@vex-chat/libvex 1.0.2 → 2.0.0

package/dist/Client.js

@@ -1,93 +1,42 @@
-// tslint:disable: no-empty-interface
-import { sleep } from "@extrahash/sleep";
-import { xConcat, xConstants, xDH, xEncode, xHMAC, xKDF, XKeyConvert, xMakeNonce, xMnemonic, XUtils, } from "@vex-chat/crypto";
-import { MailType } from "@vex-chat/types";
-import ax, { AxiosError } from "axios";
-import { isBrowser, isNode } from "browser-or-node";
-// btoa is native in browsers and Node 16+
-import pc from "picocolors";
+import { xBoxKeyPair, xBoxKeyPairFromSecret, xConcat, xConstants, xDH, xEncode, xHMAC, xKDF, XKeyConvert, xMakeNonce, xMnemonic, xRandomBytes, xSecretbox, xSecretboxOpen, xSign, xSignKeyPair, xSignKeyPairFromSecret, XUtils, } from "@vex-chat/crypto";
+import { MailType, MailWSSchema, PermissionSchema, WSMessageSchema, } from "@vex-chat/types";
+import axios, { isAxiosError } from "axios";
 import { EventEmitter } from "eventemitter3";
-import { Packr } from "msgpackr";
-// useRecords:false emits standard msgpack (no nonstandard record extension).
-// moreTypes:false keeps the extension set to what every other decoder understands.
-const _packr = new Packr({ useRecords: false, moreTypes: false });
-// Packr.encode() returns a subarray of its internal pool buffer.
-// In browsers, XMLHttpRequest.send() sends the full underlying ArrayBuffer,
-// not just the slice — corrupting the payload (axios issue #4068).
-// Wrap encode to always return a fresh copy.
-const msgpack = {
-    encode: (value) => {
-        const packed = _packr.encode(value);
-        return new Uint8Array(packed.buffer.slice(packed.byteOffset, packed.byteOffset + packed.byteLength));
-    },
-    decode: _packr.decode.bind(_packr),
-};
-import objectHash from "object-hash";
-import nacl from "tweetnacl";
 import * as uuid from "uuid";
-// Storage (Kysely/better-sqlite3) loaded lazily — only when no external storage is provided.
+import { z } from "zod/v4";
+import { WebSocketAdapter } from "./transport/websocket.js";
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+import { msgpack } from "./codec.js";
+import { ActionTokenCodec, AuthResponseCodec, ChannelArrayCodec, ChannelCodec, ConnectResponseCodec, decodeAxios, DeviceArrayCodec, DeviceChallengeCodec, DeviceCodec, EmojiArrayCodec, EmojiCodec, FileSQLCodec, InviteArrayCodec, InviteCodec, KeyBundleCodec, OtkCountCodec, PermissionArrayCodec, PermissionCodec, ServerArrayCodec, ServerCodec, UserArrayCodec, UserCodec, WhoamiCodec, } from "./codecs.js";
 import { capitalize } from "./utils/capitalize.js";
-// createLogger (winston) loaded lazily — only in Node when no adapter logger is provided.
 import { formatBytes } from "./utils/formatBytes.js";
 import { sqlSessionToCrypto } from "./utils/sqlSessionToCrypto.js";
 import { uuidToUint8 } from "./utils/uint8uuid.js";
-ax.defaults.withCredentials = true;
-ax.defaults.responseType = "arraybuffer";
-const protocolMsgRegex = /��\w+:\w+��/g;
-/**
- * Client provides an interface for you to use a vex chat server and
- * send end to end encrypted messages to other users.
- *
- * @example
- * ```ts
- * import { Client } from "@vex-chat/libvex";
- *
- * async function main() {
- *     // generate a secret key to use, save this somewhere permanent
- *     const privateKey = Client.generateSecretKey();
- *
- *     const client = new Client(privateKey);
- *
- *     // the ready event is emitted when init() is finished.
- *     // you must wait until this event fires to perform
- *     // registration or login.
- *     client.on("ready", async () => {
- *         // you must register once before you can log in
- *         await client.register(Client.randomUsername());
- *         await client.login();
- *     })
- *
- *     // The authed event fires when login() successfully completes
- *     // and the server indicates you are authorized. You must wait to
- *     // perform any operations besides register() and login() until
- *     // this occurs.
- *     client.on("authed", async () => {
- *         const me = await client.users.me();
- *
- *         // send a message
- *         await client.messages.send(me.userID, "Hello world!");
- *     })
- *
- *     // Outgoing and incoming messages are emitted here.
- *     client.on("message", (message) => {
- *         console.log("message:", message);
- *     })
- *
- *     // you must call init() to initialize the keyring and
- *     // start the client.
- *     client.init();
- * }
- *
- * main();
- * ```
- */
-export class Client extends EventEmitter {
-    /**
-     * Encrypts a secret key with a password.
-     *
-     * Pass-through utility from `@vex-chat/crypto`.
-     */
-    static encryptKeyData = XUtils.encryptKeyData;
+const _protocolMsgRegex = /��\w+:\w+��/g;
+/** Zod schema matching the {@link Message} interface for forwarded-message decode. */
+const messageSchema = z.object({
+    authorID: z.string(),
+    decrypted: z.boolean(),
+    direction: z.enum(["incoming", "outgoing"]),
+    forward: z.boolean(),
+    group: z.string().nullable(),
+    mailID: z.string(),
+    message: z.string(),
+    nonce: z.string(),
+    readerID: z.string(),
+    recipient: z.string(),
+    sender: z.string(),
+    timestamp: z.string(),
+});
+/** Zod schema for a single inbox entry from getMail: [header, mailBody, timestamp]. */
+const mailInboxEntry = z.tuple([
+    z.custom((val) => val instanceof Uint8Array),
+    MailWSSchema,
+    z.string(),
+]);
+export class Client {
     /**
      * Decrypts a secret key from encrypted data produced by encryptKeyData().
      *
@@ -95,158 +44,68 @@ export class Client extends EventEmitter {
      */
     static decryptKeyData = XUtils.decryptKeyData;
     /**
-     * Creates and initializes a client in one step.
-     *
-     * @param privateKey Optional hex secret key. When omitted, a fresh key is generated.
-     * @param options Runtime options.
-     * @param storage Optional custom storage backend implementing `IStorage`.
-     *
-     * @example
-     * ```ts
-     * const client = await Client.create(privateKey, { host: "api.vex.wtf" });
-     * ```
-     */
-    static create = async (privateKey, options, storage) => {
-        let opts = options;
-        if (!opts?.adapters) {
-            const { default: WebSocket } = await import("ws");
-            const { createLogger: makeLog } = await import("./utils/createLogger.js");
-            opts = {
-                ...opts,
-                adapters: {
-                    logger: makeLog("libvex", opts?.logLevel),
-                    WebSocket: WebSocket,
-                },
-            };
-        }
-        // Lazily create Node Storage only on the Node path (no adapters).
-        // When adapters are provided (browser/RN), the caller must supply storage
-        // via PlatformPreset.createStorage() — there is no Node fallback.
-        let resolvedStorage = storage;
-        if (!resolvedStorage) {
-            if (opts?.adapters) {
-                throw new Error("No storage provided. When using adapters (browser/RN), pass storage from your PlatformPreset.");
-            }
-            const { createNodeStorage } = await import("./storage/node.js");
-            const dbFileName = opts?.inMemoryDb
-                ? ":memory:"
-                : XUtils.encodeHex(nacl.sign.keyPair.fromSecretKey(XUtils.decodeHex(privateKey || "")).publicKey) + ".sqlite";
-            const dbPath = opts?.dbFolder
-                ? opts.dbFolder + "/" + dbFileName
-                : dbFileName;
-            resolvedStorage = createNodeStorage(dbPath, privateKey || XUtils.encodeHex(nacl.sign.keyPair().secretKey));
-        }
-        const client = new Client(privateKey, opts, resolvedStorage);
-        await client.init();
-        return client;
-    };
-    /**
-     * Generates an ed25519 secret key as a hex string.
-     *
-     * @returns - A secret key to use for the client. Save it permanently somewhere safe.
-     */
-    static generateSecretKey() {
-        return XUtils.encodeHex(nacl.sign.keyPair().secretKey);
-    }
-    /**
-     * Generates a random username using bip39.
+     * Encrypts a secret key with a password.
      *
-     * @returns - The username.
+     * Pass-through utility from `@vex-chat/crypto`.
      */
-    static randomUsername() {
-        const IKM = XUtils.decodeHex(XUtils.encodeHex(nacl.randomBytes(16)));
-        const mnemonic = xMnemonic(IKM).split(" ");
-        const addendum = XUtils.uint8ArrToNumber(nacl.randomBytes(1));
-        return (capitalize(mnemonic[0]) +
-            capitalize(mnemonic[1]) +
-            addendum.toString());
-    }
-    static getMnemonic(session) {
-        return xMnemonic(xKDF(XUtils.decodeHex(session.fingerprint)));
-    }
-    static deserializeExtra(type, extra) {
-        switch (type) {
-            case MailType.initial:
-                /* 32 bytes for signkey, 32 bytes for ephemeral key,
-                 68 bytes for AD, 6 bytes for otk index (empty for no otk) */
-                const signKey = extra.slice(0, 32);
-                const ephKey = extra.slice(32, 64);
-                const ad = extra.slice(96, 164);
-                const index = extra.slice(164, 170);
-                return [signKey, ephKey, ad, index];
-            case MailType.subsequent:
-                const publicKey = extra;
-                return [publicKey];
-            default:
-                return [];
-        }
-    }
+    static encryptKeyData = XUtils.encryptKeyData;
+    static NOT_FOUND_TTL = 30 * 60 * 1000;
     /**
-     * User operations.
-     *
-     * @example
-     * ```ts
-     * const [user] = await client.users.retrieve("alice");
-     * const familiarUsers = await client.users.familiars();
-     * ```
+     * Channel operations.
      */
-    users = {
+    channels = {
         /**
-         * Retrieves a user's information by a string identifier.
-         * @param identifier: A userID, hex string public key, or a username.
+         * Creates a new channel in a server.
+         * @param name: The channel name.
+         * @param serverID: The unique serverID to create the channel in.
          *
-         * @returns - The user's IUser object, or null if the user does not exist.
+         * @returns - The created Channel object.
          */
-        retrieve: this.retrieveUserDBEntry.bind(this),
+        create: this.createChannel.bind(this),
         /**
-         * Retrieves the list of users you can currently access, or are already familiar with.
-         *
-         * @returns - The list of IUser objects.
+         * Deletes a channel.
+         * @param channelID: The unique channelID to delete.
          */
-        familiars: this.getFamiliars.bind(this),
-    };
-    /**
-     * Emoji operations.
-     *
-     * @example
-     * ```ts
-     * const emoji = await client.emoji.create(imageBuffer, "party", serverID);
-     * const list = await client.emoji.retrieveList(serverID);
-     * ```
-     */
-    emoji = {
-        create: this.uploadEmoji.bind(this),
-        retrieveList: this.retrieveEmojiList.bind(this),
-        retrieve: this.retrieveEmojiByID.bind(this),
-    };
-    /**
-     * Helpers for information/actions related to the currently authenticated account.
-     */
-    me = {
+        delete: this.deleteChannel.bind(this),
         /**
-         * Retrieves your user information
+         * Retrieves all channels in a server.
          *
-         * @returns - The logged in user's IUser object.
+         * @returns - The list of Channel objects.
          */
-        user: this.getUser.bind(this),
+        retrieve: this.getChannelList.bind(this),
         /**
-         * Retrieves current device details
+         * Retrieves channel details by its unique channelID.
          *
-         * @returns - The logged in device's IDevice object.
+         * @returns - The list of Channel objects.
          */
-        device: this.getDevice.bind(this),
+        retrieveByID: this.getChannelByID.bind(this),
         /**
-         * Changes your avatar.
+         * Retrieves a channel's userlist.
+         * @param channelID: The channelID to retrieve userlist for.
          */
-        setAvatar: this.uploadAvatar.bind(this),
+        userList: this.getUserList.bind(this),
     };
     /**
      * Device management methods.
      */
     devices = {
-        retrieve: this.getDeviceByID.bind(this),
-        register: this.registerDevice.bind(this),
         delete: this.deleteDevice.bind(this),
+        register: this.registerDevice.bind(this),
+        retrieve: this.getDeviceByID.bind(this),
+    };
+    /**
+     * Emoji operations.
+     *
+     * @example
+     * ```ts
+     * const emoji = await client.emoji.create(imageBuffer, "party", serverID);
+     * const list = await client.emoji.retrieveList(serverID);
+     * ```
+     */
+    emoji = {
+        create: this.uploadEmoji.bind(this),
+        retrieve: this.retrieveEmojiByID.bind(this),
+        retrieveList: this.retrieveEmojiList.bind(this),
     };
     /** File upload/download methods. */
     files = {
@@ -260,19 +119,14 @@ export class Client extends EventEmitter {
         retrieve: this.retrieveFile.bind(this),
     };
     /**
-     * Permission-management methods for the current user.
+     * This is true if the client has ever been initialized. You can only initialize
+     * a client once.
      */
-    permissions = {
-        retrieve: this.getPermissions.bind(this),
-        delete: this.deletePermission.bind(this),
-    };
+    hasInit = false;
     /**
-     * Server moderation helper methods.
+     * This is true if the client has ever logged in before. You can only login a client once.
      */
-    moderation = {
-        kick: this.kickUser.bind(this),
-        fetchPermissionList: this.fetchPermissionList.bind(this),
-    };
+    hasLoggedIn = false;
     /**
      * Invite-management methods.
      */
@@ -281,6 +135,27 @@ export class Client extends EventEmitter {
         redeem: this.redeemInvite.bind(this),
         retrieve: this.retrieveInvites.bind(this),
     };
+    /**
+     * Helpers for information/actions related to the currently authenticated account.
+     */
+    me = {
+        /**
+         * Retrieves current device details
+         *
+         * @returns - The logged in device's Device object.
+         */
+        device: this.getDevice.bind(this),
+        /**
+         * Changes your avatar.
+         */
+        setAvatar: this.uploadAvatar.bind(this),
+        /**
+         * Retrieves your user information
+         *
+         * @returns - The logged in user's User object.
+         */
+        user: this.getUser.bind(this),
+    };
     /**
      * Message operations (direct and group).
      *
@@ -292,60 +167,50 @@ export class Client extends EventEmitter {
      * ```
      */
     messages = {
-        /**
-         * Send a direct message.
-         * @param userID: The userID of the user to send a message to.
-         * @param message: The message to send.
-         */
-        send: this.sendMessage.bind(this),
+        delete: this.deleteHistory.bind(this),
         /**
          * Send a group message to a channel.
          * @param channelID: The channelID of the channel to send a message to.
          * @param message: The message to send.
          */
         group: this.sendGroupMessage.bind(this),
+        purge: this.purgeHistory.bind(this),
         /**
          * Gets the message history with a specific userID.
          * @param userID: The userID of the user to retrieve message history for.
          *
-         * @returns - The list of IMessage objects.
+         * @returns - The list of Message objects.
          */
         retrieve: this.getMessageHistory.bind(this),
         /**
          * Gets the group message history with a specific channelID.
          * @param chqnnelID: The channelID of the channel to retrieve message history for.
          *
-         * @returns - The list of IMessage objects.
+         * @returns - The list of Message objects.
          */
         retrieveGroup: this.getGroupHistory.bind(this),
-        delete: this.deleteHistory.bind(this),
-        purge: this.purgeHistory.bind(this),
+        /**
+         * Send a direct message.
+         * @param userID: The userID of the user to send a message to.
+         * @param message: The message to send.
+         */
+        send: this.sendMessage.bind(this),
     };
     /**
-     * Encryption-session helpers.
+     * Server moderation helper methods.
      */
-    sessions = {
-        /**
-         * Gets all encryption sessions.
-         *
-         * @returns - The list of ISession encryption sessions.
-         */
-        retrieve: this.getSessionList.bind(this),
-        /**
-         * Returns a mnemonic for the session, to verify with the other user.
-         * @param session the ISession object to get the mnemonic for.
-         *
-         * @returns - The mnemonic representation of the session.
