@worldcoin/idkit-core 4.0.16 → 4.1.0

package/dist/index.cjs

@@ -6,9 +6,9 @@ var utils = require('@noble/hashes/utils');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 var __defProp = Object.defineProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
+var __export = (target, all2) => {
+  for (var name in all2)
+    __defProp(target, name, { get: all2[name], enumerable: true });
 };
 
 // src/types/result.ts
@@ -536,8 +536,8 @@ var IDKitBuilder = class _IDKitBuilder {
    * Builds a v1 (legacy) native payload from a preset (synchronous, no bridge connection).
    *
    * Used by the native transport when the World App only supports verify v1.
-   * Only legacy presets produce valid v1 payloads (constraints always have
-   * `Deprecated` verification level and will fail).
+   * Only legacy presets produce valid v1 payloads (constraint-based requests
+   * default to `Device` level and may not carry the correct action).
    *
    * # Errors
    *
@@ -1396,7 +1396,7 @@ function __wbg_get_imports() {
           const a = state0.a;
           state0.a = 0;
           try {
-            return __wasm_bindgen_func_elem_1421(a, state0.b, arg02, arg12);
+            return __wasm_bindgen_func_elem_1423(a, state0.b, arg02, arg12);
           } finally {
             state0.a = a;
           }
@@ -1576,11 +1576,11 @@ function __wbg_get_imports() {
       return addHeapObject(ret);
     },
     __wbindgen_cast_0000000000000001: function(arg0, arg1) {
-      const ret = makeMutClosure(arg0, arg1, wasm.__wasm_bindgen_func_elem_643, __wasm_bindgen_func_elem_644);
+      const ret = makeMutClosure(arg0, arg1, wasm.__wasm_bindgen_func_elem_645, __wasm_bindgen_func_elem_646);
       return addHeapObject(ret);
     },
     __wbindgen_cast_0000000000000002: function(arg0, arg1) {
-      const ret = makeMutClosure(arg0, arg1, wasm.__wasm_bindgen_func_elem_973, __wasm_bindgen_func_elem_974);
+      const ret = makeMutClosure(arg0, arg1, wasm.__wasm_bindgen_func_elem_975, __wasm_bindgen_func_elem_976);
       return addHeapObject(ret);
     },
     __wbindgen_cast_0000000000000003: function(arg0) {
@@ -1616,13 +1616,13 @@ function __wbg_get_imports() {
     "./idkit_wasm_bg.js": import0
   };
 }
-function __wasm_bindgen_func_elem_644(arg0, arg1) {
-  wasm.__wasm_bindgen_func_elem_644(arg0, arg1);
+function __wasm_bindgen_func_elem_646(arg0, arg1) {
+  wasm.__wasm_bindgen_func_elem_646(arg0, arg1);
 }
-function __wasm_bindgen_func_elem_974(arg0, arg1, arg2) {
+function __wasm_bindgen_func_elem_976(arg0, arg1, arg2) {
   try {
     const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-    wasm.__wasm_bindgen_func_elem_974(retptr, arg0, arg1, addHeapObject(arg2));
+    wasm.__wasm_bindgen_func_elem_976(retptr, arg0, arg1, addHeapObject(arg2));
     var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
     var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
     if (r1) {
@@ -1632,8 +1632,8 @@ function __wasm_bindgen_func_elem_974(arg0, arg1, arg2) {
     wasm.__wbindgen_add_to_stack_pointer(16);
   }
 }
-function __wasm_bindgen_func_elem_1421(arg0, arg1, arg2, arg3) {
-  wasm.__wasm_bindgen_func_elem_1421(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
+function __wasm_bindgen_func_elem_1423(arg0, arg1, arg2, arg3) {
+  wasm.__wasm_bindgen_func_elem_1423(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
 }
 var __wbindgen_enum_RequestCache = ["default", "no-store", "reload", "no-cache", "force-cache", "only-if-cached"];
 var __wbindgen_enum_RequestCredentials = ["omit", "same-origin", "include"];
@@ -1962,6 +1962,16 @@ async function initIDKit() {
   return wasmInitPromise;
 }
 
