OMSWallet again.
Read restored session state
OMSWalletSessionState contains completed-session metadata: walletAddress, expiresAt, and authentication metadata in auth. For OIDC, the metadata identifies .idToken or .redirect, the issuer, optional provider details, and an email when OMS returns one.
The request-signing credential is separate. Its non-extractable P-256 private key remains Keychain-managed and is not serialized into OMSWalletSessionState. Restoration succeeds only when the completed metadata is unexpired and its Keychain credential can be restored.
A manual
PendingWalletSelection is not completed session metadata. It remains in memory only until your app activates a wallet.Observe expiration
Expired sessions are not activated. Keep the returned observation alive while you need notifications. The callback runs onMainActor.
List, switch, and create wallets
These operations require the authenticated credential.listWallets() follows all server cursors and returns the complete list.
useWallet and createWallet replace the active wallet while preserving the current session expiry and authentication metadata.
Understand access objects
Keep these three objects distinct:
The OIDC provider ID token used during authentication is a fourth object: it is app-owned identity proof consumed as auth input, not an OMS wallet token.
Request a wallet ID token
CallgetIdToken() only after a wallet is active. Send the returned string to a backend that verifies it using the OMS issuer and JWKS flow described in backend wallet verification.
List and revoke access credentials
UselistAccess() to load all credential pages for account-management UI.
listAccessPage(pageSize:cursor:). Revoke only a credential whose isCaller value is false: