diff --git a/Directory.Packages.props b/Directory.Packages.props
index 348ec6c..4dc04f7 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -4,19 +4,27 @@
     <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
   </PropertyGroup>
   <ItemGroup>
-    <PackageVersion Include="System.Text.Json" Version="10.0.3" />
+    <PackageVersion Include="System.Text.Json" Version="10.0.5" />
     <PackageVersion Include="Microsoft.CodeAnalysis.CSharp" Version="5.0.0" />
-    <PackageVersion Include="System.Formats.Cbor" Version="10.0.3" />
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.0.1" />
+    <PackageVersion Include="System.Formats.Cbor" Version="10.0.5" />
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.3.0" />
     <PackageVersion Include="xunit" Version="2.9.3" />
-    <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.2"/>
+    <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.5"/>
     <PackageVersion Include="coverlet.collector" Version="8.0.0"/>
-    <PackageVersion Include="GitVersion.MSBuild" Version="6.6.0" />
+    <PackageVersion Include="GitVersion.MSBuild" Version="6.6.1" />
     <PackageVersion Include="ZstdSharp.Port" Version="0.8.7" />
-    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.3" />
-    <PackageVersion Include="Microsoft.Extensions.Logging.Debug" Version="10.0.3" />
-    <PackageVersion Include="Microsoft.Build.Framework" Version="18.3.3" />
-    <PackageVersion Include="Microsoft.Build.Utilities.Core" Version="18.3.3" />
+    <PackageVersion Include="Microsoft.Extensions.Logging" Version="10.0.5" />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.5" />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Console" Version="10.0.5" />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Debug" Version="10.0.5" />
+    <PackageVersion Include="Microsoft.Build.Framework" Version="18.4.0" />
+    <PackageVersion Include="Microsoft.Build.Utilities.Core" Version="18.4.0" />
     <PackageVersion Include="ConsoleAppFramework" Version="5.7.13"/>
+    <PackageVersion Include="Microsoft.Maui.Controls" Version="10.0.50" />
+    <PackageVersion Include="Avalonia" Version="12.0.0-preview2" />
+    <PackageVersion Include="Avalonia.Desktop" Version="12.0.0-preview2" />
+    <PackageVersion Include="Avalonia.Themes.Fluent" Version="12.0.0-preview2" />
+    <PackageVersion Include="Avalonia.Browser" Version="12.0.0-preview2" />
+    <PackageVersion Include="Avalonia.Controls.WebView" Version="12.0.999-cibuild0000026-alpha" />
   </ItemGroup>
 </Project>
\ No newline at end of file
diff --git a/NuGet.Config b/NuGet.Config
index ad32aba..7123d24 100644
--- a/NuGet.Config
+++ b/NuGet.Config
@@ -4,6 +4,8 @@
   <packageSources>
     <clear />
     <add key="api.nuget.org" value="https://api.nuget.org/v3/index.json" />
+    <add key="avalonia-nightly" value="https://nuget-feed-nightly.avaloniaui.net/v3/index.json"
+      protocolVersion="3" />
   </packageSources>
 
   <fallbackPackageFolders>
@@ -13,6 +15,10 @@
   <packageSourceMapping>
     <packageSource key="api.nuget.org">
       <package pattern="*" />
+      <package pattern="Avalonia*" />
+    </packageSource>
+    <packageSource key="avalonia-nightly">
+      <package pattern="Avalonia*" />
     </packageSource>
   </packageSourceMapping>
 </configuration>
\ No newline at end of file
diff --git a/samples/BSkyOAuth/BSkyOAuth.MacCatalyst/BSkyOAuth.MacCatalyst.csproj b/samples/BSkyOAuth/BSkyOAuth.MacCatalyst/BSkyOAuth.MacCatalyst.csproj
index 42ac5fb..d6db9f2 100644
--- a/samples/BSkyOAuth/BSkyOAuth.MacCatalyst/BSkyOAuth.MacCatalyst.csproj
+++ b/samples/BSkyOAuth/BSkyOAuth.MacCatalyst/BSkyOAuth.MacCatalyst.csproj
@@ -12,6 +12,7 @@
     <SupportedOSPlatformVersion>18.0</SupportedOSPlatformVersion>
     <ValidateXcodeVersion>false</ValidateXcodeVersion>
     <UseInterpreter>true</UseInterpreter>
+    <NoWarn>$(NoWarn);CS8002</NoWarn>
 