-         */
-        verify: Client.getMnemonic,
-        /**
-         * Marks a mnemonic verified, implying that the the user has confirmed
-         * that the session mnemonic matches with the other user.
-         * @param sessionID the sessionID of the session to mark.
-         * @param status Optionally, what to mark it as. Defaults to true.
-         */
-        markVerified: this.markSessionVerified.bind(this),
+    moderation = {
+        fetchPermissionList: this.fetchPermissionList.bind(this),
+        kick: this.kickUser.bind(this),
+    };
+    /**
+     * Permission-management methods for the current user.
+     */
+    permissions = {
+        delete: this.deletePermission.bind(this),
+        retrieve: this.getPermissions.bind(this),
     };
+    sending = new Map();
     /**
      * Server operations.
      *
@@ -356,23 +221,11 @@ export class Client extends EventEmitter {
      * ```
      */
     servers = {
-        /**
-         * Retrieves all servers the logged in user has access to.
-         *
-         * @returns - The list of IServer objects.
-         */
-        retrieve: this.getServerList.bind(this),
-        /**
-         * Retrieves server details by its unique serverID.
-         *
-         * @returns - The requested IServer object, or null if the id does not exist.
-         */
-        retrieveByID: this.getServerByID.bind(this),
         /**
          * Creates a new server.
          * @param name: The server name.
          *
-         * @returns - The created IServer object.
+         * @returns - The created Server object.
          */
         create: this.createServer.bind(this),
         /**
@@ -381,92 +234,116 @@ export class Client extends EventEmitter {
          */
         delete: this.deleteServer.bind(this),
         leave: this.leaveServer.bind(this),
-    };
-    /**
-     * Channel operations.
-     */
-    channels = {
         /**
-         * Retrieves all channels in a server.
+         * Retrieves all servers the logged in user has access to.
          *
-         * @returns - The list of IChannel objects.
+         * @returns - The list of Server objects.
          */
-        retrieve: this.getChannelList.bind(this),
+        retrieve: this.getServerList.bind(this),
         /**
-         * Retrieves channel details by its unique channelID.
+         * Retrieves server details by its unique serverID.
          *
-         * @returns - The list of IChannel objects.
+         * @returns - The requested Server object, or null if the id does not exist.
          */
-        retrieveByID: this.getChannelByID.bind(this),
+        retrieveByID: this.getServerByID.bind(this),
+    };
+    /**
+     * Encryption-session helpers.
+     */
+    sessions = {
         /**
-         * Creates a new channel in a server.
-         * @param name: The channel name.
-         * @param serverID: The unique serverID to create the channel in.
-         *
-         * @returns - The created IChannel object.
+         * Marks a mnemonic verified, implying that the the user has confirmed
+         * that the session mnemonic matches with the other user.
+         * @param sessionID the sessionID of the session to mark.
+         * @param status Optionally, what to mark it as. Defaults to true.
          */
-        create: this.createChannel.bind(this),
+        markVerified: this.markSessionVerified.bind(this),
         /**
-         * Deletes a channel.
-         * @param channelID: The unique channelID to delete.
+         * Gets all encryption sessions.
+         *
+         * @returns - The list of Session encryption sessions.
          */
-        delete: this.deleteChannel.bind(this),
+        retrieve: this.getSessionList.bind(this),
         /**
-         * Retrieves a channel's userlist.
-         * @param channelID: The channelID to retrieve userlist for.
+         * Returns a mnemonic for the session, to verify with the other user.
+         * @param session the Session object to get the mnemonic for.
+         *
+         * @returns - The mnemonic representation of the session.
          */
-        userList: this.getUserList.bind(this),
+        verify: (session) => Client.getMnemonic(session),
     };
     /**
-     * This is true if the client has ever been initialized. You can only initialize
-     * a client once.
-     */
-    hasInit = false;
-    /**
-     * This is true if the client has ever logged in before. You can only login a client once.
+     * User operations.
+     *
+     * @example
+     * ```ts
+     * const [user] = await client.users.retrieve("alice");
+     * const familiarUsers = await client.users.familiars();
+     * ```
      */
-    hasLoggedIn = false;
-    sending = {};
+    users = {
+        /**
+         * Retrieves the list of users you can currently access, or are already familiar with.
+         *
+         * @returns - The list of User objects.
+         */
+        familiars: this.getFamiliars.bind(this),
+        /**
+         * Retrieves a user's information by a string identifier.
+         * @param identifier: A userID, hex string public key, or a username.
+         *
+         * @returns - The user's User object, or null if the user does not exist.
+         */
+        retrieve: this.fetchUser.bind(this),
+    };
     database;
     dbPath;
-    conn;
-    host;
-    adapters;
-    firstMailFetch = true;
-    // these are created from one set of sign keys
-    signKeys;
-    idKeys;
-    xKeyRing;
-    user;
     device;
-    userRecords = {};
     deviceRecords = {};
-    sessionRecords = {};
-    isAlive = true;
-    reading = false;
+    // ── Event subscription (composition over inheritance) ───────────────
+    emitter = new EventEmitter();
     fetchingMail = false;
-    cookies = [];
+    firstMailFetch = true;
+    forwarded = new Set();
+    host;
+    http;
+    idKeys;
+    isAlive = true;
     log;
-    pingInterval = null;
     mailInterval;
     manuallyClosing = false;
-    token = null;
-    forwarded = [];
+    /* Retrieves the userID with the user identifier.
+    user identifier is checked for userID, then signkey,
+    and finally falls back to username. */
+    /** Negative cache for user lookups that returned 404. TTL = 30 minutes. */
+    notFoundUsers = new Map();
+    options;
+    pingInterval = null;
     prefixes;
+    reading = false;
+    sessionRecords = {};
+    // these are created from one set of sign keys
+    signKeys;
+    socket;
+    token = null;
+    user;
+    userRecords = {};
+    xKeyRing;
     constructor(privateKey, options, storage) {
-        super();
-        this.log = options?.adapters?.logger ?? {
+        // (no super — composition, not inheritance)
+        this.options = options;
+        this.log = options?.logger ?? {
+            debug() { },
+            error() { },
             info() { },
             warn() { },
-            error() { },
-            debug() { },
         };
         this.prefixes = options?.unsafeHttp
             ? { HTTP: "http://", WS: "ws://" }
             : { HTTP: "https://", WS: "wss://" };
         this.signKeys = privateKey
-            ? nacl.sign.keyPair.fromSecretKey(XUtils.decodeHex(privateKey))
-            : nacl.sign.keyPair();
+            ? xSignKeyPairFromSecret(XUtils.decodeHex(privateKey))
+            : xSignKeyPair();
         this.idKeys = XKeyConvert.convertKeyPair(this.signKeys);
         if (!this.idKeys) {
             throw new Error("Could not convert key to X25519!");
@@ -476,7 +353,7 @@ export class Client extends EventEmitter {
             ? ":memory:"
             : XUtils.encodeHex(this.signKeys.publicKey) + ".sqlite";
         this.dbPath = options?.dbFolder
-            ? options?.dbFolder + "/" + dbFileName
+            ? options.dbFolder + "/" + dbFileName
             : dbFileName;
         if (!storage) {
             throw new Error("No storage provided. Use Client.create() which resolves storage automatically.");
@@ -484,45 +361,117 @@ export class Client extends EventEmitter {
         this.database = storage;
         this.database.on("error", (error) => {
             this.log.error(error.toString());
-            this.close(true);
+            void this.close(true);
         });
-        if (!options?.adapters) {
-            throw new Error("No adapters provided. Use Client.create() which resolves adapters automatically.");
-        }
-        this.adapters = options.adapters;
+        this.http = axios.create({ responseType: "arraybuffer" });
         // Placeholder connection — replaced by initSocket() during connect()
-        this.conn = new this.adapters.WebSocket("ws://localhost:1234");
-        this.conn.onerror = () => { };
+        this.socket = new WebSocketAdapter("ws://localhost:1234");
+        this.socket.onerror = () => { };
+        // Strip the `logger` field before stringifying — when a consumer
+        // passes a Winston logger instance (which has a circular
+        // `_readableState.pipes[0].parent` back-reference from the
+        // underlying file transport), JSON.stringify throws
+        // `TypeError: Converting circular structure to JSON`.
+        const { logger: _logger, ...safeOptions } = options ?? {};
         this.log.info("Client debug information: " +
             JSON.stringify({
-                publicKey: this.getKeys().public,
-                host: this.getHost(),
                 dbPath: this.dbPath,
                 environment: {
-                    isBrowser,
-                    isNode,
+                    platform: this.options?.deviceName ?? "unknown",
                 },
-                options,
+                host: this.getHost(),
+                options: safeOptions,
+                publicKey: this.getKeys().public,
             }, null, 4));
     }
     /**
-     * Returns the current HTTP API origin with protocol.
+     * Creates and initializes a client in one step.
+     *
+     * @param privateKey Optional hex secret key. When omitted, a fresh key is generated.
+     * @param options Runtime options.
+     * @param storage Optional custom storage backend implementing `Storage`.
      *
      * @example
      * ```ts
-     * console.log(client.getHost()); // "https://api.vex.wtf"
+     * const client = await Client.create(privateKey, { host: "api.vex.wtf" });
      * ```
      */
-    getHost() {
-        return this.prefixes.HTTP + this.host;
+    static create = async (privateKey, options, storage) => {
+        let opts = options;
+        if (!opts?.logger) {
+            const { createLogger: makeLog } = await import("./utils/createLogger.js");
+            opts = {
+                ...opts,
+                logger: makeLog("libvex", opts?.logLevel),
+            };
+        }
+        // Lazily create Node Storage only on the Node path (no logger override).
+        // When a logger is provided (browser/RN), the caller must supply storage
+        // via BootstrapConfig.createStorage() — there is no Node fallback.
+        let resolvedStorage = storage;
+        if (!resolvedStorage) {
+            if (opts.logger) {
+                throw new Error("No storage provided. When using a custom logger (browser/RN), pass storage from your BootstrapConfig.");
+            }
+            const { createNodeStorage } = await import("./storage/node.js");
+            const dbFileName = opts.inMemoryDb
+                ? ":memory:"
+                : XUtils.encodeHex(xSignKeyPairFromSecret(XUtils.decodeHex(privateKey || ""))
+                    .publicKey) + ".sqlite";
+            const dbPath = opts.dbFolder
+                ? opts.dbFolder + "/" + dbFileName
+                : dbFileName;
+            resolvedStorage = createNodeStorage(dbPath, privateKey || XUtils.encodeHex(xSignKeyPair().secretKey));
+        }
+        const client = new Client(privateKey, opts, resolvedStorage);
+        await client.init();
+        return client;
+    };
+    /**
+     * Generates an ed25519 secret key as a hex string.
+     *
+     * @returns - A secret key to use for the client. Save it permanently somewhere safe.
+     */
+    static generateSecretKey() {
+        return XUtils.encodeHex(xSignKeyPair().secretKey);
     }
     /**
-     * Manually closes the client. Emits the closed event on successful shutdown.
+     * Generates a random username using bip39.
+     *
+     * @returns - The username.
      */
+    static randomUsername() {
+        const IKM = XUtils.decodeHex(XUtils.encodeHex(xRandomBytes(16)));
+        const mnemonic = xMnemonic(IKM).split(" ");
+        const addendum = XUtils.uint8ArrToNumber(xRandomBytes(1));
+        const word0 = mnemonic[0] ?? "";
+        const word1 = mnemonic[1] ?? "";
+        return capitalize(word0) + capitalize(word1) + addendum.toString();
+    }
+    static deserializeExtra(type, extra) {
+        switch (type) {
+            case MailType.initial:
+                /* 32 bytes for signkey, 32 bytes for ephemeral key,
+                 68 bytes for AD, 6 bytes for otk index (empty for no otk) */
+                const signKey = extra.slice(0, 32);
+                const ephKey = extra.slice(32, 64);
+                const ad = extra.slice(96, 164);
+                const index = extra.slice(164, 170);
+                return [signKey, ephKey, ad, index];
+            case MailType.subsequent:
+                const publicKey = extra;
+                return [publicKey];
+            default:
+                return [];
+        }
+    }
+    static getMnemonic(session) {
+        return xMnemonic(xKDF(XUtils.decodeHex(session.fingerprint)));
+    }
     async close(muteEvent = false) {
         this.manuallyClosing = true;
         this.log.info("Manually closing client.");
-        this.conn.close();
+        this.socket.close();
         await this.database.close();
         if (this.pingInterval) {
             clearInterval(this.pingInterval);
@@ -532,116 +481,155 @@ export class Client extends EventEmitter {
         }
         delete this.xKeyRing;
         if (!muteEvent) {
-            this.emit("closed");
+            this.emitter.emit("closed");
         }
         return;
     }
+    /**
+     * Connects your device to the chat. You must have a valid Bearer token.
+     * You can check whoami() to see before calling connect().
+     */
+    async connect() {
+        const { token, user } = await this.whoami();
+        this.token = token;
+        this.http.defaults.headers.common.Authorization = `Bearer ${token}`;
+        this.setUser(user);
+        this.device = await this.retrieveOrCreateDevice();
+        const connectToken = await this.getToken("connect");
+        if (!connectToken) {
+            throw new Error("Couldn't get connect token.");
+        }
+        const signed = xSign(Uint8Array.from(uuid.parse(connectToken.key)), this.signKeys.secretKey);
+        const res = await this.http.post(this.getHost() + "/device/" + this.device.deviceID + "/connect", msgpack.encode({ signed }), { headers: { "Content-Type": "application/msgpack" } });
+        const { deviceToken } = decodeAxios(ConnectResponseCodec, res.data);
+        this.http.defaults.headers.common["X-Device-Token"] = deviceToken;
+        this.log.info("Starting websocket.");
+        this.initSocket();
+        // Yield the event loop so the WS open callback fires and sends the
+        // auth message before OTK generation blocks for ~5s on mobile.
+        await new Promise((r) => setTimeout(r, 0));
+        await this.negotiateOTK();
+    }
+    /**
+     * Manually closes the client. Emits the closed event on successful shutdown.
+     */
+    /**
+     * Delete all local data — message history, encryption sessions, and prekeys.
+     * Closes the client afterward. Credentials (keychain) must be cleared by the consumer.
+     */
+    async deleteAllData() {
+        await this.database.purgeHistory();
+        await this.database.purgeKeyData();
+        await this.close(true);
+    }
+    /**
+     * Returns the current HTTP API origin with protocol.
+     *
+     * @example
+     * ```ts
+     * console.log(client.getHost()); // "https://api.vex.wtf"
+     * ```
+     */
+    getHost() {
+        return this.prefixes.HTTP + this.host;
+    }
     /**
      * Gets the hex string representations of the public and private keys.
      */
     getKeys() {
         return {
-            public: XUtils.encodeHex(this.signKeys.publicKey),
             private: XUtils.encodeHex(this.signKeys.secretKey),
+            public: XUtils.encodeHex(this.signKeys.publicKey),
         };
     }
     /**
-     * Authenticates with username/password and stores the auth token/cookie.
+     * Authenticates with username/password and stores the Bearer auth token.
      *
      * @param username Account username.
      * @param password Account password.
-     * @returns `null` on success, or the thrown error object on failure.
+     * @returns `{ ok: true }` on success, `{ ok: false, error }` on failure.
      *
      * @example
      * ```ts
-     * const err = await client.login("alice", "correct horse battery staple");
-     * if (err) console.error(err);
+     * const result = await client.login("alice", "correct horse battery staple");
+     * if (!result.ok) console.error(result.error);
      * ```
      */
     async login(username, password) {
         try {
-            const res = await ax.post(this.getHost() + "/auth", msgpack.encode({
-                username,
+            const res = await this.http.post(this.getHost() + "/auth", msgpack.encode({
                 password,
+                username,
             }), {
                 headers: { "Content-Type": "application/msgpack" },
             });
-            const { user, token } = msgpack.decode(new Uint8Array(res.data));
-            const cookies = res.headers["set-cookie"];
-            if (cookies) {
-                for (const cookie of cookies) {
-                    if (cookie.includes("auth")) {
-                        this.addCookie(cookie);
-                    }
-                }
-            }
+            const { token, user } = decodeAxios(AuthResponseCodec, res.data);
             this.setUser(user);
             this.token = token;
+            this.http.defaults.headers.common.Authorization = `Bearer ${token}`;
+            return { ok: true };
         }
         catch (err) {
-            console.error(err.toString());
-            return err;
+            const error = err instanceof Error ? err.message : String(err);
+            this.log.error("Login failed: " + error);
+            return { error, ok: false };
         }
-        return null;
     }
     /**
-     * Returns the authorization cookie details. Throws if you don't have a
-     * valid authorization cookie.
-     */
-    /**
-     * Returns details about the currently authenticated session.
+     * Authenticates using the device's Ed25519 signing key.
+     * No password needed — proves possession of the private key via
+     * challenge-response. Issues a short-lived (1-hour) JWT.
      *
-     * @returns The authenticated user, token expiry, and active token.
-     *
-     * @example
-     * ```ts
-     * const auth = await client.whoami();
-     * console.log(auth.user.username, new Date(auth.exp));
-     * ```
+     * Used by auto-login when stored credentials have a deviceKey
+     * but no valid session.
      */
-    async whoami() {
-        const res = await ax.post(this.getHost() + "/whoami", null, {
-            withCredentials: true,
-            responseType: "arraybuffer",
-        });
-        const whoami = msgpack.decode(new Uint8Array(res.data));
-        return whoami;
+    async loginWithDeviceKey(deviceID) {
+        try {
+            const id = deviceID ?? this.device?.deviceID;
+            if (!id) {
+                return new Error("No deviceID — pass it or connect first.");
+            }
+            const signKeyHex = XUtils.encodeHex(this.signKeys.publicKey);
+            const challengeRes = await this.http.post(this.getHost() + "/auth/device", msgpack.encode({
+                deviceID: id,
+                signKey: signKeyHex,
+            }), { headers: { "Content-Type": "application/msgpack" } });
+            const { challenge, challengeID } = decodeAxios(DeviceChallengeCodec, challengeRes.data);
+            const signed = XUtils.encodeHex(xSign(XUtils.decodeHex(challenge), this.signKeys.secretKey));
+            const verifyRes = await this.http.post(this.getHost() + "/auth/device/verify", msgpack.encode({ challengeID, signed }), { headers: { "Content-Type": "application/msgpack" } });
+            const { token, user } = decodeAxios(AuthResponseCodec, verifyRes.data);
+            this.setUser(user);
+            this.token = token;
+            this.http.defaults.headers.common.Authorization = `Bearer ${token}`;
+        }
+        catch (err) {
+            const error = err instanceof Error ? err : new Error(String(err));
+            this.log.error("Device-key auth failed: " + error.message);
+            return error;
+        }
+        return null;
     }
     /**
      * Logs out the current authenticated session from the server.
      */
     async logout() {
-        await ax.post(this.getHost() + "/goodbye");
+        await this.http.post(this.getHost() + "/goodbye");
     }
-    /**
-     * Connects your device to the chat. You must have an valid authorization cookie.
-     * You can check whoami() to see before calling connect().
-     */
-    async connect() {
-        const { user, token } = await this.whoami();
-        this.token = token;
-        if (!user || !token) {
-            throw new Error("Auth cookie missing or expired. Log in again.");
-        }
-        this.setUser(user);
-        this.device = await this.retrieveOrCreateDevice();
-        const connectToken = await this.getToken("connect");
-        if (!connectToken) {
-            throw new Error("Couldn't get connect token.");
-        }
-        const signed = nacl.sign(Uint8Array.from(uuid.parse(connectToken.key)), this.signKeys.secretKey);
-        const res = await ax.post(this.getHost() + "/device/" + this.device.deviceID + "/connect", msgpack.encode({ signed }), { headers: { "Content-Type": "application/msgpack" } });
-        const cookies = res.headers["set-cookie"];
-        if (cookies) {
-            for (const cookie of cookies) {
-                if (cookie.includes("device")) {
-                    this.addCookie(cookie);
-                }
-            }
-        }
-        this.log.info("Starting websocket.");
-        this.initSocket();
-        await this.negotiateOTK();
+    off(event, fn, context) {
+        this.emitter.off(event, 
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- ee3 requires generic listener type; E constraint guarantees safety
+        fn, context);
+        return this;
+    }
+    on(event, fn, context) {
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- EventEmitter requires a generic listener type; the generic constraint on E guarantees type safety
+        this.emitter.on(event, fn, context);
+        return this;
+    }
+    once(event, fn, context) {
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion -- EventEmitter requires a generic listener type; the generic constraint on E guarantees type safety
+        this.emitter.once(event, fn, context);
+        return this;
     }
     /**
      * Registers a new account on the server.
@@ -658,357 +646,95 @@ export class Client extends EventEmitter {
         const regKey = await this.getToken("register");
         if (regKey) {
             const signKey = XUtils.encodeHex(this.signKeys.publicKey);
-            const signed = XUtils.encodeHex(nacl.sign(Uint8Array.from(uuid.parse(regKey.key)), this.signKeys.secretKey));
+            const signed = XUtils.encodeHex(xSign(Uint8Array.from(uuid.parse(regKey.key)), this.signKeys.secretKey));
+            const preKeyIndex = this.xKeyRing.preKeys.index;
             const regMsg = {
-                username,
-                signKey,
-                signed,
+                deviceName: this.options?.deviceName ?? "unknown",
+                password,
                 preKey: XUtils.encodeHex(this.xKeyRing.preKeys.keyPair.publicKey),
+                preKeyIndex,
                 preKeySignature: XUtils.encodeHex(this.xKeyRing.preKeys.signature),
-                preKeyIndex: this.xKeyRing.preKeys.index,
-                password,
-                deviceName: typeof navigator !== "undefined"
-                    ? navigator.userAgent.slice(0, 64)
-                    : "node",
+                signed,
+                signKey,
+                username,
             };
             try {
-                const res = await ax.post(this.getHost() + "/register", msgpack.encode(regMsg), { headers: { "Content-Type": "application/msgpack" } });
-                this.setUser(msgpack.decode(new Uint8Array(res.data)));
+                const res = await this.http.post(this.getHost() + "/register", msgpack.encode(regMsg), { headers: { "Content-Type": "application/msgpack" } });
+                this.setUser(decodeAxios(UserCodec, res.data));
                 return [this.getUser(), null];
             }
             catch (err) {
-                if (err.response) {
-                    return [null, new Error(err.response.data.error)];
-                }
-                else {
-                    return [null, err];
+                if (isAxiosError(err) && err.response) {
+                    return [null, new Error(String(err.response.data))];
                 }
+                return [
+                    null,
+                    err instanceof Error ? err : new Error(String(err)),
+                ];
             }
         }
         else {
             return [null, new Error("Couldn't get regkey from server.")];
         }
     }
+    removeAllListeners(event) {
+        this.emitter.removeAllListeners(event);
+        return this;
+    }
     /**
      * Returns a compact `<username><deviceID>` debug label.
      */
     toString() {
-        return this.user?.username + "<" + this.device?.deviceID + ">";
-    }
-    async redeemInvite(inviteID) {
-        const res = await ax.patch(this.getHost() + "/invite/" + inviteID);
-        return msgpack.decode(new Uint8Array(res.data));
+        return ((this.user?.username ?? "") +
+            "<" +
+            (this.device?.deviceID ?? "") +
+            ">");
     }
-    async retrieveInvites(serverID) {
-        const res = await ax.get(this.getHost() + "/server/" + serverID + "/invites");
-        return msgpack.decode(new Uint8Array(res.data));
+    /**
+     * Returns details about the currently authenticated session.
+     *
+     * @returns The authenticated user, token expiry, and active token.
+     *
+     * @example
+     * ```ts
+     * const auth = await client.whoami();
+     * console.log(auth.user.username, new Date(auth.exp));
+     * ```
+     */
+    async whoami() {
+        const res = await this.http.post(this.getHost() + "/whoami");
+        const whoami = decodeAxios(WhoamiCodec, res.data);
+        return whoami;
     }
-    async createInvite(serverID, duration) {
-        const payload = {
-            serverID,
-            duration,
-        };
-        const res = await ax.post(this.getHost() + "/server/" + serverID + "/invites", payload);
-        return msgpack.decode(new Uint8Array(res.data));
-    }
-    async retrieveEmojiList(serverID) {
-        const res = await ax.get(this.getHost() + "/server/" + serverID + "/emoji");
-        return msgpack.decode(new Uint8Array(res.data));
-    }
-    async retrieveEmojiByID(emojiID) {
-        const res = await ax.get(this.getHost() + "/emoji/" + emojiID + "/details");
-        // this is actually empty string
-        if (!res.data) {
-            return null;
-        }
-        return msgpack.decode(new Uint8Array(res.data));
-    }
-    async leaveServer(serverID) {
-        const permissionList = await this.permissions.retrieve();
-        for (const permission of permissionList) {
-            if (permission.resourceID === serverID) {
-                await this.deletePermission(permission.permissionID);
-            }
-        }
-    }
-    async kickUser(userID, serverID) {
-        const permissionList = await this.fetchPermissionList(serverID);
-        for (const permission of permissionList) {
-            if (userID === permission.userID) {
-                await this.deletePermission(permission.permissionID);
-                return;
-            }
-        }
-        throw new Error("Couldn't kick user.");
-    }
-    addCookie(cookie) {
-        if (!this.cookies.includes(cookie)) {
-            this.cookies.push(cookie);
-            this.log.info("cookies changed", this.getCookies());
-            if (isNode) {
-                ax.defaults.headers.cookie = this.cookies.join(";");
-            }
-        }
-    }
-    getCookies() {
-        return this.cookies.join(";");
-    }
-    async uploadEmoji(emoji, name, serverID) {
-        if (typeof FormData !== "undefined") {
-            const fpayload = new FormData();
-            fpayload.set("emoji", new Blob([new Uint8Array(emoji)]));
-            fpayload.set("name", name);
-            try {
-                const res = await ax.post(this.getHost() + "/emoji/" + serverID, fpayload, {
-                    headers: { "Content-Type": "multipart/form-data" },
-                    onUploadProgress: (progressEvent) => {
-                        const percentCompleted = Math.round((progressEvent.loaded * 100) /
-                            (progressEvent.total ?? 1));
-                        const { loaded, total = 0 } = progressEvent;
-                        const progress = {
-                            direction: "upload",
-                            token: name,
-                            progress: percentCompleted,
-                            loaded,
-                            total,
-                        };
-                        this.emit("fileProgress", progress);
-                    },
-                });
-                return msgpack.decode(new Uint8Array(res.data));
-            }
-            catch (err) {
-                return null;
-            }
-        }
-        const payload = {
-            file: XUtils.encodeBase64(emoji),
-            name,
-        };
-        try {
-            const res = await ax.post(this.getHost() + "/emoji/" + serverID + "/json", msgpack.encode(payload), { headers: { "Content-Type": "application/msgpack" } });
-            return msgpack.decode(new Uint8Array(res.data));
-        }
-        catch (err) {
-            return null;
-        }
-    }
-    async retrieveOrCreateDevice() {
-        let device;
-        try {
-            const res = await ax.get(this.prefixes.HTTP +
-                this.host +
-                "/device/" +
-                XUtils.encodeHex(this.signKeys.publicKey));
-            device = msgpack.decode(new Uint8Array(res.data));
-        }
-        catch (err) {
-            this.log.error(err.toString());
-            if (err.response?.status === 404) {
-                // just in case
-                await this.database.purgeKeyData();
-                await this.populateKeyRing();
-                this.log.info("Attempting to register device.");
-                const newDevice = await this.registerDevice();
-                if (newDevice) {
-                    device = newDevice;
-                }
-                else {
-                    throw new Error("Error registering device.");
-                }
-            }
-            else {
-                throw err;
-            }
-        }
-        this.log.info("Got device " + JSON.stringify(device, null, 4));
-        return device;
-    }
-    async registerDevice() {
-        while (!this.xKeyRing) {
-            await sleep(100);
-        }
-        const token = await this.getToken("device");
-        const [userDetails, err] = await this.retrieveUserDBEntry(this.user.username);
-        if (!userDetails) {
-            throw new Error("Username not found " + this.user.username);
-        }
-        if (err) {
-            throw err;
-        }
-        if (!token) {
-            throw new Error("Couldn't fetch token.");
-        }
-        const signKey = this.getKeys().public;
-        const signed = XUtils.encodeHex(nacl.sign(Uint8Array.from(uuid.parse(token.key)), this.signKeys.secretKey));
-        const devMsg = {
-            username: userDetails.username,
-            signKey,
-            signed,
-            preKey: XUtils.encodeHex(this.xKeyRing.preKeys.keyPair.publicKey),
-            preKeySignature: XUtils.encodeHex(this.xKeyRing.preKeys.signature),
-            preKeyIndex: this.xKeyRing.preKeys.index,
-            deviceName: typeof navigator !== "undefined"
-                ? navigator.userAgent.slice(0, 64)
-                : "node",
-        };
-        try {
-            const res = await ax.post(this.prefixes.HTTP +
-                this.host +
-                "/user/" +
-                userDetails.userID +
-                "/devices", msgpack.encode(devMsg), { headers: { "Content-Type": "application/msgpack" } });
-            return msgpack.decode(new Uint8Array(res.data));
-        }
-        catch (err) {
-            throw err;
-        }
-    }
-    async getToken(type) {
-        try {
-            const res = await ax.get(this.getHost() + "/token/" + type, {
-                responseType: "arraybuffer",
-            });
-            return msgpack.decode(new Uint8Array(res.data));
-        }
-        catch (err) {
-            this.log.warn(err.toString());
-            return null;
-        }
-    }
-    async uploadAvatar(avatar) {
-        if (typeof FormData !== "undefined") {
-            const fpayload = new FormData();
-            fpayload.set("avatar", new Blob([new Uint8Array(avatar)]));
-            await ax.post(this.prefixes.HTTP +
-                this.host +
-                "/avatar/" +
-                this.me.user().userID, fpayload, {
-                headers: { "Content-Type": "multipart/form-data" },
-                onUploadProgress: (progressEvent) => {
-                    const percentCompleted = Math.round((progressEvent.loaded * 100) /
-                        (progressEvent.total ?? 1));
-                    const { loaded, total = 0 } = progressEvent;
-                    const progress = {
-                        direction: "upload",
-                        token: this.getUser().userID,
-                        progress: percentCompleted,
-                        loaded,
-                        total,
-                    };
-                    this.emit("fileProgress", progress);
-                },
-            });
-            return;
+    censorPreKey(preKey) {
+        if (!preKey.index) {
+            throw new Error("Key index is required.");
         }
-        const payload = {
-            file: XUtils.encodeBase64(avatar),
+        return {
+            deviceID: this.getDevice().deviceID,
+            index: preKey.index,
+            publicKey: XUtils.decodeHex(preKey.publicKey),
+            signature: XUtils.decodeHex(preKey.signature),
         };
-        await ax.post(this.prefixes.HTTP +
-            this.host +
-            "/avatar/" +
-            this.me.user().userID +
-            "/json", msgpack.encode(payload), { headers: { "Content-Type": "application/msgpack" } });
-    }
-    /**
-     * Gets a list of permissions for a server.
-     *
-     * @returns - The list of IPermissions objects.
-     */
-    async fetchPermissionList(serverID) {
-        const res = await ax.get(this.prefixes.HTTP +
-            this.host +
-            "/server/" +
-            serverID +
-            "/permissions");
-        return msgpack.decode(new Uint8Array(res.data));
-    }
-    /**
-     * Gets all permissions for the logged in user.
-     *
-     * @returns - The list of IPermissions objects.
