From 82c375f6f72e34c4836bcbb21429d0315250cd74 Mon Sep 17 00:00:00 2001
From: Jared Perreault <90656038+jaredperreault-okta@users.noreply.github.com>
Date: Tue, 7 Apr 2026 16:02:07 -0400
Subject: [PATCH 1/5] initial CHANGELOG (#27)

OKTA-1151210 initial CHANGELOG

fixes
---
 CHANGELOG.md | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 117 insertions(+)
 create mode 100644 CHANGELOG.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..e4cab69
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,117 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [0.7.1] - 2026-04-06
+
+### `@okta/auth-foundation`
+
+#### Added
+- Added `invalidateToken` abstract method to `TokenOrchestrator` ([#26](https://github.com/okta/okta-client-javascript/pull/26))
+
+#### Fixed
+- `FetchClient` will now remove tokens when `401` is received (via `invalidateToken`) ([#26](https://github.com/okta/okta-client-javascript/pull/26))
+
+### `@okta/spa-platform`
+
+#### Added
+- Implements `invalidateToken` within `HostOrchestrator` and `AuthorizationCodeFlowOrchestrator` ([#26](https://github.com/okta/okta-client-javascript/pull/26))
+
+## [0.7.0] - 2026-03-19
+
+### `@okta/auth-foundation`
+
+#### Added
+- Warnings for mismatched `TaskBridge` message versions ([#21](https://github.com/okta/okta-client-javascript/pull/21))
+
+## [0.6.0] - 2026-03-18
+
+### `@okta/auth-foundation`
+
+#### Added
+- Clock synchronization with Authorization Server ([#16](https://github.com/okta/okta-client-javascript/pull/16))
+
+#### Changed
+- Refactored to `PlatformRegistry` pattern ([#18](https://github.com/okta/okta-client-javascript/pull/18))
+
+### `@okta/oauth2-flows`
+
+#### Changed
+- Refactored to `PlatformRegistry` pattern ([#18](https://github.com/okta/okta-client-javascript/pull/18))
+
+### `@okta/spa-platform`
+
+#### Changed
+- Refactored to `PlatformRegistry` pattern ([#18](https://github.com/okta/okta-client-javascript/pull/18))
+
+## [0.5.4] - 2025-12-09
+
+### `@okta/auth-foundation`
+
+#### Fixed
+- Improved `EventEmitter` typing within abstract classes ([#12](https://github.com/okta/okta-client-javascript/pull/12))
+
+### `@okta/oauth2-flows`
+
+#### Fixed
+- Improved `EventEmitter` typing within abstract classes ([#12](https://github.com/okta/okta-client-javascript/pull/12))
+
+### `@okta/spa-platform`
+
+#### Fixed
+- Improved `EventEmitter` typing within abstract classes ([#12](https://github.com/okta/okta-client-javascript/pull/12))
+
+## [0.5.3] - 2025-12-05
+
+### `@okta/auth-foundation`
+
+#### Added
+- Adds object hashing function to produce predictable cache keys ([#11](https://github.com/okta/okta-client-javascript/pull/11))
+
+### `@okta/oauth2-flows`
+
+#### Fixed
+- Added context to errors thrown in `AuthorizationCodeFlow` ([#9](https://github.com/okta/okta-client-javascript/pull/9))
+- Fixed `Token.Metadata` handling in `TokenStorage` ([#10](https://github.com/okta/okta-client-javascript/pull/10))
+
+### `@okta/spa-platform`
+
+#### Fixed
+- Improved local cache in `HostOrchestrator.SubApp` ([#11](https://github.com/okta/okta-client-javascript/pull/11))
+
+## [0.5.2] - 2025-11-25
+
+### `@okta/auth-foundation`
+
+#### Added
+- Adds defaults to Configuration classes ([#8](https://github.com/okta/okta-client-javascript/pull/8))
+
+#### Fixed
+- `APIClient` improvements ([#7](https://github.com/okta/okta-client-javascript/pull/7))
+
+## [0.5.1] - 2025-11-12
+
+### `@okta/auth-foundation`
+
+#### Added
+- Adds `TaskBridge` (bi-directional messaging) class ([#4](https://github.com/okta/okta-client-javascript/pull/4))
+
+#### Fixed
+- Upgraded TypeScript target to `es2022` ([#2](https://github.com/okta/okta-client-javascript/pull/2))
+
+### `@okta/oauth2-flows`
+
+#### Added
+- Adds `LogoutFlow` abstract class ([#1](https://github.com/okta/okta-client-javascript/pull/1))
+
+#### Fixed
+- Upgraded TypeScript target to `es2022` ([#2](https://github.com/okta/okta-client-javascript/pull/2))
+
+### `@okta/spa-platform`
+
+#### Added
+- Adds POST submit for /logout endpoint ([#1](https://github.com/okta/okta-client-javascript/pull/1))
+
+#### Fixed
+- Refactors `HostOrchestrator` to utilize `TaskBridge` ([#4](https://github.com/okta/okta-client-javascript/pull/4))
+- Upgraded TypeScript target to `es2022` ([#2](https://github.com/okta/okta-client-javascript/pull/2))
\ No newline at end of file

