kentucky-signer-viem 0.1.0 → 0.1.3

package/dist/react/index.mjs

@@ -5,7 +5,8 @@ import {
   useState,
   useCallback,
   useEffect,
-  useMemo
+  useMemo,
+  useRef
 } from "react";
 
 // src/client.ts
@@ -20,7 +21,7 @@ var KentuckySignerError = class extends Error {
 var KentuckySignerClient = class {
   constructor(options) {
     this.baseUrl = options.baseUrl.replace(/\/$/, "");
-    this.fetchImpl = options.fetch ?? globalThis.fetch;
+    this.fetchImpl = options.fetch ?? globalThis.fetch.bind(globalThis);
     this.timeout = options.timeout ?? 3e4;
   }
   /**
@@ -75,9 +76,831 @@ var KentuckySignerClient = class {
    *
    * @param accountId - Account ID to authenticate
    * @param credential - WebAuthn credential from navigator.credentials.get()
+   * @param ephemeralPublicKey - Optional ephemeral public key for secure mode binding
    * @returns Authentication response with JWT token
    */
+  async authenticatePasskey(accountId, credential, ephemeralPublicKey) {
+    const body = {
+      account_id: accountId,
+      credential_id: credential.credentialId,
+      client_data_json: credential.clientDataJSON,
+      authenticator_data: credential.authenticatorData,
+      signature: credential.signature,
+      user_handle: credential.userHandle
+    };
+    if (ephemeralPublicKey) {
+      body.ephemeral_public_key = ephemeralPublicKey;
+    }
+    return this.request("/api/auth/passkey", {
+      method: "POST",
+      body: JSON.stringify(body)
+    });
+  }
+  /**
+   * Refresh an authentication token
+   *
+   * @param token - Current JWT token
+   * @returns New authentication response with fresh token
+   */
+  async refreshToken(token) {
+    return this.request("/api/auth/refresh", {
+      method: "POST",
+      token
+    });
+  }
+  /**
+   * Logout and invalidate token
+   *
+   * @param token - JWT token to invalidate
+   */
+  async logout(token) {
+    await this.request("/api/auth/logout", {
+      method: "POST",
+      token
+    });
+  }
+  /**
+   * Get account information
+   *
+   * @param accountId - Account ID
+   * @param token - JWT token
+   * @returns Account info with addresses and passkeys
+   */
+  async getAccountInfo(accountId, token) {
+    return this.request(`/api/accounts/${accountId}`, {
+      method: "GET",
+      token
+    });
+  }
+  /**
+   * Check if an account exists
+   *
+   * @param accountId - Account ID
+   * @param token - JWT token
+   * @returns True if account exists
+   */
+  async accountExists(accountId, token) {
+    try {
+      await this.request(`/api/accounts/${accountId}`, {
+        method: "HEAD",
+        token
+      });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Sign an EVM transaction hash
+   *
+   * @param request - Sign request with tx_hash and chain_id
+   * @param token - JWT token
+   * @returns Signature response with r, s, v components
+   */
+  async signEvmTransaction(request, token) {
+    return this.request("/api/sign/evm", {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Sign a raw hash for EVM
+   *
+   * Convenience method that wraps signEvmTransaction.
+   *
+   * @param hash - 32-byte hash to sign (hex encoded with 0x prefix)
+   * @param chainId - Chain ID
+   * @param token - JWT token
+   * @returns Full signature (hex encoded with 0x prefix)
+   */
+  async signHash(hash, chainId, token) {
+    const response = await this.signEvmTransaction(
+      { tx_hash: hash, chain_id: chainId },
+      token
+    );
+    return response.signature.full;
+  }
+  /**
+   * Create a new account with passkey authentication
+   *
+   * @param attestationObject - Base64url encoded attestation object from WebAuthn
+   * @param label - Optional label for the passkey (defaults to "Owner Passkey")
+   * @returns Account creation response with account ID and addresses
+   */
+  async createAccountWithPasskey(attestationObject, label) {
+    const body = {
+      attestation_object: attestationObject
+    };
+    if (label) {
+      body.label = label;
+    }
+    return this.request("/api/accounts/create/passkey", {
+      method: "POST",
+      body: JSON.stringify(body)
+    });
+  }
+  /**
+   * Create a new account with password authentication
+   *
+   * @param request - Password and confirmation
+   * @returns Account creation response with account ID and addresses
+   */
+  async createAccountWithPassword(request) {
+    return this.request("/api/accounts/create/password", {
+      method: "POST",
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Authenticate with password
+   *
+   * @param request - Account ID and password
+   * @returns Authentication response with JWT token
+   */
+  async authenticatePassword(request) {
+    return this.request("/api/auth/password", {
+      method: "POST",
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Add password authentication to an existing account
+   *
+   * Enables password-based authentication for an account that was created
+   * with passkey-only authentication.
+   *
+   * @param accountId - Account ID
+   * @param request - Password and confirmation
+   * @param token - JWT token
+   * @returns Success response
+   */
+  async addPassword(accountId, request, token) {
+    return this.request(`/api/accounts/${accountId}/password`, {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Get extended account information including auth config
+   *
+   * @param accountId - Account ID
+   * @param token - JWT token
+   * @returns Extended account info with auth config and passkey count
+   */
+  async getAccountInfoExtended(accountId, token) {
+    return this.request(`/api/accounts/${accountId}`, {
+      method: "GET",
+      token
+    });
+  }
+  /**
+   * Add a recovery passkey to an existing account
+   *
+   * @param accountId - Account ID
+   * @param request - Passkey data (COSE public key, credential ID, algorithm, label)
+   * @param token - JWT token
+   * @returns Success response with label
+   */
+  async addPasskey(accountId, request, token) {
+    return this.request(`/api/accounts/${accountId}/passkeys`, {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Remove a passkey from an account
+   *
+   * Note: Cannot remove the owner passkey (index 0)
+   *
+   * @param accountId - Account ID
+   * @param passkeyIndex - Index of passkey to remove (1-3 for recovery passkeys)
+   * @param token - JWT token
+   * @returns Success response
+   */
+  async removePasskey(accountId, passkeyIndex, token) {
+    return this.request(`/api/accounts/${accountId}/passkeys/${passkeyIndex}`, {
+      method: "DELETE",
+      token
+    });
+  }
+  /**
+   * Health check
+   *
+   * @returns True if the API is healthy
+   */
+  async healthCheck() {
+    try {
+      const response = await this.request("/api/health", {
+        method: "GET"
+      });
+      return response.status === "ok";
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get API version
+   *
+   * @returns Version string
+   */
+  async getVersion() {
+    const response = await this.request("/api/version", {
+      method: "GET"
+    });
+    return response.version;
+  }
+  // ============================================================================
+  // Guardian Management
+  // ============================================================================
+  /**
+   * Add a guardian passkey to an account
+   *
+   * Guardians can participate in account recovery but cannot access the wallet.