     <!--
       Enable full trimming in Release mode.
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/BSkyOAuthAvalonia.Browser.csproj b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/BSkyOAuthAvalonia.Browser.csproj
new file mode 100644
index 0000000..7e70083
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/BSkyOAuthAvalonia.Browser.csproj
@@ -0,0 +1,18 @@
+<Project Sdk="Microsoft.NET.Sdk.WebAssembly">
+  <PropertyGroup>
+    <TargetFramework>net10.0-browser</TargetFramework>
+    <OutputType>Exe</OutputType>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\BSkyOAuthAvalonia\BSkyOAuthAvalonia.csproj" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Update="Avalonia" />
+    <PackageReference Include="Avalonia.Browser" />
+  </ItemGroup>
+</Project>
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/Program.cs b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/Program.cs
new file mode 100644
index 0000000..0e5e6fe
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/Program.cs
@@ -0,0 +1,13 @@
+using System.Threading.Tasks;
+using Avalonia;
+using Avalonia.Browser;
+using BSkyOAuthAvalonia;
+
+internal sealed partial class Program
+{
+    private static Task Main(string[] args) => BuildAvaloniaApp()
+            .StartBrowserAppAsync("out");
+
+    public static AppBuilder BuildAvaloniaApp()
+        => AppBuilder.Configure<App>();
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/wwwroot/app.css b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/wwwroot/app.css
new file mode 100644
index 0000000..4c9e1fd
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/wwwroot/app.css
@@ -0,0 +1,42 @@
+.avalonia-splash {
+    position: absolute;
+    height: 100%;
+    width: 100%;
+    background: white;
+    font-family: 'Outfit', sans-serif;
+    justify-content: center;
+    align-items: center;
+    display: flex;
+    pointer-events: none;
+}
+
+@media (prefers-color-scheme: light) {
+    .avalonia-splash {
+        background: white;
+    }
+
+    .avalonia-splash h2 {
+        color: #1b2a4e;
+    }
+}
+
+@media (prefers-color-scheme: dark) {
+    .avalonia-splash {
+        background: #1b2a4e;
+    }
+
+    .avalonia-splash h2 {
+        color: white;
+    }
+}
+
+.avalonia-splash h2 {
+    font-weight: 400;
+    font-size: 1.5rem;
+}
+
+.avalonia-splash.splash-close {
+    transition: opacity 200ms, display 200ms;
+    display: none;
+    opacity: 0;
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/wwwroot/index.html b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/wwwroot/index.html
new file mode 100644
index 0000000..a44824e
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/wwwroot/index.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>BSkyOAuthAvalonia</title>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="stylesheet" href="./app.css" />
+</head>
+
+<body style="margin: 0; overflow: hidden">
+<div id="out">
+    <div class="avalonia-splash">
+        <h2>Loading...</h2>
+    </div>
+</div>
+<script type='module' src="./main.js"></script>
+</body>
+
+</html>
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/wwwroot/main.js b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/wwwroot/main.js
new file mode 100644
index 0000000..bf1555e
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/wwwroot/main.js
@@ -0,0 +1,13 @@
+import { dotnet } from './_framework/dotnet.js'
+
+const is_browser = typeof window != "undefined";
+if (!is_browser) throw new Error(`Expected to be running in a browser`);
+
+const dotnetRuntime = await dotnet
+    .withDiagnosticTracing(false)
+    .withApplicationArgumentsFromQuery()
+    .create();
+
+const config = dotnetRuntime.getConfig();
+
+await dotnetRuntime.runMain(config.mainAssemblyName, [globalThis.location.href]);
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Desktop/BSkyOAuthAvalonia.Desktop.csproj b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Desktop/BSkyOAuthAvalonia.Desktop.csproj
new file mode 100644
index 0000000..b418f9a
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Desktop/BSkyOAuthAvalonia.Desktop.csproj
@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <OutputType>WinExe</OutputType>
+    <TargetFramework>net10.0</TargetFramework>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Avalonia.Desktop" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\BSkyOAuthAvalonia\BSkyOAuthAvalonia.csproj" />
+  </ItemGroup>
+
+</Project>
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Desktop/Program.cs b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Desktop/Program.cs
new file mode 100644
index 0000000..60cad19
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia.Desktop/Program.cs
@@ -0,0 +1,17 @@
+using System;
+using Avalonia;
+using BSkyOAuthAvalonia;
+
+namespace BSkyOAuthAvalonia.Desktop;
+
+internal class Program
+{
+    [STAThread]
+    public static void Main(string[] args) => BuildAvaloniaApp()
+        .StartWithClassicDesktopLifetime(args);
+
+    public static AppBuilder BuildAvaloniaApp()
+        => AppBuilder.Configure<App>()
+            .UsePlatformDetect()
+            .LogToTrace();
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/App.axaml b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/App.axaml
new file mode 100644
index 0000000..ab58895
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/App.axaml
@@ -0,0 +1,7 @@
+<Application xmlns="https://github.com/avaloniaui"
+             xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+             x:Class="BSkyOAuthAvalonia.App">
+    <Application.Styles>
+        <FluentTheme />
+    </Application.Styles>
+</Application>
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/App.axaml.cs b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/App.axaml.cs
new file mode 100644
index 0000000..59678af
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/App.axaml.cs
@@ -0,0 +1,28 @@
+using Avalonia;
+using Avalonia.Controls;
+using Avalonia.Controls.ApplicationLifetimes;
+using Avalonia.Markup.Xaml;
+
+namespace BSkyOAuthAvalonia;
+
+public class App : Application
+{
+    public override void Initialize()
+    {
+        AvaloniaXamlLoader.Load(this);
+    }
+
+    public override void OnFrameworkInitializationCompleted()
+    {
+        if (ApplicationLifetime is IClassicDesktopStyleApplicationLifetime desktop)
+        {
+            desktop.MainWindow = new MainWindow();
+        }
+        else if (ApplicationLifetime is ISingleViewApplicationLifetime singleView)
+        {
+            singleView.MainView = new MainView();
+        }
+
+        base.OnFrameworkInitializationCompleted();
+    }
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/BSkyOAuthAvalonia.csproj b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/BSkyOAuthAvalonia.csproj
new file mode 100644
index 0000000..176353c
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/BSkyOAuthAvalonia.csproj
@@ -0,0 +1,33 @@
+<Project Sdk="Microsoft.NET.Sdk">
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <AllowUnsafeBlocks>True</AllowUnsafeBlocks>
+        <DefineConstants>$(DefineConstants);AVALONIA</DefineConstants>
+        <NoWarn>$(NoWarn);CS8002;CS8632</NoWarn>
+        <CarpaNet_LexiconAutoResolve>true</CarpaNet_LexiconAutoResolve>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="Avalonia" />
+        <PackageReference Include="Avalonia.Themes.Fluent" />
+        <PackageReference Include="Avalonia.Controls.WebView" />
+    </ItemGroup>
+
+    <ItemGroup>
+		<ProjectReference Include="../../../../src/CarpaNet/CarpaNet.csproj" />
+		<ProjectReference Include="../../../../src/CarpaNet.OAuth/CarpaNet.OAuth.csproj" />
+		<ProjectReference Include="../../../../src/CarpaNet.SourceGen/CarpaNet.SourceGen.csproj"
+		                  OutputItemType="Analyzer"
+		                  ReferenceOutputAssembly="false" />
+	</ItemGroup>
+
+	<Import Project="../../../../src/CarpaNet/build/CarpaNet.targets" />
+
+    <ItemGroup>
+        <LexiconResolve Include="app.bsky.feed.getTimeline" />
+        <LexiconResolve Include="app.bsky.actor.getProfile" />
+        <LexiconResolve Include="app.bsky.feed.post" />
+    </ItemGroup>
+
+</Project>
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/MainView.axaml b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/MainView.axaml
new file mode 100644
index 0000000..fae3003
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/MainView.axaml
@@ -0,0 +1,54 @@
+<UserControl xmlns="https://github.com/avaloniaui"
+             xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+             xmlns:local="clr-namespace:BSkyOAuthAvalonia"
+             x:Class="BSkyOAuthAvalonia.MainView">
+    <Grid RowDefinitions="Auto,*" Margin="15">
+        <StackPanel Grid.Row="0" Spacing="10">
+            <TextBox x:Name="HandleEntry"
+                     PlaceholderText="Enter your Bluesky handle (e.g. alice.bsky.social)" />
+
+            <StackPanel Orientation="Horizontal" Spacing="10">
+                <Button x:Name="LoginBtn"
+                        Content="Login"
+                        Click="OnLoginClicked" />
+                <Button x:Name="LoadSessionBtn"
+                        Content="Load Session"
+                        Click="OnLoadSessionClicked" />
+                <Button x:Name="GetTimelineBtn"
+                        Content="Get Timeline"
+                        IsEnabled="False"
+                        Click="OnGetTimelineClicked" />
+            </StackPanel>
+
+            <ProgressBar x:Name="LoadingIndicator"
+                         IsIndeterminate="True"
+                         IsVisible="False"
+                         Height="4" />
+
+            <TextBlock x:Name="StatusLabel"
+                       Text="Not authenticated"
+                       Foreground="Gray"
+                       TextWrapping="Wrap" />
+        </StackPanel>
+
+        <ListBox x:Name="TimelineView" Grid.Row="1" Margin="0,10,0,0">
+            <ListBox.ItemTemplate>
+                <DataTemplate x:DataType="local:TimelineItem">
+                    <Border BorderBrush="Gray"
+                            BorderThickness="1"
+                            CornerRadius="8"
+                            Padding="10"
+                            Margin="0,4">
+                        <StackPanel Spacing="4">
+                            <TextBlock Text="{Binding AuthorDisplay}"
+                                       FontWeight="Bold" />
+                            <TextBlock Text="{Binding Text}"
+                                       TextWrapping="Wrap"
+                                       MaxLines="5" />
+                        </StackPanel>
+                    </Border>
+                </DataTemplate>
+            </ListBox.ItemTemplate>
+        </ListBox>
+    </Grid>
+</UserControl>
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/MainView.axaml.cs b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/MainView.axaml.cs
new file mode 100644
index 0000000..6c94d6b
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/MainView.axaml.cs
@@ -0,0 +1,285 @@
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using System.Threading;
+using System.Threading.Tasks;
+using AppBsky.Feed;
+using Avalonia.Controls;
+using Avalonia.Interactivity;
+using CarpaNet;
+using CarpaNet.Identity;
+using CarpaNet.OAuth;
+using CarpaNet.OAuth.Storage;
+using Microsoft.Extensions.Logging;
+
+namespace BSkyOAuthAvalonia;
+
+public partial class MainView : UserControl
+{
+    private const string ClientMetadataUrl = "https://drasticactions.vip/client-metadata.json";
+    private const string RedirectUri = "vip.drasticactions:/callback";
+
+    private readonly OAuthSession oauthSession;
+    private readonly OauthStore sessionStore;
+
+    private ATProtoOAuthClient? client;
+
+    public MainView()
+    {
+        InitializeComponent();
+
+        this.sessionStore = new OauthStore();
+
+        var config = new OAuthClientConfig
+        {
+            ClientId = ClientMetadataUrl,
+            RedirectUri = RedirectUri,
+            Scope = "atproto transition:generic",
+            JsonOptions = ATProtoClientFactory.CreateJsonOptions(),
+            SessionStore = this.sessionStore,
+            LoggerFactory = new WasmLoggerFactory(),
+        };
+
+        this.oauthSession = new OAuthSession(config);
+    }
+
+    private async void OnLoginClicked(object? sender, RoutedEventArgs e)
+    {
+        var handle = HandleEntry.Text?.Trim();
+        if (string.IsNullOrWhiteSpace(handle))
+        {
+            StatusLabel.Text = "Please enter a handle.";
+            return;
+        }
+
+        var atIdentifier = new ATIdentifier(handle);
+        if (!atIdentifier.IsValid)
+        {
+            StatusLabel.Text = "Invalid handle.";
+            return;
+        }
+
+        SetLoading(true);
+
+        try
+        {
+            var authUrl = await this.oauthSession.AuthorizeAsync(atIdentifier);
+
+            var topLevel = TopLevel.GetTopLevel(this);
+            var options = new WebAuthenticatorOptions(
+                new Uri(authUrl),
+                new Uri(RedirectUri));
+
+            var result = await WebAuthenticationBroker.AuthenticateAsync(topLevel!, options);
+
+            var callbackUrl = result.CallbackUri.ToString();
+            this.client = await this.oauthSession.CallbackAsync(callbackUrl);
+
+            if (this.client != null)
+            {
+                GetTimelineBtn.IsEnabled = true;
+                StatusLabel.Text = $"Authenticated as {this.client.Did}";
+            }
+            else
+            {
+                StatusLabel.Text = "Authentication failed.";
+            }
+        }
+        catch (OperationCanceledException)
+        {
+            StatusLabel.Text = "Authentication cancelled.";
+        }
+        catch (Exception ex)
+        {
+            var errorDetail = $"Error: {ex.GetType().FullName}: {ex.Message}\n{ex.StackTrace}";
+            StatusLabel.Text = errorDetail;
+            Console.Error.WriteLine(errorDetail);
+        }
+        finally
+        {
+            SetLoading(false);
+        }
+    }
+
+    private async void OnLoadSessionClicked(object? sender, RoutedEventArgs e)
+    {
+        var handle = HandleEntry.Text?.Trim();
+        if (string.IsNullOrWhiteSpace(handle))
+        {
+            StatusLabel.Text = "Enter a DID or handle to restore.";
+            return;
+        }
+
+        var atIdentifier = new ATIdentifier(handle);
+        if (!atIdentifier.IsValid)
+        {
+            StatusLabel.Text = "Invalid DID or handle.";
+            return;
+        }
+
+        SetLoading(true);
+
+        try
+        {
+            var did = handle;
+            if (atIdentifier.IsHandle)
+            {
+                using var resolver = new IdentityResolver();
+                var doc = await resolver.ResolveAsync(did);
+                did = doc.Id;
+            }
+
+            var session = await this.oauthSession.RestoreSessionAsync(did);
+            if (session != null)
+            {
+                this.client = session;
+                GetTimelineBtn.IsEnabled = true;
+                StatusLabel.Text = $"Session restored for {session.Did}";
+            }
+            else
+            {
+                StatusLabel.Text = "No saved session found.";
+            }
+        }
+        catch (Exception ex)
+        {
+            StatusLabel.Text = $"Error: {ex.Message}";
+        }
+        finally
+        {
+            SetLoading(false);
+        }
+    }
+
+    private async void OnGetTimelineClicked(object? sender, RoutedEventArgs e)
+    {
+        if (this.client == null)
+            return;
+
+        SetLoading(true);
+
+        try
+        {
+            var parameters = new GetTimelineParameters { Limit = 25 };
+            var timeline = await this.client.AppBskyFeedGetTimelineAsync(parameters);
+
+            var items = new List<TimelineItem>();
+            if (timeline.Feed != null)
+            {
+                foreach (var item in timeline.Feed)
+                {
+                    var author = item.Post?.Author;
+                    var text = string.Empty;
+                    if (item.Post?.Record is JsonElement recordElement)
+                    {
+                        if (recordElement.TryGetProperty("text", out var textElement))
+                        {
+                            text = textElement.GetString() ?? string.Empty;
+                        }
+                    }
+
+                    items.Add(new TimelineItem
+                    {
+                        AuthorDisplay = $"@{author?.Handle} ({author?.DisplayName})",
+                        Text = text,
+                    });
+                }
+            }
+
+            TimelineView.ItemsSource = items;
+            StatusLabel.Text = $"Loaded {items.Count} posts";
+        }
+        catch (Exception ex)
+        {
+            StatusLabel.Text = $"Error: {ex.Message}";
+        }
+        finally
+        {
+            SetLoading(false);
+        }
+    }
+
+    private void SetLoading(bool isLoading)
+    {
+        LoadingIndicator.IsVisible = isLoading;
+        LoginBtn.IsEnabled = !isLoading;
+        LoadSessionBtn.IsEnabled = !isLoading;
+        GetTimelineBtn.IsEnabled = !isLoading && this.client != null;
+    }
+}
+
+public class TimelineItem
+{
+    public string AuthorDisplay { get; set; } = string.Empty;
+
+    public string Text { get; set; } = string.Empty;
+}
+
+public sealed class OauthStore : IOAuthSessionStore
+{
+    private readonly string _directory;
+
+    public OauthStore()
+    {
+        _directory = Path.Combine(
+            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
+            "BSkyOAuthAvalonia");
+        Directory.CreateDirectory(_directory);
+    }
+
+    public Task StoreAsync(string sub, OAuthSessionData data, CancellationToken cancellationToken = default)
+    {
+        var json = JsonSerializer.Serialize(data, OAuthStoreJsonContext.Default.OAuthSessionData);
+        File.WriteAllText(GetPath(sub), json);
+        return Task.CompletedTask;
+    }
+
+    public Task<OAuthSessionData?> GetAsync(string sub, CancellationToken cancellationToken = default)
+    {
+        var path = GetPath(sub);
+        if (!File.Exists(path))
+            return Task.FromResult<OAuthSessionData?>(null);
+        var json = File.ReadAllText(path);
+        var data = JsonSerializer.Deserialize(json, OAuthStoreJsonContext.Default.OAuthSessionData);
+        return Task.FromResult(data);
+    }
+
+    public Task DeleteAsync(string sub, CancellationToken cancellationToken = default)
+    {
+        var path = GetPath(sub);
+        if (File.Exists(path))
+            File.Delete(path);
+        return Task.CompletedTask;
+    }
+
+    private string GetPath(string sub) =>
+        Path.Combine(_directory, $"oauth-{sub.Replace(":", "_")}.json");
+}
+
+[JsonSerializable(typeof(OAuthSessionData))]
+[JsonSourceGenerationOptions(
+    PropertyNamingPolicy = JsonKnownNamingPolicy.CamelCase,
+    DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull)]
+public partial class OAuthStoreJsonContext : JsonSerializerContext
+{
+}
+
+internal sealed class WasmLoggerFactory : ILoggerFactory
+{
+    public ILogger CreateLogger(string categoryName) => new WasmLogger(categoryName);
+    public void AddProvider(ILoggerProvider provider) { }
+    public void Dispose() { }
+
+    private sealed class WasmLogger(string category) : ILogger
+    {
+        public IDisposable? BeginScope<TState>(TState state) where TState : notnull => null;
+        public bool IsEnabled(LogLevel logLevel) => logLevel >= LogLevel.Debug;
+        public void Log<TState>(LogLevel logLevel, EventId eventId, TState state, Exception? exception, Func<TState, Exception?, string> formatter)
+        {
+            if (!IsEnabled(logLevel)) return;
+            var msg = $"[{logLevel}] {category}: {formatter(state, exception)}";
+            if (exception != null) msg += $"\n{exception}";
+            Console.WriteLine(msg);
+        }
+    }
+}
+
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/MainWindow.axaml b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/MainWindow.axaml
new file mode 100644
index 0000000..1593414
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/MainWindow.axaml
@@ -0,0 +1,9 @@
+<Window x:Class="BSkyOAuthAvalonia.MainWindow"
+        xmlns="https://github.com/avaloniaui"
+        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+        xmlns:local="clr-namespace:BSkyOAuthAvalonia"
+        Title="BSky OAuth - Avalonia"
+        Width="800"
+        Height="600">
+    <local:MainView />
+</Window>
diff --git a/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/MainWindow.axaml.cs b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/MainWindow.axaml.cs
new file mode 100644
index 0000000..2124424
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthAvalonia/BSkyOAuthAvalonia/MainWindow.axaml.cs
@@ -0,0 +1,11 @@
+using Avalonia.Controls;
+
+namespace BSkyOAuthAvalonia;
+
+public partial class MainWindow : Window
+{
+    public MainWindow()
+    {
+        InitializeComponent();
+    }
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/App.xaml b/samples/BSkyOAuth/BSkyOAuthMaui/App.xaml
new file mode 100644
index 0000000..a7f9749
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/App.xaml
@@ -0,0 +1,14 @@
+<?xml version = "1.0" encoding = "UTF-8" ?>
+<Application xmlns="http://schemas.microsoft.com/dotnet/2021/maui"
+             xmlns:x="http://schemas.microsoft.com/winfx/2009/xaml"
+             xmlns:local="clr-namespace:BSkyOAuthMaui"
+             x:Class="BSkyOAuthMaui.App">
+    <Application.Resources>
+        <ResourceDictionary>
+            <ResourceDictionary.MergedDictionaries>
+                <ResourceDictionary Source="Resources/Styles/Colors.xaml" />
+                <ResourceDictionary Source="Resources/Styles/Styles.xaml" />
+            </ResourceDictionary.MergedDictionaries>
+        </ResourceDictionary>
+    </Application.Resources>
+</Application>
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/App.xaml.cs b/samples/BSkyOAuth/BSkyOAuthMaui/App.xaml.cs
new file mode 100644
index 0000000..7f69f87
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/App.xaml.cs
@@ -0,0 +1,16 @@
+using Microsoft.Extensions.DependencyInjection;
+
+namespace BSkyOAuthMaui;
+
+public partial class App : Application
+{
+	public App()
+	{
+		InitializeComponent();
+	}
+
+	protected override Window CreateWindow(IActivationState? activationState)
+	{
+		return new Window(new AppShell());
+	}
+}
\ No newline at end of file
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/AppShell.xaml b/samples/BSkyOAuth/BSkyOAuthMaui/AppShell.xaml
new file mode 100644
index 0000000..4453d30
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/AppShell.xaml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<Shell
+    x:Class="BSkyOAuthMaui.AppShell"
+    xmlns="http://schemas.microsoft.com/dotnet/2021/maui"
+    xmlns:x="http://schemas.microsoft.com/winfx/2009/xaml"
+    xmlns:local="clr-namespace:BSkyOAuthMaui"
+    Title="BSkyOAuthMaui">
+
+    <ShellContent
+        Title="Home"
+        ContentTemplate="{DataTemplate local:MainPage}"
+        Route="MainPage" />
+
+</Shell>
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/AppShell.xaml.cs b/samples/BSkyOAuth/BSkyOAuthMaui/AppShell.xaml.cs
new file mode 100644
index 0000000..298827a
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/AppShell.xaml.cs
@@ -0,0 +1,9 @@
+namespace BSkyOAuthMaui;
+
+public partial class AppShell : Shell
+{
+	public AppShell()
+	{
+		InitializeComponent();
+	}
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/BSkyOAuthMaui.csproj b/samples/BSkyOAuth/BSkyOAuthMaui/BSkyOAuthMaui.csproj
new file mode 100644
index 0000000..3139a8b
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/BSkyOAuthMaui.csproj
@@ -0,0 +1,90 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+	<PropertyGroup>
+		<TargetFrameworks>net10.0-android</TargetFrameworks>
+		<TargetFrameworks Condition="!$([MSBuild]::IsOSPlatform('linux'))">$(TargetFrameworks);net10.0-ios;net10.0-maccatalyst</TargetFrameworks>
+
+		<!-- Note for MacCatalyst:
+		The default runtime is maccatalyst-x64, except in Release config, in which case the default is maccatalyst-x64;maccatalyst-arm64.
+		When specifying both architectures, use the plural <RuntimeIdentifiers> instead of the singular <RuntimeIdentifier>.
+		The Mac App Store will NOT accept apps with ONLY maccatalyst-arm64 indicated;
+		either BOTH runtimes must be indicated or ONLY macatalyst-x64. -->
+		<!-- For example: <RuntimeIdentifiers>maccatalyst-x64;maccatalyst-arm64</RuntimeIdentifiers> -->
+
+		<OutputType>Exe</OutputType>
+		<RootNamespace>BSkyOAuthMaui</RootNamespace>
+		<UseMaui>true</UseMaui>
+		<SingleProject>true</SingleProject>
+		<ImplicitUsings>enable</ImplicitUsings>
+		<Nullable>enable</Nullable>
+		<ValidateXcodeVersion>false</ValidateXcodeVersion>
+
+		<!-- Enable XAML source generation for faster build times and improved performance.
+		     This generates C# code from XAML at compile time instead of runtime inflation.
+		     To disable, remove this line.
+		     For individual files, you can override by setting Inflator metadata:
+		       <MauiXaml Update="MyPage.xaml" Inflator="Default" /> (reverts to defaults: Runtime for Debug, XamlC for Release)
+		       <MauiXaml Update="MyPage.xaml" Inflator="Runtime" /> (force runtime inflation) -->
+		<MauiXamlInflator>SourceGen</MauiXamlInflator>
+
+		<!-- Display name -->
+		<ApplicationTitle>BSkyOAuthMaui</ApplicationTitle>
+
+		<!-- App Identifier -->
+		<ApplicationId>com.companyname.bskyoauthmaui</ApplicationId>
+
+		<!-- Versions -->
+		<ApplicationDisplayVersion>1.0</ApplicationDisplayVersion>
+		<ApplicationVersion>1</ApplicationVersion>
+
+		<!-- To develop, package, and publish an app to the Microsoft Store, see: https://aka.ms/MauiTemplateUnpackaged -->
+		<WindowsPackageType>None</WindowsPackageType>
+
+		<SupportedOSPlatformVersion Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'ios'">15.0</SupportedOSPlatformVersion>
+		<SupportedOSPlatformVersion Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'maccatalyst'">15.0</SupportedOSPlatformVersion>
+		<SupportedOSPlatformVersion Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'android'">21.0</SupportedOSPlatformVersion>
+
+		<NoWarn>$(NoWarn);CS8002</NoWarn>
+		<CarpaNet_LexiconAutoResolve>true</CarpaNet_LexiconAutoResolve>
+	</PropertyGroup>
+
+	<ItemGroup>
+		<!-- App Icon -->
+		<MauiIcon Include="Resources\AppIcon\appicon.svg" ForegroundFile="Resources\AppIcon\appiconfg.svg" Color="#512BD4" />
+
+		<!-- Splash Screen -->
+		<MauiSplashScreen Include="Resources\Splash\splash.svg" Color="#512BD4" BaseSize="128,128" />
+
+		<!-- Images -->
+		<MauiImage Include="Resources\Images\*" />
+		<MauiImage Update="Resources\Images\dotnet_bot.png" Resize="True" BaseSize="300,185" />
+
+		<!-- Custom Fonts -->
+		<MauiFont Include="Resources\Fonts\*" />
+
+		<!-- Raw Assets (also remove the "Resources\Raw" prefix) -->
+		<MauiAsset Include="Resources\Raw\**" LogicalName="%(RecursiveDir)%(Filename)%(Extension)" />
+	</ItemGroup>
+
+	<ItemGroup>
+		<PackageReference Include="Microsoft.Maui.Controls" />
+		<PackageReference Include="Microsoft.Extensions.Logging.Debug" />
+	</ItemGroup>
+
+	<ItemGroup>
+		<ProjectReference Include="../../../src/CarpaNet/CarpaNet.csproj" />
+		<ProjectReference Include="../../../src/CarpaNet.OAuth/CarpaNet.OAuth.csproj" />
+		<ProjectReference Include="../../../src/CarpaNet.SourceGen/CarpaNet.SourceGen.csproj"
+		                  OutputItemType="Analyzer"
+		                  ReferenceOutputAssembly="false" />
+	</ItemGroup>
+
+	<Import Project="../../../src/CarpaNet/build/CarpaNet.targets" />
