feat: link external wallet

[lwin-kyaw]

Jira Link

https://consensyssoftware.atlassian.net/browse/EMBED-85?atlOrigin=eyJpIjoiM2UxZDY3YTZlOGFkNGU2Nzg0YjFjYjliOTc5N2I1MjAiLCJwIjoiaiJ9

Description

This PR adds external wallet account linking to Web3Auth.

Users authenticated through the AUTH connector can now link and unlink external wallets, retrieve connected account metadata from user info, and access framework-level React/Vue helpers for the flow. The change also updates the demo apps to showcase the new linking UX.

What Changed

• Added linkAccount(params) and unlinkAccount(address) to Web3AuthNoModal.
• Introduced account-linking types and REST helpers for Citadel-backed /v1/link/wallet and /v1/unlink/wallet requests.
• Added dedicated AccountLinkingError error codes and analytics events for linking/unlinking start, success, and failure.
• Extended connector interfaces with generateChallengeAndSign() so external wallets can produce proof-of-ownership signatures for linking.
• Refactored EVM, Solana, and WalletConnect v2 connectors to support reusable challenge/sign flows.
• Implemented isolated connector creation during linking so external wallet proof generation does not mutate the main SDK session state.
• Updated AuthConnector.getUserInfo() to include connectedAccounts fetched from Citadel /v1/user.
• Added and exported useLinkAccount hooks/composables for:
  • @web3auth/modal/react
  • @web3auth/modal/vue
  • @web3auth/no-modal/react
  • @web3auth/no-modal/vue
• Updated the Vue and Wagmi React demo apps to:
  • display connected wallets from user info
  • link external wallets
  • unlink linked wallets
  • show success/error state for the flow

User-Facing Features

• Authenticated users can link an external wallet to their Web3Auth account.
• Linked wallets can be unlinked later by address.
• User info now includes connected account metadata, including primary account state and linked wallet details.
• React and Vue consumers get a simplified useLinkAccount API with loading, error, and linked account state.

Notes

• Account linking/unlinking is only supported when the active session is connected with the AUTH connector.
• Automatic wallet linking currently supports METAMASK and WALLET_CONNECT_V2.
• Linking uses signed wallet challenges and refreshed identity tokens returned from Citadel.

How has this been tested?

• Authenticate with the AUTH connector.
• Call getUserInfo() and verify connectedAccounts is returned.
• Link a MetaMask wallet and confirm the linked account appears in the response.
• Link a WalletConnect wallet and confirm the linked account appears in the response.
• Unlink a previously linked wallet and confirm it is removed from the returned linked accounts.
• Verify React/Vue demo flows show loading, success, and error states correctly.

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

• My code follows the code style of this project. (run lint)
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

---

Note

High Risk
Adds new account linking/unlinking and active-wallet switching flows that touch authentication state, connector lifecycle, and WalletConnect modal behavior; regressions could break login/connect or leave connectors in a bad state. Also introduces new Citadel API calls and token refresh handling that must be correct to avoid linking the wrong account or failing silently.

Overview
Adds external wallet account linking to the SDK: new linkAccount, unlinkAccount, and switchAccount APIs, Citadel REST helpers (/v1/link/wallet, /v1/unlink), new AccountLinkingError codes, analytics events, and a connectedAccounts shape on userInfo.

Extends connector contracts to support proof generation via generateChallengeAndSign and introduces a connection_updated event so apps (notably Wagmi providers) resync when the active account changes without a full reconnect.

Updates the modal UI to run a dedicated WalletConnect-driven account-linking/session screen (QR + status states), and exports new account-linking entrypoints for React/Vue; demo apps add linking/switching UI (Vue adds a full AccountLinkingSection, React demo adds a basic link flow) and bumps MetaMask connect package versions.

^{Reviewed by Cursor Bugbot for commit 71af882. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
web3auth-web	Ready	Preview, Comment	May 15, 2026 3:48am

[tuna1207]

updateAccountLinkingState already setState i don't think we need this anymore

[chaitanyapotti]

groupedAuthConnectionId?

[chaitanyapotti]

do we also get a new access token?

[lwin-kyaw]

No. We don't store linked account info in the accessToken, only in idToken.

[chaitanyapotti]

same

[lwin-kyaw]

No, we don't refresh the accessToken.

[chaitanyapotti]

isn't all these access token and not idtoken

[lwin-kyaw]

idToken, if I'm not mistaken.

I've updated the comment for the interfaces.

[chaitanyapotti]

deduplicate this file

[lwin-kyaw]

Deduped here, a36472d

[chaitanyapotti]

where's the data?

[chaitanyapotti]

data?

[chaitanyapotti]

use the ref

[chaitanyapotti]

lint warning

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit f3f96c9. Configure here.}

[chaitanyapotti]

we shouldn't ideally re-assign this object.
listeners are already set on this by clients
you're moving listeners to a new obj but depending on client framework used, it may not work correctly