+   * An account can have up to 3 guardians (indices 1-3).
+   *
+   * @param request - Guardian data (attestation object and optional label)
+   * @param token - JWT token
+   * @returns Success response with guardian index and count
+   */
+  async addGuardian(request, token) {
+    return this.request("/api/guardians/add", {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Remove a guardian passkey from an account
+   *
+   * Cannot remove guardians during an active recovery.
+   *
+   * @param guardianIndex - Index of guardian to remove (1-3)
+   * @param token - JWT token
+   * @returns Success response with remaining guardian count
+   */
+  async removeGuardian(guardianIndex, token) {
+    return this.request("/api/guardians/remove", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ guardian_index: guardianIndex })
+    });
+  }
+  /**
+   * Get guardians for an account
+   *
+   * @param token - JWT token
+   * @returns Guardian list with indices and labels
+   */
+  async getGuardians(token) {
+    return this.request("/api/guardians", {
+      method: "GET",
+      token
+    });
+  }
+  // ============================================================================
+  // Account Recovery
+  // ============================================================================
+  /**
+   * Initiate account recovery
+   *
+   * Call this when you've lost access to your account. You'll need to register
+   * a new passkey which will become the new owner passkey after recovery completes.
+   *
+   * @param accountId - Account ID to recover
+   * @param attestationObject - WebAuthn attestation object for new owner passkey
+   * @param label - Optional label for new owner passkey
+   * @returns Challenges for guardians to sign, threshold, and timelock info
+   */
+  async initiateRecovery(accountId, attestationObject, label) {
+    const body = {
+      account_id: accountId,
+      attestation_object: attestationObject
+    };
+    if (label) {
+      body.label = label;
+    }
+    return this.request("/api/recovery/initiate", {
+      method: "POST",
+      body: JSON.stringify(body)
+    });
+  }
+  /**
+   * Submit a guardian signature for recovery
+   *
+   * Each guardian must sign their challenge using their passkey.
+   *
+   * @param request - Guardian signature data
+   * @returns Current verification status
+   */
+  async verifyGuardian(request) {
+    return this.request("/api/recovery/verify", {
+      method: "POST",
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Get recovery status for an account
+   *
+   * @param accountId - Account ID to check
+   * @returns Recovery status including verification count and timelock
+   */
+  async getRecoveryStatus(accountId) {
+    return this.request("/api/recovery/status", {
+      method: "POST",
+      body: JSON.stringify({ account_id: accountId })
+    });
+  }
+  /**
+   * Complete account recovery
+   *
+   * Call this after enough guardians have verified and the timelock has expired.
+   * The new owner passkey will replace the old one.
+   *
+   * @param accountId - Account ID to complete recovery for
+   * @returns Success message
+   */
+  async completeRecovery(accountId) {
+    return this.request("/api/recovery/complete", {
+      method: "POST",
+      body: JSON.stringify({ account_id: accountId })
+    });
+  }
+  /**
+   * Cancel a pending recovery
+   *
+   * Only the current owner (with valid auth) can cancel a recovery.
+   * Use this if you regain access and want to stop an unauthorized recovery.
+   *
+   * @param token - JWT token (must be authenticated as owner)
+   * @returns Success message
+   */
+  async cancelRecovery(token) {
+    return this.request("/api/recovery/cancel", {
+      method: "POST",
+      token
+    });
+  }
+  // ============================================================================
+  // Two-Factor Authentication (2FA)
+  // ============================================================================
+  /**
+   * Get 2FA status for the authenticated account
+   *
+   * @param token - JWT token
+   * @returns 2FA status including TOTP and PIN enablement
+   */
+  async get2FAStatus(token) {
+    return this.request("/api/2fa/status", {
+      method: "GET",
+      token
+    });
+  }
+  /**
+   * Setup TOTP for the account
+   *
+   * Returns an otpauth:// URI for QR code generation and a base32 secret
+   * for manual entry. After setup, call enableTOTP with a valid code to
+   * complete the setup.
+   *
+   * @param token - JWT token
+   * @returns TOTP setup response with URI and secret
+   */
+  async setupTOTP(token) {
+    return this.request("/api/2fa/totp/setup", {
+      method: "POST",
+      token
+    });
+  }
+  /**
+   * Verify and enable TOTP for the account
+   *
+   * Call this after setupTOTP with a valid code from the authenticator app.
+   *
+   * @param code - 6-digit TOTP code from authenticator app
+   * @param token - JWT token
+   * @returns Success response
+   */
+  async enableTOTP(code, token) {
+    return this.request("/api/2fa/totp/enable", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ code })
+    });
+  }
+  /**
+   * Disable TOTP for the account
+   *
+   * Requires a valid TOTP code for confirmation.
+   *
+   * @param code - Current 6-digit TOTP code
+   * @param token - JWT token
+   * @returns Success response
+   */
+  async disableTOTP(code, token) {
+    return this.request("/api/2fa/totp/disable", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ code })
+    });
+  }
+  /**
+   * Verify a TOTP code
+   *
+   * Use this to verify a TOTP code without performing any other operation.
+   *
+   * @param code - 6-digit TOTP code
+   * @param token - JWT token
+   * @returns Verification result
+   */
+  async verifyTOTP(code, token) {
+    return this.request("/api/2fa/totp/verify", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ code })
+    });
+  }
+  /**
+   * Setup PIN for the account
+   *
+   * Sets a 4-digit or 6-digit PIN. If a PIN is already set, this replaces it.
+   *
+   * @param pin - 4 or 6 digit PIN
+   * @param token - JWT token
+   * @returns Success response with PIN length
+   */
+  async setupPIN(pin, token) {
+    return this.request("/api/2fa/pin/setup", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ pin })
+    });
+  }
+  /**
+   * Disable PIN for the account
+   *
+   * Requires the current PIN for confirmation.
+   *
+   * @param pin - Current PIN
+   * @param token - JWT token
+   * @returns Success response
+   */
+  async disablePIN(pin, token) {
+    return this.request("/api/2fa/pin/disable", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ pin })
+    });
+  }
+  /**
+   * Verify a PIN
+   *
+   * Use this to verify a PIN without performing any other operation.
+   *
+   * @param pin - PIN to verify
+   * @param token - JWT token
+   * @returns Verification result
+   */
+  async verifyPIN(pin, token) {
+    return this.request("/api/2fa/pin/verify", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ pin })
+    });
+  }
+  /**
+   * Sign an EVM transaction with 2FA
+   *
+   * Use this method when 2FA is enabled. If 2FA is not enabled,
+   * you can use the regular signEvmTransaction method instead.
+   *
+   * @param request - Sign request including tx_hash, chain_id, and optional 2FA codes
+   * @param token - JWT token
+   * @returns Signature response with r, s, v components
+   */
+  async signEvmTransactionWith2FA(request, token) {
+    return this.request("/api/sign/evm", {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
+};
+
+// src/utils.ts
+function base64UrlEncode(data) {
+  let base64;
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(data).toString("base64");
+  } else {
+    const binary = Array.from(data).map((byte) => String.fromCharCode(byte)).join("");
+    base64 = btoa(binary);
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlDecode(str) {
+  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = (4 - base64.length % 4) % 4;
+  base64 += "=".repeat(padding);
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  } else {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+}
+
+// src/ephemeral.ts
+function isWebCryptoAvailable() {
+  return typeof crypto !== "undefined" && typeof crypto.subtle !== "undefined" && typeof crypto.getRandomValues !== "undefined";
+}
+async function generateEphemeralKeyPair() {
+  if (!isWebCryptoAvailable()) {
+    throw new Error("WebCrypto is not available in this environment");
+  }
+  const keyPair = await crypto.subtle.generateKey(
+    {
+      name: "ECDSA",
+      namedCurve: "P-256"
+    },
+    true,
+    // extractable (only for public key export)
+    ["sign", "verify"]
+  );
+  const publicKeyBuffer = await crypto.subtle.exportKey("spki", keyPair.publicKey);
+  const publicKeyBase64 = base64UrlEncode(new Uint8Array(publicKeyBuffer));
+  return {
+    publicKey: publicKeyBase64,
+    privateKey: keyPair.privateKey,
+    algorithm: "ES256",
+    createdAt: Date.now()
+  };
+}
+async function signPayload(payload, keyPair) {
+  const payloadString = typeof payload === "string" ? payload : JSON.stringify(payload);
+  const timestamp = Date.now();
+  const message = `${timestamp}.${payloadString}`;
+  const messageBytes = new TextEncoder().encode(message);
+  const signatureBuffer = await crypto.subtle.sign(
+    {
+      name: "ECDSA",
+      hash: "SHA-256"
+    },
+    keyPair.privateKey,
+    messageBytes
+  );
+  const signatureBase64 = base64UrlEncode(new Uint8Array(signatureBuffer));
+  return {
+    payload: payloadString,
+    signature: signatureBase64,
+    timestamp
+  };
+}
+var EPHEMERAL_KEY_STORAGE_KEY = "kentucky_signer_ephemeral";
+var MemoryEphemeralKeyStorage = class {
+  constructor() {
+    this.keyPair = null;
+  }
+  async save(keyPair) {
+    this.keyPair = keyPair;
+  }
+  async load() {
+    return this.keyPair;
+  }
+  async clear() {
+    this.keyPair = null;
+  }
+};
+var IndexedDBEphemeralKeyStorage = class {
+  constructor() {
+    this.dbName = "kentucky_signer_ephemeral_keys";
+    this.storeName = "keys";
+  }
+  async getDB() {
+    return new Promise((resolve, reject) => {
+      const request = indexedDB.open(this.dbName, 1);
+      request.onerror = () => reject(request.error);
+      request.onsuccess = () => resolve(request.result);
+      request.onupgradeneeded = () => {
+        const db = request.result;
+        if (!db.objectStoreNames.contains(this.storeName)) {
+          db.createObjectStore(this.storeName);
+        }
+      };
+    });
+  }
+  async save(keyPair) {
+    const db = await this.getDB();
+    return new Promise((resolve, reject) => {
+      const tx = db.transaction(this.storeName, "readwrite");
+      const store = tx.objectStore(this.storeName);
+      const data = {
+        publicKey: keyPair.publicKey,
+        privateKey: keyPair.privateKey,
+        algorithm: keyPair.algorithm,
+        createdAt: keyPair.createdAt
+      };
+      const request = store.put(data, EPHEMERAL_KEY_STORAGE_KEY);
+      request.onerror = () => reject(request.error);
+      request.onsuccess = () => resolve();
+    });
+  }
+  async load() {
+    const db = await this.getDB();
+    return new Promise((resolve, reject) => {
+      const tx = db.transaction(this.storeName, "readonly");
+      const store = tx.objectStore(this.storeName);
+      const request = store.get(EPHEMERAL_KEY_STORAGE_KEY);
+      request.onerror = () => reject(request.error);
+      request.onsuccess = () => {
+        if (request.result) {
+          resolve({
+            publicKey: request.result.publicKey,
+            privateKey: request.result.privateKey,
+            algorithm: request.result.algorithm,
+            createdAt: request.result.createdAt
+          });
+        } else {
+          resolve(null);
+        }
+      };
+    });
+  }
+  async clear() {
+    const db = await this.getDB();
+    return new Promise((resolve, reject) => {
+      const tx = db.transaction(this.storeName, "readwrite");
+      const store = tx.objectStore(this.storeName);
+      const request = store.delete(EPHEMERAL_KEY_STORAGE_KEY);
+      request.onerror = () => reject(request.error);
+      request.onsuccess = () => resolve();
+    });
+  }
+};
+var EphemeralKeyManager = class {
+  constructor(storage) {
+    this.keyPair = null;
+    this.storage = storage ?? new MemoryEphemeralKeyStorage();
+  }
+  /**
+   * Get or generate ephemeral key pair
+   */
+  async getKeyPair() {
+    if (!this.keyPair) {
+      this.keyPair = await this.storage.load();
+    }
+    if (!this.keyPair) {
+      this.keyPair = await generateEphemeralKeyPair();
+      await this.storage.save(this.keyPair);
+    }
+    return this.keyPair;
+  }
+  /**
+   * Get the public key for authentication
+   */
+  async getPublicKey() {
+    const keyPair = await this.getKeyPair();
+    return keyPair.publicKey;
+  }
+  /**
+   * Sign a request payload
+   */
+  async signPayload(payload) {
+    const keyPair = await this.getKeyPair();
+    return signPayload(payload, keyPair);
+  }
+  /**
+   * Rotate the key pair (generate new keys)
+   */
+  async rotate() {
+    await this.storage.clear();
+    this.keyPair = await generateEphemeralKeyPair();
+    await this.storage.save(this.keyPair);
+    return this.keyPair;
+  }
+  /**
+   * Clear the key pair (logout)
+   */
+  async clear() {
+    await this.storage.clear();
+    this.keyPair = null;
+  }
+  /**
+   * Check if a key pair exists
+   */
+  async hasKeyPair() {
+    if (this.keyPair) return true;
+    const loaded = await this.storage.load();
+    return loaded !== null;
+  }
+  /**
+   * Migrate key pair to a new storage backend
+   *
+   * This preserves the existing key pair while switching storage.
+   * The key is saved to the new storage and removed from the old storage.
+   *
+   * @param newStorage - The new storage backend to migrate to
+   */
+  async migrateStorage(newStorage) {
+    const currentKeyPair = this.keyPair ?? await this.storage.load();
+    await this.storage.clear();
+    this.storage = newStorage;
+    if (currentKeyPair) {
+      await this.storage.save(currentKeyPair);
+      this.keyPair = currentKeyPair;
+    }
+  }
+  /**
+   * Get the current storage backend
+   */
+  getStorage() {
+    return this.storage;
+  }
+};
+
+// src/secure-client.ts
+var SecureKentuckySignerClient = class {
+  constructor(options) {
+    this.baseUrl = options.baseUrl.replace(/\/$/, "");
+    this.fetchImpl = options.fetch ?? globalThis.fetch.bind(globalThis);
+    this.timeout = options.timeout ?? 3e4;
+    this.keyManager = options.ephemeralKeyManager ?? new EphemeralKeyManager(
+      options.ephemeralKeyStorage ?? new MemoryEphemeralKeyStorage()
+    );
+    this.requireSigning = options.requireEphemeralSigning ?? true;
+  }
+  /**
+   * Get the ephemeral key manager for advanced usage
+   */
+  getKeyManager() {
+    return this.keyManager;
+  }
+  /**
+   * Make a signed request to the API
+   */
+  async request(path, options = {}) {
+    const { token, skipSigning, ...fetchOptions } = options;
+    const headers = {
+      "Content-Type": "application/json",
+      ...options.headers
+    };
+    if (token) {
+      ;
+      headers["Authorization"] = `Bearer ${token}`;
+    }
+    let body = options.body;
+    if (token && !skipSigning && this.requireSigning && body) {
+      const signedPayload = await this.keyManager.signPayload(body);
+      headers["X-Ephemeral-Signature"] = signedPayload.signature;
+      headers["X-Ephemeral-Timestamp"] = signedPayload.timestamp.toString();
+    }
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+    try {
+      const response = await this.fetchImpl(`${this.baseUrl}${path}`, {
+        ...fetchOptions,
+        headers,
+        body,
+        signal: controller.signal
+      });
+      const data = await response.json();
+      if (!response.ok || data.success === false) {
+        const error = data;
+        throw new KentuckySignerError(
+          error.error?.message ?? "Unknown error",
+          error.error?.code ?? "UNKNOWN_ERROR",
+          error.error?.details
+        );
+      }
+      return data;
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  }
+  /**
+   * Get a challenge for passkey authentication
+   */
+  async getChallenge(accountId) {
+    return this.request("/api/auth/challenge", {
+      method: "POST",
+      body: JSON.stringify({ account_id: accountId }),
+      skipSigning: true
+      // No token yet
+    });
+  }
+  /**
+   * Authenticate with a passkey credential
+   *
+   * Automatically sends the ephemeral public key for binding.
+   */
   async authenticatePasskey(accountId, credential) {
+    const ephemeralPublicKey = await this.keyManager.getPublicKey();
     return this.request("/api/auth/passkey", {
       method: "POST",
       body: JSON.stringify({
@@ -86,70 +909,86 @@ var KentuckySignerClient = class {
         client_data_json: credential.clientDataJSON,
         authenticator_data: credential.authenticatorData,
         signature: credential.signature,
-        user_handle: credential.userHandle
-      })
+        user_handle: credential.userHandle,
+        ephemeral_public_key: ephemeralPublicKey
+      }),
+      skipSigning: true
+      // No token yet
+    });
+  }
+  /**
+   * Authenticate with password
+   *
+   * Automatically sends the ephemeral public key for binding.
+   */
+  async authenticatePassword(request) {
+    const ephemeralPublicKey = await this.keyManager.getPublicKey();
+    return this.request("/api/auth/password", {
+      method: "POST",
+      body: JSON.stringify({
+        ...request,
+        ephemeral_public_key: ephemeralPublicKey
+      }),
+      skipSigning: true
+      // No token yet
     });
   }
   /**
    * Refresh an authentication token
    *
-   * @param token - Current JWT token
-   * @returns New authentication response with fresh token
+   * Generates a new ephemeral key pair and binds it to the new token.
    */
   async refreshToken(token) {
+    await this.keyManager.rotate();
+    const ephemeralPublicKey = await this.keyManager.getPublicKey();
     return this.request("/api/auth/refresh", {
       method: "POST",
-      token
+      token,
+      body: JSON.stringify({
+        ephemeral_public_key: ephemeralPublicKey
+      }),
+      skipSigning: true
+      // Use old token, but send new key
     });
   }
   /**
    * Logout and invalidate token
    *
-   * @param token - JWT token to invalidate
+   * Clears the ephemeral key pair.
    */
   async logout(token) {
     await this.request("/api/auth/logout", {
       method: "POST",
-      token
+      token,
+      skipSigning: true
     });
+    await this.keyManager.clear();
   }
   /**
-   * Get account information
-   *
-   * @param accountId - Account ID
-   * @param token - JWT token
-   * @returns Account info with addresses and passkeys
+   * Get account information (signed request)
    */
   async getAccountInfo(accountId, token) {
     return this.request(`/api/accounts/${accountId}`, {
       method: "GET",
-      token
+      token,
+      skipSigning: true
     });
   }
   /**
-   * Check if an account exists
-   *
-   * @param accountId - Account ID
-   * @param token - JWT token
-   * @returns True if account exists
+   * Get extended account information (signed request)
    */
-  async accountExists(accountId, token) {
-    try {
-      await this.request(`/api/accounts/${accountId}`, {
-        method: "HEAD",
-        token
-      });
-      return true;
-    } catch {
-      return false;
-    }
+  async getAccountInfoExtended(accountId, token) {
+    return this.request(
+      `/api/accounts/${accountId}`,
+      {
+        method: "GET",
+        token,
+        skipSigning: true
+      }
+    );
   }
   /**
-   * Sign an EVM transaction hash
-   *
-   * @param request - Sign request with tx_hash and chain_id
-   * @param token - JWT token
-   * @returns Signature response with r, s, v components
+   * Sign an EVM transaction hash (signed request)
    */
   async signEvmTransaction(request, token) {
     return this.request("/api/sign/evm", {
@@ -159,14 +998,17 @@ var KentuckySignerClient = class {
     });
   }
   /**
-   * Sign a raw hash for EVM
-   *
-   * Convenience method that wraps signEvmTransaction.
-   *
-   * @param hash - 32-byte hash to sign (hex encoded with 0x prefix)
-   * @param chainId - Chain ID
-   * @param token - JWT token
-   * @returns Full signature (hex encoded with 0x prefix)
+   * Sign an EVM transaction hash with 2FA (signed request)
+   */
+  async signEvmTransactionWith2FA(request, token) {
+    return this.request("/api/sign/evm", {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Sign a raw hash for EVM (signed request)
    */
   async signHash(hash, chainId, token) {
     const response = await this.signEvmTransaction(
@@ -176,101 +1018,86 @@ var KentuckySignerClient = class {
     return response.signature.full;
   }
   /**
-   * Create a new account with passkey authentication
-   *
-   * @param credential - WebAuthn credential from navigator.credentials.create()
-   * @returns Account creation response with account ID and addresses
+   * Add password to account (signed request)
    */
-  async createAccountWithPasskey(credential) {
-    return this.request("/api/accounts/create/passkey", {
-      method: "POST",
-      body: JSON.stringify({
-        credential_id: credential.credentialId,
-        public_key: credential.publicKey,
-        client_data_json: credential.clientDataJSON,
-        authenticator_data: credential.authenticatorData
-      })
-    });
+  async addPassword(accountId, request, token) {
+    return this.request(
+      `/api/accounts/${accountId}/password`,
+      {
+        method: "POST",
+        token,
+        body: JSON.stringify(request)
+      }
+    );
   }
   /**
-   * Create a new account with password authentication
-   *
-   * @param request - Password and confirmation
-   * @returns Account creation response with account ID and addresses
+   * Add passkey to account (signed request)
    */
-  async createAccountWithPassword(request) {
-    return this.request("/api/accounts/create/password", {
+  async addPasskey(accountId, request, token) {
+    return this.request(
+      `/api/accounts/${accountId}/passkeys`,
+      {
+        method: "POST",
+        token,
+        body: JSON.stringify(request)
+      }
+    );
+  }
+  /**
+   * Remove passkey from account (signed request)
+   */
+  async removePasskey(accountId, passkeyIndex, token) {
+    return this.request(
+      `/api/accounts/${accountId}/passkeys/${passkeyIndex}`,
+      {
+        method: "DELETE",
+        token,
+        body: JSON.stringify({ passkey_index: passkeyIndex })
+      }
+    );
+  }
+  /**
+   * Create account with passkey (public endpoint, no signing)
+   */
+  async createAccountWithPasskey(attestationObject, label) {
+    const body = {
+      attestation_object: attestationObject
+    };
+    if (label) {
+      body.label = label;
+    }
+    return this.request("/api/accounts/create/passkey", {
       method: "POST",
-      body: JSON.stringify(request)
+      body: JSON.stringify(body),
+      skipSigning: true
     });
   }
   /**
-   * Authenticate with password
-   *
-   * @param request - Account ID and password
-   * @returns Authentication response with JWT token
+   * Create account with password (public endpoint, no signing)
    */
-  async authenticatePassword(request) {
-    return this.request("/api/auth/password", {
+  async createAccountWithPassword(request) {
+    return this.request("/api/accounts/create/password", {
       method: "POST",
-      body: JSON.stringify(request)
+      body: JSON.stringify(request),
+      skipSigning: true
     });
   }
   /**
-   * Health check
-   *
-   * @returns True if the API is healthy
+   * Health check (public endpoint)
    */
   async healthCheck() {
     try {
       const response = await this.request("/api/health", {
-        method: "GET"
+        method: "GET",
+        skipSigning: true
       });
       return response.status === "ok";
     } catch {
       return false;
     }
   }
-  /**
-   * Get API version
-   *
-   * @returns Version string
-   */
-  async getVersion() {
-    const response = await this.request("/api/version", {
-      method: "GET"
-    });
-    return response.version;
-  }
 };
 
-// src/utils.ts
-function base64UrlEncode(data) {
-  let base64;
-  if (typeof Buffer !== "undefined") {
-    base64 = Buffer.from(data).toString("base64");
-  } else {
-    const binary = Array.from(data).map((byte) => String.fromCharCode(byte)).join("");
-    base64 = btoa(binary);
-  }
-  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
-function base64UrlDecode(str) {
-  let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
-  const padding = (4 - base64.length % 4) % 4;
-  base64 += "=".repeat(padding);
-  if (typeof Buffer !== "undefined") {
-    return new Uint8Array(Buffer.from(base64, "base64"));
-  } else {
-    const binary = atob(base64);
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
-      bytes[i] = binary.charCodeAt(i);
-    }
-    return bytes;
-  }
-}
-
 // src/auth.ts
 function isWebAuthnAvailable() {
   return typeof window !== "undefined" && typeof window.PublicKeyCredential !== "undefined" && typeof navigator.credentials !== "undefined";
@@ -345,7 +1172,8 @@ async function authenticateWithPasskey(options) {
   const passkeyCredential = credentialToPasskey(credential);
   const authResponse = await client.authenticatePasskey(
     options.accountId,
-    passkeyCredential
+    passkeyCredential,
+    options.ephemeralPublicKey
   );
   const accountInfo = await client.getAccountInfo(
     options.accountId,
@@ -376,6 +1204,30 @@ async function refreshSessionIfNeeded(session, baseUrl, bufferMs = 6e4) {
     expiresAt: Date.now() + authResponse.expires_in * 1e3
   };
 }
+async function authenticateWithPassword(options) {
+  const client = new KentuckySignerClient({ baseUrl: options.baseUrl });
+  const authRequest = {
+    account_id: options.accountId,
+    password: options.password
+  };
+  if (options.ephemeralPublicKey) {
+    authRequest.ephemeral_public_key = options.ephemeralPublicKey;
+  }
+  const authResponse = await client.authenticatePassword(authRequest);
+  const accountInfo = await client.getAccountInfo(
+    options.accountId,
+    authResponse.token
+  );
+  const expiresAt = Date.now() + authResponse.expires_in * 1e3;
+  return {
+    token: authResponse.token,
+    accountId: options.accountId,
+    evmAddress: accountInfo.addresses.evm,