From 9f9f053f78e03a4beea45e73dcd40ca9079b2de0 Mon Sep 17 00:00:00 2001
From: Jared Perreault <jared.perreault@okta.com>
Date: Wed, 8 Apr 2026 09:41:54 -0400
Subject: [PATCH 2/5] fix: separates exports so oauth2-flows is optional

---
 packages/spa-platform/src/core.ts             | 53 +++++++++++++++++++
 packages/spa-platform/src/flows.ts            | 13 +++++
 packages/spa-platform/src/index.ts            | 37 +------------
 .../spa-platform/src/orchestrators/index.ts   |  6 ---
 4 files changed, 67 insertions(+), 42 deletions(-)
 create mode 100644 packages/spa-platform/src/core.ts
 create mode 100644 packages/spa-platform/src/flows.ts
 delete mode 100644 packages/spa-platform/src/orchestrators/index.ts

diff --git a/packages/spa-platform/src/core.ts b/packages/spa-platform/src/core.ts
new file mode 100644
index 0000000..ff57218
--- /dev/null
+++ b/packages/spa-platform/src/core.ts
@@ -0,0 +1,53 @@
+/**
+ * @packageDocumentation
+ * @internal
+ * 
+ * NOTE: DO NOT INCLUDE ANY FILES WHICH DEPEND ON `@okta/oauth2-flows`
+ */
+
+// MARK - Update UA
+
+import { addEnv } from '@okta/auth-foundation/internal';
+
+// defined in rollup.config.js
+declare const __PKG_NAME__: string;
+declare const __PKG_VERSION__: string;
+
+addEnv(`${__PKG_NAME__}/${__PKG_VERSION__}`);
+
+// MARK - Re-export auth-foundation
+
+export * from '@okta/auth-foundation/core';
+
+// MARK - Provide browser platform defaults
+
+// eslint-disable-next-line no-restricted-imports
+export * from './platform/defaults.ts';
+
+import { Platform } from '@okta/auth-foundation/core';
+// eslint-disable-next-line no-restricted-imports
+import { PlatformDefaults } from './platform/defaults.ts';
+
+Platform.registerDefaultsLoader(() => PlatformDefaults);
+
+// MARK - Provide browser-specific class overrides
+
+export { Credential } from './Credential/Credential.ts';
+export { CredentialCoordinatorImpl } from './Credential/CredentialCoordinator.ts';
+export { BrowserTokenStorage } from './Credential/TokenStorage.ts';
+export { DefaultCredentialDataSource } from './Credential/CredentialDataSource.ts';
+
+export { FetchClient } from './FetchClient/index.ts';
+
+// MARK - Export orchestrators
+
+export * from './orchestrators/HostOrchestrator/index.ts';
+
+// MARK - Export platform defaults individually
+
+export { DefaultSigningAuthority } from './platform/dpop/authority.ts';
+export { clearDPoPKeyPairs } from './platform/index.ts';
+export { PersistentCache } from './platform/dpop/nonceCache.ts';
+export { OAuth2Client } from './platform/OAuth2Client.ts';
+
+export * from './utils/isModernBrowser.ts';
diff --git a/packages/spa-platform/src/flows.ts b/packages/spa-platform/src/flows.ts
new file mode 100644
index 0000000..580fcaa
--- /dev/null
+++ b/packages/spa-platform/src/flows.ts
@@ -0,0 +1,13 @@
+/**
+ * @packageDocumentation
+ * @internal
+ *
+ * Separate entry point when include `@okta/oauth2-flows`
+ */
+
+// Include all core exports
+export * from './core.ts';
+
+// Include exports which also depend on `@okta/oauth2-flows`
+export * from './orchestrators/AuthorizationCodeFlowOrchestrator.ts';
+export * from './flows/index.ts';
diff --git a/packages/spa-platform/src/index.ts b/packages/spa-platform/src/index.ts
index 439b847..d7da55d 100644
--- a/packages/spa-platform/src/index.ts
+++ b/packages/spa-platform/src/index.ts
@@ -3,39 +3,4 @@
  * @internal
  */
 