+
+	<ItemGroup>
+		<LexiconResolve Include="app.bsky.feed.getTimeline" />
+		<LexiconResolve Include="app.bsky.actor.getProfile" />
+		<LexiconResolve Include="app.bsky.feed.post" />
+	</ItemGroup>
+
+</Project>
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/MainPage.xaml b/samples/BSkyOAuth/BSkyOAuthMaui/MainPage.xaml
new file mode 100644
index 0000000..674e394
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/MainPage.xaml
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<ContentPage xmlns="http://schemas.microsoft.com/dotnet/2021/maui"
+             xmlns:x="http://schemas.microsoft.com/winfx/2009/xaml"
+             x:Class="BSkyOAuthMaui.MainPage"
+             Title="BSky OAuth">
+
+    <Grid RowDefinitions="Auto,*" Padding="15">
+        <VerticalStackLayout Spacing="10" Grid.Row="0">
+            <Entry x:Name="HandleEntry"
+                   Placeholder="Enter your Bluesky handle"
+                   Keyboard="Url" />
+
+            <HorizontalStackLayout Spacing="10">
+                <Button x:Name="LoginBtn"
+                        Text="Login"
+                        Clicked="OnLoginClicked" />
+                <Button x:Name="LoadSessionBtn"
+                        Text="Load Session"
+                        Clicked="OnLoadSessionClicked" />
+                <Button x:Name="GetTimelineBtn"
+                        Text="Get Timeline"
+                        IsEnabled="False"
+                        Clicked="OnGetTimelineClicked" />
+            </HorizontalStackLayout>
+
+            <ActivityIndicator x:Name="LoadingIndicator"
+                               IsRunning="False"
+                               IsVisible="False"
+                               HorizontalOptions="Start" />
+
+            <Label x:Name="StatusLabel"
+                   Text="Not authenticated"
+                   TextColor="Gray" />
+        </VerticalStackLayout>
+
+        <CollectionView x:Name="TimelineView" Grid.Row="1">
+            <CollectionView.ItemTemplate>
+                <DataTemplate>
+                    <Border Stroke="LightGray"
+                            StrokeThickness="1"
+                            Padding="10"
+                            Margin="0,5"
+                            StrokeShape="RoundRectangle 8">
+                        <VerticalStackLayout Spacing="4">
+                            <Label Text="{Binding AuthorDisplay}"
+                                   FontAttributes="Bold" />
+                            <Label Text="{Binding Text}"
+                                   MaxLines="5" />
+                        </VerticalStackLayout>
+                    </Border>
+                </DataTemplate>
+            </CollectionView.ItemTemplate>
+        </CollectionView>
+    </Grid>
+
+</ContentPage>
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/MainPage.xaml.cs b/samples/BSkyOAuth/BSkyOAuthMaui/MainPage.xaml.cs
new file mode 100644
index 0000000..8abd1c7
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/MainPage.xaml.cs
@@ -0,0 +1,251 @@
+// <copyright file="MainPage.xaml.cs" company="Drastic Actions">
+// Copyright (c) Drastic Actions. All rights reserved.
+// </copyright>
+
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using AppBsky.Feed;
+using CarpaNet;
+using CarpaNet.Identity;
+using CarpaNet.OAuth;
+using CarpaNet.OAuth.Storage;
+
+namespace BSkyOAuthMaui;
+
+public partial class MainPage : ContentPage
+{
+    private const string ClientMetadataUrl = "https://drasticactions.vip/client-metadata.json";
+    private const string RedirectUri = "vip.drasticactions:/callback";
+
+    private readonly OAuthSession oauthSession;
+    private readonly OauthStore sessionStore;
+
+    private ATProtoOAuthClient? client;
+
+    public MainPage()
+    {
+        InitializeComponent();
+
+        this.sessionStore = new OauthStore();
+
+        var config = new OAuthClientConfig
+        {
+            ClientId = ClientMetadataUrl,
+            RedirectUri = RedirectUri,
+            Scope = "atproto transition:generic",
+            JsonOptions = ATProtoClientFactory.CreateJsonOptions(),
+            SessionStore = this.sessionStore
+        };
+
+        this.oauthSession = new OAuthSession(config);
+    }
+
+    private async void OnLoginClicked(object? sender, EventArgs e)
+    {
+        var atIdentifier = new ATIdentifier(HandleEntry.Text ?? string.Empty);
+        if (!atIdentifier.IsValid)
+        {
+            await DisplayAlertAsync("Error", "Invalid handle", "OK");
+            return;
+        }
+
+        SetLoading(true);
+
+        try
+        {
+            var authUrl = await this.oauthSession.AuthorizeAsync(atIdentifier);
+            var callbackUri = new Uri(RedirectUri);
+
+            var result = await WebAuthenticator.AuthenticateAsync(new Uri(authUrl), callbackUri);
+
+            // Reconstruct the full callback URL from the result properties
+            var queryParams = string.Join("&", result.Properties.Select(p => $"{p.Key}={Uri.EscapeDataString(p.Value)}"));
+            var fullCallbackUrl = $"{RedirectUri}?{queryParams}";
+
+            this.client = await this.oauthSession.CallbackAsync(fullCallbackUrl);
+
+            if (this.client != null)
+            {
+                GetTimelineBtn.IsEnabled = true;
+                StatusLabel.Text = $"Authenticated as {this.client.Did}";
+                await DisplayAlertAsync("Success", $"Authenticated as {this.client.Did}", "OK");
+            }
+            else
+            {
+                await DisplayAlertAsync("Error", "Failed to authenticate", "OK");
+            }
+        }
+        catch (TaskCanceledException)
+        {
+            // User cancelled the auth flow
+        }
+        catch (Exception ex)
+        {
+            await DisplayAlertAsync("Error", $"Authentication failed: {ex.Message}", "OK");
+        }
+        finally
+        {
+            SetLoading(false);
+        }
+    }
+
+    private async void OnLoadSessionClicked(object? sender, EventArgs e)
+    {
+        var input = await DisplayPromptAsync("Restore Session", "Enter your DID or handle", placeholder: "did:plc:... or alice.bsky.social");
+        if (string.IsNullOrWhiteSpace(input))
+            return;
+
+        var atIdentifier = new ATIdentifier(input.Trim());
+        if (!atIdentifier.IsValid)
+        {
+            await DisplayAlertAsync("Error", "Invalid DID or handle.", "OK");
+            return;
+        }
+
+        SetLoading(true);
+
+        try
+        {
+            var did = input.Trim();
+            if (atIdentifier.IsHandle)
+            {
+                using var resolver = new IdentityResolver();
+                var doc = await resolver.ResolveAsync(did);
+                did = doc.Id;
+            }
+
+            var session = await this.oauthSession.RestoreSessionAsync(did);
+            if (session != null)
+            {
+                this.client = session;
+                GetTimelineBtn.IsEnabled = true;
+                StatusLabel.Text = $"Session restored for {session.Did}";
+                await DisplayAlertAsync("Success", $"Session restored for {session.Did}", "OK");
+            }
+            else
+            {
+                await DisplayAlertAsync("Error", "No saved session found for that identifier.", "OK");
+            }
+        }
+        catch (Exception ex)
+        {
+            await DisplayAlertAsync("Error", $"Failed to restore session: {ex.Message}", "OK");
+        }
+        finally
+        {
+            SetLoading(false);
+        }
+    }
+
+    private async void OnGetTimelineClicked(object? sender, EventArgs e)
+    {
+        if (this.client == null)
+            return;
+
+        SetLoading(true);
+
+        try
+        {
+            var parameters = new GetTimelineParameters { Limit = 25 };
+            var timeline = await this.client.AppBskyFeedGetTimelineAsync(parameters);
+
+            var items = new List<TimelineItem>();
+            if (timeline.Feed != null)
+            {
+                foreach (var item in timeline.Feed)
+                {
+                    var author = item.Post?.Author;
+                    var text = string.Empty;
+                    if (item.Post?.Record is System.Text.Json.JsonElement recordElement)
+                    {
+                        if (recordElement.TryGetProperty("text", out var textElement))
+                        {
+                            text = textElement.GetString() ?? string.Empty;
+                        }
+                    }
+
+                    items.Add(new TimelineItem
+                    {
+                        AuthorDisplay = $"@{author?.Handle} ({author?.DisplayName})",
+                        Text = text
+                    });
+                }
+            }
+
+            TimelineView.ItemsSource = items;
+            StatusLabel.Text = $"Loaded {items.Count} posts";
+        }
+        catch (Exception ex)
+        {
+            await DisplayAlertAsync("Error", $"Failed to get timeline: {ex.Message}", "OK");
+        }
+        finally
+        {
+            SetLoading(false);
+        }
+    }
+
+    private void SetLoading(bool isLoading)
+    {
+        LoadingIndicator.IsRunning = isLoading;
+        LoadingIndicator.IsVisible = isLoading;
+        LoginBtn.IsEnabled = !isLoading;
+        LoadSessionBtn.IsEnabled = !isLoading;
+        GetTimelineBtn.IsEnabled = !isLoading && this.client != null;
+    }
+}
+
+public class TimelineItem
+{
+    public string AuthorDisplay { get; set; } = string.Empty;
+    public string Text { get; set; } = string.Empty;
+}
+
+public sealed class OauthStore : IOAuthSessionStore
+{
+    private readonly string _directory;
+
+    public OauthStore()
+    {
+        _directory = Path.Combine(
+            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
+            "BSkyOAuth");
+        Directory.CreateDirectory(_directory);
+    }
+
+    public Task StoreAsync(string sub, OAuthSessionData data, CancellationToken cancellationToken = default)
+    {
+        var json = JsonSerializer.Serialize(data, OAuthStoreJsonContext.Default.OAuthSessionData);
+        File.WriteAllText(GetPath(sub), json);
+        return Task.CompletedTask;
+    }
+
+    public Task<OAuthSessionData?> GetAsync(string sub, CancellationToken cancellationToken = default)
+    {
+        var path = GetPath(sub);
+        if (!File.Exists(path))
+            return Task.FromResult<OAuthSessionData?>(null);
+        var json = File.ReadAllText(path);
+        var data = JsonSerializer.Deserialize(json, OAuthStoreJsonContext.Default.OAuthSessionData);
+        return Task.FromResult(data);
+    }
+
+    public Task DeleteAsync(string sub, CancellationToken cancellationToken = default)
+    {
+        var path = GetPath(sub);
+        if (File.Exists(path))
+            File.Delete(path);
+        return Task.CompletedTask;
+    }
+
+    private string GetPath(string sub) =>
+        Path.Combine(_directory, $"oauth-{sub.Replace(":", "_")}.json");
+}
+
+[JsonSerializable(typeof(OAuthSessionData))]
+[JsonSourceGenerationOptions(
+    PropertyNamingPolicy = JsonKnownNamingPolicy.CamelCase,
+    DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull)]
+public partial class OAuthStoreJsonContext : JsonSerializerContext
+{
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/MauiProgram.cs b/samples/BSkyOAuth/BSkyOAuthMaui/MauiProgram.cs
new file mode 100644
index 0000000..6f7280b
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/MauiProgram.cs
@@ -0,0 +1,24 @@
+using Microsoft.Extensions.Logging;
+
+namespace BSkyOAuthMaui;
+
+public static class MauiProgram
+{
+	public static MauiApp CreateMauiApp()
+	{
+		var builder = MauiApp.CreateBuilder();
+		builder
+			.UseMauiApp<App>()
+			.ConfigureFonts(fonts =>
+			{
+				fonts.AddFont("OpenSans-Regular.ttf", "OpenSansRegular");
+				fonts.AddFont("OpenSans-Semibold.ttf", "OpenSansSemibold");
+			});
+
+#if DEBUG
+		builder.Logging.AddDebug();
+#endif
+
+		return builder.Build();
+	}
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Android/AndroidManifest.xml b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Android/AndroidManifest.xml
new file mode 100644
index 0000000..f65fc33
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Android/AndroidManifest.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android">
+	<application android:allowBackup="true" android:icon="@mipmap/appicon" android:roundIcon="@mipmap/appicon_round" android:supportsRtl="true"></application>
+	<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
+	<uses-permission android:name="android.permission.INTERNET" />
+	<queries>
+		<intent>
+			<action android:name="android.support.customtabs.action.CustomTabsService" />
+		</intent>
+	</queries>
+</manifest>
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Android/MainActivity.cs b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Android/MainActivity.cs
new file mode 100644
index 0000000..47ebab2
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Android/MainActivity.cs
@@ -0,0 +1,20 @@
+using Android.App;
+using Android.Content;
+using Android.Content.PM;
+using Android.OS;
+
+namespace BSkyOAuthMaui;
+
+[Activity(Theme = "@style/Maui.SplashTheme", MainLauncher = true, LaunchMode = LaunchMode.SingleTop, ConfigurationChanges = ConfigChanges.ScreenSize | ConfigChanges.Orientation | ConfigChanges.UiMode | ConfigChanges.ScreenLayout | ConfigChanges.SmallestScreenSize | ConfigChanges.Density)]
+public class MainActivity : MauiAppCompatActivity
+{
+}
+
+[Activity(NoHistory = true, LaunchMode = LaunchMode.SingleTop, Exported = true)]
+[IntentFilter(
+    [Intent.ActionView],
+    Categories = [Intent.CategoryDefault, Intent.CategoryBrowsable],
+    DataScheme = "vip.drasticactions")]
+public class WebAuthenticatorCallbackActivity : Microsoft.Maui.Authentication.WebAuthenticatorCallbackActivity
+{
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Android/MainApplication.cs b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Android/MainApplication.cs
new file mode 100644
index 0000000..6745ee0
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Android/MainApplication.cs
@@ -0,0 +1,15 @@
+using Android.App;
+using Android.Runtime;
+
+namespace BSkyOAuthMaui;
+
+[Application]
+public class MainApplication : MauiApplication
+{
+	public MainApplication(IntPtr handle, JniHandleOwnership ownership)
+		: base(handle, ownership)
+	{
+	}
+
+	protected override MauiApp CreateMauiApp() => MauiProgram.CreateMauiApp();
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Android/Resources/values/colors.xml b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Android/Resources/values/colors.xml
new file mode 100644
index 0000000..5cd1604
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Android/Resources/values/colors.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <color name="colorPrimary">#512BD4</color>
+    <color name="colorPrimaryDark">#2B0B98</color>
+    <color name="colorAccent">#2B0B98</color>
+</resources>
\ No newline at end of file
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/MacCatalyst/AppDelegate.cs b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/MacCatalyst/AppDelegate.cs
new file mode 100644
index 0000000..6e6a0f7
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/MacCatalyst/AppDelegate.cs
@@ -0,0 +1,9 @@
+using Foundation;
+
+namespace BSkyOAuthMaui;
+
+[Register("AppDelegate")]
+public class AppDelegate : MauiUIApplicationDelegate
+{
+	protected override MauiApp CreateMauiApp() => MauiProgram.CreateMauiApp();
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/MacCatalyst/Entitlements.plist b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/MacCatalyst/Entitlements.plist
new file mode 100644
index 0000000..8e87c0c
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/MacCatalyst/Entitlements.plist
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <!-- See https://aka.ms/maui-publish-app-store#add-entitlements for more information about adding entitlements.-->
+    <dict>
+        <!-- App Sandbox must be enabled to distribute a MacCatalyst app through the Mac App Store. -->
+        <key>com.apple.security.app-sandbox</key>
+        <true/>
+        <!-- When App Sandbox is enabled, this value is required to open outgoing network connections. -->
+        <key>com.apple.security.network.client</key>
+        <true/>
+    </dict>
+</plist>
+
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/MacCatalyst/Info.plist b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/MacCatalyst/Info.plist
new file mode 100644
index 0000000..385e722
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/MacCatalyst/Info.plist
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- The Mac App Store requires you specify if the app uses encryption. -->
+    <!-- Please consult https://developer.apple.com/documentation/bundleresources/information_property_list/itsappusesnonexemptencryption -->
+    <!-- <key>ITSAppUsesNonExemptEncryption</key> -->
+    <!-- Please indicate <true/> or <false/> here. -->
+
+    <!-- Specify the category for your app here. -->
+    <!-- Please consult https://developer.apple.com/documentation/bundleresources/information_property_list/lsapplicationcategorytype -->
+    <!-- <key>LSApplicationCategoryType</key> -->
+    <!-- <string>public.app-category.YOUR-CATEGORY-HERE</string> -->
+	<key>UIDeviceFamily</key>
+	<array>
+		<integer>2</integer>
+	</array>
+	<key>LSApplicationCategoryType</key>
+	<string>public.app-category.lifestyle</string>
+	<key>UIRequiredDeviceCapabilities</key>
+	<array>
+		<string>arm64</string>
+	</array>
+	<key>UISupportedInterfaceOrientations</key>
+	<array>
+		<string>UIInterfaceOrientationPortrait</string>
+		<string>UIInterfaceOrientationLandscapeLeft</string>
+		<string>UIInterfaceOrientationLandscapeRight</string>
+	</array>
+	<key>UISupportedInterfaceOrientations~ipad</key>
+	<array>
+		<string>UIInterfaceOrientationPortrait</string>
+		<string>UIInterfaceOrientationPortraitUpsideDown</string>
+		<string>UIInterfaceOrientationLandscapeLeft</string>
+		<string>UIInterfaceOrientationLandscapeRight</string>
+	</array>
+	<key>XSAppIconAssets</key>
+	<string>Assets.xcassets/appicon.appiconset</string>
+	<key>CFBundleURLTypes</key>
+    <array>
+        <dict>
+            <key>CFBundleURLSchemes</key>
+            <array>
+                <string>vip.drasticactions</string>
+            </array>
+            <key>CFBundleURLName</key>
+            <string>vip.drasticactions</string>
+        </dict>
+    </array>
+</dict>
+</plist>
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/MacCatalyst/Program.cs b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/MacCatalyst/Program.cs
new file mode 100644
index 0000000..3c7c3e5
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/MacCatalyst/Program.cs
@@ -0,0 +1,15 @@
+using ObjCRuntime;
+using UIKit;
+
+namespace BSkyOAuthMaui;
+
+public class Program
+{
+	// This is the main entry point of the application.
+	static void Main(string[] args)
+	{
+		// if you want to use a different Application Delegate class from "AppDelegate"
+		// you can specify it here.
+		UIApplication.Main(args, null, typeof(AppDelegate));
+	}
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Windows/App.xaml b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Windows/App.xaml
new file mode 100644
index 0000000..4c4328d
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Windows/App.xaml
@@ -0,0 +1,8 @@
+<maui:MauiWinUIApplication
+    x:Class="BSkyOAuthMaui.WinUI.App"
+    xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
+    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+    xmlns:maui="using:Microsoft.Maui"
+    xmlns:local="using:BSkyOAuthMaui.WinUI">
+
+</maui:MauiWinUIApplication>
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Windows/App.xaml.cs b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Windows/App.xaml.cs
new file mode 100644
index 0000000..82a4a06
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Windows/App.xaml.cs
@@ -0,0 +1,24 @@
+using Microsoft.UI.Xaml;
+
+// To learn more about WinUI, the WinUI project structure,
+// and more about our project templates, see: http://aka.ms/winui-project-info.
+
+namespace BSkyOAuthMaui.WinUI;
+
+/// <summary>
+/// Provides application-specific behavior to supplement the default Application class.
+/// </summary>
+public partial class App : MauiWinUIApplication
+{
+	/// <summary>
+	/// Initializes the singleton application object.  This is the first line of authored code
+	/// executed, and as such is the logical equivalent of main() or WinMain().
+	/// </summary>
+	public App()
+	{
+		this.InitializeComponent();
+	}
+
+	protected override MauiApp CreateMauiApp() => MauiProgram.CreateMauiApp();
+}
+
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Windows/Package.appxmanifest b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Windows/Package.appxmanifest
new file mode 100644
index 0000000..0e2bf16
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Windows/Package.appxmanifest
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Package
+  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
+  xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
+  xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest"
+  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
+  IgnorableNamespaces="uap rescap">
+
+  <Identity Name="maui-package-name-placeholder" Publisher="CN=User Name" Version="0.0.0.0" />
+
+  <mp:PhoneIdentity PhoneProductId="274E6621-7E15-4E38-B1E1-DCD35924FADA" PhonePublisherId="00000000-0000-0000-0000-000000000000"/>
+
+  <Properties>
+    <DisplayName>$placeholder$</DisplayName>
+    <PublisherDisplayName>User Name</PublisherDisplayName>
+    <Logo>$placeholder$.png</Logo>
+  </Properties>
+
+  <Dependencies>
+    <TargetDeviceFamily Name="Windows.Universal" MinVersion="10.0.17763.0" MaxVersionTested="10.0.19041.0" />
+    <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.17763.0" MaxVersionTested="10.0.19041.0" />
+  </Dependencies>
+
+  <Resources>
+    <Resource Language="x-generate" />
+  </Resources>
+
+  <Applications>
+    <Application Id="App" Executable="$targetnametoken$.exe" EntryPoint="$targetentrypoint$">
+      <uap:VisualElements
+        DisplayName="$placeholder$"
+        Description="$placeholder$"
+        Square150x150Logo="$placeholder$.png"
+        Square44x44Logo="$placeholder$.png"
+        BackgroundColor="transparent">
+        <uap:DefaultTile Square71x71Logo="$placeholder$.png" Wide310x150Logo="$placeholder$.png" Square310x310Logo="$placeholder$.png" />
+        <uap:SplashScreen Image="$placeholder$.png" />
+      </uap:VisualElements>
+    </Application>
+  </Applications>
+
+  <Capabilities>
+    <rescap:Capability Name="runFullTrust" />
+  </Capabilities>
+
+</Package>
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Windows/app.manifest b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Windows/app.manifest
new file mode 100644
index 0000000..a33f528
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/Windows/app.manifest
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
+  <assemblyIdentity version="1.0.0.0" name="BSkyOAuthMaui.WinUI.app"/>
+
+  <application xmlns="urn:schemas-microsoft-com:asm.v3">
+    <windowsSettings>
+      <!-- The combination of below two tags have the following effect:
+           1) Per-Monitor for >= Windows 10 Anniversary Update
+           2) System < Windows 10 Anniversary Update
+      -->
+      <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true/PM</dpiAware>
+      <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness>
+
+      <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware>
+    </windowsSettings>
+  </application>
+</assembly>
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/iOS/AppDelegate.cs b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/iOS/AppDelegate.cs
new file mode 100644
index 0000000..6e6a0f7
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/iOS/AppDelegate.cs
@@ -0,0 +1,9 @@
+using Foundation;
+
+namespace BSkyOAuthMaui;
+
+[Register("AppDelegate")]
+public class AppDelegate : MauiUIApplicationDelegate
+{
+	protected override MauiApp CreateMauiApp() => MauiProgram.CreateMauiApp();
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/iOS/Info.plist b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/iOS/Info.plist
new file mode 100644
index 0000000..4494349
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/iOS/Info.plist
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>LSRequiresIPhoneOS</key>
+	<true/>
+	<key>UIDeviceFamily</key>
+	<array>
+		<integer>1</integer>
+		<integer>2</integer>
+	</array>
+	<key>UIRequiredDeviceCapabilities</key>
+	<array>
+		<string>arm64</string>
+	</array>
+	<key>UISupportedInterfaceOrientations</key>
+	<array>
+		<string>UIInterfaceOrientationPortrait</string>
+		<string>UIInterfaceOrientationLandscapeLeft</string>
+		<string>UIInterfaceOrientationLandscapeRight</string>
+	</array>
+	<key>UISupportedInterfaceOrientations~ipad</key>
+	<array>
+		<string>UIInterfaceOrientationPortrait</string>
+		<string>UIInterfaceOrientationPortraitUpsideDown</string>
+		<string>UIInterfaceOrientationLandscapeLeft</string>
+		<string>UIInterfaceOrientationLandscapeRight</string>
+	</array>
+	<key>XSAppIconAssets</key>
+	<string>Assets.xcassets/appicon.appiconset</string>
+	<key>CFBundleURLTypes</key>
+    <array>
+        <dict>
+            <key>CFBundleURLSchemes</key>
+            <array>
+                <string>vip.drasticactions</string>
+            </array>
+            <key>CFBundleURLName</key>
+            <string>vip.drasticactions</string>
+        </dict>
+    </array>
+</dict>
+</plist>
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/iOS/Program.cs b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/iOS/Program.cs
new file mode 100644
index 0000000..3c7c3e5
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/iOS/Program.cs
@@ -0,0 +1,15 @@
+using ObjCRuntime;
+using UIKit;
+
+namespace BSkyOAuthMaui;
+
+public class Program
+{
+	// This is the main entry point of the application.
+	static void Main(string[] args)
+	{
+		// if you want to use a different Application Delegate class from "AppDelegate"
+		// you can specify it here.
+		UIApplication.Main(args, null, typeof(AppDelegate));
+	}
+}
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/iOS/Resources/PrivacyInfo.xcprivacy b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/iOS/Resources/PrivacyInfo.xcprivacy
new file mode 100644
index 0000000..1ea3a5d
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Platforms/iOS/Resources/PrivacyInfo.xcprivacy
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This is the minimum required version of the Apple Privacy Manifest for .NET MAUI apps.
+The contents below are needed because of APIs that are used in the .NET framework and .NET MAUI SDK.
+
+You are responsible for adding extra entries as needed for your application.
+
+More information: https://aka.ms/maui-privacy-manifest
+-->
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>NSPrivacyAccessedAPITypes</key>
+    <array>
+        <dict>
+            <key>NSPrivacyAccessedAPIType</key>
+            <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
+            <key>NSPrivacyAccessedAPITypeReasons</key>
+            <array>
+                <string>C617.1</string>
+            </array>
+        </dict>
+        <dict>
+            <key>NSPrivacyAccessedAPIType</key>
+            <string>NSPrivacyAccessedAPICategorySystemBootTime</string>
+            <key>NSPrivacyAccessedAPITypeReasons</key>
+            <array>
+                <string>35F9.1</string>
+            </array>
+        </dict>
+        <dict>