+    btcAddress: accountInfo.addresses.bitcoin,
+    solAddress: accountInfo.addresses.solana,
+    expiresAt
+  };
+}
 
 // src/account.ts
 import {
@@ -386,9 +1238,9 @@ import {
 } from "viem";
 import { toAccount } from "viem/accounts";
 function createKentuckySignerAccount(options) {
-  const { config, defaultChainId = 1, onSessionExpired } = options;
+  const { config, defaultChainId = 1, onSessionExpired, secureClient, on2FARequired } = options;
   let session = options.session;
-  const client = new KentuckySignerClient({ baseUrl: config.baseUrl });
+  const client = secureClient ?? new KentuckySignerClient({ baseUrl: config.baseUrl });
   async function getToken() {
     if (Date.now() + 6e4 >= session.expiresAt) {
       if (onSessionExpired) {
@@ -405,17 +1257,63 @@ function createKentuckySignerAccount(options) {
   }
   async function signHash(hash, chainId) {
     const token = await getToken();
-    const response = await client.signEvmTransaction(
-      { tx_hash: hash, chain_id: chainId },
-      token
-    );
-    return response.signature.full;
+    try {
+      const response = await client.signEvmTransaction(
+        { tx_hash: hash, chain_id: chainId },
+        token
+      );
+      return response.signature.full;
+    } catch (err) {
+      if (err instanceof KentuckySignerError && err.code === "2FA_REQUIRED" && on2FARequired) {
+        const totpRequired = err.message.includes("TOTP") || (err.details?.includes("totp_code") ?? false);
+        const pinRequired = err.message.includes("PIN") || (err.details?.includes("pin") ?? false);
+        const pinLength = err.details?.match(/(\d)-digit/)?.[1] ? parseInt(err.details.match(/(\d)-digit/)[1]) : 6;
+        const codes = await on2FARequired({ totpRequired, pinRequired, pinLength });
+        if (!codes) {
+          throw new KentuckySignerError("2FA verification cancelled", "2FA_CANCELLED", "User cancelled 2FA input");
+        }
+        const response = await client.signEvmTransactionWith2FA(
+          { tx_hash: hash, chain_id: chainId, totp_code: codes.totpCode, pin: codes.pin },
+          token
+        );
+        return response.signature.full;
+      }
+      throw err;
+    }
   }
-  function parseSignature(signature) {
-    const r = `0x${signature.slice(2, 66)}`;
-    const s = `0x${signature.slice(66, 130)}`;
-    const v = BigInt(`0x${signature.slice(130, 132)}`);
-    return { r, s, v };
+  async function signHashWithComponents(hash, chainId) {
+    const token = await getToken();
+    try {
+      const response = await client.signEvmTransaction(
+        { tx_hash: hash, chain_id: chainId },
+        token
+      );
+      return {
+        r: response.signature.r,
+        s: response.signature.s,
+        v: response.signature.v
+      };
+    } catch (err) {
+      if (err instanceof KentuckySignerError && err.code === "2FA_REQUIRED" && on2FARequired) {
+        const totpRequired = err.message.includes("TOTP") || (err.details?.includes("totp_code") ?? false);
+        const pinRequired = err.message.includes("PIN") || (err.details?.includes("pin") ?? false);
+        const pinLength = err.details?.match(/(\d)-digit/)?.[1] ? parseInt(err.details.match(/(\d)-digit/)[1]) : 6;
+        const codes = await on2FARequired({ totpRequired, pinRequired, pinLength });
+        if (!codes) {
+          throw new KentuckySignerError("2FA verification cancelled", "2FA_CANCELLED", "User cancelled 2FA input");
+        }
+        const response = await client.signEvmTransactionWith2FA(
+          { tx_hash: hash, chain_id: chainId, totp_code: codes.totpCode, pin: codes.pin },
+          token
+        );
+        return {
+          r: response.signature.r,
+          s: response.signature.s,
+          v: response.signature.v
+        };
+      }
+      throw err;
+    }
   }
   const account = toAccount({
     address: session.evmAddress,
@@ -438,13 +1336,12 @@ function createKentuckySignerAccount(options) {
       const chainId = transaction.chainId ?? defaultChainId;
       const serializedUnsigned = serializeTransaction(transaction);
       const txHash = keccak256(serializedUnsigned);
-      const signature = await signHash(txHash, chainId);
-      const { r, s, v } = parseSignature(signature);
+      const { r, s, v } = await signHashWithComponents(txHash, chainId);
       let yParity;
       if (transaction.type === "eip1559" || transaction.type === "eip2930" || transaction.type === "eip4844" || transaction.type === "eip7702") {
-        yParity = Number(v) - 27;
+        yParity = v >= 27 ? v - 27 : v;
       } else {
-        yParity = Number(v);
+        yParity = v;
       }
       const serializedSigned = serializeTransaction(transaction, {
         r,
@@ -483,29 +1380,91 @@ function KentuckySignerProvider({
   defaultChainId = 1,
   storageKeyPrefix = "kentucky_signer",
   persistSession = true,
+  useEphemeralKeys = false,
   children
 }) {
+  const getInitialPersistSetting = () => {
+    if (typeof localStorage !== "undefined") {
+      const saved = localStorage.getItem(`${storageKeyPrefix}_persist_ephemeral_keys`);
+      if (saved !== null) {
+        return saved === "true";
+      }
+    }
+    return typeof indexedDB !== "undefined";
+  };
+  const getInitialSecureModeSetting = () => {
+    if (typeof localStorage !== "undefined") {
+      const saved = localStorage.getItem(`${storageKeyPrefix}_secure_mode`);
+      if (saved !== null) {
+        return saved === "true";
+      }
+    }
+    return useEphemeralKeys;
+  };
+  const defaultTwoFactorPrompt = {
+    isVisible: false,
+    totpRequired: false,
+    pinRequired: false,
+    pinLength: 6
+  };
   const [state, setState] = useState({
     isAuthenticating: false,
     isAuthenticated: false,
     session: null,
     account: null,
-    error: null
+    error: null,
+    ephemeralKeyBound: false,
+    secureMode: getInitialSecureModeSetting(),
+    persistEphemeralKeys: getInitialPersistSetting(),
+    twoFactorPrompt: defaultTwoFactorPrompt
   });
+  const indexedDBStorage = useMemo(
+    () => typeof indexedDB !== "undefined" ? new IndexedDBEphemeralKeyStorage() : null,
+    []
+  );
+  const memoryStorage = useMemo(() => new MemoryEphemeralKeyStorage(), []);
+  const ephemeralKeyStorage = state.persistEphemeralKeys && indexedDBStorage ? indexedDBStorage : memoryStorage;
