astro-tokenkit 1.0.10 → 1.0.12

package/README.md

@@ -61,8 +61,8 @@ Now you can use the `api` client anywhere in your Astro pages or components with
 // src/pages/profile.astro
 import { api } from 'astro-tokenkit';
 
-// No need to pass context, it's handled by middleware!
-const user = await api.get('/me');
+// Request methods return an APIResponse object
+const { data: user } = await api.get('/me');
 ---
 
 <h1>Welcome, {user.name}</h1>
@@ -125,10 +125,15 @@ const specializedClient = createClient({
 | `login` | `string` | Endpoint path for login (POST). |
 | `refresh` | `string` | Endpoint path for token refresh (POST). |
 | `logout` | `string` | Endpoint path for logout (POST). |
-| `fields` | `FieldMapping` | Custom mapping for token fields in API responses. |
+| `contentType` | `'application/json' \| 'application/x-www-form-urlencoded'` | Content type for auth requests (default: `application/json`). |
+| `headers` | `Record<string, string>` | Extra headers for login/refresh requests. |
+| `loginData` | `Record<string, any>` | Extra data to be sent with login request. |
+| `refreshData` | `Record<string, any>` | Extra data to be sent with refresh request. |
+| `refreshRequestField` | `string` | Field name for the refresh token in the refresh request (default: `refreshToken`). |
+| `fields` | `FieldMapping` | Custom mapping for token fields in API responses (`accessToken`, `refreshToken`, `expiresAt`, `expiresIn`, `tokenType`, `sessionPayload`). |
 | `parseLogin` | `Function` | Custom parser for login response: `(body: any) => TokenBundle`. |
 | `parseRefresh`| `Function` | Custom parser for refresh response: `(body: any) => TokenBundle`. |
-| `injectToken` | `Function` | Custom token injection: `(token: string) => string` (default: Bearer). |
+| `injectToken` | `Function` | Custom token injection: `(token: string, type?: string) => string` (default: Bearer). |
 | `cookies` | `CookieConfig` | Configuration for auth cookies. |
 | `policy` | `RefreshPolicy` | Strategy for when to trigger token refresh. |
 
@@ -136,17 +141,34 @@ const specializedClient = createClient({
 
 | Property | Type | Description |
 | :--- | :--- | :--- |
-| `ctx` | `TokenKitContext` | Optional Astro context. |
 | `onLogin` | `Function` | Callback after successful login: `(bundle, body, ctx) => void`. |
+| `onError` | `Function` | Callback after failed login: `(error, ctx) => void`. |
+| `headers` | `Record<string, string>` | Extra headers for this specific login request. |
+| `data` | `Record<string, any>` | Extra data for this specific login request. |
+
+### Request Auth Overrides
+
+When calling `api.get()`, `api.post()`, etc., you can override auth configuration (e.g., for multi-tenancy). Headers provided in the request options are automatically propagated to any automatic token refresh operations:
+
+```typescript
+await api.get('/data', {
+  headers: { 'x-tenant-name': 'lynx' },
+  auth: {
+    data: { extra_refresh_param: 'value' }
+  }
+});
+```
 
 ## Advanced Usage
 
 ### Manual Context
 
-If you prefer not to use middleware, you can pass the Astro context explicitly to any request:
+If you prefer not to use middleware, you can bind the Astro context manually for a specific scope:
 
 ```typescript
-const data = await api.get('/data', { ctx: Astro });
+import { runWithContext } from 'astro-tokenkit';
+
+const { data } = await runWithContext(Astro, () => api.get('/data'));
 ```
 
 ### Interceptors
@@ -169,16 +191,56 @@ const api = createClient({
 
 ```typescript
 // In an API route or server-side component
-await api.login({ username, password }, {
+const { data: bundle } = await api.login({ username, password }, {
   onLogin: (bundle, body, ctx) => {
     // Post-login logic (e.g., sync session to another store)
     console.log('User logged in!', bundle.sessionPayload);
+  },
+  onError: (error, ctx) => {
+    // Handle error (e.g., log it or perform cleanup)
+    console.error('Login failed:', error.message);
   }
 });
 
 await api.logout();
 ```
 