+            <key>NSPrivacyAccessedAPIType</key>
+            <string>NSPrivacyAccessedAPICategoryDiskSpace</string>
+            <key>NSPrivacyAccessedAPITypeReasons</key>
+            <array>
+                <string>E174.1</string>
+            </array>
+        </dict>
+        <!--
+            The entry below is only needed when you're using the Preferences API in your app.
+        <dict>
+            <key>NSPrivacyAccessedAPIType</key>
+            <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
+            <key>NSPrivacyAccessedAPITypeReasons</key>
+            <array>
+                <string>CA92.1</string>
+            </array>
+        </dict> -->
+    </array>
+</dict>
+</plist>
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Properties/launchSettings.json b/samples/BSkyOAuth/BSkyOAuthMaui/Properties/launchSettings.json
new file mode 100644
index 0000000..f4c6c8d
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Properties/launchSettings.json
@@ -0,0 +1,8 @@
+{
+  "profiles": {
+    "Windows Machine": {
+      "commandName": "Project",
+      "nativeDebugging": false
+    }
+  }
+}
\ No newline at end of file
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Resources/AppIcon/appicon.svg b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/AppIcon/appicon.svg
new file mode 100644
index 0000000..5f04fcf
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/AppIcon/appicon.svg
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="456" height="456" viewBox="0 0 456 456" version="1.1" xmlns="http://www.w3.org/2000/svg">
+    <rect x="0" y="0" width="456" height="456" fill="#512BD4" />
+</svg>
\ No newline at end of file
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Resources/AppIcon/appiconfg.svg b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/AppIcon/appiconfg.svg
new file mode 100644
index 0000000..62d66d7
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/AppIcon/appiconfg.svg
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="456" height="456" viewBox="0 0 456 456" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
+    <path d="m 105.50037,281.60863 c -2.70293,0 -5.00091,-0.90042 -6.893127,-2.70209 -1.892214,-1.84778 -2.837901,-4.04181 -2.837901,-6.58209 0,-2.58722 0.945687,-4.80389 2.837901,-6.65167 1.892217,-1.84778 4.190197,-2.77167 6.893127,-2.77167 2.74819,0 5.06798,0.92389 6.96019,2.77167 1.93749,1.84778 2.90581,4.06445 2.90581,6.65167 0,2.54028 -0.96832,4.73431 -2.90581,6.58209 -1.89221,1.80167 -4.212,2.70209 -6.96019,2.70209 z" style="fill:#ffffff;fill-rule:nonzero;stroke-width:0.838376" />
+    <path d="M 213.56111,280.08446 H 195.99044 L 149.69953,207.0544 c -1.17121,-1.84778 -2.14037,-3.76515 -2.90581,-5.75126 h -0.40578 c 0.36051,2.12528 0.54076,6.67515 0.54076,13.6496 v 65.13172 h -15.54349 v -99.36009 h 18.71925 l 44.7374,71.29798 c 1.89222,2.95695 3.1087,4.98917 3.64945,6.09751 h 0.26996 c -0.45021,-2.6325 -0.67573,-7.09015 -0.67573,-13.37293 v -64.02256 h 15.47557 z" style="fill:#ffffff;fill-rule:nonzero;stroke-width:0.838376" />
+    <path d="m 289.25134,280.08446 h -54.40052 v -99.36009 h 52.23835 v 13.99669 h -36.15411 v 28.13085 h 33.31621 v 13.9271 h -33.31621 v 29.37835 h 38.31628 z" style="fill:#ffffff;fill-rule:nonzero;stroke-width:0.838376" />
+    <path d="M 366.56466,194.72106 H 338.7222 v 85.3634 h -16.08423 v -85.3634 h -27.77455 v -13.99669 h 71.70124 z" style="fill:#ffffff;fill-rule:nonzero;stroke-width:0.838376" />
+</svg>
\ No newline at end of file
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Fonts/OpenSans-Regular.ttf b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Fonts/OpenSans-Regular.ttf
new file mode 100644
index 0000000..9b09396
Binary files /dev/null and b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Fonts/OpenSans-Regular.ttf differ
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Fonts/OpenSans-Semibold.ttf b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Fonts/OpenSans-Semibold.ttf
new file mode 100644
index 0000000..ca26718
Binary files /dev/null and b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Fonts/OpenSans-Semibold.ttf differ
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Images/dotnet_bot.png b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Images/dotnet_bot.png
new file mode 100644
index 0000000..054167e
Binary files /dev/null and b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Images/dotnet_bot.png differ
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Raw/AboutAssets.txt b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Raw/AboutAssets.txt
new file mode 100644
index 0000000..f22d3bf
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Raw/AboutAssets.txt
@@ -0,0 +1,15 @@
+Any raw assets you want to be deployed with your application can be placed in
+this directory (and child directories). Deployment of the asset to your application
+is automatically handled by the following `MauiAsset` Build Action within your `.csproj`.
+
+	<MauiAsset Include="Resources\Raw\**" LogicalName="%(RecursiveDir)%(Filename)%(Extension)" />
+
+These files will be deployed with your package and will be accessible using Essentials:
+
+	async Task LoadMauiAsset()
+	{
+		using var stream = await FileSystem.OpenAppPackageFileAsync("AboutAssets.txt");
+		using var reader = new StreamReader(stream);
+
+		var contents = reader.ReadToEnd();
+	}
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Splash/splash.svg b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Splash/splash.svg
new file mode 100644
index 0000000..62d66d7
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Splash/splash.svg
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="456" height="456" viewBox="0 0 456 456" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2;">
+    <path d="m 105.50037,281.60863 c -2.70293,0 -5.00091,-0.90042 -6.893127,-2.70209 -1.892214,-1.84778 -2.837901,-4.04181 -2.837901,-6.58209 0,-2.58722 0.945687,-4.80389 2.837901,-6.65167 1.892217,-1.84778 4.190197,-2.77167 6.893127,-2.77167 2.74819,0 5.06798,0.92389 6.96019,2.77167 1.93749,1.84778 2.90581,4.06445 2.90581,6.65167 0,2.54028 -0.96832,4.73431 -2.90581,6.58209 -1.89221,1.80167 -4.212,2.70209 -6.96019,2.70209 z" style="fill:#ffffff;fill-rule:nonzero;stroke-width:0.838376" />
+    <path d="M 213.56111,280.08446 H 195.99044 L 149.69953,207.0544 c -1.17121,-1.84778 -2.14037,-3.76515 -2.90581,-5.75126 h -0.40578 c 0.36051,2.12528 0.54076,6.67515 0.54076,13.6496 v 65.13172 h -15.54349 v -99.36009 h 18.71925 l 44.7374,71.29798 c 1.89222,2.95695 3.1087,4.98917 3.64945,6.09751 h 0.26996 c -0.45021,-2.6325 -0.67573,-7.09015 -0.67573,-13.37293 v -64.02256 h 15.47557 z" style="fill:#ffffff;fill-rule:nonzero;stroke-width:0.838376" />
+    <path d="m 289.25134,280.08446 h -54.40052 v -99.36009 h 52.23835 v 13.99669 h -36.15411 v 28.13085 h 33.31621 v 13.9271 h -33.31621 v 29.37835 h 38.31628 z" style="fill:#ffffff;fill-rule:nonzero;stroke-width:0.838376" />
+    <path d="M 366.56466,194.72106 H 338.7222 v 85.3634 h -16.08423 v -85.3634 h -27.77455 v -13.99669 h 71.70124 z" style="fill:#ffffff;fill-rule:nonzero;stroke-width:0.838376" />
+</svg>
\ No newline at end of file
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Styles/Colors.xaml b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Styles/Colors.xaml
new file mode 100644
index 0000000..daae3bd
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Styles/Colors.xaml
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<ResourceDictionary 
+    xmlns="http://schemas.microsoft.com/dotnet/2021/maui"
+    xmlns:x="http://schemas.microsoft.com/winfx/2009/xaml">
+
+    <!-- Note: For Android please see also Platforms\Android\Resources\values\colors.xml -->
+
+    <Color x:Key="Primary">#512BD4</Color>
+    <Color x:Key="PrimaryDark">#ac99ea</Color>
+    <Color x:Key="PrimaryDarkText">#242424</Color>
+    <Color x:Key="Secondary">#DFD8F7</Color>
+    <Color x:Key="SecondaryDarkText">#9880e5</Color>
+    <Color x:Key="Tertiary">#2B0B98</Color>
+
+    <Color x:Key="White">White</Color>
+    <Color x:Key="Black">Black</Color>
+    <Color x:Key="Magenta">#D600AA</Color>
+    <Color x:Key="MidnightBlue">#190649</Color>
+    <Color x:Key="OffBlack">#1f1f1f</Color>
+
+    <Color x:Key="Gray100">#E1E1E1</Color>
+    <Color x:Key="Gray200">#C8C8C8</Color>
+    <Color x:Key="Gray300">#ACACAC</Color>
+    <Color x:Key="Gray400">#919191</Color>
+    <Color x:Key="Gray500">#6E6E6E</Color>
+    <Color x:Key="Gray600">#404040</Color>
+    <Color x:Key="Gray900">#212121</Color>
+    <Color x:Key="Gray950">#141414</Color>
+
+    <SolidColorBrush x:Key="PrimaryBrush" Color="{StaticResource Primary}"/>
+    <SolidColorBrush x:Key="SecondaryBrush" Color="{StaticResource Secondary}"/>
+    <SolidColorBrush x:Key="TertiaryBrush" Color="{StaticResource Tertiary}"/>
+    <SolidColorBrush x:Key="WhiteBrush" Color="{StaticResource White}"/>
+    <SolidColorBrush x:Key="BlackBrush" Color="{StaticResource Black}"/>
+
+    <SolidColorBrush x:Key="Gray100Brush" Color="{StaticResource Gray100}"/>
+    <SolidColorBrush x:Key="Gray200Brush" Color="{StaticResource Gray200}"/>
+    <SolidColorBrush x:Key="Gray300Brush" Color="{StaticResource Gray300}"/>
+    <SolidColorBrush x:Key="Gray400Brush" Color="{StaticResource Gray400}"/>
+    <SolidColorBrush x:Key="Gray500Brush" Color="{StaticResource Gray500}"/>
+    <SolidColorBrush x:Key="Gray600Brush" Color="{StaticResource Gray600}"/>
+    <SolidColorBrush x:Key="Gray900Brush" Color="{StaticResource Gray900}"/>
+    <SolidColorBrush x:Key="Gray950Brush" Color="{StaticResource Gray950}"/>
+</ResourceDictionary>
\ No newline at end of file
diff --git a/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Styles/Styles.xaml b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Styles/Styles.xaml
new file mode 100644
index 0000000..0dce374
--- /dev/null
+++ b/samples/BSkyOAuth/BSkyOAuthMaui/Resources/Styles/Styles.xaml
@@ -0,0 +1,434 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<ResourceDictionary 
+    xmlns="http://schemas.microsoft.com/dotnet/2021/maui"
+    xmlns:x="http://schemas.microsoft.com/winfx/2009/xaml">
+
+    <Style TargetType="ActivityIndicator">
+        <Setter Property="Color" Value="{AppThemeBinding Light={StaticResource Primary}, Dark={StaticResource White}}" />
+    </Style>
+
+    <Style TargetType="IndicatorView">
+        <Setter Property="IndicatorColor" Value="{AppThemeBinding Light={StaticResource Gray200}, Dark={StaticResource Gray500}}"/>
+        <Setter Property="SelectedIndicatorColor" Value="{AppThemeBinding Light={StaticResource Gray950}, Dark={StaticResource Gray100}}"/>
+    </Style>
+
+    <Style TargetType="Border">
+        <Setter Property="Stroke" Value="{AppThemeBinding Light={StaticResource Gray200}, Dark={StaticResource Gray500}}" />
+        <Setter Property="StrokeShape" Value="Rectangle"/>
+        <Setter Property="StrokeThickness" Value="1"/>
+    </Style>
+
+    <Style TargetType="BoxView">
+        <Setter Property="BackgroundColor" Value="{AppThemeBinding Light={StaticResource Gray950}, Dark={StaticResource Gray200}}" />
+    </Style>
+
+    <Style TargetType="Button">
+        <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource White}, Dark={StaticResource PrimaryDarkText}}" />
+        <Setter Property="BackgroundColor" Value="{AppThemeBinding Light={StaticResource Primary}, Dark={StaticResource PrimaryDark}}" />
+        <Setter Property="FontFamily" Value="OpenSansRegular"/>
+        <Setter Property="FontSize" Value="14"/>
+        <Setter Property="BorderWidth" Value="0"/>
+        <Setter Property="CornerRadius" Value="8"/>
+        <Setter Property="Padding" Value="14,10"/>
+        <Setter Property="MinimumHeightRequest" Value="44"/>
+        <Setter Property="MinimumWidthRequest" Value="44"/>
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray950}, Dark={StaticResource Gray200}}" />
+                            <Setter Property="BackgroundColor" Value="{AppThemeBinding Light={StaticResource Gray200}, Dark={StaticResource Gray600}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                    <VisualState x:Name="PointerOver" />
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="CheckBox">
+        <Setter Property="Color" Value="{AppThemeBinding Light={StaticResource Primary}, Dark={StaticResource White}}" />
+        <Setter Property="MinimumHeightRequest" Value="44"/>
+        <Setter Property="MinimumWidthRequest" Value="44"/>
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="Color" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="DatePicker">
+        <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray900}, Dark={StaticResource White}}" />
+        <Setter Property="BackgroundColor" Value="Transparent" />
+        <Setter Property="FontFamily" Value="OpenSansRegular"/>
+        <Setter Property="FontSize" Value="14"/>
+        <Setter Property="MinimumHeightRequest" Value="44"/>
+        <Setter Property="MinimumWidthRequest" Value="44"/>
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray200}, Dark={StaticResource Gray500}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="Editor">
+        <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Black}, Dark={StaticResource White}}" />
+        <Setter Property="BackgroundColor" Value="Transparent" />
+        <Setter Property="FontFamily" Value="OpenSansRegular"/>
+        <Setter Property="FontSize" Value="14" />
+        <Setter Property="PlaceholderColor" Value="{AppThemeBinding Light={StaticResource Gray200}, Dark={StaticResource Gray500}}" />
+        <Setter Property="MinimumHeightRequest" Value="44"/>
+        <Setter Property="MinimumWidthRequest" Value="44"/>
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="Entry">
+        <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Black}, Dark={StaticResource White}}" />
+        <Setter Property="BackgroundColor" Value="Transparent" />
+        <Setter Property="FontFamily" Value="OpenSansRegular"/>
+        <Setter Property="FontSize" Value="14" />
+        <Setter Property="PlaceholderColor" Value="{AppThemeBinding Light={StaticResource Gray200}, Dark={StaticResource Gray500}}" />
+        <Setter Property="MinimumHeightRequest" Value="44"/>
+        <Setter Property="MinimumWidthRequest" Value="44"/>
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="ImageButton">
+        <Setter Property="Opacity" Value="1" />
+        <Setter Property="BorderColor" Value="Transparent"/>
+        <Setter Property="BorderWidth" Value="0"/>
+        <Setter Property="CornerRadius" Value="0"/>
+        <Setter Property="MinimumHeightRequest" Value="44"/>
+        <Setter Property="MinimumWidthRequest" Value="44"/>
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="Opacity" Value="0.5" />
+                        </VisualState.Setters>
+                    </VisualState>
+                    <VisualState x:Name="PointerOver" />
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="Label">
+        <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Black}, Dark={StaticResource White}}" />
+        <Setter Property="BackgroundColor" Value="Transparent" />
+        <Setter Property="FontFamily" Value="OpenSansRegular" />
+        <Setter Property="FontSize" Value="14" />
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="Label" x:Key="Headline">
+        <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource MidnightBlue}, Dark={StaticResource White}}" />
+        <Setter Property="FontSize" Value="32" />
+        <Setter Property="HorizontalOptions" Value="Center" />
+        <Setter Property="HorizontalTextAlignment" Value="Center" />
+    </Style>
+
+    <Style TargetType="Label" x:Key="SubHeadline">
+        <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource MidnightBlue}, Dark={StaticResource White}}" />
+        <Setter Property="FontSize" Value="24" />
+        <Setter Property="HorizontalOptions" Value="Center" />
+        <Setter Property="HorizontalTextAlignment" Value="Center" />
+    </Style>
+
+    <Style TargetType="Picker">
+        <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray900}, Dark={StaticResource White}}" />
+        <Setter Property="TitleColor" Value="{AppThemeBinding Light={StaticResource Gray900}, Dark={StaticResource Gray200}}" />
+        <Setter Property="BackgroundColor" Value="Transparent" />
+        <Setter Property="FontFamily" Value="OpenSansRegular"/>
+        <Setter Property="FontSize" Value="14" />
+        <Setter Property="MinimumHeightRequest" Value="44"/>
+        <Setter Property="MinimumWidthRequest" Value="44"/>
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                            <Setter Property="TitleColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="ProgressBar">
+        <Setter Property="ProgressColor" Value="{AppThemeBinding Light={StaticResource Primary}, Dark={StaticResource White}}" />
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="ProgressColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="RadioButton">
+        <Setter Property="BackgroundColor" Value="Transparent"/>
+        <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Black}, Dark={StaticResource White}}" />
+        <Setter Property="FontFamily" Value="OpenSansRegular"/>
+        <Setter Property="FontSize" Value="14"/>
+        <Setter Property="MinimumHeightRequest" Value="44"/>
+        <Setter Property="MinimumWidthRequest" Value="44"/>
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="RefreshView">
+        <Setter Property="RefreshColor" Value="{AppThemeBinding Light={StaticResource Gray900}, Dark={StaticResource Gray200}}" />
+    </Style>
+
+    <Style TargetType="SearchBar">
+        <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray900}, Dark={StaticResource White}}" />
+        <Setter Property="PlaceholderColor" Value="{StaticResource Gray500}" />
+        <Setter Property="CancelButtonColor" Value="{StaticResource Gray500}" />
+        <Setter Property="BackgroundColor" Value="Transparent" />
+        <Setter Property="FontFamily" Value="OpenSansRegular" />
+        <Setter Property="FontSize" Value="14" />
+        <Setter Property="MinimumHeightRequest" Value="44"/>
+        <Setter Property="MinimumWidthRequest" Value="44"/>
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                            <Setter Property="PlaceholderColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="SearchHandler">
+        <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray900}, Dark={StaticResource White}}" />
+        <Setter Property="PlaceholderColor" Value="{StaticResource Gray500}" />
+        <Setter Property="BackgroundColor" Value="Transparent" />
+        <Setter Property="FontFamily" Value="OpenSansRegular" />
+        <Setter Property="FontSize" Value="14" />
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                            <Setter Property="PlaceholderColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="Shadow">
+        <Setter Property="Radius" Value="15" />
+        <Setter Property="Opacity" Value="0.5" />
+        <Setter Property="Brush" Value="{AppThemeBinding Light={StaticResource White}, Dark={StaticResource White}}" />
+        <Setter Property="Offset" Value="10,10" />
+    </Style>
+
+    <Style TargetType="Slider">
+        <Setter Property="MinimumTrackColor" Value="{AppThemeBinding Light={StaticResource Primary}, Dark={StaticResource White}}" />
+        <Setter Property="MaximumTrackColor" Value="{AppThemeBinding Light={StaticResource Gray200}, Dark={StaticResource Gray600}}" />
+        <Setter Property="ThumbColor" Value="{AppThemeBinding Light={StaticResource Primary}, Dark={StaticResource White}}" />
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="MinimumTrackColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}"/>
+                            <Setter Property="MaximumTrackColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}"/>
+                            <Setter Property="ThumbColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}"/>
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="SwipeItem">
+        <Setter Property="BackgroundColor" Value="{AppThemeBinding Light={StaticResource White}, Dark={StaticResource Black}}" />
+    </Style>
+
+    <Style TargetType="Switch">
+        <Setter Property="OnColor" Value="{AppThemeBinding Light={StaticResource Primary}, Dark={StaticResource White}}" />
+        <Setter Property="ThumbColor" Value="{StaticResource White}" />
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="OnColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                            <Setter Property="ThumbColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                    <VisualState x:Name="On">
+                        <VisualState.Setters>
+                            <Setter Property="OnColor" Value="{AppThemeBinding Light={StaticResource Secondary}, Dark={StaticResource Gray200}}" />
+                            <Setter Property="ThumbColor" Value="{AppThemeBinding Light={StaticResource Primary}, Dark={StaticResource White}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                    <VisualState x:Name="Off">
+                        <VisualState.Setters>
+                            <Setter Property="ThumbColor" Value="{AppThemeBinding Light={StaticResource Gray400}, Dark={StaticResource Gray500}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+
+    <Style TargetType="TimePicker">
+        <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray900}, Dark={StaticResource White}}" />
+        <Setter Property="BackgroundColor" Value="Transparent"/>
+        <Setter Property="FontFamily" Value="OpenSansRegular"/>
+        <Setter Property="FontSize" Value="14"/>
+        <Setter Property="MinimumHeightRequest" Value="44"/>
+        <Setter Property="MinimumWidthRequest" Value="44"/>
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="CommonStates">
+                    <VisualState x:Name="Normal" />
+                    <VisualState x:Name="Disabled">
+                        <VisualState.Setters>
+                            <Setter Property="TextColor" Value="{AppThemeBinding Light={StaticResource Gray300}, Dark={StaticResource Gray600}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+  
+    <!--
+    <Style TargetType="TitleBar">
+        <Setter Property="MinimumHeightRequest" Value="32"/>
+        <Setter Property="VisualStateManager.VisualStateGroups">
+            <VisualStateGroupList>
+                <VisualStateGroup x:Name="TitleActiveStates">
+                    <VisualState x:Name="TitleBarTitleActive">
+                        <VisualState.Setters>
+                            <Setter Property="BackgroundColor" Value="Transparent" />
+                            <Setter Property="ForegroundColor" Value="{AppThemeBinding Light={StaticResource Black}, Dark={StaticResource White}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                    <VisualState x:Name="TitleBarTitleInactive">
+                        <VisualState.Setters>
+                            <Setter Property="BackgroundColor" Value="{AppThemeBinding Light={StaticResource White}, Dark={StaticResource Black}}" />
+                            <Setter Property="ForegroundColor" Value="{AppThemeBinding Light={StaticResource Gray400}, Dark={StaticResource Gray500}}" />
+                        </VisualState.Setters>
+                    </VisualState>
+                </VisualStateGroup>
+            </VisualStateGroupList>
+        </Setter>
+    </Style>
+    -->
+
+    <Style TargetType="Page" ApplyToDerivedTypes="True">
+        <Setter Property="Padding" Value="0"/>
+        <Setter Property="BackgroundColor" Value="{AppThemeBinding Light={StaticResource White}, Dark={StaticResource OffBlack}}" />
+    </Style>
+
+    <Style TargetType="Shell" ApplyToDerivedTypes="True">
+        <Setter Property="Shell.BackgroundColor" Value="{AppThemeBinding Light={StaticResource White}, Dark={StaticResource OffBlack}}" />
+        <Setter Property="Shell.ForegroundColor" Value="{AppThemeBinding Light={StaticResource Black}, Dark={StaticResource SecondaryDarkText}}" />
+        <Setter Property="Shell.TitleColor" Value="{AppThemeBinding Light={StaticResource Black}, Dark={StaticResource SecondaryDarkText}}" />
+        <Setter Property="Shell.DisabledColor" Value="{AppThemeBinding Light={StaticResource Gray200}, Dark={StaticResource Gray950}}" />
+        <Setter Property="Shell.UnselectedColor" Value="{AppThemeBinding Light={StaticResource Gray200}, Dark={StaticResource Gray200}}" />
+        <Setter Property="Shell.NavBarHasShadow" Value="False" />
+        <Setter Property="Shell.TabBarBackgroundColor" Value="{AppThemeBinding Light={StaticResource White}, Dark={StaticResource Black}}" />
+        <Setter Property="Shell.TabBarForegroundColor" Value="{AppThemeBinding Light={StaticResource Magenta}, Dark={StaticResource White}}" />
+        <Setter Property="Shell.TabBarTitleColor" Value="{AppThemeBinding Light={StaticResource Magenta}, Dark={StaticResource White}}" />
+        <Setter Property="Shell.TabBarUnselectedColor" Value="{AppThemeBinding Light={StaticResource Gray900}, Dark={StaticResource Gray200}}" />
+    </Style>
+
+    <Style TargetType="NavigationPage">
+        <Setter Property="BarBackgroundColor" Value="{AppThemeBinding Light={StaticResource White}, Dark={StaticResource OffBlack}}" />
+        <Setter Property="BarTextColor" Value="{AppThemeBinding Light={StaticResource Gray200}, Dark={StaticResource White}}" />
+        <Setter Property="IconColor" Value="{AppThemeBinding Light={StaticResource Gray200}, Dark={StaticResource White}}" />
+    </Style>
+
+    <Style TargetType="TabbedPage">
+        <Setter Property="BarBackgroundColor" Value="{AppThemeBinding Light={StaticResource White}, Dark={StaticResource Gray950}}" />
+        <Setter Property="BarTextColor" Value="{AppThemeBinding Light={StaticResource Magenta}, Dark={StaticResource White}}" />
+        <Setter Property="UnselectedTabColor" Value="{AppThemeBinding Light={StaticResource Gray200}, Dark={StaticResource Gray950}}" />
+        <Setter Property="SelectedTabColor" Value="{AppThemeBinding Light={StaticResource Gray950}, Dark={StaticResource Gray200}}" />
+    </Style>
+
+</ResourceDictionary>
diff --git a/samples/BSkyOAuth/BskyOauth.slnx b/samples/BSkyOAuth/BskyOauth.slnx
index a7a1c6a..d33e45d 100644
--- a/samples/BSkyOAuth/BskyOauth.slnx
+++ b/samples/BSkyOAuth/BskyOauth.slnx
@@ -1,5 +1,12 @@
 <Solution>
   <Project Path="../../src/CarpaNet.SourceGen/CarpaNet.SourceGen.csproj" />
   <Project Path="../../src/CarpaNet/CarpaNet.csproj" />
+  <Folder Name="/BSkyOAuthAvalonia/">
+    <Project Path="BSkyOAuthAvalonia/BSkyOAuthAvalonia.Browser/BSkyOAuthAvalonia.Browser.csproj" />
+    <Project Path="BSkyOAuthAvalonia/BSkyOAuthAvalonia.Desktop/BSkyOAuthAvalonia.Desktop.csproj" />
+    <Project Path="BSkyOAuthAvalonia/BSkyOAuthAvalonia/BSkyOAuthAvalonia.csproj" />
+  </Folder>
+  <Project Path="../../src/CarpaNet.OAuth/CarpaNet.OAuth.csproj" />
   <Project Path="BSkyOAuth.MacCatalyst/BSkyOAuth.MacCatalyst.csproj" />
-</Solution>
\ No newline at end of file
+  <Project Path="BSkyOAuthMaui/BSkyOAuthMaui.csproj" />
+</Solution>
diff --git a/src/CarpaNet.OAuth/ATProtoDPoPAuthHandler.cs b/src/CarpaNet.OAuth/ATProtoDPoPAuthHandler.cs
index f60249d..a54778f 100644
--- a/src/CarpaNet.OAuth/ATProtoDPoPAuthHandler.cs
+++ b/src/CarpaNet.OAuth/ATProtoDPoPAuthHandler.cs
@@ -52,7 +52,7 @@ protected override async Task<HttpResponseMessage> SendAsync(
         CancellationToken cancellationToken)
     {
         // Add DPoP proof and auth headers
-        _tokenProvider.AddDPoPHeaders(request);
+        await _tokenProvider.AddDPoPHeadersAsync(request).ConfigureAwait(false);
 