+  const ephemeralKeyManagerRef = useRef(null);
+  if (!ephemeralKeyManagerRef.current) {
+    ephemeralKeyManagerRef.current = new EphemeralKeyManager(ephemeralKeyStorage);
+  }
+  const ephemeralKeyManager = ephemeralKeyManagerRef.current;
   const client = useMemo(
     () => new KentuckySignerClient({ baseUrl }),
     [baseUrl]
   );
+  const secureClient = useMemo(
+    () => new SecureKentuckySignerClient({
+      baseUrl,
+      ephemeralKeyManager
+    }),
+    [baseUrl, ephemeralKeyManager]
+  );
   const storage = useMemo(
     () => persistSession ? new LocalStorageTokenStorage(storageKeyPrefix) : null,
     [persistSession, storageKeyPrefix]
   );
+  const handle2FARequired = useCallback(async (requirements) => {
+    return new Promise((resolve) => {
+      setState((s) => ({
+        ...s,
+        twoFactorPrompt: {
+          isVisible: true,
+          totpRequired: requirements.totpRequired,
+          pinRequired: requirements.pinRequired,
+          pinLength: requirements.pinLength,
+          resolve
+        }
+      }));
+    });
+  }, []);
   const createAccount = useCallback(
-    (session) => {
+    (session, useSecureClient = false) => {
       return createKentuckySignerAccount({
         config: { baseUrl, accountId: session.accountId },
         session,
         defaultChainId,
+        secureClient: useSecureClient ? secureClient : void 0,
         onSessionExpired: async () => {
           const newSession = await refreshSessionIfNeeded(session, baseUrl, 0);
           setState((s) => ({
@@ -514,10 +1473,11 @@ function KentuckySignerProvider({
             account: s.account ? { ...s.account, session: newSession } : null
           }));
           return newSession;
-        }
+        },
+        on2FARequired: handle2FARequired
       });
     },
-    [baseUrl, defaultChainId]
+    [baseUrl, defaultChainId, secureClient, handle2FARequired]
   );
   useEffect(() => {
     async function restoreSession() {
@@ -529,30 +1489,42 @@ function KentuckySignerProvider({
         if (!isSessionValid(session)) {
           try {
             const refreshed = await refreshSessionIfNeeded(session, baseUrl, 0);
-            const account2 = createAccount(refreshed);
             localStorage.setItem(
               `${storageKeyPrefix}_session`,
               JSON.stringify(refreshed)
             );
-            setState({
-              isAuthenticating: false,
-              isAuthenticated: true,
-              session: refreshed,
-              account: account2,
-              error: null
+            setState((s) => {
+              const account = createAccount(refreshed, s.secureMode);
+              return {
+                isAuthenticating: false,
+                isAuthenticated: true,
+                session: refreshed,
+                account,
+                error: null,
+                ephemeralKeyBound: false,
+                secureMode: s.secureMode,
+                persistEphemeralKeys: s.persistEphemeralKeys,
+                twoFactorPrompt: s.twoFactorPrompt
+              };
             });
           } catch {
             localStorage.removeItem(`${storageKeyPrefix}_session`);
           }
           return;
         }
-        const account = createAccount(session);
-        setState({
-          isAuthenticating: false,
-          isAuthenticated: true,
-          session,
-          account,
-          error: null
+        setState((s) => {
+          const account = createAccount(session, s.secureMode);
+          return {
+            isAuthenticating: false,
+            isAuthenticated: true,
+            session,
+            account,
+            error: null,
+            ephemeralKeyBound: false,
+            secureMode: s.secureMode,
+            persistEphemeralKeys: s.persistEphemeralKeys,
+            twoFactorPrompt: s.twoFactorPrompt
+          };
         });
       } catch {
         localStorage.removeItem(`${storageKeyPrefix}_session`);
@@ -564,24 +1536,42 @@ function KentuckySignerProvider({
     async (accountId, options) => {
       setState((s) => ({ ...s, isAuthenticating: true, error: null }));
       try {
-        const session = await authenticateWithPasskey({
-          baseUrl,
-          accountId,
-          rpId: options?.rpId
-        });
-        const account = createAccount(session);
+        let session;
+        let ephemeralKeyBound = false;
+        if (options?.session) {
+          session = options.session;
+        } else {
+          let ephemeralPublicKey;
+          if (state.secureMode) {
+            ephemeralPublicKey = await ephemeralKeyManager.getPublicKey();
+          }
+          session = await authenticateWithPasskey({
+            baseUrl,
+            accountId,
+            rpId: options?.rpId,
+            ephemeralPublicKey
+          });
+          ephemeralKeyBound = !!ephemeralPublicKey;
+        }
         if (storage) {
           localStorage.setItem(
             `${storageKeyPrefix}_session`,
             JSON.stringify(session)
           );
         }
-        setState({
-          isAuthenticating: false,
-          isAuthenticated: true,
-          session,
-          account,
-          error: null
+        setState((s) => {
+          const account = createAccount(session, s.secureMode);
+          return {
+            isAuthenticating: false,
+            isAuthenticated: true,
+            session,
+            account,
+            error: null,
+            ephemeralKeyBound,
+            secureMode: s.secureMode,
+            persistEphemeralKeys: s.persistEphemeralKeys,
+            twoFactorPrompt: s.twoFactorPrompt
+          };
         });
       } catch (error) {
         setState((s) => ({
@@ -592,7 +1582,7 @@ function KentuckySignerProvider({
         throw error;
       }
     },
-    [baseUrl, createAccount, storage, storageKeyPrefix]
+    [baseUrl, createAccount, storage, storageKeyPrefix, state.secureMode, ephemeralKeyManager]
   );
   const logout = useCallback(async () => {
     try {
@@ -604,31 +1594,40 @@ function KentuckySignerProvider({
     if (storage) {
       localStorage.removeItem(`${storageKeyPrefix}_session`);
     }
-    setState({
+    if (ephemeralKeyManager) {
+      await ephemeralKeyManager.clear();
+    }
+    setState((s) => ({
       isAuthenticating: false,
