mikusnuz
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/js/dist/index.cjs‎
Lines changed: 12 additions & 0 deletions b/‎packages/js/dist/index.cjs‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎packages/js/dist/index.cjs.map‎
Lines changed: 1 addition & 1 deletion b/‎packages/js/dist/index.cjs.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/js/dist/index.js‎
Lines changed: 12 additions & 0 deletions b/‎packages/js/dist/index.js‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎packages/js/dist/index.js.map‎
Lines changed: 1 addition & 1 deletion b/‎packages/js/dist/index.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/js/package.json‎
Lines changed: 1 addition & 1 deletion b/‎packages/js/package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/js/src/session.ts‎
Lines changed: 16 additions & 0 deletions b/‎packages/js/src/session.ts‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎swift/Sources/Authon/SessionManager.swift‎
Lines changed: 33 additions & 18 deletions b/‎swift/Sources/Authon/SessionManager.swift‎
Lines changed: 33 additions & 18 deletions
@@ -12,7 +12,7 @@ Official SDKs for [Authon](https://authon.dev) — a modern authentication platf
 | Package | Version | Description | npm |
 |---------|---------|-------------|-----|
 | [`@authon/shared`](./packages/shared) | 0.3.0 | Shared types and constants for all Authon SDKs | [npm](https://www.npmjs.com/package/@authon/shared) |
-| [`@authon/js`](./packages/js) | 0.7.10 | Core browser SDK — ShadowDOM modal, OAuth, sessions, CAPTCHA, i18n (21 languages) | [npm](https://www.npmjs.com/package/@authon/js) |
+| [`@authon/js`](./packages/js) | 0.7.11 | Core browser SDK — ShadowDOM modal, OAuth, sessions, CAPTCHA, i18n (21 languages) | [npm](https://www.npmjs.com/package/@authon/js) |
 | [`@authon/react`](./packages/react) | 0.3.2 | Provider, hooks, and components for React | [npm](https://www.npmjs.com/package/@authon/react) |
 | [`@authon/nextjs`](./packages/nextjs) | 0.3.0 | Middleware and React components for Next.js | [npm](https://www.npmjs.com/package/@authon/nextjs) |
 | [`@authon/vue`](./packages/vue) | 0.3.3 | Plugin, composables, and components for Vue 3 | [npm](https://www.npmjs.com/package/@authon/vue) |
 
@@ -2494,6 +2494,7 @@ var SessionManager = class _SessionManager {
   publishableKey;
   storageKey;
   refreshRetryCount = 0;
+  refreshInFlight = null;
   static MAX_REFRESH_RETRIES = 3;
   static RETRY_DELAYS = [3, 10, 30];
   // seconds
@@ -2577,6 +2578,17 @@ var SessionManager = class _SessionManager {
     this.refreshTimer = setTimeout(() => this.refresh(), refreshIn);
   }
   async refresh() {
+    if (this.refreshInFlight) return this.refreshInFlight;
+    if (!this.refreshToken) {
+      this.clearSession();
+      return null;
+    }
+    this.refreshInFlight = this._doRefresh();
+    const result = await this.refreshInFlight;
+    this.refreshInFlight = null;
+    return result;
+  }
+  async _doRefresh() {
     if (!this.refreshToken) {
       this.clearSession();
       return null;
 
@@ -1,6 +1,6 @@
 {
   "name": "@authon/js",
-  "version": "0.7.10",
+  "version": "0.7.11",
   "description": "Authon core browser SDK — ShadowDOM login modal, OAuth, session management",
   "type": "module",
   "main": "./dist/index.cjs",
 
@@ -9,6 +9,7 @@ export class SessionManager {
   private publishableKey: string;
   private storageKey: string;
   private refreshRetryCount = 0;
+  private refreshInFlight: Promise<AuthTokens | null> | null = null;
   private static readonly MAX_REFRESH_RETRIES = 3;
   private static readonly RETRY_DELAYS = [3, 10, 30]; // seconds
 
@@ -102,6 +103,21 @@ export class SessionManager {
   }
 
   async refresh(): Promise<AuthTokens | null> {
+    // Single-flight: if refresh is already in progress, return that promise
+    if (this.refreshInFlight) return this.refreshInFlight;
+
+    if (!this.refreshToken) {
+      this.clearSession();
+      return null;
+    }
+
+    this.refreshInFlight = this._doRefresh();
+    const result = await this.refreshInFlight;
+    this.refreshInFlight = null;
+    return result;
+  }
+
+  private async _doRefresh(): Promise<AuthTokens | null> {
     if (!this.refreshToken) {
       this.clearSession();
       return null;
 
@@ -18,6 +18,7 @@ final class SessionManager {
     private var refreshRetryCount = 0
     private static let maxRefreshRetries = 3
     private static let retryDelays: [TimeInterval] = [3, 10, 30]
+    private var refreshInFlight: Task<TokenPair?, Never>?
     private let onExpired: () -> Void
 
     init(api: AuthonAPI, onRefreshed: @escaping (TokenPair, AuthonUser) -> Void, onExpired: @escaping () -> Void) {
@@ -115,27 +116,38 @@ final class SessionManager {
     }
 
     func refresh() async -> TokenPair? {
+        // Single-flight: if refresh is already in progress, wait for that result
+        if let existing = refreshInFlight {
+            return await existing.value
+        }
         guard let refreshToken = tokens?.refreshToken, !refreshToken.isEmpty else { return nil }
-        do {
-            struct RefreshBody: Encodable {
-                let refreshToken: String
+        let task = Task<TokenPair?, Never> { [weak self] in
+            guard let self else { return nil }
+            do {
+                struct RefreshBody: Encodable {
+                    let refreshToken: String
+                }
+                let response: ApiAuthResponse = try await self.api.request(
+                    "POST",
+                    "/v1/auth/token/refresh",
+                    body: RefreshBody(refreshToken: refreshToken)
+                )
+                let newPair = TokenPair(
+                    accessToken: response.accessToken,
+                    refreshToken: response.refreshToken,
+                    expiresAt: Date().timeIntervalSince1970 * 1000 + Double(response.expiresIn) * 1000
+                )
+                self.tokens = newPair
+                self.saveToKeychain(newPair)
+                return newPair
+            } catch {
+                return nil
             }
-            let response: ApiAuthResponse = try await api.request(
-                "POST",
-                "/v1/auth/token/refresh",
-                body: RefreshBody(refreshToken: refreshToken)
-            )
-            let newPair = TokenPair(
-                accessToken: response.accessToken,
-                refreshToken: response.refreshToken,
-                expiresAt: Date().timeIntervalSince1970 * 1000 + Double(response.expiresIn) * 1000
-            )
-            tokens = newPair
-            saveToKeychain(newPair)
-            return newPair
-        } catch {
-            return nil
         }
+        refreshInFlight = task
+        let result = await task.value
+        refreshInFlight = nil
+        return result
     }
 
     // MARK: - Auto-Refresh
@@ -166,6 +178,9 @@ final class SessionManager {
     }
 
     private func performRefresh() {
+        // Skip if refresh is already in flight
+        if refreshInFlight != nil { return }
+
         guard let refreshToken = tokens?.refreshToken else {
             onExpired()
             return
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@authon/js",`
`3`		`- "version": "0.7.10",`
	`3`	`+ "version": "0.7.11",`
`4`	`4`	`"description": "Authon core browser SDK — ShadowDOM login modal, OAuth, session management",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"main": "./dist/index.cjs",`