-     */
-    async getPermissions() {
-        const res = await ax.get(this.getHost() + "/user/" + this.getUser().userID + "/permissions");
-        return msgpack.decode(new Uint8Array(res.data));
-    }
-    async deletePermission(permissionID) {
-        await ax.delete(this.getHost() + "/permission/" + permissionID);
-    }
-    async retrieveFile(fileID, key) {
-        try {
-            const detailsRes = await ax.get(this.getHost() + "/file/" + fileID + "/details");
-            const details = msgpack.decode(new Uint8Array(detailsRes.data));
-            const res = await ax.get(this.getHost() + "/file/" + fileID, {
-                onDownloadProgress: (progressEvent) => {
-                    const percentCompleted = Math.round((progressEvent.loaded * 100) /
-                        (progressEvent.total ?? 1));
-                    const { loaded, total = 0 } = progressEvent;
-                    const progress = {
-                        direction: "download",
-                        token: fileID,
-                        progress: percentCompleted,
-                        loaded,
-                        total,
-                    };
-                    this.emit("fileProgress", progress);
-                },
-            });
-            const fileData = res.data;
-            const decrypted = nacl.secretbox.open(new Uint8Array(fileData), XUtils.decodeHex(details.nonce), XUtils.decodeHex(key));
-            if (decrypted) {
-                const resp = {
-                    details,
-                    data: new Uint8Array(decrypted),
-                };
-                return resp;
-            }
-            throw new Error("Decryption failed.");
-        }
-        catch (err) {
-            throw err;
-        }
-    }
-    async deleteServer(serverID) {
-        await ax.delete(this.getHost() + "/server/" + serverID);
-    }
-    /**
-     * Initializes the keyring. This must be called before anything else.
-     */
-    async init() {
-        if (this.hasInit) {
-            throw new Error("You should only call init() once.");
-        }
-        this.hasInit = true;
-        await this.populateKeyRing();
-        this.on("message", async (message) => {
-            if (message.direction === "outgoing" && !message.forward) {
-                this.forward(message);
-            }
-            if (message.direction === "incoming" &&
-                message.recipient === message.sender) {
-                return;
-            }
-            await this.database.saveMessage(message);
-        });
-        this.emit("ready");
     }
-    async deleteChannel(channelID) {
-        await ax.delete(this.getHost() + "/channel/" + channelID);
+    async createChannel(name, serverID) {
+        const body = { name };
+        const res = await this.http.post(this.getHost() + "/server/" + serverID + "/channels", msgpack.encode(body), { headers: { "Content-Type": "application/msgpack" } });
+        return decodeAxios(ChannelCodec, res.data);
     }
     // returns the file details and the encryption key
     async createFile(file) {
         this.log.info("Creating file, size: " + formatBytes(file.byteLength));
         const nonce = xMakeNonce();
-        const key = nacl.box.keyPair();
-        const box = nacl.secretbox(Uint8Array.from(file), nonce, key.secretKey);
+        const key = xBoxKeyPair();
+        const box = xSecretbox(Uint8Array.from(file), nonce, key.secretKey);
         this.log.info("Encrypted size: " + formatBytes(box.byteLength));
         if (typeof FormData !== "undefined") {
             const fpayload = new FormData();
             fpayload.set("owner", this.getDevice().deviceID);
             fpayload.set("nonce", XUtils.encodeHex(nonce));
             fpayload.set("file", new Blob([new Uint8Array(box)]));
-            const fres = await ax.post(this.getHost() + "/file", fpayload, {
+            const fres = await this.http.post(this.getHost() + "/file", fpayload, {
                 headers: { "Content-Type": "multipart/form-data" },
                 onUploadProgress: (progressEvent) => {
                     const percentCompleted = Math.round((progressEvent.loaded * 100) /
@@ -1016,337 +742,301 @@ export class Client extends EventEmitter {
                     const { loaded, total = 0 } = progressEvent;
                     const progress = {
                         direction: "upload",
-                        token: XUtils.encodeHex(nonce),
-                        progress: percentCompleted,
                         loaded,
+                        progress: percentCompleted,
+                        token: XUtils.encodeHex(nonce),
                         total,
                     };
-                    this.emit("fileProgress", progress);
+                    this.emitter.emit("fileProgress", progress);
                 },
             });
-            const fcreatedFile = msgpack.decode(new Uint8Array(fres.data));
+            const fcreatedFile = decodeAxios(FileSQLCodec, fres.data);
             return [fcreatedFile, XUtils.encodeHex(key.secretKey)];
         }
         const payload = {
-            owner: this.getDevice().deviceID,
-            nonce: XUtils.encodeHex(nonce),
             file: XUtils.encodeBase64(box),
+            nonce: XUtils.encodeHex(nonce),
+            owner: this.getDevice().deviceID,
         };
-        const res = await ax.post(this.getHost() + "/file/json", msgpack.encode(payload), { headers: { "Content-Type": "application/msgpack" } });
-        const createdFile = msgpack.decode(new Uint8Array(res.data));
+        const res = await this.http.post(this.getHost() + "/file/json", msgpack.encode(payload), { headers: { "Content-Type": "application/msgpack" } });
+        const createdFile = decodeAxios(FileSQLCodec, res.data);
         return [createdFile, XUtils.encodeHex(key.secretKey)];
     }
-    async getUserList(channelID) {
-        const res = await ax.post(this.getHost() + "/userList/" + channelID);
-        return msgpack.decode(new Uint8Array(res.data));
-    }
-    async markSessionVerified(sessionID) {
-        return this.database.markSessionVerified(sessionID);
-    }
-    async getGroupHistory(channelID) {
-        const messages = await this.database.getGroupHistory(channelID);
-        return messages;
+    async createInvite(serverID, duration) {
+        const payload = {
+            duration,
+            serverID,
+        };
+        const res = await this.http.post(this.getHost() + "/server/" + serverID + "/invites", payload);
+        return decodeAxios(InviteCodec, res.data);
     }
-    async deleteHistory(channelOrUserID, olderThan) {
-        await this.database.deleteHistory(channelOrUserID, olderThan);
+    createPreKey() {
+        const preKeyPair = xBoxKeyPair();
+        return {
+            keyPair: preKeyPair,
+            signature: xSign(xEncode(xConstants.CURVE, preKeyPair.publicKey), this.signKeys.secretKey),
+        };
     }
-    async purgeHistory() {
-        await this.database.purgeHistory();
+    async createServer(name) {
+        const res = await this.http.post(this.getHost() + "/server/" + globalThis.btoa(name));
+        return decodeAxios(ServerCodec, res.data);
     }
-    async getMessageHistory(userID) {
-        const messages = await this.database.getMessageHistory(userID);
-        return messages;
-    }
-    async sendMessage(userID, message) {
+    async createSession(device, user, message, group, 
+    /* this is passed through if the first message is
+    part of a group message */
+    mailID, forward) {
+        let keyBundle;
+        this.log.info("Requesting key bundle for device: " +
+            JSON.stringify(device, null, 4));
         try {
-            const [userEntry, err] = await this.retrieveUserDBEntry(userID);
-            if (err) {
-                throw err;
-            }
-            if (!userEntry) {
-                throw new Error("Couldn't get user entry.");
-            }
-            let deviceList = await this.getUserDeviceList(userID);
-            if (!deviceList) {
-                let retries = 0;
-                while (!deviceList) {
-                    deviceList = await this.getUserDeviceList(userID);
-                    retries++;
-                    if (retries > 3) {
-                        throw new Error("Couldn't get device list.");
-                    }
-                }
-            }
-            const mailID = uuid.v4();
-            const promises = [];
-            for (const device of deviceList) {
-                promises.push(this.sendMail(device, userEntry, XUtils.decodeUTF8(message), null, mailID, false));
-            }
-            Promise.allSettled(promises).then((results) => {
-                for (const result of results) {
-                    const { status } = result;
-                    if (status === "rejected") {
-                        this.log.warn("Message failed.");
-                        this.log.warn(JSON.stringify(result));
-                    }
-                }
-            });
+            keyBundle = await this.retrieveKeyBundle(device.deviceID);
         }
         catch (err) {
-            this.log.error("Message " + (err.message?.mailID || "") + " threw exception.");
-            this.log.error(err.toString());
-            if (err.message?.mailID) {
-                await this.database.deleteMessage(err.message.mailID);
-            }
-            throw err;
-        }
-    }
-    async sendGroupMessage(channelID, message) {
-        const userList = await this.getUserList(channelID);
-        for (const user of userList) {
-            this.userRecords[user.userID] = user;
-        }
-        this.log.info("Sending to userlist:\n" + JSON.stringify(userList, null, 4));
-        const mailID = uuid.v4();
-        const promises = [];
-        const userIDs = [...new Set(userList.map((user) => user.userID))];
-        const devices = await this.getMultiUserDeviceList(userIDs);
-        this.log.info("Retrieved devicelist:\n" + JSON.stringify(devices, null, 4));
-        for (const device of devices) {
-            promises.push(this.sendMail(device, this.userRecords[device.owner], XUtils.decodeUTF8(message), uuidToUint8(channelID), mailID, false));
-        }
-        Promise.allSettled(promises).then((results) => {
-            for (const result of results) {
-                const { status } = result;
-                if (status === "rejected") {
-                    this.log.warn("Message failed.");
-                    this.log.warn(JSON.stringify(result));
-                }
-            }
-        });
-    }
-    async createServer(name) {
-        const res = await ax.post(this.getHost() + "/server/" + globalThis.btoa(name));
-        return msgpack.decode(new Uint8Array(res.data));
-    }
-    async forward(message) {
-        const copy = { ...message };
-        if (this.forwarded.includes(copy.mailID)) {
-            return;
-        }
-        this.forwarded.push(copy.mailID);
-        if (this.forwarded.length > 1000) {
-            this.forwarded.shift();
-        }
-        const msgBytes = Uint8Array.from(msgpack.encode(copy));
-        const devices = await this.getUserDeviceList(this.getUser().userID);
-        this.log.info("Forwarding to my other devices, deviceList length is " +
-            devices?.length);
-        if (!devices) {
-            throw new Error("Couldn't get own devices.");
-        }
-        const promises = [];
-        for (const device of devices) {
-            if (device.deviceID !== this.getDevice().deviceID) {
-                promises.push(this.sendMail(device, this.getUser(), msgBytes, null, copy.mailID, true));
-            }
-        }
-        Promise.allSettled(promises).then((results) => {
-            for (const result of results) {
-                const { status } = result;
-                if (status === "rejected") {
-                    this.log.warn("Message failed.");
-                    this.log.warn(JSON.stringify(result));
-                }
-            }
-        });
-    }
-    /* Sends encrypted mail to a user. */
-    async sendMail(device, user, msg, group, mailID, forward, retry = false) {
-        while (this.sending[device.deviceID] !== undefined) {
-            this.log.warn("Sending in progress to device ID " +
-                device.deviceID +
-                ", waiting.");
-            await sleep(100);
-        }
-        this.log.info("Sending mail to user: \n" + JSON.stringify(user, null, 4));
-        this.log.info("Sending mail to device:\n " +
-            JSON.stringify(device.deviceID, null, 4));
-        this.sending[device.deviceID] = device;
-        const session = await this.database.getSessionByDeviceID(device.deviceID);
-        if (!session || retry) {
-            this.log.info("Creating new session for " + device.deviceID);
-            await this.createSession(device, user, msg, group, mailID, forward);
+            this.log.warn("Couldn't get key bundle:", err instanceof Error ? err.message : String(err));
             return;
         }
-        else {
-            this.log.info("Found existing session for " + device.deviceID);
+        this.log.warn(this.toString() +
+            " retrieved keybundle #" +
+            String(keyBundle.otk?.index ?? "none") +
+            " for " +
+            device.deviceID);
+        if (!this.xKeyRing) {
+            throw new Error("Key ring not initialized.");
         }
+        // my keys
+        const IK_A = this.xKeyRing.identityKeys.secretKey;
+        const IK_AP = this.xKeyRing.identityKeys.publicKey;
+        const EK_A = this.xKeyRing.ephemeralKeys.secretKey;
+        // their keys
+        const IK_B_raw = XKeyConvert.convertPublicKey(new Uint8Array(keyBundle.signKey));
+        if (!IK_B_raw) {
+            throw new Error("Could not convert sign key to X25519.");
+        }
+        const IK_B = IK_B_raw;
+        const SPK_B = new Uint8Array(keyBundle.preKey.publicKey);
+        const OPK_B = keyBundle.otk
+            ? new Uint8Array(keyBundle.otk.publicKey)
+            : null;
+        // diffie hellman functions
+        const DH1 = xDH(new Uint8Array(IK_A), SPK_B);
+        const DH2 = xDH(new Uint8Array(EK_A), IK_B);
+        const DH3 = xDH(new Uint8Array(EK_A), SPK_B);
+        const DH4 = OPK_B ? xDH(new Uint8Array(EK_A), OPK_B) : null;
+        // initial key material
+        const IKM = DH4 ? xConcat(DH1, DH2, DH3, DH4) : xConcat(DH1, DH2, DH3);
+        // one time key index
+        const IDX = keyBundle.otk
+            ? XUtils.numberToUint8Arr(keyBundle.otk.index ?? 0)
+            : XUtils.numberToUint8Arr(0);
+        // shared secret key
+        const SK = xKDF(IKM);
+        this.log.info("Obtained SK, " + XUtils.encodeHex(SK));
+        const PK = xBoxKeyPairFromSecret(SK).publicKey;
+        this.log.info(this.toString() +
+            " Obtained PK for " +
+            device.deviceID +
+            " " +
+            XUtils.encodeHex(PK));
+        const AD = xConcat(xEncode(xConstants.CURVE, IK_AP), xEncode(xConstants.CURVE, IK_B));
         const nonce = xMakeNonce();
-        const cipher = nacl.secretbox(msg, nonce, session.SK);
-        const extra = session.publicKey;
+        const cipher = xSecretbox(message, nonce, SK);
+        this.log.info("Encrypted ciphertext.");
+        /* 32 bytes for signkey, 32 bytes for ephemeral key,
+        68 bytes for AD, 6 bytes for otk index (empty for no otk) */
+        const extra = xConcat(this.signKeys.publicKey, this.xKeyRing.ephemeralKeys.publicKey, PK, AD, IDX);
         const mail = {
-            mailType: MailType.subsequent,
-            mailID: mailID || uuid.v4(),
-            recipient: device.deviceID,
+            authorID: this.getUser().userID,
             cipher,
-            nonce,
             extra,
-            sender: this.getDevice().deviceID,
-            group,
             forward,
-            authorID: this.getUser().userID,
-            readerID: session.userID,
+            group,
+            mailID: mailID || uuid.v4(),
+            mailType: MailType.initial,
+            nonce,
+            readerID: user.userID,
+            recipient: device.deviceID,
+            sender: this.getDevice().deviceID,
         };
-        const msgb = {
-            transmissionID: uuid.v4(),
-            type: "resource",
-            resourceType: "mail",
+        const hmac = xHMAC(mail, SK);
+        this.log.info("Mail hash: " + JSON.stringify(mail));
+        this.log.info("Generated hmac: " + XUtils.encodeHex(hmac));
+        const msg = {
             action: "CREATE",
             data: mail,
+            resourceType: "mail",
+            transmissionID: uuid.v4(),
+            type: "resource",
         };
-        const hmac = xHMAC(mail, session.SK);
-        this.log.info("Mail hash: " + objectHash(mail));
-        this.log.info("Calculated hmac: " + XUtils.encodeHex(hmac));
-        const outMsg = forward
-            ? { ...msgpack.decode(msg), forward: true }
+        // discard the ephemeral keys
+        this.newEphemeralKeys();
+        // save the encryption session
+        this.log.info("Saving new session.");
+        const sessionEntry = {
+            deviceID: device.deviceID,
+            fingerprint: XUtils.encodeHex(AD),
+            lastUsed: new Date().toISOString(),
+            mode: "initiator",
+            publicKey: XUtils.encodeHex(PK),
+            sessionID: uuid.v4(),
+            SK: XUtils.encodeHex(SK),
+            userID: user.userID,
+            verified: false,
+        };
+        await this.database.saveSession(sessionEntry);
+        this.emitter.emit("session", sessionEntry, user);
+        // emit the message
+        const forwardedMsg = forward
+            ? messageSchema.parse(msgpack.decode(message))
+            : null;
+        const emitMsg = forwardedMsg
+            ? { ...forwardedMsg, forward: true }
             : {
-                mailID: mail.mailID,
-                sender: mail.sender,
-                recipient: mail.recipient,
-                nonce: XUtils.encodeHex(mail.nonce),
-                message: XUtils.encodeUTF8(msg),
-                direction: "outgoing",
-                timestamp: new Date(Date.now()),
+                authorID: mail.authorID,
                 decrypted: true,
-                group: mail.group ? uuid.stringify(mail.group) : null,
+                direction: "outgoing",
                 forward: mail.forward,
-                authorID: mail.authorID,
+                group: mail.group ? uuid.stringify(mail.group) : null,
+                mailID: mail.mailID,
+                message: XUtils.encodeUTF8(message),
+                nonce: XUtils.encodeHex(new Uint8Array(mail.nonce)),
                 readerID: mail.readerID,
+                recipient: mail.recipient,
+                sender: mail.sender,
+                timestamp: new Date().toISOString(),
             };
-        this.emit("message", outMsg);
+        this.emitter.emit("message", emitMsg);
+        // send mail and wait for response
         await new Promise((res, rej) => {
-            const callback = async (packedMsg) => {
-                const [header, receivedMsg] = XUtils.unpackMessage(packedMsg);
-                if (receivedMsg.transmissionID === msgb.transmissionID) {
-                    this.conn.off("message", callback);
-                    if (receivedMsg.type === "success") {
-                        res(receivedMsg.data);
+            const callback = (packedMsg) => {
+                const [_header, receivedMsg] = XUtils.unpackMessage(packedMsg);
+                if (receivedMsg.transmissionID === msg.transmissionID) {
+                    this.socket.off("message", callback);
+                    const parsed = WSMessageSchema.safeParse(receivedMsg);
+                    if (parsed.success && parsed.data.type === "success") {
+                        res(parsed.data.data);
                     }
                     else {
-                        rej({
-                            error: receivedMsg,
-                            message: outMsg,
-                        });
+                        rej(new Error("Mail delivery failed: " +
+                            JSON.stringify(receivedMsg)));
                     }
                 }
             };
-            this.conn.on("message", callback);
-            this.send(msgb, hmac);
+            this.socket.on("message", callback);
+            void this.send(msg, hmac);
+            this.log.info("Mail sent.");
         });
-        delete this.sending[device.deviceID];
-    }
-    async getSessionList() {
-        return this.database.getAllSessions();
-    }
-    async getServerList() {
-        const res = await ax.get(this.getHost() + "/user/" + this.getUser().userID + "/servers");
-        return msgpack.decode(new Uint8Array(res.data));
+        this.sending.delete(device.deviceID);
     }
-    async createChannel(name, serverID) {
-        const body = { name };
-        const res = await ax.post(this.getHost() + "/server/" + serverID + "/channels", msgpack.encode(body), { headers: { "Content-Type": "application/msgpack" } });
-        return msgpack.decode(new Uint8Array(res.data));
-    }
-    async getDeviceByID(deviceID) {
-        if (this.deviceRecords[deviceID]) {
-            this.log.info("Found device in local cache.");
-            return this.deviceRecords[deviceID];
-        }
-        const device = await this.database.getDevice(deviceID);
-        if (device) {
-            this.log.info("Found device in local db.");
-            this.deviceRecords[deviceID] = device;
-            return device;
-        }
-        try {
-            const res = await ax.get(this.getHost() + "/device/" + deviceID);
-            this.log.info("Retrieved device from server.");
-            const fetchedDevice = msgpack.decode(new Uint8Array(res.data));
-            this.deviceRecords[deviceID] = fetchedDevice;
-            await this.database.saveDevice(fetchedDevice);
-            return fetchedDevice;
-        }
-        catch (err) {
-            return null;
-        }
+    async deleteChannel(channelID) {
+        await this.http.delete(this.getHost() + "/channel/" + channelID);
     }
     async deleteDevice(deviceID) {
         if (deviceID === this.getDevice().deviceID) {
             throw new Error("You can't delete the device you're logged in to.");
         }
-        await ax.delete(this.prefixes.HTTP +
+        await this.http.delete(this.prefixes.HTTP +
             this.host +
             "/user/" +
             this.getUser().userID +
             "/devices/" +
             deviceID);
     }
-    async getMultiUserDeviceList(userIDs) {
+    async deleteHistory(channelOrUserID) {
+        await this.database.deleteHistory(channelOrUserID);
+    }
+    async deletePermission(permissionID) {
+        await this.http.delete(this.getHost() + "/permission/" + permissionID);
+    }
+    async deleteServer(serverID) {
+        await this.http.delete(this.getHost() + "/server/" + serverID);
+    }
+    /**
+     * Gets a list of permissions for a server.