+// src/lib/debug.ts
+var _debug = false;
+function isDebug() {
+  if (_debug) return true;
+  return typeof window !== "undefined" && Boolean(window.IDKIT_DEBUG);
+}
+function setDebug(enabled) {
+  _debug = enabled;
+}
+
 // src/transports/native.ts
 var MINIAPP_VERIFY_ACTION = "miniapp-verify-action";
 function isInWorldApp() {
@@ -1977,9 +1987,10 @@ var _requestCounter = 0;
 var _activeNativeRequest = null;
 function createNativeRequest(wasmPayload, config, signalHashes = {}, legacySignalHash, version = 2) {
   if (_activeNativeRequest?.isPending()) {
-    console.warn(
-      "IDKit native request already in flight. Reusing active request."
-    );
+    if (isDebug())
+      console.warn(
+        "[IDKit] Native: request already in flight, reusing active request"
+      );
     return _activeNativeRequest;
   }
   const request2 = new NativeIDKitRequest(
@@ -2006,6 +2017,11 @@ var NativeIDKitRequest = class {
       const handleIncomingPayload = (responsePayload) => {
         if (this.completionResult) return;
         if (responsePayload?.status === "error") {
+          if (isDebug())
+            console.warn(
+              "[IDKit] Native: received error response",
+              responsePayload.error_code
+            );
           this.complete({
             success: false,
             error: responsePayload.error_code ?? "generic_error" /* GenericError */
@@ -2039,7 +2055,9 @@ var NativeIDKitRequest = class {
           this.miniKitHandler = miniKitHandler;
           miniKit.subscribe(MINIAPP_VERIFY_ACTION, miniKitHandler);
         }
-      } catch {
+      } catch (err) {
+        if (isDebug())
+          console.warn("[IDKit] Native: MiniKit subscribe failed", err);
       }
       const sendPayload = {
         command: "verify",
@@ -2049,16 +2067,29 @@ var NativeIDKitRequest = class {
       try {
         const w = window;
         if (w.webkit?.messageHandlers?.minikit) {
+          if (isDebug())
+            console.debug(
+              `[IDKit] Native: sending verify command (version=${version}, platform=ios)`
+            );
           w.webkit.messageHandlers.minikit.postMessage(sendPayload);
         } else if (w.Android) {
+          if (isDebug())
+            console.debug(
+              `[IDKit] Native: sending verify command (version=${version}, platform=android)`
+            );
           w.Android.postMessage(JSON.stringify(sendPayload));
         } else {
+          if (isDebug())
+            console.warn(
+              "[IDKit] Native: no native bridge found (no webkit/Android)"
+            );
           this.complete({
             success: false,
             error: "generic_error" /* GenericError */
           });
         }
-      } catch {
+      } catch (err) {
+        if (isDebug()) console.warn("[IDKit] Native: postMessage failed", err);
         this.complete({
           success: false,
           error: "generic_error" /* GenericError */
@@ -2069,6 +2100,11 @@ var NativeIDKitRequest = class {
   // Single entry point for finishing the request. Idempotent — first caller wins.
   complete(result) {
     if (this.completionResult) return;
+    if (isDebug())
+      console.debug(
+        "[IDKit] Native: request completed",
+        result.success ? "success" : `error=${result.error}`
+      );
     this.completionResult = result;
     this.cleanup();
     this.resolveFn?.(result);
@@ -2088,7 +2124,9 @@ var NativeIDKitRequest = class {
       try {
         const miniKit = window.MiniKit;
         miniKit?.unsubscribe?.(MINIAPP_VERIFY_ACTION);
-      } catch {
+      } catch (err) {
+        if (isDebug())
+          console.warn("[IDKit] Native: MiniKit unsubscribe failed", err);
       }
       this.miniKitHandler = null;
     }
@@ -2139,14 +2177,15 @@ var NativeIDKitRequest = class {
 function nativeResultToIDKitResult(payload, config, signalHashes, legacySignalHash) {
   const p = payload;
   const rpNonce = config.rp_context?.nonce ?? "";
-  if ("responses" in p && Array.isArray(p.responses)) {
-    const items = p.responses;
-    if (p.session_id) {
+  if ("proof_response" in p && p.proof_response != null) {
+    const proof_response = p.proof_response;
+    const items = proof_response.responses ?? [];
+    if (proof_response.session_id) {
       return {
         protocol_version: "4.0",
-        nonce: p.nonce ?? rpNonce,
-        action_description: p.action_description,
-        session_id: p.session_id,
+        nonce: proof_response.nonce ?? rpNonce,
+        action_description: proof_response.action_description,
+        session_id: proof_response.session_id,
         responses: items.map((item) => ({
           identifier: item.identifier,
           signal_hash: signalHashes[item.identifier],
@@ -2160,9 +2199,9 @@ function nativeResultToIDKitResult(payload, config, signalHashes, legacySignalHa
     }
     return {
       protocol_version: "4.0",
-      nonce: p.nonce ?? rpNonce,
-      action: p.action ?? config.action ?? "",
-      action_description: p.action_description,
+      nonce: proof_response.nonce ?? rpNonce,
+      action: proof_response.action ?? config.action ?? "",
+      action_description: proof_response.action_description,
       responses: items.map((item) => ({
         identifier: item.identifier,
         signal_hash: signalHashes[item.identifier],
@@ -2208,6 +2247,7 @@ function nativeResultToIDKitResult(payload, config, signalHashes, legacySignalHa
 }
 
 // src/request.ts
+var SESSION_ID_PATTERN = /^session_[0-9a-fA-F]{128}$/;
 var IDKitRequestImpl = class {
   constructor(wasmRequest) {
     this.wasmRequest = wasmRequest;
@@ -2248,6 +2288,23 @@ var IDKitRequestImpl = class {
     }
   }
 };
+function CredentialRequest(credential_type, options) {
+  return {
+    type: credential_type,
+    signal: options?.signal,
+    genesis_issued_at_min: options?.genesis_issued_at_min,
+    expires_at_min: options?.expires_at_min
+  };
+}
+function any(...nodes) {
+  return { any: nodes };
+}
+function all(...nodes) {
+  return { all: nodes };
+}
+function enumerate(...nodes) {
+  return { enumerate: nodes };
+}
 function orbLegacy(opts = {}) {
   return { type: "OrbLegacy", signal: opts.signal };
 }
@@ -2340,7 +2397,7 @@ var IDKitBuilder2 = class {
         wasmResult.payload,
         this.config,
         wasmResult.signal_hashes ?? {},
-        wasmResult.legacy_signal_hash ?? void 0,
+        wasmResult.legacy_signal_hash,
         2
       );
     }
@@ -2366,6 +2423,11 @@ var IDKitBuilder2 = class {
    * ```
    */
   async preset(preset) {
+    if (this.config.type === "createSession" || this.config.type === "proveSession") {
+      throw new Error(
+        "Presets are not supported for session flows. Use .constraints() instead."
+      );
+    }
     await initIDKit();
     if (isInWorldApp()) {
       const verifyVersion = getWorldAppVerifyVersion();
@@ -2376,7 +2438,7 @@ var IDKitBuilder2 = class {
           wasmResult.payload,
           this.config,
           wasmResult.signal_hashes ?? {},
-          wasmResult.legacy_signal_hash ?? void 0,
+          wasmResult.legacy_signal_hash,
           2
         );
       }
@@ -2387,7 +2449,7 @@ var IDKitBuilder2 = class {
           wasmResult.payload,
           this.config,
           wasmResult.signal_hashes ?? {},
-          wasmResult.legacy_signal_hash ?? void 0,
+          wasmResult.legacy_signal_hash,
           1
         );
       } catch (err) {
@@ -2436,22 +2498,70 @@ function createRequest(config) {
     environment: config.environment
   });
 }
+function createSession2(config) {
+  if (!config.app_id) {
+    throw new Error("app_id is required");
+  }
+  if (!config.rp_context) {
+    throw new Error(
+      "rp_context is required. Generate it on your backend using signRequest()."
+    );
+  }
+  return new IDKitBuilder2({
+    type: "createSession",
+    app_id: config.app_id,
+    rp_context: config.rp_context,
+    action_description: config.action_description,
+    bridge_url: config.bridge_url,
+    return_to: config.return_to,
+    override_connect_base_url: config.override_connect_base_url,
+    environment: config.environment
+  });
+}
+function proveSession2(sessionId, config) {
+  if (!sessionId) {
+    throw new Error("session_id is required");
+  }
+  if (!SESSION_ID_PATTERN.test(sessionId)) {
+    throw new Error(
+      "session_id must be in the format session_<128 hex characters>"
+    );
+  }
+  if (!config.app_id) {
+    throw new Error("app_id is required");
+  }
+  if (!config.rp_context) {
+    throw new Error(
+      "rp_context is required. Generate it on your backend using signRequest()."
+    );
+  }
+  return new IDKitBuilder2({
+    type: "proveSession",
+    session_id: sessionId,
+    app_id: config.app_id,
+    rp_context: config.rp_context,
+    action_description: config.action_description,
+    bridge_url: config.bridge_url,
+    return_to: config.return_to,
+    override_connect_base_url: config.override_connect_base_url,
+    environment: config.environment
+  });
+}
 var IDKit = {
   /** Create a new verification request */
   request: createRequest,
-  // TODO: Re-enable when World ID 4.0 is live
-  // /** Create a new session (no action, no existing session_id) */
-  // createSession,
-  // /** Prove an existing session (no action, has session_id) */
-  // proveSession,
-  // /** Create a CredentialRequest for a credential type */
-  // CredentialRequest,
-  // /** Create an OR constraint - at least one child must be satisfied */
-  // any,
-  // /** Create an AND constraint - all children must be satisfied */
-  // all,
-  // /** Create an enumerate constraint - all satisfiable children should be selected */
-  // enumerate,
+  /** Create a new session (no action, no existing session_id) */
+  createSession: createSession2,
+  /** Prove an existing session (no action, has session_id) */
+  proveSession: proveSession2,
+  /** Create a CredentialRequest for a credential type */
+  CredentialRequest,
+  /** Create an OR constraint - at least one child must be satisfied */
+  any,
+  /** Create an AND constraint - all children must be satisfied */
+  all,
+  /** Create an enumerate constraint - all satisfiable children should be selected */
+  enumerate,
   /** Create an OrbLegacy preset for World ID 3.0 legacy support */
   orbLegacy,
   /** Create a SecureDocumentLegacy preset for World ID 3.0 legacy support */
@@ -2499,11 +2609,16 @@ Object.defineProperty(exports, "signRequest", {
   enumerable: true,
   get: function () { return idkitServer.signRequest; }
 });
+exports.CredentialRequest = CredentialRequest;
 exports.IDKit = IDKit;
 exports.IDKitErrorCodes = IDKitErrorCodes;
+exports.all = all;
+exports.any = any;
 exports.deviceLegacy = deviceLegacy;
 exports.documentLegacy = documentLegacy;
+exports.enumerate = enumerate;
 exports.hashSignal = hashSignal2;
+exports.isDebug = isDebug;
 exports.isInWorldApp = isInWorldApp;
 exports.isNode = isNode;
 exports.isReactNative = isReactNative;
@@ -2511,3 +2626,4 @@ exports.isWeb = isWeb;
 exports.orbLegacy = orbLegacy;
 exports.secureDocumentLegacy = secureDocumentLegacy;
 exports.selfieCheckLegacy = selfieCheckLegacy;
+exports.setDebug = setDebug;