         var response = await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
         _tokenProvider.UpdateNonceFromResponse(response, request.RequestUri!.ToString());
@@ -64,7 +64,7 @@ protected override async Task<HttpResponseMessage> SendAsync(
 
             // Clone request and add fresh DPoP headers
             using var retryRequest = XrpcHttpHandler.CloneRequest(request, "Authorization", "DPoP");
-            _tokenProvider.AddDPoPHeaders(retryRequest);
+            await _tokenProvider.AddDPoPHeadersAsync(retryRequest).ConfigureAwait(false);
 
             // Copy custom headers (e.g., atproto-proxy)
             foreach (var header in request.Headers)
diff --git a/src/CarpaNet.OAuth/ATProtoOAuthClient.cs b/src/CarpaNet.OAuth/ATProtoOAuthClient.cs
index 9f1f151..81827e8 100644
--- a/src/CarpaNet.OAuth/ATProtoOAuthClient.cs
+++ b/src/CarpaNet.OAuth/ATProtoOAuthClient.cs
@@ -108,7 +108,7 @@ public async Task<TOutput> GetAsync<TOutput>(
         _logger.LogDebug("OAuth GET {Nsid}", nsid);
 
         var url = (await XrpcHttpHandler.BuildUrlAsync(BaseUrl, nsid, parameters, _identityResolver, cancellationToken).ConfigureAwait(false)).ToString();
-        using var request = _tokenProvider.CreateDPoPRequest(HttpMethod.Get, url);
+        using var request = await _tokenProvider.CreateDPoPRequestAsync(HttpMethod.Get, url).ConfigureAwait(false);
         XrpcHttpHandler.AddCommonHeaders(request, null, LabelerDids);
 
         var response = await SendWithRetryAsync(request, url, cancellationToken).ConfigureAwait(false);
@@ -125,7 +125,7 @@ public async Task<TOutput> GetAsync<TOutput>(
         ThrowIfDisposed();
 
         var url = (await XrpcHttpHandler.BuildUrlAsync(BaseUrl, nsid, parameters, _identityResolver, cancellationToken).ConfigureAwait(false)).ToString();
-        using var request = _tokenProvider.CreateDPoPRequest(HttpMethod.Get, url);
+        using var request = await _tokenProvider.CreateDPoPRequestAsync(HttpMethod.Get, url).ConfigureAwait(false);
         XrpcHttpHandler.AddCommonHeaders(request, proxyServiceDid, LabelerDids);
 
         var response = await SendWithRetryAsync(request, url, cancellationToken).ConfigureAwait(false);
@@ -142,7 +142,7 @@ public async Task<TOutput> PostAsync<TInput, TOutput>(
         _logger.LogDebug("OAuth POST {Nsid}", nsid);
 
         var url = XrpcHttpHandler.BuildUrl(BaseUrl, nsid).ToString();
-        using var request = _tokenProvider.CreateDPoPRequest(HttpMethod.Post, url);
+        using var request = await _tokenProvider.CreateDPoPRequestAsync(HttpMethod.Post, url).ConfigureAwait(false);
         XrpcHttpHandler.AddCommonHeaders(request, null, LabelerDids);
 
         if (input != null)
@@ -166,7 +166,7 @@ public async Task<TOutput> PostAsync<TInput, TOutput>(
         ThrowIfDisposed();
 
         var url = XrpcHttpHandler.BuildUrl(BaseUrl, nsid).ToString();
-        using var request = _tokenProvider.CreateDPoPRequest(HttpMethod.Post, url);
+        using var request = await _tokenProvider.CreateDPoPRequestAsync(HttpMethod.Post, url).ConfigureAwait(false);
         XrpcHttpHandler.AddCommonHeaders(request, proxyServiceDid, LabelerDids);
 
         if (input != null)
@@ -220,7 +220,7 @@ private async Task<HttpResponseMessage> SendWithRetryAsync(
             await _tokenProvider.RefreshAsync(cancellationToken).ConfigureAwait(false);
 
