npm - despia-native - Versions diffs - 1.0.27 → 1.0.28 - Mend

despia-native 1.0.27 → 1.0.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +286 -712
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -1,168 +1,125 @@
-# Despia Native
+# [Despia Native](https://despia.com)
-JavaScript SDK for [Despia](https://despia.com). Build with any web framework, access 50+ native device capabilities through a single JavaScript function, and publish to iOS and Android from a browser. No Swift, no Kotlin, no terminal.
+Add 50+ native iOS and Android capabilities to any web app (React, Vue, Angular, Svelte, Next.js, vanilla JS) through a single `despia()` function. Plus native offline support, a local SQLite database, and an on-device streaming CDN, solving 15 years of hybrid-app problems with modern runtime architecture.
 [![npm](https://img.shields.io/npm/v/despia-native)](https://www.npmjs.com/package/despia-native)
-[![license](https://img.shields.io/npm/l/despia-native)](https://github.com/despia-native/despia-native/blob/main/LICENSE)
-**[Documentation](https://setup.despia.com)** | **[AI Agent Index](https://setup.despia.com/llms.txt)** | **[iOS Deployment](https://setup.despia.com/deployment/apple-ios/automatic)** | **[Android Deployment](https://setup.despia.com/deployment/google-android/automatic)**
-Despia is the next generation of web-native development. Unlike earlier hybrid frameworks that routed files through JavaScript, forced Base64 encoding, imposed storage quotas, and ran on insecure `file://` origins, Despia runs your app on a real secure origin (`http://localhost` via Local Server, or your remote URL). Standard web APIs work without restrictions. File operations bypass JavaScript entirely and go directly to the native file system. A 500MB video file uses roughly 100 bytes of JS heap rather than 1.6GB.
-The runtime runs on WKWebView (iOS) and the Chromium-based WebView (Android) with hardware-accelerated compositing, JIT-compiled JavaScript, automatic DOM optimization, smart caching, and GPU-accelerated WebGL and Canvas 2D. CSS animations run on the compositor thread independently of JavaScript. The runtime has been actively maintained by the same core team since 2011, when it shipped as Advanced WebView. It has powered over 7,500 apps and became Despia in 2023. Native capabilities are implemented in Swift and Java and called from JavaScript through a single typed function. See the [changelog](https://setup.despia.com/changelog) for the full history.
+**[Full documentation](https://setup.despia.com)**
 ---
-## MCP Server
-Add the Despia MCP to give your AI assistant full knowledge of the `despia-native` API.
-[![Install in Cursor](https://cursor.com/deeplink/mcp-install-dark.svg)](https://despia.com/mcp/cursor)
-[![Install in VS Code](https://img.shields.io/badge/Install_in_VS_Code-007ACC?logo=visualstudiocode&logoColor=white)](https://despia.com/mcp/vs-code)
-The badges use **HTTPS** links on [despia.com](https://despia.com) that redirect to the `cursor://` / `vscode:` installers (plain `cursor://` / `vscode:` links are not allowed as README `href` values on npm and GitHub).
-**[MCP Server setup guide (Cursor, VS Code, and more)](https://setup.despia.com/mcp-server)**
-**Cursor deeplink** (copy the full line):
+## Installation
-```text
-cursor://anysphere.cursor-deeplink/mcp/install?name=Despia&config=eyJ0eXBlIjoiaHR0cCIsInVybCI6Imh0dHBzOi8vc2V0dXAuZGVzcGlhLmNvbS9tY3AifQ==
+```bash
+npm install despia-native
+# pnpm add despia-native
+# yarn add despia-native
 ```
-**VS Code deeplink** (copy the full line):
-```text
-vscode:mcp/install?%7B%22name%22%3A%22Despia%22%2C%22type%22%3A%22http%22%2C%22url%22%3A%22https%3A%2F%2Fsetup.despia.com%2Fmcp%22%7D
+```js
+import despia from 'despia-native';
 ```
-**Web-based builders** (Lovable, Bolt, v0, etc.) — paste the MCP URL where your tool asks for it:
+Or via CDN:
-```
-https://setup.despia.com/mcp
+```html
+<!-- UMD -->
+<script src="https://cdn.jsdelivr.net/npm/despia-native/index.min.js"></script>
 ```
-Look for "Add MCP", "MCP Settings", or "Personal Connectors" in your builder. Requires Node.js v18+ for local tools.
+```html
+<!-- ESM -->
+<script type="module">
+  import despia from 'https://cdn.jsdelivr.net/npm/despia-native/+esm';
+</script>
+```
 ---
-## Table of Contents
+## Quick Start
-- [MCP Server](#mcp-server)
-- [Installation](#installation)
-- [Quick Start](#quick-start)
-- [Environment Detection](#environment-detection)
-- [AI Agent Rules](#ai-agent-rules)
-- [API Reference](#api-reference)
-- [Deployment Models](#deployment-models)
-- [Features](#features)
-  - [Haptic Feedback](#haptic-feedback)
-  - [Identity Vault](#identity-vault)
-  - [GPS Location](#gps-location)
-  - [RevenueCat In-App Purchases](#revenuecat-in-app-purchases)
-  - [AppsFlyer Attribution](#appsflyer-attribution)
-  - [Push Notifications](#push-notifications)
-  - [OAuth Authentication](#oauth-authentication)
-  - [Clipboard](#clipboard)
-  - [Contacts](#contacts)
-  - [App Information and Device Data](#app-information-and-device-data)
-  - [UI Controls and Styling](#ui-controls-and-styling)
-  - [File and Media Operations](#file-and-media-operations)
-  - [Apple Health (HealthKit)](#apple-health-healthkit)
-  - [AdMob Inline Ads](#admob-inline-ads)
-  - [Web Payment Request API](#web-payment-request-api)
-  - [Web Storage APIs](#web-storage-apis)
-  - [Local CDN](#local-cdn)
-  - [Local Server](#local-server)
-- [Capability Reference](#capability-reference)
-- [Safe Area](#safe-area)
-- [Extending the Runtime](#extending-the-runtime)
-- [Web Apps vs React Native](#web-apps-vs-react-native)
-- [Publishing to the App Store and Google Play](#publishing-to-the-app-store-and-google-play)
-- [Open Source](#open-source)
-- [Support](#support)
-- [License](#license)
+```js
+import despia from 'despia-native';
----
+// Launch a RevenueCat paywall
+despia(`revenuecat://launchPaywall?external_id=${userId}&offering=default`);
-## Installation
+// Link the device to your user for OneSignal push
+despia(`setonesignalplayerid://?user_id=${userId}`);
-```bash
-npm install despia-native
-# pnpm add despia-native
-# yarn add despia-native
-```
+// Store a session token behind Face ID / Touch ID (survives reinstall)
+await despia('setvault://?key=sessionToken&value=abc123&locked=true');
-```js
-import despia from 'despia-native';
+// Read it back later (prompts biometric)
+const { sessionToken } = await despia('readvault://?key=sessionToken', ['sessionToken']);
 ```
-> CDN alternative: `https://cdn.jsdelivr.net/npm/despia-native/+esm` (ESM) or `https://cdn.jsdelivr.net/npm/despia-native/index.min.js` (UMD, global)
+No initialization. Open your app in the Despia runtime and it works.
 ---
-## Quick Start
+## Why Despia
-```js
-import despia from 'despia-native'; // npm / pnpm / yarn only
+Despia is a hybrid app runtime built on the web platform. The web handles what it's good at (logic, UI, routing, state, storage); everything else (biometrics, push, in-app purchases, background GPS, system pickers) is handed to a native engine via a single `despia()` call.