+### Using Promises (.then, .catch, .finally)
+
+All API methods return a Promise that resolves to an `APIResponse` object. You can use traditional promise chaining:
+
+```typescript
+// Example with GET request
+api.get('/me')
+  .then(({ data: user, status }) => {
+    console.log(`User ${user.name} fetched with status ${status}`);
+  })
+  .catch(err => {
+    console.error('Failed to fetch user:', err.message);
+  })
+  .finally(() => {
+    console.log('Request finished');
+  });
+
+// Example with login
+api.login(credentials)
+  .then(({ data: token }) => {
+    console.log('Successfully logged in!', token.accessToken);
+  })
+  .catch(err => {
+    if (err instanceof AuthError) {
+      console.error('Authentication failed:', err.message);
+    } else {
+      console.error('An unexpected error occurred:', err.message);
+    }
+  })
+  .finally(() => {
+    // E.g. stop loading state
+  });
+```
+
+> **Note:** Since all methods return an `APIResponse` object, you can use destructuring in `.then()` to access the data directly, which allows for clean syntax like `.then(({ data: token }) => ... )`.
+
 ## License
 
 MIT © [oamm](https://github.com/oamm)

package/dist/auth/detector.js

@@ -35,6 +35,13 @@ const EXPIRES_IN_FIELDS = [
     'expiresIn',
     'ttl',
 ];
+/**
+ * Common field names for token type
+ */
+const TOKEN_TYPE_FIELDS = [
+    'token_type',
+    'tokenType',
+];
 /**
  * Common field names for session payload
  */
@@ -97,10 +104,13 @@ export function autoDetectFields(body, fieldMapping) {
     }
     // Detect session payload (optional)
     const sessionPayload = findField(SESSION_PAYLOAD_FIELDS, fieldMapping === null || fieldMapping === void 0 ? void 0 : fieldMapping.sessionPayload);
+    // Detect token type (optional)
+    const tokenType = findField(TOKEN_TYPE_FIELDS, fieldMapping === null || fieldMapping === void 0 ? void 0 : fieldMapping.tokenType);
     return {
         accessToken,
         refreshToken,
         accessExpiresAt,
+        tokenType: tokenType || undefined,
         sessionPayload: sessionPayload || undefined,
     };
 }
@@ -114,6 +124,10 @@ export function parseJWTPayload(token) {
             return null;
         }
         const payload = parts[1];
+        // Better UTF-8 support for environments with Buffer (like Node.js/Astro)
+        if (typeof Buffer !== 'undefined') {
+            return JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
+        }
         const decoded = atob(payload.replace(/-/g, '+').replace(/_/g, '/'));
         return JSON.parse(decoded);
     }

package/dist/auth/manager.d.ts

@@ -1,4 +1,5 @@
-import type { TokenBundle, Session, AuthConfig, TokenKitContext, OnLoginCallback } from '../types';
+import { APIResponse } from '../types';
+import type { TokenBundle, Session, AuthConfig, TokenKitContext, AuthOptions, LoginOptions } from '../types';
 /**
  * Token Manager handles all token operations
  */
@@ -10,11 +11,11 @@ export declare class TokenManager {
     /**
      * Perform login
      */
-    login(ctx: TokenKitContext, credentials: any, onLogin?: OnLoginCallback): Promise<TokenBundle>;
+    login(ctx: TokenKitContext, credentials: any, options?: LoginOptions): Promise<APIResponse<TokenBundle>>;
     /**
      * Perform token refresh
      */
-    refresh(ctx: TokenKitContext, refreshToken: string): Promise<TokenBundle | null>;
+    refresh(ctx: TokenKitContext, refreshToken: string, options?: AuthOptions, headers?: Record<string, string>): Promise<TokenBundle | null>;
     /**
      * Internal refresh implementation
      */
@@ -22,7 +23,7 @@ export declare class TokenManager {
     /**
      * Ensure valid tokens (with automatic refresh)
      */
-    ensure(ctx: TokenKitContext): Promise<Session | null>;
+    ensure(ctx: TokenKitContext, options?: AuthOptions, headers?: Record<string, string>): Promise<Session | null>;
     /**
      * Logout (clear tokens)
      */
@@ -39,4 +40,8 @@ export declare class TokenManager {
      * Create flight key for single-flight deduplication
      */
     private createFlightKey;
+    /**
+     * Join base URL and path safely
+     */
+    private joinURL;
 }

package/dist/auth/manager.js

@@ -52,18 +52,38 @@ export class TokenManager {
     /**
      * Perform login
      */
-    login(ctx, credentials, onLogin) {
+    login(ctx, credentials, options) {
         return __awaiter(this, void 0, void 0, function* () {
-            const url = this.baseURL + this.config.login;
-            const response = yield fetch(url, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify(credentials),
-            }).catch(error => {
-                throw new AuthError(`Login request failed: ${error.message}`);
-            });
+            const url = this.joinURL(this.baseURL, this.config.login);
+            const contentType = this.config.contentType || 'application/json';
+            const headers = Object.assign(Object.assign({ 'Content-Type': contentType }, this.config.headers), options === null || options === void 0 ? void 0 : options.headers);
+            const data = Object.assign(Object.assign(Object.assign({}, this.config.loginData), options === null || options === void 0 ? void 0 : options.data), credentials);
+            let requestBody;
+            if (contentType === 'application/x-www-form-urlencoded') {
+                requestBody = new URLSearchParams(data).toString();
+            }
+            else {
+                requestBody = JSON.stringify(data);
+            }
+            let response;
+            try {
+                response = yield fetch(url, {
+                    method: 'POST',
+                    headers,
+                    body: requestBody,
+                });
+            }
+            catch (error) {
+                const authError = new AuthError(`Login request failed: ${error.message}`);
+                if (options === null || options === void 0 ? void 0 : options.onError)
+                    yield options.onError(authError, ctx);
+                throw authError;
+            }
             if (!response.ok) {
-                throw new AuthError(`Login failed: ${response.status} ${response.statusText}`, response.status, response);
+                const authError = new AuthError(`Login failed: ${response.status} ${response.statusText}`, response.status, response);
+                if (options === null || options === void 0 ? void 0 : options.onError)
+                    yield options.onError(authError, ctx);
+                throw authError;
             }
             const body = yield response.json().catch(() => ({}));
             // Parse response
@@ -74,24 +94,34 @@ export class TokenManager {
                     : autoDetectFields(body, this.config.fields);
             }
             catch (error) {
-                throw new AuthError(`Invalid login response: ${error.message}`, response.status, response);
+                const authError = new AuthError(`Invalid login response: ${error.message}`, response.status, response);
+                if (options === null || options === void 0 ? void 0 : options.onError)
+                    yield options.onError(authError, ctx);
+                throw authError;
             }
             // Store in cookies
             storeTokens(ctx, bundle, this.config.cookies);
             // Call onLogin callback if provided
-            if (onLogin) {
-                yield onLogin(bundle, body, ctx);
+            if (options === null || options === void 0 ? void 0 : options.onLogin) {
+                yield options.onLogin(bundle, body, ctx);
             }
-            return bundle;
+            return {
+                data: bundle,
+                status: response.status,
+                statusText: response.statusText,
+                headers: response.headers,
+                url: response.url,
+                ok: response.ok,
+            };
         });
     }
     /**
      * Perform token refresh
      */
-    refresh(ctx, refreshToken) {
+    refresh(ctx, refreshToken, options, headers) {
         return __awaiter(this, void 0, void 0, function* () {
             try {
-                return yield this.performRefresh(ctx, refreshToken);
+                return yield this.performRefresh(ctx, refreshToken, options, headers);
             }
             catch (error) {
                 clearTokens(ctx, this.config.cookies);
@@ -102,16 +132,31 @@ export class TokenManager {
     /**
      * Internal refresh implementation
      */
-    performRefresh(ctx, refreshToken) {
+    performRefresh(ctx, refreshToken, options, extraHeaders) {
         return __awaiter(this, void 0, void 0, function* () {
-            const url = this.baseURL + this.config.refresh;
-            const response = yield fetch(url, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ refreshToken }),
-            }).catch(error => {
+            const url = this.joinURL(this.baseURL, this.config.refresh);
+            const contentType = this.config.contentType || 'application/json';
+            const headers = Object.assign(Object.assign({ 'Content-Type': contentType }, this.config.headers), extraHeaders);
+            const refreshField = this.config.refreshRequestField || 'refreshToken';
+            const data = Object.assign(Object.assign(Object.assign({}, this.config.refreshData), options === null || options === void 0 ? void 0 : options.data), { [refreshField]: refreshToken });
+            let requestBody;
+            if (contentType === 'application/x-www-form-urlencoded') {
+                requestBody = new URLSearchParams(data).toString();
+            }
+            else {
+                requestBody = JSON.stringify(data);
+            }
+            let response;
+            try {
+                response = yield fetch(url, {
+                    method: 'POST',
+                    headers,
+                    body: requestBody,
+                });
+            }
+            catch (error) {
                 throw new AuthError(`Refresh request failed: ${error.message}`);
-            });
+            }
             if (!response.ok) {
                 // 401/403 = invalid refresh token
                 if (response.status === 401 || response.status === 403) {
@@ -143,9 +188,9 @@ export class TokenManager {
     /**
      * Ensure valid tokens (with automatic refresh)
      */
-    ensure(ctx) {
+    ensure(ctx, options, headers) {
         return __awaiter(this, void 0, void 0, function* () {
-            var _a, _b, _c, _d, _e;
+            var _a, _b, _c, _d, _e, _f;
             const now = Math.floor(Date.now() / 1000);
             const tokens = retrieveTokens(ctx, this.config.cookies);
             // No tokens
@@ -155,23 +200,25 @@ export class TokenManager {
             // Token expired
             if (isExpired(tokens.expiresAt, now, this.config.policy)) {
                 const flightKey = this.createFlightKey(tokens.refreshToken);
-                const bundle = yield this.singleFlight.execute(flightKey, () => this.refresh(ctx, tokens.refreshToken));
+                const bundle = yield this.singleFlight.execute(flightKey, () => this.refresh(ctx, tokens.refreshToken, options, headers));
                 if (!bundle)
                     return null;
                 return {
                     accessToken: bundle.accessToken,
                     expiresAt: bundle.accessExpiresAt,
+                    tokenType: bundle.tokenType,
                     payload: (_b = (_a = bundle.sessionPayload) !== null && _a !== void 0 ? _a : parseJWTPayload(bundle.accessToken)) !== null && _b !== void 0 ? _b : undefined,
                 };
             }
             // Proactive refresh
             if (shouldRefresh(tokens.expiresAt, now, tokens.lastRefreshAt, this.config.policy)) {
                 const flightKey = this.createFlightKey(tokens.refreshToken);
-                const bundle = yield this.singleFlight.execute(flightKey, () => this.refresh(ctx, tokens.refreshToken));
+                const bundle = yield this.singleFlight.execute(flightKey, () => this.refresh(ctx, tokens.refreshToken, options, headers));
                 if (bundle) {
                     return {
                         accessToken: bundle.accessToken,
                         expiresAt: bundle.accessExpiresAt,
+                        tokenType: bundle.tokenType,
                         payload: (_d = (_c = bundle.sessionPayload) !== null && _c !== void 0 ? _c : parseJWTPayload(bundle.accessToken)) !== null && _d !== void 0 ? _d : undefined,
                     };
                 }
@@ -185,7 +232,8 @@ export class TokenManager {
             return {
                 accessToken: tokens.accessToken,
                 expiresAt: tokens.expiresAt,
-                payload: (_e = parseJWTPayload(tokens.accessToken)) !== null && _e !== void 0 ? _e : undefined,
+                tokenType: (_e = tokens.tokenType) !== null && _e !== void 0 ? _e : undefined,
+                payload: (_f = parseJWTPayload(tokens.accessToken)) !== null && _f !== void 0 ? _f : undefined,
             };
         });
     }
@@ -194,15 +242,22 @@ export class TokenManager {
      */
     logout(ctx) {
         return __awaiter(this, void 0, void 0, function* () {
+            var _a;
             // Optionally call logout endpoint
             if (this.config.logout) {
                 try {
-                    const url = this.baseURL + this.config.logout;
-                    yield fetch(url, { method: 'POST' });
+                    const url = this.joinURL(this.baseURL, this.config.logout);
+                    const session = this.getSession(ctx);
+                    const headers = {};
+                    if (session === null || session === void 0 ? void 0 : session.accessToken) {
+                        const injectFn = (_a = this.config.injectToken) !== null && _a !== void 0 ? _a : ((token, type) => `${type !== null && type !== void 0 ? type : 'Bearer'} ${token}`);
+                        headers['Authorization'] = injectFn(session.accessToken, session.tokenType);
+                    }
+                    yield fetch(url, { method: 'POST', headers });
                 }
                 catch (error) {
                     // Ignore logout endpoint errors
-                    console.warn('Logout endpoint failed:', error);
+                    console.warn('[TokenKit] Logout endpoint failed:', error);
                 }
             }
             clearTokens(ctx, this.config.cookies);
@@ -212,7 +267,7 @@ export class TokenManager {
      * Get current session (no refresh)
      */
     getSession(ctx) {
-        var _a;
+        var _a, _b;
         const tokens = retrieveTokens(ctx, this.config.cookies);
         if (!tokens.accessToken || !tokens.expiresAt) {
             return null;
@@ -220,7 +275,8 @@ export class TokenManager {
         return {
             accessToken: tokens.accessToken,
             expiresAt: tokens.expiresAt,
-            payload: (_a = parseJWTPayload(tokens.accessToken)) !== null && _a !== void 0 ? _a : undefined,
+            tokenType: (_a = tokens.tokenType) !== null && _a !== void 0 ? _a : undefined,
+            payload: (_b = parseJWTPayload(tokens.accessToken)) !== null && _b !== void 0 ? _b : undefined,
         };
     }
     /**
@@ -234,12 +290,15 @@ export class TokenManager {
      * Create flight key for single-flight deduplication
      */
     createFlightKey(token) {
-        let hash = 0;
-        for (let i = 0; i < token.length; i++) {
-            const char = token.charCodeAt(i);
-            hash = ((hash << 5) - hash) + char;
-            hash = hash & hash;
-        }
-        return `flight_${Math.abs(hash).toString(36)}`;
+        // Avoid weak hashing of sensitive tokens
+        return `refresh_${token}`;
+    }
+    /**
+     * Join base URL and path safely
+     */
+    joinURL(base, path) {
+        const b = base.endsWith('/') ? base : base + '/';
+        const p = path.startsWith('/') ? path.slice(1) : path;
+        return b + p;
     }
 }