             // Create a new request (can't reuse the old one)
-            using var retryRequest = _tokenProvider.CreateDPoPRequest(request.Method, url);
+            using var retryRequest = await _tokenProvider.CreateDPoPRequestAsync(request.Method, url).ConfigureAwait(false);
 
             if (request.Content != null)
             {
diff --git a/src/CarpaNet.OAuth/CarpaNet.OAuth.csproj b/src/CarpaNet.OAuth/CarpaNet.OAuth.csproj
index 326e7f0..9e7d7c4 100644
--- a/src/CarpaNet.OAuth/CarpaNet.OAuth.csproj
+++ b/src/CarpaNet.OAuth/CarpaNet.OAuth.csproj
@@ -1,7 +1,7 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFrameworks>net8.0;net9.0;net10.0;netstandard2.0</TargetFrameworks>
+    <TargetFrameworks>net8.0;net9.0;net10.0;net10.0-browser;netstandard2.0</TargetFrameworks>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <LangVersion>latest</LangVersion>
@@ -11,6 +11,11 @@
     <Description>.NET ATProtocol OAuth Implementation Library for CarpaNet.</Description>
   </PropertyGroup>
 
+  <PropertyGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'browser'">
+    <DefineConstants>$(DefineConstants);BROWSER</DefineConstants>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+  </PropertyGroup>
+
   <ItemGroup>
     <ProjectReference Include="../CarpaNet/CarpaNet.csproj" />
   </ItemGroup>
@@ -20,7 +25,19 @@
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
   </ItemGroup>
 
-  <ItemGroup Condition=" ('$(IsPackable)' == 'true') or ('$(PackAsTool)' == 'true') ">
+  <!-- Exclude browser-only files from non-browser TFMs -->
+  <ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) != 'browser'">
+    <Compile Remove="Crypto/BrowserCryptoProvider.cs" />
+    <Compile Remove="Crypto/BrowserCryptoInterop.cs" />
+    <None Remove="Crypto/carpanet-crypto.mjs" />
+  </ItemGroup>
+
+  <!-- Exclude desktop crypto provider from browser TFM -->
+  <ItemGroup Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'browser'">
+    <Compile Remove="Crypto/EcdsaCryptoProvider.cs" />
+  </ItemGroup>
+
+<ItemGroup Condition=" ('$(IsPackable)' == 'true') or ('$(PackAsTool)' == 'true') ">
     <None Include="$(MSBuildThisFileDirectory)README.md" Pack="true" PackagePath=""
       Visible="false" />
   </ItemGroup>
diff --git a/src/CarpaNet.OAuth/ClientAssertion.cs b/src/CarpaNet.OAuth/ClientAssertion.cs
index e4ea1d1..ffe05af 100644
--- a/src/CarpaNet.OAuth/ClientAssertion.cs
+++ b/src/CarpaNet.OAuth/ClientAssertion.cs
@@ -1,7 +1,7 @@
 using System;
-using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
+using System.Threading.Tasks;
 
 namespace CarpaNet.OAuth.Crypto;
 
@@ -23,7 +23,41 @@ public static class ClientAssertion
     /// <param name="keyPair">The signing key pair.</param>
     /// <param name="keyId">Optional key ID to include in the header.</param>
     /// <returns>A signed JWT for client authentication.</returns>
+    /// <remarks>
+    /// On browser platforms, use <see cref="CreateAsync"/> instead.
+    /// </remarks>
     public static string Create(string clientId, string audience, DPoPKeyPair keyPair, string? keyId = null)
+    {
+        var (headerBase64, payloadBase64) = BuildComponents(clientId, audience, keyPair, keyId);
+        var signingInput = $"{headerBase64}.{payloadBase64}";
+
+        var signature = keyPair.SignData(Encoding.UTF8.GetBytes(signingInput));
+        var signatureBase64 = Pkce.Base64UrlEncode(signature);
+
+        return $"{signingInput}.{signatureBase64}";
+    }
+
+    /// <summary>
+    /// Creates a client assertion JWT asynchronously. Works on all platforms including browser.
+    /// </summary>
+    /// <param name="clientId">The client ID.</param>
+    /// <param name="audience">The token endpoint URL or issuer.</param>
+    /// <param name="keyPair">The signing key pair.</param>
+    /// <param name="keyId">Optional key ID to include in the header.</param>
+    /// <returns>A signed JWT for client authentication.</returns>
+    public static async Task<string> CreateAsync(string clientId, string audience, DPoPKeyPair keyPair, string? keyId = null)
+    {
+        var (headerBase64, payloadBase64) = BuildComponents(clientId, audience, keyPair, keyId);
+        var signingInput = $"{headerBase64}.{payloadBase64}";
+
+        var signature = await keyPair.SignDataAsync(Encoding.UTF8.GetBytes(signingInput)).ConfigureAwait(false);
+        var signatureBase64 = Pkce.Base64UrlEncode(signature);
+
+        return $"{signingInput}.{signatureBase64}";
+    }
+
+    private static (string HeaderBase64, string PayloadBase64) BuildComponents(
+        string clientId, string audience, DPoPKeyPair keyPair, string? keyId)
     {
         var now = DateTimeOffset.UtcNow;
 
@@ -46,46 +80,12 @@ public static string Create(string clientId, string audience, DPoPKeyPair keyPai
             Exp = now.AddMinutes(1).ToUnixTimeSeconds()
         };
 
-        return CreateSignedJwt(header, payload, keyPair);
-    }
-
-    private static string CreateSignedJwt(
-        JwtHeader header,
-        ClientAssertionPayload payload,
-        DPoPKeyPair keyPair)
-    {
         var headerJson = JsonSerializer.Serialize(header, OAuthJsonContext.Default.JwtHeader);
         var payloadJson = JsonSerializer.Serialize(payload, OAuthJsonContext.Default.ClientAssertionPayload);
 
         var headerBase64 = Pkce.Base64UrlEncode(Encoding.UTF8.GetBytes(headerJson));
         var payloadBase64 = Pkce.Base64UrlEncode(Encoding.UTF8.GetBytes(payloadJson));
 
-        var signingInput = $"{headerBase64}.{payloadBase64}";
-
-        // Use the key pair's internal signing - we need to create a proof without the DPoP-specific fields
-        // For now, we'll create a simple ES256 signature
-        var jwk = keyPair.ExportKeyPair();
-
-        using var ecdsa = CreateEcdsaFromJwk(jwk);
-        var signature = ecdsa.SignData(Encoding.UTF8.GetBytes(signingInput), HashAlgorithmName.SHA256);
-        var signatureBase64 = Pkce.Base64UrlEncode(signature);
-
-        return $"{signingInput}.{signatureBase64}";
-    }
-
-    private static ECDsa CreateEcdsaFromJwk(JsonWebKey jwk)
-    {
-        var parameters = new ECParameters
-        {
-            Curve = ECCurve.NamedCurves.nistP256,
-            Q = new ECPoint
-            {
-                X = Pkce.Base64UrlDecode(jwk.X!),
-                Y = Pkce.Base64UrlDecode(jwk.Y!)
-            },
-            D = Pkce.Base64UrlDecode(jwk.D!)
-        };
-
-        return ECDsa.Create(parameters);
+        return (headerBase64, payloadBase64);
     }
 }
diff --git a/src/CarpaNet.OAuth/Crypto/BrowserCryptoInterop.cs b/src/CarpaNet.OAuth/Crypto/BrowserCryptoInterop.cs
new file mode 100644
index 0000000..59d8deb
--- /dev/null
+++ b/src/CarpaNet.OAuth/Crypto/BrowserCryptoInterop.cs
@@ -0,0 +1,95 @@
+using System;
+using System.Runtime.InteropServices.JavaScript;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace CarpaNet.OAuth.Crypto;
+
+/// <summary>
+/// JavaScript interop declarations for WebCrypto ECDSA P-256 operations.
+/// </summary>
+internal static partial class BrowserCryptoInterop
+{
+    private static Task? _initTask;
+
+    /// <summary>
+    /// Ensures the JavaScript module is loaded. Safe to call multiple times.
+    /// </summary>
+    internal static Task EnsureInitializedAsync()
+    {
+        return _initTask ??= InitializeCoreAsync();
+    }
+
+    private static async Task InitializeCoreAsync()
+    {
+        // Create a JS module from inline source using a data URI
+        const string moduleSource = """
+            export async function generateKeyPair() {
+                const keyPair = await crypto.subtle.generateKey(
+                    { name: "ECDSA", namedCurve: "P-256" },
+                    true,
+                    ["sign"]
+                );
+                const jwk = await crypto.subtle.exportKey("jwk", keyPair.privateKey);
+                return JSON.stringify({ x: jwk.x, y: jwk.y, d: jwk.d });
+            }
+
+            export async function signData(x, y, d, dataBase64) {
+                const jwk = { kty: "EC", crv: "P-256", x, y, d };
+                const key = await crypto.subtle.importKey(
+                    "jwk",
+                    jwk,
+                    { name: "ECDSA", namedCurve: "P-256" },
+                    false,
+                    ["sign"]
+                );
+                const data = Uint8Array.from(atob(dataBase64), c => c.charCodeAt(0));
+                const sig = await crypto.subtle.sign(
+                    { name: "ECDSA", hash: "SHA-256" },
+                    key,
+                    data
+                );
+                const bytes = new Uint8Array(sig);
+                let binary = "";
+                for (let i = 0; i < bytes.length; i++) {
+                    binary += String.fromCharCode(bytes[i]);
+                }
+                return btoa(binary);
+            }
+            """;
+
+        // Encode as data URI and import
+        var base64 = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(moduleSource));
+        var dataUri = $"data:text/javascript;base64,{base64}";
+
+        await JSHost.ImportAsync("carpanet-crypto", dataUri).ConfigureAwait(false);
+    }
+
+    /// <summary>
+    /// Generates a new ECDSA P-256 key pair and returns the JWK as JSON (with x, y, d fields).
+    /// </summary>
+    [JSImport("generateKeyPair", "carpanet-crypto")]
+    internal static partial Task<string> GenerateKeyPairAsync();
+
+    /// <summary>
+    /// Signs data using ECDSA P-256 with SHA-256.
+    /// Returns signature bytes as a base64-encoded string.
+    /// </summary>
+    [JSImport("signData", "carpanet-crypto")]
+    internal static partial Task<string> SignDataRawAsync(
+        string x,
+        string y,
+        string d,
+        string dataBase64);
+
+    /// <summary>
+    /// Signs data and returns the signature as a byte array.
+    /// </summary>
+    internal static async Task<byte[]> SignDataAsync(string x, string y, string d, byte[] data)
+    {
+        await EnsureInitializedAsync().ConfigureAwait(false);
+        var dataBase64 = Convert.ToBase64String(data);
+        var resultBase64 = await SignDataRawAsync(x, y, d, dataBase64).ConfigureAwait(false);
+        return Convert.FromBase64String(resultBase64);
+    }
+}
diff --git a/src/CarpaNet.OAuth/Crypto/BrowserCryptoProvider.cs b/src/CarpaNet.OAuth/Crypto/BrowserCryptoProvider.cs
new file mode 100644
index 0000000..be75b3f
--- /dev/null
+++ b/src/CarpaNet.OAuth/Crypto/BrowserCryptoProvider.cs
@@ -0,0 +1,80 @@
+using System;
+using System.Text.Json;
+using System.Threading.Tasks;
+
+namespace CarpaNet.OAuth.Crypto;
+
+/// <summary>
+/// WebCrypto-based crypto provider for browser (WASM) platforms.
+/// Uses JavaScript interop via <see cref="BrowserCryptoInterop"/>.
+/// </summary>
+internal sealed class BrowserCryptoProvider : ICryptoProvider
+{
+    private readonly string _x;
+    private readonly string _y;
+    private readonly string _d;
+
+    private BrowserCryptoProvider(string x, string y, string d)
+    {
+        _x = x;
+        _y = y;
+        _d = d;
+    }
+
+    /// <summary>
+    /// Creates a new provider by generating a P-256 key pair via WebCrypto.
+    /// </summary>
+    public static async Task<BrowserCryptoProvider> CreateAsync()
+    {
+        await BrowserCryptoInterop.EnsureInitializedAsync().ConfigureAwait(false);
+        var json = await BrowserCryptoInterop.GenerateKeyPairAsync().ConfigureAwait(false);
+        using var doc = JsonDocument.Parse(json);
+        var root = doc.RootElement;
+        var x = root.GetProperty("x").GetString()
+            ?? throw new InvalidOperationException("Failed to generate key pair via WebCrypto: missing 'x'.");
+        var y = root.GetProperty("y").GetString()
+            ?? throw new InvalidOperationException("Failed to generate key pair via WebCrypto: missing 'y'.");
+        var d = root.GetProperty("d").GetString()
+            ?? throw new InvalidOperationException("Failed to generate key pair via WebCrypto: missing 'd'.");
+        return new BrowserCryptoProvider(x, y, d);
+    }
+
+    /// <summary>
+    /// Creates a provider by importing JWK components (sync, no validation).
+    /// </summary>
+    public static BrowserCryptoProvider Import(string x, string y, string d)
+    {
+        return new BrowserCryptoProvider(x, y, d);
+    }
+
+    /// <inheritdoc/>
+    public byte[] SignData(byte[] data)
+    {
+        throw new PlatformNotSupportedException(
+            "Synchronous ECDSA signing is not supported on browser platforms. Use SignDataAsync instead.");
+    }
+
+    /// <inheritdoc/>
+    public async Task<byte[]> SignDataAsync(byte[] data)
+    {
+        return await BrowserCryptoInterop.SignDataAsync(_x, _y, _d, data).ConfigureAwait(false);
+    }
+
+    /// <inheritdoc/>
+    public (string X, string Y) ExportPublicParameters()
+    {
+        return (_x, _y);
+    }
+
+    /// <inheritdoc/>
+    public (string X, string Y, string D) ExportPrivateParameters()
+    {
+        return (_x, _y, _d);
+    }
+
+    /// <inheritdoc/>
+    public void Dispose()
+    {
+        // No-op: no unmanaged resources
+    }
+}
diff --git a/src/CarpaNet.OAuth/Crypto/EcdsaCryptoProvider.cs b/src/CarpaNet.OAuth/Crypto/EcdsaCryptoProvider.cs
new file mode 100644
index 0000000..13ee846
--- /dev/null
+++ b/src/CarpaNet.OAuth/Crypto/EcdsaCryptoProvider.cs
@@ -0,0 +1,77 @@
+using System;
+using System.Security.Cryptography;
+using System.Threading.Tasks;
+
+namespace CarpaNet.OAuth.Crypto;
+
+/// <summary>
+/// ECDsa-based crypto provider for desktop/server platforms.
+/// </summary>
+internal sealed class EcdsaCryptoProvider : ICryptoProvider
+{
+    private readonly ECDsa _key;
+
+    private EcdsaCryptoProvider(ECDsa key)
+    {
+        _key = key;
+    }
+
+    /// <summary>
+    /// Creates a new provider with a freshly generated P-256 key.
+    /// </summary>
+    public static EcdsaCryptoProvider Create()
+    {
+        return new EcdsaCryptoProvider(ECDsa.Create(ECCurve.NamedCurves.nistP256));
+    }
+
+    /// <summary>
+    /// Creates a provider by importing JWK components.
+    /// </summary>
+    public static EcdsaCryptoProvider Import(string x, string y, string d)
+    {
+        var parameters = new ECParameters
+        {
+            Curve = ECCurve.NamedCurves.nistP256,
+            Q = new ECPoint
+            {
+                X = Pkce.Base64UrlDecode(x),
+                Y = Pkce.Base64UrlDecode(y)
+            },
+            D = Pkce.Base64UrlDecode(d)
+        };
+
+        return new EcdsaCryptoProvider(ECDsa.Create(parameters));
+    }
+
+    /// <inheritdoc/>
+    public byte[] SignData(byte[] data)
+    {
+        return _key.SignData(data, HashAlgorithmName.SHA256);
+    }
+
+    /// <inheritdoc/>
+    public Task<byte[]> SignDataAsync(byte[] data)
+    {
+        return Task.FromResult(SignData(data));
+    }
+
+    /// <inheritdoc/>
+    public (string X, string Y) ExportPublicParameters()
+    {
+        var parameters = _key.ExportParameters(includePrivateParameters: false);
+        return (Pkce.Base64UrlEncode(parameters.Q.X!), Pkce.Base64UrlEncode(parameters.Q.Y!));
+    }
+
+    /// <inheritdoc/>
+    public (string X, string Y, string D) ExportPrivateParameters()
+    {
+        var parameters = _key.ExportParameters(includePrivateParameters: true);
+        return (Pkce.Base64UrlEncode(parameters.Q.X!), Pkce.Base64UrlEncode(parameters.Q.Y!), Pkce.Base64UrlEncode(parameters.D!));
+    }
+
+    /// <inheritdoc/>
+    public void Dispose()
+    {
+        _key.Dispose();
+    }
+}
diff --git a/src/CarpaNet.OAuth/Crypto/ICryptoProvider.cs b/src/CarpaNet.OAuth/Crypto/ICryptoProvider.cs
new file mode 100644
index 0000000..6d9c1e4
--- /dev/null
+++ b/src/CarpaNet.OAuth/Crypto/ICryptoProvider.cs
@@ -0,0 +1,30 @@
+using System;
+using System.Threading.Tasks;
+
+namespace CarpaNet.OAuth.Crypto;
+
+/// <summary>
+/// Abstracts platform-specific ECDSA P-256 operations for DPoP key pairs.
+/// </summary>
+internal interface ICryptoProvider : IDisposable
+{
+    /// <summary>
+    /// Signs data synchronously using ES256. Throws <see cref="PlatformNotSupportedException"/> on browser.
+    /// </summary>
+    byte[] SignData(byte[] data);
+
+    /// <summary>
+    /// Signs data asynchronously using ES256. Works on all platforms.
+    /// </summary>
+    Task<byte[]> SignDataAsync(byte[] data);
+
+    /// <summary>
+    /// Exports the public key parameters as base64url-encoded strings.
+    /// </summary>
+    (string X, string Y) ExportPublicParameters();
+
+    /// <summary>
+    /// Exports the full key parameters (including private key) as base64url-encoded strings.
+    /// </summary>
+    (string X, string Y, string D) ExportPrivateParameters();
+}
diff --git a/src/CarpaNet.OAuth/DPoPKeyPair.cs b/src/CarpaNet.OAuth/DPoPKeyPair.cs
index 5b3f599..2d50c0d 100644
--- a/src/CarpaNet.OAuth/DPoPKeyPair.cs
+++ b/src/CarpaNet.OAuth/DPoPKeyPair.cs
@@ -2,6 +2,7 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
+using System.Threading.Tasks;
 
 namespace CarpaNet.OAuth.Crypto;
 