-despia('successhaptic://');                           // haptic feedback
-const device = await despia('get-uuid://', ['uuid']); // native device ID
-console.log(device.uuid);
-```
+Works with any web codebase. Bring an existing app or start fresh with any framework, any build tool, any host. No framework lock-in, no proprietary hosting, nothing to migrate.
-No initialization. No setup. Open your app in the Despia runtime and it works.
+Full native offline support. [`@despia/local`](https://www.npmjs.com/package/@despia/local) serves your web build from `http://localhost`, [`@despia/powersync`](https://www.npmjs.com/package/@despia/powersync) adds a native SQLite database that syncs with your backend, and the [Local CDN](https://setup.despia.com/local-cdn) streams cached media from device storage. File transfers stream between native storage and the web layer without loading into the JS heap.
-**How it works under the hood**
+Push, monetization, ads, and attribution are built in: OneSignal, RevenueCat, AdMob, AppsFlyer. Pre-wired into the runtime, configured from the Despia dashboard, called from web code. Builds, signing, and store submission run from the browser. No Xcode, no Android Studio.
-Calling `despia()` sets `window.despia` to the scheme string. On iOS this is intercepted in `WebViewController.swift` via `decidePolicyFor navigationAction`. On Android it is intercepted in `MainActivity.java` via `shouldOverrideUrlLoading`. Results are written back to the WebView as named window variables, which the SDK resolves as a promise.
+---
-```js
-// despia('get-uuid://', ['uuid'])
-// 1. window.despia = 'get-uuid://'        set by SDK
-// 2. window.location.href = 'get-uuid://' intercepted by native layer
-// 3. window.uuid = '<device-uuid>'        written back to WebView
-const device = await despia('get-uuid://', ['uuid']);
-console.log(device.uuid);
-```
+## Contents
-The SDK handles command queuing, promise-based variable watching with a 30-second timeout, and error handling.
+- [Why Despia](#why-despia)
+- [Environment Detection](#environment-detection)
+- [For AI Coding](#for-ai-coding)
+- [API Reference](#api-reference)
+- [Deployment Models](#deployment-models)
+- [Features](#features)
+- [Capability Reference](#capability-reference)
+- [Safe Area](#safe-area)
+- [Extending the Runtime](#extending-the-runtime)
+- [Web Native vs React Native](#web-native-vs-react-native)
+- [Publishing](#publishing)
+- [MCP Server](#mcp-server)
+- [How It Works](#how-it-works)
+- [Support](#support)
 ---
 ## Environment Detection
-The SDK only activates inside the Despia native runtime. Gate native calls using these checks:
+The SDK only activates inside the Despia runtime. Gate native calls:
 ```js
 const isDespia = navigator.userAgent.toLowerCase().includes('despia');
-const isDespiaIOS = isDespia &&
-  (navigator.userAgent.toLowerCase().includes('iphone') ||
-   navigator.userAgent.toLowerCase().includes('ipad'));
+const isDespiaIOS = isDespia && (
+  navigator.userAgent.toLowerCase().includes('iphone') ||
+  navigator.userAgent.toLowerCase().includes('ipad')
+);
-const isDespiaAndroid = isDespia &&
-  navigator.userAgent.toLowerCase().includes('android');
+const isDespiaAndroid = isDespia && navigator.userAgent.toLowerCase().includes('android');
-if (isDespia) {
-  despia('lighthaptic://');
-} else {
-  // Fallback for browser or development environment
-}
+if (isDespia) despia('lighthaptic://');
 ```
 ---
-## AI Agent Rules
+## For AI Coding
-If you are an AI coding agent generating Despia app code, follow these rules:
+Full API context: [`llms.txt`](https://setup.despia.com/llms.txt).
-- Import as a default: `import despia from 'despia-native'`
-- Do not write to `window.despia` directly; it is used internally by the SDK
-- Gate all native calls using the environment checks above
-- For offline (Local Server) apps, bundle the SDK via a package manager so it is available when the app is served from `http://localhost`
-- For Local CDN downloads, do not `await` `localcdn://write` with a watch key; use `window.contentServerChange(item)` or poll with `localcdn://read`
-- For the HTTP upload API, do not hardcode localhost ports; use `const host = window.location.host`
+- Import as default: `import despia from 'despia-native'`
+- Never write `window.despia` directly; the SDK uses it internally
+- There is no `.init()`, `.ready()`, or `.setup()`; the SDK exports a single function with no initialization
+- Do not mock or reimplement the SDK; mock implementations will not trigger the native runtime on real devices
+- Gate native calls with the environment check above
+- For Local Server apps, install via a package manager so the SDK ships with the build
+- Do not `await` `localcdn://write` with a watch key; use `window.contentServerChange`
+- For the upload API, read `window.location.host`; don't hardcode ports
 ---
@@ -170,847 +127,464 @@ If you are an AI coding agent generating Despia app code, follow these rules:
 ### `despia(command, watch?)`
+| Parameter | Type       | Description                                    |
+| --------- | ---------- | ---------------------------------------------- |
+| `command` | `string`   | A Despia protocol URL, e.g. `'lighthaptic://'` |
+| `watch`   | `string[]` | Variable names to wait for                     |
-| Parameter | Type       | Description                                                    |
-| --------- | ---------- | -------------------------------------------------------------- |
-| `command` | `string`   | A Despia protocol URL, e.g. `'lighthaptic://'`                 |
-| `watch`   | `string[]` | Optional. Array of variable names to wait for in the response. |
-Returns a `Promise` that resolves when all watched variables are set by the native runtime.
+Returns a `Promise` that resolves when all watched variables are set, with a 30-second timeout. Long-running work (downloads, purchases, biometric prompts) reports back via global callbacks like `window.onRevenueCatPurchase` or `window.contentServerChange` instead. `despia.variableName` is equivalent to `window.variableName`.
-**Timeout behavior**
-The SDK watches for a single variable for up to 30 seconds. This window applies to the variable watch only, not to the underlying native operation. Long-running operations — file downloads, purchases, biometric prompts — complete in native and deliver their result via a global callback function (e.g. `window.onRevenueCatPurchase`, `window.contentServerChange`) rather than a watched variable, so they are never constrained by this window. If a watched variable is never set, the Promise resolves with `undefined` and logs a timeout to the console.
-**Fresh-data behavior**
-Watched variables are cleared before each call to prevent resolving on stale values.
-- Single variable: `null` is treated as a valid resolved value. Other empty placeholders (`undefined`, `"n/a"`, `{}`, `[]`) are ignored.
-- Multiple variables: all variables must be non-null before the Promise resolves.
-**Direct property access**
-```js
-despia.variableName // Equivalent to window.variableName
-```
-### Protocol format
-```
-feature://action?param1=value1&param2=value2
-```
+Protocol format: `feature://action?param1=value1&param2=value2`
 ---
 ## Deployment Models
-**Remote hydration (default):** The binary ships without embedded web assets. On each launch, Despia fetches the current build from your configured hosting URL. Web content updates do not require App Store or Google Play resubmission.
-**Local Server:** For offline-first apps. Your web build is cached on-device and served from `http://localhost`. After initial hydration the app launches without a network request. See [Local Server](#local-server).
+**Remote hydration (default).** Binary ships without web assets; Despia fetches the current build on launch. Web updates do not require store resubmission.
-**OTA version gating:** Gate features by minimum runtime version using `despia-version-guard`.
+**Local Server.** Build is cached on-device and served from `http://localhost`. See [Local Server](#local-server).
