npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@abstract-foundation/wallet-sdk

v0.0.1

Published

Abstract Wallet SDK — framework-agnostic core for embedding the Abstract Global Wallet on third-party origins via iframe (with popup fallback). Origin-validated postMessage transport, hardened iframe sandboxing, IntersectionObserver-v2-aware visibility ch

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

cygaardevcygaardevcoffeexcoincoffeexcoinjarrodwattsjarrodwatts

Keywords

abstractabstract-global-walletagwwalletiframeembedded-walleteip-1193ethereumweb3sdk

Readme

@abstract-foundation/wallet-sdk

Framework-agnostic SDK for embedding the Abstract Global Wallet on third-party origins via iframe (with popup fallback).

Ports the security-relevant pieces of Porto to the Abstract stack: origin-validated postMessage transport, hardened iframe sandboxing, IntersectionObserver-v2-aware visibility checks (the clickjacking primitive lives in the wallet host), runtime-driven popup fallback over the messenger, and an EIP-1193 provider that proxies through to the wallet origin.

Status: early. The dApp-side core is in place; Web Components (/elements) and React wrappers (/react) ship in follow-up releases.

Install

pnpm add @abstract-foundation/wallet-sdk viem

Usage

import { createWallet } from '@abstract-foundation/wallet-sdk';

const wallet = createWallet({
  host: 'https://wallet.abs.xyz',
  chainId: 2741,
  // optional
  dialog: 'auto',  // 'auto' | 'iframe' | 'popup'
});

// EIP-1193 — pass straight to wagmi/viem/ethers
const accounts = await wallet.provider.request({
  method: 'eth_requestAccounts',
});

Mode selection

'auto' (default) starts in iframe mode and transparently falls back to a popup when:

  • Parent origin is HTTP (HTTPS is required for the iframe transport).
  • IntersectionObserver v2 (isVisible) is unsupported AND the parent host is not on the wallet host's trusted-host allowlist.
  • The wallet host explicitly requests a switch via the messenger (__internal { type: 'switch', mode: 'popup' }). The host uses this hook for cases the parent SDK can't predict — for example, WebAuthn credential creation on Safari (which Safari blocks in cross-origin iframes) if a flow ever required it.

A note on WebAuthn / passkeys

AGW does not use WebAuthn for wallet signing or account creation. Privy passkey enrollment happens in the main Abstract portal app under account management — never inside the iframed wallet — so the SDK does not pre-emptively force Safari users into popup mode for wallet_connect or eth_requestAccounts.

Returning users with passkeys log in via navigator.credentials.get(), which works in cross-origin iframes when the publickey-credentials-get permission is granted (set automatically by Dialog.iframe()).

Iframe hardening

When the iframe path is chosen, the iframe is mounted inside a top-layer <dialog> with:

sandbox="allow-forms allow-scripts allow-same-origin
         allow-popups allow-popups-to-escape-sandbox"
allow="payment;
       publickey-credentials-get   <walletOrigin>;
       publickey-credentials-create <walletOrigin>;
       clipboard-write"

The dApp side also installs a MutationObserver that strips inert attributes injected onto the dialog by browser extensions (a known issue with 1Password and similar).

The actual visibility/clickjacking defence (the IO-v2 isVisible check that disables pointer-events when the iframe is occluded) lives in the wallet host application, not in this SDK — it's a property of being delivered cross-origin in an iframe and would not be meaningful on the parent side.

Public API

// Top-level (consumed by most dApps)
import {
  createWallet,
  type Wallet,
  type WalletConfig,
  type Eip1193Provider,
} from '@abstract-foundation/wallet-sdk';

// Lower-level primitives (for embedders / framework wrappers)
import {
  Dialog,
  Messenger,
  UserAgent,
  IntersectionObserver,
} from '@abstract-foundation/wallet-sdk/core';

License

MIT