+     *
+     * @returns - The list of Permissions objects.
+     */
+    async fetchPermissionList(serverID) {
+        const res = await this.http.get(this.prefixes.HTTP +
+            this.host +
+            "/server/" +
+            serverID +
+            "/permissions");
+        return decodeAxios(PermissionArrayCodec, res.data);
+    }
+    async fetchUser(userIdentifier) {
+        // Positive cache
+        if (userIdentifier in this.userRecords) {
+            return [this.userRecords[userIdentifier] ?? null, null];
+        }
+        // Negative cache — skip users we know don't exist (TTL-based)
+        const notFoundAt = this.notFoundUsers.get(userIdentifier);
+        if (notFoundAt && Date.now() - notFoundAt < Client.NOT_FOUND_TTL) {
+            return [null, null];
+        }
         try {
-            const res = await ax.post(this.getHost() + "/deviceList", msgpack.encode(userIDs), { headers: { "Content-Type": "application/msgpack" } });
-            const devices = msgpack.decode(new Uint8Array(res.data));
-            for (const device of devices) {
-                this.deviceRecords[device.deviceID] = device;
-            }
-            return devices;
+            const res = await this.http.get(this.getHost() + "/user/" + userIdentifier);
+            const userRecord = decodeAxios(UserCodec, res.data);
+            this.userRecords[userIdentifier] = userRecord;
+            this.notFoundUsers.delete(userIdentifier);
+            return [userRecord, null];
         }
         catch (err) {
-            return [];
+            if (isAxiosError(err) && err.response?.status === 404) {
+                // Definitive: user doesn't exist — cache and don't retry
+                this.notFoundUsers.set(userIdentifier, Date.now());
+                return [null, err];
+            }
+            // Transient (5xx, network error) — don't cache, caller can retry
+            return [null, isAxiosError(err) ? err : null];
         }
     }
-    async getUserDeviceList(userID) {
-        try {
-            const res = await ax.get(this.getHost() + "/user/" + userID + "/devices");
-            const devices = msgpack.decode(new Uint8Array(res.data));
-            for (const device of devices) {
-                this.deviceRecords[device.deviceID] = device;
-            }
-            return devices;
+    async forward(message) {
+        const copy = { ...message };
+        if (this.forwarded.has(copy.mailID)) {
+            return;
         }
-        catch (err) {
-            return null;
+        this.forwarded.add(copy.mailID);
+        if (this.forwarded.size > 1000) {
+            // Remove oldest entry
+            const first = this.forwarded.values().next().value;
+            if (first !== undefined)
+                this.forwarded.delete(first);
         }
-    }
-    async getServerByID(serverID) {
-        try {
-            const res = await ax.get(this.getHost() + "/server/" + serverID);
-            return msgpack.decode(new Uint8Array(res.data));
+        const msgBytes = Uint8Array.from(msgpack.encode(copy));
+        const devices = await this.getUserDeviceList(this.getUser().userID);
+        this.log.info("Forwarding to my other devices, deviceList length is " +
+            String(devices?.length ?? 0));
+        if (!devices) {
+            throw new Error("Couldn't get own devices.");
         }
-        catch (err) {
-            return null;
+        const promises = [];
+        for (const device of devices) {
+            if (device.deviceID !== this.getDevice().deviceID) {
+                promises.push(this.sendMail(device, this.getUser(), msgBytes, null, copy.mailID, true));
+            }
         }
+        void Promise.allSettled(promises).then((results) => {
+            for (const result of results) {
+                const { status } = result;
+                if (status === "rejected") {
+                    this.log.warn("Message failed.");
+                    this.log.warn(JSON.stringify(result));
+                }
+            }
+        });
     }
     async getChannelByID(channelID) {
         try {
-            const res = await ax.get(this.getHost() + "/channel/" + channelID);
-            return msgpack.decode(new Uint8Array(res.data));
+            const res = await this.http.get(this.getHost() + "/channel/" + channelID);
+            return decodeAxios(ChannelCodec, res.data);
         }
-        catch (err) {
+        catch (_err) {
             return null;
         }
     }
     async getChannelList(serverID) {
-        const res = await ax.get(this.getHost() + "/server/" + serverID + "/channels");
-        return msgpack.decode(new Uint8Array(res.data));
-    }
-    /* Get the currently logged in user. You cannot call this until
-    after the auth event is emitted. */
-    getUser() {
-        if (!this.user) {
-            throw new Error("You must wait until the auth event is emitted before fetching user details.");
-        }
-        return this.user;
+        const res = await this.http.get(this.getHost() + "/server/" + serverID + "/channels");
+        return decodeAxios(ChannelArrayCodec, res.data);
     }
     getDevice() {
         if (!this.device) {
@@ -1354,24 +1044,27 @@ export class Client extends EventEmitter {
         }
         return this.device;
     }
-    setUser(user) {
-        this.user = user;
-    }
-    /* Retrieves the userID with the user identifier.
-    user identifier is checked for userID, then signkey,
-    and finally falls back to username. */
-    async retrieveUserDBEntry(userIdentifier) {
-        if (this.userRecords[userIdentifier]) {
-            return [this.userRecords[userIdentifier], null];
+    async getDeviceByID(deviceID) {
+        if (deviceID in this.deviceRecords) {
+            this.log.info("Found device in local cache.");
+            return this.deviceRecords[deviceID] ?? null;
+        }
+        const device = await this.database.getDevice(deviceID);
+        if (device) {
+            this.log.info("Found device in local db.");
+            this.deviceRecords[deviceID] = device;
+            return device;
         }
         try {
-            const res = await ax.get(this.getHost() + "/user/" + userIdentifier);
-            const userRecord = msgpack.decode(new Uint8Array(res.data));
-            this.userRecords[userIdentifier] = userRecord;
-            return [userRecord, null];
+            const res = await this.http.get(this.getHost() + "/device/" + deviceID);
+            this.log.info("Retrieved device from server.");
+            const fetchedDevice = decodeAxios(DeviceCodec, res.data);
+            this.deviceRecords[deviceID] = fetchedDevice;
+            await this.database.saveDevice(fetchedDevice);
+            return fetchedDevice;
         }
-        catch (err) {
-            return [null, err];
+        catch (_err) {
+            return null;
         }
     }
     /* Retrieves the current list of users you have sessions with. */
@@ -1379,159 +1072,105 @@ export class Client extends EventEmitter {
         const sessions = await this.database.getAllSessions();
         const familiars = [];
         for (const session of sessions) {
-            const [user, err] = await this.retrieveUserDBEntry(session.userID);
+            const [user, _err] = await this.fetchUser(session.userID);
             if (user) {
                 familiars.push(user);
             }
         }
         return familiars;
     }
-    async createSession(device, user, message, group, 
-    /* this is passed through if the first message is
-    part of a group message */
-    mailID, forward) {
-        let keyBundle;
-        this.log.info("Requesting key bundle for device: " +
-            JSON.stringify(device, null, 4));
+    async getGroupHistory(channelID) {
+        const messages = await this.database.getGroupHistory(channelID);
+        return messages;
+    }
+    async getMail() {
+        while (this.fetchingMail) {
+            await sleep(500);
+        }
+        this.fetchingMail = true;
+        let firstFetch = false;
+        if (this.firstMailFetch) {
+            firstFetch = true;
+            this.firstMailFetch = false;
+        }
+        if (firstFetch) {
+            this.emitter.emit("decryptingMail");
+        }
+        this.log.info("fetching mail for device " + this.getDevice().deviceID);
         try {
-            keyBundle = await this.retrieveKeyBundle(device.deviceID);
+            const res = await this.http.post(this.getHost() +
+                "/device/" +
+                this.getDevice().deviceID +
+                "/mail");
+            const mailBuffer = new Uint8Array(res.data);
+            const rawInbox = z
+                .array(mailInboxEntry)
+                .parse(msgpack.decode(mailBuffer));
+            const inbox = rawInbox.sort((a, b) => b[2].localeCompare(a[2]));
+            for (const mailDetails of inbox) {
+                const [mailHeader, mailBody, timestamp] = mailDetails;
+                try {
+                    await this.readMail(mailHeader, mailBody, timestamp);
+                }
+                catch (err) {
+                    console.warn(String(err));
+                }
+            }
         }
         catch (err) {
-            this.log.warn("Couldn't get key bundle:", err);
-            return;
+            console.warn(String(err));
         }
-        this.log.warn(this.toString() +
-            " retrieved keybundle #" +
-            keyBundle.otk?.index.toString() +
-            " for " +
-            device.deviceID);
-        // my keys
-        const IK_A = this.xKeyRing.identityKeys.secretKey;
-        const IK_AP = this.xKeyRing.identityKeys.publicKey;
-        const EK_A = this.xKeyRing.ephemeralKeys.secretKey;
-        // their keys
-        const IK_B = XKeyConvert.convertPublicKey(keyBundle.signKey);
-        const SPK_B = keyBundle.preKey.publicKey;
-        const OPK_B = keyBundle.otk ? keyBundle.otk.publicKey : null;
-        // diffie hellman functions
-        const DH1 = xDH(IK_A, SPK_B);
-        const DH2 = xDH(EK_A, IK_B);
-        const DH3 = xDH(EK_A, SPK_B);
-        const DH4 = OPK_B ? xDH(EK_A, OPK_B) : null;
-        // initial key material
-        const IKM = DH4 ? xConcat(DH1, DH2, DH3, DH4) : xConcat(DH1, DH2, DH3);
-        // one time key index
-        const IDX = keyBundle.otk
-            ? XUtils.numberToUint8Arr(keyBundle.otk.index)
-            : XUtils.numberToUint8Arr(0);
-        // shared secret key
-        const SK = xKDF(IKM);
-        this.log.info("Obtained SK, " + XUtils.encodeHex(SK));
-        const PK = nacl.box.keyPair.fromSecretKey(SK).publicKey;
-        this.log.info(this.toString() +
-            " Obtained PK for " +
-            device.deviceID +
-            " " +
-            XUtils.encodeHex(PK));
-        const AD = xConcat(xEncode(xConstants.CURVE, IK_AP), xEncode(xConstants.CURVE, IK_B));
-        const nonce = xMakeNonce();
-        const cipher = nacl.secretbox(message, nonce, SK);
-        this.log.info("Encrypted ciphertext.");
-        /* 32 bytes for signkey, 32 bytes for ephemeral key,
-        68 bytes for AD, 6 bytes for otk index (empty for no otk) */
-        const extra = xConcat(this.signKeys.publicKey, this.xKeyRing.ephemeralKeys.publicKey, PK, AD, IDX);
-        const mail = {
-            mailType: MailType.initial,
-            mailID: mailID || uuid.v4(),
-            recipient: device.deviceID,
-            cipher,
-            nonce,
-            extra,
-            sender: this.getDevice().deviceID,
-            group,
-            forward,
-            authorID: this.getUser().userID,
-            readerID: user.userID,
-        };
-        const hmac = xHMAC(mail, SK);
-        this.log.info("Mail hash: " + objectHash(mail));
-        this.log.info("Generated hmac: " + XUtils.encodeHex(hmac));
-        const msg = {
-            transmissionID: uuid.v4(),
-            type: "resource",
-            resourceType: "mail",
-            action: "CREATE",
-            data: mail,
-        };
-        // discard the ephemeral keys
-        this.newEphemeralKeys();
-        // save the encryption session
-        this.log.info("Saving new session.");
-        const sessionEntry = {
-            verified: false,
-            sessionID: uuid.v4(),
-            userID: user.userID,
-            mode: "initiator",
-            SK: XUtils.encodeHex(SK),
-            publicKey: XUtils.encodeHex(PK),
-            lastUsed: new Date(Date.now()),
-            fingerprint: XUtils.encodeHex(AD),
-            deviceID: device.deviceID,
-        };
-        await this.database.saveSession(sessionEntry);
-        this.emit("session", sessionEntry, user);
-        // emit the message
-        const emitMsg = forward
-            ? { ...msgpack.decode(message), forward: true }
-            : {
-                nonce: XUtils.encodeHex(mail.nonce),
-                mailID: mail.mailID,
-                sender: mail.sender,
-                recipient: mail.recipient,
-                message: XUtils.encodeUTF8(message),
-                direction: "outgoing",
-                timestamp: new Date(Date.now()),
-                decrypted: true,
-                group: mail.group ? uuid.stringify(mail.group) : null,
-                forward: mail.forward,
-                authorID: mail.authorID,
-                readerID: mail.readerID,
-            };
-        this.emit("message", emitMsg);
-        // send mail and wait for response
-        await new Promise((res, rej) => {
-            const callback = (packedMsg) => {
-                const [header, receivedMsg] = XUtils.unpackMessage(packedMsg);
-                if (receivedMsg.transmissionID === msg.transmissionID) {
-                    this.conn.off("message", callback);
-                    if (receivedMsg.type === "success") {
-                        res(receivedMsg.data);
-                    }
-                    else {
-                        rej({
-                            error: receivedMsg,
-                            message: emitMsg,
-                        });
-                    }
-                }
-            };
-            this.conn.on("message", callback);
-            this.send(msg, hmac);
-            this.log.info("Mail sent.");
-        });
-        delete this.sending[device.deviceID];
+        this.fetchingMail = false;
     }
-    sendReceipt(nonce) {
-        const receipt = {
-            type: "receipt",
-            transmissionID: uuid.v4(),
-            nonce,
-        };
-        this.send(receipt);
+    async getMessageHistory(userID) {
+        const messages = await this.database.getMessageHistory(userID);
+        return messages;
+    }
+    async getMultiUserDeviceList(userIDs) {
+        try {
+            const res = await this.http.post(this.getHost() + "/deviceList", msgpack.encode(userIDs), { headers: { "Content-Type": "application/msgpack" } });
+            const devices = decodeAxios(DeviceArrayCodec, res.data);
+            for (const device of devices) {
+                this.deviceRecords[device.deviceID] = device;
+            }
+            return devices;
+        }
+        catch (_err) {
+            return [];
+        }
+    }
+    async getOTKCount() {
+        const res = await this.http.get(this.getHost() +
+            "/device/" +
+            this.getDevice().deviceID +
+            "/otk/count");
+        return decodeAxios(OtkCountCodec, res.data).count;
+    }
+    /**
+     * Gets all permissions for the logged in user.