-```bash
-npm install despia-version-guard
-```
+**Version gating.** Use [`despia-version-guard`](https://www.npmjs.com/package/despia-version-guard) to gate features by minimum runtime version:
 ```jsx
 import { VersionGuard } from 'despia-version-guard';
-const MyApp = () => (
-  <div>
-    <StableFeature />
-    <VersionGuard min_version="21.0.3">
-      <NewFeature />
-    </VersionGuard>
-  </div>
-);
+<VersionGuard min_version="21.0.3">
+  <NewFeature />
+</VersionGuard>
 ```
 ---
 ## Features
-### Haptic Feedback
-```js
-despia('lighthaptic://');   // Subtle vibration
-despia('heavyhaptic://');   // Strong vibration
-despia('successhaptic://'); // Positive confirmation
-despia('warninghaptic://'); // Attention alert
-despia('errorhaptic://');   // Negative feedback
-```
-[Read Full Documentation](https://setup.despia.com/native-features/haptic-feedback)
----
-### Identity Vault
-Encrypted key-value storage backed by iCloud KV on iOS and Android App Backup on Android. Persists across uninstalls and reinstalls. Data syncs automatically across all devices sharing the same Apple ID or Google account.
-Set `locked=true` on any key to require Face ID or Touch ID before the value can be read back. Because the vault stores the actual value server-side and only returns it after biometric success, you can store real JWT tokens, session cookies, and API keys behind biometrics. This is a hardware-enforced security guarantee, not a client-side check that can be bypassed.
-```js
-// Store a JWT token (reading it back requires Face ID / Touch ID)
-await despia('setvault://?key=sessionToken&value=abc123&locked=true');
-// Read triggers the biometric prompt; token is only returned on success
-const data  = await despia('readvault://?key=sessionToken', ['sessionToken']);
-const token = data.sessionToken;
-```
-If the key does not exist, `readvault://` throws. Wrap in try/catch to handle first-time users.
-| Parameter | Description                                                      |
-| --------- | ---------------------------------------------------------------- |
-| `key`     | Storage key, e.g. `"userId"` or `"sessionToken"`                 |
-| `value`   | String value to store                                            |
-| `locked`  | `"true"` requires biometrics on read. `"false"` for open access. |
-**Store a value without biometric protection**
-```js
-await despia('setvault://?key=userId&value=user123&locked=false');
-const { userId } = await despia('readvault://?key=userId', ['userId']);
-```
-**Protect a sensitive action with Face ID**
-```js
-async function confirmWithBiometrics() {
-  await despia('setvault://?key=confirm&value=yes&locked=true');
-  try {
-    const data = await despia('readvault://?key=confirm', ['confirm']);
-    if (data.confirm === 'yes') {
-      await performSensitiveAction();
-      await despia('setvault://?key=confirm&value=&locked=false');
-    }
-  } catch {
-    // User cancelled or biometric failed
-  }
-}
-```
-**Prevent free trial abuse**
-```js
-async function checkTrialEligibility() {
-  try {
-    const data = await despia('readvault://?key=hasUsedTrial', ['hasUsedTrial']);
-    return data.hasUsedTrial !== 'yes';
-  } catch {
-    // Key not found, first-time user
-    await despia('setvault://?key=hasUsedTrial&value=yes&locked=false');
-    return true;
-  }
-}
-```
-[Read Full Documentation](https://setup.despia.com/native-features/storage-vault) + [Read Full Documentation](https://setup.despia.com/native-features/biometrics)
----
-### GPS Location
-```js
-// Set up the live update callback
-window.onLocationChange = (data) => {
-  if (!data.active) return;
-  console.log(data.latitude, data.longitude, data.horizontalAccuracy);
-};
-// Start tracking (buffer in seconds, movement threshold in centimetres)
-despia('location://?buffer=60&movement=100');
-// Stop tracking and retrieve the session
-const { locationSession } = await despia('stoplocation://', ['locationSession']);
-```
-**Server delivery**
-When `server` is set, each GPS point is POSTed to your endpoint as it is recorded. Server delivery, `window.onLocationChange`, and local session storage all run simultaneously and independently. Loss of network does not affect local storage or frontend callbacks.
-```js
-despia('location://?server=https://api.example.com/track?user=USER_ID&buffer=30&movement=100');
-```
-Each POST body matches the location object shape returned by `stoplocation://`.
-[Read Full Documentation](https://setup.despia.com/native-features/gps-location)
----
 ### RevenueCat In-App Purchases
-**Launch a paywall**
 ```js
+// Paywall
 despia(`revenuecat://launchPaywall?external_id=${userId}&offering=default`);
-```
-| Parameter     | Required | Description                                                        |
-| ------------- | -------- | ------------------------------------------------------------------ |
-| `external_id` | Yes      | Your user ID in RevenueCat                                         |
-| `offering`    | Yes      | RevenueCat offering ID. Use `"default"` for your default offering. |
-**Direct purchase without paywall UI**
-```js
-// iOS
+// Direct purchase
 despia(`revenuecat://purchase?external_id=${userId}&product=monthly_premium_ios`);
-// Android
-despia(`revenuecat://purchase?external_id=${userId}&product=premium:monthly_premium_android`);
 ```
-**Handle purchase success**
-The Despia runtime calls `window.onRevenueCatPurchase()` immediately when the store confirms a transaction. This is a global function, not an event listener — part of how the bridge is designed to stay lightweight and offload heavy operations to the native layer.
-This callback is a signal that a transaction occurred, not confirmation that access should be granted. If you have a backend, the callback fires before your server has received and processed the RevenueCat webhook. Always wait for your backend to confirm before unlocking features.
-If you have no backend, use `getpurchasehistory://` inside the callback to check entitlements directly from the store:
+`window.onRevenueCatPurchase()` fires when the store confirms a transaction. Verify entitlement before unlocking (via your backend webhook, or by reading the store directly):
 ```js
 window.onRevenueCatPurchase = async () => {
   const { restoredData } = await despia('getpurchasehistory://', ['restoredData']);
-  const active = (restoredData ?? []).filter(p => p.isActive);
-  if (active.some(p => p.entitlementId === 'premium')) unlockPremium();
-  if (active.some(p => p.entitlementId === 'no_ads'))  removeAds();
+  if (restoredData.some(p => p.isActive && p.entitlementId === 'premium')) unlockPremium();
 };
 ```
-**Restore purchases**
-```js
-const { restoredData } = await despia('getpurchasehistory://', ['restoredData']);
-const hasPremium = restoredData
-  .filter(p => p.isActive)
-  .some(p => p.entitlementId === 'premium');
-```
-Each purchase object includes `transactionId`, `productId`, `type`, `entitlementId`, `isActive`, `willRenew`, `purchaseDate`, `expirationDate`, `store`, `receipt`, and more. The response shape is normalized across iOS and Android.
-**Web fallback**
-Neither `launchPaywall` nor `purchase` work in a standard browser. Gate behind the environment check and fall back to a RevenueCat Web Purchase Link:
-```js
-if (isDespia) {
-  despia(`revenuecat://launchPaywall?external_id=${userId}&offering=default`);
-} else {
-  window.location.href = `https://pay.rev.cat/<your_token>/${encodeURIComponent(userId)}`;
-}
-```
+In the browser, fall back to a RevenueCat Web Purchase Link.
-[Read Full Documentation](https://setup.despia.com/native-features/revenuecat/introduction) + [API reference](https://setup.despia.com/native-features/revenuecat/reference)
+[Intro](https://setup.despia.com/native-features/revenuecat/introduction) · [Reference](https://setup.despia.com/native-features/revenuecat/reference)
 ---
-### AppsFlyer Attribution
-Attribution data is recorded at install time by the native AppsFlyer SDK, cached on-device, and injected into the web layer on every page load. No requests, no waiting. Currently available on iOS, with Android coming soon.
