bigmoves · trezy · Jan 23, 2026 · Jan 23, 2026 · Jan 24, 2026 · Jan 24, 2026
diff --git a/quickslice-client-js/dist/auth/oauth.d.ts b/quickslice-client-js/dist/auth/oauth.d.ts
@@ -1,4 +1,5 @@
 import { Storage } from '../storage/storage';
+import { SessionInfo } from './session';
 export interface LoginOptions {
     handle?: string;
     redirectUri?: string;
@@ -9,13 +10,13 @@ export interface LoginOptions {
  */
 export declare function initiateLogin(storage: Storage, authorizeUrl: string, clientId: string, options?: LoginOptions): Promise<void>;
 /**
- * Handle OAuth callback - exchange code for tokens
- * Returns true if callback was handled, false if not a callback
+ * Handle OAuth callback - exchange code for tokens and create session
+ * Returns session info if callback was handled, null if not a callback
  */
-export declare function handleOAuthCallback(storage: Storage, namespace: string, tokenUrl: string): Promise<boolean>;
+export declare function handleOAuthCallback(storage: Storage, namespace: string, tokenUrl: string, serverUrl: string): Promise<SessionInfo | null>;
 /**
- * Logout - clear all stored data
+ * Logout - destroy session and clear local data
  */
-export declare function logout(storage: Storage, namespace: string, options?: {
+export declare function logout(storage: Storage, namespace: string, serverUrl: string, options?: {
     reload?: boolean;
 }): Promise<void>;
diff --git a/quickslice-client-js/dist/auth/session.d.ts b/quickslice-client-js/dist/auth/session.d.ts
@@ -0,0 +1,36 @@
+/**
+ * Session management for cookie-based authentication
+ *
+ * Handles server-side session creation and management via HTTP-only cookies.
+ * DPoP keys remain client-side for ATProto compatibility.
+ */
+export interface SessionInfo {
+    authenticated: boolean;
+    did: string | null;
+    handle: string | null;
+}
+export interface CreateSessionOptions {
+    clientId: string;
+    userDid?: string;
+    atpSessionId?: string;
+}
+/**
+ * Create a new session on the server after OAuth callback
+ *
+ * This is called after the OAuth token exchange to establish a cookie-based session.
+ * The server stores the tokens and returns a session cookie.
+ */
+export declare function createSession(serverUrl: string, namespace: string, options: CreateSessionOptions): Promise<SessionInfo>;
+/**
+ * Get current session status from the server
+ *
+ * Returns session info if a valid session cookie exists, otherwise returns
+ * an unauthenticated session info.
+ */
+export declare function getSession(serverUrl: string): Promise<SessionInfo>;
+/**
+ * Destroy the current session (logout)
+ *
+ * Clears the session cookie and server-side session data.
+ */
+export declare function destroySession(serverUrl: string): Promise<void>;
diff --git a/quickslice-client-js/dist/client.d.ts b/quickslice-client-js/dist/client.d.ts
@@ -1,4 +1,5 @@
 import { LoginOptions } from './auth/oauth';
+import { SessionInfo } from './auth/session';
 export interface QuicksliceClientOptions {
     server: string;
     clientId: string;
@@ -7,6 +8,10 @@ export interface QuicksliceClientOptions {
 }
 export interface User {
     did: string;
+    handle?: string;
+}
+export interface QueryOptions {
+    signal?: AbortSignal;
 }
 export declare class QuicksliceClient {
     private server;
@@ -19,6 +24,7 @@ export declare class QuicksliceClient {
     private initialized;
     private namespace;
     private storage;
+    private cachedSession;
     constructor(options: QuicksliceClientOptions);
     /**
      * Initialize the client - must be called before other methods
@@ -31,9 +37,9 @@ export declare class QuicksliceClient {
     loginWithRedirect(options?: LoginOptions): Promise<void>;
     /**
      * Handle OAuth callback after redirect
-     * Returns true if callback was handled
+     * Returns the session info if callback was handled, null otherwise
      */
-    handleRedirectCallback(): Promise<boolean>;
+    handleRedirectCallback(): Promise<SessionInfo | null>;
     /**
      * Logout and clear all stored data
      */
@@ -42,27 +48,25 @@ export declare class QuicksliceClient {
     }): Promise<void>;
     /**
      * Check if user is authenticated
+     * Queries the server to verify session is valid
      */
     isAuthenticated(): Promise<boolean>;
     /**
-     * Get current user's DID (from stored token data)
+     * Get current user info from session
      * For richer profile info, use client.query() with your own schema
      */
     getUser(): Promise<User | null>;
-    /**
-     * Get access token (auto-refreshes if needed)
-     */
-    getAccessToken(): Promise<string>;
     /**
      * Execute a GraphQL query (authenticated)
+     * Uses session cookie for auth - no client-side token management
      */
-    query<T = unknown>(query: string, variables?: Record<string, unknown>): Promise<T>;
+    query<T = unknown>(query: string, variables?: Record<string, unknown>, options?: QueryOptions): Promise<T>;
     /**
      * Execute a GraphQL mutation (authenticated)
      */
-    mutate<T = unknown>(mutation: string, variables?: Record<string, unknown>): Promise<T>;
+    mutate<T = unknown>(mutation: string, variables?: Record<string, unknown>, options?: QueryOptions): Promise<T>;
     /**
      * Execute a public GraphQL query (no auth)
      */
-    publicQuery<T = unknown>(query: string, variables?: Record<string, unknown>): Promise<T>;
+    publicQuery<T = unknown>(query: string, variables?: Record<string, unknown>, options?: QueryOptions): Promise<T>;
 }
diff --git a/quickslice-client-js/dist/graphql.d.ts b/quickslice-client-js/dist/graphql.d.ts
@@ -1,4 +1,3 @@
-import { Storage } from './storage/storage';
 export interface GraphQLResponse<T = unknown> {
     data?: T;
     errors?: Array<{
@@ -8,5 +7,8 @@ export interface GraphQLResponse<T = unknown> {
 }
 /**
  * Execute a GraphQL query or mutation
+ *
+ * With cookie-based auth, the session cookie is automatically included
+ * via credentials: 'include'. DPoP proof is still added for request binding.
  */
-export declare function graphqlRequest<T = unknown>(storage: Storage, namespace: string, graphqlUrl: string, tokenUrl: string, query: string, variables?: Record<string, unknown>, requireAuth?: boolean): Promise<T>;
+export declare function graphqlRequest<T = unknown>(namespace: string, graphqlUrl: string, query: string, variables?: Record<string, unknown>, requireAuth?: boolean, signal?: AbortSignal): Promise<T>;
diff --git a/quickslice-client-js/dist/index.d.ts b/quickslice-client-js/dist/index.d.ts
@@ -1,4 +1,5 @@
-export { QuicksliceClient, QuicksliceClientOptions, User } from './client';
+export { QuicksliceClient, QuicksliceClientOptions, QueryOptions, User } from './client';
+export { SessionInfo } from './auth/session';
 export { QuicksliceError, LoginRequiredError, NetworkError, OAuthError, } from './errors';
 import { QuicksliceClient, QuicksliceClientOptions } from './client';
 /**