sdkTypes.TurnkeyErrorCodes.CREATE_PASSKEY_ERROR);
@@ -2031,6 +2153,7 @@ class TurnkeyClient {
                             attestation,
                         },
                     ],
+                    ...(organizationId && { organizationId }),
                 }, stampWith);
                 return res?.authenticatorIds || [];
             }, {
@@ -2050,20 +2173,22 @@ class TurnkeyClient {
          * @param params.authenticatorIds - IDs of the authenticators (passkeys) to remove.
          * @param params.userId - user ID to remove the passkeys for a specific user (defaults to the current session's userId).
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
+         * @param params.organizationId - organization ID to specify the sub-organization (defaults to the current session's organizationId).
          * @returns A promise that resolves to an array of authenticator IDs that were removed.
          * @throws {TurnkeyError} If there is no active session, if the userId is missing, or if there is an error removing the passkeys.
          */
         this.removePasskeys = async (params) => {
-            const { authenticatorIds, stampWith } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { authenticatorIds, stampWith, organizationId } = params;
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const userId = params?.userId || session?.userId;
+            if (!userId) {
+                throw new sdkTypes.TurnkeyError("User ID must be provided to remove passkey", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
-            const userId = params?.userId || session.userId;
             return utils.withTurnkeyErrorHandling(async () => {
                 const res = await this.httpClient.deleteAuthenticators({
                     userId,
                     authenticatorIds,
+                    ...(organizationId && { organizationId }),
                 }, stampWith);
                 if (!res) {
                     throw new sdkTypes.TurnkeyError("No response found in the remove passkey response", sdkTypes.TurnkeyErrorCodes.REMOVE_PASSKEY_ERROR);
@@ -2094,10 +2219,11 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If there is no active session or if there is an error creating the wallet.
          */
         this.createWallet = async (params) => {
-            const { walletName, accounts, organizationId, mnemonicLength, stampWith } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { walletName, accounts, organizationId: organizationIdFromParams, mnemonicLength, stampWith, } = params;
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const organizationId = organizationIdFromParams || session?.organizationId;
+            if (!organizationId) {
+                throw new sdkTypes.TurnkeyError("Organization ID must be provided to create wallet", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
             let walletAccounts = [];
             if (accounts && !utils.isWalletAccountArray(accounts)) {
@@ -2113,7 +2239,7 @@ class TurnkeyClient {
             }
             return utils.withTurnkeyErrorHandling(async () => {
                 const res = await this.httpClient.createWallet({
-                    organizationId: organizationId || session.organizationId,
+                    organizationId: organizationId,
                     walletName,
                     accounts: walletAccounts,
                     mnemonicLength: mnemonicLength || 12,
@@ -2145,10 +2271,11 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If there is no active session, if the wallet does not exist, or if there is an error creating the wallet accounts.
          */
         this.createWalletAccounts = async (params) => {
-            const { accounts, walletId, organizationId, stampWith } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { accounts, walletId, organizationId: organizationIdFromParams, stampWith, } = params;
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const organizationId = organizationIdFromParams || session?.organizationId;
+            if (!organizationId) {
+                throw new sdkTypes.TurnkeyError("Organization ID must be provided to create wallet accounts", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
             return utils.withTurnkeyErrorHandling(async () => {
                 let walletAccounts = [];
@@ -2156,7 +2283,7 @@ class TurnkeyClient {
                     // Query existing wallet accounts to avoid duplicates
                     const existingWalletAccounts = await this.httpClient.getWalletAccounts({
                         walletId,
-                        organizationId: organizationId || session.organizationId,
+                        organizationId: organizationId,
                         paginationOptions: { limit: "100" },
                     }, stampWith);
                     walletAccounts = utils.generateWalletAccountsFromAddressFormat({
@@ -2168,7 +2295,7 @@ class TurnkeyClient {
                     walletAccounts = accounts;
                 }
                 const res = await this.httpClient.createWalletAccounts({
-                    organizationId: organizationId || session.organizationId,
+                    organizationId: organizationId,
                     walletId,
                     accounts: walletAccounts,
                 }, stampWith);
@@ -2199,16 +2326,17 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If there is no active session, if the targetPublicKey is missing, or if there is an error exporting the wallet.
          */
         this.exportWallet = async (params) => {
-            const { walletId, targetPublicKey, stampWith, organizationId } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { walletId, targetPublicKey, stampWith, organizationId: organizationIdFromParams, } = params;
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const organizationId = organizationIdFromParams || session?.organizationId;
+            if (!organizationId) {
+                throw new sdkTypes.TurnkeyError("Organization ID must be provided to export wallet", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
             return utils.withTurnkeyErrorHandling(async () => {
                 const res = await this.httpClient.exportWallet({
                     walletId,
                     targetPublicKey,
-                    organizationId: organizationId || session.organizationId,
+                    organizationId: organizationId,
                 }, stampWith);
                 if (!res.exportBundle) {
                     throw new sdkTypes.TurnkeyError("No export bundle found in the response", sdkTypes.TurnkeyErrorCodes.BAD_RESPONSE);
@@ -2236,16 +2364,17 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If there is no active session, if the targetPublicKey is missing, or if there is an error exporting the private key.