package/dist/auth/policy.js

@@ -62,5 +62,6 @@ export function isExpired(expiresAt, now, policy = {}) {
     const clockSkew = typeof normalized.clockSkew === 'number'
         ? normalized.clockSkew
         : parseTime(normalized.clockSkew);
-    return now > expiresAt + clockSkew;
+    // Pessimistic: consider it expired if current time + skew is past expiration
+    return now + clockSkew > expiresAt;
 }

package/dist/auth/storage.d.ts

@@ -7,6 +7,7 @@ export interface CookieNames {
     refreshToken: string;
     expiresAt: string;
     lastRefreshAt: string;
+    tokenType: string;
 }
 /**
  * Get cookie names with optional prefix
@@ -33,6 +34,7 @@ export declare function retrieveTokens(ctx: TokenKitContext, cookieConfig?: Cook
     refreshToken: string | null;
     expiresAt: number | null;
     lastRefreshAt: number | null;
+    tokenType: string | null;
 };
 /**
  * Clear all auth cookies

package/dist/auth/storage.js

@@ -9,6 +9,7 @@ export function getCookieNames(prefix) {
         refreshToken: `${p}refresh_token`,
         expiresAt: `${p}access_expires_at`,
         lastRefreshAt: `${p}last_refresh_at`,
+        tokenType: `${p}token_type`,
     };
 }
 /**
@@ -44,20 +45,25 @@ export function storeTokens(ctx, bundle, cookieConfig = {}) {
     ctx.cookies.set(names.expiresAt, bundle.accessExpiresAt.toString(), Object.assign(Object.assign({}, options), { maxAge: accessMaxAge, path: '/' }));
     // Set last refresh timestamp
     ctx.cookies.set(names.lastRefreshAt, now.toString(), Object.assign(Object.assign({}, options), { maxAge: accessMaxAge, path: '/' }));
+    // Set token type if available
+    if (bundle.tokenType) {
+        ctx.cookies.set(names.tokenType, bundle.tokenType, Object.assign(Object.assign({}, options), { maxAge: accessMaxAge, path: '/' }));
+    }
 }
 /**
  * Retrieve tokens from cookies
  */
 export function retrieveTokens(ctx, cookieConfig = {}) {
-    var _a, _b, _c, _d;
+    var _a, _b, _c, _d, _e;
     const names = getCookieNames(cookieConfig.prefix);
     const accessToken = ((_a = ctx.cookies.get(names.accessToken)) === null || _a === void 0 ? void 0 : _a.value) || null;
     const refreshToken = ((_b = ctx.cookies.get(names.refreshToken)) === null || _b === void 0 ? void 0 : _b.value) || null;
-    const expiresAtStr = (_c = ctx.cookies.get(names.expiresAt)) === null || _c === void 0 ? void 0 : _c.value;
+    const tokenType = ((_c = ctx.cookies.get(names.tokenType)) === null || _c === void 0 ? void 0 : _c.value) || null;
+    const expiresAtStr = (_d = ctx.cookies.get(names.expiresAt)) === null || _d === void 0 ? void 0 : _d.value;
     const expiresAt = expiresAtStr ? parseInt(expiresAtStr, 10) : null;
-    const lastRefreshAtStr = (_d = ctx.cookies.get(names.lastRefreshAt)) === null || _d === void 0 ? void 0 : _d.value;
+    const lastRefreshAtStr = (_e = ctx.cookies.get(names.lastRefreshAt)) === null || _e === void 0 ? void 0 : _e.value;
     const lastRefreshAt = lastRefreshAtStr ? parseInt(lastRefreshAtStr, 10) : null;
-    return { accessToken, refreshToken, expiresAt, lastRefreshAt };
+    return { accessToken, refreshToken, expiresAt, lastRefreshAt, tokenType };
 }
 /**
  * Clear all auth cookies
@@ -69,4 +75,5 @@ export function clearTokens(ctx, cookieConfig = {}) {
     ctx.cookies.delete(names.refreshToken, Object.assign(Object.assign({}, options), { path: '/' }));
     ctx.cookies.delete(names.expiresAt, Object.assign(Object.assign({}, options), { path: '/' }));
     ctx.cookies.delete(names.lastRefreshAt, Object.assign(Object.assign({}, options), { path: '/' }));
+    ctx.cookies.delete(names.tokenType, Object.assign(Object.assign({}, options), { path: '/' }));
 }