+     *
+     * @returns - The list of Permissions objects.
+     */
+    async getPermissions() {
+        const res = await this.http.get(this.getHost() + "/user/" + this.getUser().userID + "/permissions");
+        return decodeAxios(PermissionArrayCodec, res.data);
+    }
+    async getServerByID(serverID) {
+        try {
+            const res = await this.http.get(this.getHost() + "/server/" + serverID);
+            return decodeAxios(ServerCodec, res.data);
+        }
+        catch (_err) {
+            return null;
+        }
+    }
+    async getServerList() {
+        const res = await this.http.get(this.getHost() + "/user/" + this.getUser().userID + "/servers");
+        return decodeAxios(ServerArrayCodec, res.data);
     }
     async getSessionByPubkey(publicKey) {
         const strPubKey = XUtils.encodeHex(publicKey);
-        if (this.sessionRecords[strPubKey]) {
+        if (strPubKey in this.sessionRecords) {
             return this.sessionRecords[strPubKey];
         }
         const session = await this.database.getSessionByPublicKey(publicKey);
@@ -1540,119 +1179,304 @@ export class Client extends EventEmitter {
         }
         return session;
     }
-    async readMail(header, mail, timestamp) {
-        this.sendReceipt(mail.nonce);
-        let timeout = 1;
-        while (this.reading) {
-            await sleep(timeout);
-            timeout *= 2;
+    async getSessionList() {
+        return this.database.getAllSessions();
+    }
+    async getToken(type) {
+        try {
+            const res = await this.http.get(this.getHost() + "/token/" + type, {
+                responseType: "arraybuffer",
+            });
+            return decodeAxios(ActionTokenCodec, res.data);
         }
-        this.reading = true;
+        catch (err) {
+            this.log.warn(String(err));
+            return null;
+        }
+    }
+    /* Get the currently logged in user. You cannot call this until
+    after the auth event is emitted. */
+    getUser() {
+        if (!this.user) {
+            throw new Error("You must wait until the auth event is emitted before fetching user details.");
+        }
+        return this.user;
+    }
+    async getUserDeviceList(userID) {
+        try {
+            const res = await this.http.get(this.getHost() + "/user/" + userID + "/devices");
+            const devices = decodeAxios(DeviceArrayCodec, res.data);
+            for (const device of devices) {
+                this.deviceRecords[device.deviceID] = device;
+            }
+            return devices;
+        }
+        catch (_err) {
+            return null;
+        }
+    }
+    async getUserList(channelID) {
+        const res = await this.http.post(this.getHost() + "/userList/" + channelID);
+        return decodeAxios(UserArrayCodec, res.data);
+    }
+    async handleNotify(msg) {
+        switch (msg.event) {
+            case "mail":
+                this.log.info("Server has informed us of new mail.");
+                await this.getMail();
+                this.fetchingMail = false;
+                break;
+            case "permission":
+                this.emitter.emit("permission", PermissionSchema.parse(msg.data));
+                break;
+            case "retryRequest":
+                // msg.data is the messageID for retry
+                break;
+            default:
+                this.log.info("Unsupported notification event " + msg.event);
+                break;
+        }
+    }
+    /**
+     * Initializes the keyring. This must be called before anything else.
+     */
+    async init() {
+        if (this.hasInit) {
+            throw new Error("You should only call init() once.");
+        }
+        this.hasInit = true;
+        await this.populateKeyRing();
+        this.emitter.on("message", (message) => {
+            if (message.direction === "outgoing" && !message.forward) {
+                void this.forward(message);
+            }
+            if (message.direction === "incoming" &&
+                message.recipient === message.sender) {
+                return;
+            }
+            void this.database.saveMessage(message);
+        });
+        this.emitter.emit("ready");
+    }
+    initSocket() {
+        try {
+            if (!this.token) {
+                throw new Error("No token found, did you call login()?");
+            }
+            const wsUrl = this.prefixes.WS + this.host + "/socket";
+            // Auth sent as first message after open
+            this.socket = new WebSocketAdapter(wsUrl);
+            this.socket.on("open", () => {
+                this.log.info("Connection opened.");
+                // Send auth as first message (encoded to bytes — protocol is binary).
+                const authMsg = JSON.stringify({
+                    token: this.token,
+                    type: "auth",
+                });
+                this.socket.send(new TextEncoder().encode(authMsg));
+                this.pingInterval = setInterval(this.ping.bind(this), 15000);
+            });
+            this.socket.on("close", () => {
+                this.log.info("Connection closed.");
+                if (this.pingInterval) {
+                    clearInterval(this.pingInterval);
+                    this.pingInterval = null;
+                }
+                if (!this.manuallyClosing) {
+                    this.emitter.emit("disconnect");
+                }
+            });
+            this.socket.on("error", (error) => {
+                throw error;
+            });
+            this.socket.on("message", (message) => {
+                const [header, raw] = XUtils.unpackMessage(message);
+                this.log.debug("INH " + XUtils.encodeHex(header));
+                this.log.debug("IN " + JSON.stringify(raw, null, 4));
+                const parseResult = WSMessageSchema.safeParse(raw);
+                if (!parseResult.success) {
+                    this.log.warn("Unknown WS message: " + JSON.stringify(raw));
+                    return;
+                }
+                const msg = parseResult.data;
+                switch (msg.type) {
+                    case "challenge":
+                        this.log.info("Received challenge from server.");
+                        this.respond(msg);
+                        break;
+                    case "error":
+                        this.log.warn(JSON.stringify(msg));
+                        break;
+                    case "notify":
+                        void this.handleNotify(msg);
+                        break;
+                    case "ping":
+                        this.pong(msg.transmissionID);
+                        break;
+                    case "pong":
+                        this.setAlive(true);
+                        break;
+                    case "success":
+                        break;
+                    case "unauthorized":
+                        throw new Error("Received unauthorized message from server.");
+                    case "authorized":
+                        this.log.info("Authenticated with userID " +
+                            (this.user?.userID ?? "unknown"));
+                        this.emitter.emit("connected");
+                        void this.postAuth();
+                        break;
+                    default:
+                        this.log.info("Unsupported message " + msg.type);
+                        break;
+                }
+            });
+        }
+        catch (err) {
+            throw new Error("Error initiating websocket connection " + String(err));
+        }
+    }
+    async kickUser(userID, serverID) {
+        const permissionList = await this.fetchPermissionList(serverID);
+        for (const permission of permissionList) {
+            if (userID === permission.userID) {
+                await this.deletePermission(permission.permissionID);
+                return;
+            }
+        }
+        throw new Error("Couldn't kick user.");
+    }
+    async leaveServer(serverID) {
+        const permissionList = await this.permissions.retrieve();
+        for (const permission of permissionList) {
+            if (permission.resourceID === serverID) {
+                await this.deletePermission(permission.permissionID);
+            }
+        }
+    }
+    async markSessionVerified(sessionID) {
+        return this.database.markSessionVerified(sessionID);
+    }
+    async negotiateOTK() {
+        const otkCount = await this.getOTKCount();
+        this.log.info("Server reported OTK: " + otkCount.toString());
+        const needs = xConstants.MIN_OTK_SUPPLY - otkCount;
+        if (needs === 0) {
+            this.log.info("Server otk supply full.");
+            return;
+        }
+        await this.submitOTK(needs);
+    }
+    newEphemeralKeys() {
+        if (!this.xKeyRing) {
+            throw new Error("Key ring not initialized.");
+        }
+        this.xKeyRing.ephemeralKeys = xBoxKeyPair();
+    }
+    ping() {
+        if (!this.isAlive) {
+            this.log.warn("Ping failed.");
+        }
+        this.setAlive(false);
+        void this.send({ transmissionID: uuid.v4(), type: "ping" });
+    }
+    pong(transmissionID) {
+        void this.send({ transmissionID, type: "pong" });
+    }
+    async populateKeyRing() {
+        // we've checked in the constructor that these exist
+        if (!this.idKeys) {
+            throw new Error("Identity keys are missing.");
+        }
+        const identityKeys = this.idKeys;
+        const existingPreKeys = await this.database.getPreKeys();
+        const preKeys = existingPreKeys ??
+            (await (async () => {
+                this.log.warn("No prekeys found in database, creating a new one.");
+                const unsaved = this.createPreKey();
+                const [saved] = await this.database.savePreKeys([unsaved], false);
+                if (!saved || saved.index == null)
+                    throw new Error("Failed to save prekey — no index returned.");
+                return { ...unsaved, index: saved.index };
+            })());
+        const sessions = await this.database.getAllSessions();
+        for (const session of sessions) {
+            this.sessionRecords[session.publicKey] =
+                sqlSessionToCrypto(session);
+        }
+        const ephemeralKeys = xBoxKeyPair();
+        this.xKeyRing = {
+            ephemeralKeys,
+            identityKeys,
+            preKeys,
+        };
+        this.log.info("Keyring populated:\n" +
+            JSON.stringify({
+                ephemeralKey: XUtils.encodeHex(ephemeralKeys.publicKey),
+                preKey: XUtils.encodeHex(preKeys.keyPair.publicKey),
+                signKey: XUtils.encodeHex(this.signKeys.publicKey),
+            }, null, 4));
+    }
+    async postAuth() {
+        let count = 0;
+        for (;;) {
+            try {
+                await this.getMail();
+                count++;
+                this.fetchingMail = false;
+                if (count > 10) {
+                    void this.negotiateOTK();
+                    count = 0;
+                }
+            }
+            catch (err) {
+                this.log.warn("Problem fetching mail" + String(err));
+            }
+            await sleep(1000 * 60);
+        }
+    }
+    async purgeHistory() {
+        await this.database.purgeHistory();
+    }
+    async readMail(header, mail, timestamp) {
+        this.sendReceipt(new Uint8Array(mail.nonce));
+        let timeout = 1;
+        while (this.reading) {
+            await sleep(timeout);
+            timeout *= 2;
+        }
+        this.reading = true;
         try {
             const healSession = async () => {
                 this.log.info("Requesting retry of " + mail.mailID);
                 const deviceEntry = await this.getDeviceByID(mail.sender);
-                const [user, err] = await this.retrieveUserDBEntry(mail.authorID);
+                const [user, _err] = await this.fetchUser(mail.authorID);
                 if (deviceEntry && user) {
-                    this.createSession(deviceEntry, user, XUtils.decodeUTF8(`��RETRY_REQUEST:${mail.mailID}��`), mail.group, uuid.v4(), false);
+                    void this.createSession(deviceEntry, user, XUtils.decodeUTF8(`��RETRY_REQUEST:${mail.mailID}��`), mail.group, uuid.v4(), false);
                 }
             };
             this.log.info("Received mail from " + mail.sender);
             switch (mail.mailType) {
-                case MailType.subsequent:
-                    const [publicKey] = Client.deserializeExtra(mail.mailType, mail.extra);
-                    let session = await this.getSessionByPubkey(publicKey);
-                    let retries = 0;
-                    while (!session) {
-                        if (retries > 3) {
-                            break;
-                        }
-                        session = await this.getSessionByPubkey(publicKey);
-                        retries++;
-                        return;
-                    }
-                    if (!session) {
-                        this.log.warn("Couldn't find session public key " +
-                            XUtils.encodeHex(publicKey));
-                        healSession();
-                        return;
-                    }
-                    this.log.info("Session found for " + mail.sender);
-                    this.log.info("Mail nonce " + XUtils.encodeHex(mail.nonce));
-                    const HMAC = xHMAC(mail, session.SK);
-                    this.log.info("Mail hash: " + objectHash(mail));
-                    this.log.info("Calculated hmac: " + XUtils.encodeHex(HMAC));
-                    if (!XUtils.bytesEqual(HMAC, header)) {
-                        this.log.warn("Message authentication failed (HMAC does not match).");
-                        healSession();
-                        return;
-                    }
-                    const decrypted = nacl.secretbox.open(mail.cipher, mail.nonce, session.SK);
-                    if (decrypted) {
-                        this.log.info("Decryption successful.");
-                        let plaintext = "";
-                        if (!mail.forward) {
-                            plaintext = XUtils.encodeUTF8(decrypted);
-                        }
-                        // emit the message
-                        const message = mail.forward
-                            ? {
-                                ...msgpack.decode(decrypted),
-                                forward: true,
-                            }
-                            : {
-                                nonce: XUtils.encodeHex(mail.nonce),
-                                mailID: mail.mailID,
-                                sender: mail.sender,
-                                recipient: mail.recipient,
-                                message: XUtils.encodeUTF8(decrypted),
-                                direction: "incoming",
-                                timestamp: new Date(timestamp),
-                                decrypted: true,
-                                group: mail.group
-                                    ? uuid.stringify(mail.group)
-                                    : null,
-                                forward: mail.forward,
-                                authorID: mail.authorID,
-                                readerID: mail.readerID,
-                            };
-                        this.emit("message", message);
-                        this.database.markSessionUsed(session.sessionID);
-                    }
-                    else {
-                        this.log.info("Decryption failed.");
-                        healSession();
-                        // emit the message
-                        const message = {
-                            nonce: XUtils.encodeHex(mail.nonce),
-                            mailID: mail.mailID,
-                            sender: mail.sender,
-                            recipient: mail.recipient,
-                            message: "",
-                            direction: "incoming",
-                            timestamp: new Date(timestamp),
-                            decrypted: false,
-                            group: mail.group
-                                ? uuid.stringify(mail.group)
-                                : null,
-                            forward: mail.forward,
-                            authorID: mail.authorID,
-                            readerID: mail.readerID,
-                        };
-                        this.emit("message", message);
-                    }
-                    break;
                 case MailType.initial:
                     this.log.info("Initiating new session.");
-                    const [signKey, ephKey, assocData, indexBytes] = Client.deserializeExtra(MailType.initial, mail.extra);