          */
         this.exportPrivateKey = async (params) => {
-            const { privateKeyId, targetPublicKey, stampWith, organizationId } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { privateKeyId, targetPublicKey, stampWith, organizationId: organizationIdFromParams, } = params;
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const organizationId = organizationIdFromParams || session?.organizationId;
+            if (!organizationId) {
+                throw new sdkTypes.TurnkeyError("Organization ID must be provided to export private key", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
             return utils.withTurnkeyErrorHandling(async () => {
                 const res = await this.httpClient.exportPrivateKey({
                     privateKeyId,
                     targetPublicKey,
-                    organizationId: organizationId || session.organizationId,
+                    organizationId: organizationId,
                 }, stampWith);
                 if (!res.exportBundle) {
                     throw new sdkTypes.TurnkeyError("No export bundle found in the response", sdkTypes.TurnkeyErrorCodes.BAD_RESPONSE);
@@ -2274,16 +2403,17 @@ class TurnkeyClient {
          *
          */
         this.exportWalletAccount = async (params) => {
-            const { address, targetPublicKey, stampWith, organizationId } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { address, targetPublicKey, stampWith, organizationId: organizationIdFromParams, } = params;
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const organizationId = organizationIdFromParams || session?.organizationId;
+            if (!organizationId) {
+                throw new sdkTypes.TurnkeyError("Organization ID must be provided to export wallet account", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
             return utils.withTurnkeyErrorHandling(async () => {
                 const res = await this.httpClient.exportWalletAccount({
                     address,
                     targetPublicKey,
-                    organizationId: organizationId || session.organizationId,
+                    organizationId: organizationId,
                 }, stampWith);
                 if (!res.exportBundle) {
                     throw new sdkTypes.TurnkeyError("No export bundle found in the response", sdkTypes.TurnkeyErrorCodes.BAD_RESPONSE);
@@ -2307,21 +2437,27 @@ class TurnkeyClient {
          * @param params.encryptedBundle - encrypted bundle containing the wallet seed phrase and metadata.
          * @param params.walletName - name of the wallet to create upon import.
          * @param params.accounts - array of account parameters to create in the imported wallet (defaults to standard Ethereum and Solana accounts).
+         * @param params.organizationId - organization ID to import the wallet under a specific sub-organization (wallet will be associated with the sub-organization).
          * @param params.userId - user ID to import the wallet for a specific user (defaults to the current session's userId).
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
          * @returns A promise that resolves to the ID of the imported wallet.
          * @throws {TurnkeyError} If there is no active session, if the encrypted bundle is invalid, or if there is an error importing the wallet.
          */
         this.importWallet = async (params) => {
-            const { encryptedBundle, accounts, walletName, userId, stampWith } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { encryptedBundle, accounts, walletName, organizationId: organizationIdFromParams, userId: userIdFromParams, stampWith, } = params;
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const organizationId = organizationIdFromParams || session?.organizationId;
+            if (!organizationId) {
+                throw new sdkTypes.TurnkeyError("Organization ID must be provided to import wallet", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
+            }
+            const userId = userIdFromParams || session?.userId;
+            if (!userId) {
+                throw new sdkTypes.TurnkeyError("User ID must be provided to import wallet", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
             return utils.withTurnkeyErrorHandling(async () => {
                 const res = await this.httpClient.importWallet({
-                    organizationId: session.organizationId,
-                    userId: userId || session.userId,
+                    organizationId: organizationId,
+                    userId: userId,
                     encryptedBundle,
                     walletName,
                     accounts: accounts || [
@@ -2359,21 +2495,27 @@ class TurnkeyClient {
          * @param params.privateKeyName - name of the private key to create upon import.
          * @param params.curve - the cryptographic curve used to generate a given private key
          * @param params.addressFormat - address format of the private key to import.
+         * @param params.organizationId - organization ID to import the private key under a specific sub-organization (private key will be associated with the sub-organization).
          * @param params.userId - user ID to import the wallet for a specific user (defaults to the current session's userId).
          * @param params.stampWith - parameter to stamp the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
          * @returns A promise that resolves to the ID of the imported wallet.
          * @throws {TurnkeyError} If there is no active session, if the encrypted bundle is invalid, or if there is an error importing the wallet.
          */
         this.importPrivateKey = async (params) => {
-            const { encryptedBundle, privateKeyName, addressFormats, curve, userId, stampWith, } = params;
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
+            const { encryptedBundle, privateKeyName, addressFormats, curve, organizationId: organizationIdFromParams, userId: userIdFromParams, stampWith, } = params;
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const organizationId = organizationIdFromParams || session?.organizationId;
+            if (!organizationId) {
+                throw new sdkTypes.TurnkeyError("Organization ID must be provided to import private key", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
+            }
+            const userId = userIdFromParams || session?.userId;
+            if (!userId) {
+                throw new sdkTypes.TurnkeyError("User ID must be provided to import private key", sdkTypes.TurnkeyErrorCodes.INVALID_REQUEST);
             }
             return utils.withTurnkeyErrorHandling(async () => {
                 const res = await this.httpClient.importPrivateKey({
-                    organizationId: session.organizationId,
-                    userId: userId || session.userId,
+                    organizationId,
+                    userId,
                     encryptedBundle,
                     privateKeyName,
                     curve,
@@ -2404,18 +2546,17 @@ class TurnkeyClient {
          * - Optionally allows stamping the request with a specific stamper (StamperType.Passkey, StamperType.ApiKey, or StamperType.Wallet).