-AppsFlyer must be enabled in **Despia > App > Settings > Integrations > AppsFlyer** with your dev key configured.
-**Attribution variables (injected on every page load)**
-```js
-despia.appsFlyerAttribution // full attribution object (campaign, ad set, UTM params, etc.)
-despia.appsFlyerReferrer    // normalized source: "tiktok_ad", "facebook_organic", "organic", etc.
-despia.appsFlyerUID         // unique AppsFlyer user ID
-```
-**User identification (call after login)**
-```js
-despia('appsflyer://set_user_id?customer_user_id=' + encodeURIComponent(userId));
-despia('appsflyer://set_email?email=' + encodeURIComponent(email));
-despia('appsflyer://set_phone?phone=' + encodeURIComponent(phone)); // hashed with SHA256 automatically
-```
-**GDPR consent**
-```js
-// User accepted
-despia('appsflyer://set_consent?is_gdpr=true&has_consent=true');
-// User declined
-despia('appsflyer://set_consent?is_gdpr=true&has_consent=false');
-```
-**Log in-app events**
+### Push Notifications
-Standard `af_` prefixed events map automatically to Meta and TikTok conversion events. Custom events appear in AppsFlyer for funnel and retention analysis.
+Permission and OneSignal registration happen automatically at launch. Link the device to your user on every authenticated load:
 ```js
-// af_purchase maps to Meta Purchase and TikTok CompletePayment
-const purchase = { af_revenue: 9.99, af_currency: 'USD', af_content_id: 'pro_plan' };
-despia('appsflyer://log_event?event_name=af_purchase&event_values=' + encodeURIComponent(JSON.stringify(purchase)));
+despia(`setonesignalplayerid://?user_id=${userId}`);
-// af_complete_registration maps to Meta CompleteRegistration
-const reg = { af_registration_method: 'email' };
-despia('appsflyer://log_event?event_name=af_complete_registration&event_values=' + encodeURIComponent(JSON.stringify(reg)));
+// Check permission
+const { nativePushEnabled } = await despia('checkNativePushPermissions://', ['nativePushEnabled']);
+if (!nativePushEnabled) despia('settingsapp://');
-// Custom event (AppsFlyer only)
-const onboarding = { step: 1, name: 'select_interests' };
-despia('appsflyer://log_event?event_name=onboarding_step&event_values=' + encodeURIComponent(JSON.stringify(onboarding)));
+// Local scheduled notification
+despia('sendlocalpushmsg://push.send?s=60&msg=Hello&!#Title&!#https://myapp.com');
 ```
-`event_values` must always be `JSON.stringify()`ed and `encodeURIComponent()`ed. Event names are case-sensitive, lowercase alphanumeric and underscores only, max 300 unique names per day.
+Configure OneSignal with **Native iOS** and **Native Android** as platforms, then send remote pushes from your backend with the OneSignal REST API.
-[Read Full Documentation](https://setup.despia.com/analytics/appsflyer/introduction) + [Read Full Documentation](https://setup.despia.com/analytics/appsflyer/attribution)
+[Intro](https://setup.despia.com/native-features/onesignal/introduction) · [Reference](https://setup.despia.com/native-features/onesignal/reference)
 ---
-### Push Notifications
+### Identity Vault
-Despia requests push permission and registers the device with OneSignal automatically at app launch. Call `setonesignalplayerid://` on every authenticated load to link the device to your user.
+Encrypted key-value storage backed by iCloud KV (iOS) and Android App Backup. Values survive uninstall and sync across a user's own devices. Set `locked=true` to require Face ID, Touch ID, or fingerprint on read.
 ```js
-// Link device to your user (call on every authenticated app load)
-despia(`setonesignalplayerid://?user_id=${userId}`);
-// Send a local scheduled notification (fires after 60 seconds)
-despia('sendlocalpushmsg://push.send?s=60&msg=Hello&!#New Message&!#https://myapp.com');
+// Write
+await despia('setvault://?key=sessionToken&value=abc123&locked=true');
-// Check push permission status
-const result = await despia('checkNativePushPermissions://', ['nativePushEnabled']);
-if (!result.nativePushEnabled) {
-  // Direct user to settings to enable notifications
-  despia('settingsapp://');
-}
+// Read (prompts biometric if locked)
+const { sessionToken } = await despia('readvault://?key=sessionToken', ['sessionToken']);
 ```
-**Send to a specific user from your backend**
+`readvault://` throws if the key doesn't exist. Wrap in try/catch.
-```js
-await fetch('https://onesignal.com/api/v1/notifications', {
-  method: 'POST',
-  headers: {
-    'Content-Type':  'application/json',
-    'Authorization': 'Basic YOUR_REST_API_KEY',
-  },
-  body: JSON.stringify({
-    app_id: 'ONESIGNAL-APP-ID',
-    include_external_user_ids: [externalUserId],
-    headings: { en: title },
-    contents: { en: message },
-    data: { url: 'https://yourapp.com/messages/123' } // navigate WebView on tap
-  }),
-});
-```
-When configuring OneSignal, select **Native iOS** and **Native Android** as the platforms. See [Read Full Documentation](https://setup.despia.com/native-features/onesignal/introduction) + [API reference](https://setup.despia.com/native-features/onesignal/reference) for setup, critical alerts (including Time Sensitive / Do Not Disturb), schemes, backend delivery, and targeting.
+[Docs](https://setup.despia.com/native-features/storage-vault)
 ---
 ### OAuth Authentication
-The flow uses two Despia URL protocols. `oauth://` opens a secure browser session (ASWebAuthenticationSession on iOS, Chrome Custom Tabs on Android). The `{scheme}://oauth/` prefix on the return deeplink tells Despia to close that session and navigate your WebView to the path that follows.
-When running in Despia, use a native-specific redirect URI pointing to `/native-callback.html` rather than your regular web auth callback. This is a different redirect URI from your web flow. Register both with your OAuth provider.
+Opens a secure browser session (`ASWebAuthenticationSession` / Chrome Custom Tabs). A deeplink with the `oauth/` prefix closes the session and returns to your WebView.
 ```js
-const isDespia = navigator.userAgent.toLowerCase().includes('despia');
 const redirectUri = isDespia
   ? 'https://yourapp.com/native-callback.html'
   : 'https://yourapp.com/auth/callback';
-const oauthUrl = `https://provider.com/oauth/authorize?client_id=xxx&redirect_uri=${encodeURIComponent(redirectUri)}`;
+const authUrl = `https://provider.com/oauth/authorize?client_id=xxx&redirect_uri=${encodeURIComponent(redirectUri)}`;
 if (isDespia) {
-  // Step 1: open a secure native browser session
-  despia(`oauth://?url=${encodeURIComponent(oauthUrl)}`);
+  despia(`oauth://?url=${encodeURIComponent(authUrl)}`);
 } else {
-  // Regular web flow
-  window.location.href = oauthUrl;
+  window.location.href = authUrl;
 }
 ```
-`/native-callback.html` runs inside the secure browser session. It receives the tokens or authorization code from the provider, handles the exchange if needed, then fires the deeplink to close the session and return to the app:
-```js
-// Step 2: from inside the callback page, fire the deeplink to return to your app
-window.location.href = `{yourscheme}://oauth/auth?access_token=${token}`;
-```
-Despia intercepts the deeplink, closes the browser session, and navigates your WebView to `/auth?access_token=xxx`.
-Deeplink format: `{yourscheme}://oauth/{path}?params`
-Your deeplink scheme is your app name in lowercase with no spaces (e.g. `myapp://`), or a custom Despialink set in the Despia editor.