package/dist/index.d.cts

@@ -173,8 +173,8 @@ interface IDKitResultSession {
     nonce: string;
     /** Action description (only if provided in input) */
     action_description?: string;
-    /** Session ID returned by the World App */
-    session_id: string;
+    /** Opaque session identifier returned by the World App in `session_<hex>` format */
+    session_id: `session_${string}`;
     /** Array of session credential responses */
     responses: ResponseItemSession[];
     /** The environment used for this request ("production" or "staging") */
@@ -297,10 +297,10 @@ declare enum IDKitErrorCodes {
  */
 declare function isInWorldApp(): boolean;
 interface BuilderConfig {
-    type: "request" | "session" | "proveSession";
+    type: "request" | "createSession" | "proveSession";
     app_id: string;
     action?: string;
-    session_id?: string;
+    session_id?: `session_${string}`;
     rp_context?: RpContext;
     action_description?: string;
     bridge_url?: string;
@@ -355,6 +355,74 @@ interface IDKitRequest {
     /** Poll continuously until completion or timeout */
     pollUntilCompletion(options?: WaitOptions): Promise<IDKitCompletionResult>;
 }
+/**
+ * Creates a CredentialRequest for a credential type
+ *
+ * @param credential_type - The type of credential to request (e.g., 'proof_of_human', 'face')
+ * @param options - Optional signal, genesis_issued_at_min, and expires_at_min
+ * @returns A CredentialRequest object
+ *
+ * @example
+ * ```typescript
+ * const orb = CredentialRequest('proof_of_human', { signal: 'user-123' })
+ * const face = CredentialRequest('face')
+ * // Require credential to be valid for at least one year
+ * const withExpiry = CredentialRequest('proof_of_human', { expires_at_min: Date.now() / 1000 + 60 * 60 * 60 * 24 * 365 })
+ * ```
+ */
+declare function CredentialRequest(credential_type: CredentialType, options?: {
+    signal?: string;
+    genesis_issued_at_min?: number;
+    expires_at_min?: number;
+}): CredentialRequestType;
+/**
+ * Creates an OR constraint - at least one child must be satisfied
+ *
+ * @param nodes - Constraint nodes (CredentialRequests or nested constraints)
+ * @returns An "any" constraint node
+ *
+ * @example
+ * ```typescript
+ * const constraint = any(CredentialRequest('proof_of_human'), CredentialRequest('face'))
+ * ```
+ */
+declare function any(...nodes: ConstraintNode[]): {
+    any: ConstraintNode[];
+};
+/**
+ * Creates an AND constraint - all children must be satisfied
+ *
+ * @param nodes - Constraint nodes (CredentialRequests or nested constraints)
+ * @returns An "all" constraint node
+ *
+ * @example
+ * ```typescript
+ * const constraint = all(CredentialRequest('proof_of_human'), any(CredentialRequest('passport'), CredentialRequest('mnc')))
+ * ```
+ */
+declare function all(...nodes: ConstraintNode[]): {
+    all: ConstraintNode[];
+};
+/**
+ * Creates an enumerate constraint - all satisfiable children should be selected
+ *
+ * `enumerate` is satisfied when at least one child is satisfied.
+ *
+ * @param nodes - Constraint nodes (CredentialRequests or nested constraints)
+ * @returns An "enumerate" constraint node
+ *
+ * @example
+ * ```typescript
+ * const constraint = enumerate(
+ *   CredentialRequest('passport'),
+ *   CredentialRequest('mnc'),
+ * )
+ * ```
+ */
+declare function enumerate(...nodes: ConstraintNode[]): {
+    enumerate: ConstraintNode[];
+};
+
 /**
  * Creates an OrbLegacy preset for World ID 3.0 legacy support
  *
@@ -522,6 +590,60 @@ declare class IDKitBuilder {
  * ```
  */
 declare function createRequest(config: IDKitRequestConfig): IDKitBuilder;
+/**
+ * Creates a new session builder (no action, no existing session_id)
+ *
+ * Use this when creating a new session for a user who doesn't have one yet.
+ * The response will include a `session_id` that should be saved for future
+ * session proofs with `proveSession()`.
+ *
+ * @param config - Session configuration (no action field)
+ * @returns IDKitBuilder - A builder instance
+ *
+ * @example
+ * ```typescript
+ * import { IDKit, CredentialRequest, any } from '@worldcoin/idkit-core'
+ *
+ * // Create a new session (user doesn't have session_id yet)
+ * const request = await IDKit.createSession({
+ *   app_id: 'app_staging_xxxxx',
+ *   rp_context: { ... },
+ * }).constraints(any(CredentialRequest('proof_of_human'), CredentialRequest('face')));
+ *
+ * // Display QR, wait for proof
+ * const result = await request.pollUntilCompletion();
+ * // result.session_id -> save this for future sessions
+ * // result.responses[0].session_nullifier -> for session tracking
+ * ```
+ */
+declare function createSession(config: IDKitSessionConfig): IDKitBuilder;
+/**
+ * Creates a builder for proving an existing session (no action, has session_id)
+ *
+ * Use this when a returning user needs to prove they own an existing session.
+ * The `sessionId` should be the opaque `session_<hex>` value previously returned
+ * from `createSession()`.
+ *
+ * @param sessionId - The protocol session ID from a previous session creation
+ * @param config - Session configuration (no action field)
+ * @returns IDKitBuilder - A builder instance
+ *
+ * @example
+ * ```typescript
+ * import { IDKit, CredentialRequest, any } from '@worldcoin/idkit-core'
+ *
+ * // Prove an existing session (user returns)
+ * const request = await IDKit.proveSession(savedSessionId, {
+ *   app_id: 'app_staging_xxxxx',
+ *   rp_context: { ... },
+ * }).constraints(any(CredentialRequest('proof_of_human'), CredentialRequest('face')));
+ *
+ * const result = await request.pollUntilCompletion();
+ * // result.session_id -> same session
+ * // result.responses[0].session_nullifier -> should match for same user
+ * ```
+ */
+declare function proveSession(sessionId: `session_${string}`, config: IDKitSessionConfig): IDKitBuilder;
 /**
  * IDKit namespace providing the main API entry points
  *
@@ -546,6 +668,18 @@ declare function createRequest(config: IDKitRequestConfig): IDKitBuilder;
 declare const IDKit: {
     /** Create a new verification request */
     request: typeof createRequest;
+    /** Create a new session (no action, no existing session_id) */
+    createSession: typeof createSession;
+    /** Prove an existing session (no action, has session_id) */
+    proveSession: typeof proveSession;
+    /** Create a CredentialRequest for a credential type */
+    CredentialRequest: typeof CredentialRequest;
+    /** Create an OR constraint - at least one child must be satisfied */
+    any: typeof any;
+    /** Create an AND constraint - all children must be satisfied */
+    all: typeof all;
+    /** Create an enumerate constraint - all satisfiable children should be selected */
+    enumerate: typeof enumerate;
     /** Create an OrbLegacy preset for World ID 3.0 legacy support */
     orbLegacy: typeof orbLegacy;
     /** Create a SecureDocumentLegacy preset for World ID 3.0 legacy support */
@@ -580,4 +714,7 @@ declare const isWeb: () => boolean;
  */
 declare const isNode: () => boolean;
 
-export { type AbiEncodedValue, type ConstraintNode, type CredentialRequestType, type CredentialType, type DeviceLegacyPreset, type DocumentLegacyPreset, IDKit, type IDKitCompletionResult, type IDKitErrorCode, IDKitErrorCodes, type IDKitRequest, type IDKitRequestConfig, type IDKitResult, type IDKitResultSession, type IDKitSessionConfig, type OrbLegacyPreset, type Preset, type ResponseItemSession, type ResponseItemV3, type ResponseItemV4, type RpContext, type SecureDocumentLegacyPreset, type SelfieCheckLegacyPreset, type Status$1 as Status, type WaitOptions, deviceLegacy, documentLegacy, isInWorldApp, isNode, isReactNative, isWeb, orbLegacy, secureDocumentLegacy, selfieCheckLegacy };
+declare function isDebug(): boolean;
+declare function setDebug(enabled: boolean): void;
