Skip to main content
An active session combines a selected wallet with an unexpired OMS credential. The SDK persists completed session metadata and restores it when you create OMSWallet again.

Read restored session state

OMSWalletSessionState contains completed-session metadata: walletAddress, expiresAt, and authentication metadata in auth. For OIDC, the metadata identifies .idToken or .redirect, the issuer, optional provider details, and an email when OMS returns one. The request-signing credential is separate. Its non-extractable P-256 private key remains Keychain-managed and is not serialized into OMSWalletSessionState. Restoration succeeds only when the completed metadata is unexpired and its Keychain credential can be restored.
A manual PendingWalletSelection is not completed session metadata. It remains in memory only until your app activates a wallet.

Observe expiration

Expired sessions are not activated. Keep the returned observation alive while you need notifications. The callback runs on MainActor.
The event retains the expired session snapshot so you can choose the appropriate reauthentication UI.

List, switch, and create wallets

These operations require the authenticated credential. listWallets() follows all server cursors and returns the complete list.
Create and activate another wallet for the same credential when your product requires one.
Both useWallet and createWallet replace the active wallet while preserving the current session expiry and authentication metadata.

Understand access objects

Keep these three objects distinct: The OIDC provider ID token used during authentication is a fourth object: it is app-owned identity proof consumed as auth input, not an OMS wallet token.

Request a wallet ID token

Call getIdToken() only after a wallet is active. Send the returned string to a backend that verifies it using the OMS issuer and JWKS flow described in backend wallet verification.
Custom claims originate in the client. Your backend should not treat them as trusted authorization state unless it controls how they are assigned.

List and revoke access credentials

Use listAccess() to load all credential pages for account-management UI.
Use the async sequence when your UI should process one server page at a time.
You can also request one page with listAccessPage(pageSize:cursor:). Revoke only a credential whose isCaller value is false:
Revocation cannot be undone. Revoking the caller invalidates the credential making the current request and prevents subsequent protected operations from that session. Keep caller revocation out of the normal access-management UI.

Sign out

Signing out clears the completed session, Keychain credential, pending redirect state, and pending wallet selection for this SDK scope. It does not revoke other access credentials on the wallet.