-| Deeplink                                     | Result                                                        |
-| -------------------------------------------- | ------------------------------------------------------------- |
-| `{yourscheme}://oauth/auth?access_token=xxx` | Browser closes, WebView navigates to `/auth?access_token=xxx` |
-| `{yourscheme}://oauth/home`                  | Browser closes, WebView navigates to `/home`                  |
-| `{yourscheme}://auth?access_token=xxx`       | Browser stays open, user is stuck                             |
-**Callback page**
-Use a plain HTML file at `public/native-callback.html` rather than a React or Vue route. React Router can strip the `#access_token` hash fragment during a route change, causing tokens to disappear before your callback logic runs. A plain HTML file bypasses the router entirely and reads the hash directly from the browser.
+In `public/native-callback.html` (plain HTML, not a framework route, so the hash isn't stripped on navigation):
 ```html
-<!-- public/native-callback.html -->
 <script>
-  var params      = new URLSearchParams(window.location.search);
-  var hash        = new URLSearchParams(window.location.hash.substring(1));
-  var code        = params.get('code');        // authorization code flow
-  var accessToken = hash.get('access_token');  // implicit flow
-  if (code) {
-    // exchange code via your backend, then fire deeplink with tokens
-  } else if (accessToken) {
-    window.location.href = '{yourscheme}://oauth/auth?access_token=' + encodeURIComponent(accessToken);
-  }
+  var hash  = new URLSearchParams(window.location.hash.substring(1));
+  var token = hash.get('access_token');
+  if (token) window.location.href = '{yourscheme}://oauth/auth?access_token=' + encodeURIComponent(token);
 </script>
 ```
-**Already-mounted `/auth` page**
+Deeplink format: `{yourscheme}://oauth/{path}?params`. Without the `oauth/` prefix the browser session stays open.
-When Despia navigates the WebView to `/auth`, if that route is already active your framework does not remount the component. Token-reading logic that only runs on mount will not fire again. Fix per framework:
-- React: include `searchParams` in your `useEffect` dependency array
-- Vue: use `watch: { '$route.query': { immediate: true, handler } }` instead of reading params in `mounted()`
-- Vanilla JS: call your handler on load and add `window.addEventListener('popstate', handler)`
-[Read Full Documentation](https://setup.despia.com/native-features/oauth/introduction)
+[Docs](https://setup.despia.com/native-features/oauth/introduction)
 ---
-### Clipboard
-```js
-const { clipboarddata } = await despia('getclipboard://', ['clipboarddata']);
-```
+### AppsFlyer Attribution
-[Read Full Documentation](https://setup.despia.com/native-features/clipboard)
+iOS today, Android soon. Enable in **Despia > App > Settings > Integrations > AppsFlyer** with your dev key.
----
+```js
+// Attribution available on every launch
+despia.appsFlyerAttribution
+despia.appsFlyerReferrer
+despia.appsFlyerUID
-### Contacts
+// After login
+despia('appsflyer://set_user_id?customer_user_id=' + encodeURIComponent(userId));
-```js
-const { contacts } = await despia('readcontacts://', ['contacts']);
+// Log an event (af_-prefixed events map to Meta and TikTok automatically)
+const values = { af_revenue: 9.99, af_currency: 'USD' };
+despia('appsflyer://log_event?event_name=af_purchase&event_values=' + encodeURIComponent(JSON.stringify(values)));
 ```
-[Read Full Documentation](https://setup.despia.com/native-features/contact-access)
+[Intro](https://setup.despia.com/analytics/appsflyer/introduction) · [Attribution](https://setup.despia.com/analytics/appsflyer/attribution)
 ---
-### App Information and Device Data
+### GPS Location
 ```js
-const { versionNumber, bundleNumber } = await despia('getappversion://', ['versionNumber', 'bundleNumber']);
-const { uuid }             = await despia('get-uuid://',              ['uuid']);
-const { storeLocation }    = await despia('getstorelocation://',      ['storeLocation']);
-const { trackingDisabled } = await despia('user-disable-tracking://', ['trackingDisabled']);
+window.onLocationChange = (data) => {
+  if (data.active) console.log(data.latitude, data.longitude);
+};
+// buffer in seconds, movement threshold in centimetres
+despia('location://?buffer=60&movement=100');
+const { locationSession } = await despia('stoplocation://', ['locationSession']);
 ```
-[Read Full Documentation](https://setup.despia.com/native-features/device-indexing) + [Read Full Documentation](https://setup.despia.com/native-features/store-location) + [Read Full Documentation](https://setup.despia.com/native-features/app-privacy)
+Add `&server=https://api.example.com/track` to POST each point as it's recorded.
+[Docs](https://setup.despia.com/native-features/gps-location)
 ---
-### UI Controls and Styling
+### Apple Health (HealthKit)
+iOS only. Gate behind `isDespiaIOS`. Permissions are requested on first call per identifier.
 ```js
-despia('spinneron://');                     // Show loading spinner
-despia('spinneroff://');                    // Hide loading spinner
-despia('hidebars://on');                    // Hide status bar (full screen)
-despia('hidebars://off');                   // Restore status bar
-despia('statusbarcolor://{255, 255, 255}'); // Set status bar background (RGB)
-despia('statusbartextcolor://{black}');     // Set status bar text color: black | white
-despia('settingsapp://');                   // Open native app settings
-despia('reset://');                         // Reset the app
+// Read
+const { healthkitResponse } = await despia(
+  'readhealthkit://HKQuantityTypeIdentifierStepCount?days=7',
+  ['healthkitResponse']
+);
+// Write
+despia('writehealthkit://HKQuantityTypeIdentifierBodyMass//74.5');
+// Observe and POST to your backend on change
+despia('healthkit://observe?types=HKQuantityTypeIdentifierStepCount&frequency=hourly&server=https://api.example.com/webhook');
 ```
-[Read Full Documentation](https://setup.despia.com/native-features/safe-areas) + [Read Full Documentation](https://setup.despia.com/native-features/app-settings)
+Any `HKQuantityTypeIdentifier`, `HKCategoryTypeIdentifier`, `HKWorkoutTypeIdentifier`, or `HKCharacteristicTypeIdentifier` works.
+[Docs](https://setup.despia.com/health-data/apple-health)
 ---
 ### File and Media Operations
-Despia automatically intercepts standard HTML file inputs and routes them to native UI. No Base64 blobs, no memory issues. File events are injected back into the standard HTML file input.
+Standard HTML file inputs route to native UI with events delivered back to the input:
 ```html
-<!-- Opens a native action sheet with camera, document scanner, and media library -->
-<input type="file">
-<!-- Opens native media gallery for images -->
-<input type="file" accept="image/*">
-<!-- Opens native media gallery for video -->
-<input type="file" accept="video/*">
-<!-- Opens native camera directly -->
-<input type="file" accept="image/*" capture="environment">
+<input type="file">                                       <!-- Action sheet -->
+<input type="file" accept="image/*">                      <!-- Image gallery -->
+<input type="file" accept="video/*">                      <!-- Video gallery -->
+<input type="file" accept="image/*" capture="environment"><!-- Camera -->
 ```
-Additional file and media commands:
 ```js
 despia('takescreenshot://');
 despia('savethisimage://?url=https://example.com/image.jpg');
 despia('file://https://example.com/document.pdf');
-despia('shareapp://message?=Check%20out%20this%20app&url=https://myapp.com');
-despia('scanningmode://auto'); // auto | on | off
-```
-[Read Full Documentation](https://setup.despia.com/native-features/file-sharing) + [Read Full Documentation](https://setup.despia.com/native-features/camera-roll)
----
-### Apple Health (HealthKit)
-iOS only. Always gate behind `isDespiaIOS`. Despia requests permissions on the first call for each identifier.