-import { addEnv } from '@okta/auth-foundation/internal';
-
-// defined in rollup.config.js
-declare const __PKG_NAME__: string;
-declare const __PKG_VERSION__: string;
-
-addEnv(`${__PKG_NAME__}/${__PKG_VERSION__}`);
-
-// eslint-disable-next-line no-restricted-imports
-export * from './platform/defaults.ts';
-
-export * from '@okta/auth-foundation/core';
-
-import { Platform } from '@okta/auth-foundation/core';
-// eslint-disable-next-line no-restricted-imports
-import { PlatformDefaults } from './platform/defaults.ts';
-
-Platform.registerDefaultsLoader(() => PlatformDefaults);
-
-export { Credential } from './Credential/Credential.ts';
-export { CredentialCoordinatorImpl } from './Credential/CredentialCoordinator.ts';
-export { BrowserTokenStorage } from './Credential/TokenStorage.ts';
-export { DefaultCredentialDataSource } from './Credential/CredentialDataSource.ts';
-
-export { FetchClient } from './FetchClient/index.ts';
-
-export * from './orchestrators/index.ts';
-
-export * from './flows/index.ts';
-
-export { DefaultSigningAuthority } from './platform/dpop/authority.ts';
-export { clearDPoPKeyPairs } from './platform/index.ts';
-export { PersistentCache } from './platform/dpop/nonceCache.ts';
-export { OAuth2Client } from './platform/OAuth2Client.ts';
-
-export * from './utils/isModernBrowser.ts';
+export * from './core.ts';
diff --git a/packages/spa-platform/src/orchestrators/index.ts b/packages/spa-platform/src/orchestrators/index.ts
deleted file mode 100644
index 1227767..0000000
--- a/packages/spa-platform/src/orchestrators/index.ts
+++ /dev/null
@@ -1,6 +0,0 @@
-/**
- * @module TokenOrchestrators
- */
-
-export * from './AuthorizationCodeFlowOrchestrator.ts';
-export * from './HostOrchestrator/index.ts';

From bc5e7a4a26b9ea518a9654e394ff41147a47729a Mon Sep 17 00:00:00 2001
From: Jared Perreault <jared.perreault@okta.com>
Date: Thu, 9 Apr 2026 14:02:59 -0400
Subject: [PATCH 3/5] adds/updates tests

---
 .../apps/orchestrators/pages/ProxyHost.tsx    |  6 +-
 .../src/apps/orchestrators/pages/Redirect.tsx |  6 +-
 .../src/apps/orchestrators/pages/Silent.tsx   |  6 +-
 e2e/apps/redirect-model/src/auth.tsx          |  3 +-
 e2e/apps/token-broker/src/auth.tsx            |  3 +-
 package.json                                  |  2 +-
 packages/auth-foundation/package.json         |  2 +-
 packages/oauth2-flows/package.json            |  2 +-
 packages/spa-platform/package.json            |  6 +-
 packages/spa-platform/rollup.config.mjs       |  1 +
 .../spa-platform/test/spec/exports.spec.ts    | 57 +++++++++++++++++++
 11 files changed, 78 insertions(+), 16 deletions(-)
 create mode 100644 packages/spa-platform/test/spec/exports.spec.ts

diff --git a/e2e/apps/redirect-model/src/apps/orchestrators/pages/ProxyHost.tsx b/e2e/apps/redirect-model/src/apps/orchestrators/pages/ProxyHost.tsx
index 43ee860..2d850c9 100644
--- a/e2e/apps/redirect-model/src/apps/orchestrators/pages/ProxyHost.tsx
+++ b/e2e/apps/redirect-model/src/apps/orchestrators/pages/ProxyHost.tsx
@@ -1,9 +1,11 @@
 import {
-  AuthorizationCodeFlow,
-  AuthorizationCodeFlowOrchestrator,
   HostOrchestrator,
   FetchClient
 } from '@okta/spa-platform';
+import {
+  AuthorizationCodeFlow,
+  AuthorizationCodeFlowOrchestrator
+} from '@okta/spa-platform/flows';
 import { client } from '@/auth';
 import { createMessageComponent } from '../createMessageComponent';
 
diff --git a/e2e/apps/redirect-model/src/apps/orchestrators/pages/Redirect.tsx b/e2e/apps/redirect-model/src/apps/orchestrators/pages/Redirect.tsx
index b3f59af..4c15da5 100644
--- a/e2e/apps/redirect-model/src/apps/orchestrators/pages/Redirect.tsx
+++ b/e2e/apps/redirect-model/src/apps/orchestrators/pages/Redirect.tsx
@@ -1,10 +1,10 @@
 import { useEffect, useState } from 'react';
 import { useNavigate } from 'react-router';
+import { FetchClient } from '@okta/spa-platform';
 import {
   AuthorizationCodeFlow,
-  AuthorizationCodeFlowOrchestrator,
-  FetchClient
-} from '@okta/spa-platform';
+  AuthorizationCodeFlowOrchestrator
+} from '@okta/spa-platform/flows';
 import { client } from '@/auth';
 import { Loading } from '@/component/Loading';
 import { createMessageComponent } from '../createMessageComponent';
diff --git a/e2e/apps/redirect-model/src/apps/orchestrators/pages/Silent.tsx b/e2e/apps/redirect-model/src/apps/orchestrators/pages/Silent.tsx
index 09c9002..711cf38 100644
--- a/e2e/apps/redirect-model/src/apps/orchestrators/pages/Silent.tsx
+++ b/e2e/apps/redirect-model/src/apps/orchestrators/pages/Silent.tsx
@@ -1,8 +1,8 @@
+import { FetchClient } from '@okta/spa-platform';
 import {
   AuthorizationCodeFlow,
-  AuthorizationCodeFlowOrchestrator,
-  FetchClient
-} from '@okta/spa-platform';
+  AuthorizationCodeFlowOrchestrator
+} from '@okta/spa-platform/flows';
 import { client } from '@/auth';
 import { createMessageComponent } from '../createMessageComponent';
 
diff --git a/e2e/apps/redirect-model/src/auth.tsx b/e2e/apps/redirect-model/src/auth.tsx
index d644afd..adc2335 100644
--- a/e2e/apps/redirect-model/src/auth.tsx
+++ b/e2e/apps/redirect-model/src/auth.tsx
@@ -2,9 +2,8 @@ import {
   Credential,
   OAuth2Client,
   clearDPoPKeyPairs,
-  AuthorizationCodeFlow,
-  SessionLogoutFlow
 } from '@okta/spa-platform';
+import { AuthorizationCodeFlow, SessionLogoutFlow } from '@okta/spa-platform/flows';
 