+
+export { type AbiEncodedValue, type ConstraintNode, CredentialRequest, type CredentialRequestType, type CredentialType, type DeviceLegacyPreset, type DocumentLegacyPreset, IDKit, type IDKitCompletionResult, type IDKitErrorCode, IDKitErrorCodes, type IDKitRequest, type IDKitRequestConfig, type IDKitResult, type IDKitResultSession, type IDKitSessionConfig, type OrbLegacyPreset, type Preset, type ResponseItemSession, type ResponseItemV3, type ResponseItemV4, type RpContext, type SecureDocumentLegacyPreset, type SelfieCheckLegacyPreset, type Status$1 as Status, type WaitOptions, all, any, deviceLegacy, documentLegacy, enumerate, isDebug, isInWorldApp, isNode, isReactNative, isWeb, orbLegacy, secureDocumentLegacy, selfieCheckLegacy, setDebug };

package/dist/index.d.ts

@@ -173,8 +173,8 @@ interface IDKitResultSession {
     nonce: string;
     /** Action description (only if provided in input) */
     action_description?: string;
-    /** Session ID returned by the World App */
-    session_id: string;
+    /** Opaque session identifier returned by the World App in `session_<hex>` format */
+    session_id: `session_${string}`;
     /** Array of session credential responses */
     responses: ResponseItemSession[];
     /** The environment used for this request ("production" or "staging") */
@@ -297,10 +297,10 @@ declare enum IDKitErrorCodes {
  */
 declare function isInWorldApp(): boolean;
 interface BuilderConfig {
-    type: "request" | "session" | "proveSession";
+    type: "request" | "createSession" | "proveSession";
     app_id: string;
     action?: string;
-    session_id?: string;
+    session_id?: `session_${string}`;
     rp_context?: RpContext;
     action_description?: string;
     bridge_url?: string;
@@ -355,6 +355,74 @@ interface IDKitRequest {
     /** Poll continuously until completion or timeout */
     pollUntilCompletion(options?: WaitOptions): Promise<IDKitCompletionResult>;
 }
+/**
+ * Creates a CredentialRequest for a credential type
+ *
+ * @param credential_type - The type of credential to request (e.g., 'proof_of_human', 'face')
+ * @param options - Optional signal, genesis_issued_at_min, and expires_at_min
+ * @returns A CredentialRequest object
+ *
+ * @example
+ * ```typescript
+ * const orb = CredentialRequest('proof_of_human', { signal: 'user-123' })
+ * const face = CredentialRequest('face')
+ * // Require credential to be valid for at least one year
+ * const withExpiry = CredentialRequest('proof_of_human', { expires_at_min: Date.now() / 1000 + 60 * 60 * 60 * 24 * 365 })
+ * ```
+ */
+declare function CredentialRequest(credential_type: CredentialType, options?: {
+    signal?: string;
+    genesis_issued_at_min?: number;
+    expires_at_min?: number;
+}): CredentialRequestType;
+/**
+ * Creates an OR constraint - at least one child must be satisfied
+ *
+ * @param nodes - Constraint nodes (CredentialRequests or nested constraints)
+ * @returns An "any" constraint node
+ *
+ * @example
+ * ```typescript
+ * const constraint = any(CredentialRequest('proof_of_human'), CredentialRequest('face'))
+ * ```
+ */
+declare function any(...nodes: ConstraintNode[]): {
+    any: ConstraintNode[];
+};
+/**
+ * Creates an AND constraint - all children must be satisfied
+ *
+ * @param nodes - Constraint nodes (CredentialRequests or nested constraints)
+ * @returns An "all" constraint node
+ *
+ * @example
+ * ```typescript
+ * const constraint = all(CredentialRequest('proof_of_human'), any(CredentialRequest('passport'), CredentialRequest('mnc')))
+ * ```
+ */
+declare function all(...nodes: ConstraintNode[]): {
+    all: ConstraintNode[];
+};
+/**
+ * Creates an enumerate constraint - all satisfiable children should be selected
+ *
+ * `enumerate` is satisfied when at least one child is satisfied.
+ *
+ * @param nodes - Constraint nodes (CredentialRequests or nested constraints)
+ * @returns An "enumerate" constraint node
+ *
+ * @example
+ * ```typescript
+ * const constraint = enumerate(
+ *   CredentialRequest('passport'),
+ *   CredentialRequest('mnc'),
+ * )
+ * ```
+ */
+declare function enumerate(...nodes: ConstraintNode[]): {
+    enumerate: ConstraintNode[];
+};
+
 /**
  * Creates an OrbLegacy preset for World ID 3.0 legacy support
  *
@@ -522,6 +590,60 @@ declare class IDKitBuilder {
  * ```
  */
 declare function createRequest(config: IDKitRequestConfig): IDKitBuilder;
+/**
+ * Creates a new session builder (no action, no existing session_id)
+ *
+ * Use this when creating a new session for a user who doesn't have one yet.
+ * The response will include a `session_id` that should be saved for future
+ * session proofs with `proveSession()`.
+ *
+ * @param config - Session configuration (no action field)
+ * @returns IDKitBuilder - A builder instance
+ *
+ * @example
+ * ```typescript
+ * import { IDKit, CredentialRequest, any } from '@worldcoin/idkit-core'
+ *
+ * // Create a new session (user doesn't have session_id yet)
+ * const request = await IDKit.createSession({
+ *   app_id: 'app_staging_xxxxx',
+ *   rp_context: { ... },
+ * }).constraints(any(CredentialRequest('proof_of_human'), CredentialRequest('face')));
+ *
+ * // Display QR, wait for proof
+ * const result = await request.pollUntilCompletion();
+ * // result.session_id -> save this for future sessions
+ * // result.responses[0].session_nullifier -> for session tracking
+ * ```
+ */
+declare function createSession(config: IDKitSessionConfig): IDKitBuilder;
+/**
+ * Creates a builder for proving an existing session (no action, has session_id)
+ *
+ * Use this when a returning user needs to prove they own an existing session.
+ * The `sessionId` should be the opaque `session_<hex>` value previously returned
+ * from `createSession()`.
+ *
+ * @param sessionId - The protocol session ID from a previous session creation
+ * @param config - Session configuration (no action field)
+ * @returns IDKitBuilder - A builder instance
+ *
+ * @example
+ * ```typescript
+ * import { IDKit, CredentialRequest, any } from '@worldcoin/idkit-core'
+ *
+ * // Prove an existing session (user returns)
+ * const request = await IDKit.proveSession(savedSessionId, {
+ *   app_id: 'app_staging_xxxxx',
+ *   rp_context: { ... },
+ * }).constraints(any(CredentialRequest('proof_of_human'), CredentialRequest('face')));
+ *
+ * const result = await request.pollUntilCompletion();
+ * // result.session_id -> same session
+ * // result.responses[0].session_nullifier -> should match for same user
+ * ```
+ */
+declare function proveSession(sessionId: `session_${string}`, config: IDKitSessionConfig): IDKitBuilder;
 /**
  * IDKit namespace providing the main API entry points
  *
@@ -546,6 +668,18 @@ declare function createRequest(config: IDKitRequestConfig): IDKitBuilder;
 declare const IDKit: {
     /** Create a new verification request */
     request: typeof createRequest;
+    /** Create a new session (no action, no existing session_id) */
+    createSession: typeof createSession;
+    /** Prove an existing session (no action, has session_id) */
+    proveSession: typeof proveSession;
+    /** Create a CredentialRequest for a credential type */
+    CredentialRequest: typeof CredentialRequest;
+    /** Create an OR constraint - at least one child must be satisfied */
+    any: typeof any;
+    /** Create an AND constraint - all children must be satisfied */
+    all: typeof all;
+    /** Create an enumerate constraint - all satisfiable children should be selected */
+    enumerate: typeof enumerate;
     /** Create an OrbLegacy preset for World ID 3.0 legacy support */
     orbLegacy: typeof orbLegacy;
     /** Create a SecureDocumentLegacy preset for World ID 3.0 legacy support */
@@ -580,4 +714,7 @@ declare const isWeb: () => boolean;
  */
 declare const isNode: () => boolean;
 