-```js
-// Read historical data
-const data  = await despia('readhealthkit://HKQuantityTypeIdentifierStepCount?days=7', ['healthkitResponse']);
-const steps = data.healthkitResponse.HKQuantityTypeIdentifierStepCount;
-// [{ date: "2025-11-17", value: 9820, unit: "count" }, ...]
-// Write a value back to HealthKit
-despia('writehealthkit://HKQuantityTypeIdentifierBodyMass//74.5');
-// Observe changes and POST to your server whenever HealthKit updates
-despia('healthkit://observe?types=HKQuantityTypeIdentifierStepCount&frequency=hourly&server=https://api.example.com/webhook?user=USER_ID');
+despia('shareapp://message?=Check%20this%20out&url=https://myapp.com');
 ```
-Pass any valid `HKQuantityTypeIdentifier`, `HKCategoryTypeIdentifier`, `HKWorkoutTypeIdentifier`, or `HKCharacteristicTypeIdentifier` directly. Sleep, workouts, heart rate, body mass, and all other HealthKit types are supported. [Read Full Documentation](https://setup.despia.com/health-data/apple-health).
+[File sharing](https://setup.despia.com/native-features/file-sharing) · [Camera roll](https://setup.despia.com/native-features/camera-roll)
 ---
 ### AdMob Inline Ads
-Despia implements Google's WebView API for Ads on both platforms, connecting the Mobile Ads SDK directly to the WebView so AdMob ads render as real DOM elements inside your web UI, not as native overlays. Enabled from **Despia > App > Settings > AdMob**. Requires a rebuild after enabling.
-Once enabled, serve ads using standard AdSense, Google Publisher Tag, or IMA for HTML5 tags. No Despia SDK calls needed on the web side.
-```html
-<!-- AdSense banner -->
-<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"
-    data-ad-client="ca-pub-XXXXXXXXXXXXXXXX"></script>
-<ins class="adsbygoogle"
-     style="display:block"
-     data-ad-client="ca-pub-XXXXXXXXXXXXXXXX"
-     data-ad-slot="YYYYYYYYYY"
-     data-ad-format="auto"
-     data-full-width-responsive="true"></ins>
-<script>(adsbygoogle = window.adsbygoogle || []).push({});</script>
-```
-Because ads are real DOM elements, placements that are impossible with native overlay ads — banners between feed cards, mid-article units, rewarded content gates, pre-roll video — are straightforward CSS and JavaScript.
+Ads render as real DOM elements via Google's WebView API for Ads. Enable in **Despia > App > Settings > AdMob**, then use standard AdSense, Google Publisher Tag, or IMA tags. No SDK calls from web.
-Google WebView API for Ads references: [iOS](https://developers.google.com/admob/ios/browser/webview/api-for-ads) | [Android](https://developers.google.com/admob/android/browser/webview/api-for-ads) | [Read Full Documentation](https://setup.despia.com/native-features/admob/inline-ads) + [Read Full Documentation](https://setup.despia.com/native-features/admob/rewarded-ads)
+[Inline ads](https://setup.despia.com/native-features/admob/inline-ads) · [Rewarded](https://setup.despia.com/native-features/admob/rewarded-ads)
 ---
 ### Web Payment Request API
-Despia polyfills support for the Web Payment Request API, enabling native Apple Pay on iOS and Google Pay on Android directly from your web UI. This is a known pain point with standard WebViews — Despia handles it by importing WebKit's Payment Request support on Android (`androidx.webkit:webkit:1.14.0` with `WebSettingsCompat.setPaymentRequestEnabled`) and the required Google Pay intent queries, and on iOS via WKWebView's built-in Apple Pay support.
+Apple Pay and Google Pay work through the standard Payment Request API with no Despia-specific calls.
 ```js
-// Standard Web Payment Request API — works in Despia without any native code changes
 const request = new PaymentRequest(
-  [{ supportedMethods: 'https://apple.com/apple-pay' }], // or Google Pay method
-  {
-    total: { label: 'Total', amount: { currency: 'USD', value: '9.99' } }
-  }
+  [{ supportedMethods: 'https://apple.com/apple-pay' }],
+  { total: { label: 'Total', amount: { currency: 'USD', value: '9.99' } } }
 );
-const result = await request.show();
-await result.complete('success');
+await (await request.show()).complete('success');
 ```
-Apple Pay on iOS and Google Pay on Android both work via the standard Web Payment Request API. No Despia-specific calls required. [Read Full Documentation](https://setup.despia.com/native-features/external-links) + [Google Pay in Android WebView](https://developers.google.com/pay/api/android/guides/recipes/using-android-webview)
+[Docs](https://setup.despia.com/native-features/external-links)
 ---
-### Web Storage APIs
+### Local Server
-Despia runs your app on a secure origin (`http://localhost` via Local Server, or your remote URL). This means all standard web storage APIs work without any restrictions or workarounds, unlike other hybrid frameworks that require hacks or fall back to `file://` origins:
+Caches the web build on-device and serves it from `http://localhost` for offline launch. Updates are detected and swapped atomically on the next launch.
+```bash
+npm install --save-dev @despia/local
+```
 ```js
-// localStorage works normally
-localStorage.setItem('userId', 'user123');
-const userId = localStorage.getItem('userId');
-// IndexedDB works normally
-const db = await indexedDB.open('myapp', 1);
-// Web Crypto works normally
-const key = await crypto.subtle.generateKey(
-  { name: 'AES-GCM', length: 256 },
-  true,
-  ['encrypt', 'decrypt']
-);
+// vite.config.js (also Webpack, Rollup, Nuxt, SvelteKit, Astro, Remix, esbuild)
+import { despiaLocalPlugin } from '@despia/local/vite';
+export default {
+  plugins: [despiaLocalPlugin({ outDir: 'dist', entryHtml: 'index.html' })],
+};
 ```
-For data that needs to survive uninstall and reinstall, or be locked behind Face ID, use [Identity Vault](#identity-vault) instead.
+Or run `npx despia-local dist` after any build. Deploy as normal.
-[Read Full Documentation](https://setup.despia.com/local-server/introduction) + [Read Full Documentation](https://setup.despia.com/native-features/simple-storage)
+[Intro](https://setup.despia.com/local-server/introduction) · [Reference](https://setup.despia.com/local-server/reference)
 ---
-### Local Server
-> **Built-in OTA updates. True offline support. Host with your existing web hosting. No proprietary infrastructure required.**
+### Local CDN
-No service workers. No workarounds. The Local Server downloads your complete web build to the device and serves it from a native on-device HTTP server at `http://localhost`. The app loads from device storage at native speed and works completely offline from the first launch after hydration.
+Cache remote files on-device for offline playback and background downloads. Transfers use `NSURLSession` / `WorkManager` and continue when the app is closed, with Live Activity (iOS) or system tray (Android) progress.
-When the user has a connection, Despia checks for updates in the background by comparing the `deployed_at` timestamp in your manifest. If a new build is available it downloads silently while the user continues using the app. The update applies on the next launch. If the connection is not stable, the locally cached version is served without interruption.
+```js
+// Called on download complete
+window.contentServerChange = (item) => {
+  // item.local_cdn, item.cdn, item.index, item.size, item.status, item.local_path
+};
-You host the manifest and assets on your own infrastructure — Netlify, Vercel, AWS, your own server, anywhere. No proprietary hosting, no per-MAU fees, no vendor lock-in on your delivery pipeline.
+// Start a download. Do NOT await with a watch key.
