feat: link external wallet

[lwin-kyaw]

Jira Link

https://consensyssoftware.atlassian.net/browse/EMBED-85?atlOrigin=eyJpIjoiM2UxZDY3YTZlOGFkNGU2Nzg0YjFjYjliOTc5N2I1MjAiLCJwIjoiaiJ9

Description

This PR adds external wallet account linking to Web3Auth.

Users authenticated through the AUTH connector can now link and unlink external wallets, retrieve connected account metadata from user info, and access framework-level React/Vue helpers for the flow. The change also updates the demo apps to showcase the new linking UX.

What Changed

• Added linkAccount(params) and unlinkAccount(address) to Web3AuthNoModal.
• Introduced account-linking types and REST helpers for Citadel-backed /v1/link/wallet and /v1/unlink/wallet requests.
• Added dedicated AccountLinkingError error codes and analytics events for linking/unlinking start, success, and failure.
• Extended connector interfaces with generateChallengeAndSign() so external wallets can produce proof-of-ownership signatures for linking.
• Refactored EVM, Solana, and WalletConnect v2 connectors to support reusable challenge/sign flows.
• Implemented isolated connector creation during linking so external wallet proof generation does not mutate the main SDK session state.
• Updated AuthConnector.getUserInfo() to include connectedAccounts fetched from Citadel /v1/user.
• Added and exported useLinkAccount hooks/composables for:
  • @web3auth/modal/react
  • @web3auth/modal/vue
  • @web3auth/no-modal/react
  • @web3auth/no-modal/vue
• Updated the Vue and Wagmi React demo apps to:
  • display connected wallets from user info
  • link external wallets
  • unlink linked wallets
  • show success/error state for the flow

User-Facing Features

• Authenticated users can link an external wallet to their Web3Auth account.
• Linked wallets can be unlinked later by address.
• User info now includes connected account metadata, including primary account state and linked wallet details.
• React and Vue consumers get a simplified useLinkAccount API with loading, error, and linked account state.

Notes

• Account linking/unlinking is only supported when the active session is connected with the AUTH connector.
• Automatic wallet linking currently supports METAMASK and WALLET_CONNECT_V2.
• Linking uses signed wallet challenges and refreshed identity tokens returned from Citadel.

How has this been tested?

• Authenticate with the AUTH connector.
• Call getUserInfo() and verify connectedAccounts is returned.
• Link a MetaMask wallet and confirm the linked account appears in the response.
• Link a WalletConnect wallet and confirm the linked account appears in the response.
• Unlink a previously linked wallet and confirm it is removed from the returned linked accounts.
• Verify React/Vue demo flows show loading, success, and error states correctly.

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

• My code follows the code style of this project. (run lint)
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

---

Note

High Risk
High risk because it adds new account-linking and account-switching flows that touch core connector interfaces, modal state management, and WalletConnect session handling, which can affect authentication and connection lifecycle across apps.

Overview
Adds external wallet account linking and active-wallet switching to Web3Auth, including new linkAccount, unlinkAccount, and switchAccount APIs, plus React/Vue hooks/composables and REST helpers for Citadel-backed linking/unlinking requests.

Updates the modal UI/state machine to support a dedicated WalletConnect-based account-linking session (QR flow, status/intent tracking, cleanup/reset on close), and adjusts Wagmi providers to resync on Web3Auth connection changes rather than provider identity.

Demo apps are updated to showcase linking, unlinking, switching between connected wallets, and displaying userInfo.connectedAccounts; dependencies and lockfiles are refreshed (notably MetaMask connect packages).

^{Reviewed by Cursor Bugbot for commit d0c8e95. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
web3auth-web	Ready	Preview, Comment	May 13, 2026 2:45am

[tuna1207]

should we log something here if the switch doesn't do anything

[lwin-kyaw]

There's only one case that authConnector.switchAccount can return empty value, i.e when the target account is already active.

We should not need any log for that, this is not an error. Clients should handle it to prevent switching to same account again.

[tuna1207]

do we need to check both ? what could be the case 1 of cached and current connection match

[lwin-kyaw]

On load, we init all the connectors (including external wallet connectors) again.
There's a case that user has linked the external wallet (the connector status is Connected) but it's not an active account (not cachedConnector).

[tuna1207]

updateAccountLinkingState already setState i don't think we need this anymore

[chaitanyapotti]

groupedAuthConnectionId?

[chaitanyapotti]

do we also get a new access token?

[lwin-kyaw]

No. We don't store linked account info in the accessToken, only in idToken.

[chaitanyapotti]

same

[lwin-kyaw]

No, we don't refresh the accessToken.

[chaitanyapotti]

isn't all these access token and not idtoken

[lwin-kyaw]

idToken, if I'm not mistaken.

I've updated the comment for the interfaces.

[chaitanyapotti]

deduplicate this file

[lwin-kyaw]

Deduped here, a36472d

[chaitanyapotti]

where's the data?

[chaitanyapotti]

data?

[chaitanyapotti]

use the ref

[chaitanyapotti]

lint warning

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit f3f96c9. Configure here.}

[chaitanyapotti]

we shouldn't ideally re-assign this object.
listeners are already set on this by clients
you're moving listeners to a new obj but depending on client framework used, it may not work correctly