-export { type AbiEncodedValue, type ConstraintNode, type CredentialRequestType, type CredentialType, type DeviceLegacyPreset, type DocumentLegacyPreset, IDKit, type IDKitCompletionResult, type IDKitErrorCode, IDKitErrorCodes, type IDKitRequest, type IDKitRequestConfig, type IDKitResult, type IDKitResultSession, type IDKitSessionConfig, type OrbLegacyPreset, type Preset, type ResponseItemSession, type ResponseItemV3, type ResponseItemV4, type RpContext, type SecureDocumentLegacyPreset, type SelfieCheckLegacyPreset, type Status$1 as Status, type WaitOptions, deviceLegacy, documentLegacy, isInWorldApp, isNode, isReactNative, isWeb, orbLegacy, secureDocumentLegacy, selfieCheckLegacy };
+declare function isDebug(): boolean;
+declare function setDebug(enabled: boolean): void;
+
+export { type AbiEncodedValue, type ConstraintNode, CredentialRequest, type CredentialRequestType, type CredentialType, type DeviceLegacyPreset, type DocumentLegacyPreset, IDKit, type IDKitCompletionResult, type IDKitErrorCode, IDKitErrorCodes, type IDKitRequest, type IDKitRequestConfig, type IDKitResult, type IDKitResultSession, type IDKitSessionConfig, type OrbLegacyPreset, type Preset, type ResponseItemSession, type ResponseItemV3, type ResponseItemV4, type RpContext, type SecureDocumentLegacyPreset, type SelfieCheckLegacyPreset, type Status$1 as Status, type WaitOptions, all, any, deviceLegacy, documentLegacy, enumerate, isDebug, isInWorldApp, isNode, isReactNative, isWeb, orbLegacy, secureDocumentLegacy, selfieCheckLegacy, setDebug };