          *
          * @param params.deleteWithoutExport - flag to delete the sub-organization without requiring all wallets to be exported first (defaults to false).
+         * @param params.organizationId - organization ID to delete a specific sub-organization (defaults to the current session's organizationId).
          * @param params.stampWith - parameter to stamp the request with a specific stamper.
          * @returns A promise that resolves to a `TDeleteSubOrganizationResponse` object containing the result of the deletion.
          * @throws {TurnkeyError} If there is no active session or if there is an error deleting the sub-organization.
          */
         this.deleteSubOrganization = async (params) => {
-            const { deleteWithoutExport = false, stampWith } = params || {};
-            const session = await this.storageManager.getActiveSession();
-            if (!session) {
-                throw new sdkTypes.TurnkeyError("No active session found. Please log in first.", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
-            }
+            const { deleteWithoutExport = false, organizationId: organizationIdFromParams, stampWith, } = params || {};
+            const session = await utils.getActiveSessionOrThrowIfRequired(stampWith, this.storageManager.getActiveSession);
+            const organizationId = organizationIdFromParams || session?.organizationId;
             return utils.withTurnkeyErrorHandling(async () => {
-                return await this.httpClient.deleteSubOrganization({ deleteWithoutExport }, stampWith);
+                return await this.httpClient.deleteSubOrganization({ deleteWithoutExport, ...(organizationId && { organizationId }) }, stampWith);
             }, {
                 errorMessage: "Failed to delete sub-organization",
                 errorCode: sdkTypes.TurnkeyErrorCodes.DELETE_SUB_ORGANIZATION_ERROR,
@@ -2436,7 +2577,7 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If there is an error storing the session or cleaning up key pairs.
          */
         this.storeSession = async (params) => {
-            const { sessionToken, sessionKey = base.SessionKey.DefaultSessionkey } = params;
+            const { sessionToken, sessionKey = auth.SessionKey.DefaultSessionkey } = params;
             if (!sessionToken)
                 return;
             utils.withTurnkeyErrorHandling(async () => {
@@ -2461,7 +2602,7 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If the session does not exist or if there is an error clearing the session.
          */
         this.clearSession = async (params) => {
-            const { sessionKey = base.SessionKey.DefaultSessionkey } = params || {};
+            const { sessionKey = auth.SessionKey.DefaultSessionkey } = params || {};
             utils.withTurnkeyErrorHandling(async () => {
                 const session = await this.storageManager.getSession(sessionKey);
                 if (session) {
@@ -2519,7 +2660,7 @@ class TurnkeyClient {
          * @throws {TurnkeyError} If the session key does not exist, if there is no active session, or if there is an error refreshing the session.
          */
         this.refreshSession = async (params) => {
-            const { sessionKey = await this.storageManager.getActiveSessionKey(), expirationSeconds = base.DEFAULT_SESSION_EXPIRATION_IN_SECONDS, publicKey, invalidateExisitng = false, } = params || {};
+            const { sessionKey = await this.storageManager.getActiveSessionKey(), expirationSeconds = auth.DEFAULT_SESSION_EXPIRATION_IN_SECONDS, publicKey, invalidateExisitng = false, } = params || {};
             if (!sessionKey) {
                 throw new sdkTypes.TurnkeyError("No session key provided or active session to refresh session", sdkTypes.TurnkeyErrorCodes.NO_SESSION_FOUND);
             }
@@ -2750,17 +2891,17 @@ class TurnkeyClient {
     async init() {
         // Initialize storage manager
         // TODO (Amir): StorageManager should be a class that extends StorageBase and has an init method
-        this.storageManager = await base$1.createStorageManager();
+        this.storageManager = await base.createStorageManager();
         // Initialize the API key stamper
-        this.apiKeyStamper = new base$2.CrossPlatformApiKeyStamper(this.storageManager);
+        this.apiKeyStamper = new base$1.CrossPlatformApiKeyStamper(this.storageManager);
         await this.apiKeyStamper.init();
         if (this.config.passkeyConfig) {
-            this.passkeyStamper = new base$3.CrossPlatformPasskeyStamper(this.config.passkeyConfig);
+            this.passkeyStamper = new base$2.CrossPlatformPasskeyStamper(this.config.passkeyConfig);
             await this.passkeyStamper.init();
         }
         if (this.config.walletConfig?.features?.auth ||
             this.config.walletConfig?.features?.connecting) {
-            this.walletManager = await base$4.createWalletManager(this.config.walletConfig);
+            this.walletManager = await base$3.createWalletManager(this.config.walletConfig);
         }
         // We can comfortably default to the prod urls here
         const apiBaseUrl = this.config.apiBaseUrl || "https://api.turnkey.com";