+                    const extraParts = Client.deserializeExtra(MailType.initial, new Uint8Array(mail.extra));
+                    const signKey = extraParts[0];
+                    const ephKey = extraParts[1];
+                    const indexBytes = extraParts[3];
+                    if (!signKey || !ephKey || !indexBytes) {
+                        throw new Error("Malformed initial mail extra: missing signKey, ephKey, or indexBytes");
+                    }
                     const preKeyIndex = XUtils.uint8ArrToNumber(indexBytes);
-                    this.log.info(this.toString() + " otk #" + preKeyIndex + " indicated");
+                    this.log.info(this.toString() +
+                        " otk #" +
+                        String(preKeyIndex) +
+                        " indicated");
                     const otk = preKeyIndex === 0
                         ? null
                         : await this.database.getOneTimeKey(preKeyIndex);
                     if (otk) {
                         this.log.info("otk #" +
-                            JSON.stringify(otk?.index) +
+                            JSON.stringify(otk.index) +
                             " retrieved from database.");
                     }
                     this.log.info("signKey: " + XUtils.encodeHex(signKey));
@@ -1668,8 +1492,16 @@ export class Client extends EventEmitter {
                         return;
                     }
                     // their public keys
-                    const IK_A = XKeyConvert.convertPublicKey(signKey);
+                    const IK_A_raw = XKeyConvert.convertPublicKey(signKey);
+                    if (!IK_A_raw) {
+                        this.log.warn("Could not convert sign key to X25519.");
+                        return;
+                    }
+                    const IK_A = IK_A_raw;
                     const EK_A = ephKey;
+                    if (!this.xKeyRing) {
+                        throw new Error("Key ring not initialized.");
+                    }
                     // my private keys
                     const IK_B = this.xKeyRing.identityKeys.secretKey;
                     const IK_BP = this.xKeyRing.identityKeys.publicKey;
@@ -1691,14 +1523,14 @@ export class Client extends EventEmitter {
                         ", " +
                         XUtils.encodeHex(SK));
                     // shared public key
-                    const PK = nacl.box.keyPair.fromSecretKey(SK).publicKey;
+                    const PK = xBoxKeyPairFromSecret(SK).publicKey;
                     this.log.info(this.toString() +
                         "Obtained PK for " +
                         mail.sender +
                         " " +
                         XUtils.encodeHex(PK));
                     const hmac = xHMAC(mail, SK);
-                    this.log.info("Mail hash: " + objectHash(mail));
+                    this.log.info("Mail hash: " + JSON.stringify(mail));
                     this.log.info("Calculated hmac: " + XUtils.encodeHex(hmac));
                     // associated data
                     const AD = xConcat(xEncode(xConstants.CURVE, IK_A), xEncode(xConstants.CURVE, IK_BP));
@@ -1708,7 +1540,7 @@ export class Client extends EventEmitter {
                         return;
                     }
                     this.log.info("Mail authenticated successfully.");
-                    const unsealed = nacl.secretbox.open(mail.cipher, mail.nonce, SK);
+                    const unsealed = xSecretboxOpen(new Uint8Array(mail.cipher), new Uint8Array(mail.nonce), SK);
                     if (unsealed) {
                         this.log.info("Decryption successful.");
                         let plaintext = "";
@@ -1716,32 +1548,35 @@ export class Client extends EventEmitter {
                             plaintext = XUtils.encodeUTF8(unsealed);
                         }
                         // emit the message
-                        const message = mail.forward
-                            ? { ...msgpack.decode(unsealed), forward: true }
+                        const fwdMsg1 = mail.forward
+                            ? messageSchema.parse(msgpack.decode(unsealed))
+                            : null;
+                        const message = fwdMsg1
+                            ? { ...fwdMsg1, forward: true }
                             : {
-                                nonce: XUtils.encodeHex(mail.nonce),
-                                mailID: mail.mailID,
-                                sender: mail.sender,
-                                recipient: mail.recipient,
-                                message: plaintext,
-                                direction: "incoming",
-                                timestamp: new Date(timestamp),
+                                authorID: mail.authorID,
                                 decrypted: true,
+                                direction: "incoming",
+                                forward: mail.forward,
                                 group: mail.group
                                     ? uuid.stringify(mail.group)
                                     : null,
-                                forward: mail.forward,
-                                authorID: mail.authorID,
+                                mailID: mail.mailID,
+                                message: plaintext,
+                                nonce: XUtils.encodeHex(new Uint8Array(mail.nonce)),
                                 readerID: mail.readerID,
+                                recipient: mail.recipient,
+                                sender: mail.sender,
+                                timestamp: timestamp,
                             };
-                        this.emit("message", message);
+                        this.emitter.emit("message", message);
                         // discard onetimekey
                         await this.database.deleteOneTimeKey(preKeyIndex);
                         const deviceEntry = await this.getDeviceByID(mail.sender);
                         if (!deviceEntry) {
                             throw new Error("Couldn't get device entry.");
                         }
-                        const [userEntry, userErr] = await this.retrieveUserDBEntry(deviceEntry.owner);
+                        const [userEntry, _userErr] = await this.fetchUser(deviceEntry.owner);
                         if (!userEntry) {
                             throw new Error("Couldn't get user entry.");
                         }
@@ -1749,38 +1584,115 @@ export class Client extends EventEmitter {
                         this.deviceRecords[deviceEntry.deviceID] = deviceEntry;
                         // save session
                         const newSession = {
-                            verified: false,
-                            sessionID: uuid.v4(),
-                            userID: userEntry.userID,
+                            deviceID: mail.sender,
+                            fingerprint: XUtils.encodeHex(AD),
+                            lastUsed: new Date().toISOString(),
                             mode: "receiver",
-                            SK: XUtils.encodeHex(SK),
                             publicKey: XUtils.encodeHex(PK),
-                            lastUsed: new Date(Date.now()),
-                            fingerprint: XUtils.encodeHex(AD),
-                            deviceID: mail.sender,
+                            sessionID: uuid.v4(),
+                            SK: XUtils.encodeHex(SK),
+                            userID: userEntry.userID,
+                            verified: false,
                         };
                         await this.database.saveSession(newSession);
-                        let [user, err] = await this.retrieveUserDBEntry(newSession.userID);
+                        const [user] = await this.fetchUser(newSession.userID);
                         if (user) {
-                            this.emit("session", newSession, user);
+                            this.emitter.emit("session", newSession, user);
                         }
                         else {
-                            let failed = 1;
-                            // retry a couple times
-                            while (!user) {
-                                [user, err] = await this.retrieveUserDBEntry(newSession.userID);
-                                failed++;
-                                if (failed > 3) {
-                                    this.log.warn("Couldn't retrieve user entry.");
-                                    break;
-                                }
-                            }
+                            this.log.warn("Couldn't retrieve user " + newSession.userID);
                         }
                     }
                     else {
                         this.log.warn("Mail decryption failed.");
                     }
                     break;
+                case MailType.subsequent:
+                    const publicKey = Client.deserializeExtra(mail.mailType, new Uint8Array(mail.extra))[0];
+                    if (!publicKey) {
+                        throw new Error("Malformed subsequent mail extra: missing publicKey");
+                    }
+                    let session = await this.getSessionByPubkey(publicKey);
+                    let retries = 0;
+                    while (!session) {
+                        if (retries > 3) {
+                            break;
+                        }
+                        session = await this.getSessionByPubkey(publicKey);
+                        retries++;
+                        return;
+                    }
+                    if (!session) {
+                        this.log.warn("Couldn't find session public key " +
+                            XUtils.encodeHex(publicKey));
+                        void healSession();
+                        return;
+                    }
+                    this.log.info("Session found for " + mail.sender);
+                    this.log.info("Mail nonce " +
+                        XUtils.encodeHex(new Uint8Array(mail.nonce)));
+                    const HMAC = xHMAC(mail, session.SK);
+                    this.log.info("Mail hash: " + JSON.stringify(mail));
+                    this.log.info("Calculated hmac: " + XUtils.encodeHex(HMAC));
+                    if (!XUtils.bytesEqual(HMAC, header)) {
+                        this.log.warn("Message authentication failed (HMAC does not match).");
+                        void healSession();
+                        return;
+                    }
+                    const decrypted = xSecretboxOpen(new Uint8Array(mail.cipher), new Uint8Array(mail.nonce), session.SK);
+                    if (decrypted) {
+                        this.log.info("Decryption successful.");
+                        // emit the message
+                        const fwdMsg2 = mail.forward
+                            ? messageSchema.parse(msgpack.decode(decrypted))
+                            : null;
+                        const message = fwdMsg2
+                            ? {
+                                ...fwdMsg2,
+                                forward: true,
+                            }
+                            : {
+                                authorID: mail.authorID,
+                                decrypted: true,
+                                direction: "incoming",
+                                forward: mail.forward,
+                                group: mail.group
+                                    ? uuid.stringify(mail.group)
+                                    : null,
+                                mailID: mail.mailID,
+                                message: XUtils.encodeUTF8(decrypted),
+                                nonce: XUtils.encodeHex(new Uint8Array(mail.nonce)),
+                                readerID: mail.readerID,
+                                recipient: mail.recipient,
+                                sender: mail.sender,
+                                timestamp: timestamp,
+                            };
+                        this.emitter.emit("message", message);
+                        void this.database.markSessionUsed(session.sessionID);
+                    }
+                    else {
+                        this.log.info("Decryption failed.");
+                        void healSession();
+                        // emit the message
+                        const message = {
+                            authorID: mail.authorID,
+                            decrypted: false,
+                            direction: "incoming",
+                            forward: mail.forward,
+                            group: mail.group
+                                ? uuid.stringify(mail.group)
+                                : null,
+                            mailID: mail.mailID,
+                            message: "",
+                            nonce: XUtils.encodeHex(new Uint8Array(mail.nonce)),
+                            readerID: mail.readerID,
+                            recipient: mail.recipient,
+                            sender: mail.sender,
+                            timestamp: timestamp,
+                        };
+                        this.emitter.emit("message", message);
+                    }
+                    break;
                 default:
                     this.log.warn("Unsupported MailType:", mail.mailType);
                     break;
@@ -1790,213 +1702,320 @@ export class Client extends EventEmitter {
             this.reading = false;
         }
     }
-    newEphemeralKeys() {
-        this.xKeyRing.ephemeralKeys = nacl.box.keyPair();
-    }
-    createPreKey() {
-        const preKeyPair = nacl.box.keyPair();
-        const preKeys = {
-            keyPair: preKeyPair,
-            signature: nacl.sign(xEncode(xConstants.CURVE, preKeyPair.publicKey), this.signKeys.secretKey),
-        };
-        return preKeys;
+    async redeemInvite(inviteID) {
+        const res = await this.http.patch(this.getHost() + "/invite/" + inviteID);
+        return decodeAxios(PermissionCodec, res.data);
     }
-    async handleNotify(msg) {
-        switch (msg.event) {
-            case "mail":
-                this.log.info("Server has informed us of new mail.");
-                await this.getMail();
-                this.fetchingMail = false;
-                break;
-            case "permission":
-                this.emit("permission", msg.data);
-                break;
-            case "retryRequest":
-                const messageID = msg.data;
-                break;
-            default:
-                this.log.info("Unsupported notification event " + msg.event);
-                break;
+    async registerDevice() {
+        while (!this.xKeyRing) {
+            await sleep(100);
         }
-    }
-    async populateKeyRing() {
-        // we've checked in the constructor that these exist
-        const identityKeys = this.idKeys;
-        let preKeys = await this.database.getPreKeys();
-        if (!preKeys) {
-            this.log.warn("No prekeys found in database, creating a new one.");
-            preKeys = this.createPreKey();
-            await this.database.savePreKeys([preKeys], false);
+        const token = await this.getToken("device");
+        const username = this.user?.username;
+        if (!username) {
+            throw new Error("No user set — log in first.");
         }
-        const sessions = await this.database.getAllSessions();
-        for (const session of sessions) {
-            this.sessionRecords[session.publicKey] =
-                sqlSessionToCrypto(session);
+        const [userDetails, err] = await this.fetchUser(username);
+        if (!userDetails) {
+            throw new Error("Username not found " + username);
         }
-        const ephemeralKeys = nacl.box.keyPair();
-        this.xKeyRing = {
-            identityKeys,
-            preKeys,
-            ephemeralKeys,
-        };
-        this.log.info("Keyring populated:\n" +
-            JSON.stringify({
-                signKey: XUtils.encodeHex(this.signKeys.publicKey),
-                preKey: XUtils.encodeHex(preKeys.keyPair.publicKey),
-                ephemeralKey: XUtils.encodeHex(ephemeralKeys.publicKey),
-            }, null, 4));
-    }
-    initSocket() {
-        try {
-            if (!this.token) {
-                throw new Error("No token found, did you call login()?");
-            }
-            const wsUrl = this.prefixes.WS + this.host + "/socket";
-            // Pass cookie as option — Node ws forwards it as an upgrade header.
-            // Browser/RN WebSocket ignores the options object entirely,
-            // so the cookie never reaches the server on those platforms.
-            this.conn = new this.adapters.WebSocket(wsUrl, {
-                headers: { Cookie: "auth=" + this.token },
-            });
-            this.conn.on("open", () => {
-                this.log.info("Connection opened.");
-                this.pingInterval = setInterval(this.ping.bind(this), 15000);
-            });
-            this.conn.on("close", () => {
-                this.log.info("Connection closed.");
-                if (this.pingInterval) {
-                    clearInterval(this.pingInterval);
-                    this.pingInterval = null;
-                }
-                if (!this.manuallyClosing) {
-                    this.emit("disconnect");
-                }
-            });
-            this.conn.on("error", (error) => {
-                throw error;
-            });
-            this.conn.on("message", async (message) => {
-                const [header, msg] = XUtils.unpackMessage(message);
-                this.log.debug(pc.red(pc.bold("INH ") + XUtils.encodeHex(header)));
-                this.log.debug(pc.red(pc.bold("IN ") + JSON.stringify(msg, null, 4)));
-                switch (msg.type) {
-                    case "ping":
-                        this.pong(msg.transmissionID);
-                        break;
-                    case "pong":
-                        this.setAlive(true);
-                        break;
-                    case "challenge":
-                        this.log.info("Received challenge from server.");
-                        this.respond(msg);
-                        break;
-                    case "unauthorized":
-                        throw new Error("Received unauthorized message from server.");
-                    case "authorized":
-                        this.log.info("Authenticated with userID " + this.user.userID);
-                        this.emit("connected");
-                        this.postAuth();
-                        break;
-                    case "success":
-                        break;
-                    case "error":
-                        this.log.warn(JSON.stringify(msg));
-                        break;
-                    case "notify":
-                        this.handleNotify(msg);
-                        break;
-                    default:
-                        this.log.info("Unsupported message " + msg.type);
-                        break;
-                }
-            });
+        if (err) {
+            throw err;
         }
-        catch (err) {
-            throw new Error("Error initiating websocket connection " + err.toString());
+        if (!token) {
+            throw new Error("Couldn't fetch token.");
         }
+        const signKey = this.getKeys().public;
+        const signed = XUtils.encodeHex(xSign(Uint8Array.from(uuid.parse(token.key)), this.signKeys.secretKey));
+        const devPreKeyIndex = this.xKeyRing.preKeys.index;
+        const devMsg = {
+            deviceName: this.options?.deviceName ?? "unknown",
+            preKey: XUtils.encodeHex(this.xKeyRing.preKeys.keyPair.publicKey),
+            preKeyIndex: devPreKeyIndex,
+            preKeySignature: XUtils.encodeHex(this.xKeyRing.preKeys.signature),
+            signed,
+            signKey,
+            username: userDetails.username,
+        };
+        const res = await this.http.post(this.prefixes.HTTP +
+            this.host +
+            "/user/" +
+            userDetails.userID +
+            "/devices", msgpack.encode(devMsg), { headers: { "Content-Type": "application/msgpack" } });
+        return decodeAxios(DeviceCodec, res.data);
     }
-    setAlive(status) {
-        this.isAlive = status;
+    respond(msg) {
+        const response = {
+            signed: xSign(new Uint8Array(msg.challenge), this.signKeys.secretKey),
+            transmissionID: msg.transmissionID,
+            type: "response",
+        };
+        void this.send(response);
     }
-    async postAuth() {
-        let count = 0;
-        while (true) {
-            try {
-                await this.getMail();
-                count++;
-                this.fetchingMail = false;
-                if (count > 10) {
-                    this.negotiateOTK();
-                    count = 0;
-                }
-            }
-            catch (err) {
-                this.log.warn("Problem fetching mail" + err.toString());
-            }
-            await sleep(1000 * 60);
+    async retrieveEmojiByID(emojiID) {
+        const res = await this.http.get(this.getHost() + "/emoji/" + emojiID + "/details");
+        if (!res.data) {
+            return null;
         }
+        return decodeAxios(EmojiCodec, res.data);
     }
-    async getMail() {
-        while (this.fetchingMail) {
-            await sleep(500);
-        }
-        this.fetchingMail = true;
-        let firstFetch = false;
-        if (this.firstMailFetch) {
-            firstFetch = true;
-            this.firstMailFetch = false;
-        }
-        if (firstFetch) {
-            this.emit("decryptingMail");
+    async retrieveEmojiList(serverID) {
+        const res = await this.http.get(this.getHost() + "/server/" + serverID + "/emoji");
+        return decodeAxios(EmojiArrayCodec, res.data);
+    }
+    async retrieveFile(fileID, key) {
+        const detailsRes = await this.http.get(this.getHost() + "/file/" + fileID + "/details");
+        const details = decodeAxios(FileSQLCodec, detailsRes.data);
+        const res = await this.http.get(this.getHost() + "/file/" + fileID, {
+            onDownloadProgress: (progressEvent) => {
+                const percentCompleted = Math.round((progressEvent.loaded * 100) /
+                    (progressEvent.total ?? 1));
+                const { loaded, total = 0 } = progressEvent;
+                const progress = {
+                    direction: "download",
+                    loaded,
+                    progress: percentCompleted,
+                    token: fileID,
+                    total,
+                };
+                this.emitter.emit("fileProgress", progress);
+            },
+        });
+        const fileData = res.data;
+        const decrypted = xSecretboxOpen(new Uint8Array(fileData), XUtils.decodeHex(details.nonce), XUtils.decodeHex(key));
+        if (decrypted) {
+            return {
+                data: new Uint8Array(decrypted),
+                details,
+            };
         }
-        this.log.info("fetching mail for device " + this.getDevice().deviceID);
+        throw new Error("Decryption failed.");
+    }
+    async retrieveInvites(serverID) {
+        const res = await this.http.get(this.getHost() + "/server/" + serverID + "/invites");
+        return decodeAxios(InviteArrayCodec, res.data);
+    }
+    async retrieveKeyBundle(deviceID) {
+        const res = await this.http.post(this.getHost() + "/device/" + deviceID + "/keyBundle");
+        return decodeAxios(KeyBundleCodec, res.data);
+    }
+    async retrieveOrCreateDevice() {
+        let device;
         try {
-            const res = await ax.post(this.getHost() +
+            const res = await this.http.get(this.prefixes.HTTP +
+                this.host +
                 "/device/" +
-                this.getDevice().deviceID +
-                "/mail");
-            const inbox = msgpack
-                .decode(new Uint8Array(res.data))
-                .sort((a, b) => b[2].getTime() - a[2].getTime());
-            for (const mailDetails of inbox) {
-                const [mailHeader, mailBody, timestamp] = mailDetails;
-                try {
-                    await this.readMail(mailHeader, mailBody, timestamp.toString());
+                XUtils.encodeHex(this.signKeys.publicKey));
+            device = decodeAxios(DeviceCodec, res.data);
+        }
+        catch (err) {
+            this.log.error(err instanceof Error ? err.message : String(err));
+            if (isAxiosError(err) && err.response?.status === 404) {
+                // just in case
+                await this.database.purgeKeyData();
+                await this.populateKeyRing();
+                this.log.info("Attempting to register device.");
+                const newDevice = await this.registerDevice();
+                if (newDevice) {
+                    device = newDevice;
                 }
-                catch (err) {
-                    console.warn(err.toString());
+                else {
+                    throw new Error("Error registering device.");
                 }
             }
+            else {
+                throw err;
+            }
         }
-        catch (err) {
-            console.warn(err.toString());
-        }
-        this.fetchingMail = false;
+        this.log.info("Got device " + JSON.stringify(device, null, 4));
+        return device;
     }
     /* header is 32 bytes and is either empty
     or contains an HMAC of the message with
     a derived SK */
     async send(msg, header) {
         let i = 0;
-        while (this.conn.readyState !== 1) {
+        while (this.socket.readyState !== 1) {
             await sleep(i);
             i *= 2;
         }
-        this.log.debug(pc.red(pc.bold("OUTH ") +
-            XUtils.encodeHex(header || XUtils.emptyHeader())));
-        this.log.debug(pc.red(pc.bold("OUT ") + JSON.stringify(msg, null, 4)));
-        this.conn.send(XUtils.packMessage(msg, header));
+        this.log.debug("OUTH " + XUtils.encodeHex(header || XUtils.emptyHeader()));
+        this.log.debug("OUT " + JSON.stringify(msg, null, 4));
+        this.socket.send(XUtils.packMessage(msg, header));
     }
-    async retrieveKeyBundle(deviceID) {
-        const res = await ax.post(this.getHost() + "/device/" + deviceID + "/keyBundle");
-        return msgpack.decode(new Uint8Array(res.data));
+    async sendGroupMessage(channelID, message) {
+        const userList = await this.getUserList(channelID);
+        for (const user of userList) {
+            this.userRecords[user.userID] = user;
+        }
+        this.log.info("Sending to userlist:\n" + JSON.stringify(userList, null, 4));
+        const mailID = uuid.v4();
+        const promises = [];
+        const userIDs = [...new Set(userList.map((user) => user.userID))];
+        const devices = await this.getMultiUserDeviceList(userIDs);
+        this.log.info("Retrieved devicelist:\n" + JSON.stringify(devices, null, 4));
+        for (const device of devices) {
+            const ownerRecord = this.userRecords[device.owner];
+            if (!ownerRecord) {
+                this.log.warn("Skipping device " +
+                    device.deviceID +
+                    ": no user record for owner " +
+                    device.owner);
+                continue;
+            }
+            promises.push(this.sendMail(device, ownerRecord, XUtils.decodeUTF8(message), uuidToUint8(channelID), mailID, false));
+        }
+        void Promise.allSettled(promises).then((results) => {
+            for (const result of results) {
+                const { status } = result;
+                if (status === "rejected") {
+                    this.log.warn("Message failed.");
+                    this.log.warn(JSON.stringify(result));
+                }
+            }
+        });
     }
-    async getOTKCount() {
-        const res = await ax.get(this.getHost() +
-            "/device/" +
-            this.getDevice().deviceID +
-            "/otk/count");
-        return msgpack.decode(new Uint8Array(res.data)).count;
+    /* Sends encrypted mail to a user. */
+    async sendMail(device, user, msg, group, mailID, forward, retry = false) {
+        while (this.sending.has(device.deviceID)) {
+            this.log.warn("Sending in progress to device ID " +
+                device.deviceID +
+                ", waiting.");
+            await sleep(100);
+        }
+        this.log.info("Sending mail to user: \n" + JSON.stringify(user, null, 4));
+        this.log.info("Sending mail to device:\n " +
+            JSON.stringify(device.deviceID, null, 4));
+        this.sending.set(device.deviceID, device);
+        const session = await this.database.getSessionByDeviceID(device.deviceID);
+        if (!session || retry) {
+            this.log.info("Creating new session for " + device.deviceID);
+            await this.createSession(device, user, msg, group, mailID, forward);
+            return;
+        }
+        else {
+            this.log.info("Found existing session for " + device.deviceID);
+        }
+        const nonce = xMakeNonce();
+        const cipher = xSecretbox(msg, nonce, session.SK);
+        const extra = session.publicKey;
+        const mail = {
+            authorID: this.getUser().userID,
+            cipher,
+            extra,
+            forward,
+            group,
+            mailID: mailID || uuid.v4(),
+            mailType: MailType.subsequent,
+            nonce,
+            readerID: session.userID,
+            recipient: device.deviceID,
+            sender: this.getDevice().deviceID,
+        };
+        const msgb = {
+            action: "CREATE",
+            data: mail,
+            resourceType: "mail",
+            transmissionID: uuid.v4(),
+            type: "resource",
+        };
+        const hmac = xHMAC(mail, session.SK);
+        this.log.info("Mail hash: " + JSON.stringify(mail));
+        this.log.info("Calculated hmac: " + XUtils.encodeHex(hmac));
+        const fwdOut = forward
+            ? messageSchema.parse(msgpack.decode(msg))
+            : null;
+        const outMsg = fwdOut
+            ? { ...fwdOut, forward: true }
+            : {
+                authorID: mail.authorID,
+                decrypted: true,
+                direction: "outgoing",
+                forward: mail.forward,
+                group: mail.group ? uuid.stringify(mail.group) : null,
+                mailID: mail.mailID,
+                message: XUtils.encodeUTF8(msg),
+                nonce: XUtils.encodeHex(new Uint8Array(mail.nonce)),
+                readerID: mail.readerID,
+                recipient: mail.recipient,
+                sender: mail.sender,
+                timestamp: new Date().toISOString(),
+            };
+        this.emitter.emit("message", outMsg);
+        await new Promise((res, rej) => {
+            const callback = (packedMsg) => {
+                const [_header, receivedMsg] = XUtils.unpackMessage(packedMsg);
+                if (receivedMsg.transmissionID === msgb.transmissionID) {
+                    this.socket.off("message", callback);
+                    const parsed = WSMessageSchema.safeParse(receivedMsg);
+                    if (parsed.success && parsed.data.type === "success") {
+                        res(parsed.data.data);
+                    }
+                    else {
+                        rej(new Error("Mail delivery failed: " +
+                            JSON.stringify(receivedMsg)));
+                    }
+                }
+            };
+            this.socket.on("message", callback);
+            void this.send(msgb, hmac);
+        });
+        this.sending.delete(device.deviceID);
+    }
+    async sendMessage(userID, message) {
+        try {
+            const [userEntry, err] = await this.fetchUser(userID);
+            if (err) {
+                throw err;
+            }
+            if (!userEntry) {
+                throw new Error("Couldn't get user entry.");
+            }
+            let deviceList = await this.getUserDeviceList(userID);
+            if (!deviceList) {
+                let retries = 0;
+                while (!deviceList) {
+                    deviceList = await this.getUserDeviceList(userID);
+                    retries++;
+                    if (retries > 3) {
+                        throw new Error("Couldn't get device list.");
+                    }
+                }
+            }
+            const mailID = uuid.v4();
+            const promises = [];
+            for (const device of deviceList) {
+                promises.push(this.sendMail(device, userEntry, XUtils.decodeUTF8(message), null, mailID, false));
+            }
+            void Promise.allSettled(promises).then((results) => {
+                for (const result of results) {
+                    const { status } = result;
+                    if (status === "rejected") {
+                        this.log.warn("Message failed.");
+                        this.log.warn(JSON.stringify(result));
+                    }
+                }
+            });
+        }
+        catch (err) {
+            this.log.error("Message threw exception.");
+            this.log.error(err instanceof Error ? err.message : String(err));
+            throw err;
+        }
+    }
+    sendReceipt(nonce) {
+        const receipt = {
+            nonce,
+            transmissionID: uuid.v4(),
+            type: "receipt",
+        };
+        void this.send(receipt);
+    }
+    setAlive(status) {
+        this.isAlive = status;
+    }
+    setUser(user) {
+        this.user = user;
     }
     async submitOTK(amount) {
         const otks = [];
@@ -2005,50 +2024,89 @@ export class Client extends EventEmitter {
             otks[i] = this.createPreKey();
         }
         const t1 = performance.now();
-        this.log.info("Generated " + amount + " one time keys in " + (t1 - t0) + " ms.");
+        this.log.info("Generated " +
+            String(amount) +
+            " one time keys in " +
+            String(t1 - t0) +
+            " ms.");
         const savedKeys = await this.database.savePreKeys(otks, true);
-        await ax.post(this.getHost() + "/device/" + this.getDevice().deviceID + "/otk", msgpack.encode(savedKeys.map((key) => this.censorPreKey(key))), {
+        await this.http.post(this.getHost() + "/device/" + this.getDevice().deviceID + "/otk", msgpack.encode(savedKeys.map((key) => this.censorPreKey(key))), {
             headers: { "Content-Type": "application/msgpack" },
         });
     }
-    async negotiateOTK() {
-        const otkCount = await this.getOTKCount();
-        this.log.info("Server reported OTK: " + otkCount.toString());
-        const needs = xConstants.MIN_OTK_SUPPLY - otkCount;
-        if (needs === 0) {
-            this.log.info("Server otk supply full.");
+    async uploadAvatar(avatar) {
+        if (typeof FormData !== "undefined") {
+            const fpayload = new FormData();
+            fpayload.set("avatar", new Blob([new Uint8Array(avatar)]));
+            await this.http.post(this.prefixes.HTTP +
+                this.host +
+                "/avatar/" +
+                this.me.user().userID, fpayload, {
+                headers: { "Content-Type": "multipart/form-data" },
+                onUploadProgress: (progressEvent) => {
+                    const percentCompleted = Math.round((progressEvent.loaded * 100) /
+                        (progressEvent.total ?? 1));
+                    const { loaded, total = 0 } = progressEvent;
+                    const progress = {
+                        direction: "upload",
+                        loaded,
+                        progress: percentCompleted,
+                        token: this.getUser().userID,
+                        total,
+                    };
+                    this.emitter.emit("fileProgress", progress);
+                },
+            });
             return;
         }
-        await this.submitOTK(needs);
-    }
-    respond(msg) {
-        const response = {
-            transmissionID: msg.transmissionID,
-            type: "response",
-            signed: nacl.sign(msg.challenge, this.signKeys.secretKey),
+        const payload = {
+            file: XUtils.encodeBase64(avatar),
         };
-        this.send(response);
-    }
-    pong(transmissionID) {
-        this.send({ transmissionID, type: "pong" });
-    }
-    async ping() {
-        if (!this.isAlive) {
-            this.log.warn("Ping failed.");
-        }
-        this.setAlive(false);
-        this.send({ transmissionID: uuid.v4(), type: "ping" });
+        await this.http.post(this.prefixes.HTTP +
+            this.host +
+            "/avatar/" +
+            this.me.user().userID +
+            "/json", msgpack.encode(payload), { headers: { "Content-Type": "application/msgpack" } });
     }
-    censorPreKey(preKey) {
-        if (!preKey.index) {
-            throw new Error("Key index is required.");
+    async uploadEmoji(emoji, name, serverID) {
+        if (typeof FormData !== "undefined") {
+            const fpayload = new FormData();
+            fpayload.set("emoji", new Blob([new Uint8Array(emoji)]));
+            fpayload.set("name", name);
+            try {
+                const res = await this.http.post(this.getHost() + "/emoji/" + serverID, fpayload, {
+                    headers: { "Content-Type": "multipart/form-data" },
+                    onUploadProgress: (progressEvent) => {
+                        const percentCompleted = Math.round((progressEvent.loaded * 100) /
+                            (progressEvent.total ?? 1));
+                        const { loaded, total = 0 } = progressEvent;
+                        const progress = {
+                            direction: "upload",
+                            loaded,
+                            progress: percentCompleted,
+                            token: name,
+                            total,
+                        };
+                        this.emitter.emit("fileProgress", progress);
+                    },
+                });
+                return decodeAxios(EmojiCodec, res.data);
+            }
+            catch (_err) {
+                return null;
+            }
         }
-        return {
-            publicKey: XUtils.decodeHex(preKey.publicKey),
-            signature: XUtils.decodeHex(preKey.signature),
-            index: preKey.index,
-            deviceID: this.getDevice().deviceID,
+        const payload = {
+            file: XUtils.encodeBase64(emoji),
+            name,
         };
+        try {
+            const res = await this.http.post(this.getHost() + "/emoji/" + serverID + "/json", msgpack.encode(payload), { headers: { "Content-Type": "application/msgpack" } });
+            return decodeAxios(EmojiCodec, res.data);
+        }
+        catch (_err) {
+            return null;
+        }
     }
 }
 //# sourceMappingURL=Client.js.map