package/dist/index.js

@@ -3,9 +3,9 @@ import { keccak_256 } from '@noble/hashes/sha3';
 import { hexToBytes, bytesToHex } from '@noble/hashes/utils';
 
 var __defProp = Object.defineProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
+var __export = (target, all2) => {
+  for (var name in all2)
+    __defProp(target, name, { get: all2[name], enumerable: true });
 };
 
 // src/types/result.ts
@@ -533,8 +533,8 @@ var IDKitBuilder = class _IDKitBuilder {
    * Builds a v1 (legacy) native payload from a preset (synchronous, no bridge connection).
    *
    * Used by the native transport when the World App only supports verify v1.
-   * Only legacy presets produce valid v1 payloads (constraints always have
-   * `Deprecated` verification level and will fail).
+   * Only legacy presets produce valid v1 payloads (constraint-based requests
+   * default to `Device` level and may not carry the correct action).
    *
    * # Errors
    *
@@ -1393,7 +1393,7 @@ function __wbg_get_imports() {
           const a = state0.a;
           state0.a = 0;
           try {
-            return __wasm_bindgen_func_elem_1421(a, state0.b, arg02, arg12);
+            return __wasm_bindgen_func_elem_1423(a, state0.b, arg02, arg12);
           } finally {
             state0.a = a;
           }
@@ -1573,11 +1573,11 @@ function __wbg_get_imports() {
       return addHeapObject(ret);
     },
     __wbindgen_cast_0000000000000001: function(arg0, arg1) {
-      const ret = makeMutClosure(arg0, arg1, wasm.__wasm_bindgen_func_elem_643, __wasm_bindgen_func_elem_644);
+      const ret = makeMutClosure(arg0, arg1, wasm.__wasm_bindgen_func_elem_645, __wasm_bindgen_func_elem_646);
       return addHeapObject(ret);
     },
     __wbindgen_cast_0000000000000002: function(arg0, arg1) {
-      const ret = makeMutClosure(arg0, arg1, wasm.__wasm_bindgen_func_elem_973, __wasm_bindgen_func_elem_974);
+      const ret = makeMutClosure(arg0, arg1, wasm.__wasm_bindgen_func_elem_975, __wasm_bindgen_func_elem_976);
       return addHeapObject(ret);
     },
     __wbindgen_cast_0000000000000003: function(arg0) {
@@ -1613,13 +1613,13 @@ function __wbg_get_imports() {
     "./idkit_wasm_bg.js": import0
   };
 }
-function __wasm_bindgen_func_elem_644(arg0, arg1) {
-  wasm.__wasm_bindgen_func_elem_644(arg0, arg1);
+function __wasm_bindgen_func_elem_646(arg0, arg1) {
+  wasm.__wasm_bindgen_func_elem_646(arg0, arg1);
 }
-function __wasm_bindgen_func_elem_974(arg0, arg1, arg2) {
+function __wasm_bindgen_func_elem_976(arg0, arg1, arg2) {
   try {
     const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-    wasm.__wasm_bindgen_func_elem_974(retptr, arg0, arg1, addHeapObject(arg2));
+    wasm.__wasm_bindgen_func_elem_976(retptr, arg0, arg1, addHeapObject(arg2));
     var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
     var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
     if (r1) {
@@ -1629,8 +1629,8 @@ function __wasm_bindgen_func_elem_974(arg0, arg1, arg2) {
     wasm.__wbindgen_add_to_stack_pointer(16);
   }
 }
-function __wasm_bindgen_func_elem_1421(arg0, arg1, arg2, arg3) {
-  wasm.__wasm_bindgen_func_elem_1421(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
+function __wasm_bindgen_func_elem_1423(arg0, arg1, arg2, arg3) {
+  wasm.__wasm_bindgen_func_elem_1423(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
 }
 var __wbindgen_enum_RequestCache = ["default", "no-store", "reload", "no-cache", "force-cache", "only-if-cached"];
 var __wbindgen_enum_RequestCredentials = ["omit", "same-origin", "include"];
@@ -1959,6 +1959,16 @@ async function initIDKit() {
   return wasmInitPromise;
 }
 