+despia(`localcdn://write?url=${remoteUrl}&filename=videos/clip.mp4&index=clip_1`);
-```bash
-npm install --save-dev @despia/local
+// Query cache
+const { cdnItems } = await despia('localcdn://query', ['cdnItems']);
 ```
-```js
-// vite.config.js (also available for Webpack, Rollup, Nuxt, SvelteKit, Astro, Remix, esbuild)
-import { defineConfig } from 'vite';
-import { despiaLocalPlugin } from '@despia/local/vite';
+Play cached media from the `local_cdn` URL. For uploads, POST to `http://${window.location.host}/api/upload` (Local Server only).
-export default defineConfig({
-  plugins: [
-    despiaLocalPlugin({
-      outDir: 'dist',
-      entryHtml: 'index.html'
-    })
-  ]
-});
-```
+[Intro](https://setup.despia.com/local-cdn/introduction) · [Reference](https://setup.despia.com/local-cdn/reference)
-Or run via CLI after any build:
+---
-```bash
-npx despia-local dist
-```
+### Web Storage APIs
-The plugin generates `despia/local.json` in your output directory alongside your assets. Deploy both to your existing web host. That is the entire setup.
+The app runs on a real origin, so `localStorage`, `IndexedDB`, and Web Crypto work normally. For data that must survive uninstall or be locked behind biometrics, use [Identity Vault](#identity-vault).
-```json
-{
-  "entry": "/index.html",
-  "deployed_at": "1737225600000",
-  "assets": [
-    "/index.html",
-    "/assets/app.abc123.css",
-    "/assets/app.def456.js"
-  ]
-}
+---
+### Haptic Feedback
+```js
+despia('lighthaptic://');   // Subtle
+despia('heavyhaptic://');   // Strong
+despia('successhaptic://'); // Success
+despia('warninghaptic://'); // Warning
+despia('errorhaptic://');   // Error
 ```
-[Read Full Documentation](https://setup.despia.com/local-server/introduction) + [API reference](https://setup.despia.com/local-server/reference)
+[Docs](https://setup.despia.com/native-features/haptic-feedback)
 ---
-### Local CDN
-Cache individual remote files on-device for offline playback and background downloads. Downloads use native OS transfer APIs (NSURLSession on iOS, WorkManager on Android) and continue when the app is closed, with automatic retry on network failure. On iOS a Live Activity shows real-time download progress. On Android a native notification appears in the system tray. Both require no setup.
+### UI Controls and Styling
 ```js
-// Called by the native runtime when a download completes.
-// This is a global function, not an event listener.
-window.contentServerChange = (item) => {
-  // item.local_cdn  - localhost URL to use for playback
-  // item.cdn        - original remote URL
-  // item.index      - the uniqueId you passed to the write call
-  // item.size       - file size in bytes
-  // item.status     - "cached" when complete
-  // item.local_path - absolute path on the device
-  console.log('Cached:', item.index, item.local_cdn);
-  addToDownloadsList(item);
-};
+despia('spinneron://');
+despia('spinneroff://');
+despia('hidebars://on');                     // Hide status bar
+despia('hidebars://off');
+despia('statusbarcolor://{255, 255, 255}');  // RGB
+despia('statusbartextcolor://{black}');      // black | white
+despia('settingsapp://');                    // Open native app settings
+despia('reset://');
+```
-// Fire and forget. Do not await with a watch key; large downloads take longer than the SDK's
-// 30-second variable-watch window. Use window.contentServerChange to receive the result instead.
-despia(
-  `localcdn://write?url=${remoteUrl}&filename=videos/clip.mp4&index=clip_1&push=true&pushmessage="Download complete"`
-);
+[Safe areas](https://setup.despia.com/native-features/safe-areas) · [App settings](https://setup.despia.com/native-features/app-settings)
-// Read cached items by ID
-const { cdnItems } = await despia(
-  `localcdn://read?index=${encodeURIComponent(JSON.stringify(['clip_1']))}`,
-  ['cdnItems']
-);
+---
+### App Information and Device Data
-// Or query everything in the cache
-const { cdnItems: all } = await despia('localcdn://query', ['cdnItems']);
+```js
+const { versionNumber, bundleNumber } = await despia('getappversion://', ['versionNumber', 'bundleNumber']);
+const { uuid }             = await despia('get-uuid://',              ['uuid']);
+const { storeLocation }    = await despia('getstorelocation://',      ['storeLocation']);
+const { trackingDisabled } = await despia('user-disable-tracking://', ['trackingDisabled']);
 ```
-Use the `local_cdn` URL for playback:
+[Device indexing](https://setup.despia.com/native-features/device-indexing) · [Store location](https://setup.despia.com/native-features/store-location) · [App privacy](https://setup.despia.com/native-features/app-privacy)
-```html
-<video src="http://localhost:7777/localcdn/videos/clip.mp4" controls></video>
-```
+---
-**HTTP upload API** (Local Server only)
+### Clipboard
 ```js
-const host = window.location.host; // Do not hardcode the port; it rotates per session
-const fd = new FormData();
-fd.append('file', fileInput.files[0]);
-const res  = await fetch(`http://${host}/api/upload`, { method: 'POST', body: fd });
-const data = await res.json();
-// { success: true, fileName: "video.mp4", url: "http://localhost:7777/files/video.mp4" }
+const { clipboarddata } = await despia('getclipboard://', ['clipboarddata']);
 ```
+[Docs](https://setup.despia.com/native-features/clipboard)
+---
-| Method             | Storage Path | URL Pattern                            |
-| ------------------ | ------------ | -------------------------------------- |
-| `localcdn://write` | `/localcdn/` | `localhost:{PORT}/localcdn/{filepath}` |
-| `/api/upload`      | `/files/`    | `localhost:{PORT}/files/{filename}`    |
+### Contacts
+```js
+const { contacts } = await despia('readcontacts://', ['contacts']);
+```
-[Read Full Documentation](https://setup.despia.com/local-cdn/introduction) + [API reference](https://setup.despia.com/local-cdn/reference)
+[Docs](https://setup.despia.com/native-features/contact-access)
 ---
 ## Capability Reference
-A full index of native capabilities built into Despia.
-**Core runtime:** Hardware-backed Identity Vault, Face ID / Touch ID / fingerprint biometrics, background GPS (including Samsung, Huawei, Xiaomi, and OnePlus), contacts, clipboard, haptics (5 types), native file system access, image saving, background audio, local push notifications, status bar controls, safe area CSS variables, device orientation per device class, prevent zoom, prevent sleep, fullscreen mode, splash screen, iOS Home Widgets, Siri Shortcuts, native share dialog, AirPrint, screen shield, PkPass for iOS and Android mobile wallets.
+**Core.** Identity Vault, Face ID / Touch ID / fingerprint, background GPS, contacts, clipboard, haptics, native file system, image saving, background audio, local push, status bar controls, safe area CSS variables, device orientation, zoom lock, sleep lock, fullscreen, splash screen, iOS Home Widgets, Siri Shortcuts, native share, AirPrint, screen shield, PkPass for mobile wallets.
-**Integrated SDK bridges:** RevenueCat (purchases, subscriptions, restore, paywalls), OneSignal (remote push with external user ID mapping), AppsFlyer (attribution, deep linking, event tracking), AdMob (advertising), HealthKit (all major health identifiers).
+**SDK bridges.** RevenueCat, OneSignal, AppsFlyer, AdMob, HealthKit.
-**Infrastructure:** ATT compliance, vendor ID tracking, device ID tracking via iCloud KV and Android App Backup, store location access, jailbreak detection with configurable blocking, App Clips, Share Extensions, and Home Widget management from the Despia editor.