@@ -10,7 +11,7 @@ namespace CarpaNet.OAuth.Crypto;
 /// </summary>
 public sealed class DPoPKeyPair : IDisposable
 {
-    private readonly ECDsa _key;
+    private readonly ICryptoProvider _crypto;
     private readonly string _publicKeyJwk;
     private readonly string _thumbprint;
     private bool _disposed;
@@ -28,9 +29,9 @@ public sealed class DPoPKeyPair : IDisposable
     /// <summary>
     /// Creates a new ES256 key pair.
     /// </summary>
-    private DPoPKeyPair(ECDsa key, string publicKeyJwk, string thumbprint)
+    private DPoPKeyPair(ICryptoProvider crypto, string publicKeyJwk, string thumbprint)
     {
-        _key = key;
+        _crypto = crypto;
         _publicKeyJwk = publicKeyJwk;
         _thumbprint = thumbprint;
     }
@@ -38,67 +39,96 @@ private DPoPKeyPair(ECDsa key, string publicKeyJwk, string thumbprint)
     /// <summary>
     /// Generates a new ES256 key pair.
     /// </summary>
+    /// <remarks>
+    /// On browser platforms, use <see cref="GenerateAsync"/> instead. This method throws
+    /// <see cref="PlatformNotSupportedException"/> on browser.
+    /// </remarks>
     public static DPoPKeyPair Generate()
     {
-        var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
-        var parameters = key.ExportParameters(includePrivateParameters: false);
+#if BROWSER
+        throw new PlatformNotSupportedException(
+            "Synchronous key generation is not supported on browser platforms. Use GenerateAsync instead.");
+#else
+        var crypto = EcdsaCryptoProvider.Create();
+        return FromCryptoProvider(crypto);
+#endif
+    }
 
-        var x = Pkce.Base64UrlEncode(parameters.Q.X!);
-        var y = Pkce.Base64UrlEncode(parameters.Q.Y!);
+    /// <summary>
+    /// Generates a new ES256 key pair asynchronously. Works on all platforms including browser.
+    /// </summary>
+    public static async Task<DPoPKeyPair> GenerateAsync()
+    {
+#if BROWSER
+        var crypto = await BrowserCryptoProvider.CreateAsync().ConfigureAwait(false);
+#else
+        var crypto = EcdsaCryptoProvider.Create();
+        await Task.CompletedTask.ConfigureAwait(false);
+#endif
+        return FromCryptoProvider(crypto);
+    }
 
-        // Build JWK for the public key (properties already in alphabetical order for thumbprint)
-        var jwk = new EcJwk { Crv = "P-256", Kty = "EC", X = x, Y = y };
-        var publicKeyJwk = JsonSerializer.Serialize(jwk, OAuthJsonContext.Default.EcJwk);
+    /// <summary>
+    /// Creates a DPoP proof JWT.
+    /// </summary>
+    /// <param name="httpMethod">The HTTP method (e.g., "POST", "GET").</param>
+    /// <param name="httpUri">The HTTP URI (without query string or fragment).</param>
+    /// <param name="nonce">Optional server-provided nonce.</param>
+    /// <param name="accessToken">Optional access token for access token hash (ath).</param>
+    /// <returns>A signed DPoP proof JWT.</returns>
+    /// <remarks>
+    /// On browser platforms, use <see cref="CreateProofAsync"/> instead. This method throws
+    /// <see cref="PlatformNotSupportedException"/> on browser.
+    /// </remarks>
+    public string CreateProof(string httpMethod, string httpUri, string? nonce = null, string? accessToken = null)
+    {
+        ThrowIfDisposed();
 
-        // Compute JWK thumbprint (RFC 7638) - canonical form
-        using var sha256 = SHA256.Create();
-        var thumbprintBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(publicKeyJwk));
-        var thumbprint = Pkce.Base64UrlEncode(thumbprintBytes);
+        var (headerBase64, payloadBase64) = BuildProofComponents(httpMethod, httpUri, nonce, accessToken);
+        var signingInput = $"{headerBase64}.{payloadBase64}";
+        var signature = _crypto.SignData(Encoding.UTF8.GetBytes(signingInput));
+        var signatureBase64 = Pkce.Base64UrlEncode(signature);
 
-        return new DPoPKeyPair(key, publicKeyJwk, thumbprint);
+        return $"{signingInput}.{signatureBase64}";
     }
 
     /// <summary>
-    /// Creates a DPoP proof JWT.
+    /// Creates a DPoP proof JWT asynchronously. Works on all platforms including browser.
     /// </summary>
     /// <param name="httpMethod">The HTTP method (e.g., "POST", "GET").</param>
     /// <param name="httpUri">The HTTP URI (without query string or fragment).</param>
     /// <param name="nonce">Optional server-provided nonce.</param>
     /// <param name="accessToken">Optional access token for access token hash (ath).</param>
     /// <returns>A signed DPoP proof JWT.</returns>
-    public string CreateProof(string httpMethod, string httpUri, string? nonce = null, string? accessToken = null)
+    public async Task<string> CreateProofAsync(string httpMethod, string httpUri, string? nonce = null, string? accessToken = null)
     {
         ThrowIfDisposed();
 
-        // Build header
-        var jwkObj = JsonSerializer.Deserialize(_publicKeyJwk, OAuthJsonContext.Default.EcJwk)!;
-        var header = new DPoPProofHeader { Alg = "ES256", Typ = "dpop+jwt", Jwk = jwkObj };
+        var (headerBase64, payloadBase64) = BuildProofComponents(httpMethod, httpUri, nonce, accessToken);
+        var signingInput = $"{headerBase64}.{payloadBase64}";
 
-        // Normalize URI (remove query and fragment)
-        var uri = new Uri(httpUri);
-        var normalizedUri = $"{uri.Scheme}://{uri.Authority}{uri.AbsolutePath}";
+        var signature = await _crypto.SignDataAsync(Encoding.UTF8.GetBytes(signingInput)).ConfigureAwait(false);
+        var signatureBase64 = Pkce.Base64UrlEncode(signature);
 
-        // Compute access token hash if needed
-        string? ath = null;
-        if (!string.IsNullOrEmpty(accessToken))
-        {
-            using var sha256 = SHA256.Create();
-            var hash = sha256.ComputeHash(Encoding.ASCII.GetBytes(accessToken));
-            ath = Pkce.Base64UrlEncode(hash);
-        }
+        return $"{signingInput}.{signatureBase64}";
+    }
 
-        // Build payload
-        var payload = new DPoPProofPayload
-        {
-            Iat = DateTimeOffset.UtcNow.ToUnixTimeSeconds(),
-            Jti = Pkce.GenerateNonce(16),
-            Htm = httpMethod.ToUpperInvariant(),
-            Htu = normalizedUri,
-            Nonce = string.IsNullOrEmpty(nonce) ? null : nonce,
-            Ath = ath
-        };
+    /// <summary>
+    /// Signs data using the key pair. Throws <see cref="PlatformNotSupportedException"/> on browser.
+    /// </summary>
+    internal byte[] SignData(byte[] data)
+    {
+        ThrowIfDisposed();
+        return _crypto.SignData(data);
+    }
 
-        return CreateDPoPJwt(header, payload);
+    /// <summary>
+    /// Signs data asynchronously using the key pair. Works on all platforms.
+    /// </summary>
+    internal Task<byte[]> SignDataAsync(byte[] data)
+    {
+        ThrowIfDisposed();
+        return _crypto.SignDataAsync(data);
     }
 
     /// <summary>
@@ -108,13 +138,13 @@ public JsonWebKey ExportPublicKey()
     {
         ThrowIfDisposed();
 
-        var parameters = _key.ExportParameters(includePrivateParameters: false);
+        var (x, y) = _crypto.ExportPublicParameters();
         return new JsonWebKey
         {
             Kty = "EC",
             Crv = "P-256",
-            X = Pkce.Base64UrlEncode(parameters.Q.X!),
-            Y = Pkce.Base64UrlEncode(parameters.Q.Y!),
+            X = x,
+            Y = y,
             Alg = "ES256",
             Use = "sig"
         };
@@ -127,14 +157,14 @@ public JsonWebKey ExportKeyPair()
     {
         ThrowIfDisposed();
 
-        var parameters = _key.ExportParameters(includePrivateParameters: true);
+        var (x, y, d) = _crypto.ExportPrivateParameters();
         return new JsonWebKey
         {
             Kty = "EC",
             Crv = "P-256",
-            X = Pkce.Base64UrlEncode(parameters.Q.X!),
-            Y = Pkce.Base64UrlEncode(parameters.Q.Y!),
-            D = Pkce.Base64UrlEncode(parameters.D!),
+            X = x,
+            Y = y,
+            D = d,
             Alg = "ES256",
             Use = "sig"
         };
@@ -155,43 +185,69 @@ public static DPoPKeyPair Import(JsonWebKey jwk)
             throw new ArgumentException("JWK must contain x, y, and d components.", nameof(jwk));
         }
 
-        var parameters = new ECParameters
-        {
-            Curve = ECCurve.NamedCurves.nistP256,
-            Q = new ECPoint
-            {
-                X = Pkce.Base64UrlDecode(jwk.X!),
-                Y = Pkce.Base64UrlDecode(jwk.Y!)
-            },
-            D = Pkce.Base64UrlDecode(jwk.D!)
-        };
+#if BROWSER
+        ICryptoProvider crypto = BrowserCryptoProvider.Import(jwk.X!, jwk.Y!, jwk.D!);
+#else
+        ICryptoProvider crypto = EcdsaCryptoProvider.Import(jwk.X!, jwk.Y!, jwk.D!);
+#endif
 
-        var key = ECDsa.Create(parameters);
+        return FromCryptoProvider(crypto);
+    }
 
-        // Build public JWK for thumbprint (properties in alphabetical order)
-        var publicJwk = new EcJwk { Crv = "P-256", Kty = "EC", X = jwk.X!, Y = jwk.Y! };
-        var publicKeyJwk = JsonSerializer.Serialize(publicJwk, OAuthJsonContext.Default.EcJwk);
+    private static DPoPKeyPair FromCryptoProvider(ICryptoProvider crypto)
+    {
+        var (x, y) = crypto.ExportPublicParameters();
 
+        // Build JWK for the public key (properties already in alphabetical order for thumbprint)
+        var jwk = new EcJwk { Crv = "P-256", Kty = "EC", X = x, Y = y };
+        var publicKeyJwk = JsonSerializer.Serialize(jwk, OAuthJsonContext.Default.EcJwk);
+
+        // Compute JWK thumbprint (RFC 7638) - canonical form
         using var sha256 = SHA256.Create();
         var thumbprintBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(publicKeyJwk));
         var thumbprint = Pkce.Base64UrlEncode(thumbprintBytes);
 
-        return new DPoPKeyPair(key, publicKeyJwk, thumbprint);
+        return new DPoPKeyPair(crypto, publicKeyJwk, thumbprint);
     }
 
-    private string CreateDPoPJwt(DPoPProofHeader header, DPoPProofPayload payload)
+    private (string HeaderBase64, string PayloadBase64) BuildProofComponents(
+        string httpMethod, string httpUri, string? nonce, string? accessToken)
     {
+        // Build header
+        var jwkObj = JsonSerializer.Deserialize(_publicKeyJwk, OAuthJsonContext.Default.EcJwk)!;
+        var header = new DPoPProofHeader { Alg = "ES256", Typ = "dpop+jwt", Jwk = jwkObj };
+
+        // Normalize URI (remove query and fragment)
+        var uri = new Uri(httpUri);
+        var normalizedUri = $"{uri.Scheme}://{uri.Authority}{uri.AbsolutePath}";
+
+        // Compute access token hash if needed
+        string? ath = null;
+        if (!string.IsNullOrEmpty(accessToken))
+        {
+            using var sha256 = SHA256.Create();
+            var hash = sha256.ComputeHash(Encoding.ASCII.GetBytes(accessToken));
+            ath = Pkce.Base64UrlEncode(hash);
+        }
+
+        // Build payload
+        var payload = new DPoPProofPayload
+        {
+            Iat = DateTimeOffset.UtcNow.ToUnixTimeSeconds(),
+            Jti = Pkce.GenerateNonce(16),
+            Htm = httpMethod.ToUpperInvariant(),
+            Htu = normalizedUri,
+            Nonce = string.IsNullOrEmpty(nonce) ? null : nonce,
+            Ath = ath
+        };
+
         var headerJson = JsonSerializer.Serialize(header, OAuthJsonContext.Default.DPoPProofHeader);
         var payloadJson = JsonSerializer.Serialize(payload, OAuthJsonContext.Default.DPoPProofPayload);
 
         var headerBase64 = Pkce.Base64UrlEncode(Encoding.UTF8.GetBytes(headerJson));
         var payloadBase64 = Pkce.Base64UrlEncode(Encoding.UTF8.GetBytes(payloadJson));
 
-        var signingInput = $"{headerBase64}.{payloadBase64}";
-        var signature = _key.SignData(Encoding.UTF8.GetBytes(signingInput), HashAlgorithmName.SHA256);
-        var signatureBase64 = Pkce.Base64UrlEncode(signature);
-
-        return $"{signingInput}.{signatureBase64}";
+        return (headerBase64, payloadBase64);
     }
 
     private void ThrowIfDisposed()
@@ -211,6 +267,6 @@ public void Dispose()
         }
 
         _disposed = true;
-        _key.Dispose();
+        _crypto.Dispose();
     }
 }
diff --git a/src/CarpaNet.OAuth/DPoPTokenProvider.cs b/src/CarpaNet.OAuth/DPoPTokenProvider.cs
index 5ec3f56..8cf89d2 100644
--- a/src/CarpaNet.OAuth/DPoPTokenProvider.cs
+++ b/src/CarpaNet.OAuth/DPoPTokenProvider.cs
@@ -293,6 +293,38 @@ public void AddDPoPHeaders(HttpRequestMessage request, bool includeAccessToken =
         }
     }
 
+    /// <summary>
+    /// Adds DPoP proof and authorization headers to an existing HTTP request asynchronously.
+    /// Works on all platforms including browser.
+    /// </summary>
+    /// <param name="request">The HTTP request to add headers to.</param>
+    /// <param name="includeAccessToken">Whether to include the access token.</param>
+    public async Task AddDPoPHeadersAsync(HttpRequestMessage request, bool includeAccessToken = true)
+    {
+        ThrowIfDisposed();
+
+        if (_dpopKey == null)
+        {
+            throw new InvalidOperationException("No DPoP key available.");
+        }
+
+        var url = request.RequestUri!.ToString();
+        var nonce = _nonceCache.Get(url);
+        var accessToken = includeAccessToken ? _tokenSet?.AccessToken : null;
+        var proof = await _dpopKey.CreateProofAsync(request.Method.Method, url, nonce, accessToken).ConfigureAwait(false);
+
+        // Remove existing DPoP headers before adding new ones
+        request.Headers.Remove("DPoP");
+        request.Headers.Remove("Authorization");
+
+        request.Headers.Add("DPoP", proof);
+
+        if (includeAccessToken && !string.IsNullOrEmpty(accessToken))
+        {
+            request.Headers.Authorization = new AuthenticationHeaderValue("DPoP", accessToken);
+        }
+    }
+
     /// <summary>
     /// Creates a DPoP-signed HTTP request.
     /// </summary>
@@ -324,6 +356,38 @@ public HttpRequestMessage CreateDPoPRequest(HttpMethod method, string url, bool
         return request;
     }
 
+    /// <summary>
+    /// Creates a DPoP-signed HTTP request asynchronously.
+    /// Works on all platforms including browser.
+    /// </summary>
+    /// <param name="method">The HTTP method.</param>
+    /// <param name="url">The request URL.</param>
+    /// <param name="includeAccessToken">Whether to include the access token.</param>
+    /// <returns>The HTTP request message with DPoP headers.</returns>
+    public async Task<HttpRequestMessage> CreateDPoPRequestAsync(HttpMethod method, string url, bool includeAccessToken = true)
+    {
+        ThrowIfDisposed();
+
+        if (_dpopKey == null)
+        {
+            throw new InvalidOperationException("No DPoP key available.");
+        }
+
+        var nonce = _nonceCache.Get(url);
+        var accessToken = includeAccessToken ? _tokenSet?.AccessToken : null;
+        var proof = await _dpopKey.CreateProofAsync(method.Method, url, nonce, accessToken).ConfigureAwait(false);
+
+        var request = new HttpRequestMessage(method, url);
+        request.Headers.Add("DPoP", proof);
+
+        if (includeAccessToken && !string.IsNullOrEmpty(accessToken))
+        {
+            request.Headers.Authorization = new AuthenticationHeaderValue("DPoP", accessToken);
+        }
+
+        return request;
+    }
+
     /// <summary>
     /// Updates the DPoP nonce from a response.
     /// </summary>
@@ -367,7 +431,7 @@ private async Task<TokenSet> ExecuteTokenRequestAsync(
         CancellationToken cancellationToken)
     {
         _logger.LogDebug("Executing token request to {Endpoint}", tokenEndpoint);
-        using var request = CreateDPoPRequest(HttpMethod.Post, tokenEndpoint, includeAccessToken: false);
+        using var request = await CreateDPoPRequestAsync(HttpMethod.Post, tokenEndpoint, includeAccessToken: false).ConfigureAwait(false);
         request.Content = new StringContent(formContent, Encoding.UTF8, "application/x-www-form-urlencoded");
 
         var response = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
diff --git a/src/CarpaNet.OAuth/OAuthSession.cs b/src/CarpaNet.OAuth/OAuthSession.cs
index cc86365..78f0cbd 100644
--- a/src/CarpaNet.OAuth/OAuthSession.cs
+++ b/src/CarpaNet.OAuth/OAuthSession.cs
@@ -75,7 +75,7 @@ public async Task<string> AuthorizeAsync(
         var state = Pkce.GenerateState();
 