+// src/lib/debug.ts
+var _debug = false;
+function isDebug() {
+  if (_debug) return true;
+  return typeof window !== "undefined" && Boolean(window.IDKIT_DEBUG);
+}
+function setDebug(enabled) {
+  _debug = enabled;
+}
+
 // src/transports/native.ts
 var MINIAPP_VERIFY_ACTION = "miniapp-verify-action";
 function isInWorldApp() {
@@ -1974,9 +1984,10 @@ var _requestCounter = 0;
 var _activeNativeRequest = null;
 function createNativeRequest(wasmPayload, config, signalHashes = {}, legacySignalHash, version = 2) {
   if (_activeNativeRequest?.isPending()) {
-    console.warn(
-      "IDKit native request already in flight. Reusing active request."
-    );
+    if (isDebug())
+      console.warn(
+        "[IDKit] Native: request already in flight, reusing active request"
+      );
     return _activeNativeRequest;
   }
   const request2 = new NativeIDKitRequest(
@@ -2003,6 +2014,11 @@ var NativeIDKitRequest = class {
       const handleIncomingPayload = (responsePayload) => {
         if (this.completionResult) return;
         if (responsePayload?.status === "error") {
+          if (isDebug())
+            console.warn(
+              "[IDKit] Native: received error response",
+              responsePayload.error_code
+            );
           this.complete({
             success: false,
             error: responsePayload.error_code ?? "generic_error" /* GenericError */
@@ -2036,7 +2052,9 @@ var NativeIDKitRequest = class {
           this.miniKitHandler = miniKitHandler;
           miniKit.subscribe(MINIAPP_VERIFY_ACTION, miniKitHandler);
         }
-      } catch {
+      } catch (err) {
+        if (isDebug())
+          console.warn("[IDKit] Native: MiniKit subscribe failed", err);
       }
       const sendPayload = {
         command: "verify",
@@ -2046,16 +2064,29 @@ var NativeIDKitRequest = class {
       try {
         const w = window;
         if (w.webkit?.messageHandlers?.minikit) {
+          if (isDebug())
+            console.debug(
+              `[IDKit] Native: sending verify command (version=${version}, platform=ios)`
+            );
           w.webkit.messageHandlers.minikit.postMessage(sendPayload);
         } else if (w.Android) {
+          if (isDebug())
+            console.debug(
+              `[IDKit] Native: sending verify command (version=${version}, platform=android)`
+            );
           w.Android.postMessage(JSON.stringify(sendPayload));
         } else {
+          if (isDebug())
+            console.warn(
+              "[IDKit] Native: no native bridge found (no webkit/Android)"
+            );
           this.complete({
             success: false,
             error: "generic_error" /* GenericError */
           });
         }
-      } catch {
+      } catch (err) {
+        if (isDebug()) console.warn("[IDKit] Native: postMessage failed", err);
         this.complete({
           success: false,
           error: "generic_error" /* GenericError */
@@ -2066,6 +2097,11 @@ var NativeIDKitRequest = class {
   // Single entry point for finishing the request. Idempotent — first caller wins.
   complete(result) {
     if (this.completionResult) return;
+    if (isDebug())
+      console.debug(
+        "[IDKit] Native: request completed",
+        result.success ? "success" : `error=${result.error}`
+      );
     this.completionResult = result;
     this.cleanup();
     this.resolveFn?.(result);
@@ -2085,7 +2121,9 @@ var NativeIDKitRequest = class {
       try {
         const miniKit = window.MiniKit;
         miniKit?.unsubscribe?.(MINIAPP_VERIFY_ACTION);
-      } catch {
+      } catch (err) {
+        if (isDebug())
+          console.warn("[IDKit] Native: MiniKit unsubscribe failed", err);
       }
       this.miniKitHandler = null;
     }
@@ -2136,14 +2174,15 @@ var NativeIDKitRequest = class {
 function nativeResultToIDKitResult(payload, config, signalHashes, legacySignalHash) {
   const p = payload;
   const rpNonce = config.rp_context?.nonce ?? "";
-  if ("responses" in p && Array.isArray(p.responses)) {
-    const items = p.responses;
-    if (p.session_id) {
+  if ("proof_response" in p && p.proof_response != null) {
+    const proof_response = p.proof_response;
+    const items = proof_response.responses ?? [];
+    if (proof_response.session_id) {
       return {
         protocol_version: "4.0",
-        nonce: p.nonce ?? rpNonce,
-        action_description: p.action_description,
-        session_id: p.session_id,
+        nonce: proof_response.nonce ?? rpNonce,
+        action_description: proof_response.action_description,
+        session_id: proof_response.session_id,
         responses: items.map((item) => ({
           identifier: item.identifier,
           signal_hash: signalHashes[item.identifier],
@@ -2157,9 +2196,9 @@ function nativeResultToIDKitResult(payload, config, signalHashes, legacySignalHa
     }
     return {
       protocol_version: "4.0",
-      nonce: p.nonce ?? rpNonce,
-      action: p.action ?? config.action ?? "",
-      action_description: p.action_description,
+      nonce: proof_response.nonce ?? rpNonce,
+      action: proof_response.action ?? config.action ?? "",
+      action_description: proof_response.action_description,
       responses: items.map((item) => ({
         identifier: item.identifier,
         signal_hash: signalHashes[item.identifier],
@@ -2205,6 +2244,7 @@ function nativeResultToIDKitResult(payload, config, signalHashes, legacySignalHa
 }
 