package/dist/client/client.d.ts

@@ -1,4 +1,4 @@
-import type { ClientConfig, RequestConfig, RequestOptions, Session, TokenKitContext, TokenKitConfig, LoginOptions } from '../types';
+import type { APIResponse, ClientConfig, RequestConfig, RequestOptions, Session, TokenKitConfig, LoginOptions, TokenBundle } from '../types';
 import { TokenManager } from '../auth/manager';
 /**
  * API Client
@@ -25,27 +25,27 @@ export declare class APIClient {
     /**
      * GET request
      */
-    get<T = any>(url: string, options?: RequestOptions): Promise<T>;
+    get<T = any>(url: string, options?: RequestOptions): Promise<APIResponse<T>>;
     /**
      * POST request
      */
-    post<T = any>(url: string, data?: any, options?: RequestOptions): Promise<T>;
+    post<T = any>(url: string, data?: any, options?: RequestOptions): Promise<APIResponse<T>>;
     /**
      * PUT request
      */
-    put<T = any>(url: string, data?: any, options?: RequestOptions): Promise<T>;
+    put<T = any>(url: string, data?: any, options?: RequestOptions): Promise<APIResponse<T>>;
     /**
      * PATCH request
      */
-    patch<T = any>(url: string, data?: any, options?: RequestOptions): Promise<T>;
+    patch<T = any>(url: string, data?: any, options?: RequestOptions): Promise<APIResponse<T>>;
     /**
      * DELETE request
      */
-    delete<T = any>(url: string, options?: RequestOptions): Promise<T>;
+    delete<T = any>(url: string, options?: RequestOptions): Promise<APIResponse<T>>;
     /**
      * Generic request method
      */
-    request<T = any>(config: RequestConfig): Promise<T>;
+    request<T = any>(config: RequestConfig): Promise<APIResponse<T>>;
     /**
      * Execute single request
      */
@@ -62,22 +62,26 @@ export declare class APIClient {
      * Build request headers
      */
     private buildHeaders;
+    /**
+     * Check if a URL is safe for token injection (same origin as baseURL)
+     */
+    private isSafeURL;
     /**
      * Login
      */
-    login(credentials: any, options?: LoginOptions | TokenKitContext): Promise<void>;
+    login(credentials: any, options?: LoginOptions): Promise<APIResponse<TokenBundle>>;
     /**
      * Logout
      */
-    logout(ctx?: TokenKitContext): Promise<void>;
+    logout(): Promise<void>;
     /**
      * Check if authenticated
      */
-    isAuthenticated(ctx?: TokenKitContext): boolean;
+    isAuthenticated(): boolean;
     /**
      * Get current session
      */
-    getSession(ctx?: TokenKitContext): Session | null;
+    getSession(): Session | null;
 }
 /**
  * Global API client instance.