       isAuthenticated: false,
       session: null,
       account: null,
-      error: null
-    });
-  }, [client, state.session, storage, storageKeyPrefix]);
+      error: null,
+      ephemeralKeyBound: false,
+      secureMode: s.secureMode,
+      persistEphemeralKeys: s.persistEphemeralKeys,
+      twoFactorPrompt: defaultTwoFactorPrompt
+    }));
+  }, [client, state.session, storage, storageKeyPrefix, ephemeralKeyManager]);
   const refreshSession = useCallback(async () => {
     if (!state.session) return;
     try {
       const refreshed = await refreshSessionIfNeeded(state.session, baseUrl);
       if (refreshed !== state.session) {
-        const account = createAccount(refreshed);
         if (storage) {
           localStorage.setItem(
             `${storageKeyPrefix}_session`,
             JSON.stringify(refreshed)
           );
         }
-        setState((s) => ({
-          ...s,
-          session: refreshed,
-          account
-        }));
+        setState((s) => {
+          const account = createAccount(refreshed, s.secureMode);
+          return {
+            ...s,
+            session: refreshed,
+            account
+          };
+        });
       }
     } catch (error) {
       setState((s) => ({ ...s, error }));
@@ -637,15 +1636,119 @@ function KentuckySignerProvider({
   const clearError = useCallback(() => {
     setState((s) => ({ ...s, error: null }));
   }, []);
+  const setSecureMode = useCallback((enabled) => {
+    if (typeof localStorage !== "undefined") {
+      localStorage.setItem(`${storageKeyPrefix}_secure_mode`, String(enabled));
+    }
+    setState((s) => {
+      const newAccount = s.session ? createAccount(s.session, enabled) : null;
+      return {
+        ...s,
+        secureMode: enabled,
+        account: newAccount
+      };
+    });
+  }, [createAccount, storageKeyPrefix]);
+  const setPersistEphemeralKeys = useCallback(async (enabled) => {
+    const newStorage = enabled && indexedDBStorage ? indexedDBStorage : memoryStorage;
+    await ephemeralKeyManager.migrateStorage(newStorage);
+    if (typeof localStorage !== "undefined") {
+      localStorage.setItem(`${storageKeyPrefix}_persist_ephemeral_keys`, String(enabled));
+    }
+    setState((s) => ({
+      ...s,
+      persistEphemeralKeys: enabled
+    }));
+  }, [ephemeralKeyManager, storageKeyPrefix, indexedDBStorage, memoryStorage]);
+  const getEphemeralPublicKey = useCallback(async () => {
+    if (!state.secureMode) {
+      return void 0;
+    }
+    return ephemeralKeyManager.getPublicKey();
+  }, [state.secureMode, ephemeralKeyManager]);
+  const authenticatePassword = useCallback(
+    async (accountId, password) => {
+      setState((s) => ({ ...s, isAuthenticating: true, error: null }));
+      try {
+        let ephemeralPublicKey;
+        console.log("[KentuckySigner] authenticatePassword - secureMode:", state.secureMode);
+        if (state.secureMode) {
+          ephemeralPublicKey = await ephemeralKeyManager.getPublicKey();
+          console.log("[KentuckySigner] Got ephemeral public key for binding:", ephemeralPublicKey?.substring(0, 50) + "...");
+        }
+        const session = await authenticateWithPassword({
+          baseUrl,
+          accountId,
+          password,
+          ephemeralPublicKey
+        });
+        const ephemeralKeyBound = !!ephemeralPublicKey;
+        if (storage) {
+          localStorage.setItem(
+            `${storageKeyPrefix}_session`,
+            JSON.stringify(session)
+          );
+        }
+        setState((s) => {
+          const account = createAccount(session, s.secureMode);
+          return {
+            isAuthenticating: false,
+            isAuthenticated: true,
+            session,
+            account,
+            error: null,
+            ephemeralKeyBound,
+            secureMode: s.secureMode,
+            persistEphemeralKeys: s.persistEphemeralKeys,
+            twoFactorPrompt: s.twoFactorPrompt
+          };
+        });
+      } catch (error) {
+        setState((s) => ({
+          ...s,
+          isAuthenticating: false,
+          error
+        }));
+        throw error;
+      }
+    },
+    [baseUrl, createAccount, storage, storageKeyPrefix, state.secureMode, ephemeralKeyManager]
+  );
+  const submit2FA = useCallback((codes) => {
+    const { resolve } = state.twoFactorPrompt;
+    if (resolve) {
+      resolve(codes);
+    }
+    setState((s) => ({
+      ...s,
+      twoFactorPrompt: defaultTwoFactorPrompt
+    }));
+  }, [state.twoFactorPrompt]);
+  const cancel2FA = useCallback(() => {
+    const { resolve } = state.twoFactorPrompt;
+    if (resolve) {
+      resolve(null);
+    }
+    setState((s) => ({
+      ...s,
+      twoFactorPrompt: defaultTwoFactorPrompt
+    }));
+  }, [state.twoFactorPrompt]);
   const value = useMemo(
     () => ({
       ...state,
       authenticate,
+      authenticatePassword,
       logout,
       refreshSession,
-      clearError
+      clearError,
+      setSecureMode,
+      setPersistEphemeralKeys,
+      getEphemeralPublicKey,
+      submit2FA,
+      cancel2FA
     }),
-    [state, authenticate, logout, refreshSession, clearError]
+    [state, authenticate, authenticatePassword, logout, refreshSession, clearError, setSecureMode, setPersistEphemeralKeys, getEphemeralPublicKey, submit2FA, cancel2FA]
   );
   return /* @__PURE__ */ jsx(KentuckySignerContext.Provider, { value, children });
 }
@@ -670,10 +1773,21 @@ function useKentuckySigner() {
     session: context.session,
     account: context.account,
     error: context.error,
+    ephemeralKeyBound: context.ephemeralKeyBound,
     authenticate: context.authenticate,
+    authenticatePassword: context.authenticatePassword,
     logout: context.logout,
     refreshSession: context.refreshSession,
-    clearError: context.clearError
+    clearError: context.clearError,
+    secureMode: context.secureMode,
+    setSecureMode: context.setSecureMode,
+    persistEphemeralKeys: context.persistEphemeralKeys,
+    setPersistEphemeralKeys: context.setPersistEphemeralKeys,
+    getEphemeralPublicKey: context.getEphemeralPublicKey,
+    // 2FA support
+    twoFactorPrompt: context.twoFactorPrompt,
+    submit2FA: context.submit2FA,
+    cancel2FA: context.cancel2FA
   };
 }
 function useKentuckySignerAccount() {