 // src/request.ts
+var SESSION_ID_PATTERN = /^session_[0-9a-fA-F]{128}$/;
 var IDKitRequestImpl = class {
   constructor(wasmRequest) {
     this.wasmRequest = wasmRequest;
@@ -2245,6 +2285,23 @@ var IDKitRequestImpl = class {
     }
   }
 };
+function CredentialRequest(credential_type, options) {
+  return {
+    type: credential_type,
+    signal: options?.signal,
+    genesis_issued_at_min: options?.genesis_issued_at_min,
+    expires_at_min: options?.expires_at_min
+  };
+}
+function any(...nodes) {
+  return { any: nodes };
+}
+function all(...nodes) {
+  return { all: nodes };
+}
+function enumerate(...nodes) {
+  return { enumerate: nodes };
+}
 function orbLegacy(opts = {}) {
   return { type: "OrbLegacy", signal: opts.signal };
 }
@@ -2337,7 +2394,7 @@ var IDKitBuilder2 = class {
         wasmResult.payload,
         this.config,
         wasmResult.signal_hashes ?? {},
-        wasmResult.legacy_signal_hash ?? void 0,
+        wasmResult.legacy_signal_hash,
         2
       );
     }
@@ -2363,6 +2420,11 @@ var IDKitBuilder2 = class {
    * ```
    */
   async preset(preset) {
+    if (this.config.type === "createSession" || this.config.type === "proveSession") {
+      throw new Error(
+        "Presets are not supported for session flows. Use .constraints() instead."
+      );
+    }
     await initIDKit();
     if (isInWorldApp()) {
       const verifyVersion = getWorldAppVerifyVersion();
@@ -2373,7 +2435,7 @@ var IDKitBuilder2 = class {
           wasmResult.payload,
           this.config,
           wasmResult.signal_hashes ?? {},
-          wasmResult.legacy_signal_hash ?? void 0,
+          wasmResult.legacy_signal_hash,
           2
         );
       }
@@ -2384,7 +2446,7 @@ var IDKitBuilder2 = class {
           wasmResult.payload,
           this.config,
           wasmResult.signal_hashes ?? {},
-          wasmResult.legacy_signal_hash ?? void 0,
+          wasmResult.legacy_signal_hash,
           1
         );
       } catch (err) {
@@ -2433,22 +2495,70 @@ function createRequest(config) {
     environment: config.environment
   });
 }
+function createSession2(config) {
+  if (!config.app_id) {
+    throw new Error("app_id is required");
+  }
+  if (!config.rp_context) {
+    throw new Error(
+      "rp_context is required. Generate it on your backend using signRequest()."
+    );
+  }
+  return new IDKitBuilder2({
+    type: "createSession",
+    app_id: config.app_id,
+    rp_context: config.rp_context,
+    action_description: config.action_description,
+    bridge_url: config.bridge_url,
+    return_to: config.return_to,
+    override_connect_base_url: config.override_connect_base_url,
+    environment: config.environment
+  });
+}
+function proveSession2(sessionId, config) {
+  if (!sessionId) {
+    throw new Error("session_id is required");
+  }
+  if (!SESSION_ID_PATTERN.test(sessionId)) {
+    throw new Error(
+      "session_id must be in the format session_<128 hex characters>"
+    );
+  }
+  if (!config.app_id) {
+    throw new Error("app_id is required");
+  }
+  if (!config.rp_context) {
+    throw new Error(
+      "rp_context is required. Generate it on your backend using signRequest()."
+    );
+  }
+  return new IDKitBuilder2({
+    type: "proveSession",
+    session_id: sessionId,
+    app_id: config.app_id,
+    rp_context: config.rp_context,
+    action_description: config.action_description,
+    bridge_url: config.bridge_url,
+    return_to: config.return_to,
+    override_connect_base_url: config.override_connect_base_url,
+    environment: config.environment
+  });
+}
 var IDKit = {
   /** Create a new verification request */
   request: createRequest,
-  // TODO: Re-enable when World ID 4.0 is live
-  // /** Create a new session (no action, no existing session_id) */
-  // createSession,
-  // /** Prove an existing session (no action, has session_id) */
-  // proveSession,
-  // /** Create a CredentialRequest for a credential type */
-  // CredentialRequest,
-  // /** Create an OR constraint - at least one child must be satisfied */
-  // any,
-  // /** Create an AND constraint - all children must be satisfied */
-  // all,
-  // /** Create an enumerate constraint - all satisfiable children should be selected */
-  // enumerate,
+  /** Create a new session (no action, no existing session_id) */
+  createSession: createSession2,
+  /** Prove an existing session (no action, has session_id) */
+  proveSession: proveSession2,
+  /** Create a CredentialRequest for a credential type */
+  CredentialRequest,
+  /** Create an OR constraint - at least one child must be satisfied */
+  any,
+  /** Create an AND constraint - all children must be satisfied */
+  all,
+  /** Create an enumerate constraint - all satisfiable children should be selected */
+  enumerate,
   /** Create an OrbLegacy preset for World ID 3.0 legacy support */
   orbLegacy,
   /** Create a SecureDocumentLegacy preset for World ID 3.0 legacy support */
@@ -2492,4 +2602,4 @@ function isValidHex(s) {
   return /^[0-9a-fA-F]+$/.test(s);
 }
 
-export { IDKit, IDKitErrorCodes, deviceLegacy, documentLegacy, hashSignal2 as hashSignal, isInWorldApp, isNode, isReactNative, isWeb, orbLegacy, secureDocumentLegacy, selfieCheckLegacy };
+export { CredentialRequest, IDKit, IDKitErrorCodes, all, any, deviceLegacy, documentLegacy, enumerate, hashSignal2 as hashSignal, isDebug, isInWorldApp, isNode, isReactNative, isWeb, orbLegacy, secureDocumentLegacy, selfieCheckLegacy, setDebug };

package/dist/session.cjs

@@ -0,0 +1,10 @@
+'use strict';
+
+var idkitServer = require('@worldcoin/idkit-server');
+
+
+
+Object.defineProperty(exports, "getSessionCommitment", {
+  enumerable: true,
+  get: function () { return idkitServer.getSessionCommitment; }
+});

package/dist/session.d.cts

@@ -0,0 +1 @@
+export { getSessionCommitment } from '@worldcoin/idkit-server';

package/dist/session.d.ts

@@ -0,0 +1 @@
+export { getSessionCommitment } from '@worldcoin/idkit-server';

package/dist/session.js

@@ -0,0 +1 @@
+export { getSessionCommitment } from '@worldcoin/idkit-server';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@worldcoin/idkit-core",
-  "version": "4.0.16",
+  "version": "4.1.0",
   "description": "Core IDKit SDK for World ID - Pure TypeScript, no dependencies",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -21,6 +21,11 @@
       "types": "./dist/hashing.d.ts",
       "import": "./dist/hashing.js",
       "require": "./dist/hashing.cjs"
+    },
+    "./session": {
+      "types": "./dist/session.d.ts",
+      "import": "./dist/session.js",
+      "require": "./dist/session.cjs"
     }
   },
   "files": [
@@ -52,7 +57,7 @@
   },
   "dependencies": {
     "@noble/hashes": "^1.7.2",
-    "@worldcoin/idkit-server": "1.0.0"
+    "@worldcoin/idkit-server": "1.1.0"
   },
   "devDependencies": {
     "@types/node": "^20.19.30",