 
 const USE_DPOP = __USE_DPOP__ === "true";
diff --git a/e2e/apps/token-broker/src/auth.tsx b/e2e/apps/token-broker/src/auth.tsx
index 7f7e35d..538e391 100644
--- a/e2e/apps/token-broker/src/auth.tsx
+++ b/e2e/apps/token-broker/src/auth.tsx
@@ -2,12 +2,11 @@ import {
   Credential,
   OAuth2Client,
   clearDPoPKeyPairs,
-  AuthorizationCodeFlow,
-  SessionLogoutFlow,
   type AcrValues,
   type JsonRecord,
   isOAuth2ErrorResponse,
 } from '@okta/spa-platform';
+import { AuthorizationCodeFlow, SessionLogoutFlow } from '@okta/spa-platform/flows';
 
 
 const ADMIN_SPA_REFRESH_TOKEN_TAG = 'admin-spa:mordor-token';
diff --git a/package.json b/package.json
index 7e1f500..375a76e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@okta/okta-client-js",
-  "version": "0.7.1",
+  "version": "0.7.2",
   "private": true,
   "packageManager": "yarn@1.22.19",
   "engines": {
diff --git a/packages/auth-foundation/package.json b/packages/auth-foundation/package.json
index d4f3136..db16017 100644
--- a/packages/auth-foundation/package.json
+++ b/packages/auth-foundation/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@okta/auth-foundation",
-  "version": "0.7.1",
+  "version": "0.7.2",
   "type": "module",
   "main": "dist/esm/index.js",
   "module": "dist/esm/index.js",
diff --git a/packages/oauth2-flows/package.json b/packages/oauth2-flows/package.json
index 2cbc6ee..72b47f3 100644
--- a/packages/oauth2-flows/package.json
+++ b/packages/oauth2-flows/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@okta/oauth2-flows",
-  "version": "0.7.1",
+  "version": "0.7.2",
   "type": "module",
   "main": "dist/esm/index.js",
   "module": "dist/esm/index.js",
diff --git a/packages/spa-platform/package.json b/packages/spa-platform/package.json
index 344810a..1af964c 100644
--- a/packages/spa-platform/package.json
+++ b/packages/spa-platform/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@okta/spa-platform",
-  "version": "0.7.1",
+  "version": "0.7.2",
   "type": "module",
   "main": "dist/esm/index.js",
   "module": "dist/esm/index.js",
@@ -18,6 +18,10 @@
       "types": "./dist/types/index.d.ts",
       "import": "./dist/esm/index.js"
     },
+    "./flows" : {
+      "types": "./dist/types/flows.d.ts",
+      "import": "./dist/esm/flows.js"
+    },
     "./package.json": "./package.json"
   },
   "scripts": {
diff --git a/packages/spa-platform/rollup.config.mjs b/packages/spa-platform/rollup.config.mjs
index fe4cce7..1aabee3 100644
--- a/packages/spa-platform/rollup.config.mjs
+++ b/packages/spa-platform/rollup.config.mjs
@@ -6,6 +6,7 @@ const base = baseConfig(ts, pkg);
 