         // Generate DPoP key
-        var dpopKey = DPoPKeyPair.Generate();
+        var dpopKey = await DPoPKeyPair.GenerateAsync().ConfigureAwait(false);
 
         // Store state data
         var stateData = new OAuthStateData
@@ -119,7 +119,7 @@ public async Task<string> AuthorizeAsync(
         // Try PAR if available
         if (!string.IsNullOrEmpty(serverMetadata.PushedAuthorizationRequestEndpoint))
         {
-            _logger.LogDebug("Attempting PAR");
+            _logger.LogDebug("Attempting PAR to {Endpoint}", serverMetadata.PushedAuthorizationRequestEndpoint);
             try
             {
                 var requestUri = await PushAuthorizationRequestAsync(
@@ -137,9 +137,16 @@ public async Task<string> AuthorizeAsync(
                         ["request_uri"] = requestUri
                     });
             }
-            catch (OAuthException)
+            catch (OAuthException ex)
             {
-                _logger.LogWarning("PAR failed, falling back to standard URL");
+                _logger.LogWarning("PAR failed ({Error}): {Description}. Falling back to standard URL.", ex.ErrorCode, ex.Message);
+
+                // If PAR is required by the server, don't silently fall back
+                if (serverMetadata.RequirePushedAuthorizationRequests == true)
+                {
+                    throw;
+                }
+
                 // Fall back to standard authorization URL if PAR fails
             }
         }
@@ -339,7 +346,7 @@ public async Task RevokeAsync(string sub, CancellationToken cancellationToken =
                     using var request = new HttpRequestMessage(HttpMethod.Post, serverMetadata.RevocationEndpoint);
 
                     var nonce = new DPoPNonceCache().Get(serverMetadata.RevocationEndpoint!);
-                    var proof = dpopKey.CreateProof("POST", serverMetadata.RevocationEndpoint!, nonce);
+                    var proof = await dpopKey.CreateProofAsync("POST", serverMetadata.RevocationEndpoint!, nonce).ConfigureAwait(false);
                     request.Headers.Add("DPoP", proof);
 
                     var content = $"token={Uri.EscapeDataString(sessionData.TokenSet.RefreshToken)}&token_type_hint=refresh_token";
@@ -413,7 +420,21 @@ private async Task<string> PushAuthorizationRequestAsync(
 
         for (int attempt = 0; attempt < 2; attempt++)
         {
-            var proof = dpopKey.CreateProof("POST", parEndpoint, nonce);
+            var proof = await dpopKey.CreateProofAsync("POST", parEndpoint, nonce).ConfigureAwait(false);
+
+            _logger.LogDebug("PAR attempt {Attempt}: endpoint={Endpoint}, nonce={Nonce}", attempt, parEndpoint, nonce ?? "(none)");
+
+            // Log the decoded DPoP proof JWT for diagnostics
+            var proofParts = proof.Split('.');
+            if (proofParts.Length == 3)
+            {
+                var proofHeader = Encoding.UTF8.GetString(Pkce.Base64UrlDecode(proofParts[0]));
+                var proofPayload = Encoding.UTF8.GetString(Pkce.Base64UrlDecode(proofParts[1]));
+                var sigBytes = Pkce.Base64UrlDecode(proofParts[2]);
+                _logger.LogDebug("DPoP proof header: {Header}", proofHeader);
+                _logger.LogDebug("DPoP proof payload: {Payload}", proofPayload);
+                _logger.LogDebug("DPoP proof signature: {SigLength} bytes", sigBytes.Length);
+            }
 
             using var request = new HttpRequestMessage(HttpMethod.Post, parEndpoint);
             request.Headers.Add("DPoP", proof);
@@ -421,8 +442,12 @@ private async Task<string> PushAuthorizationRequestAsync(
             var formContent = BuildFormContent(authParams);
             request.Content = new StringContent(formContent, Encoding.UTF8, "application/x-www-form-urlencoded");
 
+            _logger.LogDebug("PAR request body: {Body}", formContent);
+
             var response = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
 
+            _logger.LogDebug("PAR response: {StatusCode}", (int)response.StatusCode);
+
             // Update nonce from response
             if (response.Headers.TryGetValues("DPoP-Nonce", out var nonceValues))
             {
@@ -449,21 +474,25 @@ private async Task<string> PushAuthorizationRequestAsync(
 
             // Check for use_dpop_nonce error
             var errorContent = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
+            _logger.LogWarning("PAR failed with {StatusCode}: {ErrorBody}", (int)response.StatusCode, errorContent);
+
             try
             {
                 var errorResponse = JsonSerializer.Deserialize(errorContent, OAuthJsonContext.Default.OAuthErrorResponse);
                 if (errorResponse?.Error == "use_dpop_nonce" && attempt == 0)
                 {
+                    _logger.LogDebug("PAR retry: use_dpop_nonce, retrying with new nonce");
                     continue; // Retry with new nonce
                 }
 
+                var errorDesc = errorResponse?.ErrorDescription ?? errorContent;
                 throw new OAuthException(
                     errorResponse?.Error ?? "par_failed",
-                    errorResponse?.ErrorDescription ?? errorContent);
+                    $"PAR request to {parEndpoint} failed with HTTP {(int)response.StatusCode}: {errorDesc}");
             }
             catch (JsonException)
             {
-                throw new OAuthException("par_failed", errorContent);
+                throw new OAuthException("par_failed", $"PAR request to {parEndpoint} failed with HTTP {(int)response.StatusCode}: {errorContent}");
             }
         }
 
@@ -482,7 +511,7 @@ private async Task<TokenSet> ExchangeCodeAsync(
 
         for (int attempt = 0; attempt < 2; attempt++)
         {
-            var proof = dpopKey.CreateProof("POST", tokenEndpoint, nonce);
+            var proof = await dpopKey.CreateProofAsync("POST", tokenEndpoint, nonce).ConfigureAwait(false);
 
             using var request = new HttpRequestMessage(HttpMethod.Post, tokenEndpoint);
             request.Headers.Add("DPoP", proof);
diff --git a/tests/CarpaNet.UnitTests/OAuth/DPoPKeyPairTests.cs b/tests/CarpaNet.UnitTests/OAuth/DPoPKeyPairTests.cs
index 3abadff..45e8051 100644
--- a/tests/CarpaNet.UnitTests/OAuth/DPoPKeyPairTests.cs
+++ b/tests/CarpaNet.UnitTests/OAuth/DPoPKeyPairTests.cs
@@ -1,6 +1,8 @@
 using System;
+using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
+using System.Threading.Tasks;
 using CarpaNet.OAuth;
 using CarpaNet.OAuth.Crypto;
 using Xunit;
@@ -208,6 +210,268 @@ public void CreateProof_AfterDispose_Throws()
             keyPair.CreateProof("POST", "https://example.com/token"));
     }
 
+    [Fact]
+    public void CreateProof_SignatureIsVerifiable()
+    {
+        // This test validates what a server does: extract the JWK from the header,
+        // reconstruct the public key, and verify the ES256 signature.
+        // If the browser WebCrypto implementation produces a different format,
+        // this same verification would fail on the server.
+        using var keyPair = DPoPKeyPair.Generate();
+
+        var proof = keyPair.CreateProof("POST", "https://example.com/token", nonce: "test-nonce");
+
+        AssertProofSignatureIsValid(proof);
+    }
+
+    [Fact]
+    public void CreateProof_ImportedKey_SignatureIsVerifiable()
+    {
+        // Verify that export → import → sign produces verifiable signatures
+        using var original = DPoPKeyPair.Generate();
+        var jwk = original.ExportKeyPair();
+
+        using var imported = DPoPKeyPair.Import(jwk);
+        var proof = imported.CreateProof("POST", "https://example.com/token");
+
+        AssertProofSignatureIsValid(proof);
+    }
+
+    [Fact]
+    public void CreateProof_WithAccessToken_SignatureIsVerifiable()
+    {
+        using var keyPair = DPoPKeyPair.Generate();
+
+        var proof = keyPair.CreateProof("GET", "https://example.com/api",
+            nonce: "server-nonce", accessToken: "my-access-token");
+
+        AssertProofSignatureIsValid(proof);
+    }
+
+    [Fact]
+    public async Task CreateProofAsync_SignatureIsVerifiable()
+    {
+        using var keyPair = await DPoPKeyPair.GenerateAsync();
+
+        var proof = await keyPair.CreateProofAsync("POST", "https://example.com/token", nonce: "test-nonce");
+
+        AssertProofSignatureIsValid(proof);
+    }
+
+    [Fact]
+    public async Task CreateProofAsync_MatchesSyncProofStructure()
+    {
+        // Verify that sync and async paths produce structurally identical JWTs
+        // (different jti/iat values, but same header structure and signature format)
+        using var keyPair = DPoPKeyPair.Generate();
+
+        var syncProof = keyPair.CreateProof("POST", "https://example.com/token");
+        var asyncProof = await keyPair.CreateProofAsync("POST", "https://example.com/token");
+
+        // Both should be valid JWTs with verifiable signatures
+        AssertProofSignatureIsValid(syncProof);
+        AssertProofSignatureIsValid(asyncProof);
+
+        // Both should have identical header structure
+        var syncHeader = ParseJwtPart(syncProof.Split('.')[0]);
+        var asyncHeader = ParseJwtPart(asyncProof.Split('.')[0]);
+
+        Assert.Equal(
+            syncHeader.RootElement.GetProperty("alg").GetString(),
+            asyncHeader.RootElement.GetProperty("alg").GetString());
+        Assert.Equal(
+            syncHeader.RootElement.GetProperty("typ").GetString(),
+            asyncHeader.RootElement.GetProperty("typ").GetString());
+
+        // JWK in header should be identical (same key)
+        Assert.Equal(
+            syncHeader.RootElement.GetProperty("jwk").GetProperty("x").GetString(),
+            asyncHeader.RootElement.GetProperty("jwk").GetProperty("x").GetString());
+        Assert.Equal(
+            syncHeader.RootElement.GetProperty("jwk").GetProperty("y").GetString(),
+            asyncHeader.RootElement.GetProperty("jwk").GetProperty("y").GetString());
+
+        syncHeader.Dispose();
+        asyncHeader.Dispose();
+    }
+
+    [Fact]
+    public void CreateProof_SignatureIs64Bytes()
+    {
+        // ES256 (ECDSA P-256) signatures in IEEE P1363 format are exactly 64 bytes
+        // (32 bytes r + 32 bytes s). Both .NET ECDsa and WebCrypto produce this format.
+        // If the signature were DER-encoded instead, it would be 70-72 bytes.
+        using var keyPair = DPoPKeyPair.Generate();
+
+        var proof = keyPair.CreateProof("POST", "https://example.com/token");
+
+        var parts = proof.Split('.');
+        var signatureBytes = Base64UrlDecode(parts[2]);
+
+        Assert.Equal(64, signatureBytes.Length);
+    }
+
+    [Fact]
+    public void CreateProof_JwkThumbprintMatchesHeader()
+    {
+        // The dpop_jkt claim that gets sent to the server must match the thumbprint
+        // computed from the JWK in the proof header. This validates the thumbprint
+        // computation is correct.
+        using var keyPair = DPoPKeyPair.Generate();
+
+        var proof = keyPair.CreateProof("POST", "https://example.com/token");
+
+        var parts = proof.Split('.');
+        var headerJson = Encoding.UTF8.GetString(Base64UrlDecode(parts[0]));
+        using var headerDoc = JsonDocument.Parse(headerJson);
+
+        var jwkElement = headerDoc.RootElement.GetProperty("jwk");
+        var crv = jwkElement.GetProperty("crv").GetString()!;
+        var kty = jwkElement.GetProperty("kty").GetString()!;
+        var x = jwkElement.GetProperty("x").GetString()!;
+        var y = jwkElement.GetProperty("y").GetString()!;
+
+        // Compute thumbprint per RFC 7638: lexicographic JSON with required members
+        var canonicalJwk = $"{{\"crv\":\"{crv}\",\"kty\":\"{kty}\",\"x\":\"{x}\",\"y\":\"{y}\"}}";
+        using var sha256 = SHA256.Create();
+        var thumbprintBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(canonicalJwk));
+        var computedThumbprint = Pkce.Base64UrlEncode(thumbprintBytes);
+
+        Assert.Equal(computedThumbprint, keyPair.Thumbprint);
+    }
+
+    [Fact]
+    public void CreateProof_AccessTokenHash_IsCorrectSha256()
+    {
+        // Verify the ath (access token hash) claim is computed correctly per RFC 9449
+        using var keyPair = DPoPKeyPair.Generate();
+        var accessToken = "test-access-token-12345";
+
+        var proof = keyPair.CreateProof("GET", "https://example.com/api", accessToken: accessToken);
+
+        var parts = proof.Split('.');
+        var payloadJson = Encoding.UTF8.GetString(Base64UrlDecode(parts[1]));
+        using var payloadDoc = JsonDocument.Parse(payloadJson);
+
+        var ath = payloadDoc.RootElement.GetProperty("ath").GetString()!;
+
+        // Compute expected ath: base64url(SHA-256(ASCII(access_token)))
+        using var sha256 = SHA256.Create();
+        var expectedHash = sha256.ComputeHash(Encoding.ASCII.GetBytes(accessToken));
+        var expectedAth = Pkce.Base64UrlEncode(expectedHash);
+
+        Assert.Equal(expectedAth, ath);
+    }
+
+    [Fact]
+    public void ClientAssertion_Create_ProducesVerifiableSignature()
+    {
+        using var keyPair = DPoPKeyPair.Generate();
+
+        var jwt = ClientAssertion.Create("client-id", "https://auth.example.com", keyPair);
+
+        var parts = jwt.Split('.');
+        Assert.Equal(3, parts.Length);
+
+        // Verify signature using the public key
+        var signingInput = $"{parts[0]}.{parts[1]}";
+        var signatureBytes = Base64UrlDecode(parts[2]);
+
+        var jwk = keyPair.ExportPublicKey();
+        using var ecdsa = ECDsa.Create(new ECParameters
+        {
+            Curve = ECCurve.NamedCurves.nistP256,
+            Q = new ECPoint
+            {
+                X = Pkce.Base64UrlDecode(jwk.X!),
+                Y = Pkce.Base64UrlDecode(jwk.Y!)
+            }
+        });
+
+        var isValid = ecdsa.VerifyData(
+            Encoding.UTF8.GetBytes(signingInput),
+            signatureBytes,
+            HashAlgorithmName.SHA256);
+
+        Assert.True(isValid, "Client assertion signature verification failed");
+    }
+
+    [Fact]
+    public async Task ClientAssertion_CreateAsync_ProducesVerifiableSignature()
+    {
+        using var keyPair = await DPoPKeyPair.GenerateAsync();
+
+        var jwt = await ClientAssertion.CreateAsync("client-id", "https://auth.example.com", keyPair);
+
+        var parts = jwt.Split('.');
+        Assert.Equal(3, parts.Length);
+
+        // Verify signature using the public key
+        var signingInput = $"{parts[0]}.{parts[1]}";
+        var signatureBytes = Base64UrlDecode(parts[2]);
+
+        var jwk = keyPair.ExportPublicKey();
+        using var ecdsa = ECDsa.Create(new ECParameters
+        {
+            Curve = ECCurve.NamedCurves.nistP256,
+            Q = new ECPoint
+            {
+                X = Pkce.Base64UrlDecode(jwk.X!),
+                Y = Pkce.Base64UrlDecode(jwk.Y!)
+            }
+        });
+
+        var isValid = ecdsa.VerifyData(
+            Encoding.UTF8.GetBytes(signingInput),
+            signatureBytes,
+            HashAlgorithmName.SHA256);
+
+        Assert.True(isValid, "Client assertion async signature verification failed");
+    }
+
+    /// <summary>
+    /// Extracts the JWK from a DPoP proof header, reconstructs the ECDSA public key,
+    /// and verifies the signature — exactly what a server does to validate a DPoP proof.
+    /// </summary>
+    private static void AssertProofSignatureIsValid(string proof)
+    {
+        var parts = proof.Split('.');
+        Assert.Equal(3, parts.Length);
+
+        // Extract public key from the JWK in the header
+        var headerJson = Encoding.UTF8.GetString(Base64UrlDecode(parts[0]));
+        using var headerDoc = JsonDocument.Parse(headerJson);
+
+        var jwkElement = headerDoc.RootElement.GetProperty("jwk");
+        var x = Pkce.Base64UrlDecode(jwkElement.GetProperty("x").GetString()!);
+        var y = Pkce.Base64UrlDecode(jwkElement.GetProperty("y").GetString()!);
+
+        // Reconstruct the public key (as a server would)
+        using var ecdsa = ECDsa.Create(new ECParameters
+        {
+            Curve = ECCurve.NamedCurves.nistP256,
+            Q = new ECPoint { X = x, Y = y }
+        });
+
+        // Verify the signature over the signing input (header.payload)
+        var signingInput = $"{parts[0]}.{parts[1]}";
+        var signature = Base64UrlDecode(parts[2]);
+
+        var isValid = ecdsa.VerifyData(
+            Encoding.UTF8.GetBytes(signingInput),
+            signature,
+            HashAlgorithmName.SHA256);
+
+        Assert.True(isValid, "DPoP proof ES256 signature verification failed — " +
+            "this would cause a 400 error from the authorization server");
+    }
+
+    private static JsonDocument ParseJwtPart(string base64UrlPart)
+    {
+        var json = Encoding.UTF8.GetString(Base64UrlDecode(base64UrlPart));
+        return JsonDocument.Parse(json);
+    }
+
     private static byte[] Base64UrlDecode(string input)
     {
         return Pkce.Base64UrlDecode(input);