+**Infrastructure.** ATT compliance, vendor ID, store location, jailbreak detection, App Clips, Share Extensions, Home Widget configuration.
-**Native web interception:** `<input type="file">` routes to a native action sheet. The `capture` attribute opens the native camera. `accept="image/*"` or `accept="video/*"` opens the native media gallery. Deeplinks and HTTPS deeplinks are handled natively.
+**Web interception.** `<input type="file">` routes to the native action sheet; `capture` opens the camera; `accept` filters to media gallery. Deeplinks and HTTPS deeplinks are handled natively.
 ---
 ## Safe Area
-Despia exposes top and bottom safe area insets as CSS custom properties set by the native runtime.
+Top and bottom safe area insets are exposed as CSS custom properties:
 ```css
-.header {
-  padding-top: var(--safe-area-top);
-}
-.footer {
-  padding-bottom: var(--safe-area-bottom);
-}
-.full-height {
-  height: calc(100vh - var(--safe-area-top) - var(--safe-area-bottom));
-}
+.header { padding-top: var(--safe-area-top); }
+.footer { padding-bottom: var(--safe-area-bottom); }
 ```
-Note: left and right safe area variables are not available.
+Left and right insets are not exposed.
-[Read Full Documentation](https://setup.despia.com/native-features/safe-areas)
+[Docs](https://setup.despia.com/native-features/safe-areas)
 ---
 ## Extending the Runtime
-A common concern when adopting any hybrid framework is lock-in: can you escape the custom protocol API later?
-The bridge pattern is consistent across both platforms and fully open. You can intercept any custom scheme in `WebViewController.swift` on iOS or `MainActivity.java` on Android, run native code, and write the result back to the WebView. The SDK resolves custom bridges identically to built-in capabilities. No special registration or plugin system required.
-**On the bridge architecture**
-The scheme bridge is simple by design and has been running in production since 2011. A command goes in as a plain string, the native layer acts on it, and the result is written back as a named window variable. No serialization, no abstraction layers. Input is sanitized on the native side.
-For file uploads, streaming, and binary data, Despia uses the on-device HTTP server at `http://localhost` rather than the scheme bridge. The two channels handle what each is suited for.
-A typed plugin system for community contributions and custom native development is in progress, alongside the open source Extension system planned for mid/late 2026.
-**iOS: WebViewController.swift**
+Intercept any custom scheme in `WebViewController.swift` (iOS) or `MainActivity.java` (Android), run native code, write the result back as a window variable. The SDK resolves it the same way as built-in schemes.
 ```swift
+// iOS
 if requestURL.absoluteString.hasPrefix("mycustom://") {
-    let result = runMyNativeCode()
-    webView.evaluateJavaScript("window.myResult = '\(result)';")
+    webView.evaluateJavaScript("window.myResult = '\(runMyNativeCode())';")
     decisionHandler(.cancel)
     return
 }
 ```
-**Android: MainActivity.java**
 ```java
+// Android
 if (url.startsWith("mycustom://")) {
-    String result = runMyNativeCode();
-    webView.evaluateJavascript("window.myResult = '" + result + "';", null);
+    webView.evaluateJavascript("window.myResult = '" + runMyNativeCode() + "';", null);
     return true;
 }
 ```
-**Call it from your web app**
 ```js
-import despia from 'despia-native';
-const data = await despia('mycustom://', ['myResult']);
-console.log(data.myResult);
+// Web
+const { myResult } = await despia('mycustom://', ['myResult']);
 ```
-Adding custom native code requires exporting the project and deploying outside of Despia's hosted CI/CD pipeline. Despia offers full Xcode and Android Studio project export for developers who need it. You own the code and can build and ship entirely independently at any point.
+Full Xcode and Android Studio project export is available for custom native code.
-Each lifetime Despia license applies to one specific Despia project bound to one bundle ID, and grants export, editing, self-hosting, and custom CI/CD rights for that project only. Associated repositories must remain private. Reuse beyond that scope requires separate licensing or white-label terms.
+---
-Projects and their licensing rights can be transferred between Despia accounts. Contact [license@despia.com](mailto:license@despia.com) for transfers or licensing questions, and [whitelabel@despia.com](mailto:whitelabel@despia.com) for white-label use cases.
+## Web Native vs React Native
-> **Coming mid/late 2026:** An official open source Despia Extension system is currently in active development. It will allow developers to build and distribute custom native capabilities that work directly within the Despia editor, with no Xcode or Android Studio required.
+This SDK is for web-native apps (React, Vue, Angular, Svelte, Next.js, Vite, Nuxt, vanilla JS) running inside the Despia runtime. It is not for React Native, Expo, or native mobile development.
 ---
-## Web Apps vs React Native
+## Publishing
-This SDK is for web apps running inside the Despia runtime: React, Vue, Angular, Svelte, Next.js, Vite, Nuxt, and vanilla JavaScript.
+iOS and Android store deployment runs from the web editor. Cloud Mac Mini infrastructure handles code signing, provisioning, and submission.
-It is not for React Native, Expo, or native mobile development.
+[iOS](https://setup.despia.com/deployment/apple-ios/automatic) · [Android](https://setup.despia.com/deployment/google-android/automatic)
 ---
-## Publishing to the App Store and Google Play
+## MCP Server
-Despia provides fully automated iOS and Android store deployment from the web editor. No Mac required. One-click deployment spins up Mac Mini build infrastructure in the cloud, handles code signing, provisioning, and submits to both the App Store and Google Play — entirely from a browser.
+Point your AI assistant at the Despia MCP for the full `despia-native` API.
-[Read Full Documentation](https://setup.despia.com/deployment/apple-ios/automatic) + [Read Full Documentation](https://setup.despia.com/deployment/google-android/automatic)
+[![Install in Cursor](https://cursor.com/deeplink/mcp-install-dark.svg)](https://despia.com/mcp/cursor)
+[![Install in VS Code](https://img.shields.io/badge/Install_in_VS_Code-007ACC?logo=visualstudiocode&logoColor=white)](https://despia.com/mcp/vs-code)
----
+For web builders (Lovable, Bolt, v0), paste: `https://setup.despia.com/mcp`.
-## Open Source
+[Setup guide](https://setup.despia.com/mcp-server)
+---
-| Package                                                                    | Description           | License |
-| -------------------------------------------------------------------------- | --------------------- | ------- |
-| [despia-native](https://www.npmjs.com/package/despia-native)               | JavaScript SDK        | MIT     |
-| [@despia/local](https://www.npmjs.com/package/@despia/local)               | Offline asset bundler | MIT     |
-| [despia-version-guard](https://www.npmjs.com/package/despia-version-guard) | OTA version gating    | MIT     |
+## How It Works
+The SDK is a thin wrapper over a setter-based protocol bridge. Calling `despia()` assigns the scheme string to `window.despia`, which the native layer intercepts:
-Native capability implementations are written in Swift and Java and included in full on project export.
+```js
+// When you call:
+despia('lighthaptic://');
----
+// the SDK does:
+window.despia = 'lighthaptic://';
+```
-## Support
+iOS intercepts the assignment in `WebViewController.swift`; Android intercepts it in `MainActivity.java`. Results come back as named window variables, which the SDK resolves as a promise via the optional `watch` array. For long-running work (downloads, purchases, biometric prompts), the native layer calls back via global functions like `window.onRevenueCatPurchase` or `window.contentServerChange` instead.
-For questions or concerns regarding this package, contact the Despia team at [npm@despia.com](mailto:npm@despia.com).
+No dependencies, no initialization, no lifecycle to manage.
 ---
-## License
+## Support
-MIT
+[npm@despia.com](mailto:npm@despia.com)