 export default {
   ...base,
+  input: [base.input, 'src/flows.ts'],
   external: [
     ...Object.keys(pkg.peerDependencies),
     '@okta/auth-foundation/core',
diff --git a/packages/spa-platform/test/spec/exports.spec.ts b/packages/spa-platform/test/spec/exports.spec.ts
new file mode 100644
index 0000000..a073bbf
--- /dev/null
+++ b/packages/spa-platform/test/spec/exports.spec.ts
@@ -0,0 +1,57 @@
+describe('Exports ', () => {
+  beforeEach(() => {
+    jest.resetModules();
+  });
+
+  afterEach(() => {
+    jest.unmock('@okta/oauth2-flows');
+  });
+
+  it('core exports work without oauth2-flows installed', async () => {
+    // Mock the missing optional dependency
+    jest.doMock('@okta/oauth2-flows', () => {
+      throw new Error('Cannot find module @okta/oauth2-flows');
+    });
+
+    const coreModule = await import('../../src/core');
+    expect(coreModule).toBeDefined();
+    expect(coreModule.OAuth2Client).toBeDefined();
+    expect(coreModule.FetchClient).toBeDefined();
+  });
+  
+  it('flows export requires oauth2-flows', async () => {
+    // mocks missing optional dependency
+    jest.doMock('@okta/oauth2-flows', () => {
+      throw new Error('Cannot find module @okta/oauth2-flows');
+    });
+
+    await expect(import('../../src/flows')).rejects.toThrow(/Cannot find module @okta\/oauth2-flows/);
+  });
+
+  it('flows export works when oauth2-flows is installed', async () => {
+    jest.resetModules();
+
+    jest.doMock('@okta/oauth2-flows', () => {
+      return jest.requireActual('@okta/oauth2-flows');
+    });
+
+    const flowsModule = await import('../../src/flows');
+    expect(flowsModule).toBeDefined();
+
+    expect(flowsModule.OAuth2Client).toBeDefined();
+    expect(flowsModule.FetchClient).toBeDefined();
+    expect(flowsModule.AuthorizationCodeFlowOrchestrator).toBeDefined();
+  });
+
+  it('default export (index) works without oauth2-flows installed', async () => {
+    jest.doMock('@okta/oauth2-flows', () => {
+      throw new Error('Cannot find module @okta/oauth2-flows');
+    });
+
+    const indexModule = await import('../../src/index');
+    expect(indexModule).toBeDefined();
+    expect(indexModule.OAuth2Client).toBeDefined();
+    expect(indexModule.FetchClient).toBeDefined();
+    expect((indexModule as any).AuthorizationCodeFlowOrchestrator).toBeUndefined();
+  });
+});
\ No newline at end of file

From bb750ae65d46251c74a4c617e643680a2b10ccff Mon Sep 17 00:00:00 2001
From: Jared Perreault <jared.perreault@okta.com>
Date: Thu, 9 Apr 2026 14:08:47 -0400
Subject: [PATCH 4/5] CHLOG

---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e4cab69..27a9cbb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.7.2] - 2026-04-09
+
+### `@okta/spa-platform`
+
+#### Fixed
+- Fixes package exports to ensure `@okta/oauth2-flows` is truly an _optional_ dependency ([#28](https://github.com/okta/okta-client-javascript/pull/28))
+
 ## [0.7.1] - 2026-04-06
 
 ### `@okta/auth-foundation`

From f59c423df755b8af785f381c6bd68f65bc15bed1 Mon Sep 17 00:00:00 2001
From: Jared Perreault <jared.perreault@okta.com>
Date: Thu, 9 Apr 2026 14:32:37 -0400
Subject: [PATCH 5/5] fixes unit test

---
 .../orchestrators/AuthorizationCodeFlowOrchestrator.spec.ts     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/spa-platform/test/spec/orchestrators/AuthorizationCodeFlowOrchestrator.spec.ts b/packages/spa-platform/test/spec/orchestrators/AuthorizationCodeFlowOrchestrator.spec.ts
index 504231d..ab8bae7 100644
--- a/packages/spa-platform/test/spec/orchestrators/AuthorizationCodeFlowOrchestrator.spec.ts
+++ b/packages/spa-platform/test/spec/orchestrators/AuthorizationCodeFlowOrchestrator.spec.ts
@@ -1,7 +1,7 @@
 import { Token, TokenOrchestratorError, OAuth2Error } from '@okta/auth-foundation';
 import { Credential } from 'src/Credential';
 import { AuthorizationCodeFlow } from 'src/flows/AuthorizationCodeFlow';
-import { AuthorizationCodeFlowOrchestrator } from 'src/orchestrators';
+import { AuthorizationCodeFlowOrchestrator } from 'src/orchestrators/AuthorizationCodeFlowOrchestrator';
 import { oauthClient, makeTestToken } from '../../helpers/makeTestResource';